Blending AI DevOps delivery model with the security requirements of ISO/IEC 27001:2022

This article focuses on a particular set of considerations and transition activities for day-to-day business operations related to the delivery of AI-powered products or services on the basis of the DevOps delivery model and in conjunction with the security requirements of ISO/IEC 27001.
I would like to clarify in advance that the scope of this publication covers the management processes and the technological intersection between the DevOps model, the ISO 27001 security requirements and various AI deliveries; it should therefore not be used as an exhaustive guide for AI deployments or as a reference guide for DevOps deliveries.
The ISO/IEC 27001:2022 standard (previously known as ISO/IEC 27001:2013, incl. Cor. 1:2014 and Cor. 2:2015) is perhaps one of the most recognisable and best-known security bodies of knowledge used by organisations today to build and maintain Information Security Management Systems (ISMS). And there are good reasons for that. On the one hand, the standard promotes a holistic and proactive approach to establishing, implementing, improving and maintaining overall corporate security at the level of business operations; on the other hand, it is well balanced and risk-aware, taking into consideration the actual enterprise requirements for cyber-resilience and operational excellence. Last but not least, the standard secures consistent and proven results over a significant period of time.
However, there is no doubt that one of the greatest challenges for any profitable organisation today is to increase and constantly improve its service or product delivery. Market demands push service providers to continuously increase their Quality of Service (QoS), speed and effectiveness. This trend challenges the traditional management processes and leads to more efficient operational and development models, like the DevOps delivery model.
In a nutshell, DevOps shines with its straightforward approach of blending and merging the business operations and development teams into a single delivery pipeline per service or product family, using the skills and knowledge gathered across the organisation, which ultimately brings coherent results and customer satisfaction. DevOps models fit perfectly in enterprises with a developed System/Software Development Life-Cycle (SDLC) and/or with ITIL-based delivery, but they are also applicable to more traditional organisations with weak or balanced matrix structures, such as banks or telco companies.
The significant improvement of the delivery process these days makes complex and comprehensive technologies, such as those based on neural-network machine learning (ML solutions) or on completely self-aware AI, even more affordable and easy to deploy.
One reasonable question is how to keep the efficiency, the improvements and the overall philosophy of DevOps models when deploying AI solutions, without jeopardising the corporate security, risk assessments and policies already incorporated within the organisation’s ISMS and eventually stipulated by ISO/IEC 27001.
The answer to this question is not obvious, especially if you want to exploit the benefits of the chosen delivery and security models simultaneously, and it consequently requires acceptable compromises. This is what the current study is about.
The approach proposed by this article is to use the ISMS, as stipulated by the European Standard ISO/IEC 27001:2022, as the foundation for any further considerations, transition activities and operational changes, and to blend a DevOps model into it. You can reverse the approach if you consider security to be less important for your business, but for AI-powered products or services I would give the security topic the higher priority.
❖ First things first: update your security objectives, aligned with the organisation’s strategic goals, for all upcoming AI deployments. Take into consideration your current DevOps practices. For example, "Infrastructure as Code" is a proven DevOps practice for quality assurance, automation and configuration management. Try to extend your security objectives with appropriate policies in accordance with your business demands. For example, compliance with PCI-DSS would be an option for financial/bank institutions, or compliance with HIPAA for medical/health-care institutions;
❖ Update the risk management methodology. As a minimum, take into account the following points:
- Define what you will accept as an AI technology, product and service. Not all solutions based on neural networks should be considered self-aware with artificial cognitive abilities, but there are solutions with self-learning capabilities applicable to various types of automation;
- Add appropriate risk categorisations for consistent event identification across your projects and BizOps. This information would be extremely useful for your P&PMO as well;
- Add ground rules for the negative risks (threats) related to AI deployments in order to avoid any acceptance or transfer strategies;
- Add ground rules for the identified positive risks (opportunities);
- Align all risk findings and plans with the DevOps and BizOps of your organisation;
- Add Expected Monetary Value (EMV) analyses for risk measurements of AI deployments.
❖ Align the company security policy with the global standards and regulations for AI deployments, such as the AI Act of the European Commission, ANSI/PMIxAI and EU Art. 2016/679 (known as GDPR);
❖ Update your cryptography policy. The AI DevOps delivery pipeline must be secured with an appropriate strategy, technology and response policies. Keep in mind that any AI delivery will have to be maintained at some point, and the response strategy should be in place within the DevOps feedback loop so that all potential security issues are handled properly;
❖ Validate the security workflow for AI DevOps deliveries. The presumption is that AI technology cannot be categorised as a regular or traditional technology and should therefore be managed, monitored, planned and audited in an appropriate way, in compliance with the DevOps delivery pipeline for build → test → release of AI-based apps or services;
❖ Revise your remote and hybrid office policy;
❖ Revise your Service Delivery Policy and Procedures (SDPP). It is essential to update and unify all active Service-level Agreements (SLA) with your customers in accordance with your company goals in order to deploy AI-powered solutions. One possible approach to achieve such transition is to update your current agreements with more generalised Service-level Commitments (SLC);
❖ Plan and perform HR training sessions on a regular basis for information security, AI technology and DevOps deliveries of AI-powered solutions;
❖ Update the access security policy for specific resources related to AI DevOps delivery and maintenance. This is a peculiar topic, because the access policy requires due diligence on several business, security and operational levels. I will not dive into details here, but in general keep in mind that we should not impact the DevOps delivery pipeline as long as the enterprise security policies are not jeopardised;
❖ Secure the physical and environmental areas: this topic refers to Annex A.11.1 of ISO/IEC 27001:2022. In a nutshell, all security perimeters and boundaries with areas that contain either sensitive or critical information required for AI DevOps delivery should be specified, monitored and controlled. You may also consider how the digital workspaces without human interaction should be managed, for instance whether they should be defined with limitations or completely excluded from the Statement of Applicability (SOA);
❖ Ensure the operation security policy: referring to Annex A.12.1 of ISO/IEC 27001:2022, this topic is all about how the DevOps information flow and documentation are managed, whether the procedures are in place, whether change management is defined and operational, whether capacity management is properly monitored, etc. Ensuring the operations policy for organisations with SDLC practices and DevOps deliveries is quite challenging. Fortunately, as I have mentioned above, the ISO/IEC 27001 standard uses a holistic and proactive approach to corporate security. The strong recommendation stipulated by the standard is to separate the development, testing and operational environments in order to reduce the risks of unauthorised access or changes to the operational environment. On the other hand, the DevOps philosophy presumes the blending of all enterprise knowledge and expertise in order to deliver products or services with the highest quality. You should find and negotiate an approach that will not impact the success of DevOps delivery. My advice is to refer to best practices such as "Infrastructure as Code", and particularly to apply "Policy as Code", in order to find a compromise and automate some of the security procedures;
❖ Deploy effective logging and monitoring for your AI DevOps. The security requirements, assumptions and constraints provided by Annex A.12.4 of ISO/IEC 27001:2022 are a perfect match for any DevOps delivery model, including those with AI-powered products or services. In addition to the recommendations provided by the standard, I would add that all logging and performance metrics, categorisations and so forth should be unified in order to improve the subsequent business and security analyses. The RFC 5424 protocol would be a good starting point for those who want to implement and automate new logging and monitoring procedures and services;
❖ Validate your communication policies, considering as a minimum two points:
- Revise your information categorisation. In fact, this topic is simple to define and implement, but it is very often omitted by organisations, even those without DevOps activities;
- The DevOps workflow significantly increases the communication flows on all levels within the organisation and externally with multiple stakeholders (customers, service providers, etc.). This creates a complete collaboration environment that needs to be addressed properly by the overall security strategy. According to Annex A.13 of ISO/IEC 27001:2022 there are many topics to be handled, including network segregation, transfer policies & procedures, SLAs with customers and/or outsourced service providers, updated Non-Disclosure Agreements (NDA) considering the AI deployments and the information sensitivity, and more. You should take all these topics into account and make them work as a single body of requirements applicable to all your AI DevOps deliveries;
❖ Annex A.14 of ISO/IEC 27001:2022 is perhaps one of the most important parts of this security standard and is considered an integral, must-have part of any ISMS. The importance of this topic is even greater considering the collaborative philosophy of the DevOps activities and the unpredictable nature of AI-powered solutions. So, I will focus your attention on several topics that must be implemented across all your developments, deliveries, communications and other DevOps activities:
- Begin your DevOps activities with exhaustive feasibility studies of how the AI is expected to perform in the particular environment(s). Be specific! If you are going to deploy the same AI solution in a different user environment, you should perform a new feasibility study;
- Each feasibility study must be followed by descriptive security requirements analysis and specifications. The security assessment should always be conducted with appropriate risk assessment, so you need to refer to your security risk management plan and methodology mentioned above;
- The security assessment of AI-powered solutions should address the technological capabilities to control and limit the cognitive abilities of the AI technology you are planning to use;
- The security risk assessment should lead to appropriate EMV analyses in order to predict eventual costs from legislation and other formal and informal issues. A good practice for AI DevOps is to perform quantitative and qualitative Data Privacy Impact Assessments (DPIA);
- DevOps deliveries are very often deployed as public services (Chat-bots, Call-center assistants, etc.). The information managed by AI-powered services is bi-directional, and in a public environment you should expect fraudulent activities directed back at your services. Due to the unpredictable nature of AI you should be extremely cautious and pro-active when applying security measures for risk mitigation. I encourage you to align your security policy with Annex A.14.1.2 and A.14.1.3 of ISO/IEC 27001;
- Perform make-or-buy analyses for AI technologies on the basis of clear guarantees for technological transparency and documentation. Annex A.14.2 stipulates a number of security requirements and guidelines that need to be designed and incorporated within your SDLC;
- Secure your development environment (ref. Annex A.14.2.6);
- Do not hesitate to design and plan a number of tests, experiments and rehearsals of your AI deployments. Take into consideration that an AI solution is much more manageable in a controlled/test environment than in any public deployment. The system or service security and acceptance testing should be unified for all your AI DevOps deliveries. In that matter, Annex A.14.2.8 and A.14.2.9 of ISO/IEC 27001 provide requirements and guidance on how to achieve that;
❖ Deploy an effective and transparent Information Reporting Security System (IRSS). The DevOps practices cover various activities to secure the continuous integration, delivery and deployment of micro-services as a lightweight mechanism for rapid delivery and scaling of the development processes. As mentioned above, collaboration on all levels is an essential part of the DevOps philosophy and significantly increases the communication between the stakeholders. Your security policy and strategy in accordance with ISO/IEC 27001 should handle this intensive work environment by:
- Defining responsibilities and procedures in order to ensure a rapid and effective response to security incidents, weaknesses and events. Of course, you may integrate these policies and automations within the existing ticketing or event-tracking systems;
- Recording all assessments, considerations and decisions;
- Reporting all findings and making them visible to the DevOps stakeholders in accordance with your security policy;
- Collecting evidence for security issues. This topic is particularly important for AI-powered services in order to commence preventive actions and minimize the risk of criminal or civil proceedings.
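To illustrate the "Policy as Code" advice in the operations security item above, here is an added example (not code from this article or from the standard) that checks a pipeline description for separation of the development, testing and operational environments. The field names, identities and the three rules are assumptions chosen for the illustration.

```python
REQUIRED_ENVS = ("development", "testing", "operational")

def evaluate(pipeline):
    """Return a list of policy violations for a pipeline description (empty = compliant)."""
    envs = pipeline.get("environments", {})
    missing = [e for e in REQUIRED_ENVS if e not in envs]
    if missing:
        return [f"missing environment: {e}" for e in missing]
    violations = []
    # Rule 1: every environment runs in its own account and network segment.
    for key in ("account", "network"):
        seen = {}
        for name in REQUIRED_ENVS:
            value = envs[name].get(key)
            if value in seen:
                violations.append(f"{name} shares {key} {value!r} with {seen[value]}")
            seen.setdefault(value, name)
    # Rule 2: only the pipeline's own service identity may change the operational environment.
    allowed = set(pipeline.get("deploy_identities", []))
    for who in envs["operational"].get("writers", []):
        if who not in allowed:
            violations.append(f"{who} has direct write access to operational")
    # Rule 3: a release needs a passed test stage and an approver other than its author.
    for rel in pipeline.get("releases", []):
        if not rel.get("tests_passed"):
            violations.append(f"release {rel['id']} promoted without passing tests")
        if rel.get("approved_by") in (None, rel.get("author")):
            violations.append(f"release {rel['id']} lacks independent approval")
    return violations

# Constructed sample input with hypothetical names, not taken from a real pipeline.
SAMPLE = {
    "deploy_identities": ["svc-release"],
    "environments": {
        "development": {"account": "acct-dev", "network": "net-dev", "writers": ["alice", "bob"]},
        "testing": {"account": "acct-test", "network": "net-test", "writers": ["svc-release"]},
        "operational": {"account": "acct-test", "network": "net-prod",
                        "writers": ["svc-release", "bob"]},
    },
    "releases": [{"id": "model-1.4", "author": "alice", "approved_by": "alice",
                  "tests_passed": True}],
}

if __name__ == "__main__":
    for violation in evaluate(SAMPLE):
        print("DENY:", violation)
```

Run as a pipeline gate, a non-empty result blocks the release while the teams keep working in one shared delivery pipeline.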
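For the logging and monitoring item above, the following added example (not part of the original article) shows one way to unify pipeline events as RFC 5424 lines with a single structured-data element, and to parse them back for analysis. The SD-ID `aipipeline@32473`, the field names and the host and application names are assumptions.

```python
import re
from datetime import datetime, timezone

FACILITY_LOCAL0 = 16          # "local0" facility code, RFC 5424 section 6.2.1
SEVERITY = {"error": 3, "warning": 4, "notice": 5, "info": 6}
SD_ID = "aipipeline@32473"    # assumed SD-ID; 32473 is the enterprise number reserved for examples

LINE = re.compile(r'<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) '
                  r'\[([^ =\]"]+)((?: [^=\s]+="(?:\\.|[^"\\\]])*")*)\](?: (.*))?$')
PARAM = re.compile(r' ([^=\s]+)="((?:\\.|[^"\\\]])*)"')

def _escape(value):
    # Section 6.3.3: '"', '\' and ']' inside a PARAM-VALUE are backslash-escaped.
    return re.sub(r'(["\\\]])', r"\\\1", str(value))

def format_event(severity, host, app, msgid, fields, msg, when=None):
    """Render one pipeline event as an RFC 5424 line with one structured-data element."""
    pri = FACILITY_LOCAL0 * 8 + SEVERITY[severity]
    when = (when or datetime.now(timezone.utc)).astimezone(timezone.utc)
    ts = when.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    sd = "".join(f' {k}="{_escape(v)}"' for k, v in fields.items())
    return f"<{pri}>1 {ts} {host} {app} - {msgid} [{SD_ID}{sd}] {msg}"

def parse_event(line):
    """Parse a line produced by format_event back into unified fields."""
    m = LINE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 line with a single structured-data element")
    pri = int(m.group(1))
    fields = {k: re.sub(r'\\(["\\\]])', r"\1", v) for k, v in PARAM.findall(m.group(8))}
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": m.group(2),
            "host": m.group(3), "app": m.group(4), "msgid": m.group(6),
            "sd_id": m.group(7), "fields": fields, "msg": m.group(9) or ""}

# Constructed sample event; the quote and bracket in "model" exercise the escaping.
SAMPLE = format_event(
    "error", "build-01", "ai-devops", "MODEL_RELEASE",
    {"stage": "release", "env": "operational", "model": 'chat"bot]v2'},
    "promotion blocked by policy check",
    when=datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc))

if __name__ == "__main__":
    print(SAMPLE)
    print(parse_event(SAMPLE))
```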
The DevOps paradigm of rapid service and product delivery is becoming more and more popular. On the other hand, the enormous capacity of AI solutions to automate and bring services to the market without human interaction would be quite compelling for any management, considering the cost reduction and the short-term profit growth.
The purpose of this article was to exploit the benefits of DevOps and AI deployments for organisations with implemented ISMS.
I hope the considerations described above have given you a good starting point to improve the delivery of your next AI-powered services without sacrificing the overall security of your organisation and without impacting the BizOps that secures the sustainability of your business.
Nevertheless, this topic requires continuous attention from your side in your current and future endeavours and I would appreciate your feedback on that matter.