Cloud security transformation case study

Introduction

A major North American bank with a focus on cloud-first technology expansion reached out to us to make sure the work underpinning its cloud-first journey was clearly evaluated and understood by key stakeholders.

Challenge

The client needed a comprehensive view of the cloud security governance capabilities and how they should operate. To make sure cloud adoption efforts are managed, a detailed target operating model for public cloud was required. In addition, the client needed a way to integrate cloud-specific controls with enterprise control objectives and ensure the roles and responsibilities for securing public cloud would be well understood by many technical teams and partners.

Approach

We clearly understood our client’s challenges and built a governance program to account for people, process and technology. Listed below are some of the key actions our team took to help build technical and business alignment.

• Cloud security target operating model: Helped our client define a target operating model to clearly outline the roles and responsibilities of each team and individual, built an interaction model and performed a gap analysis.
  
• Cloud workload assurance: Conducted a gap analysis and revised the existing cloud control matrix based on industry-leading practices and popular frameworks, such as NIST, CSA and CIS. Defined the security requirements for the cloud workload assurance and aligned them with the cloud control matrix and industry-leading practices. Created a Responsible-Accountable-Consulted-Informed (RACI) chart and interaction model as well as an event monitoring and remediation process.
  
• Cloud security maturity assessment: Assessed the current state against the cloud adoption roadmap and provided a means for tracking progress towards it. Provided a measurable and objective way to communicate cloud adoption progress and gaps with stakeholders, and identified areas of improvement as an input for planning and budgeting.
  
• Cloud security reference architecture: Developed a target state architecture for public cloud, a cloud capability map and cloud architecture patterns for specific priority areas.
  
• Cloud data security framework: Developed cloud key data security governance artifacts, including a governance process and cloud data discovery, classification and protection policy. Assisted our client with cloud secrets management solution design and processes on the public cloud.
  

Impact

Designing of the cloud security target operating model ensured alignment on ownership, technical decisions, executable roadmap and downstream initiatives, and it enabled decision making by providing traceability of scope to the overarching strategy, vision and anticipated benefits.

By uplifting security controls and filling the existing gaps and a well-defined security configuration and protection program for cloud workloads (cloud workload assurance), we helped increase visibility and stakeholder trust. Furthermore, we helped our client identify security improvement opportunities in their enterprise delivery pipeline to increase performance through automated security checks.

The target-state architecture deliverables have been maintained by an enterprise architecture team and have been leveraged in many instances for architecture decisions and as a standard reference for architecture verifications. In addition, the capability map has been leveraged to develop a maturity roadmap and assessment framework for the cloud transformation program.

Cloud data security deliverables have enabled the bank to migrate the corporate data analytics platform to the cloud and benefit from virtually unlimited computing and machine learning capabilities.