A leading non-banking financial corporation engages in consumer finance and commercial lending. Its wide range of services includes finance for two-wheelers and commercial lending, and it caters to corporates with a wide portfolio of financing products, including working capital loans and machine loans, amongst others.

Noventiq, which has worked with the financial services company for over 5 years, has built a wide range of solutions on AWS that enable scalability, security and high availability for the financial services provider. We have been efficiently managing the customer’s AWS environment during these 5+ years, helping them significantly save on costs. The financial services customer has completed multiple migrations, a database assessment and migration, and has leveraged Managed Services, cluster security and various other solutions to achieve business outcomes.

Financial Services

Published Date : 23-August-2023

Strengthening Security Stance with AWS Best Security Practices & IAM

While the financial services customer has been optimizing AWS for a variety of needs, they also faced a critical imperative. With distributed authentication across disparate environments, their security stance required strengthening, and they needed centralised user visibility and control to protect the infrastructure from risk. The authentication system was cumbersome, as users had to generate distinct credentials for each account. Recognizing the need for a more robust security framework, the organization aimed to establish standardized AWS security best practices, particularly in the area of Identity and Access Management (IAM). This strategic move was driven by the organization’s commitment to upholding stringent security standards throughout its operations.

Similar to the wide range of solutions deployed for the client, the transformation included an assessment and strategy phase and several key facets to enhance the efficiency and security of their AWS infrastructure. With the huge volume of sensitive data typical of a finance organization, it was highly critical to protect access to and exchange of that data. Noventiq gave serious consideration to these needs before arriving at the best-fit solutions.

Their specifications revolved around several key pillars:

  • Establishing centralized access across AWS accounts and resources through a seamless Single Sign-On experience.
  • Implementing dedicated AWS accounts tailored to distinct workloads, encompassing security, development, logging, UAT, production, and more.
  • Introducing role-based access control to efficiently manage and assign permissions for various stakeholders across AWS instances.
  • Enforcing meticulous access control measures for privileged users operating within AWS instances.
  • Instituting a streamlined and comprehensive consolidated billing system to enhance financial clarity and oversight across their AWS environment.

These requirements collectively formed the blueprint for an enhanced and seamlessly managed AWS infrastructure across their entire AWS environment. Together, these measures constituted a holistic approach towards achieving a more secure, efficient, and well-organized AWS infrastructure.

Leading with Insight: Centralized Access Control and Visibility

To help the financial services leader achieve these goals, a holistic approach was adopted that addressed their specific needs and strengthened their security stance on AWS.

Robust access management across the diverse AWS environments is provided by Multi-Factor Authentication (MFA) enforced through AWS IAM Identity Center. To streamline authentication, Single Sign-On (SSO) gives users seamless access to AWS accounts and resources. Access to AWS instances and applications is centralized through a Privileged Access Management (PAM) solution integrated with the on-premises Active Directory for enhanced control. Role-based permissions for AWS services are extended to third-party partners and contractors via PAM, ensuring a secure and tailored access framework. To bolster security, MFA detection is enforced for IAM and root users’ console access through guardrails. Additionally, preventive guardrails block configuration changes to the underlying implementation, while detective guardrails, implemented with AWS Config rules, continuously monitor for and detect configuration alterations, enhancing the overall security posture of the AWS environment.
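The detective half of that MFA guardrail can be expressed as a check over an account's IAM credential report. The following Python is an added example, not code from Noventiq or the customer's deployment; it runs against a constructed report with made-up users and a placeholder account id.

```python
import csv
import io

# Constructed sample in the layout of an AWS IAM credential report (the CSV that
# `aws iam get-credential-report` returns, base64-decoded). Only the columns this
# check reads carry meaningful values; the account id and user names are made up.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111122223333:root,2019-01-10T08:00:00+00:00,not_supported,2023-08-01T09:12:00+00:00,not_supported,not_supported,false,false,false
alice,arn:aws:iam::111122223333:user/alice,2020-03-02T10:00:00+00:00,true,2023-08-20T07:30:00+00:00,2023-05-01T00:00:00+00:00,2023-08-01T00:00:00+00:00,true,true,false
bob,arn:aws:iam::111122223333:user/bob,2021-06-15T11:00:00+00:00,true,no_information,2021-06-15T11:00:00+00:00,N/A,false,false,false
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2022-01-05T12:00:00+00:00,false,N/A,N/A,N/A,false,true,false
"""

ROOT_USER = "<root_account>"  # how the credential report names the root identity


def console_users_without_mfa(report_csv):
    """Return (principal, severity) pairs for identities that can sign in to the
    console but have no MFA device registered.

    Root shows password_enabled = 'not_supported' in the report; it can always use
    the console, so it is judged on mfa_active alone and rated 'critical'. IAM users
    with a console password and no MFA are rated 'high'. Users without a console
    password (API-only identities such as a CI deployer) are not console users
    and are left out of this check.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        is_root = row["user"] == ROOT_USER
        has_console = is_root or row["password_enabled"] == "true"
        if has_console and row["mfa_active"] != "true":
            findings.append((row["user"], "critical" if is_root else "high"))
    return findings


def report_is_compliant(report_csv):
    """True when no console-capable principal lacks MFA: the pass condition
    a detective guardrail would evaluate on each run."""
    return not console_users_without_mfa(report_csv)


if __name__ == "__main__":
    for principal, severity in console_users_without_mfa(SAMPLE_REPORT):
        print(f"{severity.upper():8} {principal} has console access without MFA")
```

In a live account the AWS Config managed rules root-account-mfa-enabled and mfa-enabled-for-iam-console-access evaluate these same two conditions continuously; the script shows what they flag and why the API-only user is not a finding.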

Time for business rollout in a new location has been reduced from weeks to 3 days

Zero downtime for applications built on the Well-Architected Framework

Time taken for threat detection and remediation reduced drastically

  • Centralized authentication and authorization for instances and applications using PAM
  • Role-based permissions for different stakeholders
  • Standardization of provisioning for new accounts
  • Disallowed usage of disabled AWS regions
  • Centralized management of encryption keys
  • Continuous monitoring
  • Billing management