In the period 2017 through 2019, after nearly thirty years of consolidation around a layered internal IT security model, a major Australian bank shifted its business scope to include the consumption of public cloud technologies to support a significant core of its business operations.
This is a major departure from the historical arrangement, in which the bank's IT systems were physically domiciled within its own premises and protected from public or unmanaged ingress by a perimeter DMZ and a host of physical and process controls.
Outright ownership of premises, or lease responsibility for these environments, conferred the most basic human access control needed to ensure operational security. On top of that, 'defence in depth' centred on a layered network security architecture has, to date, heavily influenced the attitude to secure operations.
This talk begins by setting out the ground rules of the prior state and examines how that prevailing philosophy has been disrupted by the move to overt consumption of public cloud infrastructure in support of many core banking functions. It then examines how we approach those concerns from the perspective of human and machine user access, and how technology accountability and authority are correctly attributed across all of the bank's business operations, including cloud, in a more complex business landscape.