Thursday, November 26, 2015

GRC Solutions on Cloud - What Security & GRC Professionals need to know

There are many Governance, Risk & Compliance (GRC) solutions available in the market to cater to customer requirements, and some of the major GRC solution providers have moved their solutions to the cloud for the usual advantages: lower total cost of ownership (TCO), high scalability, easy global deployment, and no hardware for the customer to maintain in a hybrid or public cloud. GRC requirements are rapidly evolving, and the single greatest influence on the shifting GRC landscape is the move of business from localized data centers to virtualized and cloud-based IT environments. Virtualization offers a powerful new way to manage and use digital information, but it also creates new complexities for organizations in managing risk, threats and compliance. Over the last decade or so, several GRC vendors have built significant platforms that make GRC solutions available on the cloud. GRC solutions are offered on the various cloud service models (SaaS, PaaS and IaaS) and deployment models (hybrid, private or public cloud).
Here we discuss some of the GRC solutions available on the cloud, whether as on-premise (private cloud), hybrid cloud or public cloud offerings. Security & GRC professionals can use this to update their skills in the overlapping areas of GRC and cloud.
Some of the major GRC players in the market offering GRC solutions on the cloud are:
1. Metricstream GRC Cloud
MetricStream GRC offers private cloud deployments with different packaged licensing options:
  • GRC Express: Provides virtual private infrastructure hosted in MetricStream’s partner datacenters, with backup and recovery on the Amazon Web Services (AWS) cloud. Pricing includes the MetricStream application license; preferred by customers making their first cloud deployment.
  • Standard OnDemand: Provides dedicated primary servers hosted in MetricStream’s partner datacenters, with backup and recovery on the AWS cloud.
  • Premium OnDemand: Provides dedicated primary, backup and recovery servers hosted in MetricStream’s partner datacenters.
  • Enterprise OnDemand: Provides dedicated primary, backup and recovery servers hosted in MetricStream’s partner datacenters, with optional Intrusion Detection System, High Availability Architecture and Database Clustering.
  • All these offerings are housed in data centers that maintain the physical, network and data security of customers’ information assets.
2. RSA Archer GRC Cloud
The RSA Archer GRC Platform supports business-level management of governance, risk management and compliance (GRC). The platform allows you to adapt solutions to your requirements, build new applications and integrate with external systems without touching a single line of code, using the application builder and business workflow features.
To let users of both RSA Archer and CloudPassage Halo collect data about cloud assets, especially in large and complex environments, CloudPassage has released an open-source security data connector. The Halo Connector for Archer retrieves scan data from a CloudPassage Halo account and streams it to RSA Archer GRC. It can also enrich the scan data with associated event data before sending it to Archer.
Security professionals can use this information to gain better visibility into an organization’s risks, such as determining which servers are running vulnerable software.
The Halo connector is a Ruby script designed to run on a recurring schedule. Each run retrieves new scan data from the CloudPassage Halo account and sends it to Archer GRC, so Archer stays up to date as new Halo scans complete.
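To make the connector pattern concrete (scheduled run, pull only scans newer than the last checkpoint, enrich each scan with events seen on the same server, flatten into records for the GRC platform), here is an added Ruby example. It is not the CloudPassage connector and not RSA's code; the scan and event payloads are constructed inline, and every field name (`completed_at`, `server_id`, the Archer column names, and so on) is an assumption standing in for whatever the real APIs return.

```ruby
require 'json'
require 'time'

# Constructed sample payloads standing in for a Halo-style scan API and event API.
# Field names are assumptions for this example, not CloudPassage's schema.
SAMPLE_SCANS = JSON.parse(<<~'JSON')
  [
    {"scan_id": "s-1", "server_id": "srv-001", "hostname": "web-01",
     "completed_at": "2015-11-20T10:00:00Z", "status": "failed",
     "findings": [{"id": "F-1001", "package": "openssl", "severity": "critical"}]},
    {"scan_id": "s-2", "server_id": "srv-002", "hostname": "db-01",
     "completed_at": "2015-11-21T09:30:00Z", "status": "failed",
     "findings": [{"id": "F-1002", "package": "bash", "severity": "high"},
                  {"id": "F-1003", "package": "kernel", "severity": "medium"}]},
    {"scan_id": "s-3", "server_id": "srv-003", "hostname": "app-01",
     "completed_at": "2015-11-19T08:00:00Z", "status": "passed", "findings": []}
  ]
JSON

SAMPLE_EVENTS = JSON.parse(<<~'JSON')
  [
    {"server_id": "srv-001", "type": "login_failure", "created_at": "2015-11-20T11:15:00Z"},
    {"server_id": "srv-001", "type": "file_integrity_change", "created_at": "2015-11-20T12:00:00Z"},
    {"server_id": "srv-002", "type": "login_failure", "created_at": "2015-11-21T10:00:00Z"}
  ]
JSON

# Incremental selection: only scans completed after the checkpoint are pushed,
# so a recurring run does not resend what the GRC platform already holds.
def new_scans(scans, since)
  scans.select { |s| since.nil? || Time.iso8601(s["completed_at"]) > since }
end

# Enrichment: attach the events observed on the same server at or after the scan,
# giving the risk analyst context beyond the bare finding.
def enrich(scans, events)
  by_server = events.group_by { |e| e["server_id"] }
  scans.map do |scan|
    related = (by_server[scan["server_id"]] || []).select do |e|
      Time.iso8601(e["created_at"]) >= Time.iso8601(scan["completed_at"])
    end
    scan.merge("event_count" => related.size,
               "event_types" => related.map { |e| e["type"] }.uniq.sort)
  end
end

# Flatten to one record per finding. The column names are assumed Archer
# application fields for this example, not a real Archer schema.
def to_archer_records(scans)
  scans.flat_map do |scan|
    scan["findings"].map do |f|
      { "Hostname" => scan["hostname"], "Finding ID" => f["id"],
        "Package" => f["package"], "Severity" => f["severity"],
        "Scan Time" => scan["completed_at"],
        "Related Events" => scan["event_count"],
        "Event Types" => scan["event_types"].join(";") }
    end
  end
end

# One connector cycle: returns the records to send and the new checkpoint.
# The checkpoint is what a scheduled job would persist between runs.
def run_cycle(scans, events, since)
  fresh = new_scans(scans, since)
  records = to_archer_records(enrich(fresh, events))
  checkpoint = fresh.map { |s| Time.iso8601(s["completed_at"]) }.max || since
  [records, checkpoint]
end

if __FILE__ == $PROGRAM_NAME
  records, checkpoint = run_cycle(SAMPLE_SCANS, SAMPLE_EVENTS, nil)
  puts JSON.pretty_generate(records)
  second, = run_cycle(SAMPLE_SCANS, SAMPLE_EVENTS, checkpoint)
  puts "second run sends #{second.size} records"
end
```

The first cycle emits three finding records (one for web-01, two for db-01; the passed scan contributes none), and a second cycle with the same data and the saved checkpoint emits nothing, which is the property a recurring connector needs so the GRC system is not flooded with duplicates.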
3. IBM OpenPages Cloud
OpenPages Cloud is a preconfigured SaaS risk management solution hosted by IBM and delivered online. Designed for businesses that want the capabilities of an advanced risk and compliance management solution without the IT, personnel and infrastructure costs of an in-house deployment, this cloud-based service offers rapid implementation, security and ease of use.
OpenPages Operational Risk Management (ORM) on Cloud, the first module of the OpenPages GRC on Cloud solution, enables the identification, analysis and management of operational risk across the enterprise. Preconfigured with a set of “Jump Start” services to accelerate its business benefits, OpenPages ORM on Cloud helps improve visibility into your risk exposure, mitigate potential losses and improve business decision-making for growth.
4. ACL GRC on Cloud and as a Mobile App (iPhone App Store and Android Google Play store)
ACL GRC capabilities include:
  • Risk management: Perform enterprise-wide risk assessment to drive mitigation efforts across all risk and control groups.
  • Project management: Efficiently plan and organize engagements for all audit, risk and compliance management programs, through to execution and reporting—including global tracking and reporting of issues.
  • Results management: Share and manage data analysis results from ACL™ Analytics, drive remediation activities and track outcomes, enabling informed, data-driven risk assessment, prioritization and decision making.
  • ACL’s SaaS cloud model minimizes the IT burden while providing a high level of security and centralized 24/7 cloud access from anywhere.
  • ACL GRC enables remote and mobile users to stay productive through its smartphone and tablet interfaces. ACL GRC also supports data-driven decision making through integration with ACL Analytics, a cost-effective data analysis tool that links transaction-level information to corporate-level risks. The new offering integrates with the server-based ACL Analytics Exchange to enable continuous risk monitoring.
5. QualysGuard Cloud Platform & Integrated Suite of Solutions for IT GRC
Built on top of Qualys’ Infrastructure and Core Services, the Qualys Cloud Suite incorporates the integrated suite of applications, all of which are delivered via the cloud; there is no new software to deploy or infrastructure to maintain. Each application leverages the same scan data.
  • Continuous Monitoring (CM)
  • Vulnerability Management (VM)
  • Policy Compliance (PC)
  • Questionnaire Service (QS)
  • PCI Compliance (PCI)
  • Web Application Scanning (WAS)
  • Web App Firewall (WAF)
  • Malware Detection (MD)
  • Qualys Secure Seal (SEAL)

Qualys Virtual Scanner Appliances

Qualys’ software-based virtual scanner appliances are qualified to run on the most common virtualization and cloud platforms, including VMware and Amazon EC2. These virtualized scanners supplement the hardware-based Qualys Scanner Appliances. As with the hardware-based scanners, customers manage the virtual scanners from their Qualys accounts via a secure web interface, where all gathered scan data is available for reporting and remediation. Installed in minutes and requiring no maintenance by the user, the scanners need no special configuration to obtain updates and new vulnerability signatures.
6. Modulo GRC
Modulo is a provider of enterprise governance, risk and compliance (GRC) solutions used by many organizations worldwide. Modulo Risk Manager version 7.1 is available for fast and cost-effective deployment in the cloud. This service lets customers use the scalability of the cloud to automate their GRC programs, manage risks and meet various standards, laws and regulations.
Modulo Risk Manager offers Mobile Device Collectors: automated collectors that gather the data required for analysis in the GRC process, both onsite and remotely, using devices such as the iPhone and other smartphones.
Modulo GRC Open Source Collectors: modSIC (Modulo Open Distributed SCAP Infrastructure Collector) is the industry’s first open source initiative for GRC management. It provides a common platform to create collectors and gather security data in order to automate policy compliance, audits and risk assessments using the Security Content Automation Protocol (SCAP) standard.
7. Oracle GRC
Oracle Enterprise GRC Manager, in combination with Oracle Fusion Governance, Risk, and Compliance Intelligence (GRC Intelligence), extends analysis with hundreds of pre-defined dashboards and key performance indicators (KPIs), giving companies the tools to fine-tune their GRC program. KPIs help uncover which locations have the most control issues or take the longest to complete testing, and which controls cost the most to test but mitigate the least risk.
GRC Intelligence also provides the ability to aggregate data from multiple sources, further increasing insight. The depth and breadth of the available analytics presents a nearly unlimited set of analysis possibilities.
8. SAP GRC
SAP GRC 10.1 is the newest release, is in general availability and is fully HANA-enabled. The entire core GRC solution suite (Access Control, Process Control, Risk Management, Global Trade Services) is available on HANA, as are a number of new HANA-native applications such as Fraud Management and Audit Management. GRC is one of the earliest adopters of the HANA platform, and customers can choose GRC on HANA for real-time reporting and alert management. With SAP's HANA Enterprise Cloud, SAP does all the hosting and application management, and SAP has introduced new commercial models for delivering these solutions, including subscription-based pricing.
Fraud Management and Audit Management are two of the first native HANA high-performance applications SAP has built. Fraud Management is designed for fraud investigation and detection teams within organizations to detect and prevent fraud. Combined with the predictive analytics suite, including the KXEN analytics suite, it gives fraud investigation and detection departments a way to detect fraud, identify patterns in data that may indicate a potential fraud spreading within an organization, and stop transactions in the actual transaction systems before they become frauds.
Audit Management gives auditors the tools to gain insight that can help them become advisers to the business and not just auditors. The big data analytics tools in Fraud Management are integrated directly into the Audit Management solution, so you can use big data analytics to identify insights and share them with the board, stakeholders and internal audit teams.
Certifications: GRC & Cloud
There are vendor-specific GRC certifications, for example from RSA Archer, MetricStream, SAP GRC Access Control, Oracle Enterprise GRC Manager and IBM OpenPages, covering each vendor's GRC suite of solutions. Security & GRC professionals need to get trained and certified on some of these latest GRC solution versions so they can better advise organizations when identifying the right GRC solution to implement or adopt.
There are also cloud certifications available online with which security & GRC professionals can update themselves:
Content Copy:https://www.linkedin.com/pulse/grc-solutions-cloud-what-security-professionals-need-malini-rao?trk=hp-feed-article-title-like
