By Amit Verma, AWS Security Practice Head – Wipro
By Bhavesh Kumar Bhatt, Cloud Security Practice Head – Wipro
By Stephen Randolph, Sr. Partner Solutions Architect – AWS
By Tushar Agarwal, Sr. Partner Solutions Architect – AWS
Most enterprises are at different stages of their cloud journey. No matter where customers are at, a question that’s increasingly on their minds is, “How do we maintain or improve security and compliance posture during and after the migration?”
- In the pre-migration stage, there tends to be a lack of a uniform approach to assessing workloads from a security standpoint and being able to make a go / no-go decision for the migration to cloud.
- During the migration, effort is required to define a set of security controls relevant for the given workload while it migrates to the cloud. This is compounded by the fact organizations typically have a wide range of applications with varying security, governance, and compliance requirements (such as HIPAA, PCI/DSS, or GDPR).
- In the post-migration stage, maintaining the right compliance adherence and workload security risk posture visibility across identity, infrastructure, applications, and data remains one of the core concerns of the business, as well as for the risk/audit and security teams.
CARG is powered by Wipro’s Common Cloud Controls Framework (C3F) that addresses customers’ needs and concerns along their cloud security journey. It’s a single pane of glass solution that delivers a holistic risk and threat view, and provides an automated compliance adherence view of Amazon Web Services (AWS)-based business applications.
In this post, we’ll highlight some of the features of CARG, discuss how it can help your applications maintain a consistent security posture through a migration, and learn how CARG helped customers maintain security compliance through a migration.
Wipro is an AWS Premier Consulting Partner and Managed Service Provider (MSP) that harnesses the power of cognitive computing, hyper-automation, robotics, cloud, analytics, and emerging technologies to help clients adapt to the digital world.
CARG Features and Compliance Support
Wipro’s CARG solution offers a uniform yet customizable methodology and framework to help assess hundreds of business applications identified for cloud migration. It provides the ability to perform gap assessment against identified security controls, ensuring there’s a security remediation plan in place for protection of business applications once they migrate to AWS.
CARG recommends a base set of security controls for protection of candidate cloud applications in an automated fashion, and provides continuous monitoring of migrated applications to ensure compliance.
The following diagram shows various building blocks of the CARG solution.
Figure 1 – Migration stages with Wipro CARG.
Step 1: Cloud Go / No-Go Decision
CARG offers the ability to perform an application amenability check from a security perspective for the target cloud platform. It provides recommendations if the application should be migrated to cloud or not. This enables the enterprise to make an informed decision before proceeding with a cloud migration.
Step 2: Application Controls Assurance
CARG automatically recommends a set of security controls needed for protection of applications in the cloud. It also provides a platform for the risk and audit teams to work with enterprise security and business application teams in understanding how each control is going to be adhered to.
CARG also performs a granular assessment to provide controls assurance before an application migration to AWS.
Step 3: Continuous Controls Monitoring
Wipro’s C3F acts as a backbone to include various security controls, as well as AWS and industry best practices, to monitor the enterprise’s AWS environment on a continuous basis. It makes recommendations against risky changes, and provides business application-specific dynamic risk posture and compliance status.
Wipro’s CARG supports multiple compliance standards and regulations applicable to various industry vertical, such as PCI-DSS, HIPAA, FEDRAMP, and GDPR. It also provides compliance against frameworks such as NIST, ISO 27001 among others.
Figure 2 – List of regulations, statutory, and security frameworks supported by CARG.
CARG as a framework is flexible and can include an enterprise’s policies and internal controls, reporting adherence against the same. The CARG compliance module can also add other compliance and regulations based on enterprise need.
The CARG solution helps different personas across the enterprise succeed in their business objectives:
- Business application owners: Provides much-needed visibility of security risk posture and compliance adherence for respective business applications.
- CTO, CIO, and CISO office: Provides powerful insights of various security loopholes that need immediate attention across various AWS subscriptions.
- Risk and audit offices: Augments the risk and audit teams’ ability to perform business application audits and risk management before and after migration to AWS. This results in independent risk assurance on a company’s cloud journey.
Customer Story: Securing Your Migration Journey
Let’s highlight a Wipro customer’s journey to showcase the benefits of the CARG solution. This enterprise had more than 200 applications hosted on the cloud, with each application unique in the way it was architected, usage of cloud assets, and compliance needs.
The customer was planning to migrate an additional 300+ applications to AWS while ensuring all current and future workloads remain secure per their own internal policies and various compliance standards.
In addition to the governance of applications on the cloud, where each application’s risk and compliance needs are unique, the enterprise faced challenges identifying the security and governance controls during the pre-migration stage to AWS.
They needed to assess the application’s risk, security, and compliance posture and be able to report on industry standards like SOC2, HIPAA, GDPR, and security best practices such as NIST.
The ideal solution also needed to integrate with their existing ITSM, SIEM, and vulnerability management solutions to provide unified visibility of application’s risk and compliance posture to application owners, CISO, and risk and audit teams.
Figure 3 – User actions within the CARG platform.
Wipro’s CARG solution was brought in to help, and applications were onboarded onto the platform. For each application, CARG helped conduct a detailed analysis through risk profiling and recommended either ‘Cloud’ or ‘No-Cloud.’
Additionally, CARG proactively recommended security controls to protect each of the varied business applications that were to be hosted on AWS. It provided essential recommendations on the controls needed for each application’s security and compliance requirements. CARG also helped assess gaps in the controls needed for the applications.
CARG helped integrate third-party security tools for unified risk posture for an application, and provided a workflow-based approach for managing the gaps in addition to continuous controls monitoring across the enterprise’s cloud estate.
Summary of Benefits
CARG’s compliance posture assessment helps enterprise to have both a historic view and understand current trends while being audit and compliance ready.
Here are some additional features:
- Tailored and customizable holistic risk-based approach for cloud applications.
- Pre-migration assessment, and application risk and compliance profiling.
- Automated cloud security control recommendations as part of the cloud migration process.
- Integration with AWS-native security services and controls.
- Continuous security monitoring and generation of security insights, continuous compliance posture and remediation recommendations via single pane of glass.
- Contextualized stakeholder reporting and role-based access control for different personas.
- Provides adherence across 20+ regulatory and compliance requirements across cloud applications.
- Provides visibility by leveraging enterprise’s existing investment in AWS and other security solutions.
In a time where security threats are markedly increasing, a comprehensive security governance platform is essential for enterprises.
For enterprises with a large IT landscape spread across on-premises and cloud environments, managing security controls across platforms is tedious. Wipro’s Cloud Application Risk Governance (CARG) helps enterprises manage and maintain an optimum security posture with its single pane of glass.
To learn how CARG can help secure your enterprise’s journey to AWS, contact Wipro at [email protected].
Wipro – AWS Partner Spotlight
Wipro is an AWS Premier Consulting Partner and MSP that harnesses the power of cognitive computing, hyper-automation, robotics, cloud, analytics, and emerging technologies to help clients adapt to the digital world.
*Already worked with Wipro? Rate the Partner
*To review an AWS Partner, you must be a customer that has worked with them directly on a project.