Helping enterprises who are conducting an AWS cloud migration as part of a technology transformation project, we are often asked about IT governance and how to ensure policies and controls are consistently applied between old and new environments. Ensuring the goals of IT governance -- from management to security, and from cost to performance -- is central to the Flux7 approach. In today’s article, we’ll share how we help accomplish these governance goals for our customers and as a result, how you, too, might consider approaching IT governance in the cloud.
When it comes to IT governance, we start with the Flux7 Enterprise DevOps Framework (EDF), using it as a guide to developing solutions for our customers. The EDF incorporates governance and AWS principles for IT Management, cost control, security, performance, and resiliency.
For a deeper dive on the EDF, download our paper, DevOps on AWS: The Flux7 Enterprise DevOps Adoption Framework
The EDF and the Flux7 DevOps consulting engagement process offer several elements that address the governance of cloud environments:
- Assessment, the first phase of our Agile DevOps delivery model, is comprised of a series of meetings to learn more about a customer’s business, technology, and process goals. NetSecOps is a primary meeting within the Assessment phase, during which we work with security teams to learn more about frameworks the team may be using, (e.g. COBIT) and the specific compliance and governance needs that should be incorporated and deployed into the final solution.
Flux7 Assessment Platform Sample
- Security and Monitoring are central to the EDF in the form of Inspectors and Injectors. These two elements of the framework serve to continuously monitor and log all aspects of code delivery -- from SCM (source code management) all the way to the AWS Landing Zone. A standard solution would deploy through security hardening pipeline technologies such as AWS CloudTrail logs, Custom IAM roles, S3 (encrypted and policies), IAM hardening, AWS Guard Duty, AWS Config, AWS Inspector, AWS Shield, VPC flow logs, and security isolated audit accounts.
- Networking security is built-in as code for VPC, Security Groups, NACLs, VPN pipelines and more. These best practices are built-in and specific custom integrations with third-party Inspectors and Injectors are built for customers when needed.
- Secret Management and governance around the use of secrets in environments are critical; keeping secrets, (like passwords and keys), secure and encrypted at rest and in transit can be conducted in several ways. While the most popular solutions typically include deploying HashiCorp Vault with a combination of AWS Systems Manager Parameter Store, the ultimate solution depends on the customer’s use case(s).
Config Governance, Regulatory Compliance with CIS
For a large hotelier, who has Tier One PCI compliance needs, we implemented CIS Level 2 Alerting Framework using AWS Config. (A Level 2 CIS hardened image is preconfigured to meet CIS Benchmarks in environments where security is paramount, acting as a defense in depth measure.) Additionally, we helped to automate the implementation of open source and AWS WAF managed rules set to protect the company’s external facing services, ensuring availability and a superior customer experience.
Cost Governance & Secret Management
We had the opportunity to work with a large telecommunications company on a cost control and alerts project. As a standard part of our cost governance practice, we develop an account structure that assists in the segregation of cost. AWS Config was implemented to ensure that unauthorized use of AWS resources was flagged and alerts were sent to the appropriate parties. We also helped develop a tagging policy specific to cost governance that the customer can now use to identify cost centers associated with resources for cost allocation and tracking.
In addition, we helped the firm implement DevOps at scale by creating a repeatable pattern for 120 applications. It became clear, as we progressed developing the pattern, that a secret solution was needed; we chose HashiCorp Vault to retrieve and inject secrets as the applications were deployed in the AWS Landing Zone. Since these applications were also external facing, we helped develop and deploy an effective and secure AWS WAF solution.
IT Asset Governance
Last, we had the opportunity to work with the innovation lab for a large manufacturer who had specific IT Management needs around asset inventory. To help them address the issue, we developed and deployed AWS Systems Manager Inventory in the firm’s environments, in a repeatable and automated manner. Custom rules were co-developed or handled by the customer team and updated through automation pipelines implemented by the Flux7 AWS consulting team.
Cost governance was also important to this customer, so our team developed and deployed a solution for Jenkins to use Spot instance for its slave when possible, thereby saving up to 90% off of on-demand prices. Lastly, the hardening process and services described above were extended as part of the Account creation automation we put in place, helping ensure the firm’s environment included AWS security best practices.
IT Governance can help organizations align IT with business strategies to ensure regulatory obligations, cost goals, customer data privacy, and other business initiatives are met. Using the Flux7 EDF as a framework for IT Governance in conjunction with our customers’ DevSecOps objectives, we identify specific needs, create a custom plan of action and work as partners with our customers, teaching as we go, to actively build a solution that delivers governance with agility. Interested in learning more? Reach out to us today.