This whitepaper is for historical reference only. Some content might be outdated and some links might not be available.
Security governance
Note
Develop, maintain, and effectively communicate security roles, responsibilities, accountabilities, policies, processes, and procedures.
Security governance defines the organizational structure, roles, responsibilities, accountabilities, and capabilities required to implement security effectively. It provides the ability to drive, track, and report on security controls while maintaining oversight that information security risk is being managed within your respective risk appetite. Successful security governance is a continuous endeavor that must adapt to changing business requirements and threat landscapes in a planned and measurable way.
When done well, security governance will effectively orchestrate and align your organization's security activities, providing security information and insights to enable decision making. Security governance flows from a security strategy that should reflect the priorities of the Board of Directors and have commitment from the Chief Executive. It should be driven by people who understand the business and rely on mechanisms focused on efficiency, visibility, and control; often through automation and simplification.
Adopting modern, automated workflows and a Zero Trust security model early in software and infrastructure development processes creates a scalable, effective environment. This will help you address relevant legislative, regulatory, and internal policy requirements while also supporting your business objectives.
Start
The starting point for establishing a robust security strategy in your organization involves aligning your security risks with your business objectives. These risks should be mitigated with defined and implemented controls, including detective, responsive, and preventative measures. These controls often manifest as guardrails; automated technical implementations that help your organization operate within its risk appetite and budget. This approach frees up other functions within your organization to focus on their core business, while trusting that decisions made are aligned with the organization's security framework and risk appetite.
An effective security function must be supported by a clear set of roles and responsibilities, such as a responsible, accountable, consulted, informed (RACI) model. This model, underpinned by a clear understanding of your security responsibilities in the cloud, forms the basis for your organization's Governance, Risk, and Compliance (GRC). Establishing a GRC model early on outlines critical roles, risk-based requirements, and compliance obligations in a concise and precise manner.
During this initial stage, begin to foster a blameless culture where mistakes are viewed as opportunities for learning and improvement. By doing so, you encourage open communication about potential security risks and incidents and promote a proactive approach to security.
The agility offered by cloud computing and DevOps/DevSecOps practices has opened new avenues for security governance that differ significantly from traditional models. The DevOps mantra to have "everything as code" offers improved visibility and control, reducing friction, costs, and many of the risks associated with legacy solutions. To realize these advantages, begin to introduce new ways of working and modern operating models that are conducive of DevOps with a deep security focus (often referred to as DevSecOps) as you improve your security governance practices.
Security should be considered at every step of the cloud journey. However, incorporating it into the initial design often results in the largest impact. This is because doing so reduces the operational effort to certify that a solution meets the security requirements for launch into production. Incorporating security controls into the development lifecycle, such as the design, build, test, or deploy stages, becomes more cost-effective, more objective, and easier to manage at scale. Development teams benefit from both flexibility and certainty, which are derived (in part) from security policies, processes, procedures, and controls.
Artifacts that can accelerate your security governance journey include:
-
A security operating model that defines the "people and processes" aspects of security governance, including responsibilities under the Shared Responsibility Model
. -
A security risk appetite statement that defines expectations for different workload categories; not all workloads require the same level of protection and compliance.
-
A security controls framework that meets applicable laws, industry and government regulations, and external security frameworks such as NIST
, CIS , ISO/IEC 27001 , or others. -
A cloud security policy that extends the IT security policy framework and defines new or updated policies to address the improved security management capabilities that cloud computing offers.
-
Documented principles that help decision making in the absence of specific guidance.
AWS services (examples):
-
AWS Identity and Access Management (IAM) allows you to manage user access and permissions to AWS services and resources, establishing the foundation for secure access control.
-
AWS Control Tower helps you set up and govern a secure and compliant multi-account AWS environment. It provides a centralized framework for managing multiple AWS accounts, allowing you to enforce security policies, configure preventive and detective guardrails, and streamline the provisioning and management of AWS resources.
-
AWS CloudTrail enables you to log, monitor, and retain AWS API activity, providing visibility into actions taken within your AWS account and supporting compliance and security analysis.
-
AWS Config allows you to assess, audit, and evaluate the configurations of your AWS resources, helping to achieve compliance with security policies and best practices.
Advance
Once the fundamental security governance capabilities have been established and embedded, continue to measure, iterate, and improve your governance model. Your governance model must remain agile and flexible, so that it can accommodate changing business goals, risk appetite, compliance requirements, and capabilities. Continuous refinement of your GRC model, driven by these evolving factors, should be expected and encouraged. This includes improvements not only to policies, processes, and standards but also to the broader operating model; the existing security governance capabilities should not be considered static and unchanging as new information and ways of working are introduced.
With your fundamental security framework established, broaden the applicability of the existing security measures across all departments and operations within your organization. Begin the transition to modern security practices within your governance model. These include the implementation of dynamic authentication methods and stringent access controls on all resources into your existing framework. Supplement this approach with continuous monitoring of all systems and network activities, fostering situational awareness of potential threats, and deploying granular control over resource access. This comprehensive and evolving approach is not only necessary for maintaining an effective security posture but also forms the foundation of advanced approaches to security such as the Zero Trust model.
Automation and continuous improvements will help move from a reactive to a proactive approach, which will help reduce risks and increase the security return on investment (ROI). Having a blameless culture in your organization is crucial to ensuring that lessons are learned from incidents or issues. As collaborative incident response and remediation of vulnerabilities become a recurring part of your security governance strategy, emphasizing learning and improvement will help drive proactive attitudes towards cybersecurity. Without this culture being present, those in your organization may fear making changes required to improve processes and procedures at the pace required.
Enhancing the effectiveness of your security governance calls for
continuous improvements to policies, processes, standards, and the
operating model, made possible by regular reviews and amendments.
Automation is a key enabler in transitioning from a reactive to a
proactive security approach, elevating your security standard,
reducing risks, and optimizing the security return on investment.
At this phase,
automation
Automating more aspects of your security policies and procedures
makes sure that decisions are made based on near real-time risk
assessments. This step to favor automation paves the way for more
complex security models. Previously manual tasks, like asset
inventory management, require advanced methods at this stage. Use
automated tools for asset discovery and tracking to continuously
provide a comprehensive view of your asset landscape, aiding risk
mitigation and effective security governance. For example, you can
use
Workload
Discovery on AWS
Capabilities that are measured and reported on provide assurance that security investments are delivering value and mitigating risk. Establish a reporting framework that gives your management team confidence that security risks are being managed effectively and within the agreed risk appetite. Make use of the cloud's capabilities to automate the production of report data. This practice not only saves time but also boosts confidence in your metrics and provides a single chain of reporting based on a single data source. Use AWS Security Hub to automate security best practice checks, aggregate security alerts into a single place and format, and understand your overall security posture across all of your AWS accounts.
Excel
An organization that excels in security governance leverages the cloud to maintain control over its cloud-based assets and operations. Decisions are made with confidence, powered by reliable cloud metrics (such as incident response and vulnerability resolution metrics), which guide both investment decisions and performance evaluations of previous investments. These organizations can readily navigate changing business goals, evolving customer requirements, the shifting threat landscape, and large-scale technical modifications.
Regularly re-evaluate your security model so that roles and responsibilities align with
evolving business goals. It's common to switch from a project-based approach to a
product-based mentality, focusing on the needs of various stakeholders, including business
units, development teams, and cloud platform teams. At AWS, we embed security within our engineering
teams
Expand upon the effective asset management strategies already in place. At this stage, your organization should be using advanced technologies like AI and predictive analytics to track asset usage patterns and detect potential vulnerabilities before they arise. This provides a holistic view of your security landscape and equips you with actionable insights for strategic decision-making based on historic events.
Prioritization of security efforts should continue to hinge upon a risk-based approach. Use risk metrics to forecast demand for security services and resources. Such a proactive approach not only drives more informed investment decisions but also enables your team to preemptively meet customer needs. Continual monitoring of the consumption and effectiveness of your security services provides valuable insight into areas that are performing well and those needing improvement.
Excel at automated governance by codifying your security policies and processes. By doing so, you can facilitate continuous measurement of automated controls effectiveness over time, assuring that improvements to security posture can be reported accurately. Embed and automate risk management processes at each stage of every workload's lifecycle by defining risk thresholds that can be measured, and allow teams to request exceptions where required. Embracing a continuous risk management approach contributes to the overall risk management processes of your cloud ecosystem, fostering a proactive rather than a reactive approach to security governance.
By integrating automated governance practices, your organization can provide consistent compliance, reduce manual effort, such as those required by approval boards, and enhance the overall security of your systems and data.
In addition to control automation, AWS uses weekly, monthly, and quarterly meetings and reports for communication of risks across all components of the risk management process. AWS also implements an escalation process to provide management visibility into high priority risks across the organization. All these efforts manage risk consistently within the complexity of the AWS business model.
AWS services (examples):
-
Amazon Macie: Amazon Macie is a data security and privacy service that uses machine learning and pattern matching to discover, classify, and protect sensitive data stored in AWS. It helps organizations identify and secure their sensitive data, such as personally identifiable information (PII), intellectual property, and financial data, by automatically recognizing sensitive data patterns and providing alerts and recommendations for securing the data.
-
AWS Systems Manager (SSM): AWS Systems Manager is a management service that helps organizations manage and automate operational tasks in their AWS environment. It provides a unified interface for managing resources, configuring operating systems, automating patch management, and collecting software inventory. SSM also includes the Parameter Store, which securely stores and manages configuration data, secrets, and other sensitive information that can be securely accessed by authorized AWS services and applications.