About the Client
UnionDigital Bank (UD), the digital bank subsidiary of UnionBank, launched in July 2022. Based in the Philippines, UD’s goal is to ‘tech-up’ the Philippine economy by bringing financial inclusivity to individuals, communities, and businesses. It does this by making financial solutions more accessible and safer for communities historically underserved by the banking sector.
We worked in close partnership with UD to ensure that its digital banking platform, hosted on Amazon Web Services (AWS), was secure and compliant and met the regulatory requirements of the central bank. Outcomes of the engagement include:
- Achieving all necessary security standards within a compressed two-month timeframe.
- Satisfying the requirements for UD to obtain its banking licence in time for the scheduled launch.
- Ensuring ongoing platform compliance through automation and self-correction.
Challenge: Central Bank’s Security Demands Required Specialist Cloud Skills
UD needed to meet stringent regulatory requirements set by Bangko Sentral ng Pilipinas (BSP), the central bank of the Philippines, before it could obtain a licence to operate. Since UD’s digital banking platform is hosted on AWS, this meant implementing sophisticated cloud security measures that the bank’s in-house infrastructure team was not equipped to deliver.
With a two-month window to satisfy the BSP requirements and apply for its banking licence, UD appointed Sourced Group, an Amdocs company (Sourced), to help.
“Launching a digital bank hosted in the cloud meant we were facing regulatory challenges that we hadn’t encountered before. We needed to act fast to ensure we kept on schedule and Sourced was the ideal partner, working with us around the clock to achieve our goals.”
Dominic Grunden
Chief Information Security Officer, UnionDigital Bank
Solution: Advanced Cloud Security Tools, Approaches and Controls
We devised a robust approach in line with established cybersecurity frameworks. This put security at the heart of UD’s cloud-based banking platform and gave the bank the capacity to adapt quickly as regulatory requirements evolve.
Starting with the BSP requirements and enhancing them with best practices from industry bodies and Sourced’s own long experience in the financial services industry (FSI), we quickly determined the baseline and the target compliance posture. This focused activity on the critical gaps that had to be closed to meet the timeline.
Since UD was using AWS Control Tower for the platform’s landing zone, we focused on leveraging and extending its built-in governance capabilities to meet the regulatory requirements. Control Tower deploys and manages AWS accounts according to the best practices described in the AWS Well-Architected Framework, and its guardrails can be customised to organisational or industry requirements. This allowed us to meet BSP’s stipulations efficiently and effectively.
AWS Control Tower was used to deploy the core security infrastructure, together with Amazon GuardDuty for threat detection and AWS Security Hub as the single pane of glass for security findings. We also deployed the AWS Config conformance pack for the Center for Internet Security (CIS) benchmarks; a conformance pack bundles AWS Config rules (the detective controls) with remediation actions (the corrective ones), which gave basic coverage of both.
With the security infrastructure established, we turned to encryption, selecting AWS Key Management Service (AWS KMS) to handle it. A KMS key pipeline was created so that UD’s teams could request keys for their applications through a standard process, and the automation behind it ensured a controlled rollout of key configurations and key policies that conformed to the bank’s security directives.
Regulation requires that all logs be centralised and available to a Security Operations Centre (SOC). We achieved this by using Amazon Kinesis Data Firehose to stream all Amazon CloudWatch Logs data in near real time into a centralised Amazon S3 bucket. Alongside this, all key services were configured to deliver their logs to target S3 buckets in the log archive account, which was in turn integrated with the SOC.
Finally, to give the bank’s compute workloads a standard operating environment (SOE), we created an SOE image foundry. It uses EC2 Image Builder to bake in third-party security agents, with the Linux and Windows operating systems hardened to the CIS benchmarks. As part of the pipeline, a granular release mechanism publishes the AMI IDs of released images to AWS Systems Manager Parameter Store (SSM Parameter Store), so that application workloads in the workload accounts reference the parameter at deployment time instead of a hard-coded AMI ID.
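Firehose writes CloudWatch Logs subscription data to S3 in the form CloudWatch emits it: each Firehose record is a base64-encoded, gzip-compressed JSON document carrying one log group's batch of events, plus an occasional CONTROL_MESSAGE health probe. Whatever consumes the bucket, a Firehose data-transformation Lambda or the SOC's own parser, has to unpack that format. The following is an added example of the unpacking in the shape of a Firehose transformation handler; it is not the pipeline Sourced built for UD, and the log group names, account ID and log lines are constructed for the demo.

```python
"""Unpack CloudWatch Logs subscription data as Kinesis Data Firehose delivers it.
Added example in the shape of a Firehose data-transformation handler; not the
pipeline Sourced built for UD. Log groups, account ID and log lines are constructed."""
import base64
import gzip
import json


def decode_record(data_b64):
    """One Firehose record's data: base64 -> gzip -> CloudWatch Logs JSON."""
    return json.loads(gzip.decompress(base64.b64decode(data_b64)))


def flatten_log_events(payload):
    """One dict per log event, tagged with its source account, group and stream.
    CONTROL_MESSAGE payloads (the probe sent when a subscription is created)
    carry no log data and yield nothing."""
    if payload.get("messageType") != "DATA_MESSAGE":
        return []
    return [{"account": payload["owner"], "logGroup": payload["logGroup"],
             "logStream": payload["logStream"], "timestamp": ev["timestamp"],
             "message": ev["message"]} for ev in payload["logEvents"]]


def transform(event):
    """Firehose transformation contract: every input recordId comes back with a
    result of Ok (JSON lines for S3), Dropped, or ProcessingFailed."""
    out = []
    for rec in event["records"]:
        try:
            events = flatten_log_events(decode_record(rec["data"]))
        except (ValueError, OSError, KeyError, TypeError, AttributeError):
            out.append({"recordId": rec["recordId"], "result": "ProcessingFailed",
                        "data": rec["data"]})
            continue
        if not events:
            out.append({"recordId": rec["recordId"], "result": "Dropped", "data": rec["data"]})
            continue
        lines = "".join(json.dumps(e) + "\n" for e in events)
        out.append({"recordId": rec["recordId"], "result": "Ok",
                    "data": base64.b64encode(lines.encode()).decode()})
    return {"records": out}


def decode_output(data_b64):
    """Reverse an Ok record's data back into the list of event dicts."""
    return [json.loads(l) for l in base64.b64decode(data_b64).decode().splitlines()]


def encode_subscription_payload(payload):
    """Pack a dict the way CloudWatch Logs does (gzip, then base64)."""
    return base64.b64encode(gzip.compress(json.dumps(payload).encode())).decode()


SAMPLE_EVENT = {"records": [  # constructed input: a data batch, a control probe, junk
    {"recordId": "r1", "data": encode_subscription_payload({
        "messageType": "DATA_MESSAGE", "owner": "123456789012",
        "logGroup": "/aws/lambda/payments-api", "logStream": "2022/07/01/[$LATEST]a1b2",
        "subscriptionFilters": ["to-soc"],
        "logEvents": [
            {"id": "1", "timestamp": 1656633600000,
             "message": "AUTH_FAILED user=alice src=203.0.113.7"},
            {"id": "2", "timestamp": 1656633601000,
             "message": "AUTH_OK user=bob src=198.51.100.9"}]})},
    {"recordId": "r2", "data": encode_subscription_payload({
        "messageType": "CONTROL_MESSAGE", "owner": "CloudwatchLogs",
        "logGroup": "", "logStream": "", "subscriptionFilters": [],
        "logEvents": [{"id": "", "timestamp": 1656633600000,
                       "message": "CWL CONTROL MESSAGE: Checking health of destination Firehose."}]})},
    {"recordId": "r3", "data": base64.b64encode(b"not a gzip stream").decode()},
]}
```

`transform(SAMPLE_EVENT)` returns Ok for the data batch (two newline-delimited JSON events, each tagged with the source account, log group and stream so the SOC can attribute it), Dropped for the control probe, and ProcessingFailed for the unparseable record. The last result matters operationally: Firehose delivers records marked ProcessingFailed to the destination bucket under its error prefix rather than discarding them, so a malformed batch does not silently vanish from the evidence trail. Two points the paragraph leaves implicit: Firehose buffers before delivery, so "real time" means the configured buffer interval, and the records are attributed by the `owner` field CloudWatch sets, not by anything the log producer writes.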
“Sourced brought a good depth and breadth of knowledge across cloud, secure digital banking and AWS tooling. But it was the team’s agile approach that really added value. They were able to pivot and reprioritise as needed to meet the goals of the engagement.”
Dominic Grunden
Chief Information Security Officer, UnionDigital Bank
Outcome: Platform Security Helps UD Earn Banking Licence
We delivered landing zone compliance within the target timeframe, encompassing all the required detective and corrective controls. The security posture of the landing zone satisfied the core BSP requirements, and we also maximised security observability by integrating AWS Config compliance events into AWS Security Hub and building dashboards and alerts on top of it. Centralising the issuance of KMS keys resulted in 0% variation in key policy configuration across the keys issued, ensuring consistent adoption.
This engagement was instrumental in UD’s successful application for a banking licence. The digital bank launched in July 2022, enabling UD to make strides towards its vision of financial inclusivity in the Philippines.
“Sourced helped us stand up cloud, cloud security, encryption and APIs so we could meet regulatory requirements and launch UD as planned. We look forward to extending this relationship as our digital banking journey continues and to further Tech Up the Philippines.”
Dominic Grunden
Chief Information Security Officer, UnionDigital Bank