Managing Security with a Unified Strategy, Featuring Nubank (GRC203)

Title: AWS re:Inforce 2024 - Managing security with a unified strategy, featuring Nubank (GRC203)

Insights:

  • Introduction and Agenda: The session, GRC203, focuses on managing security with a unified strategy, featuring Nubank. The agenda covers introductions, security and regulatory challenges in the financial services industry (FSI), Nubank's history and challenges, its multi-organization strategy, and outcomes and lessons learned.
  • Speakers:
    • Ricardo Marques, Senior Solutions Architect at AWS, with extensive experience in IT and financial services.
    • Dave Hannigan, CISO at Nubank, with 24 years of experience in security and 12 years in cloud security.
    • Thiago, Lead Software Engineer for Cloud Security at Nubank, with over 10 years of experience in technology and information security.
  • Security Challenges in FSI:
    • Companies in FSI face constant and varying regulatory requirements, dynamic security threats, and a limited supply of cloud security and compliance specialists.
    • Operating in multiple countries like Brazil, Mexico, and Colombia involves dealing with numerous regulators and specific regulations, such as data access restrictions and disaster recovery requirements.
  • AWS Shared Responsibility Model: AWS helps relieve customer operational burden by taking responsibility for the security of the cloud, while customers are responsible for security in the cloud. AWS provides a range of services for security, management, and governance.
  • Nubank's Growth and Strategy:
    • Nubank started in Brazil in 2013 and expanded to Mexico and Colombia, reaching 100 million customers.
    • The company focuses on keeping costs low (90 cents per customer per month) to benefit customers with zero or lower fees.
    • Nubank's mission is to fight complexity and empower people, maintaining a customer-centric approach.
  • Technical Implementation:
    • Nubank uses a multi-organization strategy to manage security across different countries and products.
    • They employ a "Know, Prevent, Fix" strategy inspired by Google's framework for dealing with vulnerabilities.
    • AWS Config and Security Hub are crucial for recording configuration changes and running security checks.
    • A security baseline is applied across all accounts and regions to ensure consistent security measures.
    • Custom Terraform modules and CloudFormation stack sets are used to automate security configurations and controls.
  • Challenges and Solutions:
    • Managing rapid growth while maintaining security and cost efficiency.
    • Operating globally while adhering to local regulations and managing different risk committees.
    • Synchronizing technical controls across various regions and teams.
  • Outcomes and Lessons Learned:
    • Proper resource tagging is essential for security and financial management.
    • Clear leadership dependencies are key to scalable and reliable solutions.
    • Extending AWS service capabilities and ensuring proper monitoring in complex systems are ongoing challenges.
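The "Know" and "Fix" steps of the baseline approach above, as an added example that is not code from the talk or from Nubank's tooling: the organization layout, account ids, required tag keys and the per-account/region observations are all constructed here, whereas in practice they would come from AWS Config and Security Hub in each account and region.

```python
# Added example (not Nubank's code): checking a security baseline across several
# AWS organizations and regions. All names, ids and observations are constructed.
from itertools import product

REQUIRED_TAGS = {"owner", "cost-center"}  # assumed tagging baseline

# Constructed layout: org -> (member accounts, regions the baseline must cover)
ORGS = {
    "nu-brazil": (["111111111111", "222222222222"], ["sa-east-1", "us-east-1"]),
    "nu-mexico": (["333333333333"], ["us-east-1"]),
}

# Constructed observations: (org, account, region, config_recorder_on, security_hub_on, tags)
OBSERVED = [
    ("nu-brazil", "111111111111", "sa-east-1", True, True, {"owner": "cards", "cost-center": "br-1"}),
    ("nu-brazil", "111111111111", "us-east-1", True, False, {"owner": "cards", "cost-center": "br-1"}),
    ("nu-brazil", "222222222222", "sa-east-1", False, True, {"owner": "pix"}),
    ("nu-mexico", "333333333333", "us-east-1", True, True, {"owner": "mx-core", "cost-center": "mx-1"}),
]

def expected_units(orgs):
    """Every (org, account, region) the baseline is supposed to cover."""
    return {(o, a, r) for o, (accts, regs) in orgs.items() for a, r in product(accts, regs)}

def evaluate(orgs, observed):
    """Know: classify units as compliant, drifted (with reasons) or missing."""
    drifted, seen = {}, set()
    for org, acct, region, recorder_on, hub_on, tags in observed:
        unit = (org, acct, region)
        seen.add(unit)
        issues = []
        if not recorder_on:
            issues.append("config-recorder-off")
        if not hub_on:
            issues.append("security-hub-off")
        if REQUIRED_TAGS - set(tags):
            issues.append("missing-tags:" + ",".join(sorted(REQUIRED_TAGS - set(tags))))
        if issues:
            drifted[unit] = issues
    return {"compliant": seen - set(drifted),
            "drifted": drifted,
            "missing": expected_units(orgs) - seen}  # units that never reported at all

def remediation_plan(report):
    """Fix: one action per non-compliant unit, undeployed regions first."""
    plan = [("deploy-baseline",) + u for u in sorted(report["missing"])]
    plan += [("reapply-baseline",) + u for u in sorted(report["drifted"])]
    return plan
```

A unit that is absent from the observations (here account 222222222222 in us-east-1) is reported as missing rather than silently passing, which is the gap a per-account view tends to hide.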

Quotes:

  • "Imagine that all of you are parents of three kids... The question is what strategy you as a parent can adopt to raise your kids respecting their characteristics, giving them autonomy and freedom, but without putting them at risk."
  • "For regulators, there is no distinction between security in the cloud and of the cloud. The company is responsible for both."
  • "Our cost to serve... is 90 cents a month per customer. That enables every penny that we save throughout cost goes back to our customers in terms of zero fees or lower fees."
  • "We want to reach 100 million people. And proud to say that we actually did that last month of getting 100 million customers onto our platform."
  • "How do you manage globally and operate locally? And this is what Ricardo was talking about with those different regulators, with the different structures inside of a global organization."
  • "We built a scalable, reliable solution. We could enable the teams to build their own baselines. So, we are sure that every time a new account enters an organization, it's going to have the guide rails that we want."
  • "Platformization is key for company growth and success. And this platform really helps everyone to be in sync and everyone to work together."