Scaling A Governance, Risk, And Compliance Program For The Cloud, Emerging Technologies, And Innovation
Governance, risk, and compliance programs are sometimes looked upon as the bureaucracy getting in the way of exciting cybersecurity work. But a good GRC program establishes the foundation for meeting security and compliance objectives. It is the proactive approach to cybersecurity that, if done well, minimizes reactive incident response.
Of the three components of cybersecurity (people, processes, and technology), technology is viewed as the easy button because, in relative terms, it's simpler than drafting a policy with the right balance of flexibility and specificity or managing countless organizational principles and human behavior. Still, as much as we promote technology and automation at AWS, we also understand that automating a bad process with the latest technology doesn't make the process or the outcome better. Cybersecurity must incorporate all three aspects with a programmatic approach that scales. To reach that goal, an effective GRC program is essential because it ensures a holistic view has been taken while tackling the daunting mission of cybersecurity.
GRC has a symbiotic relationship
The breadth and depth of a GRC program varies with each organization. Regardless of its simplicity or complexity, there are opportunities to transform or scale that program for the adoption of cloud services, emerging technologies, and other future innovations.
What Is AWS CloudTrail
AWS CloudTrail is a service that constantly tracks and logs user activity. From the commands you run from your shell to the clicks in the AWS console, CloudTrail logs it all! Below is a diagram that elaborates on how this useful service works:
Bonus Tidbit: On top of CloudTrail, you can also use AWS Config to monitor and view configuration changes on resources that wouldn't be captured from the details of an API call. Here's a diagram to help visualize how Config functions:
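CloudTrail records are only useful for governance if something reads them. The following added example (not code from the original post or from AWS) runs a few defender-side checks over constructed CloudTrail records: root account activity, console sign-in without MFA, and changes to the trail itself. The records, account IDs and user names are constructed sample data; the field names (eventTime, eventSource, eventName, userIdentity, additionalEventData.MFAUsed) follow the CloudTrail record format, and the `{"Records": [...]}` wrapper matches how CloudTrail delivers log files.

```python
import json

# Constructed sample CloudTrail records (not real log data). The field names follow
# the CloudTrail record format: eventTime, eventSource, eventName, userIdentity, ...
SAMPLE_RECORDS = [
    {   # IAM user signing in to the console with MFA: expected, no finding
        "eventTime": "2023-01-10T08:15:02Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "sourceIPAddress": "203.0.113.10",
        "additionalEventData": {"MFAUsed": "Yes"},
    },
    {   # console sign-in without MFA
        "eventTime": "2023-01-10T08:20:44Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "userName": "bob"},
        "sourceIPAddress": "203.0.113.11",
        "additionalEventData": {"MFAUsed": "No"},
    },
    {   # root account creating an access key
        "eventTime": "2023-01-10T09:01:13Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateAccessKey",
        "userIdentity": {"type": "Root", "accountId": "111111111111"},
        "sourceIPAddress": "198.51.100.7",
    },
    {   # routine read-only API call from a role session: no finding
        "eventTime": "2023-01-10T09:05:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111111111111:assumed-role/ReadOnly/ci"},
        "sourceIPAddress": "10.0.3.25",
    },
    {   # someone switching the trail off
        "eventTime": "2023-01-10T09:30:59Z",
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging",
        "userIdentity": {"type": "IAMUser", "userName": "eve"},
        "sourceIPAddress": "203.0.113.12",
    },
]

# CloudTrail delivers files shaped like {"Records": [...]}; build one from the samples.
SAMPLE_LOG_FILE = json.dumps({"Records": SAMPLE_RECORDS})

# CloudTrail API calls that alter what the trail records.
TRAIL_TAMPERING_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def evaluate(record):
    """Return the list of finding labels raised by a single CloudTrail record."""
    findings = []
    identity = record.get("userIdentity", {})
    event = record.get("eventName")
    if identity.get("type") == "Root":
        findings.append("root account activity")
    if event == "ConsoleLogin" and record.get("additionalEventData", {}).get("MFAUsed") == "No":
        findings.append("console login without MFA")
    if record.get("eventSource") == "cloudtrail.amazonaws.com" and event in TRAIL_TAMPERING_EVENTS:
        findings.append("change to CloudTrail logging")
    return findings


def load_records(log_file_text):
    """Parse the JSON body of one CloudTrail log file into its list of records."""
    return json.loads(log_file_text)["Records"]


def scan(records):
    """Run every record through evaluate() and return (time, actor, event, finding) rows."""
    rows = []
    for record in records:
        identity = record.get("userIdentity", {})
        actor = identity.get("userName") or identity.get("arn") or identity.get("type")
        for finding in evaluate(record):
            rows.append((record["eventTime"], actor, record["eventName"], finding))
    return rows


if __name__ == "__main__":
    for row in scan(load_records(SAMPLE_LOG_FILE)):
        print("\t".join(row))
```

The checks are deliberately few and explicit; in practice they would run on each delivered log file and feed an alerting pipeline rather than standard output. The trail-tampering check exists because a monitoring program that depends on CloudTrail must notice when CloudTrail itself is changed.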
Framework For Establishing Your Landing Zones
This guidance for establishing your landing zone is based on input from various AWS teams and on best practices derived from customer feedback and interactions. This multi-account framework provides the level of isolation necessary to secure your AWS environment, while also allowing your operations to scale and adapt to organizational change as needed.
You use AWS Organizations to group AWS accounts based on function into two categories of organizational units (OUs): Foundational and Additional. An OU is a way to group AWS accounts that share common security policy requirements. The Foundational OUs contain shared services that provide functionality required across all of your AWS accounts and are typically the responsibility of central teams. They are the building blocks for establishing the rest of the account structure. The Additional OUs are for establishing the customer's overall environment and have dependencies on the Foundational OUs.
The Foundational OUs are further categorized into two groups: Infrastructure OU and the Security OU. Infrastructure OU accounts are used for shared services across your AWS Organization for things like shared IT services and networking infrastructure. The Security OU accounts are used for centralized security services, such as log archival, security tooling, and break-glass / forensics.
Streamline And Automate Compliance
Traditional assurance methods become challenging with scale. Reduce risk and enable scale by using our activity monitoring services that detect configuration changes and security events across your system, even integrating our services with your existing solutions to simplify your operations and compliance reporting.
Controls Assessment And Continuous Monitoring
AWS implements a variety of activities prior to and after service deployment to further reduce risk within the AWS environment. These activities integrate security and compliance requirements during the design and development of each AWS service and then validate that services are operating securely after they are moved into production.
Risk management and compliance activities include two pre-launch activities and two post-launch activities. The pre-launch activities are:
- AWS Application Security risk management review to validate that security risks have been identified and mitigated
- Architecture readiness review to help customers ensure alignment with compliance regimes
At the time of its deployment, a service will have gone through rigorous assessments against detailed security requirements to meet the AWS high bar for security. The post-launch activities are:
- AWS Application Security ongoing review to help ensure service security posture is maintained
- Ongoing vulnerability management scanning
These control assessments and continuous monitoring allow regulated customers the ability to confidently build compliant solutions on AWS services. For a list of services in the scope for various compliance programs see the AWS Services in Scope webpage.
AWS Risk And Compliance Program
AWS has integrated a risk and compliance program throughout the organization. This program aims to manage risk in all phases of service design and deployment and to continually improve and reassess the organization's risk-related activities. The components of the AWS integrated risk and compliance program are discussed in greater detail in the following sections.
Automating Set Up Of Your Landing Zone
As the number of AWS accounts in your landing zone grows, automation becomes necessary for efficient governance and management. In line with the AWS philosophy, I believe you should use the right tool for the job, and I recommend two options to assist you in orchestrating your landing zone through automated means. The first is AWS Control Tower, an AWS managed service that sets up and governs a multi-account environment using AWS Organizations and a number of other services to automate the orchestration. For those building out a new landing zone, or who prefer an easier solution without the need for heavy customization, AWS Control Tower helps you get started quickly with centrally managed governance and preconfigured best practices. The second option is direct management through AWS Organizations, for customers that need a high level of customizability and are experienced in building tooling to manage their environments.
A future blog highlights the considerations for using either method to manage your landing zones.
Why Amazon Web Services
The organization was originally working with another hosting provider for its web application, but soon found that its services, particularly billing and redundancy for back-end services, were relatively inflexible. CGR then engaged Amazon Web Services because of the strong AWS brand reputation and the knowledge that AWS infrastructure could support clients and distributors in Europe.
At that time, AWS was already well known to the CGR development team. Most of them had used AWS before and were familiar with the application programming interfaces that act as the interface to services. The CGR developers knew that AWS would easily allow them to add capacity for a set number of hours to support increases in demand from clients, and then remove that capacity during quieter periods.
CGR began by using with for a scalable infrastructure and to run the CGR application on an isolated section of the AWS Cloud. Later, the development team added to act as a primary domain name server and keep track of internal servers, and to back up database information.
Using AWS, CGR is able to service its European clientele with an average three-second reduction in response time. CGR regularly backs up its databases every six hours, ensuring that client data is available for retrieval on request or in the event of a system issue.
How GitOps Helps With Governance, Risk, And Compliance
GitOps provides the ability to log, audit, and document all activities that affect data usage. It exposes changes to the system, optimizes deployment, supports version-controlled infrastructure, and increases transparency and auditability. Let's take a closer look at the components of a system under observation by GitOps in terms of governance, risk, and compliance. In this context, we understand these three components as follows:
Governance. Includes the declared and documented policies covering the handling of data authentications, authorizations, onboarding, networking, security groups, configmaps, etc. Once policies are declared and documented in the Git repository, all commits and pull request or merge request processes are easily regulated.
Risk. GitOps empowers teams to iterate faster to ship new features without the fear of causing an unstable environment that results in legal and financial risks.
Compliance. Compliance may include the guidelines derived from HIPAA, GDPR, PCI, etc. A compliance auditor can look at the Git logs and see who made any changes, when and why, and how that impacted the running system deployments. The importance of the ability to log, audit, and document all activities that affect the use of data cannot be overstated. For example, all network policies can be part of Terraform code kept in a repo. Similarly, configmaps and various other authentication and authorization policies can also be part of a Git repository.
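The auditor's view described above ("who made any changes, when and why") can be produced directly from the repository history. The following added example, not code from the original article, parses constructed `git log` output for a repository that keeps Terraform network policies and Kubernetes configmaps under version control, lists every change to those governed paths, and flags commits whose message carries no change-request reference. The governed path prefixes, the `CR-<number>` ticket convention, and the commits themselves are constructed assumptions for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed output of: git log --format='%H|%an|%aI|%s' --name-only
# Sample data for illustration; not taken from any real repository.
SAMPLE_GIT_LOG = """\
a1b2c3d4e5f60718293a4b5c6d7e8f9012345678|Alice|2023-03-01T10:00:00+00:00|CR-101 restrict ingress to 10.0.0.0/8

network/security_groups.tf

0123456789abcdef0123456789abcdef01234567|Bob|2023-03-02T11:30:00+00:00|quick fix

network/nacl.tf
app/README.md

fedcba9876543210fedcba9876543210fedcba98|Carol|2023-03-03T09:00:00+00:00|CR-102 rotate database configmap

k8s/configmaps/db.yaml
"""

# Paths whose changes are subject to policy review (a constructed convention for this example).
GOVERNED_PREFIXES = ("network/", "k8s/configmaps/", "policies/")
# Change-request reference expected in the commit subject (also a constructed convention).
TICKET_RE = re.compile(r"\bCR-\d+\b")
# One header line per commit: <40-hex sha>|<author>|<ISO date>|<subject>
COMMIT_RE = re.compile(r"^([0-9a-f]{40})\|([^|]*)\|([^|]*)\|(.*)$")


@dataclass
class Commit:
    sha: str
    author: str
    date: str
    subject: str
    files: list = field(default_factory=list)


def parse_git_log(text):
    """Turn the formatted git log text into Commit objects with their changed files."""
    commits = []
    for line in text.splitlines():
        m = COMMIT_RE.match(line)
        if m:
            commits.append(Commit(*m.groups()))
        elif line.strip() and commits:
            # any non-blank line after a header is a file name from --name-only
            commits[-1].files.append(line.strip())
    return commits


def governed_files(commit):
    """Changed files that fall under a governed path prefix."""
    return [f for f in commit.files if f.startswith(GOVERNED_PREFIXES)]


def audit_trail(commits):
    """Who changed governed files, when, why (subject) and what: the auditor's view."""
    return [
        (c.sha[:7], c.author, c.date, c.subject, governed_files(c))
        for c in commits
        if governed_files(c)
    ]


def find_unjustified_changes(commits):
    """Commits to governed paths whose subject carries no change-request reference."""
    return [c for c in commits if governed_files(c) and not TICKET_RE.search(c.subject)]


if __name__ == "__main__":
    history = parse_git_log(SAMPLE_GIT_LOG)
    for row in audit_trail(history):
        print(row)
    for c in find_unjustified_changes(history):
        print(f"no change request: {c.sha[:7]} by {c.author}: {c.files}")
```

Run against a real repository, the input would come from the `git log` command shown in the comment; the same two functions then give the auditor both the complete trail and the exceptions to review.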
How AWS Can Support The Evolution Of Your GRC Framework
Your key to success is breaking down perceived silos or functional silos. Bring the people in the silos of the GRC framework, along with other key stakeholders, together. Create a shared vision and a shared understanding of the desired business outcomes. In doing so, you can drive collaboration to achieve those outcomes. This approach supports the transition to a more effective and efficient GRC framework.
You can start by making use of the AWS Cloud Adoption Framework (AWS CAF), which draws on experiences from a wide variety of enterprises in many industries. The AWS CAF explains that cloud adoption requires fundamental changes that you should discuss and consider across your entire organisation. It's important that your stakeholders across all organisational units, both outside and within IT, support these changes.
Additionally, the SRC Blueprint addresses two important nontechnical challenges that slow down cloud adoption projects: a lack of end-to-end planning to mitigate cloud risks, and the slow pace of legacy GRC evaluation and approval processes. The SRC Blueprint provides end-to-end support for enterprises to align business goals with cloud security by defining a vision, strategy, and roadmap for successful cloud migration. It also delivers a cloud security strategy, a cloud-aligned critical decision framework, and a roadmap of security and GRC capabilities to achieve your cloud migration goals.
MetricStream Enhances Cloud Security And Compliance With Continuous Control Monitoring On AWS, Enabling A Proactive Response To Threats And Vulnerabilities
SAN JOSE, September 20, 2022: MetricStream, the global market leader in integrated risk management and governance, risk, and compliance (GRC), today announced that MetricStream CyberGRC works with AWS Security Hub, a cloud security posture management service from Amazon Web Services (AWS), to provide continuous control monitoring (CCM), delivering meaningful intelligence on an organization's cloud environment.
CCM refers to the use of automated tools and technologies to continuously test and monitor the effectiveness of security controls in line with compliance standards. This improves the compliance posture and reduces audit costs. As a result of this integration, customers will have access to near real-time cloud security control tests that identify issues requiring attention, providing Chief Information Security Officers the visibility required to respond to vulnerabilities proactively.
AWS Security Hub performs security best practice checks, aggregates alerts, and enables automated remediation. Combined with MetricStream's always-on CCM, CISOs can ensure ongoing compliance of cloud assets with standards, with minimal user intervention.
How Can AWS Help With GRC
AWS Cloud Operations optimizes cloud resources with business agility and governance control. You can manage dynamic resources on a massive scale and reduce costs.
For example, with AWS Cloud Operations, you can perform the following tasks:
- Govern, grow, and scale AWS workloads in one place
- Ensure your risk management process stands up to an audit
- Automate compliance management to remove human error
Customer Cloud Compliance Governance
AWS customers are responsible for maintaining adequate governance over their entire IT control environment, regardless of how or where IT is deployed. Leading practices include:
- Understanding the required compliance objectives and requirements
- Establishing a control environment that meets those objectives and requirements
- Understanding the validation required based on the organization's risk tolerance
- Verifying the operating effectiveness of their control environment
Deployment in the AWS Cloud gives enterprises different options to apply various types of controls and various verification methods.
Strong customer compliance and governance may include the following basic approach:
- , AWS Security Documentation, AWS compliance reports, and other information available from AWS, together with other customer-specific documentation. Try to understand as much of the entire IT environment as possible, and then document all compliance requirements into a comprehensive cloud control framework.
- Designing and implementing control objectives to meet the enterprise compliance requirements as laid out in the AWS Shared Responsibility Model.
- Identifying and documenting controls owned by outside parties.
- Verifying that all control objectives are met and all key controls are designed and operating effectively.
What Is AWS Security Hub
AWS Security Hub is one of the must-have services when you are talking about setting up and managing security or compliance in your environments.
There are several standards offered within the Security Hub service that you can enable. Once you have enabled the standards you need, Security Hub does the heavy lifting of running security checks and pulling information from other services like Inspector, GuardDuty, Macie, and many more, then takes the results and presents the findings to you in a single comprehensive view. From there, you will have a list of actions you can take to better lock down and secure your environment.
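Both the continuous control monitoring passage above (Security Hub control tests feeding a compliance view) and this section come down to the same data: Security Hub control findings. The following added example, which is neither AWS code nor MetricStream's, shows how a consumer of those findings turns them into the per-control pass/fail view that CCM needs: archived records and suppressed findings are kept out of the score, a control fails if any active resource fails, and failed controls are ordered by severity. The findings are constructed sample data; the field names used (Compliance.Status, Compliance.SecurityControlId, Severity.Label, Resources[].Id, RecordState, Workflow.Status) are my reading of the AWS Security Finding Format, and the `ProductFields.ControlId` fallback is an assumption for older-style findings.

```python
# Severity labels in the AWS Security Finding Format, most severe first.
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "INFORMATIONAL": 4}


def asff(control_id, status, severity, resource, record_state="ACTIVE", workflow="NEW"):
    """Build a minimal ASFF control finding (only the fields the functions below read)."""
    return {
        "Compliance": {"Status": status, "SecurityControlId": control_id},
        "Severity": {"Label": severity},
        "Resources": [{"Id": resource}],
        "RecordState": record_state,
        "Workflow": {"Status": workflow},
    }


# Constructed sample findings; the account ID, bucket names and security group are made up.
SAMPLE_FINDINGS = [
    asff("IAM.4", "PASSED", "INFORMATIONAL", "AWS::::Account:111111111111", workflow="RESOLVED"),
    asff("S3.1", "FAILED", "MEDIUM", "arn:aws:s3:::example-public-bucket"),
    asff("S3.1", "PASSED", "INFORMATIONAL", "arn:aws:s3:::example-private-bucket", workflow="RESOLVED"),
    # resource no longer exists: the record is archived, so it must not count
    asff("S3.1", "FAILED", "MEDIUM", "arn:aws:s3:::deleted-bucket", record_state="ARCHIVED"),
    # risk accepted and recorded as a suppression: kept out of the score, reported separately
    asff("CloudTrail.1", "FAILED", "HIGH", "AWS::::Account:111111111111", workflow="SUPPRESSED"),
    asff("EC2.2", "FAILED", "HIGH",
         "arn:aws:ec2:us-east-1:111111111111:security-group/sg-0123456789abcdef0"),
]


def control_id(finding):
    """Control identifier: consolidated-controls field, with an assumed fallback to ProductFields."""
    return (finding.get("Compliance", {}).get("SecurityControlId")
            or finding.get("ProductFields", {}).get("ControlId"))


def is_active(finding):
    return finding.get("RecordState") == "ACTIVE"


def is_suppressed(finding):
    return finding.get("Workflow", {}).get("Status") == "SUPPRESSED"


def suppressed_findings(findings):
    """Active findings that someone chose to suppress: an accepted-risk list for the auditor."""
    return [f for f in findings if is_active(f) and is_suppressed(f)]


def control_summary(findings):
    """Per control: passed/failed resource counts, worst failing severity, failing resource IDs."""
    summary = {}
    for f in findings:
        if not is_active(f) or is_suppressed(f):
            continue
        entry = summary.setdefault(control_id(f),
                                   {"passed": 0, "failed": 0, "severity": None, "failing_resources": []})
        status = f["Compliance"]["Status"]
        if status == "FAILED":
            entry["failed"] += 1
            entry["failing_resources"].extend(r["Id"] for r in f.get("Resources", []))
            label = f["Severity"]["Label"]
            if entry["severity"] is None or SEVERITY_RANK[label] < SEVERITY_RANK[entry["severity"]]:
                entry["severity"] = label
        elif status == "PASSED":
            entry["passed"] += 1
        # WARNING / NOT_AVAILABLE neither pass nor fail and are left out of the counts
    return summary


def failed_controls(summary):
    """Controls with at least one failing resource, most severe first, then by ID."""
    failing = [cid for cid, e in summary.items() if e["failed"]]
    return sorted(failing, key=lambda cid: (SEVERITY_RANK[summary[cid]["severity"]], cid))


def compliance_score(summary):
    """Fraction of evaluated controls with no failing resource (0.0 if nothing was evaluated)."""
    evaluated = [e for e in summary.values() if e["passed"] or e["failed"]]
    if not evaluated:
        return 0.0
    return sum(1 for e in evaluated if e["failed"] == 0) / len(evaluated)


if __name__ == "__main__":
    summary = control_summary(SAMPLE_FINDINGS)
    print(f"score: {compliance_score(summary):.0%}")
    for cid in failed_controls(summary):
        print(cid, summary[cid]["severity"], summary[cid]["failing_resources"])
    print("suppressed:", [control_id(f) for f in suppressed_findings(SAMPLE_FINDINGS)])
```

Keeping suppressed findings out of the score but reporting them separately is the point of the design: a suppression is a risk decision, and the compliance view should show who accepted what rather than silently improving the number.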
There are many other services for governance and compliance. Want to learn more about governance and compliance on AWS? Come join me in my new introduction to Governance and Compliance on AWS course and let's get to learning!
Governance, Risk, And Compliance When Establishing Your Cloud Presence
We've updated this post to reference the recently published Management & Governance Lens, an extension of the AWS Well-Architected Framework.
When speaking with the business and technology leaders I work with, they express the need to bring new products and services to market quickly. They must also stay secure while doing so. At the same time, they must maintain a resilient environment while adapting workloads to changing business needs over time. In this multi-part blog series, I share AWS best practices to help our customers plan their AWS environments to meet these security, scalability, and adaptability requirements.
Recently, AWS published the Management and Governance Lens, an extension of the AWS Well-Architected Framework. The M&G Lens provides a set of prescriptive guidance collected from thousands of migrations and activation days. From this work, we learn how to manage and govern so that your cloud environments are migration ready, scale ready, and optimized for efficiency. My goal is to guide customers through the design considerations for managing their cloud presence. This series will be followed by additional blog posts that guide the implementation of common use cases and patterns aligned with this guidance.
Why Evolve Your GRC
To establish GRC frameworks, enterprises have traditionally developed an array of programmes and departments such as Internal Audit, Compliance, Risk, Legal, Finance, IT, and HR, as well as the line of business, the executive suite, and the enterprise's board itself. However, this traditional approach can be disjointed. When elements of the GRC framework are siloed, it is more likely that wrong or counterproductive objectives are established, suboptimal strategies are selected, and performance is not optimized.
According to OCEG, organisations that integrate GRC processes and technology across previously siloed areas report benefits such as:
- greater information and data quality
- improved ability to gather information and data quickly and efficiently
- greater consistency in processes and approaches
A good GRC framework ensures that the right people get the right information at the right times, that the right processes are followed, and that the right solutions, using technology or otherwise, are implemented in a timely fashion.
Introduction By Mark Schwartz
In several earlier posts I discussed new strategies for governance in the cloud and the digital world in general. In the first, I talked about the kind of governance that requires standardization and rules. In the second, I wrote about governing projects and investments. The underlying point of these posts was that it's one thing to move to the cloud, but another to fully realize its value for your business. As soon as you begin working in the cloud, you'll realize benefits. But the cloud's potential for delivering business value is vast. Once you're operating in the cloud, the next step is to evolve your governance and risk management approaches to take advantage of the cloud.
In this post, John Thorp, from our AWS Security Assurance and Advisory practice, dives into Governance, Risk, and Compliance and how AWS can help you evolve your practices in these areas.
AWS Compliance And Governance: What You Need To Know
This AWS Certified Security – Specialty training maps to the SCS-C01 IT governance, risk management, and compliance exam objectives and covers topics such as:
- Staying compliant with AWS tools that keep data safe while saving money
- Understanding shared responsibilities in data compliance
- Managing deployments using EC2, CloudFormation, and Elastic Beanstalk
- Managing cost control options
Operational And Business Management
AWS uses a combination of weekly, monthly, and quarterly meetings and reports to, among other things, ensure communication of risks across all components of the risk management process. In addition, AWS implements an escalation process to provide management visibility into high priority risks across the organization. These efforts, taken together, help ensure that risk is managed consistently with the complexity of the AWS business model.
In addition, through a cascading responsibility structure, vice presidents are responsible for the oversight of their business. To this end, AWS conducts weekly meetings to review operational metrics and identify key trends and risks before they impact the business.
Executive and senior leadership play important roles in establishing the AWS tone and core values. Every employee is provided with the company's Code of Business Conduct and Ethics, and employees complete periodic training. Compliance audits are performed so that employees understand and follow established policies.