
MetricStream Cloud

MetricStream Cloud. August 2014. Cloud Computing Definition.


Presentation Transcript


  1. MetricStream Cloud August 2014

  2. Cloud Computing Definition
  • Cloud computing is the delivery of computing as a service rather than a product, whereby shared resources, software, and information are provided to computers and other devices as a utility (like the electricity grid) over a network (typically the Internet)*
  *Wikipedia

  3. Service Models - SaaS, PaaS, IaaS.

  4. Cloud Deployment Models
  • Private cloud: The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise. Often used within enterprises for data security reasons. (Single-tenant architecture)
  • Public cloud: Mega-scale cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services. Useful for deployments where security concerns related to data are not paramount. (Multi-tenant architecture)
  • Hybrid cloud: The cloud infrastructure is a composition of two or more clouds (private or public). Often used in development environments, where the public cloud is used for application development and testing, whereas the private cloud is reserved for production-grade deployments.

  5. MetricStream Cloud Highlights Dedicated Infrastructure With Sophisticated Controls & Capabilities

  6. Standard Managed Services across Cloud Options
  • Monitoring – Servers, Logs, Application, Database, Network, etc.
  • Security – Anti-virus, Anti-malware, HIDS, Patching, Security Assessments (VA, PT), etc.
  • Backup – Offsite and Onsite
  • Dedicated Systems – Web, App and Database Tier
  • Dedicated Managed Services Team
  • Dedicated Application Support Team

  7. GRC Express Salient Features
  • Virtual infrastructure hosted in MetricStream’s partner datacenters - Virtual WebApp and Database servers
  • Daily Backups to Production Data Center and Remote Data Center

  8. Standard Cloud Salient Features
  • Dedicated Primary servers hosted in partner datacenters - Dedicated WebApp and Database servers
  • Pre Production server for Testing
  • Daily Backups to Production Data Center and Remote Data Center

  9. Premium Cloud Salient Features
  • Dedicated Primary & DR servers – Dedicated Offsite Backup
  • Pre Production server for Testing
  • Optional Encryption-at-rest

  10. Enterprise Cloud Salient Features
  • Dedicated Primary and DR servers
  • Encryption-at-rest enabled
  • Intrusion Detection and Pre Production server for Testing
  • Optional High Availability

  11. Key Differentiators in Features
  Highlights:
  • All cloud offerings are supported by a software firewall, endpoint protection, host-based intrusion detection, and OS patches
  • MetricStream Application License is included in the pricing only for GRC Express
  • Pricing for all cloud offerings includes third-party licensing costs
  • Given dedicated systems and encrypted backups, not all use cases require the encryption-at-rest capability

  12. Multi-layered Security For Superior Data Protection

  13. Multi-layered Security For Superior Data Protection

  14. Key Factors Enabling MetricStream Cloud SLAs
  • SSAE 16 Tier IV Datacenters
  • 24x7 NOC remote monitoring tools and dashboards
  • Best-in-class IDS & IPS for both Network layer & Application layer
  • High Redundancy and Availability
  • Dedicated Disaster Recovery (DR) capabilities
  • Dedicated teams for Infra and Applications Support
  • Express Deployment and Change Control – Standard images for MetricStream Platform and Applications, SOPs

  15. MetricStream Compliance
  • SSAE 16 SOC 2 Type II Compliant: Focuses on MetricStream’s non-financial reporting controls, which relate to security, availability, processing integrity, confidentiality, and privacy.
  • HIPAA Compliant: Focuses on
  - HIPAA Privacy Rule - protects the privacy of individually identifiable health information
  - HIPAA Security Rule - security of electronic protected health information
  - HIPAA Breach Notification Rule - provides notification following a breach of unsecured protected health information
  • PCI Self-Certified: Ensures safe handling of customer data that is treated as sensitive information.
  • US/EU/Swiss Safe Harbor Certified: Ensures adherence to privacy policies that comply with the US-EU-Swiss Safe Harbor Framework.

  16. Cloud Customers Breakdown (chart; only the values 13 Customers, 26 Customers and 54 Customers are recoverable, the category labels are not)

  17. Making GRC Adoption Easy GRC Journey User Experience Upgrades Provisioning &Deployment Integrations Cloud-Ready

  18. MetricStream R&D Evolution and Strategy GRC Platform Enterprise-Ready Apps Cloud-Ready Apps

  19. GRC Cloud
  • GRC Cloud – Exec Owner: Vidya Phalke
  • Build Amazing GRC Apps in the Cloud – Exec Owner: Anindo Banerjea
  • Content Intelligence Feeds in the Cloud – Exec Owner: Vasant Balasubramanian
  • MetricStream Apps in the Cloud – Exec Owner: Vidya Phalke
  • GRC Expert Network – Exec Owner: Mark Mitchell

  20. Selected Case Studies for Cloud Deployments
  • Swiss Multinational Pharmaceutical Company
  - More than 500 users
  - Managing Corporate Agreements
  - Seamlessly consolidate multiple CIA management processes, including policy management, sales force risk monitoring, IRO audits, issue remediation, certifications and attestations, reporting and training
  - Enable the company to proactively monitor and detect sales force risks through Key Risk Indicators (KRIs) with automatic notifications whenever thresholds are breached
  • One of the Largest Consumer Products Brands
  - More than 200,000 users across 80 countries
  - Survey Management solution for initiating and tracking Corporate Compliance
  - Global convergence of multiple GRC initiatives on a single, centralized platform
  - Audits, assessments of financial and regulatory controls and requirements, attestations, policy management, incident management, and risk management
  • World’s Leading Health Insurance Provider
  - More than 10,000 users
  - Survey Management solution for Corporate Compliance: tracking of fraud and abuse claims by special investigation units (SIUs) and departments from initiation to closure
  - Regulatory Alert Tracking supporting task assignment, status tracking and reporting
  - Market Conduct Examination tracking
  - Investigating and resolving any conflicts of interest that are identified

  21. Selected Case Studies for Cloud Deployments
  • One of the largest department store retail chains
  - Social Compliance solution comprising policy management, supplier audit and supplier corrective and preventive action
  - Enable a systematic and structured approach to managing social compliance for suppliers and vendors, and manage factory audits
  - Streamline the social compliance audit process, beginning with risk assessment and audit planning, and extending to audit execution, field data collection, reporting, and implementation of audit recommendations
  • A multinational food and beverage corporation
  - Compliance Management solution to manage controls efficiently, improve visibility to track and monitor results globally across sectors, regions and markets, and automate generation of consolidated reports
  - Create a framework to define and capture control test results
  - Reporting at corporate level to show the compliance trend across sectors/regions
  • Catalyst for the economic diversification of Abu Dhabi
  - More than 20,000 users
  - Manage COI compliance and risk; quickly identify sources and frequency of conflicts
  - End-to-end survey management solution to comply with Conflict of Interest (COI) requirement management
  - Create, enforce and track surveys throughout the organization
  - Update policies with changes in COI regulation
  - Identify gaps and remediate proactively

  22. Confidential Cloud Customers

  23. Cloud SOPs & Policies
  • CloudOps-Standard Operating Procedure.doc
  • Change Management Process
  • Patch Management Process
  • MS_Cloud_Checklist.xls
  • Cloud_ Server_Access_Request_Form.doc
  • Disaster Recovery Plan (Cloud Application).doc
  • CRP Express Client Access
  • The documents are available in SVN: http://svn/svn/QMS/trunk/Procedures/Cloud_Ops

  24. Cloud SOPs & Policies
  • Production & UAT Server request: The requester has to fill in ‘MS_Cloud_Checklist’ and send an email to CloudOps with the following details:
  - Go Live date for UAT & Production
  - Architecture checklist
  - SOW or link to SOW document
  - Sales to PS transition Doc
  • Production Server Access:
  - Fill in ‘Cloud_ Server_Access_Request_Form’ and email it to the Project Manager for approval with CloudOps in CC.
  • SSL Implementation:
  - SSL has to be implemented and verified before Go Live. The project owner/team needs to generate the CSR and send it to CloudOps in order to purchase the SSL certificate.

  25. Cloud SOPs & Policies
  • Backup:
  - Fill in ‘MS_Cloud_Backup_Checklist’ and send it to CloudOps to configure the backup before Go Live.
  • Application Security Hardening:
  - The default password for the SYSTEMI/pfadmin account (and for all application admin accounts) has to be changed to a stronger password that conforms to MetricStream company standards.

  26. Cloud Data Backup and Recovery
  All hosted applications are backed up for configuration and data on a periodic basis as per the SLA with the customer.
  GRCExpress:
  • The complete VM image is backed up M-F nightly to a location different from the source data location. This is a separate server/storage.
  • All backup files are in encrypted format.
  • The most recent 5 backup images are kept on site in Network Attached Storage (NAS).
  • The most recent 10 days of backups are kept off site.

  27. Cloud Data Backup & Recovery
  Standard, Premium & Enterprise:
  • All application-related data/configuration is backed up M-F nightly to a location different from the source data location. This is a separate server/storage.
  • Application server backup is the disk file image.
  • Database server backup is via a full database export.
  • All backup files are in encrypted format.
  • The most recent 2 weeks of backups are kept on site in Network Attached Storage (NAS).
  • The most recent 10 days of backups are kept off site.
  • Encrypted backup process: when backups are created they are encrypted using GPG; the encryption algorithm is RSA with a key length of 2048 bits.
  • The encryption key, passphrase and backups are stored in different locations.
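The "GPG, RSA 2048" rule on this slide can be checked on the backup files themselves, because an OpenPGP public-key encrypted file starts with a Public-Key Encrypted Session Key packet (RFC 4880 section 5.1) that names the recipient key ID and algorithm. The following is an added example, not MetricStream's code: it parses that first packet and reports whether a backup blob is plaintext, passphrase-encrypted, or encrypted to an RSA key of the required size. The sample blobs are constructed and the key ID is a placeholder.

```python
PK_ALGOS = {1: "RSA", 2: "RSA-encrypt-only", 16: "ElGamal", 18: "ECDH"}
TAG_PKESK, TAG_SKESK = 1, 3   # public-key vs. passphrase (symmetric) session-key packet

def parse_packet_header(data):
    """Return (tag, body_offset) of the first OpenPGP packet, or None if not OpenPGP."""
    if len(data) < 2 or not data[0] & 0x80:    # bit 7 must be set in any packet header
        return None
    first = data[0]
    if first & 0x40:                            # new-format header (RFC 4880 4.2.2)
        tag, b0 = first & 0x3F, data[1]
        return tag, 2 if b0 < 192 else 3 if b0 < 224 else 6
    tag = (first >> 2) & 0x0F                   # old-format header (RFC 4880 4.2.1)
    return tag, 1 + (1, 2, 4, 0)[first & 0x03]  # length field is 1, 2, 4 or 0 octets

def inspect_backup(data):
    """Classify a backup blob by its first packet: plaintext, symmetric or public-key."""
    hdr = parse_packet_header(data)
    if hdr is None:
        return {"encrypted": False, "mode": "plaintext"}
    tag, off = hdr
    if tag == TAG_SKESK:
        return {"encrypted": True, "mode": "symmetric"}
    if tag != TAG_PKESK:
        return {"encrypted": False, "mode": "unexpected-packet-%d" % tag}
    # PKESK body: version(1) | key ID(8) | pk algorithm(1) | MPI(2-byte bit count + value)
    algo = data[off + 9]
    mpi_bits = int.from_bytes(data[off + 10:off + 12], "big")
    # The MPI holds c = m^e mod n, so its bit length is a lower bound on the modulus size;
    # rounding up to a multiple of 64 recovers the nominal key size (2048, 3072, 4096).
    key_bits = -(-mpi_bits // 64) * 64
    return {"encrypted": True, "mode": "public-key", "key_id": data[off + 1:off + 9].hex().upper(),
            "algorithm": PK_ALGOS.get(algo, "other-%d" % algo), "key_bits": key_bits}

def meets_policy(data, min_bits=2048):
    """Policy from the slide: GPG public-key encryption to an RSA key of >= 2048 bits."""
    info = inspect_backup(data)
    return info["mode"] == "public-key" and info["algorithm"] == "RSA" and info["key_bits"] >= min_bits

# Constructed sample blobs (not real backups); the key ID is a placeholder value.
SAMPLE_RSA2048 = (b"\x85\x01\x0c"                 # old-format header: tag 1, 2-octet length 268
                  + b"\x03" + bytes.fromhex("0123456789ABCDEF") + b"\x01"   # v3, key ID, RSA
                  + b"\x08\x00" + b"\xa5" * 256)  # 2048-bit MPI (dummy encrypted session key)
SAMPLE_SYMMETRIC = b"\x8c\x0d\x04\x09\x03\x08" + b"\x00" * 8 + b"\x60"  # tag 3: passphrase-based
SAMPLE_PLAINTEXT = b"-- MySQL dump 10.13  Distrib 5.6\nCREATE TABLE users (...);\n"

if __name__ == "__main__":
    for name, blob in [("rsa2048", SAMPLE_RSA2048), ("symmetric", SAMPLE_SYMMETRIC), ("plain", SAMPLE_PLAINTEXT)]:
        print(name, inspect_backup(blob), "policy OK" if meets_policy(blob) else "POLICY VIOLATION")
```

Running this over every file in the NAS and offsite locations turns the "all backup files are encrypted" statement into a nightly check; a file that reads as plaintext or as passphrase-only encryption is the finding to raise.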

  28. Cloud Data Backup & Recovery
  The standard recovery process is:
  • All Production Data Recovery needs to be approved by the CTO.
  • A complete ECP and Database reinstallation on a new server is done.
  • This follows the same process as the Cloud installation as per MS-Cloud-Checklist.

  29. Cloud Disaster Recovery Process
  A dedicated DR site is configured for Premium and Enterprise customers.
  • Disaster is defined as a situation where a site, including all the computer systems hosted there, is lost. All the existing systems of that site have to be replaced by alternate systems.
  • The DR machine will have the same Operating System and 75% of similar hardware (CPU, Memory, Disk space, Network) as the original production server machine.

  30. MetricStream Partner Datacenters
  • vXchnge Internet Solutions
  • Cybercon
  • Navisite
  • QTS (Coming Soon)
  • Etisalat (Coming Soon)

  31. Corporate and Cloud Network- Schematic Diagram

  32. Corporate and Cloud Network

  33. Scope of improvements in Cloud Architecture
  • Enhancing the security features
  • Auto provisioning
  • Improvement in RTO, RPO
  • Better Backup and Recovery strategy
  • Dashboard for end-to-end service
  • Ticketing system to handle the requests

  34. Cloud Operations
  • Infrastructure (Network, Servers, Operating Systems, etc.)
  - Server procurement, server setup, database, patch management and other software installation
  • Security (Firewalls, Antivirus, IDS, etc.)
  - Configure and monitor the alerts
  • Monitoring (Alertbot, OpManager, Central Logging, etc.)
  - Configure, monitor and report
  • Data Backup
  - Onsite and offsite backup
  • Disaster Recovery
  - DR replication and DR drill
  • Data Encryption
  - Backup data encryption
  • Access Controls
  - Server access

  35. Cloud & Corporate Engineering Teams

  36. Thank You Questions, Comments, Discussion
