Automating the Common Controls Framework (CCF) - Part II

Author: Adobe Tech GRC Team

The Common Control Framework (CCF) by Adobe represents the foundation of our company-wide compliance strategy. The CCF helps various cloud products, services, platforms, and operations achieve and maintain compliance with various security certifications, standards, and regulations such as SOC2, ISO, PCI, FedRAMP and others.

Adobe’s Technology Governance Risk and Compliance (Tech GRC) team has designed, is developing & continues to enhance a CCF automation platform to meet the ongoing needs of compliance at Adobe.

A scalable controls automation platform makes it easier for teams to onboard controls as well as help reduce the effort required on behalf of product engineering & operations teams for ongoing compliance. As a continuation to our previous post introducing “Automating the Common Control Framework,” this blog will expand on the underlying layers of the platform and how they operate together to provide a one-stop view for compliance.

As discussed previously in “Scaling Security Controls Across the Enterprise,” one of the foundational principles of the CCF is the “driver-subscriber” model that allows Adobe to scale the CCF across the organization with minimal overhead. The Automation Platform ingests logs and data provided by “driver” solutions to provide near-real-time operating effectiveness of CCF controls. In addition, the platform aims to provide a one-stop-view of compliance status to management and product teams.

The CCF automation platform is built on a layered framework that consists of four core layers as depicted in the image below: Data, Service, Application & Visualization.

Data Layer

The data layer within the CCF automation platform is storing data received from driver solutions in a manner such that it can be consumed by the other layers within the automation platform. This is achieved by storing a log or a relationship key from the driver solutions that directs the automation platform to the original data source as needed.

The main reasons for following this approach are to:

• Reduce data proliferation by subscribing to one true source of data
• Negate the potential risk of connectivity to Adobe production environments
• Reduce potential security risks and data contamination risks that might arise

Service Layer

The CCF Automation Platform uses a microservice architecture that allows the platform to scale and integrate with other driver solutions to access data essential to demonstrate ongoing controls operating effectiveness. Microservices relay the logs and data to the application layer from the data layer. Adobe’s instances of JIRA and Splunk are examples of centralized services that have dedicated microservices from the CCF Automation platform built to interact with their APIs.

Application Layer

The Application layer manages the logic (also known as rules engine) which is used to automate the testing of CCF individual controls using the normalized data fetched from the data layer. These are a series of complex conditional statements that encapsulate the validation workflow defined in CCF controls.

These checks are performed at a regular cadence by the rules engine with the aim of providing near real-time validation of control effectiveness and the platform displays an alert to management of potential control failures. This workflow continues to evolve, and additional control checks will be added on a continuous basis.

Visualization Layer

The visualization layer will be responsible for providing management and product teams with a consolidated and precise one-stop view into all upcoming compliance activities, control potential failures & risk areas. The Visualization layer is tasked with presenting the overall compliance state in an easy to understand manner to product teams.

Innovation at Adobe is never ending and the CCF Automation Platform is continuously evolving and expanding. The CCF Automation platform is another step in Adobe’s strategy that enables us to better protect customer data and meet changing regulatory and industry compliance demands while enabling continuous innovation across our products and services.

In our next blog, we will expand on how teams across Adobe will leverage the platform to seamlessly self-onboard to CCF with minimal intervention required from internal compliance team, and also on the aspect of how the platform will assist management at Adobe with a near real-time view of the compliance status and how that effects the future of compliance at Adobe. Stay tuned for further updates.