Case Study
Compliance automation with qTOOLS for FinServOverview
Compliance as Code with qTOOLS for Financial Services
The Financial Services industry is known for being risk-averse, which has made it slow to adopt new technologies. This is especially true for cloud technology, which was initially seen as a risky proposition. In the early days of cloud, there were concerns about security, reliability, and data privacy that made it difficult for Financial Services companies to justify the risk of moving their critical applications and data to the cloud. Additionally, highly regulated industries like Financial Services must get things right the first time, or risk being front-page news due to a security breach or compliance violation.
However, over time, it became clear that the benefits of cloud technology could not be ignored. The scalability, flexibility, and cost-effectiveness of cloud infrastructure made it an attractive option for many Financial Services companies. As a result, many companies began to explore cloud solutions, but they still approached it with caution. Rather than taking a “let’s get there first and figure out the rest” approach, they took their time to make sure they got it right. A prominent bank in California (the client) is one of those organizations that took a cautious approach to cloud adoption. The client recognized the benefits of cloud technology, but they also understood the importance of security and compliance in their industry. As a result, they implemented numerous processes and tools to shift-left with their security posture. However, they still required any application destined for public cloud to go through multiple checks before it could go live for consumers.
Opportunity
The security, compliance, and risk teams at the client defined the “Permit To Operate” (PTO) process as a review gate for applications to migrate to the cloud. To get the green checkmark for PTO, an application had to satisfy a set of 50+ items, including security and compliance requirements. To meet these requirements, the AppDev and DevOps team had to collect evidence, such as screenshots from the AWS console and snippets of log data from security scanning tools, then provide them to the architecture, security, and compliance team for verification and signoff.
Initially, the PTO process was a manual process that quickly became a bottleneck in the process of releasing an application on the cloud. PTO for each application took weeks. To solve this problem, the Cloud Governance team at the client set out to automate the PTO process to the extent possible.
Given the complexity of the rules, no tools available in the market were a straight fit for the PTO process. Additionally, the client security team already utilized AWS Config to validate compliance. As a result, Cloud Governance decided to write custom AWS Config rules to automate the gathering of evidence for AWS resources.
However, during the initial phase of automating the first 5 PTO items, the Cloud Governance team realized some pitfalls in this approach. For instance, developing custom AWS Config rules needed developers with advanced knowledge of AWS. Additionally, AWS Config service usage and access were strictly controlled by the client security team, which added a layer of complexity to implementing custom rules. At the end of the day, custom rules were still codes that needed to go through their PTO process. Once the evidence was gathered, it ended up again on AWS Config. Application teams still needed to gather screenshots from AWS Config to seek signoff.
Solution
To overcome these challenges, the client turned to Qualigy Tech’s qTOOLS product, specifically qSEC, a compliance as code engine that automates manual security tasks. qSEC allows clients to automate security tasks and focus on scaling and innovating their businesses. The solution offers over 400 security checks to detect misconfigurations and suspicious security events across the ecosystem, with the alert response being a key aspect for the rapid remediation of issues that might lead to data leakage.
Qualigy Tech’s qSEC is a flexible framework that can be customized to meet the client’s PTO automation needs. Using a combination of resource policies and post-filtering of collected data on Amazon Athena, Qualigy Tech’s team was able to automate evidence collection for PTO items. Custom QuickSight dashboards were also built to visualize evidence collected, alleviating the need for application teams to provide screenshots.
The advantages of using qSEC for the PTO process are clear. qSEC is a flexible framework that can accommodate PTO items that are a combination of multiple AWS resources, something that most leading SaaS vendors in this space cannot accommodate. Additionally, qSEC has a small AWS footprint and is a pure serverless implementation, making operational overhead negligible. The monthly run rate for all PTO items is a few hundred dollars, a tiny fraction of what it would have been with AWS Config. Overall, qSEC provided better functionality while costing significantly less compared to a native cloud solution.
Results
Are you facing a similar challenge with proving your application security and compliance? Our team is ready to help guide you through the process. Contact us today to learn more.