Major US Bank x ScaleSec Client Story

Major US Bank

Reducing Developer Friction at Large Bank by Automating AWS IAM Permissions at Scale
INDUSTRY: Financial
PRODUCTS: Banking, Investing
LOCATION: NA
ANNUAL REVENUE: NA (Confidential)
PLATFORM: AWS

ASSIGNMENT

A major US bank sought to reduce friction for developers managing access control policies at scale. ScaleSec led a mixed virtual team of customer engineers and third-party consultants in a company-wide effort to automate IAM policy construction. As a result of the team’s effort, the customer can now generate sophisticated policies with tailored permissions for hundreds of applications.

Overview

Nowadays, nearly every major bank relies on cloud computing as a cornerstone of agility and operational efficiency. Our customer hosts a growing portfolio of mobile and online services powered by APIs and microservices on AWS. AWS was selected for security, productivity, speed to market, and elasticity to support customer demand.

Insight

A strong cybersecurity strategy is paramount to safeguarding customer data and a crucial component in building trust in banking. ScaleSec helps banking customers safeguard customer data using security automation to unlock innovation and reduce time to market by accelerating development cycles. Automation is an effective way to grow cybersecurity maturity, especially for customers who operate technology at scale. Mistakes in manual processes can be costly, introduce risk, and slow time to market. ScaleSec was selected for deep AWS security expertise and technical leadership.
"ScaleSec demonstrated commitment and ownership and delivered the results we needed. Their flexibility and collaborative work ethic were key to success for our busy team."
Anon, VP Enterprise Identity & Access Management | Major US Bank

Services Provided

First, the ScaleSec team examined the entire security posture of the customer's cloud business ecosystem. Together, the team reviewed minor modifications that would deliver a more secure environment without extensive retooling or long lead times. After that, the ScaleSec team applied our security assessment against the AICPA SOC 2 Trust Services Criteria (TSC) so that we could identify where the AttackIQ team could more clearly demonstrate how it meets SOC 2 requirements. Further, we mapped the TSC to NIST SP 800-53 and created a solid baseline of controls to allow AttackIQ to meet future compliance frameworks such as HIPAA and FedRAMP.

ScaleSec delivered the CloudSec Kickstart - SOC 2 engagement that included an interactive SOC 2 bootcamp, a platform security architecture review, and a SOC 2 compliance readiness assessment. The written report provided tailored analysis and recommendations to leverage AWS services and security features to reduce friction for developers and lower operating costs.

As a core component of their information security risk management approach, the bank is continuing significant investments to enhance cybersecurity programs. As an information-based company, the customer wanted to analyze each application to justify the provisioned permissions.

Partner Solutions / Products Used

AWS recommends regularly reviewing provisioned permissions to identify and remove those that are unused. To reliably execute this security best practice at scale, ScaleSec created a “policy factory” that automatically generates granular IAM policies based on each application's historical behavior. ScaleSec combined open-source tools such as parliament and policy_sentry with the customer's existing investments to orchestrate policy construction. In addition to removing permissions for unused services, the policy factory refines permissions by mining AWS CloudTrail logs to profile the historical behavior of each application.

The orchestration layer also ensures compliance with security controls required by the customer’s corporate governance team. Amazon QuickSight dashboards provide insights into permission use, which became an important tool when analyzing and understanding application behavior. ScaleSec produced dynamic remediation guides for each original policy, and hosted workshops and technical exchanges to coach development teams through replacing current policies with those automatically constructed by the policy factory.
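As an added illustration of the profile-then-generate step described above (a constructed example, not ScaleSec's policy factory or any AWS tool), the following Python maps a few constructed CloudTrail records for one role onto IAM actions, emits a policy allowing only what was observed, and flags which grants in a hypothetical original policy were never exercised. The event fields, ARNs and the original action list are all made up for the example.

```python
"""Toy "policy factory": constructed illustration (not ScaleSec's tooling) of
deriving a least-privilege IAM policy from CloudTrail records for one role."""
import fnmatch
import json
from collections import defaultdict

# Constructed CloudTrail records, using the field names of real events.
EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "resources": [{"ARN": "arn:aws:s3:::app-bucket/reports/q1.csv"}]},
    {"eventSource": "sqs.amazonaws.com", "eventName": "SendMessage",
     "resources": [{"ARN": "arn:aws:sqs:us-east-1:111122223333:orders"}]},
    {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity"},
]
# Hypothetical original grant that the team wants to right-size.
ORIGINAL_ACTIONS = ["s3:*", "sqs:SendMessage", "sqs:DeleteMessage", "dynamodb:*"]

def observed_actions(events):
    """Map (eventSource, eventName) onto IAM actions -> {action: set of ARNs}.
    Events that carry no resource ARN (e.g. sts:GetCallerIdentity) get '*'."""
    seen = defaultdict(set)
    for ev in events:
        service = ev["eventSource"].split(".")[0]  # s3.amazonaws.com -> s3
        action = f"{service}:{ev['eventName']}"
        arns = {r["ARN"] for r in ev.get("resources", []) if "ARN" in r}
        seen[action] |= arns or {"*"}
    return seen

def build_policy(seen):
    """One Allow statement per observed action, scoped to the ARNs touched."""
    statements = [{"Effect": "Allow", "Action": action, "Resource": sorted(arns)}
                  for action, arns in sorted(seen.items())]
    return {"Version": "2012-10-17", "Statement": statements}

def remediation_report(original_actions, seen):
    """Per original grant: 'unused' (never observed, remove) or
    'narrow' (wildcard that matched; replace with the explicit actions)."""
    report = {"unused": [], "narrow": {}}
    for pattern in original_actions:
        matched = sorted(a for a in seen if fnmatch.fnmatchcase(a, pattern))
        if not matched:
            report["unused"].append(pattern)
        elif "*" in pattern:
            report["narrow"][pattern] = matched
    return report

if __name__ == "__main__":
    seen = observed_actions(EVENTS)
    print(json.dumps(build_policy(seen), indent=2))
    print(json.dumps(remediation_report(ORIGINAL_ACTIONS, seen), indent=2))
```

The result is only as complete as the trail: S3 object-level calls such as GetObject are CloudTrail data events that are recorded only when data event logging is enabled, so an action missing from the logs is not automatically unused and the observation window must cover the application's full activity cycle.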

Results / Impact / Highlights

With permissions profiling and policy construction automated, engineers and developers can review and “right size” permissions regularly. This self-service model allows developers to design, validate, and deploy complex permissions without costly and error-prone manual steps.

ScaleSec continues to support the customer in building low-friction, scalable security solutions for a variety of financial services workloads across hundreds of AWS accounts.

Throughout this engagement, ScaleSec consultants worked with the customer and AWS to contribute detailed, transparent feedback on this use case to AWS service teams, which ultimately resulted in recently launched AWS IAM improvements that can be used to achieve a similar outcome. ScaleSec is pleased to have contributed to the democratization of this powerful security feature, which is now available to all AWS customers at no additional cost.

“The policy factory greatly reduces the effort required to create custom IAM policies to support hundreds of business applications.”
Senior Director of Cloud Engineering | Major US Bank

Want to speak with a ScaleSec expert?

Want to optimize and transform your existing digital portfolio? Reach out to us.