Key Customer Facts
- Enterprise IAM Makeover
- Private Customer Case Study
- A major US bank sought to reduce friction for developers managing access control policies at scale. ScaleSec led a mixed virtual team of customer engineers and third-party consultants in a company-wide effort to automate IAM policy construction. As a result of the team’s effort, the customer can now generate sophisticated policies with tailored permissions for hundreds of applications.
Nowadays, nearly every major bank relies on cloud computing as a cornerstone of agility and operational efficiency. Our customer hosts a growing portfolio of mobile and online services powered by APIs and microservices on AWS. AWS was selected for security, productivity, speed to market, and elasticity to support customer demand.
A strong cybersecurity strategy is paramount to safeguarding customer data and a crucial component in building trust in banking. ScaleSec helps banking customers safeguard customer data using security automation to unlock innovation and reduce time to market by accelerating development cycles. Automation is an effective way to grow cybersecurity maturity, especially for customers who operate technology at scale. Mistakes in manual processes can be costly, introduce risk, and slow time to market. ScaleSec was selected for deep AWS security expertise and technical leadership.
“ScaleSec demonstrated commitment and ownership and delivered the results we needed. Their flexibility and collaborative work ethic were key to success for our busy team.” – VP Enterprise Identity & Access Management
As a core component of their information security risk management approach, the bank is continuing significant investments to enhance cybersecurity programs. As an information-based company, the customer wanted to analyze each application to justify the provisioned permissions.
Partner Solutions / Products used
AWS recommends a regular review of provisioned permissions to identify and remove unused permissions. To reliably execute this security best practice at scale, ScaleSec created a “policy factory” to automatically generate granular IAM policies based on historical application behavior. ScaleSec incorporated open source solutions like parliament and policy_sentry with existing investments to orchestrate policy construction. In addition to removing permissions for unused services, the policy factory refines permissions by mining AWS CloudTrail logs to profile the historical behavior of each application.
The orchestration layer also ensures compliance with security controls required by the customer’s corporate governance team. Amazon QuickSight dashboards provide insights into permission use, which became an important tool when analyzing and understanding application behavior. ScaleSec produced dynamic remediation guides for each original policy, and hosted workshops and technical exchanges to coach development teams through replacing current policies with those automatically constructed by the policy factory.
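The approach described above, profiling an application role from CloudTrail and emitting a policy limited to what the role actually did, can be illustrated with a small script. The following is an added example, not ScaleSec's policy factory or any of the open source tools named above; the CloudTrail records, account number, role names and the "original" policy actions are all constructed for the demonstration. It assumes the standard CloudTrail record fields (eventSource, eventName, userIdentity.arn, errorCode, resources) and, for simplicity, that the IAM action name equals the CloudTrail eventName, which is not true for every service.

```python
import json
from collections import defaultdict

# Constructed sample CloudTrail records for two application roles. These are
# not real account data; only the fields the example needs are included.
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/app-orders/i-0abc"},
     "resources": [{"ARN": "arn:aws:s3:::orders-bucket/invoices/2024.csv"}]},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/app-orders/i-0abc"},
     "resources": [{"ARN": "arn:aws:s3:::orders-bucket/invoices/2024-out.csv"}]},
    {"eventSource": "dynamodb.amazonaws.com", "eventName": "GetItem",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/app-orders/i-0abc"},
     "resources": [{"ARN": "arn:aws:dynamodb:us-east-1:111122223333:table/orders"}]},
    # A denied call. It must not count as "used", or the generated policy
    # would grant a permission the application was never entitled to.
    {"eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/app-orders/i-0abc"},
     "errorCode": "AccessDenied",
     "resources": [{"ARN": "arn:aws:s3:::orders-bucket"}]},
    # Activity of a different role; ignored when profiling app-orders.
    {"eventSource": "sqs.amazonaws.com", "eventName": "SendMessage",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/app-billing/i-0def"},
     "resources": []},
]

# Actions in the role's current hand-written policy (constructed), used to
# report which grants were never exercised in the observed window.
ORIGINAL_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteBucket",
                    "dynamodb:GetItem", "dynamodb:Scan"}


def role_name_from_arn(arn):
    """'arn:aws:sts::acct:assumed-role/NAME/session' -> 'NAME'; None otherwise."""
    parts = arn.split(":")[-1].split("/")
    if parts[0] == "assumed-role" and len(parts) >= 2:
        return parts[1]
    return None


def action_from_event(event):
    """Map eventSource/eventName to an IAM action string.
    Assumption: eventName equals the IAM action. Some services break this
    (e.g. Lambda event names carry an API-version suffix), so a production
    tool needs an explicit mapping table."""
    service = event["eventSource"].split(".")[0]   # "s3.amazonaws.com" -> "s3"
    return f"{service}:{event['eventName']}"


def profile_role(events, role):
    """Return {action: sorted resource ARNs} for successful calls by `role`."""
    usage = defaultdict(set)
    for ev in events:
        if role_name_from_arn(ev["userIdentity"]["arn"]) != role:
            continue
        if ev.get("errorCode"):            # failed calls are not evidence of need
            continue
        action = action_from_event(ev)
        usage.setdefault(action, set())    # record the action even with no ARN
        for res in ev.get("resources", []):
            usage[action].add(res["ARN"])
    return {a: sorted(r) for a, r in usage.items()}


def build_policy(usage):
    """One Allow statement per service. Resource is '*' only where CloudTrail
    recorded no resource ARN; those statements are the ones to tighten by hand."""
    by_service = defaultdict(list)
    for action in sorted(usage):
        by_service[action.split(":")[0]].append(action)
    statements = []
    for service, actions in sorted(by_service.items()):
        resources = sorted({r for a in actions for r in usage[a]})
        statements.append({
            "Sid": f"{service.capitalize()}Observed",
            "Effect": "Allow",
            "Action": actions,
            "Resource": resources if resources else "*",
        })
    return {"Version": "2012-10-17", "Statement": statements}


def unused_actions(original, usage):
    """Grants in the current policy that the profiled window never exercised."""
    return sorted(original - set(usage))


if __name__ == "__main__":
    observed = profile_role(SAMPLE_EVENTS, "app-orders")
    print(json.dumps(build_policy(observed), indent=2))
    print("never used:", unused_actions(ORIGINAL_ACTIONS, observed))
```

Two details matter more than the policy assembly itself: denied calls are excluded so that an application's failed attempts never become grants, and any statement that falls back to `Resource: "*"` is exactly the place a reviewer should spend time, since CloudTrail did not record a resource ARN for those calls. In a real deployment the events would come from the account's CloudTrail archive over a long enough window to cover infrequent operations, and the generated document would be linted (for example with parliament, as the page describes) before replacing the original policy.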
“The policy factory greatly reduces the effort required to create custom IAM policies to support hundreds of business applications.” – Senior Director of Cloud Engineering, Major US Bank
Results / Impact / Highlights
With permissions profiling and policy construction automated, engineers and developers can review and “right size” permissions regularly. This self-service model allows developers to design, validate, and deploy complex permissions without costly and error-prone manual steps.
ScaleSec continues to support the customer in building low-friction, scalable security solutions for a variety of financial services workloads across hundreds of AWS accounts.
Throughout this engagement, ScaleSec consultants worked with the customer and AWS to contribute detailed, transparent feedback for this use case to AWS service teams, which ultimately resulted in improvements recently launched for AWS IAM that can be used to achieve a similar outcome. ScaleSec is pleased to have contributed to the democratization of this powerful security feature which is now available for all AWS customers at no additional cost.