AWS for Industries
How Legal & General manage diverse requirements and deliver value at speed in a highly regulated environment
In virtually every country, financial services organizations are heavily regulated. Although this has often been used as a rationale for a lack of innovation, leveraging controls that are designed for both accountability and speed can allow for innovation and regulation to co-exist.
This post discusses how Legal & General’s central IT function, Group Technology, have implemented a landing zone environment to provide the securely governed multi-account AWS environment that the business needs to go further, faster, and safer. It also provides insights into how Legal & General are combining technology and cultural change to deliver business value.
Established in 1836, Legal & General are one of the UK’s leading financial services groups and a major global investor, with over £1.4 trillion in total assets undermanagement*. Legal & General also provide powerful asset origination capabilities. Together, these underpin leading retirement and protection solutions: they are a major international player in pension risk transfer, in UK and US life insurance, and in UK workplace pensions and retirement income. Legal & General’s purpose is to improve the lives of their customers, build a better society for the long-term, and create value for their shareholders. This inspires them to use their long-term assets in an economically and socially useful way to benefit everyone in their communities, as well as help create their vision of Making a difference through inclusive capitalism.
As each of Legal & General’s businesses embrace the Cloud to become more responsive to their customers’ needs and deliver on their purpose, it’s important that Group Technology works in partnership with them to deliver the right level of agility, speed, and control.
*at 31 Dec 2021
Managing diverse requirements
Legal & General’s organization is divided into federated business divisions. These lines of business use a wide variety of different technologies best suited to their specific needs, ranging from mainframes to serverless. They all collaborate closely, yet they also have diverse operating models and requirements, sometimes even in different regulatory environments. The AWS Cloud Foundation team within Group Technology is centralized. This team acts as an enabler to all business divisions across the organization, making it easier for them to deliver their workloads into AWS at scale.
The team’s aim isn’t to be a gatekeeper, but to enable agility through the creation of reusable patterns and guardrails that empower engineering teams to use AWS in line with all of Legal & General’s policies and standards. This means that divisional engineering teams can consume approved services from the Cloud Foundation and build, test, and operate at their own pace within a set of preventative and detective compliance rules.
Building the foundation
Following initial discussions internally, and after identifying the problem statement and vision, the AWS Cloud Foundation team approached their AWS account team for help. Adopting the same Working Backward customer-centric methods used internally at Amazon to develop breakthrough innovations, the team started to scope an initial Minimum Loveable Product (MLP). Next, they discussed in more detail how to support Legal & General’s diverse requirements, best practices, recommended approaches/architecture, and how to deliver a solution that provided an agile cloud service to their federated business. As a result of these collaborative discussions, Legal & General and AWS decided to implement AWS Control Tower.
AWS Control Tower provides the easiest way to set up and govern a secure, multi-account AWS environment, called a landing zone. It creates your landing zone using AWS Organizations, bringing ongoing account management and governance, as well as implementation best practices based on AWS’s experience working with thousands of customers as they move to the cloud. Builders can provision new AWS accounts in a few steps, while having peace of mind knowing that accounts conform to company policies. Governance can be extended into new or existing accounts, helping to gain visibility into their compliance status quickly.
The AWS Control Tower architecture was designed and implemented in partnership with the AWS Professional Services team and the AWS Solution Architect assigned to their account. The solution comprises AWS Control Tower, AWS Config, AWS Security Hub, as well as custom compliance rules written with AWS Lambda and AWS Audit Manager. Therefore, the Cloud Foundation Landing Zone – as this deployment of AWS Control Tower is known at Legal & General – allows business divisions to provision a secure and compliant AWS account into which they can build.
Building the team
Another important element of Legal & General’s strategy has been to build out a Centre of Enablement with AWS expertise supporting the growing requirement for AWS across the business. Early on, the Legal & General management team identified the need to move all of their teams from projects to value streams and platforms, products, and services. Historically, projects have been delivered in a linear fashion with workloads passing through a series of gates where security, compliance, and audit reviews have occurred in series. This approach is common to many regulated organizations, but it requires multiple manual steps and doesn’t particularly lend itself to pace, agility, or collaborative working.
The AWS Cloud Foundation team are now employing a platform-as-a-product based delivery model where developers can self-serve and deploy reusable components on demand. When combined with the automated nature of the guardrails deployed using AWS Control Tower, this means that workloads can pass through the development process far more quickly and with fewer delays and blockers, thereby avoiding the need for ongoing manual approvals. Numerous previously manual steps have now been completely eradicated as effort spent on automation has allowed pre-approval of these processes. For example, L&G’s Security Operations Centre (SOC) no longer needs to check and approve that each workload has enabled AWS CloudTrail and is connected to the SOC systems. Instead, they know that if it’s a Cloud Foundation AWS account, then the workload’s CloudTrail is enforced and will automatically be connected to the SOC systems. This makes it easier for workload teams to move faster, as they don’t have to repeat this task each time, while also giving the SOC confidence that deployed workloads meet a high security bar, and that Legal & General are meeting their regulatory obligations. From the outset, guardrails were collaboratively defined, reviewed and agreed among security teams, developers, and –architects. This has provided a vital ongoing feedback loop into the Cloud Foundations platform to make sure of continuous development and improvement.
The following diagrams show how Legal & General have transformed approval processes from workloads passing through “gates” with multiple manual steps to continuous activities delivered at pace, enabled by automated security guardrails.
Figure 1: Legal & General’s manual approval process before AWS Control Tower
Figure 2: Legal & General’s automated approval process after AWS Control Tower
Creating repeatable services
With the core foundations in place, the Legal & General AWS Engineering team started to create building blocks that can be immediately deployed and used by the engineering teams across the business. They are creating repeatable services, such as DNS Self-Service, a centralized Certificate Manager service, and automated backups to a secure vault using AWS Backup. In addition, the team are supporting Legal & General’s businesses to track, control, and plan their cloud spend with a third-party cloud financial management tool and help deliver on Legal & General’s net-zero commitments by providing a carbon calculator dashboard built upon the AWS Customer Carbon Footprint Tool. User experience is paramount with a keen focus on providing the best developer experience, and all services are backed by Infrastructure-as-Code (IaC), thereby making them fully reusable. The available services are continuously evolving and developing based upon customer requirements. Other teams have started to adopt a similar model and are building their own platforms on top of the Cloud Foundation, including an Amazon Elastic Kubernetes Service (Amazon EKS) platform running on AWS Fargate.
In this post, we’ve seen how Legal & General are making sure of security and compliance through the creation of a AWS Control Tower-based foundational platform, thereby allowing the business units to experiment, deploy, and manage in a safe yet flexible environment. By providing this automated, controlled environment with the right guardrails in place to support their regulatory framework, AWS Control Tower has also enabled Legal & General to implement organizational and cultural change to their team structures.
It’s never too late to revisit your Cloud Foundations, as balancing security and agility is a constantly evolving challenge. To find out more, refer to the AWS Control Tower service page.