About the customer
The customer is the third-largest bank by market capitalization in Australia, with commercial and retail banking as its dominant business units. It is among the top 4 banks in Australia, the largest banking group in New Zealand and the Pacific, and among the top 50 banks in the world.
The customer changed the game by adopting cloud-based services in order to pursue a more flexible, technology-driven strategy and lower their cost to innovate. They moved to the cloud to host more dynamic content across their customer touchpoints and to allow data sharing with external organizations. The move was also timed as the ANZ market entered a new digital era.
To navigate this environment, the customer was exploring the creation of an enterprise-wide data lake solution to analyze aggregated, de-identified data sets for customer insights. They wanted to consolidate the ‘quaint’ data ponds that had popped up in different departments into a single Hadoop-based data lake.
Being in the banking domain, the security of their customer data was of paramount importance to them. They regarded their customer and transaction data as an A-grade strategic asset. Keeping security as their top priority, they wanted to move away from legacy technology and improve the flow of data within the organization, creating an edge over the competition. As a prominent bank in the ANZ region, they were also subject to various regional and global banking standards and compliance regimes, which further required the chosen cloud service to support their stringent compliance requirements.
After carefully reviewing the tight security requirements, Blazeclan proposed a multi-fold approach to support the customer in achieving the desired outcome. To begin with:
- The certified SAs proposed a secure, multi-account setup based on AWS best practices. The solution is based on the creation of a landing zone with multiple AWS accounts and a security baseline.
- A separate AWS account was created for each specific purpose in this solution. The accounts were designated Master, Logging, Security, Shared Service, Dev and Prod. This segregation was put in place to ensure a higher degree of confidence in the security of data stored in these accounts. Furthermore, the segregation was complemented by user access privileges granted through a centralized user management tool (ADFS). These user access controls allowed only those actions that were cleared by IAM permissions for a particular user role.
- For secure transmission of confidential data between the customer and AWS, a site-to-site VPN was proposed. Similarly, to secure data at rest loaded into AWS data services, AWS KMS was used.
- To formalize the security baseline, the CIS AWS Foundations Benchmark was implemented in all the accounts. All proposed AWS accounts were also subject to periodic CIS audits to find deviations from the baseline security best practices.
- For efficient and effective monitoring, several security alerts were created using CloudTrail, Config and CloudWatch. The entire data lake SaaS solution for the customer was designed following a security-first approach that kept banking security guidelines in consideration.
- Service-specific security consulting included the following:
  - For monitoring the production resources, the team advised the use of Amazon CloudWatch to capture and summarize utilization metrics natively for AWS resources.
  - AWS CloudTrail was set up to log, continuously monitor, and retain account activity related to actions across their AWS infrastructure.
  - The centralized AWS Config bucket was encrypted with AWS KMS.
  - Amazon GuardDuty was configured across multiple accounts to send timely alerts of any malicious attempts.
  - All EC2 servers had endpoint protection installed to protect against malware and viruses.
  - IAM roles in conjunction with ADFS were created for role-based, centralized user authentication.
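The CIS AWS Foundations Benchmark audits and the CloudTrail/CloudWatch security alerts mentioned above are, in AWS, normally implemented as CloudWatch Logs metric filters on the CloudTrail log group, each backed by a CloudWatch alarm. The following added example (not Blazeclan's or the customer's code) expresses the match logic of several of those benchmark monitoring rules in plain Python so they can be unit-tested offline against constructed sample CloudTrail records before being deployed. The event names and field checks follow the benchmark's published filter patterns; the sample records, event IDs and account values are constructed for illustration.

```python
"""Offline evaluation of CIS AWS Foundations Benchmark style monitoring rules
against CloudTrail records (constructed sample data, not a real account)."""
import json
from collections import defaultdict

# Event names from the CIS benchmark monitoring section (IAM policy changes,
# CloudTrail changes, Config changes, S3 bucket policy changes, KMS key
# disabling or scheduled deletion).
IAM_POLICY_EVENTS = {
    "DeleteGroupPolicy", "DeleteRolePolicy", "DeleteUserPolicy",
    "PutGroupPolicy", "PutRolePolicy", "PutUserPolicy", "CreatePolicy",
    "DeletePolicy", "CreatePolicyVersion", "DeletePolicyVersion",
    "AttachRolePolicy", "DetachRolePolicy", "AttachUserPolicy",
    "DetachUserPolicy", "AttachGroupPolicy", "DetachGroupPolicy",
}
CLOUDTRAIL_EVENTS = {"CreateTrail", "UpdateTrail", "DeleteTrail",
                     "StartLogging", "StopLogging"}
CONFIG_EVENTS = {"StopConfigurationRecorder", "DeleteDeliveryChannel",
                 "PutDeliveryChannel", "PutConfigurationRecorder"}
S3_POLICY_EVENTS = {"PutBucketAcl", "PutBucketPolicy", "PutBucketCors",
                    "PutBucketLifecycle", "PutBucketReplication",
                    "DeleteBucketPolicy", "DeleteBucketCors",
                    "DeleteBucketLifecycle", "DeleteBucketReplication"}
KMS_EVENTS = {"DisableKey", "ScheduleKeyDeletion"}


def unauthorized_api_call(ev):
    return ev.get("errorCode") in ("AccessDenied", "UnauthorizedOperation")


def console_login_without_mfa(ev):
    return (ev.get("eventName") == "ConsoleLogin"
            and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes")


def root_account_usage(ev):
    # Direct root API use; calls invoked by AWS services on root's behalf
    # and AwsServiceEvent records are excluded, as in the benchmark filter.
    ident = ev.get("userIdentity", {})
    return (ident.get("type") == "Root" and "invokedBy" not in ident
            and ev.get("eventType") != "AwsServiceEvent")


def _source_event(source, names):
    return lambda ev: (ev.get("eventSource") == source
                       and ev.get("eventName") in names)


# (rule name, predicate) in the order findings are reported
RULES = [
    ("UnauthorizedAPICalls", unauthorized_api_call),
    ("ConsoleLoginWithoutMFA", console_login_without_mfa),
    ("RootAccountUsage", root_account_usage),
    ("IAMPolicyChanges", _source_event("iam.amazonaws.com", IAM_POLICY_EVENTS)),
    ("CloudTrailChanges", _source_event("cloudtrail.amazonaws.com", CLOUDTRAIL_EVENTS)),
    ("ConfigChanges", _source_event("config.amazonaws.com", CONFIG_EVENTS)),
    ("S3BucketPolicyChanges", _source_event("s3.amazonaws.com", S3_POLICY_EVENTS)),
    ("KMSKeyDisableOrDelete", _source_event("kms.amazonaws.com", KMS_EVENTS)),
]


def evaluate(records):
    """Return {rule_name: [eventID, ...]} for every record that matches a rule.
    One record may match several rules (e.g. a denied StopLogging attempt)."""
    findings = defaultdict(list)
    for ev in records:
        for name, pred in RULES:
            if pred(ev):
                findings[name].append(ev.get("eventID"))
    return dict(findings)


def evaluate_log(raw_json):
    """Evaluate a CloudTrail log file body ({"Records": [...]})."""
    return evaluate(json.loads(raw_json)["Records"])


# Constructed sample log: event IDs, user names and key ID are made up.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventID": "e-001", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "eventType": "AwsConsoleSignIn", "userIdentity": {"type": "IAMUser", "userName": "analyst1"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "e-002", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "eventType": "AwsApiCall", "userIdentity": {"type": "IAMUser", "userName": "admin2"}},
    {"eventID": "e-003", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "eventType": "AwsApiCall", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "dev7"}},
    {"eventID": "e-004", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "eventType": "AwsApiCall", "userIdentity": {"type": "Root"}},
    {"eventID": "e-005", "eventSource": "kms.amazonaws.com", "eventName": "ScheduleKeyDeletion",
     "eventType": "AwsApiCall", "userIdentity": {"type": "IAMUser", "userName": "admin2"},
     "requestParameters": {"keyId": "example-key-id-0000"}},
    {"eventID": "e-006", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "eventType": "AwsApiCall", "userIdentity": {"type": "IAMUser", "userName": "etl-job"}},
    {"eventID": "e-007", "eventSource": "config.amazonaws.com",
     "eventName": "StopConfigurationRecorder", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "userName": "dev7"}},
]})

if __name__ == "__main__":
    for rule, ids in evaluate_log(SAMPLE_LOG).items():
        print(f"{rule}: {', '.join(ids)}")
```

Running the script reports seven findings across six records: the ordinary `GetObject` call (e-006) matches nothing, while the denied `StopLogging` attempt (e-003) is reported under both the unauthorized-call rule and the CloudTrail-change rule, which is the behaviour the benchmark filters also have and is worth knowing when tuning alarm thresholds.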
Apart from AWS native tools, we used Trend Micro Deep Security to strengthen the security of the instances in the AWS accounts. Trend Micro’s Deep Security provides features such as Intrusion Prevention, Anti-Malware, Firewall, and Integrity Monitoring.
Overall, a complete uplift of their entire AWS account and environment, based on the security pillar of the AWS Well-Architected Framework, was proposed to them.
- Single Hadoop-based data lake: The customer was able to aggregate its data into a single Hadoop-based data lake, which allowed them to move away from the concept of data warehouses.
- Derive Customer Insights: The customer leveraged cloud and big data to nurture its institutional data and analyze aggregated, de-identified data sets for customer insights and patterns.
- Staying ahead of the security curve: The customer chose to stay ahead of the technology curve, and we supported them in building secure frameworks for cloud deployments. The customer also got the chance to leverage emerging security technology.
- Automated security: Automating their security operations and integrating them into the deployment pipeline allowed their application teams to scale their pace of deployment without compromising the overall security of the application.
AWS CloudTrail, Amazon GuardDuty, Amazon CloudWatch, Amazon API Gateway, AWS IAM, AWS WAF, AWS KMS