University of Twente Student Theses


DevOps under control : development of a framework for achieving internal control and effectively managing risks in a DevOps environment

Plant, O.H. (2019) DevOps under control : development of a framework for achieving internal control and effectively managing risks in a DevOps environment.

Abstract: Although multiple definitions of the DevOps concept exist, DevOps is generally considered to be an Agile software development approach with the goal of combining development and operations and emphasizing frequent and fast software deployment. Four main aspects of DevOps are collaboration, automation, measurement and monitoring. While the DevOps approach offers great benefits, many companies are struggling with the implementation of DevOps and with maintaining control of their processes due to the required autonomy of the DevOps teams and the high degree of automation. At the same time, they struggle with demonstrating this control to external auditing parties. This study therefore seeks to identify which types of risks companies using DevOps are generally exposed to and to develop a framework that helps companies control their processes and manage risks without substantially hindering the speed and efficiency of the DevOps approach. The literature review suggests that many risk management controls concerning access management, change management, compliance and security can be automated. However, research on DevOps is still scarce and specific risks applicable to DevOps are hardly mentioned. Furthermore, we conducted case studies in nine companies using DevOps, which show that ways of implementing DevOps differ widely and that many companies in practice use a combination of traditional and automated controls to manage their DevOps environment. This study also shows that soft aspects such as organizational culture, communication and team responsibility are of integral importance for effectively mitigating risks in DevOps. Risks associated with DevOps can be grouped into five categories: transitional, organizational, project, team and product risks. It is further argued that there is no best way to implement DevOps and that the DevOps concept instead needs to be tailored to the needs of the company in question.
Two main factors that influence companies in their decisions on how to manage their processes are the DevOps maturity and risk appetite. Based on these factors, a framework is developed that suggests four strategies with suitable controls to manage risks in DevOps. The findings of this study imply that companies first have to find a way to establish a solid DevOps culture before relying on automation practices. Likewise, auditors will have to find a way to assess these so-called "soft controls" in order to reliably give assurance on internal control. This thesis presents some first suggestions on how this can be done.
Item Type: Essay (Master)
Faculty: EEMCS: Electrical Engineering, Mathematics and Computer Science
Subject: 54 computer science, 85 business administration, organizational science
Programme: Business Information Technology MSc (60025)