Compliance as Code with HYMDL for Financial Services
Overview
The Financial Services industry is known for being risk-averse, which has made it slow to adopt new technologies. This is especially true for cloud technology, which was initially seen as a risky proposition. In the early days of cloud, there were concerns about security, reliability, and data privacy that made it difficult for Financial Services companies to justify the risk of moving their critical applications and data to the cloud. Additionally, highly regulated industries like Financial Services must get things right the first time, or risk being front-page news due to a security breach or compliance violation.
However, over time, it became clear that the benefits of cloud technology could not be ignored. The scalability, flexibility, and cost-effectiveness of cloud infrastructure made it an attractive option for many Financial Services companies. As a result, many companies began to explore cloud solutions, but they still approached it with caution. Rather than taking a “let’s get there first and figure out the rest” approach, they took their time to make sure they got it right. A prominent bank in California (the client) is one of those organizations that took a cautious approach to cloud adoption. The client recognized the benefits of cloud technology, but they also understood the importance of security and compliance in their industry. As a result, they implemented numerous processes and tools to shift-left with their security posture. However, they still required any application destined for public cloud to go through multiple checks before it could go live for consumers.
Opportunity
The security, compliance, and risk teams at the client defined the “Permit To Operate” (PTO) process as a review gate for applications migrating to the cloud. To get the green checkmark for PTO, an application had to satisfy a set of 50+ items, including security and compliance requirements. To meet these requirements, the AppDev and DevOps teams had to collect evidence, such as screenshots from the AWS console and snippets of log data from security scanning tools, and provide it to the architecture, security, and compliance teams for verification and signoff.
Initially, PTO was a manual process, and it quickly became a bottleneck for releasing applications to the cloud: PTO for each application took weeks. To solve this problem, the Cloud Governance team at the client set out to automate the PTO process to the extent possible.
Given the complexity of the rules, no tool available on the market was a straight fit for the PTO process. Additionally, the client security team already used AWS Config to validate compliance. As a result, Cloud Governance decided to write custom AWS Config rules to automate the gathering of evidence for AWS resources.
However, while automating the first 5 PTO items, the Cloud Governance team ran into several pitfalls with this approach. Developing custom AWS Config rules required developers with advanced knowledge of AWS. AWS Config service usage and access were strictly controlled by the client security team, which added a layer of complexity to implementing custom rules. And at the end of the day, custom rules were still code that had to go through the PTO process itself. Once the evidence was gathered, it again ended up in AWS Config, so application teams still had to take screenshots from AWS Config to seek signoff.
Solution
To overcome these challenges, the client implemented HYMDL Compliance, a compliance-as-code engine that automates manual security tasks. The solution leveraged several AWS services to create a comprehensive, automated compliance framework:
Amazon Athena: Used for post-filtering of collected data, allowing for complex queries across multiple AWS resources.
Amazon QuickSight: Employed to create custom dashboards for visualizing collected evidence, eliminating the need for manual screenshot collection.
AWS Lambda: Utilized as part of HYMDL Compliance's serverless implementation, enabling efficient and scalable execution of compliance checks.
Amazon S3: Used for storing collected compliance data and evidence in a secure, durable manner.
AWS Identity and Access Management (IAM): Employed to manage fine-grained permissions and access controls for the compliance solution.
Amazon EventBridge: Utilized to trigger compliance checks on a schedule or in response to specific events in the AWS environment.
AWS Systems Manager: Used for securely managing and retrieving configuration data and secrets required for the compliance checks.
Implementation
The implementation of HYMDL Compliance involved the following key steps:
- Resource Policy Definition: Custom resource policies were created to define the specific compliance requirements for the client's PTO process.
- Data Collection: HYMDL Compliance was configured to collect relevant data from various AWS services, including Amazon EC2, Amazon RDS, Amazon S3, and Amazon VPC.
- Data Processing: Collected data was processed using Amazon Athena, allowing complex queries to be run across multiple AWS resources to gather the required evidence for PTO items.
- Visualization: Custom Amazon QuickSight dashboards were developed to present the collected evidence in a clear, easily understandable format.
- Automation: AWS Lambda functions were used to automate the execution of compliance checks on a regular basis or in response to specific events.
- Integration: The solution was integrated with the client's existing security and compliance workflows, ensuring seamless adoption by the application teams.
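The six steps above describe a pipeline: policies are defined as code, resource data is collected, the data is evaluated against the policies, and the result is summarized per PTO item for a dashboard. The following is an added example of that evaluate-and-summarize stage; it is not HYMDL's own code, and the policy format, the PTO item ids (PTO-01 to PTO-05), the resource attribute names and the inventory records are all constructed assumptions standing in for whatever a real collector would write to Amazon S3. The point it adds to the prose is a failure mode worth getting right in any compliance-as-code engine: an attribute the collector never recorded must be reported as missing evidence, never silently counted as a pass.

```python
"""Minimal compliance-as-code evaluator (added example, not HYMDL's code).

Assumes a hypothetical policy format and a constructed inventory; the real
policy schema and collector output are not described on the page.
"""
import json
from dataclasses import dataclass
from typing import Callable

# Constructed inventory: the shape a collection step might have written to S3
# after querying EC2, RDS and S3. Resource ids and attribute values are
# illustrative. Note that i-0003 lacks the imdsv2_required attribute, which
# simulates a collection gap.
INVENTORY = [
    {"type": "s3_bucket", "id": "app-logs", "encryption": "aws:kms", "public": False},
    {"type": "s3_bucket", "id": "marketing-assets", "encryption": None, "public": True},
    {"type": "rds_instance", "id": "db-prod", "storage_encrypted": True, "publicly_accessible": False},
    {"type": "rds_instance", "id": "db-test", "storage_encrypted": False, "publicly_accessible": True},
    {"type": "ec2_instance", "id": "i-0001", "vpc_id": "vpc-a", "imdsv2_required": True},
    {"type": "ec2_instance", "id": "i-0002", "vpc_id": "vpc-a", "imdsv2_required": False},
    {"type": "ec2_instance", "id": "i-0003", "vpc_id": "vpc-a"},
]


@dataclass(frozen=True)
class Policy:
    """One resource policy: which PTO item it evidences (hypothetical ids),
    which resource type it applies to, and a predicate over one record."""
    pto_item: str
    resource_type: str
    description: str
    check: Callable[[dict], bool]


# Hypothetical policy set; the checks index attributes directly so that a
# missing attribute raises KeyError instead of defaulting to a pass.
POLICIES = [
    Policy("PTO-01", "s3_bucket", "Bucket has server-side encryption", lambda r: r["encryption"] is not None),
    Policy("PTO-02", "s3_bucket", "Bucket is not public", lambda r: not r["public"]),
    Policy("PTO-03", "rds_instance", "RDS storage is encrypted", lambda r: r["storage_encrypted"]),
    Policy("PTO-04", "rds_instance", "RDS is not publicly accessible", lambda r: not r["publicly_accessible"]),
    Policy("PTO-05", "ec2_instance", "Instance requires IMDSv2", lambda r: r["imdsv2_required"]),
]


def evaluate(policies, inventory):
    """Return one evidence record per (policy, in-scope resource) pair.

    status is "pass", "fail", or "missing_evidence:<attribute>" when the
    collector did not record the attribute the policy needs.
    """
    evidence = []
    for p in policies:
        for r in inventory:
            if r.get("type") != p.resource_type:
                continue
            try:
                status = "pass" if p.check(r) else "fail"
            except KeyError as missing:
                # No evidence is not evidence of compliance.
                status = f"missing_evidence:{missing.args[0]}"
            evidence.append({
                "pto_item": p.pto_item,
                "description": p.description,
                "resource_id": r["id"],
                "status": status,
            })
    return evidence


def summarize(evidence):
    """Per PTO item: compliant only if every in-scope resource passed, plus
    the ids of resources that failed or lacked evidence (dashboard rows)."""
    summary = {}
    for e in evidence:
        item = summary.setdefault(e["pto_item"], {"compliant": True, "failing": []})
        if e["status"] != "pass":
            item["compliant"] = False
            item["failing"].append(e["resource_id"])
    return summary


def ready_for_pto(summary):
    """True only when every PTO item in the summary is compliant."""
    return all(item["compliant"] for item in summary.values())


if __name__ == "__main__":
    records = evaluate(POLICIES, INVENTORY)
    print(json.dumps(summarize(records), indent=2))
    print("ready for PTO:", ready_for_pto(summarize(records)))
```

Run as a script it prints the per-item summary; in a pipeline like the one above, `evaluate` would run inside a scheduled Lambda over the collected inventory and its output would be the table Athena queries and QuickSight renders. The `missing_evidence` status is the part to carry over: a dashboard that shows a resource as green because the collector skipped it is worse than no dashboard at all.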
Results
In summary, the client’s PTO process was successfully automated using the HYMDL Compliance framework, which made evidence collection more efficient and reduced costs. This is a prime example of how financial services institutions can embrace cloud technology while still prioritizing security and compliance.
Contact Us
Are you facing a similar challenge with proving your application security and compliance? Our team is ready to help guide you through the process. Contact us today to learn more.