Skip to Main Content

Generative AI: Using artificial intelligence to make human impact.Learn how

Insight

How to have an overarching effective position on security

Sangamesh Kotni
Sangamesh Kotni

While an upsurge in technology transformation and its adoption continues to yield more innovative products and services, it has also exposed us to greater risks. It’s critical to strike the right balance between transformative innovations and risk management.

As we improvise designs and implementations, Security framework becomes even more important and a parallel focus area. This makes encryption of data- at-rest and data-in-motion imperative. Lack of enterprise encryption results into a Key Management System as a Service; and it is commonly known as KMaaS.

Covering Overreaching Business Challenges

Nationwide Building Society adopted cloud-native technologies to elevate the overall security posture by implementing an end-to-end KMaaS, which covers these overarching business challenges:

  • Need for robust and certifiable automated provisioning of enterprise keys and secrets management used by applications, containers and VMs running on multi cloud and on-premise
  • Avoiding Cloud Service Providers (CSP) lock-in while serving multiple service providers
  • Uninterrupted CI-CD Pipeline i.e. seamless integration onto existing DevSecOps
  • Need for an easily deployable, quickly deliverable and a cost-efficient solution

Reviewing their legacy systems, Nationwide determined that there was a significant need for a new process to support how keys/credentials should be issued and managed. The absence of a centralized system was expensive and came with higher risk. Since KMaaS is a centralized key management system, at any given point, if either CSPs (AWS/Azure) failed, the application still remains functional. There is no lock-in period with any CSP, which means users have the flexibility to lift and shift from AWS to Azure and vice-versa.

Integration between KMaaS and any DevSecOps tool (e.g., Jenkins, Kubernetes etc.) is an out of the box solution provided by Hashi Corp vault, which makes integration easier with less manual intervention.

The implementation of the solution was not easy, as the roll-out saw seasoned professionals facing project level challenges, including, achieving the right balance between value delivered and governance required. Some enabler capabilities/stories (such as HSM-Hardware Security Model) were not fully mature and required temporary solutions that added to tech debt.

Nationwide and Publicis Sapient worked as a team on the challenges and conceived the KMaaS solution in early 2020 which followed a successful prototype with a Minimum Viable Product (MVP) in Nov 2020. In a short span of 10 months, we moved from inception to go-live.

This KMaaS solution was built using HashiCorp’s Vault technology and native hardware security modules from cloud providers. The solution was hosted as a stretch capability across AWS and Azure. It offers centralized control over the cryptographic keys used to protect data across applications, containers and infrastructure, both in the cloud and on-premise.

KMaaS is a first truly in multi-region, multi-cloud capability accessible by consumers across AWS, Azure and on-premise. It demonstrates how teams can collaborate to produce outstanding results with multiple features against aggressive timeframes. Some of the key features are listed below.

Nationwide was extremely satisfied with the new solution

This solution enabled us to accomplish Vault compliance with FIPS 140-2. Also, Vault is backed by Hardware Security Module (HSM), which is typically used by most security conscious organizations. The solution was built in such a way that AWS, Azure and on- prem can connect to one centralized system. This helped to optimize licenses/IT resources which in return resulted in cost savings. Penetration testing (process to ensure that there are no security loopholes or vulnerabilities) was done which concluded with zero high-severity issues. This certifies that KMaaS is adhering to all the cloud controls.

“It’s great to see that with partners like Publicis Sapient, Nationwide can build world class infrastructure such as key management as a service which was deployed on multiple regions and cloud providers under 6 months. This helped Nationwide to achieve fully automated deployment when it comes to encryption, secrets, and certificates and reduced overall deployment of products which means we can get products to our consumers faster than ever before.”
Saeed Abdi, Security Principal Lead, CTO Cloud Platform (Nationwide Building Society)

Initially, Publicis Sapient onboarded new Nationwide projects/applications on to the KMaaS tool. Following this, we gave existing projects time to migrate their applications from the current Vault clusters to KMaaS before sunsetting the existing clusters. Many Nationwide new projects started using KMaaS which allowed them to centrally store, manage and maintain a huge number of cryptographic keys safely and efficiently.

Sangamesh Kotni
Sangamesh Kotni
Manager Technology, Publicis Sapient