The four Ps of security, DevOps, Agile Cloud Development, and cloud migration are Process, People, Ptechnology, and Politics. In that order. The Ptechnology piece is by far the easiest piece, though it is often considered to be critical. Without Process and People, at this time, technology is just a bunch of 1s and 0s. Unfortunately, to do anything well, Politics is involved. These four Ps fit with nearly every technology and start first with architecture. Architects need to understand how their technology will be used, what processes are important, and to some extent, how much politics is involved. How good is your organization with the four Ps? Does everyone involved understand each aspect? How do Process, People, Ptechnology, and Politics fit into their world view?
The four Ps are particularly important to Detection, Prevention, Response, Remediation, Reporting, and Record Keeping. There is a Process as well as People, Ptechnology, and Politics around each of these, regardless of project. Everything starts with a Process to transform your organization: consider this the plan of the change, encompassing the scopes of individual projects while keeping the end goal in mind. People and Ptechnology are needed to implement the Process or plan. Unfortunately, Politics gets involved both within teams and, more importantly, across teams as the development, operations, and security infrastructures are modified.
This approach needs to be applied to every aspect of IT and perhaps even to the business. How do Detection, Prevention, Response, Remediation, Reporting, and Record Keeping fit into the four Ps?
- Detection is needed to understand when problems have occurred.
- Prevention is required to prevent known problems or issues.
- Response is required to be well-planned for each known or even unknown problem or issue.
- Remediation is often required as part of the Response.
- All Detection, Prevention, Response, and Remediation need to be Reported to the proper governing bodies within an organization and sometimes outside it.
- Record Keeping is required so that you can know what happened before, never lose institutional knowledge, and otherwise take an unknown issue and make it known.
This is a cycle! We are constantly in this cycle.
When we introduce a new product or a change to any environment, we need to see the impact to the Process, the People, and the Ptechnology stack, and to see what Politics are involved—what approvals are needed. Basically, we need to look at the entire scope of the change. In small organizations, it may affect just two or three IT staff, but in larger organizations, perhaps hundreds of IT staff are involved—not to mention the other workers impacted. How do you train them to understand the new change and its impact?
If training is not involved, that may be better, but if the change is drastic enough, then training is a necessity. That could lead to other issues. If the change is big enough, the risk may be too high, so a staged approach may be required. This is often the downfall to many desired changes: they are too large, the risk is too great, and the business is impacted. More importantly, the current Process and People are impacted.
We can never get away from Process and People. Ptechnology is always available, but so are Process, People, and Politics. One thing to consider is automation. Automation can change Process, definitely impacts People, and also has Political overtones. Your goal as the originator of a change or idea is to understand the impact not only to the environment, but also to the organization.
We may say that the future is the cloud, so everything must move to the cloud. This is a great statement, but what about the mainframes currently in use, or the compliance requirements for your organization? If your organization has these items and requirements, then the impact to Process and People, not to mention Politics, will be far-reaching. Even a small change to, say, encrypt everything at rest would have a far-reaching impact. What happens if the application is impacted by a performance issue, perceived or real? How do you safely encrypt within the cloud with your own keys? Your own HSM? How do you know if the data is copied to a location without encryption at rest?
As you can see, even supposedly small changes have a great impact. Looking at your solutions with the four Ps involved gives you a start to understanding your business. Several of the most recent large breaches happened because of Process, People, Ptechnology, and Politics. Understand where they failed, learn from their mistakes, and update the four Ps to ensure your organization is not impacted.