Financial Services Firm
- Industry: Financial services
- Size: 15,000+ Employees
- Annual Revenue: £8 Bn
Solution
- Chose Nephos’ Data Infrastructure Assessment for the customer’s complex needs.
- Delivered key insights on cloud usage and security risks.
- Identified and assessed uncontrolled cloud services for risk.
- Provided a regulatory-compliant risk evaluation to protect the client’s data.
Challenge
- Identifying Unauthorised Cloud Services
- Assessing Associated Risks
- Evaluating the Enterprise-Grade Status of Recognised Cloud Services
- Developing Risk Mitigation Strategies
Results
- Discovered 3,000+ cloud services, revealing significant data security risks.
- Evaluated services using 20+ remediation criteria
- Found regulated data in 92 HR apps
- Identified services missing SOC 1/2 or PCI DSS certifications, key requirements for enterprise cloud security.
About the Client
The client in question is one of the UK’s largest and most established financial services firms, boasting approximately 17,686 employees and serving over 17 million customers. With a history that dates back to 1884, this firm has solidified its reputation as a trusted provider of a variety of financial services, including savings accounts, mortgages, insurance, and personal loans. They are a pivotal player in the UK’s financial landscape, significantly contributing to the country’s economic stability and prosperity.
The Challenge
The customer, like many others in the financial services sector, turned to digital channels to achieve cost savings and faster time-to-value. Adopting a ‘Cloud-First, Not Cloud-Only’ strategy presented challenges, including the identification of enterprise-ready cloud services and effective data management in the Cloud – essential for compliance in a regulated industry.
Traditional tools proved inadequate, leading to an exploration of the Cloud Access Security Broker (CASB) domain. Before proceeding, the customer sought a partner who would help them gain an initial understanding of their current cloud utilisation in order to:
- Detect unauthorised cloud services in use
- Assess the risks associated with these services
- Determine whether the identified cloud services adhere to enterprise-grade standards and assess any potential threats they may pose
- Develop strategies to mitigate these identified risks
The Nephos Solution
To fulfil the customer’s intricate needs, our team opted for Nephos’ Infrastructure Assessment service. This offering delivered crucial insights into the cloud services in use, along with an exhaustive assessment of the potential risks that might jeopardise the customer’s data.
The real challenge, however, lay in the use of unknown cloud services beyond IT’s control. Our team addressed this as a distinct, independent service, identifying these cloud services and evaluating each for potential risk.
The outcome was a thorough risk evaluation that aligned with both regulatory and security requirements, delivered promptly and with minimal effort on the client’s part, reflecting our commitment to excellence and our capability to deliver beyond expectations.
The Results
Nephos uncovered an astonishing 3,000+ cloud services, a figure 100 times greater than initially expected, revealing a significant threat to the client’s data security. Each service was meticulously evaluated against over 20 critical criteria, providing a solid foundation for Nephos’ detailed remediation strategy. The investigation brought to light the following key information:
- High risk applications used by the organisation (known and unknown)
- Applications storing data outside of the UK
- Applications that take ownership of the client’s data once uploaded
- Services with known breaches
Additionally, we discovered regulated data across cloud services, including 92 HR applications, of which only five met enterprise standards. We also identified services lacking key certifications such as SOC 1/2 or PCI DSS, marking them as non-compliant. The Smart Discovery service offered crucial insights into cloud usage and risks, significantly shaping the client’s advanced cloud security strategy.