Financial services companies have long been at the forefront of cloud adoption. For many companies, the cloud can help them consolidate disparate IT groups and improve data interoperability.
However, for large financial services companies with hundreds of divisions across multiple continents, it’s often critical to maintain separation between applications and customer data, both by geography and by compliance requirement. How do they get the benefits of agility and data interoperability without compromising compliance?
A top global financial services and investment banking company with over $3B in annual revenues recently approached Logicworks with this challenge. Maintaining separation between departments and compliance requirements was critical; they spent millions of dollars a year on PCI-DSS compliance, and their main concern was to reduce audit scope so that they weren’t spending time and resources on workloads that did not contain regulated data.
To do this, the investment bank wanted to maintain entirely separate AWS accounts for regulated and non-regulated data. They also wanted to maintain separate accounts by geography, team, and SDLC tier. They approached AWS with this problem, and AWS recommended Logicworks as the most experienced AWS Landing Zone Partner to complete this project. Logicworks is also PCI-DSS Level 1 Certified, and highly experienced in financial services on AWS. Logicworks acted as a subcontractor to AWS Professional Services for this project.
AWS recommended AWS Landing Zone as the right solution for the investment company’s needs. AWS Landing Zone provides a framework for creating, automating, baselining, and maintaining a multi-account environment.
Rather than separating environments within a single account, placing separate accounts under one “master” AWS Organization allows the master account to apply policies to every account from a single location. In this way, the investment bank could maintain centralized administrative control of all AWS accounts, and centralized auditability and security controls, while still enabling each line of business to manage its own accounts. The solution would also allow them to build a data lake that different accounts could access.
It was decided that the investment bank would separate resources based on the presence of regulated data. The investment bank began by doing an audit of their existing applications to confirm where regulated data was stored and transmitted. They ensured that dependencies between these applications were reduced, to facilitate migration to AWS. The investment bank
With Logicworks’ guidance, the company ultimately decided to maintain five core AWS accounts:
- Master account (billing)
- Security/audit account
- Logging account
- Network account
- Shared services account
These accounts provide the key security and financial controls around the environment. User access to these accounts will be strictly limited to the administrators who operate the AWS environment, and, where possible, actions within these accounts will be automated to avoid human error.
Other accounts would be built using the Account Vending Machine feature in the Master account. Account Vending Machine enables automated deployment of additional accounts. You can set up a complex, secure, multi-account structure in a few hours or less, and it automatically enables the security guardrails for each new account. AVM automatically links the new account to the master account for billing, to the logging account for audit trail, and to existing account access rules. Once added, previously defined Stack Sets automatically roll out to the new environments, providing a baseline set of resources for each additional account.
Each line of business organizational unit would divide accounts by the presence of regulated data and SDLC tier:
- Production “regulated” account
- Production “non-regulated” account
- Non-production “regulated” account
- Non-production “non-regulated” account
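To make concrete the kind of guardrail the master account can apply across every account in an organizational unit, here is an added example (not code from Logicworks, AWS, or the investment bank): a constructed service control policy for a “regulated” OU that pins workloads to approved regions and protects the audit trail feeding the logging account, plus a simplified evaluator for it. The region list, the denied actions, and the function names are assumptions for illustration.

```python
"""Simplified Service Control Policy (SCP) evaluator for a regulated OU.

Added example, not Logicworks' or AWS's code. SCPs attached at the OU
level only filter permissions: an explicit Deny wins, and anything not
denied is left to the account's own IAM policies. SCPs do not apply to
the master (management) account itself, so its access must be locked
down separately. Only StringNotEquals on aws:RequestedRegion is modelled.
"""
from fnmatch import fnmatchcase

# Constructed SCP for the "Production regulated" OU; region list is assumed.
REGULATED_OU_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        # Keep regulated workloads inside approved geographies.
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"StringNotEquals": {
             "aws:RequestedRegion": ["us-east-1", "us-east-2"]}}},
        # Protect the centralised audit trail and organization membership.
        {"Effect": "Deny", "Resource": "*", "Action": [
            "cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
            "config:StopConfigurationRecorder",
            "organizations:LeaveOrganization"]},
    ],
}


def _actions(stmt):
    """Normalise the Action element to a list of patterns."""
    acts = stmt.get("Action", [])
    return [acts] if isinstance(acts, str) else list(acts)


def _condition_matches(stmt, region):
    """True when the statement has no condition or its region test holds."""
    cond = stmt.get("Condition")
    if not cond:
        return True
    allowed = cond.get("StringNotEquals", {}).get("aws:RequestedRegion")
    return allowed is not None and region not in allowed


def is_allowed(action, region, scp=REGULATED_OU_SCP):
    """Return False if any Deny statement in the SCP matches the request."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        # IAM action names are matched case-insensitively, with * wildcards.
        hit = any(fnmatchcase(action.lower(), pat.lower())
                  for pat in _actions(stmt))
        if hit and _condition_matches(stmt, region):
            return False
    return True
```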
Logicworks was responsible for designing the AWS Landing Zone solution, producing extensive documentation about the security, networking, access, and data flow properties of the solution, and building out the foundational AWS Landing Zone solution with the core accounts and Account Vending Machine. The project was completed over the course of several months, with the involvement of Logicworks’ most senior engineers and solutions architects and ongoing collaboration between AWS Professional Services, the investment bank’s IT team, and Logicworks.
As a result of the project, the investment bank has a highly secure, multi-account AWS architecture that is ready to receive applications and data. Logicworks significantly accelerated the AWS Landing Zone design and implementation through its expertise in PCI-DSS compliance and complex architectures on AWS, and the investment bank expects to migrate several lines of business to the solution over the next year. Because the solution includes Account Vending Machine, Logicworks has ensured that it continues to enforce the bank’s governance requirements even as the company’s AWS environment scales.