2021 Blog, AWS Governance, Blog, Featured

Governance360 is an integrated and automated solution built on the Control Tower Customization methodology. The solution is focused on the entire lifecycle of a customer's cloud adoption, covering the following stages:


  • Workload planning for Cloud Migration and the associated best practices, with automation.
  • Multi-account management with secure and compliant AWS Accounts, cost tracking against budgets, and guardrails to ensure workloads are deployed per AWS Well-Architected best practices. This component is called “Control Services” and provides preventive and corrective guardrails.
  • The workloads, consisting of network, IDAM, compute, data, storage and applications, need to be secured and monitored for static and dynamic threats and vulnerabilities. This is covered under Security Management, which ensures proactive detection and correction of security threats.
  • Proactive monitoring enables observability across system, application and log management, with integrated alert aggregation, correlation and diagnostics to detect performance and availability issues.
  • Service Management and Asset Management integrate the Cloud management workflows with ITSM tools based on enterprise standards, and enable self-service portals and active CMDB tracking.
  • A foundation of an Automation-First approach, with workflows, templates and BOTs, provides a scalable, enterprise-grade framework for achieving better, faster and cheaper adoption of Cloud and ongoing cloud managed services, leveraging RLCatalyst BOTs Server.

All the above components are complex systems that need integration and data sharing, with active policies, status monitoring and workflows for suitable interventions, to achieve a holistic Governance360 model. The solution ensures that proper policies and governance models are set up upfront and are consistently updated as lifecycle changes are needed. It combines AWS Control Tower, other highly available, trusted AWS services and Relevance Lab automated solutions to help customers quickly set up a secure, multi-account AWS environment using AWS best practices. Through customization, this solution integrates with AWS Control Tower lifecycle events to ensure that resource deployment stays in sync with the landing zone. From a single pane, you get visibility into the organizational tree of your AWS accounts along with compliance status and non-compliance findings.

The diagram below explains the core building blocks of the Governance360 Solution.


Why do Enterprises need Governance360?
For most Enterprises, the major challenges are governance and compliance and a lack of visibility into their Cloud Infrastructure. They spend enormous time trying to achieve compliance in a siloed manner, and enormous effort on security and compliance. This can be addressed by automating compliance monitoring and increasing visibility across the cloud with the right set of tools and solutions. Our solution addresses the need of Enterprises to automate these security and compliance activities. Through a combination of automated preventive, detective, and responsive controls, we help enterprises enforce near-continuous compliance with auto-remediation, thereby increasing overall security and reducing compliance cost.

Some of the use cases on why Enterprises would adopt Governance360:

  • Centralized Cloud Operations Management
  • Configuration, Compliance and Audit Management
  • Automated proactive monitoring and Observability of your Applications
  • Self-Service Provision and Deprovision of Cloud resources
  • Cloud Financial Management

As shown in the above diagram, Governance360 uses a set of tools and policies across multiple layers. This solution starts with a deployment of AWS Control Tower, after which you deploy an AWS CloudFormation template in the account where the AWS Control Tower landing zone is deployed. The template launches an AWS CodePipeline pipeline, AWS CodeBuild projects, AWS Step Functions state machines, AWS Lambda functions, an Amazon EventBridge event rule, an Amazon Simple Queue Service (Amazon SQS) queue, and an Amazon Simple Storage Service (Amazon S3) bucket that contains a sample configuration package. The solution can also create an AWS CodeCommit repository to hold the sample configuration package instead of the Amazon S3 bucket.

Once the solution is deployed, the custom resources are packaged and uploaded to the CodePipeline source in Amazon S3. This triggers the service control policies (SCPs) state machine and the AWS CloudFormation StackSets state machine, which deploy the SCPs at the organizational unit (OU) level and stack instances at the OU and/or account level. Integration with AWS Security Hub ensures that all of your accounts and resources are continuously monitored for compliance.
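As an added illustration (not the page's or Relevance Lab's own configuration), the following is a Customizations for AWS Control Tower manifest of the kind the pipeline described above consumes: one service control policy deployed at the OU level as a preventive guardrail, and one CloudFormation StackSet deployed as stack instances to an OU plus an individual account. The file paths, OU name, account ID and parameter values are assumed placeholders.

```yaml
# Added example manifest for Customizations for AWS Control Tower (manifest schema version 2021-03-15).
# Paths, OU names, the account ID and parameter values are assumed placeholders, not values from the page.
region: us-east-1          # home region of the Control Tower landing zone
version: 2021-03-15

resources:
  # Preventive guardrail: an SCP attached at the OU level applies to every account
  # under that OU and cannot be relaxed from inside a member account.
  - name: scp-protect-security-logging
    description: Deny disabling CloudTrail, AWS Config and GuardDuty in workload accounts
    resource_file: policies/protect-security-logging.json   # assumed path to the SCP JSON document
    deploy_method: scp
    deployment_targets:
      organizational_units:
        - Workloads          # assumed OU name

  # Detective / corrective baseline: a StackSet deployed as stack instances to an
  # OU and to one named account, in each of the listed regions.
  - name: stackset-config-rules-baseline
    description: AWS Config rules and auto-remediation baseline for workload accounts
    resource_file: templates/config-rules-baseline.template   # assumed path to the CloudFormation template
    deploy_method: stack_set
    parameters:
      - parameter_key: NotificationTopicArn
        parameter_value: arn:aws:sns:us-east-1:111122223333:security-findings   # assumed SNS topic
    deployment_targets:
      organizational_units:
        - Workloads          # assumed OU name
      accounts:
        - 111122223333       # assumed account ID (AWS documentation placeholder range)
    regions:
      - us-east-1
      - us-west-2
```

Committing a changed manifest to the pipeline source is what triggers the SCP and StackSet state machines, so every guardrail change leaves a reviewable history in the repository rather than being applied by hand.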


Our standard and custom library includes a set of pre-built templates (CloudFormation and Terraform) and policies (YAML/JSON). These can be a combination of CFTs for deployment or provisioning and policies to enforce and monitor governance and compliance. This enables one-click automated deployment of your Network, Infrastructure, and Application layers and enforces pre-defined compliance on your account.

Governance360 Maturity Model
Governance360 maturity model consists of 4 levels as shown below:


Level-1 (Basic Governance)
  • Covers AWS Control Tower
  • Takes about 4-6 weeks

  What is AWS Control Tower?
    • Secure.
    • Compliant.
    • Multi-Account AWS Environments.
    • Based on AWS Best Practices.

  How does it work?
    Step-1
    • Multi-Account Structure.
    • Identity and Access Management.
    • Account Provisioning Workflows.

    Step-2
    • Apply Guardrails – Security and Compliance Policies.
    • Prevents non-compliance during new deployments.
    • Detects and remediates non-compliance found on Accounts and Resources.

    Step-3
    • Monitors Compliance with Visual Summaries.
    • Provides a Dashboard for Accounts, Guardrails and Compliance status all in one place.

  What benefits does it provide?
    • Automated & Standardized Account Provisioning.
    • Better control of AWS environments.
    • Govern your workloads more easily and drive Innovation.
    • Cost and Budget Management.

  What is still missing in maturity at this Level?
    • A manual setup model: changes across the different OUs and Accounts are not automated, and deploying new policies and customizations is not easy.
    • Setup of VPC/Subnet/IAM roles needs more advanced templates and automation.
    • Only mandatory guardrails are activated; more work is still needed to reach full AWS Foundations and CIS Top 20 Benchmark compliance.
    • Cost Optimization missing.
    • Integration with ITSM Tools missing.


Level-2 (Advanced Governance)
  • Automation-led Governance@Scale
  • Covers AWS Service Management Connector and ITSM Integrations
  • Additional 6-8 weeks

  What is Governance@Scale?
    • Uses Customizations for Control Tower with CI/CD pipeline best practices.
    • Rich library of Automation Templates for Infra Automation.
    • Extended compliance to AWS Foundations and CIS Top-20.
    • Cost Optimization Techniques – Instance Scheduler, Compute Optimizer, AWS WorkSpaces Cost Optimizer, cost monitor Lambda functions.
    • Activate AWS Service Catalog and AWS Service Management Connector.

  How does it work?
    • Deployment of Customizations for Control Tower and Custom Guardrails.
    • Enablement of Security Hub and AWS Config.
    • Service Catalog and Service Management capabilities using your ITSM platform (ServiceNow, Jira SD, Freshservice).

  What benefits does it provide?
    • Ease of deployment of security controls at scale using a CI/CD pipeline.
    • Dashboard of Security Hub.
    • Dashboard for Asset Management.
    • Dashboard of AWS Config Aggregator.

  What is still missing in maturity at this Level?
    • No integration with Security monitoring of resources and accounts – Static or Dynamic.
    • Proactive Monitoring of Health of Assets is missing.


Level-3 (Proactive and Preventive Governance)
  • Covers AWS Security Hub and AWS Monitoring tools integration
  • Provides proactive, integrated monitoring of real-time security and health parameters, giving appropriate early warning and enabling early detection, diagnosis and action on adverse events.
  • Additional 8-10 weeks

  What is Proactive and Preventive Governance?
    • Use the ITSM/Custom Cloud Portal to look at the compliance status across your multi-account cloud Infrastructure.
    • Get a single-pane-of-glass view of your multi-account cloud assets.
    • Enable SSM to run periodic vulnerability assessments on your resources.

  How does it work?
    • Integration of AWS Security Hub with AWS Control Tower.
    • Use of GuardDuty and Inspector.
    • Enable CloudWatch.

  What benefits does it provide?
    • Dashboard of Security Hub.
    • Dashboard of Proactive Health Monitoring.
    • Dashboard of Vulnerabilities and Missing Patches.

  What is still missing in maturity at this Level?
    • Granular policies for Account and Resource level control are missing.
    • Continuous Compliance and Remediation is missing.
    • Fixing of vulnerabilities and Patch Management is missing.
    • Industry-specific extensions for specialized compliances (HITRUST, HIPAA, GRC, GDPR etc.) are missing.


Level-4 (Intelligent Compliance with Remediations)
  • Covers Cloud Custodian and Intelligent Automation with BOTs and Policies
  • Helps achieve Continuous Compliance
  • Helps achieve Industry-Specific Security Standards (depends on the type of compliance)
  • Typically 4-6 weeks per compliance standard

  What is Intelligent and Continuous Compliance with Industry-Specific Coverage?
    • Continuous monitoring, detection and auto-remediation achieved at scale.
    • Ability to learn from previous incidents and increase coverage & compliance.
    • Enterprise-grade Automation covering the full lifecycle of cloud resources, system changes and people interactions.
    • Baseline the requirements for industry-specific compliance needs like HITRUST, HIPAA, GDPR, SOC2 etc.
    • Deploy Quick Starts for these specific standards.

  How does it work?
    • Integration with RLCatalyst BOTs Server and Command Centre.
    • Application and Business Service level Monitoring and Diagnosis.
    • Integration with Cloud Custodian.
    • Launch Compliance Standard Specific Quick Starts.
    • Enable AWS Systems Manager (or ManageEngine) and patch management.

  What benefits does it provide?
    • Continuous Compliance Dashboard – Custodian + Security Hub.
    • Dashboard of Vulnerability – Compliance Status.
    • Command Centre Dashboards.

How to get started
Relevance Lab is an AWS consulting partner and helps organizations achieve automation-led Cloud Management using Governance360, based on AWS best practices. While Enterprises can try to build some of these solutions themselves, it is a time-consuming and error-prone activity that needs a specialist partner. Relevance Lab has helped 10+ Enterprises with this need and has a reusable automated solution and pre-built library to meet security and compliance needs.

For more details, please feel free to reach out to marketing@relevancelab.com.





2021 Blog, Blog, Featured

Major advances are happening through the use of Cloud Technologies and large Open Data sets in Healthcare Informatics, which includes sub-disciplines like Bioinformatics and Clinical Informatics and is rapidly being adopted by Life Sciences and Healthcare institutions in the commercial and public sectors. This domain has deep investments in scientific research and data analytics, focusing on information, computation needs, and data acquisition techniques to optimize the acquisition, storage, retrieval, obfuscation, and secure use of information in health and biomedicine for evidence-based medicine and disease management.

In recent years, genomics and genetic data have emerged as an innovative area of research that could potentially transform healthcare. The emerging trends are for personalized medicine, or precision medicine, leveraging genomics. Early diagnosis of a disease can significantly increase the chances of successful treatment, and genomics can detect disease long before symptoms present themselves. Many diseases, including cancers, are caused by alterations in our genes. Genomics can identify these alterations and search for them using an ever-growing number of genetic tests.

With AWS, genomics customers can dedicate more time and resources to science, speeding time to insights, achieving breakthrough research faster, and bringing life-saving products to market. AWS enables customers to innovate by making genomics data more accessible and useful. AWS delivers the breadth and depth of services to reduce the time between sequencing and interpretation, with secure and frictionless collaboration capabilities across multi-modal datasets. Plus, you can choose the right tool for the job to get the best cost and performance at a global scale, accelerating the modern study of genomics.

Relevance Lab Research@Scale Architecture Blueprint
Working closely with AWS Healthcare and Clinical Informatics teams, Relevance Lab is bringing a scalable, secure, and compliant solution for enterprises to pursue Research@Scale on Cloud for intramural and extramural needs. The diagram below shows the architecture blueprint for Research@Scale. The solution offered on the AWS platform covers technology, solutions, and integrated services to help large enterprises manage research across global locations.


Leveraging AWS Biotech Blueprint with our RLCatalyst Research Gateway
This use case builds on the AWS Biotech Blueprint, which provides a core template for deploying a preclinical, cloud-based research infrastructure and optional informatics software on AWS.

This Quick Start sets up the following:

  • A highly available architecture that spans two availability zones.
  • A preclinical virtual private cloud (VPC) configured with public and private subnets according to AWS best practices, to provide you with your own virtual network on AWS. This is where informatics and research applications will run.
  • A management VPC configured with public and private subnets to support the future addition of IT-centric workloads such as Active Directory, security appliances, and virtual desktop interfaces.
  • Redundant, managed NAT gateways to allow outbound internet access for resources in the private subnets.
  • Certificate-based virtual private network (VPN) services through the use of AWS Client VPN endpoints.
  • Private, split-horizon Domain Name System (DNS) with Amazon Route 53.
  • Best-practice AWS Identity and Access Management (IAM) groups and policies based on the separation of duties, designed to follow the U.S. National Institute of Standards and Technology (NIST) guidelines.
  • A set of automated checks and alerts to notify you when AWS Config detects insecure configurations.
  • Account-level logging, audit, and storage mechanisms designed to follow NIST guidelines.
  • A secure way to remotely join the preclinical VPC network by using the AWS Client VPN endpoint.
  • A prepopulated set of AWS Systems Manager Parameter Store key/value pairs for common resource IDs.
  • (Optional) An AWS Service Catalog portfolio of common informatics software that can be easily deployed into your preclinical VPC.

Using the Quick Start templates, the products were added to AWS Service Catalog and imported into RLCatalyst Research Gateway.



Using the standard products, the Nextflow Workflow Orchestration engine was launched for Genomics pipeline analysis. Nextflow creates and orchestrates analysis workflows and uses AWS Batch to run the workflow processes.

Nextflow is an open-source workflow framework and domain-specific language (DSL) for Linux, developed by the Comparative Bioinformatics group at the Barcelona Centre for Genomic Regulation (CRG). The tool enables you to create complex, data-intensive workflow pipeline scripts and simplifies the implementation and deployment of genomics analysis workflows in the cloud.

This Quick Start sets up the following environment in a preclinical VPC:

  • In the public subnet, an optional Jupyter notebook in Amazon SageMaker is integrated with an AWS Batch environment.
  • In the private application subnets, an AWS Batch compute environment for managing Nextflow job definitions and queues and for running Nextflow jobs. AWS Batch containers have Nextflow installed and configured in an Auto Scaling group.
  • Because Nextflow requires no databases, this Quick Start does not deploy anything into the private database (DB) subnets created by the Biotech Blueprint core Quick Start.
  • An Amazon Simple Storage Service (Amazon S3) bucket to store your Nextflow workflow scripts, input and output files, and working directory.

RStudio for Scientific Research
RStudio is a popular IDE, licensed either commercially or under AGPLv3, for working with R. RStudio is available in a desktop version or a server version that allows you to access R via a web browser.

After you’ve analyzed your results, you may want to visualize them. Shiny is a great R package, licensed either commercially or under AGPLv3, that you can use to create interactive dashboards. Shiny provides a web application framework for R. It turns your analyses into interactive web applications; no HTML, CSS, or JavaScript knowledge is required. Shiny Server can deliver your R visualization to your customers via a web browser and execute R functions, including database queries, in the background.

RStudio is provided as a standard catalog item in RLCatalyst Research Gateway for 1-click deployment and use. AWS provides a number of tools like Amazon Athena, AWS Glue, and others to connect to datasets for research analysis.

Benefits of using AWS for Clinical Informatics

  • Data transfer and storage
    The volume of genomics data poses challenges for transferring it from sequencers in a quick and controlled fashion, then finding storage resources that can accommodate the scale and performance at a price that is not cost-prohibitive. AWS enables researchers to manage large-scale data that has outpaced the capacity of on-premises infrastructure. By transferring data to the AWS Cloud, organizations can take advantage of high-throughput data ingestion, cost-effective storage options, secure access, and efficient searching to propel genomics research forward.

  • Workflow automation for secondary analysis
    Genomics organizations can struggle with tracking the origins of data when performing secondary analyses and running reproducible and scalable workflows while minimizing IT overhead. AWS offers services for scalable, cost-effective data analysis and simplified orchestration for running and automating parallelizable workflows. Options for automating workflows enable reproducible research or clinical applications, while AWS native, partner (NVIDIA and DRAGEN), and open source solutions (Cromwell and Nextflow) provide flexible options for workflow orchestrators to help scale data analysis.

  • Data aggregation and governance
    Successful genomics research and interpretation often depend on multiple, diverse, multi-modal datasets from large populations. AWS enables organizations to harmonize multi-omic datasets and govern robust data access controls and permissions across a global infrastructure to maintain data integrity as research involves more collaborators and stakeholders. AWS simplifies the ability to store, query, and analyze genomics data, and link it with clinical information.

  • Interpretation and deep learning for tertiary analysis
    Analysis requires integrated multi-modal datasets and knowledge bases, intensive computational power, big data analytics, and machine learning at scale, which historically can take weeks or months, delaying time to insights. AWS accelerates the analysis of big genomics data by leveraging machine learning and high-performance computing. With AWS, researchers have access to greater computing efficiencies at scale, reproducible data processing, data integration capabilities to pull in multi-modal datasets, and public data for clinical annotation, all within a compliance-ready environment.

  • Clinical applications
    Several hindrances impede the scale and adoption of genomics for clinical applications, including the speed of analysis, managing protected health information (PHI), and providing reproducible and interpretable results. By leveraging the capabilities of the AWS Cloud, organizations can establish a differentiated capability in genomics to advance their applications in precision medicine and patient practice. AWS services enable the use of genomics in the clinic by providing the data capture, compute, and storage capabilities needed to empower the modernized clinical lab to decrease the time to results, all while adhering to the most stringent patient privacy regulations.

  • Open datasets
    As more life science researchers move to the cloud and develop cloud-native workflows, they bring reference datasets with them, often in their own personal buckets, leading to duplication, silos, and poor version documentation of commonly used datasets. The AWS Open Data Program (ODP) helps democratize data access by making it readily available in Amazon S3, providing the research community with a single documented source of truth. This increases study reproducibility, stimulates community collaboration, and reduces data duplication. The ODP also covers the cost of Amazon S3 storage, egress, and cross-region transfer for accepted datasets.

  • Cost optimization
    Researchers utilize massive genomics datasets that require large-scale storage options and powerful computational processing, which can be cost-prohibitive. AWS presents cost-saving opportunities for genomics researchers across the data lifecycle, from storage to interpretation. AWS infrastructure and data services enable organizations to save time and money and devote more resources to science.

Summary
Relevance Lab is a specialist AWS partner working closely in Health Informatics and Genomics solutions, leveraging existing AWS solutions and complementing them with its Self-Service Cloud Portal solutions, automation, and governance best practices.

To know more about how we can help standardize, scale, and speed up Scientific Research in Cloud, feel free to contact us at marketing@relevancelab.com.
