Our client is one of the largest global banks dealing with Retail Banking, Commercial Banking and Global Markets.
The bank had partnered with two cloud providers and it was difficult to implement a common security architecture which can span across different departments and business functions as every business had a different requirement across different cloud providers.
The client wanted to take stock of all the different cloud components and wanted to establish a common security framework. At the same time, the bank was worried about the criticality of the data and wanted to also remediate any existing vulnerabilities to prevent any data theft or espionage.
The solution was designed as two pronged approach:
- Short term approach to continuously scan and fix any existing vulnerabilities.
- Long Term approach to design a security controls framework and design.
As part of the short term approach, a third party vulnerability management tool was on-boarded which could scan all the components of both the cloud providers instead of choosing different cloud native tools. A team was formed to continuously scan the entire estate and plans were devised to fix the ‘Critical & High Risk’ vulnerabilities.
On the other hand, as part of the long term approach, ‘Cloud Security Design Patterns’ were created to address all different security controls to be implemented which were agnostic of any cloud platforms. A ‘Security Cloud Control Matrix’ was also developed which elaborated on the actual controls by each cloud provider
This programme spanned for 10 months which covered four lines of business and covering around 50+ applications.
- Around 100+ Critical/High Risk security findings were found and closed as part of the short term approach which helped the bank to prevent against any financial and reputational loss.
- Cloud Security Design Patterns were created using the bank’s security framework
- Cloud Security Control Matrix was designed which were used as a baseline control framework for every business.
- The controls were integrated as part of the product backlog as non-functional requirements to ensure security is factored across all projects in a DevSecOps model.
Looking Ahead to More Opportunities in the Cloud
The bank is now seeking for a managed services model to secure the entire growing cloud space using the Cloud Security Design Patterns and Cloud Security Control matrix. This framework is applicable for almost all the banks, but needs to be customized as per different bank’s business and security objectives.