General Design Principles

The Well-Architected Framework identifies a set of four general design principles to facilitate good design in the cloud for financial services workloads.

Documented operational planning—To define your cloud-operating model, you must work with internal consumers and stakeholders to set a common goal and strategic direction. Many organizations have adopted the “Three Lines of Defense” model to improve effectiveness of risk management:
- At the first line of defense, operational managers are responsible for executing risk and control procedures on a day-to-day basis.
- The second line establishes various risk management and compliance functions to help build and/or monitor the first line-of-defense controls.
- As the third line of defense, internal auditors provide the governing body and senior management with comprehensive assurance based on the highest level of independence and objectivity within the organization.
Establishing clear roles and responsibilities across the three lines of defense is vital to developing an effective operating model for regulated cloud adoption.
Automated infrastructure and application deployment—Automation enables you to execute and innovate quickly and scale security, compliance, and governance activities across your cloud environments. Financial services institutions that invest in automated infrastructure and application deployment are able to accelerate the rate of deployments and more easily embed security and governance best practices into their software development lifecycle.
Security by design—Financial services institutions must consider aSecurity by Design (SbD) approach to implement architectures that are pre-tested from a security perspective. SbD helps implement the control objectives, security baselines, security configurations, and audit capabilities for applications running on AWS. Standardized, automated, prescriptive, and repeatable design templates help accelerate the deployment of common use cases as well as meet security standards (and ease the evidence requirements for audit) across multiple workloads. For example, to protect customer data and mitigate the risk of data disclosure or alteration of sensitive information by unauthorized parties, financial institutions need to employ encryption and carefully manage access to encryption keys. SbD allows you to turn on encryption for data at rest, in transit, and if necessary, at the application level by default.
Automated Governance—Humans working with runbooks and checklists often lead to delays and inaccurate results. Automated governance provides a fast, definitive governance check for applications deployment at scale. Governance at scale will typically address the following components:
- Account Management: Automate account provisioning and maintain good security when hundreds of users and business units are requesting cloud-based resources.
- Budget and Cost Management: Enforce and monitor budgets across many accounts, workloads, and users.
- Security and Compliance Automation: Manage security, risk, and compliance at scale to ensure that the organization maintains compliance, while executing against business objectives.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Abstract and Introduction

Scenarios