Enabling Compliance and Governance at Scale in a Multi-Cloud Environment

Compliance, Security Automation

At Adobe, we have rapidly expanded the footprint of our cloud services and heavily adopted a micro services-based architecture across multiple public cloud environments. This has helped us serve our customers in a more agile fashion. With this expansion it is imperative that we live up to the trust that our customers put into our cloud services. The Adobe Common Controls Framework (CCF) is the foundation of how we help cloud products, services, platforms, and operations achieve and maintain compliance with various security certifications, standards, and regulations such as SOC2, ISO, PCI, FedRAMP and others. 

Expanding upon earlier blog posts from our team, including ‘Centralized Security Governance practices to help drive better compliance’ and ‘Scaling Security Controls Across the Enterprise’, I am going to walk through practical examples of how Adobe uses these control roles to drive our security compliance and governance program using CCF. In those blogs we introduced the concept of “drivers,” “subscribers,” and “contributors” in relation to security and compliance controls. To recap, a “Driver” is responsible for developing a security service which will address a CCF control requirement. This can then be consumed by Adobe’s business unit “Subscribers” to help meet compliance requirements through integration with the central process. A “Contributor” leverages the robust service provided by the driver and works with the “Driver” and “Subscribers” to implement processes to meet control requirements. I will expand further on how we have used the driver, subscriber, and contributor model with a few practical examples below.

“Driver” Role

At Adobe, we have built several central processes like Quarterly Compliance Reviews (QCR), compliance risk assessments, and a business continuity and disaster recovery program (BCDR) to centralize and effectively drive governance, risk, and compliance activities through CCF. We have also implemented centralized tools such as MAVLink and Hubble to help ensure that our cloud services are in a secure state and security controls are uniformly implemented across the technology stack. 

These central processes and tools act as “drivers” as these are robust central services that all teams across the company can subscribe to in their security compliance journey to satisfy CCF control requirements.  

“Subscriber” Role

Adobe has multiple Business Units and there are many teams that own engineering and operations across our product portfolio. These teams act as subscribers as they subscribe to and leverage robust services provided by the central driver services to meet the requirements of relevant CCF control domains.

“Contributor” Role

We have built a robust security compliance engagement model for technology compliance product owners from Adobe’s Technology Governance Risk and Compliance (Tech GRC) team to partner with the product teams across multiple business units in their security compliance journey. These roles act as contributors as they drive the security and compliance agenda by working with the product teams to meet security and compliance requirements and implement processes to satisfy control requirements. They ensure the delivery of secure and compliant products and services to our customers.

“Drivers” in Action

1) Quarterly Compliance Review (QCR) is a driver service to continuously monitor compliance with CCF across all of Adobe. Examples of some activities that are part of a QCR:
• Production access review
• Role-based access review
• Cryptographic Key Custodian and Cryptographic Key Rotation review
• Review of Firewall and Router Rule Sets
• Asset Review
• Vulnerability scan review

This central driver service helps Adobe product and service teams meet several CCF control domains such as Identity and Access Management, Asset Management, Vulnerability Management and Network Operations.

2) Technology security compliance risk assessment is a driver service executed on an annual basis. Risk, process and control owners perform an annual review of the risks, processes and controls they own and notify Adobe management of changes in the security risk landscape that need attention. This central service helps Adobe meet the Risk Management control domain of CCF.

3) BCDR program is a driver service operated centrally across Adobe. The driver centrally executes several critical BCDR related activities like the business impact assessment, disaster recovery and enterprise resilience across the product and service portfolio and helps Adobe meet the business contingency and backup management control domains of CCF.

4) Corporate network security controls (through Project Zen) is a driver service which helps to better automate management of access to internal applications, streamlining the overall user experience while also tightening security controls. The controls established through this service help Adobe meet several control requirements of the Identity and Access Management domain of CCF.

5) Central security tooling – Adobe has developed central tools like MAVLink and Hubble that act as a driver service to collect useful telemetry from our public cloud accounts/subscriptions and can be set up quickly in a new environment. We use the data collected by these tools to notify service owners through automated ticketing when their service deviates from their hardened secure state. This mechanism helps our engineering and operations teams who act as subscribers to the central driver service to meet several CCF control domains like configuration management and asset management.  

In addition to all the above mechanisms, security and compliance best practices are baked into our corporate technology standards for the relevant security domain. Automated controls are implemented to track continuous adoption, detect deviations, and track remediations to closure. Certain industry best practices are driven through strategic security initiatives broadly across the company, using Adobe-wide engineering sprints as part of our security engagement process. After an initiative has been executed across the company, we work to add its best practices as a requirement in the related corporate standards. We also add these security best practices as control objectives in the Adobe Common Controls Framework for companywide continuous adoption. To help scale the program further, we plan to use our CCF automation platform to reduce the manual effort needed for ongoing maintenance of these requirements and to provide dashboards to the respective product/service owners with a comprehensive view of the security state of the assets they own.
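The mechanism described in item 5 and the paragraph above (collect configuration telemetry, compare it against a hardened baseline, open a ticket for the owning team, and close it once the asset is back in its secure state) can be sketched in a few functions. The following is an added illustration written for this page; it is not code from MAVLink, Hubble or any other Adobe tool, and the asset types, baseline settings, owners and telemetry records are constructed placeholder values.

```python
"""Illustrative configuration-drift detection with automated ticketing.

Added example, not Adobe's tooling. Baseline keys, asset ids and owners
are constructed for the demonstration.
"""
from dataclasses import dataclass
import copy

# Hardened baseline per asset type: the settings a compliant resource must have.
BASELINE = {
    "storage_bucket": {
        "public_access": False,
        "encryption_at_rest": True,
        "logging_enabled": True,
    },
    "virtual_machine": {
        "os_disk_encrypted": True,
        "public_ip": False,
        "ssh_open_to_world": False,
    },
}

# Telemetry snapshot in the shape a central collector might export (constructed).
TELEMETRY = [
    {"id": "bucket-001", "type": "storage_bucket", "owner": "team-a",
     "config": {"public_access": False, "encryption_at_rest": True,
                "logging_enabled": True}},
    {"id": "bucket-002", "type": "storage_bucket", "owner": "team-b",
     "config": {"public_access": True, "encryption_at_rest": True,
                "logging_enabled": False}},
    {"id": "vm-010", "type": "virtual_machine", "owner": "team-b",
     "config": {"os_disk_encrypted": True, "public_ip": True,
                "ssh_open_to_world": False}},
]


@dataclass(frozen=True)
class Deviation:
    asset_id: str
    asset_type: str
    owner: str
    setting: str
    expected: object
    observed: object


def find_deviations(telemetry, baseline):
    """Compare every asset against the baseline for its type.

    A setting that is absent from the telemetry is treated as a deviation,
    so a collector gap cannot silently pass as compliant.
    """
    deviations = []
    for asset in telemetry:
        expected = baseline.get(asset["type"])
        if expected is None:
            continue  # no baseline defined yet for this asset type
        for setting, want in expected.items():
            got = asset["config"].get(setting)
            if got != want:
                deviations.append(Deviation(asset["id"], asset["type"],
                                            asset["owner"], setting, want, got))
    return deviations


def build_tickets(deviations):
    """One ticket per (owner, asset) so a team gets one actionable item per resource."""
    tickets = {}
    for d in deviations:
        t = tickets.setdefault((d.owner, d.asset_id), {
            "owner": d.owner, "asset_id": d.asset_id,
            "findings": [], "status": "open"})
        t["findings"].append(
            f"{d.setting}: expected {d.expected!r}, observed {d.observed!r}")
    return list(tickets.values())


def apply_remediation(telemetry, asset_id, changes):
    """Return a new snapshot in which one asset's settings have been corrected."""
    updated = copy.deepcopy(telemetry)
    for asset in updated:
        if asset["id"] == asset_id:
            asset["config"].update(changes)
    return updated


def reconcile(tickets, telemetry, baseline):
    """Re-run detection on fresh telemetry and close tickets whose asset is compliant again."""
    still_deviating = {d.asset_id for d in find_deviations(telemetry, baseline)}
    for t in tickets:
        if t["asset_id"] not in still_deviating:
            t["status"] = "closed"
    return tickets


if __name__ == "__main__":
    found = find_deviations(TELEMETRY, BASELINE)
    open_tickets = build_tickets(found)
    for t in open_tickets:
        print(t["owner"], t["asset_id"], t["status"], t["findings"])
    fixed = apply_remediation(TELEMETRY, "bucket-002",
                              {"public_access": False, "logging_enabled": True})
    for t in reconcile(open_tickets, fixed, BASELINE):
        print(t["asset_id"], t["status"])
```

The closure step matters as much as the detection step: a ticket is closed only when a fresh telemetry snapshot shows the asset back in its baseline state, not when the owner marks it done, which is what lets the central service track remediations to closure rather than trusting self-attestation.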

A centralized governance model, together with centralized security tooling and automation capabilities, helps drive security compliance and governance efforts at scale across an organization. At Adobe, we use the above mechanisms to maintain the Common Controls Framework, help mitigate security risks at scale, and help reduce security weaknesses in our environment. This helps us improve our security posture in an effort to strengthen your trust in Adobe’s cloud services.

Prabhath Karanth
Manager, Information Security, Adobe TechGRC team


Posted on 10-14-2020