AirWalk’s Cloud Continuous Compliance Framework

01.

Client

One of the largest, most complex financial institutions in the world, with businesses across retail and corporate banking, global markets, insurance and wealth management. They operate in over 60 markets, with as many regulators, serving 40 million customers.

02.

Challenge

The organisation is large, diverse and complex: its AWS landscape covers 300+ accounts across 6 AWS regions, serves a DevOps community of 1200+ and uses over 90 AWS services.

The regulated nature of the businesses, across 60 countries, creates an environment where innovation can be slowed by compliance and IT security requirements.

The client needed a way to enable innovation, allowing new projects and services to be introduced without stifling the pace of cloud adoption, while still managing risk and compliance.

03.

Solution

Continuous Compliance is a key enabler of innovation, providing guardrails for a multitude of AWS-based projects while both informing IT Security professionals of the security posture and allowing the customer to manage risk in their AWS cloud environments.

The Continuous Compliance framework is built on and extends a number of AWS security services, including AWS Organizations, CloudWatch Events / Event Bus, IAM and CloudTrail. Lambda and DynamoDB are the core compute and database components of the solution; deployed in each region, they provide near real-time, event-driven compliance in this complex environment. Compliance visibility is provided to system owners through an ADFS-authenticated security portal, CloudWatch Events and SNS.

Cross functional development streams can operate autonomously across the globe with the additional guidance and direction from the compliance framework supported by the Cyber Security team.

AirWalk’s financial services experience helped the client to design and develop a continuous compliance framework that counters the organisation’s normally conservative risk approach and allows it to adopt an innovative approach to AWS services, while maintaining an informed and controlled risk position.

04.

Outcome

Prevent

  • IAM – Permissions, Roles and Service Control Policies are aligned and maintained across 200+ accounts and 90+ AWS Services; this is the first line of defence, providing access to approved services

Detect

  • Events are processed in near real-time, providing actionable alerts on the compliance stance, containing compliance drift and informing both IT security and risk departments across the entire AWS landscape

Correct

  • High-risk events are remediated as they happen, while still allowing development, innovation and a risk-based approach to the introduction of new AWS services

Exempt

  • Allowing exemptions to be managed by the risk owners in the bank means the decisions on higher risk configurations are in the hands of the business risk functions.
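
The Solution section describes a Lambda function, fed CloudTrail API calls through CloudWatch Events, that records findings in DynamoDB and notifies owners via SNS and a portal; the Outcome section names the Detect, Correct and Exempt decisions that function has to make. The following is an added example, written for this page and not AirWalk's or the client's code, of what that decision logic looks like for one constructed rule (a public S3 ACL). The rule id, the exemption table rows, the notification targets and the sample event are all assumptions; no AWS calls are made, and the Prevent layer (IAM and Service Control Policies) is outside what this code shows.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Optional

# Grantee URIs that make an S3 ACL readable by everyone / by any AWS account.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def grants_public_s3_acl(detail: dict) -> bool:
    """Rule logic: does this CloudTrail record set a public S3 ACL, either through
    a canned 'public-*' ACL header or through explicit grants to a public group?"""
    if detail.get("eventSource") != "s3.amazonaws.com" or \
            detail.get("eventName") not in ("PutBucketAcl", "PutObjectAcl"):
        return False
    params = detail.get("requestParameters") or {}
    if any(acl.startswith("public") for acl in params.get("x-amz-acl", [])):
        return True
    grants = (params.get("AccessControlPolicy", {})
                    .get("AccessControlList", {}).get("Grant", []))
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES for g in grants)

@dataclass(frozen=True)
class Rule:
    rule_id: str
    severity: str                        # "high" is auto-remediated; anything else alerts only
    resource_of: Callable[[dict], str]   # extracts the resource the finding is keyed on
    violates: Callable[[dict], bool]

@dataclass(frozen=True)
class Exemption:                         # one row of the hypothetical exemptions table
    rule_id: str
    account: str
    resource: str
    risk_owner: str                      # the business risk function that approved it
    expires: datetime

@dataclass
class Finding:                           # the record the pipeline would store and publish
    action: str                          # compliant | alert | remediate | exempt
    rule_id: Optional[str] = None
    account: Optional[str] = None
    resource: Optional[str] = None
    actor: Optional[str] = None
    notify: list = field(default_factory=list)   # hypothetical SNS topics / portal feed
    note: str = ""

# Constructed rule set: one high-severity rule for public S3 ACLs.
RULES = [
    Rule("S3-001", "high",
         lambda d: (d.get("requestParameters") or {}).get("bucketName", "?"),
         grants_public_s3_acl),
]

def find_exemption(exemptions, rule_id, account, resource, now):
    """Exemptions are owned by the risk function and expire; an expired one
    no longer suppresses remediation, so drift cannot hide behind it."""
    for ex in exemptions:
        if (ex.rule_id, ex.account, ex.resource) == (rule_id, account, resource) \
                and ex.expires > now:
            return ex
    return None

def evaluate(event: dict, rules=RULES, exemptions=(), now=None) -> Finding:
    """Detect -> Correct -> Exempt decision for one CloudTrail event delivered via
    CloudWatch Events. Returns what the pipeline would write to DynamoDB and
    send via SNS; it performs no AWS calls itself."""
    now = now or datetime.now(timezone.utc)
    detail = event.get("detail") or {}
    account = event.get("account", "?")
    actor = (detail.get("userIdentity") or {}).get("arn", "?")
    for rule in rules:
        if not rule.violates(detail):
            continue
        resource = rule.resource_of(detail)
        base = dict(rule_id=rule.rule_id, account=account, resource=resource, actor=actor)
        ex = find_exemption(exemptions, rule.rule_id, account, resource, now)
        if ex:   # approved by the business risk owner: record it, do not remediate
            return Finding("exempt", **base, notify=["portal"],
                           note=f"exempt until {ex.expires.date()} (risk owner: {ex.risk_owner})")
        if rule.severity == "high":   # Correct: remediate as it happens, tell everyone
            return Finding("remediate", **base, note="revert ACL to private",
                           notify=["sns:security", "sns:system-owner", "portal"])
        return Finding("alert", **base, notify=["sns:system-owner", "portal"])
    return Finding("compliant", account=account, actor=actor)

# --- Constructed sample data (not taken from the case study) ---
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
LATER = datetime(2025, 1, 1, tzinfo=timezone.utc)     # after the exemption below has lapsed
EXEMPTIONS = [Exemption("S3-001", "111122223333", "public-website-assets",
                        "retail-risk@example.com", datetime(2024, 6, 30, tzinfo=timezone.utc))]
SAMPLE_EVENT = {   # approximate shape of a CloudTrail API call delivered by CloudWatch Events
    "detail-type": "AWS API Call via CloudTrail", "account": "111122223333",
    "detail": {
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:role/DevOpsDeployer"},
        "requestParameters": {
            "bucketName": "public-website-assets",
            "AccessControlPolicy": {"AccessControlList": {"Grant": [
                {"Grantee": {"URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                 "Permission": "READ"}]}}}}}
```

Running `evaluate(SAMPLE_EVENT, exemptions=[], now=NOW)` yields a `remediate` finding; with the exemption in place it yields `exempt`, and once the exemption has expired (`now=LATER`) the same event is remediated again. Keying exemptions on rule, account and resource, with an owner and an expiry, is what keeps the higher-risk decisions with the business risk functions rather than with the pipeline.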