Why the Hybrid Cloud will Accelerate GRC Platform Adoption

For years GRC advocates have been focused on one message: we can lower risk and gain efficiencies by managing common processes in governance, risk, compliance (and security) across the silos within the business with a common program supporting people, process and technology. The mantra is some variation of test once, analyze across, report many.  People are getting it. Yet the work of it has barely begun in even the most advanced of organizations – GRC, while gaining momentum, is still very much in its infancy. 

The drivers for GRC are many; I’ve blogged about the Five Forcing Functions of GRC previously.  Summarized they are:  exploding digital universe, avalanche of regulations, hyper-extended enterprise, virtualization and cloud computing and perhaps the most important: heightened need for visibility from executive and a wide variety of stakeholders. 

After this week at the RSA Conference I’m convinced more than ever that one of the five forcing functions – virtualization and cloud computing- in particular, the hybrid cloud - is going to give GRC a majorly big push this year – driving the need for more standardization,  visibility and control that GRC can provide.

Hybrid Cloud makes GRC all that more vital. Why?  Think of the hybrid cloud as meta-silos – now we aren’t just dealing with the need to integrate GRC across the internal organization – but now across the entire extended enterprise.  Yes, we’ve been doing it for years, it’s true, managing dozens, and sometimes hundreds or thousands of 3^rd party relationships – but hybrid cloud puts a new twist on the hyper-extended enterprise.

As organizations adopt more cloud computing models, from a wider variety of workloads, managing identity, and information across virtualized and physical infrastructures – we will see the evolution of hybrid cloud management systems. And with this, and perhaps, even in advance of these new cloud management systems – will be specialized solutions that specifically address cloud trust.  In effect, we are reaching a point of convergence between GRC and cloud computing.

At the center of this convergence is the hybrid cloud – which is driving the emergence of new platforms that manage GRC across all external and internal systems, whether it is the dozens of cloud service providers that are embedded in your business process, or the internal processes that live within the increasingly porous boundaries of your organization. 

RSA’s Cloud Trust Authority is one example of a hybrid cloud GRC platform that leverages the RSA Archer GRC platform, along with RSA envision and DLP – and there will be more.  Some will come from the cloud service providers themselves and others from vendors like vmware, EMC and RSA that are taking Cloud trust very seriously. 

The push for wider-scale adoption will ultimately come from large organizations that will demand visibility into their providers’ environments.  Eventually there will be a tipping point where standardized processes - facilitated by the unprecedented granularity of introspection and controls monitoring that are built-in and automated within virtualized environments - will bring this vision of the hybrid cloud GRC platform to fruition.  

So, the Call to Action: take a good look at what your organization is really doing with cloud computing – and imagine what the program and technology architecture will need to be to manage GRC across all of those relationships.  Talk to your CSPs and vendors –delve deep leveraging the Cloud Security Alliance Consensus Questionnaire and CSA Cloud Controls Matrix- and explore the possibility that hybrid cloud computing can actually improve your GRC.

Cloud Assessments – Try the Cloud Security Alliance Consensus Questionnaire

I’ve blogged previously about the Cloud Security Alliance (CSA) and Cloud Audit – this group is doing ALOT to promote the use of best practices for providing security assurance within cloud computing –and has grown to over 15,000 members in a short period of time. CSA working groups are tackling the tough challenges like cloud assessment, identity in the cloud, and security-as-a-service - in an open, collaborative way.

One of CSA’s main accomplishments has been advancing the adoption of the Cloud Controls Matrix into international standards communities.  An important new development is the Consensus Assessments Initiative (CAI) Questionnaire – a spreadsheet that cloud consumers and assessors can use to understand what security controls Cloud Service Providers (CSPs) have implemented in their IaaS, PaaS, and SaaS offerings. The Questionnaire is a companion to the CSA Guidance and the CSA Cloud Controls Matrix.   Use it with CSPs you are considering – test it and give feedback to on what works and what doesn’t to the CSA working groups.

Fyi, if you haven’t heard, CSA is holding a half day summit co-located with the RSA Conference 2011, San Francisco, Feb 14.  Keynote speaker will be Marc Benioff, CEO Salesforce.com. 

As a footnote ENISA – the European Network and Security Agency - has just released a new 146 report on Risk and Resiliency in the Cloud for governments and health care agencies, leveraging work of the Cloud Security Alliance (CSA), among others.  This is another landmark in a series of international standards organizations adopting CSA work. Pages 13-20 describe a scenario which covers the challenges in conversational language. Interesting reading if you don’t want to read about controls J

For all of you attending the RSA Conference, see you there! I will be at the CSA Summit on Monday am and hanging at the RSA and EMC booths throughout the Expo hours.

 

Cloud Trust – Are you keeping up with your organization’s plans for monetizing the cloud?

Many enterprises are now embracing cloud computing – especially as a model to quickly launch new products and services. As GRC professionals, we are not always privy to these plans until they are well underway and can find ourselves in the position where we are trying to assure governance and security controls are in place in hosted environments – after the fact.

Gartner estimates that cloud computing services market will grow to over $150b by 2013. Your own organization may be part of this growth - leveraging private cloud, public cloud or hybrid models.  To provide value to your organization on issues of cloud trust, you will need to distinguish among cloud types and their respective trust characteristics. For example in the public cloud, you are less likely to be able to maintain traditional control over your organizations’ information assets, and in the private cloud, you can do much more. In fact, properly implemented, a private cloud deployment can prove more trustworthy than what you have internally in place today.

Most importantly, you will need to evaluate specifically what business processes and information, applications, and other assets would be moving to the cloud. This will require a pretty thorough evaluation that will lead to what type of cloud deployment model is the best destination for what you are trying to achieve. At EMC, we have been doing work on this by looking at each asset and its potential migration to the cloud through three “filters” – economic, functional, and trust. The real danger lies in moving assets to the cloud without applying all three.  More about that work coming in a later post.

In the interim, you might start having conversations with your business colleagues and management to understand more about how they are trying to improve customer experience, business processes and services – and how cloud computing may be leveraged to improve agility and lower costs through better resource utilization. Become familiar with what public cloud providers really offer in terms of security and assurance. Understand what communication service providers (that you may be using now or in the future) are planning to launch as cloud service offerings to support their very diverse and growing customer base – consumers as well as enterprises. (For a quick review of how CSPs can/are exploiting cloud opportunities - read this EMC Consulting Perspective here). 

The cloud computing market is evolving rapidly with new capabilities being offered almost daily that many organizations can’t afford to ignore. It is our responsibility as GRC professionals to stay ahead of this curve and keep our organizations and IT groups moving safely along the journey to the cloud.   

Here’s a brief review of cloud types – more coming next week on how to evaluate the trust profiles of each.

Public Cloud: Resources are owned and managed by the provider and shared across customers. Scale economies can be high and costs low, but for the enterprise customer both transparency and control can be low. A variation is the community cloud, a multi-company members-only version of a public cloud, usually centered on a common business process (e.g., for use by a purchasing consortium).

Private Cloud: Resources are owned and managed by the enterprise and shared across it. The enterprise has scale economies and cost advantages (though not on a par with the public cloud) together with more transparency and control. Private cloud resources are usually on premise; however, an external private cloud can be operated by an outside service and still offer the level of transparency and control (including over asset location and segregation) needed by the enterprise.

Hybrid Cloud: A mix of public and private clouds. Each application and its data may reside in isolation in one cloud or the other. In more complex configurations, selected data moves back and forth, for example when a public cloud CRM application shares data with financial applications in a private cloud. Sometimes a public cloud service is an on-demand extension of computing and storage infrastructure to handle peak loads. Hybrid cloud is the more complex configuration, but can offer greater flexibility and benefit.

 

Cloud Security -Certification of Cloud Security Knowledge

For all of you certification junkies - and in our field there are many :-)  - there is a good certification now available online (for $195 through Dec 2010) at the Cloud Security Alliance. Launched this month, it is a 50 question, multiple choice test that must be completed in 60 minutes - but don't worry - there is a study guide available at CCSK Study Guide.  The questions cover the information you will find in one overview document I mentioned in my last post - Cloud Security Alliance Guidance Version 2.1– Security Guidance for Critical Areas of Focus in Cloud Computing and another ENISA – Cloud Computing Risk Assessment.

The CSA is planning updates to this body of knowledge and will have a road map for certifications next year. In the meantime, it's a good idea to do the prep and take the exam. 

This certification isn't a substitute for current certifications such as CISM or CISSP. It is based on knowledge specific to cloud computing - so, you can't use any of your other certifications to grandfather you in!  

Since it is on-demand, it should fairly straightforward to set aside an afternoon  to review the material and then take the exam.  

Cloud Audit – Paving the Way to the GRC Enabled Cloud

I’ve just joined one of the Cloud Audit working groups – focused on developing controls for cloud computing.  Over 400 other keen GRC and Security professionals are part of this growing group. Don’t know about Cloud Audit? Let me share with you a bit about this and why it is important. First of all, governance, risk, security  and compliance management is becoming increasingly critical in the cloud – I’ve blogged on this previously.  What has been holding us back are consistent and standardized frameworks, open standards and interfaces that address not only controls but also easy to implement processes to provide assurances on levels of GRC and security in cloud environments.  Enter Cloud Audit, designed to smash down the roadblocks and getting us flying in the cloud.

 

Cloud Audit began in January of this year, driven by Christopher Hoff (CISCO), and others from many organizations including Telus, CSC, VMware, Microsoft, EMC, Unisy and  Terremark. It is a volunteer cross-industry effort from the best minds and talent in Cloud, networking, security, audit, assurance and architecture backgrounds – specifically focused on developing and providing a common interface that allows Cloud providers to automate Cloud Audits.

 

Central to the groups’ work is something called A6 – which stands for Automated Audit, Assertion, Assessment, and Assurance API.  The idea is that cloud providers and consumers of their services should be able to leverage an open, extensible and secure set of interfaces for Cloud GRC and Security. 

 

The mantra of the group is to: 

• Keep it simple, lightweight and easy to implement; offer primitive definitions & language structure using HTTP(S)
• Allow for extension and elaboration by providers and choice of trusted assertion validation sources, checklist definitions, etc.
• Not require adoption of other platform-specific APIs
• Provide interfaces to Cloud naming and registry services

You can get involved in these working groups or simply follow the discussions held every Monday at 1 pm est. Join the Google group for Cloud Audit here.

Cloud Audit of course is not the only group looking at the Cloud Security and GRC -

Many of you may know about the Cloud Security Alliance (focused on best practices and education in cloud computing), the Trusted Cloud Initiative(focused on certification for various cloud environments) and the European Network and Information Security Agency (ENISA)’s work on this topic – there have been some important documents produced over the past 6 months that are worth diving into.

 

We’ll have more about these orgs in future posts, but for now  - two good overview documents are Cloud Security Alliance – Security Guidance for Critical Areas of Focus in Cloud Computing and ENISA – Cloud Computing Information Assurance Framework.

If you haven't dug into cloud GRC - now is the time to do it. It's important for career and good for your company - there aren't many organizations today that don't see their future apps portfolio moving more and more into the cloud.

 

IT GRC Lifecycles – supporting each of Governance, Risk and Compliance – how about ITIL?

One of the big issues I hear from many customers and colleagues facing us in GRC is that there just so many different approaches and methodologies in play  to address our challenges – that implementing an end-end GRC program is hampered.  In the IT GRC world alone, we have, to mention a few:

·         IT Governance Institute’s COBiT and governance guidance

·         ITIL framework for IT Service Management

·         ISO 27000 series for security, which touches many aspect of IT

·         NIST approaches for Risk Management, including 800-30

·         OCEG’s Red Book, covering many aspects of Enterprise GRC, including IT GRC.

 

CIOs need approaches that dovetail with transforming IT as a Service

What all these lack is a common high-level approach that resonates with what a CIO is increasingly building as IT becomes more of a service.

We absolutely need to start aligning our approaches, even at the highest level, if we are to advance the cause of integrating and gaining synergies with end-end programs for GRC.

 One of my past colleagues, Scott Crawford,  Research Director at Enterprise Management Associates, completed a study a few years ago that showed that organizations that adopt ITIL have more mature GRC programs. I want to say ‘of course!’ but as it turns out, this isn’t that obvious to those GRC practitioners that have little insight into ITIL.

Here’s a thought – why not abstract approaches to a higher level that can accommodate the internationally accepted standards and methods – using the main stages of ITIL? At EMC Consulting, in fact, that is what we are doing, and it works well. IT GRC involves all the aspects of IT – from business continuity and data protection, through information governance and life cycle management, asset management, change and configuration management and of course, security management.

Integrating ITIL stages with GRC

Here’s a diagram showing how to pull together the main phases of ITIL: Strategy, Design, Implement and Operate – and move around the life-cycle whether you are looking through the governance-only lens, the risk management/security-only lens, the compliance-only lens or any combination.

This sort of approach typically resonates more with the cloud and datacenter folks, the pure IT folks.  But as we transition to the cloud – (and a good read on this, pulling concepts together is Chuck Hollis’s recent post on the 10 Big Ideas Shaping IT Infrastructure Today) -  isn’t that what we need to do as GRC practitioners? It’s the GRC-enable cloud, whether private or public, a key end-state?

 
 

 

Journey to the GRC-enabled Cloud - What are likely scenarios?

As the Cloud evolves to become GRC-enabled, there are likely to be events that force its evolution.  I am thinking of a few, and you may have many others. They may happen sequentially, but a more likely to happen simultaneously for all practical purposes…

1.       Bad things happen early on, forcing adoption of GRC-enabled cloud services.  Cloud consolidates lots of information in one world, making it attractive to those who would benefit from exploits. Clouds will be tested by some of the best criminal minds, not to mention the best intentioned humans who simply mess up.  We will learn where the holes are leveraging analytics and modeling, through the virtualization layer's highly granular monitoring capabilities, combined with security information and event monitoring that is extended to the cloud. We will patch and fret our way into smaller and smaller threat surfaces. These events will be forcing functions that cause cloud vendors to leverage economies of scale not only for cost reduction, but now for GRC-enablement, certification and dynamic risk management. 

 

2.       Cloud vendors stratify into layers of increasing GRC-enablement.  Cloud vendors will differentiate themselves based on their ability to offer various levels of GRC-enablement, based on the visibility, compliance and access needs of the customer. At first this will be coarse grained, but as organizations are able to understand and define their needs more granularly, services will naturally segregate information and entities by their classifications and allow them free movement within cloud segments that are matched precisely to those needs. Eventually service will be so superior it will be far cheaper for organizations to contract with a GRC-enabled cloud than retrofit their legacy IT environments, and increasingly, their internal clouds. Cloud vendors will seek long-term, high value relationships with high switching costs by leveraging technologies for data center monitoring, data encryption and tokenization, federated identity management and strong authentication to prevent fraud, detect malware and demonstrate compliance.

 

3.       Cloud vendors band together to create classifications that enable chain-of-trust-custody.  Federation between clouds will develops rapidly as the rules of engagement become more automated and understood, leveraging federated identity management, encryption and more. Insight into, understanding of and protection from  the ‘dark cloud’ will be possible through unified efforts of cloud owners and providers.

 

4.       Organizations understand their needs more granularly.  Organizations formalize information governance and learn to classify elements dynamically and accurately, based on business impact analysis that is rationalized and current, in a feedback loop with threat and vulnerability analysis. Information and assets will be able to be intelligently and automatically allocated to the cloud environ that meets information governance requirements.

What further scenarios do you imagine? What cloud eddies and currents can you see along the way?  Let’s continue the dialogue….. it’s time.

 

 

The GRC-enabled Cloud – governance, risk and compliance may be simpler, faster, cheaper, more trusted – eventually

When we talk about the Cloud, whether it is an internal cloud and external cloud (i.e. public cloud) or a private cloud (i.e. hybrid cloud), we are inevitably led to consider GRC. To date the Cloud GRC discussion has been limited to issues of privacy, trust, reliability and availability, narrowly focused at times on security. This is typical when profound changes are underway driving any paradigm shift, and this evolution to the Cloud is truly profound for IT. It changes not everything, but nearly everything.  It is as transformational for IT, and perhaps more so, than the movement from centralized to distributed client server computing in the 90’s.

Going forward, we need to broaden the Cloud discussion to imagine the scenarios where the Cloud is GRC-enabled, at the appropriate level, matching the precise needs of its diverse and distinct user communities. It’s time to reframe the discussion in a way that frees us to think strategically and practically about how the Journey to the Cloud may actually evolve. By doing this we can be proactive and creative, and avoid the inevitable backtracking and reworking that occurs when we react piecemeal to profound change. Let’s Rise Above the Clouds for a moment, and ‘blue sky’ GRC concepts one by one.

Governance in the Cloud.

What would a Governance-enabled Cloud look like? Governance translates directly through policy to authority, behavior and access in the Cloud.

Policy would need to be based not only on business and regulatory requirements, but on best practices that can be translated from written edicts through instantiations of configurations for all in-scope technologies. For example, applications would specify their operational policies; hosts would specify their control capabilities and hosting would occur when policies match control capabilities.

Classification Schema would need to underpin the policies that govern behavior of entities, in particular, applications, information or virtualized environs.  Entities would need to know their GRC profile, that is, how they are classified and what their attendant configuration and protection requirements are, and by extension, what the characteristics of their target cloud environs must be.

Chain of Trust-Custody. We know about chain of custody in the legal and even information security sense.  When clouds negotiate handoffs in this dynamic, fluid eco-system, the chain of trust would need to be carried with it, logged, analyzed, and be auditable. If the chain should break, it must either stop the movement or self-heal. Policy shapes the rules of interaction and policy enforcement would be able to break bindings dynamically.

Risk Management in the Cloud.

What would a Risk Management-enabled cloud look like? Risk translates directly to the probability or likelihood that a threat will have a negative impact on an entity.           

Business Impact Analysis (BIA) would need to be continuous and based on known and accepted levels of risk tolerance, at many levels of granularity, running from business process through the stack to applications, information and cloud environ. BIA would be based on not just availability(A), as we see today in business continuity, but also on confidentially(C) to ensure privacy and integrity(I) to ensure data quality, as well. This BIA-CIA profile would map into the governance classification schema, and be a foundation stone to facilitate trust.

Threat and Vulnerability Analysis would need to be dynamic, absorbing new threat-vulnerability pairs, and determining probabilities by sensing their context through the type of e-discovery, instrumentation and configuration controls monitoring that is possible at granular levels through the hypervisor. We have this type of technology today at the network level within the internal cloud; we need to extend it across cloud eco-systems. 

Risk Analysis and Remediation would need to be dynamic; near-real time.  Blocking and quarantining technologies will be part of the solution but most importantly, human-machine and machine-machine visibility into configuration postures, coupling and service levels will enable just-in-time remediation.

Compliance in the Cloud.

What would a Compliance-enabled cloud look like? Compliance translates into understanding how policy enforces regulatory and business requirements in the cloud, through the use of controls.

Control Rationalization and Normalization would need to be more automated.  Conflicting controls would be rooted out and overlapping controls allowed to persist only in those environs where deeper levels of defense are required, based on classifications and policy.

Control Implementation would need to be dynamic when possible. Human intervention will bottleneck processes, and where communication is machine-machine, collaborative decisions will need to be negotiated through rules or inference. Compliance will involve knowing such things as where information resides (or has resided), where it has been transmitted (to, from or through regulatory boundaries) and how it is protected (at rest or in flight, notified, consented or ‘safe harbor-ed’).

What further attributes do you imagine? What cloud eddies and currents can you see along the way?  Let’s continue the dialogue….. it’s time - cloud front approaching!

 

 

 

GRC is Transforming - UNDERSTANDING with Contextual Relevance and Traceability

Continuing our discussion about how GRC is transforming from an adhoc, rationalized stage to a more mature, optimized stage leveraging real-time information that gives us dynamic GRC – this post is about Understanding.  See the earlier post on Seeing, Understanding and Believing as concepts that usher in this new era.  Why do we need a new way of Understanding? The key ways in which Understanding is different in the new era of Dynamic GRC are: contextual relevance, traceability and the way we map the ecosystem. Let’s take them one by one.

Contextual Relevance is richer.  The bottom line is that we need context. Too much information and we will get lost. What are we seeing and how important is it, really? What is the contextual relevance? If it isn’t tied somehow to a  key risk indicator (KRI), why get distracted? What regulatory of business requirement is this in scope for; what policies and assets are relevant; what business processes is a risk? That is why we GRC people are so obsessed with mappings.

Traceability is unbroken. As our environments become more complex and dynamic, human beings can’t keep up with manual mappings.  We need  to be able to traverse the contextual connections- again I quote a CRO I know who told me ‘I need to pull the thread – whether it is PCI or SOX or the latest risk exposure – and know – very quickly where the problem truly is...’ .  GRC 2.0 systems have a sort of ‘segmented’ traceability – you can only go so far – perhaps a regulation is mapped to a policy and control - then you need to search to pick up the thread again. How is this control failure associated with a business process, and through the stack to an asset – ultimately to a measurement – such as the vulnerabilities in the application or on the servers, virtualized or not, that support that business process?

Mapping the eco-system is inference-based. So, ok - we know that understanding absolutely depends on being able to traverse the web in many directions, through requirements, policies, processes, controls, inventories, measurements and metrics in a meaningful way – and we can depend more and more on classifications and mapping to give us that context.  But how do we keep our models dynamically updated to reflect what if often daily or even, hourly significant change?  Well, we need technologies based on inference engines, where many associations are made dynamically, based on rules and transitivity (A is connected to B and B is connected to C so A is also a connected to C….) to do this.  Embedded and harvesting from the systems that we use every day.

That’s two out of three critical concepts in Dynamic GRC: Seeing (providing great visualization and analytics) and Understanding (providing contextual relevance through traceability of the eco-system). There are many great GRC applications and technologies out there today doing exactly this for a small targeted part of the GRC world – let’s hear from you!  Isn’t it time to pull this together across the entire spectrum?

Next time we’ll talk about the third critical concept in dynamic GRC: Believing.

GRC is transforming…. SEEING with Visualization and Analytics

Last week we talked about how GRC is transforming from an adhoc, rationalized stage to a more mature, optimized stage leveraging real-time information that gives us dynamic GRC. But what does that really mean? Earlier in the What’s the Hoo Ha about GRC we talked about Seeing, Understanding and Believing as concepts that usher in this new era. So, let’s take it apart. What’s the deal with Seeing? Quick review:

Seeing.  As many commenters on this blog point out, we need visibility and  transparency  to see our current exposure and give us the confidence to not only manage risks within our appetite but to exploit new opportunities with quantified risk.  The line of sight from a business or regulatory requirement deep into embedded controls has to be relatively unbroken and unobstructed.  It’s complex – and difficult – but not impossible - to see through the web of our hyper-extended, deeply-stacked, dynamic and increasingly virtual organizations.  Simple pie charts sitting on a single repository simply aren’t going to be enough.  Dynamic GRC needs really good navigation, visualization, data management and analytics, where we can literally see a model, heat map or trend line and use the combined power of our intuition and analysis to gain the insights we need to construct better decisions. Here we take a lesson from business intelligence and apply it to GRC.  We need to be able to see the key risk indicator (KRI) on the say, supplier management system approaching a service level agreement (SLA) threshold, then  drill down, slicing and dicing through the stack from the application layer to the network and server technology assets and controls to the root cause.  Let’s look at the key differentiators – navigation, visualization, data management and analytics:

Navigation is different. Today, many GRC apps use a simple web browser with hierarchal tree to drill down from say, an organizational unit, to business processes or assets with the unit, to perhaps some key risks and then, to controls that may be failing related to those risks. But really, that isn’t enough in a world where control states and other measurements are harvested real-time from IT management systems.  Think: Multi-dimensional traversal, and mash-ups from many sources.

Visualization is different. Not just pie charts and reports. Visualization is better because the underlying GRC intelligence is better. Think: Maps with overlays that show you where your greatest risks are geographically or by business process, with drill down to near-real time data.

Data management is different.  Not just a central, hierarchal data repository.  Dynamic GRC needs federated data sources – meta-data pointers to where the information lives, real-time. This requires Master Data Management so that different versions of the truth are reconciled. Think: Web of information and smooth, direct traversal.

Analytics are different. Not just database queries and simple risk calculations. Dynamic GRC relies on rich, granular data that can be sliced and diced as business intelligence. Think: What-if scenario modeling and sensitivity analysis, where you can see the effect on risk of tightening or loosening a control before there is an impact.

Why is dynamic GRC important? Because we can’t afford to have glacial reports that are frozen time - we need near real -time ‘seeing’.  In today’s economy where new investments need to show ROI within quarters we need to use what we already have. This is not rocket science – performance management systems for the business and resource management systems for IT have this information and are increasingly leveraging this kind of ‘seeing’.  Why should GRC be starved?  It’s part of the natural convergence between performance management and GRC.  And don’t you think it’s part of our responsibility as GRC stakeholders to drive awareness and make these kinds of major improvements that truly add value to our organizations?

Next time let’s talk about the next critical concept in dynamic GRC: Understanding.