While an upsurge in technology transformation and its adoption continues to yield more innovative products and services, it has also exposed us to greater risks. It’s critical to strike the right balance between transformative innovations and risk management.
As designs and implementations evolve, the security framework becomes an even more important, parallel focus area. This makes encryption of data-at-rest and data-in-motion imperative. Enterprise-wide encryption in turn calls for a Key Management System as a Service, commonly known as KMaaS.
Covering Overarching Business Challenges
Nationwide Building Society adopted cloud-native technologies to elevate its overall security posture by implementing an end-to-end KMaaS, which addresses these overarching business challenges:
- Need for robust, certifiable and automated provisioning of enterprise keys and secrets management for applications, containers and VMs running on multi-cloud and on-premises infrastructure
- Avoiding Cloud Service Provider (CSP) lock-in while serving multiple providers
- Uninterrupted CI/CD pipeline, i.e. seamless integration into the existing DevSecOps toolchain
- Need for an easily deployable, quickly deliverable and cost-efficient solution
Reviewing its legacy systems, Nationwide determined that there was a significant need for a new process to govern how keys and credentials are issued and managed. The absence of a centralized system was expensive and carried higher risk. Since KMaaS is a centralized key management system, the application remains functional at any given point even if one of the CSPs (AWS/Azure) fails. There is no lock-in with any CSP, which means users have the flexibility to lift and shift from AWS to Azure and vice versa.
Integration between KMaaS and DevSecOps tools (e.g., Jenkins, Kubernetes) is an out-of-the-box capability of HashiCorp Vault, which makes integration easier and requires less manual intervention.
The implementation of the solution was not easy: the roll-out saw seasoned professionals facing project-level challenges, including achieving the right balance between value delivered and governance required. Some enabler capabilities and stories (such as the Hardware Security Module, HSM) were not fully mature and required temporary solutions that added to tech debt.
Nationwide and Publicis Sapient worked as a team on these challenges and conceived the KMaaS solution in early 2020, which was followed by a successful prototype with a Minimum Viable Product (MVP) in Nov 2020. In a short span of 10 months, we moved from inception to go-live.