European bank partners with SIGHUP and CyberArk to implement a DevSecOps cloud-based initiative

SIGHUP engineering advisory and CyberArk Conjur helped implement the initiative in an enterprise-grade environment within six months.


Summary

In this DevSecOps project, a top European bank, serving more than ten million customers, leveraged SIGHUP engineering advisory and CyberArk Conjur to implement a cloud-based security initiative in an enterprise-grade environment within six months. SIGHUP worked with the bank to assess their needs and evaluate different vendors, ultimately selecting and deploying CyberArk Conjur Secrets Manager. Using Conjur helped ensure that secrets used across Kubernetes and cloud-native environments could be centrally secured and managed, resulting in an 80% increase in the adoption of DevSecOps practices.

Company profile

A leading European bank wanted to meet its customers’ needs more rapidly by enhancing its digital banking services with Kubernetes and cloud-native computing environments.
However, with the increased digitization of services, security became increasingly important to the bank’s stakeholders and clients.

More than 40% of SIGHUP’s customers operate in the financial sector, where SIGHUP can provide its strong expertise in compliance policies, sector best practices and production-grade cloud infrastructure services. The relationship with SIGHUP originates from an engineering advisory project focused on selecting and deploying a secrets management solution that could help secure their cloud-native environments while keeping up with the fast pace of their business.

Challenges

Just like other banking and financial services organizations have experienced in past years, as the bank initiated its journey to the cloud, it adopted a variety of cloud-based technologies to rapidly address and respond to new business needs, such as providing customers with secure home banking services and secure apps for mobile phones.
While offering these advanced services to their customers, the bank realized that adopting cloud and related open-source technologies came with a price in terms of management and security constraints. Moreover, the bank recognized one of the most critical aspects of the cloud journey was how to properly manage identities and secrets (privileged credentials or grants) across different cloud services.
Applications require secrets to access corporate and other sensitive resources, so managing secrets across different cloud and hybrid services is typically a pain point in every organization’s cloud journey. For example, an application that runs in a cloud environment may need access to an on-premises service, in which case the application would need to be safely provided with the required secret so it could securely access the on-premises resource.
Additionally, an audit record should be maintained in order to track where and when the application accessed the resource.

This capability is typically provided by a secrets management platform, which can make life easier for developers who write applications and operative processes running on them, all while giving security teams full control of secrets and other non-human credentials.

Solutions

Security is a critical priority for the bank’s leadership and the entire organization.
Considering the nature of cloud technologies, the bank decided to engage an external engineering firm with specialized expertise that could support and lead the bank in designing, selecting and deploying a secrets management platform to address the bank’s immediate and future needs.

Phase 1 – Software selection
The bank leveraged SIGHUP to provide the necessary guidance and expertise. SIGHUP is a Cloud Native Computing Foundation member that provides and maintains a fully open-source Kubernetes distribution called Fury. It also supports its customers with expert engineering around cloud transformation, including technical review of possible solutions and vendors during software selection processes. For this customer’s needs, SIGHUP recommended the implementation of Conjur Secrets Manager Enterprise from CyberArk, which enables DevOps and infrastructure teams to safely manage secrets access and generate identities for the related workloads.

Conjur was selected because it helps simplify application development with one centralized secrets management service to control and audit access. It also helps ensure robust authorization, supports enterprise scale and availability, and provides an extensive integration library. The out-of-the-box integration library was a specific requirement to simplify alignment and integration with the bank’s current architecture and future projects.

Phase 2 – Business alignment
The project’s second stage focused on aligning requirements with each business user to ensure compatibility with Conjur and the bank’s cloud-native security policies.

As the organization was in the early stages of adopting a cloud-based infrastructure, it was necessary to replicate and adapt the security requirements that were in place on the existing infrastructure. By leveraging Conjur’s extensive feature set and SIGHUP’s engineering advice, the customer was able to minimize the effort of establishing and adopting the cybersecurity standards for secrets management while designing new policies to address emerging cloud security needs.

Results

The bank has been able to establish a robust engagement and increased awareness of DevSecOps best practices.

A Long-term partnership
The DevSecOps methodology requires an “in progress” approach that has been embraced by the customer, which established a long-term relationship with SIGHUP and CyberArk. SIGHUP continues to work closely with the bank’s DevSecOps team to maintain security standards and to ensure that every new project adheres to internal security policies.

This long-term partnership focuses on:

  • Aligning each business unit to ensure compatibility with Conjur and cloud-native security best practices;
  • Establishing a security-first approach by ensuring that new cloud applications and services are managed via Conjur authenticators;
  • Supporting and managing the SDLC (Software Development Lifecycle) and related security aspects;
  • Supporting the application onboarding in the Kubernetes cluster and helping ensure that applications avoid untrusted practices.

So far, the bank has:

  • Enabled the organization to increasingly embrace DevOps and DevSecOps methodologies while adopting a “shift left” approach – so that security is considered earlier in the process;
  • Obtained the centralization of a standard approach to managing secrets and cloud identities;
  • Embraced a “policy as code” approach, which made security configuration parameters declarative, versionable and repeatable;
  • Established centralized audit records for all authorization events and secrets operations, avoiding the typical security islands approach of multi-cloud/platform scenarios;
  • Achieved cloud scalability, performance and availability while minimizing latency support.

KEY BENEFITS

  • Fully manage security in a cloud-based environment within six months;
  • Within the last two years, the customer has registered an 80% increase in adoption of DevSecOps practices.
