Modern IT Governance Through Transparency and Automation

AWS Government, Education, and Nonprofit Symposium, Washington, DC, June 25-26, 2015

Page 1

Mark Ryland, Chief Architect, WWPS
[email protected]

Page 2

IT governance: high-level definition

• “The leadership, organizational structures, and processes to ensure that the organization's IT sustains and extends the organization's strategies and objectives.”– IT Governance Institute

Page 3

Where does governance sit?
• Part of a larger complex of GRC(S): governance, risk management, compliance, and security
• Compliance (policy) and security (implementation) are shared responsibilities on AWS
• Risk (management) is a strategic responsibility
• Governance is your responsibility, with help from AWS tools and capabilities

Page 4

Compliance and security
Certifications and accreditations for workloads that matter
(Slide shows certification program logos; only the MTCS label survived extraction.)
Security is a shared responsibility

Page 5

Key governance questions
• What do I have?
• How is it performing?
• Who is in control of it?
• Is it secure and compliant?
  – Are changes occurring with the right processes and protections?
• What is it costing me?

Page 6

AWS and governance
• AWS capabilities and services provide key building blocks to answer these questions
• Better answers than were ever available in traditional infrastructure
• Still integration challenges, but leverage the head start provided by the cloud

Page 7

What do I have?
• Describe* calls provide comprehensive lists of all resources (for example, aws ec2 describe-instances); each call is scoped to one service and one region, so a full inventory iterates over both
• AWS Config provides integration and time-based insights (configuration history)
• Partner ecosystem adds more value, richer capabilities
• (Building a comprehensive, accurate configuration DB on-premises is practically impossible)
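As an added example (not from the presentation) of turning Describe* output into an inventory: the script below flattens the JSON that `aws ec2 describe-instances --output json` returns into one row per instance and flags instances missing the tags a governance team needs to attribute them. The sample response is constructed to follow the shape of the DescribeInstances API output, and the required tag names (`Owner`, `CostCenter`) are an assumed tagging standard.

```python
"""Flatten `aws ec2 describe-instances` output into an inventory and flag
instances lacking the tags governance needs.

Added example, not from the presentation. SAMPLE_DESCRIBE_INSTANCES is a
constructed response in the DescribeInstances API shape; in practice you
feed in the JSON from `aws ec2 describe-instances --region <r> --output json`
for every region listed by `aws ec2 describe-regions`, because Describe*
calls cover one service in one region at a time.
"""
import json

REQUIRED_TAGS = ("Owner", "CostCenter")  # assumption: the organization's tagging standard

SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0a1b2c3d4e5f60001", "InstanceType": "m4.large",
             "State": {"Name": "running"}, "VpcId": "vpc-0aaa",
             "Placement": {"AvailabilityZone": "us-east-1a"},
             "Tags": [{"Key": "Name", "Value": "web-1"},
                      {"Key": "Owner", "Value": "mission-team-a"},
                      {"Key": "CostCenter", "Value": "1234"}]},
            {"InstanceId": "i-0a1b2c3d4e5f60002", "InstanceType": "t2.micro",
             "State": {"Name": "running"}, "VpcId": "vpc-0aaa",
             "Placement": {"AvailabilityZone": "us-east-1b"},
             "Tags": [{"Key": "Name", "Value": "scratch"}]},
        ]},
        {"Instances": [
            # An instance with no Tags key at all (the API omits it when empty).
            {"InstanceId": "i-0a1b2c3d4e5f60003", "InstanceType": "c4.xlarge",
             "State": {"Name": "stopped"}, "VpcId": "vpc-0bbb",
             "Placement": {"AvailabilityZone": "us-east-1a"}},
        ]},
    ]
})


def flatten_instances(describe_output, region):
    """Return one flat dict per instance; the Tags list becomes a plain dict."""
    data = json.loads(describe_output) if isinstance(describe_output, str) else describe_output
    rows = []
    for reservation in data.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
            rows.append({
                "region": region,
                "instance_id": inst["InstanceId"],
                "type": inst.get("InstanceType"),
                "state": inst.get("State", {}).get("Name"),
                "vpc": inst.get("VpcId"),
                "az": inst.get("Placement", {}).get("AvailabilityZone"),
                "tags": tags,
            })
    return rows


def build_inventory(per_region_outputs):
    """per_region_outputs maps region name -> describe-instances JSON; merges regions."""
    rows = []
    for region, output in per_region_outputs.items():
        rows.extend(flatten_instances(output, region))
    return rows


def missing_tags(rows, required=REQUIRED_TAGS):
    """Map instance id -> required tags it lacks. Untagged resources cannot be
    attributed to an owner, a budget, or a tag-based authorization scope."""
    findings = {}
    for row in rows:
        absent = [k for k in required if not row["tags"].get(k)]
        if absent:
            findings[row["instance_id"]] = absent
    return findings


if __name__ == "__main__":
    inventory = build_inventory({"us-east-1": SAMPLE_DESCRIBE_INSTANCES})
    for row in inventory:
        print(row["region"], row["instance_id"], row["state"], row["tags"].get("Name", "-"))
    for iid, absent in missing_tags(inventory).items():
        print(f"{iid}: missing required tags {absent}")
```

The same flattening applies to any other Describe*/List* output (RDS, S3, security groups); the governance value comes from running it across every region on a schedule and diffing the result, which is what AWS Config does for you for the resource types it supports.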

Page 8

How is it performing?
• Services emit metrics into CloudWatch
  – Accessible through console, CLI, API
• Alerting and alarming on all metric data
  – Rich integration with Simple Notification Service
• CloudWatch Logs integrates OS and application log data
• Trusted Advisor (TA) for dashboard and alerts for under-utilization, availability issues
• Rich integration into third-party monitoring platforms from AWS partners

Page 9

Who is in control?
• Powerful, fine-grained IAM capabilities
  – Authentication and authorization
  – Reporting and analysis
• Rich integration with corporate identity systems through SAML or directly with Active Directory
• Tagging for administration, authorization, billing
• [Demo]

Page 10

Secure and compliant?
• … Are changes occurring with the right processes and protections?
• AWS infrastructure: yes
• Customer responsibilities:
  – Great tools and building blocks
  – Innovation required in the process model

Page 11

Tools and building blocks
• TA displays obvious (possible) issues
• CloudTrail, Config, CloudWatch (Logs), VPC Flow Logs, S3 logs, ELB logs
• VPC peering (including cross-account)
• CloudFormation for repeatable processes
• Cross-account role-based access

Page 12

Horizontal shared responsibility
• Mission teams control their own infrastructure (VPCs, instances, AMIs, DBs, S3 buckets, etc.)
• Central security team has audit and control rights over core infrastructure along with “shared security/compliance services”
  – Using cross-account role-based access, for example
• Agility benefits of mission-driven “shadow IT,” governance/security benefits of central IT control

Page 13

Shared security services
• Central team can manage for all:
  – Account creation/provisioning/setup
  – Identity management, federation endpoint(s)
  – Core networking and security IAM policies
  – CloudTrail, Config, security log management
  – Golden OS images (AMIs), associated IAM limits
  – Incident response/forensics services
  – Cost alarm/review/auditing services
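The cross-account role-based access that pages 12 and 13 rely on stands or falls on the trust policy the mission account attaches to its audit role. As an added example (not from the presentation), the block below shows that trust policy in a weak form and a hardened form, a check that flags the weak one, and the CLI commands a mission account would run to create the role. Account IDs, role names and the ExternalId value are placeholders; `SecurityAudit` is the AWS-managed read-only policy.

```python
"""Trust policy for a central security team's cross-account audit role,
weak and hardened, with a check that flags the weak one.

Added example, not from the presentation. Account IDs, role names and the
ExternalId value are placeholders. The mission account creates the role
with the hardened trust policy and attaches the AWS-managed SecurityAudit
permissions policy; the security account then assumes it through STS.
"""
import json

SECURITY_ACCOUNT = "111111111111"  # placeholder: central security team's account
MISSION_ACCOUNT = "222222222222"   # placeholder: one mission team's account
AUDIT_ROLE_NAME = "CentralSecurityAuditRole"                 # placeholder
AUDIT_PERMISSIONS = "arn:aws:iam::aws:policy/SecurityAudit"  # AWS-managed, read-only

# Weak: trusts the whole security account (every user and role in it) and
# attaches no conditions, so any leaked credential there can assume the role.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{SECURITY_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
    }],
}

# Hardened: one named role may assume it, only from an MFA-authenticated
# session, and only when it presents the agreed ExternalId.
HARDENED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{SECURITY_ACCOUNT}:role/SecurityAuditors"},
        "Action": "sts:AssumeRole",
        "Condition": {
            "Bool": {"aws:MultiFactorAuthPresent": "true"},
            "StringEquals": {"sts:ExternalId": "mission-a-audit-2015"},  # placeholder
        },
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Principal may be '*', a string ARN, or {'AWS': arn | [arns]}."""
    principal = stmt.get("Principal", {})
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS", []))
    return _as_list(principal)


def audit_trust_policy(policy):
    """Findings for every Allow/AssumeRole statement broader than
    'one named principal, MFA required, ExternalId required'. Empty = clean."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(stmt.get("Action", []))):
            continue
        for p in _principals(stmt):
            if p == "*":
                findings.append(f"statement {i}: Principal '*' lets any AWS account assume the role")
            elif isinstance(p, str) and p.endswith(":root"):
                findings.append(f"statement {i}: account-root principal {p} trusts every identity in that account")
        cond = stmt.get("Condition", {})
        if not any("sts:ExternalId" in keys for keys in cond.values()):
            findings.append(f"statement {i}: no sts:ExternalId condition")
        if str(cond.get("Bool", {}).get("aws:MultiFactorAuthPresent", "")).lower() != "true":
            findings.append(f"statement {i}: MFA not required (aws:MultiFactorAuthPresent)")
    return findings


def audit_role_arn():
    return f"arn:aws:iam::{MISSION_ACCOUNT}:role/{AUDIT_ROLE_NAME}"


def create_role_commands(trust_policy):
    """AWS CLI commands the mission account runs (returned as strings, not executed)."""
    doc = json.dumps(trust_policy, separators=(",", ":"))
    return [
        f"aws iam create-role --role-name {AUDIT_ROLE_NAME} --assume-role-policy-document '{doc}'",
        f"aws iam attach-role-policy --role-name {AUDIT_ROLE_NAME} --policy-arn {AUDIT_PERMISSIONS}",
    ]


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_TRUST_POLICY), ("hardened", HARDENED_TRUST_POLICY)):
        print(label, audit_trust_policy(policy) or "OK")
    print("\n".join(create_role_commands(HARDENED_TRUST_POLICY)))
```

The auditor in the security account then obtains a session with `aws sts assume-role --role-arn arn:aws:iam::222222222222:role/CentralSecurityAuditRole --role-session-name audit --external-id mission-a-audit-2015 --serial-number <mfa-device-arn> --token-code <code>`. Because the role lives in the mission account, that account's CloudTrail records the AssumeRole call and every API call made with the session, so the central team's own activity is auditable by the team it audits.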

Page 14

Example: Shared services VPC

Page 15

Automate, automate, automate
• Programmable infrastructure changes everything!
• CloudFormation, APIs for everything at the infrastructure level
• For apps: Elastic Beanstalk, OpsWorks, CodeDeploy, CodePipeline

Page 16

Programmable infrastructure
• Manage everything (including security and compliance) using SDL from a source code repository
• Security and compliance baked into your continuous integration/continuous deployment pipeline
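If every change is supposed to flow through the pipeline (pages 10, 11 and 16), the governance check is whether anything mutating happened outside it. As an added example (not from the presentation), the block below runs that rule over CloudTrail records: a mutating API call is acceptable only when made through an approved deployment role, and calls that disable the audit trail itself are flagged whoever makes them. The records are constructed to follow the CloudTrail event-record shape; the account ID, role and user names are placeholders.

```python
"""Find changes that bypassed the deployment pipeline in CloudTrail records.

Added example, not from the presentation. SAMPLE_RECORDS is constructed in
the CloudTrail event-record shape; account ID, role and user names are
placeholders. Rule: a mutating call is in-process only when made through an
approved deployment role; any other mutating call is out-of-band, and calls
that weaken audit logging are flagged regardless of who made them.
"""
import json

ACCOUNT = "222222222222"  # placeholder mission account
APPROVED_DEPLOY_ROLES = {f"arn:aws:iam::{ACCOUNT}:role/DeployPipelineRole"}  # placeholder
# Calls that disable or alter the audit trail itself: always a finding.
LOGGING_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail",
                  "StopConfigurationRecorder", "DeleteConfigurationRecorder"}
# Fallback for records that lack the 'readOnly' field.
READ_PREFIXES = ("Describe", "Get", "List", "Lookup")


def _user(name):
    return {"type": "IAMUser", "accountId": ACCOUNT, "userName": name,
            "arn": f"arn:aws:iam::{ACCOUNT}:user/{name}"}


def _role_session(role_name, session):
    return {"type": "AssumedRole", "accountId": ACCOUNT,
            "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/{role_name}/{session}",
            "sessionContext": {"sessionIssuer": {
                "type": "Role", "arn": f"arn:aws:iam::{ACCOUNT}:role/{role_name}"}}}


def _rec(time, source, name, identity, agent, **extra):
    return {"eventVersion": "1.05", "eventTime": time, "eventSource": source,
            "eventName": name, "awsRegion": "us-east-1",
            "sourceIPAddress": "203.0.113.10", "userAgent": agent,
            "userIdentity": identity, **extra}


# Constructed sample: one CloudTrail delivery file's worth of records.
SAMPLE_RECORDS = [
    _rec("2015-06-25T14:00:01Z", "ec2.amazonaws.com", "RunInstances",
         _role_session("DeployPipelineRole", "cfn-stack-web"), "cloudformation.amazonaws.com"),
    _rec("2015-06-25T14:05:12Z", "ec2.amazonaws.com", "AuthorizeSecurityGroupIngress",
         _user("alice"), "console.amazonaws.com"),
    _rec("2015-06-25T14:06:30Z", "ec2.amazonaws.com", "DescribeInstances",
         _user("alice"), "console.amazonaws.com", readOnly=True),
    _rec("2015-06-25T14:20:00Z", "cloudtrail.amazonaws.com", "StopLogging",
         _role_session("DeployPipelineRole", "cfn-stack-web"), "aws-cli/1.7.0"),
    _rec("2015-06-25T14:31:45Z", "s3.amazonaws.com", "PutBucketPolicy",
         _role_session("MissionAdminRole", "bob"), "aws-cli/1.7.0", readOnly=False),
]


def actor_of(record):
    """The principal to hold accountable: the role behind an assumed-role
    session (not the per-session ARN), or the user ARN."""
    ident = record.get("userIdentity", {})
    if ident.get("type") == "AssumedRole":
        return ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn", ident.get("arn"))
    return ident.get("arn")


def is_mutating(record):
    if "readOnly" in record:  # present on newer CloudTrail records
        return not record["readOnly"]
    return not record["eventName"].startswith(READ_PREFIXES)


def classify(record, approved=APPROVED_DEPLOY_ROLES):
    """None when the call is acceptable, otherwise the finding type."""
    if record["eventName"] in LOGGING_TAMPER:
        return "audit-tamper"
    if not is_mutating(record):
        return None
    if actor_of(record) in approved:
        return None
    return "out-of-band-change"


def find_out_of_band_changes(records, approved=APPROVED_DEPLOY_ROLES):
    findings = []
    for r in records:
        verdict = classify(r, approved)
        if verdict:
            findings.append({"time": r["eventTime"], "event": r["eventName"],
                             "actor": actor_of(r), "source_ip": r.get("sourceIPAddress"),
                             "user_agent": r.get("userAgent"), "verdict": verdict})
    return findings


def load_delivery_file(text):
    """CloudTrail delivers gzipped JSON files to S3 with a top-level 'Records' array."""
    return json.loads(text)["Records"]


if __name__ == "__main__":
    for f in find_out_of_band_changes(SAMPLE_RECORDS):
        print(f"{f['time']} {f['verdict']:<20} {f['event']:<30} {f['actor']} via {f['user_agent']}")
```

On the sample, the CloudFormation launch under the pipeline role passes, the console security-group change and the S3 policy change by a human-driven role are out-of-band, and StopLogging is flagged even though the pipeline role issued it. The user agent (`console.amazonaws.com` versus `cloudformation.amazonaws.com`) is a useful second signal but not the rule, since an approved role can be misused from the CLI too.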

Page 17

Cost transparency and control
• Everything billed by the hour, gigabyte
• Bills updated 4x per day
• Programmatic access to all billing data with user-generated resource tags
• CloudWatch tools/alarms for billing data
• AWS Marketplace helps with software license management challenges

Page 18

It’s happening!
• Not a pipe dream, but a reality at agencies like USCIS, DHS
  – Michael Schwartz, CIO: https://youtu.be/QwHVlJtqhaI
• DevOps and CI/CD on the AWS cloud, providing dev/ops agility with baked-in governance benefits

Page 19

AWS cloud can help
• Today: Trusted Advisor and other key building blocks
• Soon: automation-based security and compliance with AWS “Trusted Architect”; documentation and workshops coming soon

Page 20

Thank you. This presentation will be uploaded to SlideShare the week following the Symposium.

http://www.slideshare.net/AmazonWebServices