Major US Bank
NA
Confidential
PLATFORM
AWS
ASSIGNMENT
A major US bank sought to reduce friction for developers managing access control policies at scale. ScaleSec led a mixed virtual team of customer engineers and third-party consultants in a company-wide effort to automate IAM policy construction. As a result of the team's effort, the customer can now generate sophisticated policies with tailored permissions for hundreds of applications.
Project Challenges
As a core component of its information security risk management approach, the bank continues to invest significantly in its cybersecurity programs. As an information-based company, the customer wanted to analyze each application and justify every permission provisioned to it.
Partner Solutions / Products Used
AWS recommends regularly reviewing provisioned permissions to identify and remove those that are unused. To execute this best practice reliably at scale, ScaleSec created a "policy factory" that automatically generates granular IAM policies from the historical behavior of each application. ScaleSec combined open source tools, parliament (an IAM policy linter) and policy_sentry (a least-privilege policy generator), with the customer's existing investments to orchestrate policy construction. In addition to removing permissions for services an application never calls, the policy factory refines the remaining permissions by mining AWS CloudTrail logs to profile what each application actually does. Because CloudTrail records only calls that were made, the observation window must be long enough to cover infrequent but legitimate paths such as scheduled jobs and failover, and object-level calls such as S3 GetObject appear only where CloudTrail data events are enabled.
The orchestration layer also ensures compliance with security controls required by the customer’s corporate governance team. Amazon QuickSight dashboards provide insights into permission use, which became an important tool when analyzing and understanding application behavior. ScaleSec produced dynamic remediation guides for each original policy, and hosted workshops and technical exchanges to coach development teams through replacing current policies with those automatically constructed by the policy factory.
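The two steps above, profiling CloudTrail activity into a least-privilege policy and producing a remediation guide for the original policy, are shown in the added example below. It is illustrative code written for this page, not ScaleSec's policy factory; the role ARN, the CloudTrail records and the "existing" policy are constructed, and the eventName-to-IAM-action and eventSource-to-service override tables are deliberately tiny (a real factory needs the full tables that tools such as policy_sentry maintain).

```python
"""Toy IAM "policy factory": profile one role's CloudTrail activity, emit a
least-privilege policy, and diff it against the role's current policy.
Added example with constructed data; not ScaleSec's tooling."""
import fnmatch
from collections import defaultdict

# eventSource prefix -> IAM service prefix, where they differ (tiny subset).
SERVICE_PREFIX_OVERRIDES = {"monitoring": "cloudwatch"}
# (service, eventName) -> IAM action, where the names differ (tiny subset).
ACTION_OVERRIDES = {
    ("s3", "ListObjects"): "s3:ListBucket", ("s3", "ListObjectsV2"): "s3:ListBucket",
    ("s3", "HeadObject"): "s3:GetObject", ("s3", "HeadBucket"): "s3:ListBucket",
}

ROLE = "arn:aws:iam::123456789012:role/app-orders"  # constructed role ARN

# Constructed CloudTrail records, trimmed to the fields the factory reads.
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "resources": [{"ARN": "arn:aws:s3:::orders-archive/2023/01/order-1.json"}]},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListObjectsV2",
     "resources": [{"ARN": "arn:aws:s3:::orders-archive"}]},
    {"eventSource": "dynamodb.amazonaws.com", "eventName": "GetItem",
     "resources": [{"ARN": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"}]},
    {"eventSource": "dynamodb.amazonaws.com", "eventName": "PutItem",
     "resources": [{"ARN": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"}]},
    {"eventSource": "sqs.amazonaws.com", "eventName": "SendMessage"},
    {"eventSource": "monitoring.amazonaws.com", "eventName": "PutMetricData"},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt", "errorCode": "AccessDenied"},
]
for _ev in SAMPLE_EVENTS:  # every record is an assumed-role session of ROLE
    _ev["userIdentity"] = {"type": "AssumedRole",
                           "sessionContext": {"sessionIssuer": {"arn": ROLE}}}

# The role's current hand-written policy (constructed), to be right-sized.
EXISTING_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteItem"],
     "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"},
    {"Effect": "Allow", "Action": "sqs:SendMessage", "Resource": "*"},
    {"Effect": "Allow", "Action": ["cloudwatch:PutMetricData"], "Resource": "*"},
]}

def iam_action(event):
    """Map (eventSource, eventName) to an IAM action string."""
    service = event["eventSource"].split(".")[0]
    service = SERVICE_PREFIX_OVERRIDES.get(service, service)
    return ACTION_OVERRIDES.get((service, event["eventName"]), f"{service}:{event['eventName']}")

def generalize_resource(arn):
    """Object keys vary per request, so collapse S3 object ARNs to bucket/*."""
    if arn.startswith("arn:aws:s3:::") and "/" in arn:
        return arn.split("/", 1)[0] + "/*"
    return arn

def issuing_role(event):
    ident = event.get("userIdentity", {})
    return ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn") or ident.get("arn")

def profile_events(events):
    """Per role and service, actions and resources seen in successful calls.
    Failed calls never become permissions; they are returned for human review."""
    profile = defaultdict(lambda: defaultdict(lambda: {"actions": set(), "resources": set()}))
    denied = []
    for ev in events:
        role, action = issuing_role(ev), iam_action(ev)
        if ev.get("errorCode"):
            denied.append((role, action, ev["errorCode"]))
            continue
        svc = profile[role][action.split(":")[0]]
        svc["actions"].add(action)
        svc["resources"].update(generalize_resource(r["ARN"]) for r in ev.get("resources", []))
    return profile, denied

def build_policy(service_profile):
    """One Allow statement per service; '*' only where CloudTrail logged no resource ARN."""
    statements = []
    for service in sorted(service_profile):
        seen = service_profile[service]
        statements.append({"Sid": service.capitalize() + "Observed", "Effect": "Allow",
                           "Action": sorted(seen["actions"]),
                           "Resource": sorted(seen["resources"]) or "*"})
    return {"Version": "2012-10-17", "Statement": statements}

def remediation(existing_policy, observed_actions):
    """Remediation guide: explicit actions never exercised, and wildcard actions
    together with the observed actions that should replace them."""
    unused, overbroad = [], []
    for stmt in existing_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        patterns = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        for pattern in patterns:
            matched = sorted(a for a in observed_actions if fnmatch.fnmatchcase(a, pattern))
            if "*" in pattern or "?" in pattern:
                overbroad.append((pattern, matched))
            elif not matched:
                unused.append(pattern)
    return {"unused": sorted(unused), "overbroad": overbroad}

def run_factory(events, existing_policies):
    """existing_policies: {role_arn: policy}. Returns per-role policy, remediation, denials."""
    profile, denied = profile_events(events)
    out = {}
    for role, services in profile.items():
        observed = {a for s in services.values() for a in s["actions"]}
        out[role] = {"policy": build_policy(services),
                     "remediation": remediation(existing_policies.get(role, {"Statement": []}), observed),
                     "denied": [d for d in denied if d[0] == role]}
    return out

if __name__ == "__main__":
    import json
    print(json.dumps(run_factory(SAMPLE_EVENTS, {ROLE: EXISTING_POLICY}), indent=2))
```

On the constructed input the factory emits four scoped statements (CloudWatch, DynamoDB, S3, SQS), reports `dynamodb:DeleteItem` as unused, flags `s3:*` as over-broad with the two S3 actions that replace it, and lists the denied `kms:Decrypt` attempt for review rather than silently granting it. The denied-call handling is the design choice worth copying: a failed call shows intent, not entitlement, and deserves a conversation with the application team instead of a new permission.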
Results / Impact / Highlights
With permissions profiling and policy construction automated, engineers and developers can review and “right size” permissions regularly. This self-service model allows developers to design, validate, and deploy complex permissions without costly and error-prone manual steps.
ScaleSec continues to support the customer in building low-friction, scalable security solutions for a variety of financial services workloads across hundreds of AWS accounts.
Throughout this engagement, ScaleSec consultants worked with the customer and AWS to give AWS service teams detailed, transparent feedback on this use case. That feedback contributed to recently launched improvements to AWS IAM that can be used to achieve a similar outcome. ScaleSec is pleased to have helped bring this security capability to all AWS customers at no additional cost.