UnixTime

Research Note

Development Environment Separation Standard

Use this standard to define the minimum security expectations for development, test, staging, and production environments.

On this page

When to use this

Use this standard to define the minimum security expectations for development, test, staging, and production environments.

Environment rules

Environment Purpose Data allowed Access model Network restrictions Change route Logging required
Development Build and unit test Synthetic / masked unless approved Developers Restricted from production Pull request / pipeline TBD
Test Functional/security testing Synthetic / masked unless approved QA / testers Restricted from production Test release TBD
Staging Pre-production validation Production-like, controlled Limited release roles Controlled paths only Change/release process TBD
Production Live service Approved production data Restricted operations roles Production-only controls Approved change Required

Minimum requirements

  • Environments are inventoried.
  • Access differs by environment.
  • Production access is restricted and reviewed.
  • Network paths between environments are documented and controlled.
  • Shared admin or identity services are risk-assessed.
  • Production data outside production requires approval.
  • Promotion to production follows change control.
  • Non-production systems have security baselines appropriate to risk.