National Australia Bank is continuing to mature its enterprise security practices to cope with its cloud-first outlook, recently building a tool that can identify a security gap and deploy a new control to fix it in 45 seconds.
Security architect Ivan Sekulic told AWS re:Invent 2018 in Las Vegas that the bank’s cloud security team had recently joined forces with AWS Professional Services “to build a continuous compliance solution within NAB”.
“This solution allows us to systematically and continuously review the security compliance position of every AWS workload,” Sekulic said.
“It allows someone like me to identify a risk or a gap of a solution, articulate a security control, have it built as code, and delivered really fast.
“It gives us a real time view of security compliance across the whole enterprise and it allows our dev teams to deliver as fast as they want without being forced to use extra control planes or API brokers.”
According to Sekulic, the solution - which uses native AWS services itself - enables “enterprise-wide security updates with the push of a button” and has allowed the bank to “reduce the deployment time for an enterprise security control from 19 days to 45 seconds, which is a 35,000-times difference.”
He cited the solution as an example of NAB’s growing IT security capability maturation as the bank has rapidly scaled up its cloud ambitions throughout 2018.
Earlier this year, NAB revealed that it would undergo a fresh evolution of its security control framework and cloud security approach - and the bank has now revealed the results of that process.
Sekulic said that the overhaul was needed because more developers than ever before were creating apps on cloud-based services.
Fuelling that is NAB’s cloud guild, a training program that has reached 3000 NAB developers (and AWS-certified about 400 of them).
“In NAB, an order of magnitude more AWS developers are coming as a result of internal training programs like the NAB cloud guild,” Sekulic said.
“So as a result of that, an order of magnitude more applications are being built in the cloud.
“Without changing our approach, there was no way to scale the security practice to meet that kind of demand.”
Sekulic said that NAB had “invested heavily in automation and decentralisation” to meet demands to scale.
“Our goal is to automate everything we can. We replaced all centralised models with decentralised ones, and we understood the value of automation as our force multiplier,” he said.
“The security architecture team that I’m part of ... had to learn that our security requirements that we deliver had to be articulated well enough that they could be expressed as code, which allowed our dev teams to build that into their applications and our governance teams to validate it.”
Sekulic said NAB’s new cloud security strategy “stole liberally” from the AWS cloud adoption framework (CAF) and the AWS well-architected framework.
“From that, we developed some of our own key focus areas to deliver on,” he said.
Sekulic listed several areas that NAB’s security teams had focused on in overhauling their cloud security capabilities.
“Our first key focus area was we knew we needed to extend our existing security services to the cloud. All of our security teams had to establish their own competency in AWS,” he said.
“This allowed our security teams to be there as our technology teams built and developed applications, and allowed us to build native security capabilities to use the cloud to secure the cloud.”
The security organisation also wanted to be “secure by default and deliver security at every layer”. Much of the structure of this was revealed by NAB earlier this year.
Third, NAB security wanted to improve its focus on continuous security governance, ultimately leading to the development of the new continuous compliance solution.
“For us, that meant building self-service dashboards and providing reporting and visibility of the current state of security controls and posture to our development teams to give them a full understanding of what they have and allow them to take responsibility for security,” he said.
“It had to be continuous governance, always updated in real time.”
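Sekulic's two points above, that a security requirement must be articulated precisely enough to be expressed as code that dev teams build in and governance teams validate, and that the resulting posture must be visible continuously on self-service dashboards, can be illustrated with a small control-as-code evaluator. The following Python is an added example, not NAB's or AWS's code: each control is a plain function over a resource's configuration that returns a verdict and a reason, a registry maps controls to the resource types they apply to, and a summary function produces the per-control posture a dashboard would display. The COMPLIANT / NON_COMPLIANT vocabulary is borrowed from AWS Config custom rules, but the control ids, the inventory format and the resources in it are constructed for this example.

```python
"""Control-as-code compliance evaluation over a resource inventory.

Added illustration, not NAB's or AWS's code. The control ids, inventory
schema and sample resources are constructed; only the COMPLIANT /
NON_COMPLIANT verdict vocabulary mirrors AWS Config custom rules.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"

# A check receives one resource's configuration and returns (passed, reason).
Check = Callable[[dict], Tuple[bool, str]]


@dataclass(frozen=True)
class Evaluation:
    control_id: str
    resource_type: str
    resource_id: str
    status: str
    reason: str


def s3_default_encryption(cfg: dict) -> Tuple[bool, str]:
    """Bucket must have at least one default server-side encryption rule."""
    rules = (cfg.get("serverSideEncryptionConfiguration") or {}).get("rules", [])
    return bool(rules), ("default encryption enabled" if rules else "no default encryption rule")


def s3_public_access_blocked(cfg: dict) -> Tuple[bool, str]:
    """All four S3 public-access-block settings must be enabled."""
    pab = cfg.get("publicAccessBlockConfiguration") or {}
    required = ("blockPublicAcls", "blockPublicPolicy", "ignorePublicAcls", "restrictPublicBuckets")
    missing = [k for k in required if not pab.get(k)]
    if missing:
        return False, "public access block incomplete: " + ", ".join(missing)
    return True, "all public-access-block settings enabled"


def sg_no_world_ssh(cfg: dict) -> Tuple[bool, str]:
    """No ingress rule may expose TCP/22 (or all traffic) to 0.0.0.0/0."""
    for perm in cfg.get("ipPermissions", []):
        if not any(r.get("cidrIp") == "0.0.0.0/0" for r in perm.get("ipRanges", [])):
            continue
        if perm.get("ipProtocol") == "-1":
            return False, "all traffic open to 0.0.0.0/0"
        lo, hi = perm.get("fromPort", 0), perm.get("toPort", 65535)
        if perm.get("ipProtocol") == "tcp" and lo <= 22 <= hi:
            return False, f"tcp {lo}-{hi} open to 0.0.0.0/0 includes port 22"
    return True, "no world-reachable SSH ingress"


# Control registry (hypothetical ids): control -> (resource type it applies to, check).
CONTROLS: Dict[str, Tuple[str, Check]] = {
    "CTL-S3-ENCRYPTION": ("AWS::S3::Bucket", s3_default_encryption),
    "CTL-S3-NO-PUBLIC": ("AWS::S3::Bucket", s3_public_access_blocked),
    "CTL-SG-NO-WORLD-SSH": ("AWS::EC2::SecurityGroup", sg_no_world_ssh),
}


def evaluate_inventory(inventory: List[dict], controls=CONTROLS) -> List[Evaluation]:
    """Run every control against every resource of the type it governs."""
    results = []
    for res in inventory:
        for control_id, (rtype, check) in controls.items():
            if res["resourceType"] != rtype:
                continue
            ok, reason = check(res.get("configuration") or {})
            results.append(Evaluation(control_id, rtype, res["resourceId"],
                                      COMPLIANT if ok else NON_COMPLIANT, reason))
    return results


def summarize(evals: List[Evaluation]) -> dict:
    """Dashboard-style posture: totals overall and per control."""
    by_control: Dict[str, Dict[str, int]] = {}
    for e in evals:
        counts = by_control.setdefault(e.control_id, {COMPLIANT: 0, NON_COMPLIANT: 0})
        counts[e.status] += 1
    compliant = sum(1 for e in evals if e.status == COMPLIANT)
    return {
        "total": len(evals),
        "compliant": compliant,
        "non_compliant": len(evals) - compliant,
        "compliance_pct": round(100 * compliant / len(evals), 1) if evals else 100.0,
        "by_control": by_control,
    }


# Constructed sample inventory; none of these are real resources.
SAMPLE_INVENTORY = [
    {"resourceType": "AWS::S3::Bucket", "resourceId": "app-logs",
     "configuration": {
         "serverSideEncryptionConfiguration": {"rules": [{"applyServerSideEncryptionByDefault": {"sseAlgorithm": "aws:kms"}}]},
         "publicAccessBlockConfiguration": {"blockPublicAcls": True, "blockPublicPolicy": True,
                                            "ignorePublicAcls": True, "restrictPublicBuckets": True}}},
    {"resourceType": "AWS::S3::Bucket", "resourceId": "legacy-exports",
     "configuration": {"publicAccessBlockConfiguration": {"blockPublicAcls": True, "ignorePublicAcls": True}}},
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-web",
     "configuration": {"ipPermissions": [{"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                                          "ipRanges": [{"cidrIp": "0.0.0.0/0"}]}]}},
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-bastion",
     "configuration": {"ipPermissions": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                                          "ipRanges": [{"cidrIp": "0.0.0.0/0"}]}]}},
]

if __name__ == "__main__":
    findings = evaluate_inventory(SAMPLE_INVENTORY)
    for f in findings:
        print(f"{f.status:14} {f.control_id:20} {f.resource_id:16} {f.reason}")
    print(summarize(findings))
```

Because each check is a pure function of a configuration record, the same control can run in a developer's pipeline before deployment and in a governance job over the live inventory, which is what lets one codified requirement serve both the teams building it in and the teams validating it; adding a new control is a new function plus a registry entry, and the summary is what a self-service dashboard would render.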