If you would like to read the first part in this article series please go to Improve IT Governance with AWS (Part 1).
AWS offers a broad set of services that are designed to work together and build on one another. To support the complex, yet fundamental, task of governance, AWS provides a number of security and governance features. Using these features helps organisations get the most from the AWS environment and meet their governance objectives.
Introduction
In part one of this series we established that the three principal objectives of IT governance are to ensure that the use of information and technology creates business value, to manage performance, and to manage the risks that come with using information and technology.
Cloud computing enables rapid growth in technology use and opens the business up to a vast selection of technology options. Organisations therefore need to make the right technology decisions more quickly, so good governance is essential in an environment where cloud computing dominates.
We considered the governance benefits of AWS compared with an on-premise alternative and began to look at how AWS governance features help address the fundamental governance areas.
A very simplified set of steps to good governance, whatever the framework, should include:
- Establish the organisational starting point (what you have to work with)
- Determine the requirements for good governance, benchmarking your resources and systems to see where you are and where you need to be in order to realise your goals
- Simplify with standards, frameworks and best practices
- Reduce IT complexity, aiming for a uniform and consolidated IT environment
- Gain efficiency through automation tools and training
- Avoid reinventing in-house a practice that is unlikely to match what a specialist solution achieves (most of the time this is more time consuming, more costly and does not end well)
Taking these steps into consideration, AWS has covered this ground and more, ensuring that the governance features available work with its services so that an organisation can reach its goals. Much of the arduous work has already been done for you.
To recap, the AWS governance feature set covers:
- the management of IT resources
- the management of IT performance
- the management of IT security
We looked at managing IT resources and managing performance with AWS in Part One. To conclude the three areas, we continue here with the management of IT security.
Fundamental governance areas and the AWS governance features to address them (continued)
Managing IT Security
This should include controlling physical access to IT resources, securing IT resources and logging access to IT resources (covering physical, administrative and technical controls).
Physical Access
An essential part of governance is ensuring that the physical environment is always secure; transparency into the controls used is key.
You need to ensure that physical security measures are in place, maintained and monitored in order to effectively control access to your facilities and resources.
AWS supports a range of governance features for controlling physical access to IT resources. It is imperative to consider not only the traditional physical access controls but also the management of access to the virtual infrastructure (the cloud environment).
AWS meets the requirement for physical access security by having its data centres independently audited on a regular basis. The audit and certification programmes that cover the physical access controls include:
- AWS SOC 1
- AWS SOC 2
- AWS PCI DSS
- AWS ISO 27001
- AWS FedRAMP
Having these resources and expert skills on hand ensures that the physical security achieved is the best it can be, adapting to the changing environment whenever necessary. Note that these audits cover the infrastructure AWS operates; under the shared responsibility model the customer remains responsible for the logical controls described next.
Logical access
Logical access controls are those used for identification, authentication, authorisation and accountability, usually enforced by a software component. With an on-premise solution it is challenging to keep all access controls synchronised without overlap, and it is becoming difficult for organisations to scale on-premise solutions to meet the mounting intricacies in this area.
Logical access also involves establishing rules and policies and managing permissions and roles, which is likewise hard to keep control of with an on-premise solution.
AWS governance features available to manage logical access
| AWS Feature | What it aims to accomplish |
| --- | --- |
| Amazon S3 Access Control Lists (ACLs) | Per-bucket and per-object grants (read, write, full control) to AWS accounts and predefined groups |
| Amazon S3 Bucket Policies | Resource-based JSON policies that allow or deny access based on conditions (source IP, requesting principal, TLS, encryption headers) |
| Amazon S3 Query String Authentication | Time-limited, signed (pre-signed) URLs that grant access to a single object without sharing credentials |
| AWS CloudTrail | Logging of API and console actions for monitoring |
| AWS IAM Multi-factor Authentication | A second factor (hardware or virtual token) required in addition to the password |
| AWS IAM password policy | Control of user password length, complexity, rotation and reuse |
| AWS IAM Permissions | Allow or deny specific API actions on specific resources |
| AWS IAM Policies | JSON policy documents used to grant least-privilege access |
| AWS IAM roles | Temporary credentials assumed by users, services or federated identities, avoiding long-lived keys |
| AWS Trusted Advisor | Automated checks for common security misconfigurations (e.g. unrestricted security group ports, no MFA on the root account) |
Table 1
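The "query string authentication" row of Table 1 is the one feature in the table that is a protocol rather than a setting, so here it is worked through end to end. This is an added example, not AWS SDK code: it re-implements the public Signature Version 4 pre-signed URL scheme with the standard library so that both sides (the issuer and the verifying service) can be seen and run offline. In practice you would call boto3's generate_presigned_url() and let S3 verify. The access key, secret, bucket name, object key and timestamps are constructed placeholders, and the `keys` dictionary stands in for the service's credential store.

```python
"""Pre-signed S3 URL (query-string authentication): SigV4 signing on the
issuing side and recomputation plus expiry enforcement on the verifying side.
Added example with constructed placeholder credentials; not AWS SDK code."""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, quote, unquote, urlsplit

# Constructed placeholders (the documented AWS example values), not real keys.
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
REGION = "us-east-1"
MAX_EXPIRES = 604800  # S3 rejects pre-signed URLs valid for more than 7 days


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret: str, date: str, region: str) -> bytes:
    # Per-day, per-region, per-service derived key; the long-term secret
    # itself never appears in the URL.
    k = _hmac(("AWS4" + secret).encode(), date)
    for part in (region, "s3", "aws4_request"):
        k = _hmac(k, part)
    return k


def _canonical_query(query: dict) -> str:
    # Sorted by name; everything outside the unreserved set percent-encoded.
    return "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                    for k, v in sorted(query.items()))


def _string_to_sign(host, key, query, amz_date, scope) -> str:
    canonical_request = "\n".join([
        "GET",
        quote("/" + key, safe="/-_.~"),   # canonical URI
        _canonical_query(query),
        f"host:{host}\n",                  # canonical headers (Host only)
        "host",                            # signed headers
        "UNSIGNED-PAYLOAD",                # pre-signed URLs do not sign a body
    ])
    digest = hashlib.sha256(canonical_request.encode()).hexdigest()
    return "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, digest])


def presign_get(bucket, key, expires_s, now=None,
                access_key=ACCESS_KEY, secret_key=SECRET_KEY, region=REGION):
    """Return a URL granting GET on one object for expires_s seconds."""
    now = now or datetime.now(timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    host = f"{bucket}.s3.amazonaws.com"
    query = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires_s),
        "X-Amz-SignedHeaders": "host",
    }
    sts = _string_to_sign(host, key, query, amz_date, scope)
    query["X-Amz-Signature"] = hmac.new(_signing_key(secret_key, amz_date[:8], region),
                                        sts.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{quote('/' + key, safe='/-_.~')}?{_canonical_query(query)}"


def verify_presigned(url, keys, now=None) -> bool:
    """What the service does on receipt: look up the secret for the access key,
    recompute the signature over the request as received, enforce expiry.
    `keys` maps access key id -> secret (a constructed stand-in for the
    service's credential store)."""
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    try:
        signature = query.pop("X-Amz-Signature")
        amz_date = query["X-Amz-Date"]
        expires_s = int(query["X-Amz-Expires"])
        access_key, date, region, service, term = query["X-Amz-Credential"].split("/")
        issued = datetime.strptime(amz_date, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    except (KeyError, ValueError):
        return False
    if (query.get("X-Amz-Algorithm") != "AWS4-HMAC-SHA256" or service != "s3"
            or term != "aws4_request" or not 1 <= expires_s <= MAX_EXPIRES
            or access_key not in keys):
        return False
    now = now or datetime.now(timezone.utc)
    if now < issued or now > issued + timedelta(seconds=expires_s):
        return False  # expired, or issued in the future (clock skew or forgery)
    scope = f"{date}/{region}/s3/aws4_request"
    key = unquote(parts.path[1:])
    sts = _string_to_sign(parts.netloc, key, query, amz_date, scope)
    expected = hmac.new(_signing_key(keys[access_key], date, region),
                        sts.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)  # constant-time compare


def demo():
    """Round trip plus the failure modes a practitioner should expect."""
    t0 = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
    store = {ACCESS_KEY: SECRET_KEY}
    url = presign_get("governance-logs", "audit/2024/report.csv", 300, now=t0)
    return {
        "valid": verify_presigned(url, store, now=t0 + timedelta(seconds=60)),
        "expired": verify_presigned(url, store, now=t0 + timedelta(seconds=301)),
        "tampered_key": verify_presigned(url.replace("report.csv", "secrets.csv"), store, now=t0),
        "wrong_secret": verify_presigned(url, {ACCESS_KEY: "not-the-secret"}, now=t0),
    }
```

The governance point is visible in `demo()`: the URL does not bypass authentication, it carries a signature bound to one object, one method, one access key and a window that the service enforces, so changing the object key, exceeding the window or losing the secret all fail closed. The one thing the signature does not bind is who holds the URL; anyone who obtains it within the window can use it, so keep expiry short and log the access with S3 server access logs (Table 3).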
Security of resources
AWS simplifies this considerably compared with the procedures that an on-premise alternative would require.
AWS governance features available to manage security of resources
| AWS Feature | What it aims to accomplish |
| --- | --- |
| Amazon EC2 Dedicated Instances | Instances run on hardware dedicated to a single customer, isolated at the host level from other customers' instances |
| Amazon EC2 instance launch wizard | Enables a consistent launch procedure |
| Amazon EC2 Security groups | Stateful instance-level firewall controlling inbound and outbound traffic |
| Amazon Glacier archives | Secure long-term archival storage, encrypted at rest by default |
| Amazon S3 Client-side encryption | Data encrypted by the client before it is sent to S3, so the keys never leave your control |
| Amazon S3 Server-side encryption | Objects encrypted at rest by S3, with keys managed by S3 or by AWS KMS |
| Amazon VPC | A logically isolated virtual network within AWS whose address ranges, subnets and routing you define |
| Amazon VPC logical isolation | Virtual isolation of resources from other tenants and other VPCs |
| Amazon VPC network ACLs | Stateless rules controlling traffic at the subnet level |
| Amazon VPC private IP addresses | Instances reachable only within the VPC unless explicitly given a public address and a route to an internet gateway |
| Amazon VPC security groups | Instance-level isolation for EC2 instances within the VPC |
| AWS Direct Connect | Dedicated private network connection from your premises to AWS |
| Amazon VPN connection (on-premise hardware/software) | Encrypted IPsec connection from your existing network to AWS |
| Virtual private gateways | The VPC-side endpoint of a hardware VPN connection into the VPC |
Table 2
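Security groups are the control in Table 2 that most often drifts out of governance, and the Trusted Advisor check from Table 1 ("unrestricted access") is simple enough to reproduce yourself. The following is an added example, not code from the page or from AWS: it audits the structure that the EC2 DescribeSecurityGroups API returns (or that `aws ec2 describe-security-groups` prints) for administrative ports reachable from the whole internet over IPv4 or IPv6, and treats the protocol `-1` (all traffic) case correctly. The group ids, names and CIDRs are constructed sample data, and the watch list of ports is an assumption you would adjust.

```python
"""Audit EC2 security groups for admin ports open to the world.
Added example over a constructed DescribeSecurityGroups response."""
import ipaddress

# Assumed watch list: ports that should never be reachable from 0.0.0.0/0 or ::/0.
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres",
               1433: "mssql", 6379: "redis", 27017: "mongodb"}

# Constructed sample in the shape the EC2 API returns (fields not needed here omitted).
SAMPLE_GROUPS = {"SecurityGroups": [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
         "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0e5f6a7b", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0c9d8e7f", "GroupName": "db", "IpPermissions": [
        # IpProtocol "-1" means all protocols and all ports; the API omits FromPort/ToPort.
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
         "UserIdGroupPairs": []},
        # Reference to another security group: not an internet exposure.
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d"}]}]},
]}


def is_world(cidr: str) -> bool:
    # Trusted Advisor's "unrestricted" test: the rule covers every address (IPv4 or IPv6).
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def exposed_ports(perm: dict, watch: dict) -> list:
    """Watched ports covered by one permission entry (all of them for '-1')."""
    if perm["IpProtocol"] == "-1":
        return sorted(watch)
    if perm["IpProtocol"] not in ("tcp", "6"):
        return []  # the watch list is TCP services
    return sorted(p for p in watch if perm["FromPort"] <= p <= perm["ToPort"])


def audit_security_groups(describe_output: dict, watch: dict = ADMIN_PORTS) -> list:
    """Return (group id, group name, port, service, cidr) for every watched port
    reachable from anywhere. Rules that reference another security group
    (UserIdGroupPairs) are intra-VPC and are ignored."""
    hits = []
    for sg in describe_output["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            cidrs = ([r["CidrIp"] for r in perm.get("IpRanges", [])]
                     + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])
            for cidr in cidrs:
                if not is_world(cidr):
                    continue
                for port in exposed_ports(perm, watch):
                    hits.append((sg["GroupId"], sg["GroupName"], port, watch[port], cidr))
    return hits


if __name__ == "__main__":
    for hit in audit_security_groups(SAMPLE_GROUPS):
        print("%s (%s): %s/%d open to %s" % (hit[0], hit[1], hit[3], hit[2], hit[4]))
```

Two details matter in practice: an IPv6 `::/0` rule is exactly as exposed as `0.0.0.0/0` and is easy to overlook when auditing by eye, and an all-traffic rule (`-1`) exposes every port, so the audit must expand it rather than skip it for lacking a port range. Rules that reference another security group are the pattern you want (the `db` group's MySQL rule), since they describe trust between tiers rather than an address range.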
Logging controls
Accurate logging of access, and of attempted access, is fundamental to governance. Organisations are inundated with log data from the wide range of processes and activities undertaken every day. The possible uses of this data are vast, yet organisations find it difficult to correlate it all and make sense of it, and valuable signals are often overlooked because of poor log interpretation. Most of the time the data collected goes to waste, when it could be of great use to the organisation if it had the skills to act on it.
Logs are important for a variety of reasons: behaviour tracking, compliance, maintenance and operations, forensics, monitoring service levels, managing costs and business decision-making (to add value).
AWS governance features available to manage logs
| AWS Feature | What it aims to accomplish |
| --- | --- |
| Amazon CloudFront access logs | Logs of end-user requests for objects served through a distribution |
| Amazon RDS database logs | View and download the database engine's own log files (e.g. error and slow query logs) |
| Amazon S3 Object Expiration | Lifecycle rules that automatically delete log objects once the retention period has passed |
| Amazon S3 server access logs | Logs of the requests made to a bucket |
| AWS CloudTrail | Logs of actions taken through the AWS management console and APIs |
Table 3
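The logging section's complaint is that log data is collected and then wasted for lack of interpretation. CloudTrail (last row of Table 3) is the log that answers most governance questions about the account itself, and a handful of rules over it already surface the events an auditor will ask about. The following is an added example, not code from the page or from AWS: it runs four detection rules over constructed CloudTrail records that are reduced to the fields the rules need (real records carry many more), and then correlates the findings by actor. The account id, user names, trail name and IP addresses are placeholders.

```python
"""Detection rules over CloudTrail records, then correlation by actor.
Added example over constructed, reduced CloudTrail records."""
import json
from collections import Counter

# Constructed sample in CloudTrail's record layout (most fields omitted).
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-01-15T08:01:10Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-01-15T08:05:42Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-01-15T08:07:03Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketAcl", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "errorCode": "AccessDenied",
     "requestParameters": {"bucketName": "governance-logs"}},
    {"eventTime": "2024-01-15T08:09:30Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2024-01-15T08:12:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ReadOnly/ci"}},
]})

# API calls that weaken the audit trail itself; any one of them deserves a ticket.
LOGGING_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def actor(record: dict) -> str:
    """Best available name for who did it: IAM user, else ARN, else identity type."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def evaluate(record: dict):
    """Yield (rule, actor, eventName) for every rule the record trips."""
    who, name = actor(record), record["eventName"]
    if record.get("userIdentity", {}).get("type") == "Root":
        yield ("root-account-activity", who, name)
    if name == "ConsoleLogin" and record.get("additionalEventData", {}).get("MFAUsed") == "No":
        yield ("console-login-without-mfa", who, name)
    if record.get("errorCode") in ("AccessDenied", "Client.UnauthorizedOperation"):
        yield ("access-denied", who, name)  # a permission probe or a broken least-privilege policy
    if name in LOGGING_TAMPER:
        yield ("audit-logging-tampered", who, name)


def findings(trail_json: str) -> list:
    records = json.loads(trail_json)["Records"]
    return [f for rec in records for f in evaluate(rec)]


def by_actor(trail_json: str) -> Counter:
    """Correlate: findings per actor, so one identity tripping several rules stands out."""
    return Counter(who for _, who, _ in findings(trail_json))


if __name__ == "__main__":
    for rule, who, event in findings(SAMPLE_TRAIL):
        print(f"{rule:28} {who:10} {event}")
    print(dict(by_actor(SAMPLE_TRAIL)))
```

The correlation step is the part organisations most often skip: read individually, an AccessDenied on PutBucketAcl and a StopLogging call two minutes later from the same user are two unremarkable lines; counted per actor they are one identity first being refused a change to the log bucket and then switching the trail off. The same rules run unchanged over the files CloudTrail delivers to S3, where each file is a JSON document with the same `Records` array.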
Conclusion
If approached and implemented correctly, governance can deliver the most value-added IT and performance, as well as assist in IT risk management, all of which is necessary to achieve business objectives while remaining compliant.
AWS ties these areas together so that organisations can benefit from its ease of use and scalability while realising the value of good governance practice.
Organisations can be confident that the governance domains are covered, from delivering value to managing risk, and from improved monitoring to resource and performance management. Review the AWS services you are using and apply the governance-enabling features described here to get the best governance available for those services.