Cloud Automation for I.T. Governance, Risk, and Compliance (GRC) in Healthcare

It has been said that the “hero of a successful digital transformation is GRC.” The ISACA website states, “to successfully manage the risk in digital transformation you need a modern approach to governance, risk and regulatory compliance.” For GRC program development, it is important to understand the health information technology resources and tools available to enable long term success.

What is GRC and why is it important?

According to the HIPAA Journal, the average cost of a healthcare data breach is now $9.42 million. In the first half of 2021, 351 significant data breaches were reported, affecting nearly 28 million individuals. The needs have never been more acute among healthcare providers, insurers, biotechnology and health research companies for effective information security and controls. Protecting sensitive data and establishing a firm security posture is essential. Improving health care and reducing cost relies on structured approaches and thoughtful implementation of available technologies to help govern data and mitigate risk across the enterprise.

Effective and efficient management of governance, risk, and compliance, or GRC, is fast becoming a business priority across industries. Leaders at hospitals and health systems of all sizes are looking for ways to build operating strategies that harmonize and enhance efforts for GRC. Essential to that mission are effective data governance, risk management, regulatory compliance, business continuity management, project governance, and security. But rather than stand-alone or siloed security or compliance efforts, a cohesive program coupled with GRC solutions allows organizational leaders to address the multitude of challenges more effectively and efficiently.

What are the goals for I.T. GRC?

For GRC efforts, leaders are looking to:

  • Safeguard Protected Healthcare Data
  • Meet and Maintain Compliance to Evolving Regulatory Mandates and Standards
  • Identify, Mitigate and Prevent Risk
  • Reduce operational friction
  • Build in and utilize best practices

Managing governance, risk, and compliance in healthcare enterprises is a daunting task. GRC implementation for healthcare risk managers can be difficult, especially during this time of rapid digital and cloud transformation. But relying on internal legacy methods and tools leads to the same issues that have been seen on-premises, stifling innovation and improvement. As organizations adapt to cloud environments as a key element of digital transformation and integrated health care, leaders are realizing that now is the time to leverage the technology to implement GRC frameworks that accelerate their progress toward positive outcomes. What’s needed is expertise and a clear roadmap to success.

Cloud Automation of GRC

The road to success starts with a framework, aligned to business objectives, that provides cloud automation of Governance, Risk, and Compliance. Breaking this into three distinct phases, ideally this would involve:

  1. Building a Solid Foundation – within the cloud environment, ensuring infrastructure and applications are secured before they are deployed.
  • Image/Operating System hardening automation pipelines.
  • Infrastructure Deployment Automation Pipelines including Policy as Code to meet governance requirements.
  • CI/CD Pipelines including Code Quality and Code Security.
  • Disaster Recovery as a Service (DRaaS) meeting the organization’s Business Continuity Planning requirements.
  • Configuration Management to allow automatic remediation of your applications and operating systems.
  • Cost Management strategies with showback and chargeback implementation.
  • Automatic deployment and enforcement of standard security tools including FIM, IDS/IPS, AV and Malware tooling.
  • IAM integration for authorization and authentication with platforms such as Active Directory, Okta, and PingFederate, allowing for more granular control over users and elevated privileges in the clouds.
  • Reference Architectures created for the majority of the organization’s needs that are pre-approved, with security baked in, to be used in the infrastructure pipelines.
  • Self-service CMDB integration with tools such as ServiceNow, Remedy and Jira ServiceDesk, allowing business units to provision their own infrastructure while providing the proper governance guardrails.
  • Resilient Architecture designs
  2. Proper Configuration and Maintenance – Infrastructure misconfiguration is the leading cause of data breaches in the cloud, and a big reason misconfiguration happens is infrastructure configuration “drift,” or change that occurs in a cloud environment post-provisioning. Using automation to monitor and self-remediate the environment will ensure the cloud environment stays in the proper configuration, eliminating the largest cause of incidents. Since workloads will live most of their life in this phase, it is important to ensure there isn’t any drift from the original secure deployment. An effective program will need:
  • Cloud Integrity Monitoring using cloud native tooling.
  • Log Management and Monitoring with centralized logging, critical in a well-designed environment.
  • Application Monitoring
  • Infrastructure Monitoring
  • Managed Services including patching to resolve issues.
  • SLAs to address incidents and quickly get them resolved.
  • Cost Management to ensure that budgets are met and there are no runaway costs.
  • Perimeter security utilizing cloud native and 3rd party security appliance and services.
  • Data Classification
  3. Use of Industry Leading Tools – for risk assessment, reporting, verification and remediation. Thwart future problems and provide evidence to stakeholders that the cloud environment is rock solid. Tools and verification components would include:
  • Compliance reporting
  • Risk Registry integration into tools
  • Future attestations (BAAs)
  • Audit evidence generation
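
The three phases above, sketched as an added example that is not 2nd Watch's code or any vendor's API: a policy-as-code gate before deployment, a drift check of the live configuration against the approved baseline with automatic reversion, and a digest-stamped audit evidence record. The resource names, setting keys, policy rules and both snapshots are constructed for illustration.

```python
import copy
import hashlib
import json

# Policy as code (hypothetical rules): type -> setting -> required value,
# or a predicate where a range of values is acceptable.
POLICIES = {
    "storage_bucket": {"public_access": False, "encryption_at_rest": True},
    "database": {"publicly_reachable": False, "encryption_at_rest": True,
                 "backup_retention_days": lambda v: isinstance(v, int) and v >= 7},
}


def violations(rtype, config):
    """Settings in `config` that break the policy for resource type `rtype`."""
    bad = []
    for key, rule in POLICIES.get(rtype, {}).items():
        actual = config.get(key)  # a missing setting counts as non-compliant
        if not (rule(actual) if callable(rule) else actual == rule):
            bad.append(key)
    return sorted(bad)


def gate(plan):
    """Phase 1: admit only compliant resources; what passes is the baseline."""
    baseline, rejected = {}, {}
    for name, res in plan.items():
        bad = violations(res["type"], res["config"])
        if bad:
            rejected[name] = bad
        else:
            baseline[name] = copy.deepcopy(res)
    return baseline, rejected


def detect_drift(baseline, observed):
    """Phase 2: diff a live snapshot against the approved baseline."""
    findings = []
    for name, approved in baseline.items():
        live = observed.get(name)
        if live is None:
            findings.append({"resource": name, "kind": "missing"})
            continue
        broken = violations(approved["type"], live["config"])
        for key in sorted(set(approved["config"]) | set(live["config"])):
            want, have = approved["config"].get(key), live["config"].get(key)
            if want != have:
                findings.append({"resource": name, "kind": "changed",
                                 "setting": key, "approved": want, "live": have,
                                 "violates_policy": key in broken})
    for name in sorted(set(observed) - set(baseline)):
        findings.append({"resource": name, "kind": "unmanaged"})
    return findings


def remediate(baseline, observed, findings):
    """Revert changed settings on a copy; other findings are only reported."""
    fixed, actions = copy.deepcopy(observed), []
    changed = [f for f in findings if f["kind"] == "changed"]
    for f in changed:
        cfg = fixed[f["resource"]]["config"]
        approved = baseline[f["resource"]]["config"]
        if f["setting"] in approved:
            cfg[f["setting"]] = approved[f["setting"]]
        else:
            cfg.pop(f["setting"])  # setting added after provisioning
        actions.append(f"{f['resource']}.{f['setting']} reverted to baseline")
    return fixed, actions


def evidence(findings, actions, checked_at):
    """Phase 3: audit record carrying a SHA-256 digest of its canonical JSON."""
    body = {"checked_at": checked_at, "findings": findings, "actions": actions}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return {**body, "sha256": hashlib.sha256(canonical.encode()).hexdigest()}


# Constructed sample data: a deployment plan and a later live snapshot.
PLAN = {
    "phi-archive": {"type": "storage_bucket", "config": {
        "public_access": False, "encryption_at_rest": True}},
    "claims-db": {"type": "database", "config": {
        "publicly_reachable": False, "encryption_at_rest": True,
        "backup_retention_days": 14}},
    "scratch": {"type": "storage_bucket", "config": {
        "public_access": True, "encryption_at_rest": True}},
}
LIVE = copy.deepcopy({k: PLAN[k] for k in ("phi-archive", "claims-db")})
LIVE["phi-archive"]["config"]["public_access"] = True      # drift that breaks policy
LIVE["claims-db"]["config"]["backup_retention_days"] = 10  # drift still within policy
LIVE["test-vm-7"] = {"type": "vm", "config": {}}           # never went through the gate

if __name__ == "__main__":
    baseline, rejected = gate(PLAN)
    findings = detect_drift(baseline, LIVE)
    fixed, actions = remediate(baseline, LIVE, findings)
    print("rejected at gate:", rejected)
    print(json.dumps(evidence(findings, actions, "constructed-timestamp"), indent=2))
```

Drift that stays inside policy (the shortened backup retention) is still reported and reverted, because the baseline, not the policy minimum, is what was approved.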

Where do you go from here?

Your organization needs to innovate faster and drive value with the confidence of remaining in compliance. You need to get to a proactive state instead of being reactive. Consider an assessment to help you evaluate your organization’s place in the cloud journey and how the disparate forms of data in the organization are collected, controlled, processed, stored, and protected.

Start with an assessment that includes:

  • Identification of security gaps
  • Identification of foundational gaps
  • Remediation plans
  • Managed service provider onboarding plan
  • A Phase Two (Foundational/Remediation) proposal and Statement of Work

About 2nd Watch

2nd Watch is a trusted and proven partner, providing deep skills and advisory to leading organizations for over a decade. We earned a client Net Promoter Score of 85, a good way of telling you that our customers nearly always recommend us to others. We can help your organization with cloud native solutions. We offer skills in the following areas:

  • Developing cloud first strategies
  • Migration of workloads to the cloud
  • Implementing automation for governance and security guardrails
  • Implementing compliance controls and processes
  • Pipelines for data, infrastructure and application deployment
  • Subject matter expertise for FHIR implementations
  • Managed cloud services

Schedule time with an expert now, contact us.

-Tom James, Sr. Marketing Manager, Healthcare


Riding the Digital Transformation: Why Enterprises Are Reengineering Their Cloud Infrastructure

Post 2020, how are you approaching the cloud? The rapid and unexpected digital transformation of 2020 forced enterprises worldwide to quickly mobilize workers using cloud resources. Now, as the world returns to an altered normal, it’s time for organizations to revisit their cloud infrastructure components with a fresh perspective. Hybrid work environments, industry transformations, changing consumer behavior, and growing cyber threats have all affected the way we do business. Now it might be time to change your cloud.

Risk mitigation at scale

Avoiding potential missteps in your strategy requires both wide and narrow insights. With the right cloud computing infrastructure, network equipment, and operating systems, organizations can achieve better risk mitigation and management with cloud scalability. As you continue to pursue business outcomes, you have to solve existing problems, as well as plan for the future. Some of these problems include:

  • Scaling your cloud platform and infrastructure services quickly to keep up with increasing and/or unexpected demand.
  • Maximizing cloud computing services and computing power to accommodate storage, speed, and resource demands.
  • Prioritizing new and necessary investments and delivery models within a fixed budget.
  • Innovating faster to remain, or gain, competitive advantage.

Overall, to avoid risk, you need to gain efficiency, and that’s what the cloud can do. Cloud infrastructure, applications, and Software as a Service (SaaS) solutions are designed to decrease input, and increase output and effectiveness. The scalability of cloud services allows enterprises to continue growing and innovating, without requiring heavy investments. With continuous cloud optimization, you’re positioned to adapt, innovate, and succeed regardless of the unknown future.

Application modernization for data leverage

Much of the digital transformation started with infrastructure modernization and the development of IaaS as a baseline. Now, application modernization is accelerating alongside a changing migration pattern. What used to be simply ‘lift and shift’ is now ‘lift and evolve.’ Enterprises want to collaborate with cloud experts to gain a deeper understanding of applications as they become more cloud native. With a constant pipeline of new applications and services, organizations need guidance to avoid cloud cost sprawl and streamline environment integration.

As application modernization continues, organizations are gaining access to massive amounts of data that are enabling brand new opportunities. This requires a new look at database architectures to make sure you’re unlocking value internally and potentially, externally. While application modernization and database architecture are interconnected, they can also transform separately. We’re starting to see people recognize the importance of strategic cloud transformations that include the entire data footprint – whether it’s the underlying architecture, or the top level analytics.

Organizations are getting out of long-term licensing agreements, monetizing their data, gaining flexibility, cutting costs, and driving innovation, customer value, and revenue. Data is pulled from, and fed into, a lot of different applications within constantly changing cloud environments, which brings both challenges and opportunities. Enterprises must transform from this to that, but the end goal is constantly changing as well. Therefore continuous motion is necessary within the digital transformation.

Changing core business strategies

One thing is for sure about the digital transformation – it’s not slowing down. Most experts agree that even after pandemic safety precautions are eliminated, the digital transformation will continue to accelerate. After seeing the speed of adoption and opportunities in the cloud, many enterprises are reevaluating the future with new eyes. Budgets for IT are expanding, but so are the IT skills gap and cybersecurity incidents. These transitions present questions in a new light, and enterprises should revisit their answers.

  • Why do you still have your own physical data center?
  • What is the value in outsourcing? And insourcing?
  • How has your risk profile changed?
  • How does data allow you to focus on your core business strategy?

Answering these questions has more enterprises looking to partner with, and learn from, cloud experts – as opposed to just receiving services. Organizations want and need to work alongside cloud partners to close the skills gap within their enterprise, gain skills for internal expansion in the future, and better understand how virtualized resources can improve their business. It’s also a way to invest in your employees to reduce turn-over and encourage long-term loyalty.

Security and compliance

At this point with security, compliance, and ensuring business continuity, enterprises must have solutions in place. There is no other way. Ransomware and phishing attacks have been rising in sophistication and frequency year-over-year, with a noticeable spike since remote work became mainstream. Not only does your internal team need constant training and regular enforcement of governance policies, but there’s a larger emphasis on how your network protections are set up.

Regardless of automation and controls, people will make mistakes and there is an inherent risk in any human activity. In fact, human error is the leading cause of data loss, with approximately 88% of all data breaches caused by an employee mistake. Unfortunately, a breach is often made possible by your internal team. Typically, it’s the manner in which the cloud is configured or architected that creates a loophole for bad actors. It’s not that the public cloud isn’t secure or compliant, it’s that it’s not set up properly. This is where many enterprises are outsourcing data protection to avoid damaging compliance penalties, guarantee uninterrupted business continuity, and maintain the security of sensitive data after malicious or accidental deletion, natural disaster, or in the event that a device is lost, stolen or damaged.

Next steps: Think about day two

Enterprises who think of cloud migration as a one-and-done project – we were there, and now we’re here – aren’t ready to make the move. The cloud is not the answer. The cloud is an enabler to help organizations get the answers necessary to move in the direction they desire. There are risks associated with moving to the cloud – tools can distract from goals, system platforms need support, load balancers have to be implemented, and the cloud has to be leveraged and optimized to be beneficial long-term. Without strategizing past the migration, you won’t get the anticipated results.

It can seem overwhelming to take on the constantly changing cloud (and it certainly can be), but you don’t have to do it alone! Keep up with the pace and innovation of the digital transformation, while focusing on what you do best – growing your enterprise – by letting the experts help. 2nd Watch has a team of trusted cloud advisors to help you navigate cloud complexities for successful and ongoing cloud modernization. As an Amazon Web Services (AWS) Premier Partner, a Microsoft Azure Gold Partner, and a Google Cloud Partner with over 10 years’ experience, 2nd Watch provides ongoing advisory services to some of the largest companies in the world. Contact Us to take the next step in your cloud journey!

-Michael Elliott, Director of Marketing


Continuous Compliance – Automatically Detect and Report Vulnerabilities in your Cloud Enterprise

Customers are wrangling with many challenges in managing security at scale across the enterprise. As customers embrace more and more cloud capabilities across more providers, it becomes daunting to manage compliance.

The landscape of tools and providers is endless, and customers are utilizing a mix of traditional enterprise tools from the past along with cloud tools to try to achieve security baselines within their enterprise.

At 2nd Watch we have a strong partnership with Palo Alto Networks, which provides truly enterprise-grade security to our customers across a very diverse enterprise landscape – datacenter, private cloud, public cloud and hybrid – across AWS, Azure and Google Cloud Platform.

Palo Alto Networks acquired a brilliant company recently – Evident.io. Evident.io is well known for providing monitoring, compliance and security posture management to organizations across the globe. Evident.io provides continuous compliance across AWS and Azure and brings strong compliance vehicles around HIPAA, ISO 27001, NIST 800-53, NIST 900-171, PCI and SOC 2.

The key to continuous compliance lies in the ability to centralize monitoring and reporting as well as insight into one console dashboard where you can see, in real time, the core health and state of your cloud enterprise.

This starts with gaining core knowledge of your environment’s current health state. You must audit, assess and report on where you currently stand in terms of scope of health. Knowing current state will allow you to see the areas where you need to correct and will also open insight into compliance challenges. Evident.io automates this process and allows for automated, continuous visibility and control of infrastructure security while allowing for customized workflow and orchestration, which allows clients to tune the solution to fit specific organizational needs and requirements easily and effectively.

After achieving the core insight of current state of compliance, you must now work on ways to remediate and efficiently maintain compliance moving forward. Evident.io provides a rich set of real-time alerting and workflow functionality that allows clients to achieve automated alerting, automated remediation and automated enforcement. Evident.io employs continuous security monitoring and stores the data collected in the evident security platform, which allows our clients to eliminate manual review and build rich reporting and insight into current state and future state. Evident.io employs a rich set of reporting capabilities out of the box, across a broad range of compliance areas, which helps to report compliance quickly and address existing gaps and reduce and mitigate risk moving forward.

Evident.io works through API on AWS and Azure in a read-only posture. This provides a non-intrusive and effective approach to core system and resource insight without the burden of heavy agent deployment and configuration. Evident Security Platform acquires this data through API securely and analyzes it against core compliance baselines and security best practices to ensure gaps in enterprise security are corrected and risk is reduced.

Continuous Compliance requires continuous delivery. As clients embrace the cloud and the capabilities the cloud providers provide, it becomes more important than ever before that we institute solutions that help us manage against continuous software utilization and delivery. The speed of the cloud requires a new approach for core security and compliance, one that provides automation, orchestration and rich reporting to reduce the overall day-to-day burden of managing towards compliance at scale in your cloud enterprise.

If you are not familiar with Evident.io, check them out at https://evident.io, and reach out to us at 2nd Watch for help realizing your potential for continuous compliance in your organization.

-Peter Meister, Sr Director of Product Management


Governance, Risk and Compliance Drive Change Across the Organization

What is GRC?

Governance, Risk and Compliance (GRC) is a standard framework that helps to drive organizations towards a common set of goals and principles. The overarching theme is strategically focused on how technology utilization and operations tie directly back to an organization’s business goals and, in many cases, aspirations.

There are many facets to GRC. In the cloud it means the same thing as it did in the datacenter. We need to ensure IT organizes around the business, and we need to make sure risk is minimized and compliance is maintained.

At 2nd Watch we work with clients across all areas of GRC. Clients take various levels of focus in each area, and some areas are more important based on the vertical the client is operating in.

The cloud extends beyond the physical bounds of an organization, and with that institutes new challenges and requires a shared cloud responsibility model. The CSP is responsible for the underlying infrastructure setup and physical maintenance of their cloud infrastructure. We work with our cloud ISV and providers’ tools, technologies and best practices to help maintain strong governance and lower risk while meeting compliance.

The landscape of software, tools and solutions to support governance, risk and compliance is daunting in the cloud marketplace. 2nd Watch focuses on providing holistic support to our clients around GRC. We believe there are fantastic capabilities directly inside the cloud management portals to help customers along the journey to strong GRC framework and institution.

Microsoft Azure Compliance Manager

In Microsoft Azure we can utilize Compliance Manager. Compliance Manager is a workflow-based assessment tool that enables organizations to track, assign and verify regulatory compliance procedures and activities in support of Microsoft Cloud technologies – including Office 365 and Dynamics. It supports ISO 27001, ISO 27018 and NIST and supports regulatory compliance around HIPAA and GDPR. It is a foundational tool to utilize within Microsoft Azure to help you along the path to achieving strong governance, risk and compliance around Microsoft Cloud technologies.

With Amazon Web Services we have a complete set of core cloud operations management tools to utilize within the AWS console to help us bolster governance and security and reduce risk. Amazon provides resources with a full prescriptive set of compliance quick reference guides, which provide an overview of how to maintain a cloud compliant environment through strong security and controls validation, and insight and monitoring for activity and security assurance.

Amazon has a complete Cloud Compliance Center where clients can tap into an abundant set of resources to help along the way.

Beyond the tools, both Microsoft Azure and AWS provide strategic support with partners around compliance. There are many accelerators and programs that organizations can request from Amazon and Microsoft to help them achieve and maintain GRC specifically tuned to the cloud.

GRC is unique to each organization. Cloud providers bring a substantial set of resources and technologies, along with great prescriptive guidance and best practices to help and guide you in achieving a strategic GRC framework and set of processes and procedures in your organization.

Take advantage of these built-in capabilities as you start to look at other tools and technologies to complete your holistic approach to governance, risk and compliance, and please reach out to 2nd Watch to find out how we can support you along the way.

-Peter Meister, Sr Director of Product Management


AWS re:Invent 2017 Session: Continuous Compliance on AWS at Scale (VIDEO)

In cloud migrations, the elastic nature of the cloud is often touted as a critical capability in delivering on a business’ key initiatives. However, if not accounted for in your Security and Compliance plans, you could be facing some real challenges. Always counting on a virtual host to be running, for example, will cause issues when that host is rebooted or retired. This is why managing Security and Compliance in the cloud is a continuous action requiring both forethought and automation.

At AWS re:Invent 2017, 2nd Watch hosted a breakout session titled “Continuous Compliance on AWS at Scale” where attendees learned how a leading, next generation, Managed Cloud Provider uses automation and cloud expertise to successfully manage Security and Compliance at scale in an ever-changing environment. This journey starts with account creation, goes through deployment of infrastructure and code and never ends.

Through code examples and live demos, presenters Peter Meister and Lars Cromley demonstrated the tools and automation you can use to provide continuous compliance of your cloud infrastructure from inception to ongoing management. In case you missed the session or simply wish to get a refresher on the content that was presented, you can now view the breakout session recording below.

— Katie Laas, Marketing Manager, 2nd Watch


AWS re:Invent 2017 Recap and Initial Impressions

While AWS re:Invent 2017 is still fresh in our minds, here are some of the highlights of the most significant announcements.

Aurora Multi-Master/Multi-Region: This is a big deal! The concept of geographically distributed databases with multiple masters has been a long-desired solution. Why is this important?
Having additional masters allows for database writes, not just reads like the traditional read replicas that have been available. This feature enables a true multi-region, highly available solution that eliminates a single point of failure and achieves optimum performance. Previously, third party tools like Golden Gate and various log shipping approaches were required to accomplish proper disaster recovery and high availability. This will greatly simplify architectures for some that want to go active-active across regions and not just availability zones. Additionally, it will enable pilot light (and more advanced) DR scenarios for customers that are not going to be using active-active configurations.

Aurora Serverless: Aurora Serverless is an on-demand, auto-scaling configuration for the Aurora MySQL and PostgreSQL compatible database service, where the database will automatically start up and scale up or down based on your application’s capacity needs. It will shut down when required, basically scaling down to zero when not being used. Traditionally, Aurora RDS required changing the underlying instance type to scale for database demand. This is a large benefit and cost saver for development, testing, and QA environments. Even more importantly, if your workload has large spikes in demand, then auto-scaling is a game changer in the same way that EC2 auto scaling enabled automated compute flexibility.

T2 Unlimited: T2 is one of the most popular instance types used by 2nd Watch and AWS customers, accounting for around 50% of all instances under 2nd Watch Managed Cloud Services. In the case of frequent, small and inconsistent workloads, T2 is the best price and performance option. However, one of the most common reasons that customers do not heavily leverage T2 is concern that a sustained spike in load will deplete burstable credits and result in unrecoverable performance degradation. T2 Unlimited solves this problem by essentially allowing unlimited surges over the former limits. We expect to see more customers adopt T2 for those inconsistent workloads as a cost-effective solution. We will watch to see if this shift is reflected in the instance type data for accounts being managed by 2nd Watch.

Spot Capacity: Spot instances are normally used as pools of compute that run standard AMIs and work on datasets located outside of EC2. This is because the instances are terminated when the spot price increases beyond your bid, and all data is lost. Now, when AWS reclaims the capacity, the instance can essentially hibernate, preserving the operating system and data, and startup again when the spot pricing is favorable. This removes another impediment in the use of spot capacity, and will be a large cost saver for environments that only need to be temporarily available.

M5 Instance Type: Given the large increase in performance of the newer processor generations, one can see large cost savings and performance improvements by migrating to a smaller sized offering of the latest instance type that meets your application’s needs. Newer instance types can also offer higher network bandwidth as well, so don’t put off the adoption of the latest products if possible.

Inter-region Peering: It’s always been possible to establish peering relationships between VPCs in the same region. Inter-region Peering uses AWS private links between VPCs in different availability zones and does not transit the open internet, eliminating VPNs, etc. This same feature is available inter-region. This makes multi-region designs cleaner and easier to implement, without having to build and configure VPN networking infrastructure to support it, which of course also needs monitoring, patching, and other maintenance. It was also announced that users of Direct Connect can now route traffic to almost every AWS region from a single Direct Connect circuit.

There were also some announcements that we found interesting but need to digest a little longer. Look for a follow up from us on these.

EKS: Elastic Container Services for Kubernetes – Amazon Elastic Container Service for Kubernetes (Amazon EKS) is a managed service that makes it easy for you to run Kubernetes on AWS without needing to install, operate, and maintain your own Kubernetes clusters. Even at last year’s AWS re:Invent we heard people wondering where the support for Kubernetes was, particularly since it has become the de facto industry standard over the past several years.

GuardDuty: AWS has now added a cloud-native tool to the security toolbox. This tool utilizes “machine learning” for anomaly detection. AWS GuardDuty monitors traffic flow and API logs for your accounts, letting you establish a baseline for “normal” behavior on your infrastructure, and then watches for security anomalies. These are reported with a severity rating, and remediation for certain types of events can be automated using existing AWS tools. We will be considering the best methods of implementation of this new tool.

Fargate: Run Amazon EKS and ECS without having to manage servers or clusters.

Finally, a shameless plug: If compliance is on your mind, watch this AWS re:Invent breakout session from our product and engineering experts.

AWS re:invent 2017: Continuous Compliance on AWS at Scale (SID313)

Speakers:
Peter Meister, Director of Product Management, 2nd Watch
Lars Cromley, Director of Engineering, 2nd Watch

In cloud migrations, the cloud’s elastic nature is often touted as a critical capability in delivering on key business initiatives. However, you must account for it in your security and compliance plans or face some real challenges. Always counting on a virtual host to be running, for example, causes issues when that host is rebooted or retired. Managing security and compliance in the cloud is continuous, requiring forethought and automation. Learn how a leading, next generation managed cloud provider uses automation and cloud expertise to manage security and compliance at scale in an ever-changing environment. Through code examples and live demos, we show tools and automation to provide continuous compliance of your cloud infrastructure.

Obviously, there was a lot more going on and it will take some time to go through it. We will keep you up to date with our thoughts.

–David Nettles, Solutions Architect, 2nd Watch
–Kevin Dillon, Director, Solutions Architecture, 2nd Watch


2nd Watch Enterprise Cloud Expertise On Display at AWS re:Invent 2017

AWS re:Invent is less than twenty days away and 2nd Watch is proud to be a 2017 Platinum Sponsor for the sixth consecutive year. As an Amazon Web Services (AWS) Partner Network Premier Consulting Partner, we look forward to attending and demonstrating the strength of our cloud design, migration, and managed services offerings for enterprise organizations at AWS re:Invent 2017 in Las Vegas, Nevada.

About AWS re:Invent

Designed for AWS customers, enthusiasts and even cloud computing newcomers, the nearly week-long conference is a great source of information and education for attendees of all skill levels. AWS re:Invent is THE place to connect, engage, and discuss current AWS products and services via breakout sessions ranging from introductory and advanced to expert as well as to hear the latest news and announcements from key AWS executives, partners, and customers. This year’s agenda offers a full additional day of content for even more learning opportunities, more than 1,000 breakout sessions, an expanded campus, hackathons, boot camps, hands-on labs, workshops, expanded Expo hours, and the always popular Amazonian events featuring broomball, Tatonka Challenge, fitness activities, and the attendee welcome party known as re:Play.

2nd Watch at re:Invent 2017

2nd Watch has been a Premier Consulting Partner in the AWS Partner Network (APN) since 2012 and was recently named a leader in Gartner’s Magic Quadrant for Public Cloud Infrastructure Managed Service Providers, Worldwide (March 2017). We hold AWS Competencies in Financial Services, Migration, DevOps, Marketing and Commerce, Life Sciences, and Microsoft Workloads, and have recently completed the AWS Managed Service Provider (MSP) Partner Program Audit for the third year in a row. Over the past decade, 2nd Watch has migrated and managed AWS deployments for companies such as Crate & Barrel, Condé Nast, Lenovo, Motorola, and Yamaha.

The 2nd Watch breakout session—Continuous Compliance on AWS at Scale—will be led by cloud security experts Peter Meister and Lars Cromley. The session will focus on the need for continuous security and compliance in cloud migrations, and attendees will learn how a managed cloud provider can use automation and cloud expertise to successfully control these issues at scale in a constantly changing cloud environment. Registered re:Invent Full Conference Pass holders can add the session to their agendas here.

In addition to our breakout session, 2nd Watch will be showcasing our customers’ successes in the Expo Hall located in the Sands Convention Center (between The Venetian and The Palazzo hotels).  We invite you to stop by booth #1104 where you can explore 2nd Watch’s Managed Cloud Solutions, pick up a coveted 2nd Watch t-shirt and find out how you can win one of our daily contest giveaways—a totally custom 2nd Watch skateboard!

Want to make sure you get time with one of 2nd Watch’s Cloud Journey Masters while at re:Invent? Plan ahead and schedule a meeting with one of 2nd Watch’s AWS Professional Certified Architects, DevOps, or Engineers. Last but not least, 2nd Watch will be hosting its annual re:Invent after party on Wednesday, November 29. If you haven’t RSVP’d for THE AWS re:Invent Partner Party, click here to request your invitation. (Event has passed.)

AWS re:Invent is sure to be a week full of great technical learning, networking, and social opportunities.  We know you will have a packed schedule but look forward to seeing you there!  Be on the lookout for my list of “What to Avoid at re:Invent 2017” in the coming days…it’s sure to help you plan for your trip and get the most out of your AWS re:Invent experience.

 

–Katie Laas-Ellis, Marketing Manager, 2nd Watch

 

Gartner Disclaimer

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

About 2nd Watch

2nd Watch is an AWS Premier tier Partner in the AWS Partner Network (APN) providing managed cloud to enterprises. The company’s subject matter experts, software-enabled services and cutting-edge solutions provide companies with tested, proven, and trusted solutions, allowing them to fully leverage the power of the cloud. 2nd Watch solutions are high performing, robust, increase operational excellence, decrease time to market, accelerate growth and lower risk. Its patent-pending, proprietary tools automate everyday workload management processes for big data analytics, digital marketing, line-of-business and cloud native workloads. 2nd Watch is a new breed of business which helps enterprises design, deploy and manage cloud solutions and monitors business critical workloads 24×7. 2nd Watch has more than 400 enterprise workloads under its management and more than 200,000 instances in its managed public cloud. The venture-backed company is headquartered in Seattle, Washington. To learn more about 2nd Watch, visit www.2ndwatch.com or call 888-317-7920.


SCOR Velogica Moves to AWS for Better Security, SOC2

While some large enterprises avoid moving to the cloud because of rigid security and compliance requirements, SCOR opted for the cloud for a key block of its business precisely because of the cloud’s rigid security and compliance offerings.

SCOR is a leader in the life reinsurance market in the Americas, offering broad capabilities in risk management, capital management and value-added services and solutions. A number of primary insurers use SCOR’s automated life underwriting system, Velogica, to market life insurance policies that can be delivered at the point of sale. Other companies use Velogica as a triage tool for their fully underwritten business.

“Through the Velogica system, we get thousands of life insurance applications a day from multiple clients,” explains Dave Dorans, Senior Vice President.  “Velogica is a significant part of our value proposition and is important to the future of our business.”

Data security has always been a priority for SCOR, but the issue became even more critical as data breaches at some of the largest and most respected companies made headline news. SCOR decided to invest in a state-of-the-art data security framework for Velogica. “We wanted clients to have full confidence in the way Velogica stores and handles the sensitive personal data of individuals,” Dorans said.

SCOR’s goal was to have Velogica accredited as a Service Organization Control (SOC) 2 organization – a competitive advantage in the marketplace – by aligning with one of the more respected information security standards in the industry. Determining what it would take to achieve that goal became the responsibility of Clarke Rodgers, Chief Information Security Officer with SCOR Velogica. “We quickly determined that SOC2 accreditation for SCOR’s traditional, on premise data center environment would be a monumental task, could cost millions of dollars and perhaps take years to complete. Moreover, while SOC2 made sense for Velogica, it wasn’t necessary for other SCOR businesses.”

Once it was determined that SOC2 was business critical for the company, Rodgers analyzed the different ways of obtaining the security and compliance measure and determined that moving to the cloud was the most efficient path. SCOR Velogica turned to 2nd Watch to help it achieve SOC2 accreditation with AWS, figuring it would be easier than making the journey on its own.

On working with 2nd Watch, Rodgers commented, “They came in and quickly understood our technical infrastructure and how to replicate it in AWS, which is a huge feat.” SCOR realized significant benefits from the migration, including:

Adherence to specific security needs: Beyond the SOC2 accreditation itself, 2nd Watch implemented several security elements in the new AWS environment, including encryption at rest in Amazon Elastic Block Store (EBS) volumes leveraging the AWS Key Management Service (KMS), Amazon Virtual Private Cloud (VPC) to establish a private network within AWS, security groups tuned for least privilege access, Security-Enhanced Linux, and AWS Identity and Access Management (IAM) Multi-Factor Authentication (MFA).

AWS optimization: 2nd Watch has helped SCOR identify opportunities for optimization and efficiencies on AWS, which will help down the road if the company wishes to expand the AWS-hosted application to regions outside of North America. “With our SOC2 Type 1 behind us, we are now focused on optimizing our resources in the AWS Cloud so we can fully exploit AWS’s capabilities to our security and business benefit,” Rodgers explains. “We will rely on 2nd Watch for guidance and assistance during this optimization phase.”

Cost savings on AWS: Rodgers hasn’t done a full analysis yet of cost savings from running the infrastructure on AWS, but he’s confident the migration will eventually cut up to 30% off the price of hosting and supporting Velogica internally.

Hear from SCOR how it achieved better security with AWS on our live webinar April 7.