Effective Cloud Governance Balances Innovation, Security
ULA and AWS leaders discussed strategies for secure cloud adoption, emphasizing effective permissions to balance innovation and security.
Security leaders from United Launch Alliance (ULA) and Amazon Web Services (AWS) highlighted how effective permissions and targeted policies are enabling secure cloud adoption in regulated environments during AWS re:Invent in Las Vegas, Nevada.
By addressing challenges like limited cloud knowledge and implementing new tools like identity and access management (IAM), ULA is balancing innovation with security, while maintaining flexible, evolving governance strategies.
ULA is still in the early stages of its cloud journey, having developed its Cloud Center of Excellence (CCoE) roughly two years ago. As the organization continues to build out its cloud strategy, ULA Cloud Security Architect Jeff McClain said his focus is on balancing security and innovation.
Bryan Gunter, senior aerospace consultant at AWS, highlighted how ULA and AWS leveraged three key policies to fit both security and development team needs.
- Service control policies set guardrails for the enterprise.
- Identity policies, such as IAM policies, define permissions for users based on their roles and actions.
- Boundary policies create a “safe zone” for developers to test freely, without compromising security.
“The idea is that developers come into our onboarding account, they play around … while they are performing their actions, CloudTrail is capturing what they’re doing,” said Gunter. “Then we can use AWS IAM Access Analyzer to determine what did they actually do? And how can we actually determine our policies?”
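The workflow Gunter describes (record developer activity in CloudTrail, then derive policy from what was actually used) can be sketched as below. This is an added example, not ULA's or AWS's code: the records, role ARNs and boundary list are constructed, and mapping `eventSource` plus `eventName` directly to an IAM action is a simplifying assumption that does not hold for every API call, which is the gap IAM Access Analyzer's policy generation covers.

```python
from fnmatch import fnmatchcase

DEV = "arn:aws:sts::111122223333:assumed-role/dev-sandbox/alice"  # constructed
OTHER = "arn:aws:sts::111122223333:assumed-role/dev-sandbox/bob"  # constructed

def ev(source, name, arn=DEV, error=None):
    """Build a constructed CloudTrail record with only the fields used here."""
    rec = {"eventSource": source, "eventName": name, "userIdentity": {"arn": arn}}
    if error:
        rec["errorCode"] = error
    return rec

SAMPLE_EVENTS = [
    ev("s3.amazonaws.com", "GetObject"),
    ev("s3.amazonaws.com", "PutObject"),
    ev("s3.amazonaws.com", "GetObject"),                # repeat call, deduplicated
    ev("sqs.amazonaws.com", "SendMessage"),
    ev("ec2.amazonaws.com", "RunInstances"),            # succeeded in the sandbox
    ev("iam.amazonaws.com", "CreateUser", error="AccessDenied"),
    ev("kms.amazonaws.com", "Decrypt", arn=OTHER),      # different principal
]

# Hypothetical permissions boundary: the ceiling a drafted policy must stay under.
BOUNDARY = ["s3:*", "sqs:*", "dynamodb:*"]

def within(action, patterns):
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def draft_policy(events, principal_arn, boundary):
    """Return (policy, needs_review, denied) for one principal's recorded activity."""
    used, denied = set(), set()
    for e in events:
        if e["userIdentity"]["arn"] != principal_arn:
            continue
        action = e["eventSource"].split(".")[0] + ":" + e["eventName"]
        (denied if e.get("errorCode") else used).add(action)
    allowed = sorted(a for a in used if within(a, boundary))
    needs_review = sorted(a for a in used if not within(a, boundary))
    policy = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": allowed,
        "Resource": "*",  # placeholder: scope to specific ARNs before deployment
    }]}
    return policy, needs_review, sorted(denied)

if __name__ == "__main__":
    import json
    policy, review, denied = draft_policy(SAMPLE_EVENTS, DEV, BOUNDARY)
    print(json.dumps(policy, indent=2))
    print("outside boundary, needs review:", review)
    print("attempted but denied:", denied)
```

Actions that succeeded in the sandbox but fall outside the boundary are returned separately for review instead of being granted, and denied attempts are kept as a record of what the developer tried to do.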
ULA also took inventory of cloud adoption roadblocks. McClain noted that overall, there was a lack of knowledge about cloud services. The diverse workforce – ranging from software engineers to technicians – also posed a problem when defining least privilege access. ULA began discussions with users and team leads to examine current policies and gauge how to best approach the problem.
“I thought I could standardize this and kind of get back to the basics, [but that] really was program to the problem that the permissions were either far too broad … or they were just so tight, so dialed in that every few weeks … they were having to come in and rework those costs.”
Implementing the new policies required McClain and his team to develop both technical and non-technical solutions. For instance, the CCoE represented a key non-technical component necessary for ULA to adopt an effective and functional permissions mindset.
According to McClain, service approval processes – though not a new concept – were foundational and among the most critical elements of implementing these policies and frameworks.
“It’s basically anything and everything we can think of that we need to implement, put in place so our users don’t have to think about it and security doesn’t have to think about it,” said McClain. “You really do have to understand the controls you have around each of these services.”
Cody Hartman, senior software engineer at ULA, agreed that effective governance and strategy are crucial to the software tooling process. Policies are often manually written and deployed. Hartman said creating future policies will be easier with the IAM Access Analyzer, which helps establish roles and policies based on what tools developers use.
“As developers integrate, we need to as well. They may add new services or remove services, and so those policies are essentially a living document,” said Hartman. “They’re not going to stay completely stable.”