This article originally appeared on Medium.
The other day I decided to re-watch Jurassic Park, the pop-classic from 1993 in which a theme park suffers a major power breakdown that allows its cloned dinosaurs to rampage freely throughout the park. If you are one of the few that haven’t seen it yet, I definitely recommend you do -- if nothing else for the realization I had as I watched it again. While the film steers us toward Chaos Theory and the Butterfly Effect, the big a-ha moment I had as I re-watched the film is that Jurassic Park is actually an IT failure that would have benefited from DevOps best practices.
InGen, the company behind Jurassic Park, is a bioengineering start-up founded by John Hammond. Dedicated to the cloning of extinct life, according to the film, InGen “spared no expense” in building the most technologically advanced theme park in the world: Jurassic Park.
Ultimately, we see in the follow-up film, The Lost World, that the financial fall-out for this start-up and its investors is quite vast:
- Damaged or destroyed equipment, $17.3M
- Demolition, de-construction, and disposal of Isla Nublar facilities, $126M
- Wrongful death settlements, $72.1M
- “Stock drop from seventy-eight and a quarter to nineteen flat with no good end in sight…”
The film’s focus on recreating dinosaurs misleads us. Several of the problems stem directly from IT issues, and addressing them could have prevented the downfall of Jurassic Park:
1. Only one person, Dennis Nedry, the Park’s computer programmer, knew how to operate the system. According to the film, there are two million lines of code. Yet, there is no transparency about what is in the code, allowing Nedry in the film to create whte_rbt.obj, a backdoor that ultimately disables nearly all of Jurassic Park's security. With no code or security reviews, Nedry is able to access and steal from the Jurassic Park embryo chamber. Jurassic Park highlights a lack of business continuity as one person's departure brings the entire system down. Moreover, it illustrates the most extreme possible ramifications of the lone ranger IT mentality.
DevOps, on the other hand, is about creating a set of shared values and processes that encourage development and operations to work jointly within the organization. Applying DevOps security approaches would have established guardrails, accountability, and transparency, better ensuring that Nedry followed a set of agreed-upon practices.
2. On top of a lack of transparency and accountability, Jurassic Park lacks IT security. Nedry (an anagram of nerdy) is the only one who knows the system password. As we see in the film, the system denies access time and again as Ray Arnold, the site’s chief engineer, tries to access the system. This delays rescue for many hours as the team decides that a system reboot is their only hope.
Single sign-on could have solved this issue, allowing Arnold to use his one set of login credentials to access the system. In addition, proper secret management could have helped address the issue by authenticating users like Arnold and providing them with access to sensitive systems, like the Jurassic Park security system. Imagine what a different outcome the film would have had if Arnold had been able to quickly access and restore the security system!
3. Last, but not least, the Jurassic Park system had no preventive controls to protect against a rogue employee scenario. Nedry had complete, unchecked root access that allowed him to turn off all security systems across the Park -- all without any alerts or notifications to other staff.
Applying DevOps security best practices could have prevented this. Role-based access controls and the principle of least privilege would have assigned Nedry access to resources based on his role within the organization, giving him access to only those resources necessary to conduct his job. Moreover, a robust rules engine would have provided centralized visibility and control, giving management the ability to actively monitor the system. Security rules could have alerted management to changes Nedry made to the core system that were not in line with organizational policy, allowing them to investigate Nedry’s changes well before an incident occurred.
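One way the role-based access control, least privilege and rule-based alerting described above could look, as an added example rather than code from the article or the film. The role names, action strings and audit events are hypothetical and constructed for illustration, and the review requirement from item 1 is applied here as a two-person rule.

```python
from dataclasses import dataclass
from typing import Optional
# Hypothetical least-privilege role map; action names are made up for this example.
ROLE_PERMISSIONS = {
    "programmer": {"code:read", "code:commit"},
    "chief_engineer": {"system:login", "power:restart"},
    "security_admin": {"security:disable", "security:enable"},
}
# Changes that need sign-off from a second person; self-approval does not count.
TWO_PERSON_ACTIONS = {"code:commit", "security:disable"}

@dataclass(frozen=True)
class Event:
    user: str
    role: str
    action: str
    target: str
    approved_by: Optional[str] = None

def evaluate(event):
    """Return (allowed, alerts) for one audit event."""
    alerts = []
    allowed = event.action in ROLE_PERMISSIONS.get(event.role, set())
    if not allowed:
        alerts.append(f"DENY role: {event.role} {event.user} may not {event.action} on {event.target}")
    if event.action in TWO_PERSON_ACTIONS and event.approved_by in (None, event.user):
        allowed = False
        alerts.append(f"DENY unreviewed: {event.action} on {event.target} by {event.user}")
    return allowed, alerts

def review(events):
    decisions, alerts = [], []
    for event in events:
        allowed, raised = evaluate(event)
        decisions.append(allowed)
        alerts.extend(raised)
    return decisions, alerts

# Constructed audit events modelled on the scenario in the article.
SAMPLE_EVENTS = [
    Event("nedry", "programmer", "code:commit", "park-control"),
    Event("nedry", "programmer", "code:commit", "park-control", approved_by="arnold"),
    Event("nedry", "programmer", "security:disable", "perimeter-fences"),
    Event("nedry", "programmer", "door:unlock", "embryo-storage"),
    Event("arnold", "chief_engineer", "system:login", "park-control"),
]
if __name__ == "__main__":
    for alert in review(SAMPLE_EVENTS)[1]:
        print(alert)
```

Only the reviewed commit and the chief engineer's login pass; every other event is denied and produces an alert that someone other than the actor would see.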
I found it quite amusing that 25 years later, while a lot more is understood, there is still a lot that IT can learn from the mistakes of InGen, the start-up at the heart of the film. While Jurassic Park makes many points about what a bad idea it is to reintroduce dinosaurs in the common age, no one conducted a root cause analysis. While it was poor management of IT that caused the project to fail miserably, DevSecOps best practices could have saved the project.
Do you agree? What ways do you think Jurassic Park could have benefited from DevOps best practices? I look forward to your feedback below.