IT governance is defined by the Information Systems Audit and Control Association (ISACA) as the structures and processes put in place to ensure that an organization’s IT sustains and extends the organization’s strategies and objectives. When structured correctly, governance should serve as the scaffolding of an organization’s IT structure so that the organization can focus on what it does best.
When it comes to the application of IT governance in organizations, there are two regularly opposing points of view: those who believe in its sheer necessity and those who believe that IT policies and compliance rules slow down IT in its entirety. And although this opposition exists in the workplace, IT governance is crucial because it allows organizations to fully realize their missions while satisfying established industry rules and policies.
Applying automation and orchestration to IT governance
If you read January’s post from AHEAD’s Technical Architect, Adam Youngblood, Automation vs. Orchestration: How to Pick the Right Tool, you’re probably familiar with why these tools are important and how they apply to IT. So how do we apply automation and orchestration not just to IT, but to the structures and policies that guide IT in an organization?
According to Youngblood, orchestration is the process of taking a simple task and creating a workflow that can be applied via automation. When it comes to important business structures, we can apply orchestration to automate tasks to make things run faster and more efficiently, with increased standardization and decreased time to value, essentially eliminating human error.
Let’s use PCI compliance as an example—an important standard that applies to any company using credit cards for transactions. I’ll start by mentioning an important point from the PCI 3.0 checklist (a reference guide for auditors to ensure PCI compliance): “Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic”. Let’s say you dedicate an FTE to constantly click through your firewalls to make sure you are in compliance with this important checkpoint. A fast and efficient way to conduct this process is through automation. Here are the steps needed to break down this process:
- Identify the cardholder data environment
- Identify systems that need access to cardholder data environment
- Identify types of inbound/outbound traffic
- Identify points of communication between environments
- Scan points of communication
- Document results
- Check for any non-compliance results
- Initiate alarms and notifications
- Remediate if necessary
- Repeat steps regularly
In this process, automation can help provide value by adding logic to each step. Automation can also help by interacting with other systems to help remediate if the results mean non-compliance. Additionally, utilizing third-party vendors, such as Tripwire, Nessus, or Splunk, can help with remediation and documentation, or we can write documentation in our language of choice.
Evaluating cloud solutions
So what does this mean for businesses that are evaluating cloud providers as a part of their overall IT strategy? While they may not need to completely rewrite their policies, they may want to re-evaluate to include cloud providers as they look to adopt them as part their overall IT strategy. In doing this, business leaders can ensure that the resources they deploy within their preferred cloud provider complies with internal security, audit, and other IT policies.
Ensuring compliance within the public cloud space
Public cloud providers like Amazon Web Services (AWS) champion the “Shared Responsibility Model”: the idea that AWS is responsible for security of the cloud (hardware, physical access, etc.), while the consumer is responsible for security within the cloud (firewalls, encryption at rest/in-transit, etc.).
To ensure this security, consumers of cloud resources can write their own automation tools based on automation workflows or utilize tools from third parties. And in the public cloud space, vendors like Microsoft Azure and Amazon Web Services provide the tools needed to help ensure compliance of IT policies, such as Azure Scheduler, AWS Config/Config Rules, and AWS Lambda. Whatever the choice may be, it is important to include cloud providers in IT policies, as well as a way to evaluate and remediate your compliance needs.
When looking to adopt a cloud provider for your organization, it is important to weigh your options for meeting regulation needs. With the help of automation and orchestration tools, you can easily automate your IT policies or you can use the tools available from third-party public cloud services.