/.case_study

+
Apiture
CSP
Amazon Web Services (AWS), S3
Framework
The Center for Internet Security (CIS)
Compliance & Certification
SSAE 18, SOC2 Type II (CIS)
Examining Bodies
FFIEC

About

Apiture

Apiture delivers innovative digital banking solutions to banks and credit unions throughout the United States. Their flexible, highly configurable solutions meet a wide range of financial institutions’ needs, from leveling the playing field with larger banks to enabling unique, digital-only brands.

Industry:

Financial Technology Company

Key Benefits:

Automating asset discovery and data classification, visual presentation of risk posture, applying policies to data types, driving proactive security initiatives with data insights

Results

Time efficiency

More time hardening defenses and less time investigating where defenses need to be hardened.

Automation

Automated mapping, data classification and data policy monitoring.

Compliance

Huge time saver and gives us great confidence in our security posture

Apiture Integrates Data Security into SecOps with Open Raven

When Apiture migrated to the cloud for improved service delivery speed and quality, CISO Sean Darragh needed to maintain his ability to protect data from attacks and compliance risks. For Apiture, security is not simply a requirement; it is a core business value. Like many, Sean understands that the pace of the cloud will continue to accelerate. The answer was not to make more hires but to find a more efficient approach. He knew that the familiar list of legacy, non-native, governance and DLP tools would not give him the leading-edge efficiency he was after. Sean’s goal was to find a cloud-native, data-centric, and automated approach to three challenges: Discovering assets and classifying data; Applying data guardrails with policies that follow the data; Driving proactive security with data analysis.

"I don’t want another single-note tool. I need an automated platform that tells me where sensitive data is and when the controls must be hardened."

Sean Darragh,
CISO,
Apiture

Challenges in cloud data security

When Apiture migrated to the cloud for improved service delivery speed and quality, CISO Sean Darragh needed to maintain his ability to protect data from attacks and compliance risks. For Apiture, security is not simply a requirement; it is a core business value. Like many, Sean understands that the pace of the cloud will continue to accelerate. The answer was not to make more hires but to find a more efficient approach. He knew that the familiar list of legacy, non-native, governance and DLP tools would not give him the leading-edge efficiency he was after. Sean’s goal was to find a cloud-native, data-centric, and automated approach to three challenges: Discovering assets and classifying data; Applying data guardrails with policies that follow the data; Driving proactive security with data analysis.

Discovering assets and classifying data

Challenge

Sean describes visibility as a fundamental requirement for good security posture. Visibility feeds every part of SecOps from planning to detection, response, and reporting. However, his previous toolset required significant time and manual steps involving multiple roles—DBAs, architects, and service owners, among others. It was clear that such efforts would continue to increase with both the advancement of cloud technology and the growth of the business.

Solution

Automating these tasks with Open Raven proved to be invaluable in scaling the effectiveness of Sean's team. The Open Raven Data Security Platform simplified how Sean's team answers fundamental data questions with automated discovery, mapping, and classification across their AWS Organization. Sean’s team found the setup simple, fast, and familiar. Upon connecting, the Map and Asset List began populating with discovered resources and attributes, including asset type, region, account, encryption status, MFA settings, backup status, VPC peering relationships, and security group access. Immediately, Sean and his team were able to quickly confirm assumptions about their environment that would have previously required significant work.


Sean describes his day one impressions of the Open Raven Data Security Platform, “The ease of setup is a huge burden of work lifted from my team and, based on my experience with other tools, is unique and unexpected. And then I get a map of my cloud? Impressive. I was immediately able to see every region in which we have resources, with granular details available in a click. This is exactly what I needed. Automation is critically important in adapting to the speed, variety of changes, and threats in the cloud.”

Applying data guardrails with policies that follow the data

Challenge

Sean needed to future-proof his tooling and processes to support the speed of the business. To get there, he needed to streamline risk detection and response without adding bottlenecks such as hard checkpoints.

Solution

The Open Raven Data Security Platform enabled Sean’s team to apply policies to specific data types, regardless of location, rather than particular services or storage pools, and automate risk detection of rogue assets and misplaced data. Sean said, “With Open Raven, we can easily translate business rules into enforceable policies that follow the data rather than being enforced where we think all of our sensitive data resides. We don’t need to slow anyone down because we have automated guardrails that tell us when mistakes have been made and need attention.”

For Sean, risk is always top of mind. Open Raven provides relief through its immediate visibility and automated data risk detection. Such automation allows his SecOps Team to focus their time on preventing issues and hardening defenses rather than repetitive, manual tasks. “My job as a CISO is to identify and communicate risk. For that, I need hard data points, not assumptions. Before Open Raven, identifying the locations and types of sensitive and financial data required significant time and entirely too much JSON. Now, every morning, I come into the office, log in to Open Raven Maps, and know that we’re on top of all the changes occurring across our infrastructure. With Open Raven, I have automated visibility and control and can better scale my resources. I can’t get this anywhere else, not as quickly nor as affordably.”

Driving proactive security with data analysis

Challenge

The complexities surrounding cloud visibility require significant efforts by Sean’s team. To define and drive proactive security, Sean needed more efficient data discovery, classification, and analysis. Having precise and current supporting information is critical to gaining approval and garnering organizational support for initiatives. Sean and his team spend valuable time discovering assets, evaluating risks, and analyzing viable next steps versus time hardening defenses.

Solution

The built-in Splunk-based Analytics Module allows his team to incorporate data findings from Open Raven in SPL queries, reports, and dashboards. Combining infrastructure and data context is valuable beyond Security. Apiture’s Finance and Legal Teams often coordinate across departments to gain point-in-time snapshots into cloud costs and risks. Now, his team has unfettered access to discover and investigate infrastructure much like data scientists, extracting valuable insights for use in continued proactive security.

"We can more quickly and easily show what we have going on and why we need to take specific actions. It doesn’t matter what you know or say if your audience can’t understand it. The built-in data visualizations help me own the security conversation.”

Sean Darragh,
CISO,
Apiture

Conclusion

Sean needed a more efficient method to stay on top of sensitive data assets, tried Open Raven, and found a force-multiplier in improving detection and response for at-risk data. The decision to use Open Raven as his cloud data security platform continues to be justified. Repetitive but critical discovery and classification tasks have been automated, streamlining many parts of SecOps. Working with the Open Raven Services Team, Sean customized dashboards to show trends about sensitive data across his environment. “I already considered the platform to be a force multiplier because of asset discovery, mapping, data classification, and guardrails; but, the Analytics Module truly set it apart. Open Raven nailed it when they identified the shift to data-centric security for the cloud. I’m excited to have such confidence in our posture as new threats and regulations come to surface.”

Schedule a demo

Restore visibility and control of your public cloud data.