2023 Blog, AppInsights Blog, AWS Governance, Blog, Featured

Governance360 is an integrated and automated solution using the Control Tower Customization methodology. The solution is focused on the entire lifecycle of a customer's cloud adoption, covering the following stages:


  • Workload planning for Cloud Migration and associated best practices with automation.
  • Multi-account management with secure and compliant AWS Accounts, Cost tracking against budgets, guardrails to ensure the workloads are deployed as per AWS Well Architected best practices. This component is called “Control Services” and provides preventive and corrective guardrails.
  • The workloads consisting of network, IDAM, compute, data, storage, applications need to be secure and monitored for static and dynamic threats and vulnerabilities covered under Security Management. This ensures proactive detection and correction of security threats.
  • Proactive monitoring enables observability across system, application and log management, with integrated alert aggregation, correlation and diagnostics to detect performance and availability issues.
  • Service Management and Asset Management integrate the cloud management workflows with ITSM tools based on enterprise standards and enable self-service portals and active CMDB tracking.
  • The foundation of an Automation-First approach, with workflows, templates and BOTs, provides a scalable, enterprise-grade framework for achieving better, faster, cheaper adoption of cloud and ongoing cloud managed services, leveraging RLCatalyst BOTs Server.

All the above components are complex systems that need integration and data sharing, with active policies, status monitoring and workflows for suitable interventions, to achieve a holistic Governance360 model. The solution ensures that proper policies and governance models are set up upfront and consistently updated as lifecycle changes are needed. It combines AWS Control Tower, other highly available, trusted AWS services and Relevance Lab automated solutions to help customers quickly set up a secure, multi-account AWS environment using AWS best practices. Through customization, this solution can integrate with AWS Control Tower lifecycle events to ensure the resource deployment stays in sync with the landing zone. In a single pane, you get visibility into the organizational tree structure of your AWS accounts along with compliance status and non-compliance findings.

The diagram below explains the core building blocks of the Governance360 Solution.


Why do Enterprises need Governance360?
For most Enterprises, the major challenge is around governance and compliance and a lack of visibility into their cloud infrastructure. They spend enormous time trying to achieve compliance in a siloed manner, and enormous effort on security and compliance in general. This can be addressed by automating compliance monitoring and increasing visibility across the cloud with the right set of tools and solutions. Our solution addresses Enterprises' need to automate these security and compliance activities. Through a combination of automated preventive, detective and responsive controls, we help enterprises enforce nearly continuous compliance with auto-remediation, thereby increasing overall security and reducing the cost of compliance.

Some of the use cases on why Enterprises would adopt Governance360:

  • Centralized Cloud Operations Management
  • Configuration, Compliance and Audit Management
  • Automated proactive monitoring and Observability of your Applications
  • Self-Service Provision and Deprovision of Cloud resources
  • Cloud Financial Management

As shown in the above diagram, Governance360 uses a set of tools and policies across multiple layers. This solution starts with a deployment of AWS Control Tower, after which you deploy an AWS CloudFormation template in the account where the AWS Control Tower landing zone is deployed. The template launches an AWS CodePipeline pipeline, AWS CodeBuild projects, AWS Step Functions state machines, AWS Lambda functions, an Amazon EventBridge event rule, an Amazon Simple Queue Service (Amazon SQS) queue, and an Amazon Simple Storage Service (Amazon S3) bucket which contains a sample configuration package. The solution can also create an AWS CodeCommit repository to contain the sample configuration package, instead of the Amazon S3 bucket.

Once the solution is deployed, the custom resources are packaged and uploaded to the CodePipeline source using Amazon S3, which triggers the service control policies (SCPs) state machine and the AWS CloudFormation StackSets state machine to deploy the SCPs at the organizational unit (OU) level, or stack instances at the OU and/or account level. Integration with Security Hub additionally ensures all of your accounts and resources are being continuously monitored for continuous compliance.
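The configuration package that the pipeline picks up is driven by a manifest. The following manifest.yaml is an added example written for this page, not a file from Relevance Lab or from the Customizations for AWS Control Tower project, showing the two deployment paths described above: one SCP handed to the SCP state machine for an OU, and one CloudFormation StackSet handed to the StackSets state machine for an OU plus a single account. The OU names, the account id, the file paths, the Config rule parameter name and the home region are placeholders; the referenced policy and template files are assumed to sit beside the manifest inside the package.

```yaml
# manifest.yaml (CfCT manifest schema version 2021-03-15); added example with placeholder values
region: us-east-1          # home region of the landing zone, where the pipeline runs
version: 2021-03-15

resources:
  # Preventive guardrail: a service control policy attached at the OU level.
  # The SCP state machine attaches policies/require-app-tags.json (assumed to
  # exist in the package) to every account under the placeholder "Workloads" OU.
  - name: require-application-tags
    description: Deny creation of selected resources that carry no Application or Service tag
    resource_file: policies/require-app-tags.json
    deploy_method: scp
    deployment_targets:
      organizational_units:
        - Workloads

  # Detective guardrail: a StackSet deploying an AWS Config rule (template
  # templates/config-required-tags.template is assumed to exist in the package).
  # The StackSets state machine creates one stack instance per target account
  # and region: every account in the "Workloads" OU plus one extra account.
  - name: config-required-tags
    description: Deploy a REQUIRED_TAGS Config rule so untagged resources show up as NON_COMPLIANT
    resource_file: templates/config-required-tags.template
    deploy_method: stack_set
    parameters:
      - parameter_key: RequiredTagKeys          # placeholder template parameter
        parameter_value: "Application,Service"
    deployment_targets:
      organizational_units:
        - Workloads
      accounts:
        - "111111111111"                        # placeholder account id
    regions:
      - us-east-1
      - eu-west-1
```

Committing this file (with its policy and template files) to the S3 bucket or CodeCommit repository that the pipeline watches is all that is needed to trigger a run; the pipeline's build stage validates the manifest before either state machine is invoked, so a malformed entry fails early rather than after a partial rollout. Pairing the preventive SCP with the detective Config rule is deliberate: the SCP blocks new untagged resources, while the Config rule surfaces the untagged resources that already existed, which is what feeds the Security Hub view mentioned above.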


Our standard and custom library includes a set of pre-built templates (CloudFormation and Terraform) and policies (YAML/JSON). These combine templates (CFTs) for deployment or provisioning with policies that enforce and monitor governance and compliance. Together they enable one-click automated deployment of your network, infrastructure and application layers, and enforce pre-defined compliance on your accounts.

Governance360 Maturity Model
The Governance360 maturity model consists of 4 levels as shown below:

Level-1 (Basic Governance)
  • Covers AWS Control Tower
  • Takes about 4-6 weeks

What is AWS Control Tower?
  • Secure, compliant, multi-account AWS environments based on AWS best practices.

How does it work?
  • Step-1: Multi-account structure, identity and access management, and account provisioning workflows.
  • Step-2: Apply guardrails (security and compliance policies) that prevent non-compliance during new deployments and detect and remediate non-compliance found on accounts and resources.
  • Step-3: Monitor compliance with visual summaries; a dashboard shows accounts, guardrails and compliance status all in one place.

What benefits does it provide?
  • Automated and standardized account provisioning.
  • Better control of AWS environments.
  • Govern your workloads more easily and drive innovation.
  • Cost and budget management.

What is still missing in maturity at this level?
  • A manual setup model: changes across the different OUs and accounts are not automated, so deploying new policies and customizations is not easy.
  • Setup of VPC/subnet/IAM roles needs more advanced templates and automation.
  • Only mandatory guardrails are activated; more work is needed to reach full AWS Foundation and CIS Top 20 Benchmark compliance.
  • Cost optimization missing.
  • Integration with ITSM tools missing.

Level-2 (Advanced Governance)
  • Automation-led Governance@Scale
  • Covers AWS Service Management Connector and ITSM integrations
  • Additional 6-8 weeks

What is Governance@Scale?
  • Customization of Control Tower using CI/CD pipeline best practices.
  • Rich library of automation templates for infrastructure automation.
  • Extended compliance to AWS Foundation and CIS Top-20.
  • Cost optimization techniques – Instance Scheduler, Compute Optimizer, AWS WorkSpaces Cost Optimizer, cost-monitor Lambda functions.
  • Activate AWS Service Catalog and AWS Service Management Connector.

How does it work?
  • Deployment of Customizations for Control Tower and custom guardrails.
  • Enablement of Security Hub and Config.
  • Service Catalog and Service Management capabilities using your ITSM platform (ServiceNow, Jira SD, Freshservice).

What benefits does it provide?
  • Ease of deployment of security controls at scale using the CI/CD pipeline.
  • Security Hub dashboard.
  • Asset Management dashboard.
  • AWS Config Aggregator dashboard.

What is still missing in maturity at this level?
  • No integration with security monitoring of resources and accounts – static or dynamic.
  • Proactive monitoring of asset health is missing.

Level-3 (Proactive and Preventive Governance)
  • Covers AWS Security Hub and AWS monitoring tools integration
  • Provides proactive and integrated monitoring of real-time security and health parameters for appropriate early-warning systems and actions; this helps early detection of adverse events, diagnosis and action
  • Additional 8-10 weeks

What is Proactive and Preventive Governance?
  • Use the ITSM/custom cloud portal to view the compliance status across your multi-account cloud infrastructure.
  • Get a single-pane-of-glass view of your multi-account cloud assets.
  • Enable SSM to run periodic vulnerability assessments on your resources.

How does it work?
  • Integration of AWS Security Hub with AWS Control Tower.
  • Use of GuardDuty and Inspector.
  • Enable CloudWatch.

What benefits does it provide?
  • Security Hub dashboard.
  • Proactive health monitoring dashboard.
  • Vulnerability and missing-patches dashboard.

What is still missing in maturity at this level?
  • Granular policies for account- and resource-level control are missing.
  • Continuous compliance and remediation are missing.
  • Vulnerability and patch management fixes are missing.
  • Industry-specific extensions for specialized compliance – HITRUST, HIPAA, GRC, GDPR etc.

Level-4 (Intelligent Compliance with Remediations)
  • Covers Cloud Custodian and intelligent automation with BOTs and policies
  • Helps achieve continuous compliance
  • Helps achieve industry-specific security standards (depends on the type of compliance)
  • Typically 4-6 weeks per compliance standard

What is Intelligent and Continuous Compliance with Industry-Specific Coverage?
  • Continuous monitoring, detection and auto-remediation achieved at scale.
  • Ability to learn from previous incidents and increase coverage and compliance.
  • Enterprise-grade automation covering the full lifecycle of cloud resources, system changes and people interactions.
  • Baseline the requirements for industry-specific compliance needs like HITRUST, HIPAA, GDPR, SOC2 etc.
  • Deploy Quick Starts for these specific standards.

How does it work?
  • Integration with RLCatalyst BOTs Server and Command Centre.
  • Application and business service level monitoring and diagnosis.
  • Integration with Cloud Custodian.
  • Launch compliance-standard-specific Quick Starts.
  • Enable AWS Systems Manager (or ManageEngine) and patch management.

What benefits does it provide?
  • Continuous compliance dashboard – Custodian + Security Hub.
  • Vulnerability dashboard – compliance status.
  • Command Centre dashboards.
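What "continuous monitoring, detection and auto-remediation" looks like at this level is a Cloud Custodian policy that both finds a non-compliant resource and corrects it without a person in the loop. The policy file below is an added example written for this page, not a policy from Relevance Lab or from the Cloud Custodian project; it assumes the tag keys Application and Service, a placeholder account id and a placeholder IAM role for the policy's Lambda function. It applies a detect, grace period, remediate cycle to EC2 instances that lack the application tags, which is the same tagging guardrail the earlier levels only report on.

```yaml
# tag-compliance.yml (added example; placeholder role ARN and account id)
policies:

  # 1. Detect: running instances missing either application tag are marked for
  #    a stop in two days, giving the owner a grace period to add the tags.
  #    Instances already carrying the marker are skipped so the clock is not reset.
  - name: ec2-missing-app-tags-mark
    resource: aws.ec2
    description: Mark running instances that lack the Application or Service tag
    mode:
      type: periodic
      schedule: "rate(1 hour)"
      role: arn:aws:iam::111111111111:role/CustodianPolicyRole   # placeholder
    filters:
      - "State.Name": running
      - "tag:c7n_tag_compliance": absent
      - or:
          - "tag:Application": absent
          - "tag:Service": absent
    actions:
      - type: mark-for-op
        tag: c7n_tag_compliance
        op: stop
        days: 2

  # 2. Remediate: once the date written into the marker tag has been reached and
  #    the tags are still missing, stop the instance. marked-for-op only matches
  #    markers whose scheduled date has arrived, so nothing is stopped early.
  - name: ec2-missing-app-tags-stop
    resource: aws.ec2
    description: Stop instances that are still untagged after the grace period
    mode:
      type: periodic
      schedule: "rate(1 hour)"
      role: arn:aws:iam::111111111111:role/CustodianPolicyRole   # placeholder
    filters:
      - "State.Name": running
      - type: marked-for-op
        tag: c7n_tag_compliance
        op: stop
      - or:
          - "tag:Application": absent
          - "tag:Service": absent
    actions:
      - stop

  # 3. Clear: remove the marker from instances whose owner has added both tags,
  #    so a fixed instance is no longer scheduled for a stop.
  - name: ec2-app-tags-fixed-unmark
    resource: aws.ec2
    description: Remove the compliance marker once both tags are present
    mode:
      type: periodic
      schedule: "rate(1 hour)"
      role: arn:aws:iam::111111111111:role/CustodianPolicyRole   # placeholder
    filters:
      - "tag:c7n_tag_compliance": not-null
      - "tag:Application": not-null
      - "tag:Service": not-null
    actions:
      - type: remove-tag
        tags:
          - c7n_tag_compliance
```

Run `custodian validate tag-compliance.yml` to check the schema and `custodian run -s out --dryrun tag-compliance.yml` to see which instances each policy would touch before deploying the Lambda functions; the dry run is the natural place to confirm that the grace period, not the stop, is what a freshly launched untagged instance receives.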

How to get started
Relevance Lab is an AWS consulting partner and helps organizations achieve automation-led cloud management using Governance360, based on AWS best practices. While Enterprises can try to build some of these solutions themselves, it is a time-consuming and error-prone activity that needs a specialist partner. Relevance Lab has helped 10+ Enterprises with this need and has a reusable automated solution and pre-built library to meet security and compliance needs.

For more details, please feel free to reach out to marketing@relevancelab.com.





2021 Blog, AppInsights Blog, ServiceOne, Blog, Featured

Relevance Lab announces the availability of a new product, RLCatalyst AppInsights, on the ServiceNow Store. The certified standalone application is available free of cost and offers a dynamic application-centric view of AWS resources.

Built on top of AWS Service Catalog AppRegistry and created in consultation with AWS teams, the product offers a unique solution for ServiceNow and AWS customers. It offers dynamic insights related to cost, health, cloud asset usage, compliance and security, with the ability to take appropriate actions for operational excellence. This helps customers manage their multi-account dynamic application CMDB (Configuration Management Database).

The product includes ServiceNow dashboards with metrics and actionable insights. The design has pre-built connectors to AWS services and the unique RL DataBridge, which provides integration with third-party applications using a serverless architecture for extended functionality.

Why do you need a Dynamic Application-Centric View for Cloud CMDB?
Cloud-based dynamic assets create great flexibility but add complexity for near real-time asset and CMDB tracking, especially for enterprises operating in a complex multi-account, multi-region and multi-application environment. Such enterprises, with complex cloud infrastructures and ITSM tools, struggle to change the paradigm from infrastructure-centric views to application-centric insights that are better aligned with business metrics, financial tracking and end-user experience.

While existing solutions using discovery tools and Service Management connectors provided a partial solution with an infrastructure-centric view, a robust application-centric dynamic CMDB was a missing solution that is now addressed with this product. More details about the features of this product can be found on this blog.

Built on AWS Service Catalog AppRegistry
AWS Service Catalog AppRegistry helps to create a repository of your applications and associated resources. These capabilities enable enterprise stakeholders to obtain the information they require for informed strategic and tactical decisions about cloud resources.

Leveraging AWS Service Catalog AppRegistry as the foundation for the application-centric views, RLCatalyst AppInsights enhances the value proposition and provides integration with ServiceNow.

Value adds provided:

  • Single pane of control for cloud operational management with ServiceNow
  • Cost planning, tracking and optimization across multi-region and complex cloud setups
  • Near real-time view of assets, health, security and compliance
  • Detection of idle capacity and orphaned resources
  • Automated remediation

This enables the entire lifecycle of cloud adoption (Plan, Build and Run) to be managed with significant business benefits of speed, compliance, quality and cost optimization.

Looking Ahead
With the new product now available on the ServiceNow Store, it is easier for enterprises to download and try it for enhanced functionality on their existing AWS and ServiceNow platforms. We expect to work closely with AWS partnership teams to drive the adoption of AWS Service Catalog AppRegistry and of solutions for TCAM (Total Cost of Application Management) in the market. This will help customers optimize their application asset tracking and cloud spend through better planning, monitoring, analysis and corrective action, via an intuitive UI-driven ServiceNow application at no additional cost.

To learn more about RLCatalyst AppInsights, feel free to write to marketing@relevancelab.com.




2021 Blog, AppInsights Blog, Blog, Featured

Many AWS customers either integrate ServiceNow into their existing AWS services or set up both ServiceNow and AWS services for simultaneous use. Customers need a near real-time view of their infrastructure and applications spread across their distributed accounts.

Commonly referred to as the “Dynamic Application Configuration Management Database (CMDB) or Dynamic Assets” view, it allows customers to gain integrated visibility into their infrastructure to break down silos and facilitate better decision making. From an end-user perspective as well, there is a need for an “Application Centric” view rather than an “Infrastructure/Assets” view, as better visibility ultimately enhances their experience.

An “Application Centric” view provides the following insights:

  • Application master for the enterprise
  • Application-linked infrastructure currently deployed and in use
  • Cost allocation at application level (useful for chargebacks)
  • Current health, issues and vulnerabilities with application context for better management
  • Better alignment with the existing enterprise context of business units, projects and cost codes for budget planning and tracking

Use Case benefits for ServiceNow customers
Near real-time view of AWS applications and infrastructure workloads across multiple AWS accounts in ServiceNow. The customer enables self-service for their Managed Service Provider (MSP) and their developers to:

  • Maintain established ITSM policies and processes
  • Enforce consistency
  • Ensure compliance
  • Ensure security
  • Eliminate IAM access to underlying services

Use Case benefits for AWS customers
Enabling application self-service for general and technical users. The customer would like service owners (e.g. HR, Finance, Security and Facilities) to view AWS infrastructure-enabled applications via self-service while ensuring:

  • Compliance
  • Security
  • Reduced application onboarding time
  • Optical consistency across all businesses

RLCatalyst AppInsights Solution – Built on AppRegistry
Working closely with AWS partnership groups to address the key needs of customers, the RLCatalyst AppInsights Solution provides a “Dynamic CMDB” solution that is application centric, with the following highlights:

  • Built on “AWS AppRegistry” and tightly integrated with AWS products
  • Combines information from the following data sources:
    • AWS AppRegistry
    • AWS Accounts
      • Design-time data (definitions – resources, templates, costs, health, etc.)
      • Run-time data (dynamic information – resources, templates, costs, health, etc.)
    • AppInsights additional functionality
      • Service Registry insights
      • Aggregated data (lake) with dynamic CMDB/asset view
      • UI interaction engine with appropriate backend logic

A well-defined dynamic application CMDB is mandatory in cloud infrastructure to track assets effectively, and serves as the basis for effective Governance360.

To learn more about the RLCatalyst AppInsights Solution built on AWS AppRegistry, click here.

AWS recently released a new feature called AppRegistry to help customers natively build an inventory of AWS resources with insight into their use across applications. AWS Service Catalog AppRegistry allows creating a repository of your applications and associated resources. Customers can define and manage their application metadata. This allows them to understand the context of their applications and resources across their environments. These capabilities enable enterprise stakeholders to obtain the information they require for informed strategic and tactical decisions about cloud resources. Using AppRegistry as a base product, we have created a dynamic application CMDB solution, AppInsights, to benefit AWS and ServiceNow customers, as explained in the figure below.

Modeling a common customer use case
Most customers have multiple applications deployed in different regions, consisting of sub-applications, underlying web services and related infrastructure, as explained in the figure below. The dynamic nature of cloud assets and automated provisioning with Infrastructure as Code make the discovery process, and keeping the CMDB up to date, a non-trivial problem.

As explained above, a typical customer setup consists of different business units deploying applications in different market regions across a complex and hybrid infrastructure. Most existing CMDB applications provide a static asset view that is incomplete and not well aligned with the growing need for real-time application-centric analysis, cost allocation and application health insights. This problem has been solved by the AppInsights solution, leveraging customers' existing investments in ServiceNow ITSM licenses and pre-existing AWS solutions like the Service Management Connector that are available at no additional cost. The missing piece until recently was application-centric metadata linking applications to infrastructure templates.

Customers need to be able to see the information across their AWS accounts with details of application, infrastructure and costs in a simple and elegant manner, as shown below. The basic KPIs tracked in the dashboard are the following:

  • Dashboard per AWS account (aggregated information across accounts to be added later)
  • Ability to track an application view with active application instances, active AWS resources and associated costs
  • Trend charts for application, infrastructure and cost details
  • Drill-down ability to view all applications and their associated active instances, which are updated dynamically using a periodic sync option or on demand

The ability to get a dynamic application CMDB comes from leveraging the AWS Well-Architected best practice of “Infrastructure as Code”, relying on AWS Service Catalog, AWS Service Management Connector, AWS CloudFormation templates, AWS Costs & Budgets and AWS AppRegistry. The application is built as a scoped application inside ServiceNow and leverages the standard ITSM licenses, making it easy for customers to adopt and share this solution with business users without the need for AWS Console access.

The workflow steps for adoption of RLCatalyst AppInsights are explained below. The solution is based on standard AWS and ServiceNow products commonly used in enterprises and is built on existing best practices, processes and collaboration models.

Step | Activity | Data source / component
Step-1 | Define AppRegistry data | Use AppRegistry
Step-2 | Link app to infra templates – CloudFormation Template (CFT) / Service Catalog (SC) | AWS Accounts – asset definitions
Step-3 | Ensure all assets provisioned have app and service tagging (enforce with guardrails) | AWS Accounts – asset runtime data
Step-4 | Register application services – Service Registry | Service Registry
Step-5 | AppInsights data lake refresh with static and dynamic updates (aggregated across accounts) | RLCatalyst AppInsights
Step-6 | Asset, cost, health dashboard | RLCatalyst AppInsights

A typical implementation of RLCatalyst AppInsights can be rolled out for a new customer in 4-6 weeks and can provide significant business benefits for multiple groups, enabling better operations support, self-service requests, application-specific diagnostics, asset usage and cost management. The base solution is built on a flexible architecture that allows more advanced customization to extend it with real-time health and vulnerability mappings and achieve AIOps maturity. In the future there are plans to extend the application-centric views to cover more granular “Services” tracking in support of microservice architectures, container-based deployments and integration with other PaaS/SaaS-based services.

Summary
Cloud-based dynamic assets create great flexibility but add complexity for near real-time asset and CMDB tracking. While existing solutions using discovery tools and Service Management connectors provided a partial solution with an infrastructure-centric view of the CMDB, a robust application-centric dynamic CMDB was a missing solution that is now addressed with RLCatalyst AppInsights built on AppRegistry, as explained in the blog above.

For more information, feel free to contact marketing@relevancelab.com.



