Automation System for Validation of Configuration and Security Compliance in Managed Cloud Services

Validation of configuration and security compliance at the time of creating new service is an important part of service management process and governance in most IT delivery organizations. It is performed to ensure that security risks, governance controls and vulnerabilities are proactively managed through the lifecycle of the services, and to guarantee that all discovered problems and issues are addressed and remediated for quality assurance before the services are delivered to customers. The validation process is complex and is typically carried out by following a checklist with questions and answers through manual steps that are time consuming and error prone. This lengthy process is particularly troublesome when providing managed cloud services to enterprise customers with a pre-specified request fulfillment time in SLA. In order to improve the timeliness and quality of cloud services, we have introduced an automation system to orchestrate the validation process with executable scripts to be executed against the services. We will describe a novel policy mechanism to capture exception rules for eliminating possible interference in security configuration contained in the scripts. We will explain how our system is designed and implemented to fulfill the needs of large enterprises from both the service provider's and the service consumer's vantage points.