Improve IT Governance with AWS (Part 2)

If you would like to read the first part in this article series please go to Improve IT Governance with AWS (Part 1).

AWS offers complete solutions that are compatible with and extend each other. To assist with the complex, yet fundamental, governance strategy, AWS has proposed a number of security and governance features. Utilising these features can help organisations get the most from the comprehensive AWS environment and achieve their governance objectives.

Introduction

In part one of this series we established that the three principal objectives of IT governance are to assure that the utilisation of information and technology creates business value, to manage performance and to manage the risks related to using information and technology.

Cloud computing allows for exceptional growth in technology and opens the business up to a countless selection of technology options. This requires organisations to make the correct technology decisions more swiftly, so improved governance is essential in an environment where cloud computing dominates.

We considered the benefits afforded by AWS governance compared with an on-premise alternative and started to look at how AWS governance features assist in addressing the fundamental governance areas.

A very simplified set of steps to good governance, no matter the framework, should include:

  • Establishment of organisational starting point (what you have to work with)
  • Determine your requirements to achieve good governance. Benchmarking your resources and systems to see where you are and where you need to go in order to realise your goals
  • Simplify with standards, frameworks and best practices
  • Simplify IT complexity, aim at achieving a uniform and consolidated IT environment
  • Gain efficiency, automation tools and training
  • Avoid trying to reinvent a practice in-house that is unlikely to match what is achievable from a specialist solution (most of the time this is time consuming, more costly and does not end well)

Taking these steps into consideration, it’s clear that AWS governance has covered this and so much more, ensuring the governance features available work seamlessly with their services so that the organisation can obtain their desired goals. AWS have done the majority of the arduous work for you.

To recap, the AWS governance feature set covers:

  • The management of IT resources
  • The management of IT performance
  • The management of IT security

We looked at managing IT resources with AWS and managing performance with AWS in Part One. To conclude the three areas, we will continue with management of IT security.

Fundamental governance areas and the AWS governance features to address them (continued)

Managing IT Security

This should include controlling physical access to IT resources, securing IT resources and logging access to IT resources (covering all areas of physical, administrative and technical controls).

Physical Access

An essential part of governance is to ensure that the physical environment is always secure – transparency into the controls utilised is key.

You need to ensure physical security measures are in place, maintained and monitored in order to effectively control the access to your facilities and resources.

AWS supports a range of governance features for controlling the physical access to IT resources. It's imperative that we consider not only the traditional physical access controls but also managing access to the virtual infrastructure (the cloud environment).

AWS supports the requirement for physical access security. AWS ensures that their data centres are secure by having them independently audited on a regular basis; the following audits cover physical access controls:

  • AWS SOC 1
  • AWS SOC 2
  • AWS PCI DSS
  • AWS ISO 27001
  • AWS FedRAMP

Having the resources and expert skills on hand ensures that the security achieved is always the best it can be, adapting to the changing environment whenever necessary.

Logical access

Logical access covers the controls used for identification, authentication, authorisation and accountability, usually enforced by a software component. With an on-premise solution it is challenging to synchronise all access controls without overlap, and it is also becoming difficult for organisations to scale on-premise solutions to meet the mounting intricacies in this area.

Logical access also involves establishing rules and policies and managing permissions and roles. This, too, is challenging to keep control of with an on-premise solution.

AWS governance features available to manage logical access

| AWS Feature | What it aims to accomplish |
|---|---|
| Amazon S3 Control Lists | Central permissions and conditions for use |
| Amazon S3 Bucket Policies | Access based on setting up of conditional rules |
| Amazon S3 Query string Authentication | Bypass normal authentication by using signatures to secure access request |
| AWS CloudTrail | Logging of API or console actions for monitoring |
| AWS IAM Multi-factor Authentication | Token needed for access, increased security |
| AWS IAM password policy | Control of users' password setup |
| AWS IAM Permissions | Simple management of permissions |
| AWS IAM Policies | Least privilege access management |
| AWS IAM roles | Temporary access capability |
| AWS Trusted Advisor | Automated security management |

Table 1

Security of resources

AWS simplifies this process significantly compared with the procedures that would be required with an on-premise alternative.

AWS governance features available to manage security of resources

| AWS Feature | What it aims to accomplish |
|---|---|
| Amazon EC2 Dedicated Instances | Private isolated virtual network |
| Amazon EC2 instance launch wizard | Enables consistent launch procedure |
| Amazon EC2 Security groups | Acts as a firewall to provide control over traffic inbound and outbound |
| Amazon Glacier archives | Secure long term storage with default encryption |
| Amazon S3 Client-side encryption | Encrypt data before sent to S3 |
| Amazon S3 Server-side encryption | Encryption of objects at rest and management of keys |
| Amazon VPC | Virtual network (using AWS infrastructure) operated on premise |
| Amazon VPC logical isolation | Virtual isolation of resources |
| Amazon VPC network ACLs | Controls traffic at subnet level |
| Amazon VPC private IP addresses | Protects private IP addresses from exposure to internet |
| Amazon VPC security groups | Isolation for Amazon EC2 instances |
| Amazon Direct Connect | Dedicated connection from your premises to AWS datacentre |
| Amazon VPN connection on premise hardware/software | Secure connection from existing network to AWS |
| Virtual private gateways | Control network security with hardware VPN connection to VPC |

Table 2

Logging controls

Accurate logging of access or attempted access is fundamental to governance. Organisations are inundated with log data (from a wide range of processes and activities being undertaken on a daily basis). The possible uses for this data are vast; however, organisations find it difficult to correlate all the data and make sense of it, and much of the time they overlook important, valuable aspects because of poor log interpretation. The majority of the time the data collected goes to waste, when it could be of great use to the organisation if they had the skills to know what to do with it.

Logs are important for a variety of reasons, such as behaviour tracking, compliance, maintenance and operations, forensics, monitoring level of service, managing costs and business decision-making (to add value).

AWS governance features available to manage logs

| AWS Feature | What it aims to accomplish |
|---|---|
| Amazon CloudFront access logs | Logs of end user access to objects |
| Amazon RDS database logs | Enables monitoring of log files |
| Amazon S3 Object Expiration | Set up of automated log expiration |
| Amazon S3 server access logs | Logs access requests |
| AWS CloudTrail | Security action logs on AWS management console and APIs |

Table 3

Conclusion

If approached and implemented correctly, governance can deliver the most value-added IT and performance as well as assist in IT risk management, all of which is necessary in achieving business objectives while remaining compliant.

AWS successfully ties everything together so that organisations can benefit from the ease and scalability while accomplishing the value afforded by good governance practice when utilising their solutions.

Organisations can rest assured that the governance domains are covered, from delivering value to managing risk, and from improving monitoring to accomplishing resource management as well as performance management. Consider the AWS solutions you are utilising and apply the necessary governance-enabling features to ensure you achieve the best governance afforded to those solutions.
