Automated Governance

Finding a proper balance between classic IT Governance, Risk, and Compliance (GRC) and modern technology initiatives has been a reasonably difficult process for most large enterprises. The classic enterprise risk policy profiles are often redundant, misaligned, or in some cases outdated.

In this presentation, we are going to discuss two recently published papers that address modern patterns for dealing with this imbalance. The first paper, “DevOps Automated Governance Reference Architecture”, was published in September 2019. It describes a reference architecture in which policy evidence is digitally signed automatically in the delivery pipeline and recorded as attestations in an attestation data store. The second paper, “Automated Cloud Governance”, was released in May 2020. It is a follow-on to the original paper and includes specific evidence opportunities that the major cloud providers offer to cloud consumers.
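The signed-evidence pattern the first paper describes, as an added Go example that is not taken from either paper or from the working groups' own work: a pipeline stage signs its evidence as an attestation, an attestation data store collects attestations per artifact, and a policy check verifies every signature before an artifact is accepted. The struct fields, the in-memory Store, and the fixed key seed are assumptions made for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Attestation is one piece of policy evidence from a pipeline stage (field names are assumed).
// Signature is tagged "-" so it is never part of the bytes that get signed.
type Attestation struct {
	Stage          string `json:"stage"`           // e.g. "unit-test", "sast"
	ArtifactDigest string `json:"artifact_digest"` // SHA-256 of the artifact the evidence is about
	Evidence       string `json:"evidence"`        // e.g. "128/128 tests passed"
	Signature      []byte `json:"-"`
}

// Store is an in-memory stand-in for the attestation data store, keyed by artifact digest.
type Store map[string][]Attestation

// Add records a signed attestation under its artifact.
func (s Store) Add(a Attestation) { s[a.ArtifactDigest] = append(s[a.ArtifactDigest], a) }

// ArtifactDigest hex-encodes the SHA-256 of an artifact's bytes.
func ArtifactDigest(artifact []byte) string { return fmt.Sprintf("%x", sha256.Sum256(artifact)) }

// NewSigner derives the stage signing key from a fixed seed (constructed; real keys belong in a KMS/HSM).
func NewSigner() (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := sha256.Sum256([]byte("constructed demo seed, not a real key"))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv.Public().(ed25519.PublicKey), priv
}

// payload is the canonical signed form: JSON with a fixed field order, Signature excluded.
func payload(a Attestation) []byte {
	b, _ := json.Marshal(a) // plain string fields cannot fail to marshal
	return b
}

// Sign attaches the stage's signature over the evidence.
func Sign(priv ed25519.PrivateKey, a Attestation) Attestation {
	a.Signature = ed25519.Sign(priv, payload(a))
	return a
}

// PolicySatisfied is true only if every required stage has an attestation for the artifact whose
// signature verifies under pub; a missing stage or tampered evidence fails the policy check.
func PolicySatisfied(s Store, pub ed25519.PublicKey, digest string, required []string) bool {
	seen := map[string]bool{}
	for _, a := range s[digest] {
		seen[a.Stage] = seen[a.Stage] || ed25519.Verify(pub, payload(a), a.Signature)
	}
	for _, stage := range required {
		if !seen[stage] {
			return false
		}
	}
	return true
}
```

Because the evidence text is part of the signed payload, editing a stored attestation after the fact invalidates its signature, which is what lets an auditor trust the data store rather than the pipeline that wrote to it.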

The presenter of this session was chairperson of both working groups that produced these papers; he will give an overview and discuss the opportunities these papers provide. This session should be of interest to anyone working on DevOps, DevSecOps, and/or risk initiatives.
John Willis

John Willis is a Senior Director in Red Hat’s Global Transformation Office. Prior to Red Hat, he was the Director of Ecosystem Development for Docker, which he joined after the company he co-founded ...