AWS for Industries

How Legal & General manage diverse requirements and deliver value at speed in a highly regulated environment

In virtually every country, financial services organizations are heavily regulated. Although this has often been used as a rationale for a lack of innovation, leveraging controls that are designed for both accountability and speed can allow for innovation and regulation to co-exist.

This post discusses how Legal & General’s central IT function, Group Technology, have implemented a landing zone environment to provide the securely governed multi-account AWS environment that the business needs to go further, faster, and safer. It also provides insights into how Legal & General are combining technology and cultural change to deliver business value.


Established in 1836, Legal & General are one of the UK’s leading financial services groups and a major global investor, with over £1.4 trillion in total assets under management*. Legal & General also provide powerful asset origination capabilities. Together, these underpin leading retirement and protection solutions: they are a major international player in pension risk transfer, in UK and US life insurance, and in UK workplace pensions and retirement income. Legal & General’s purpose is to improve the lives of their customers, build a better society for the long term, and create value for their shareholders. This inspires them to use their long-term assets in an economically and socially useful way to benefit everyone in their communities, as well as to help create their vision of Making a difference through inclusive capitalism.

As each of Legal & General’s businesses embrace the Cloud to become more responsive to their customers’ needs and deliver on their purpose, it’s important that Group Technology works in partnership with them to deliver the right level of agility, speed, and control.

*at 31 Dec 2021

Managing diverse requirements

Legal & General’s organization is divided into federated business divisions. These lines of business use a wide variety of different technologies best suited to their specific needs, ranging from mainframes to serverless. They all collaborate closely, yet they also have diverse operating models and requirements, sometimes even in different regulatory environments. The AWS Cloud Foundation team within Group Technology is centralized. This team acts as an enabler to all business divisions across the organization, making it easier for them to deliver their workloads into AWS at scale.

The team’s aim isn’t to be a gatekeeper, but to enable agility through the creation of reusable patterns and guardrails that empower engineering teams to use AWS in line with all of Legal & General’s policies and standards. This means that divisional engineering teams can consume approved services from the Cloud Foundation and build, test, and operate at their own pace within a set of preventative and detective compliance rules.

Building the foundation

Following initial discussions internally, and after identifying the problem statement and vision, the AWS Cloud Foundation team approached their AWS account team for help. Adopting the same Working Backwards customer-centric methods used internally at Amazon to develop breakthrough innovations, the team started to scope an initial Minimum Loveable Product (MLP). Next, they discussed in more detail how to support Legal & General’s diverse requirements, best practices, recommended approaches and architecture, and how to deliver a solution that provided an agile cloud service to their federated business. As a result of these collaborative discussions, Legal & General and AWS decided to implement AWS Control Tower.

AWS Control Tower provides the easiest way to set up and govern a secure, multi-account AWS environment, called a landing zone. It creates your landing zone using AWS Organizations, bringing ongoing account management and governance, as well as implementation best practices based on AWS’s experience working with thousands of customers as they move to the cloud. Builders can provision new AWS accounts in a few steps, while having peace of mind knowing that accounts conform to company policies. Governance can be extended into new or existing accounts, helping to gain visibility into their compliance status quickly.

The AWS Control Tower architecture was designed and implemented in partnership with the AWS Professional Services team and the AWS Solutions Architect assigned to their account. The solution comprises AWS Control Tower, AWS Config, AWS Security Hub, as well as custom compliance rules written with AWS Lambda and AWS Audit Manager. Together, these make up the Cloud Foundation Landing Zone – as this deployment of AWS Control Tower is known at Legal & General – which allows business divisions to provision a secure and compliant AWS account into which they can build.

Building the team

Another important element of Legal & General’s strategy has been to build out a Centre of Enablement with AWS expertise supporting the growing requirement for AWS across the business. Early on, the Legal & General management team identified the need to move all of their teams from projects to value streams and platforms, products, and services. Historically, projects have been delivered in a linear fashion with workloads passing through a series of gates where security, compliance, and audit reviews have occurred in series. This approach is common to many regulated organizations, but it requires multiple manual steps and doesn’t particularly lend itself to pace, agility, or collaborative working.

The AWS Cloud Foundation team are now employing a platform-as-a-product delivery model where developers can self-serve and deploy reusable components on demand. When combined with the automated nature of the guardrails deployed using AWS Control Tower, this means that workloads can pass through the development process far more quickly and with fewer delays and blockers, thereby avoiding the need for ongoing manual approvals. Numerous previously manual steps have now been completely eradicated, as effort spent on automation has allowed pre-approval of these processes. For example, L&G’s Security Operations Centre (SOC) no longer needs to check and approve that each workload has enabled AWS CloudTrail and is connected to the SOC systems. Instead, they know that if it’s a Cloud Foundation AWS account, then the workload’s CloudTrail is enforced and will automatically be connected to the SOC systems. This makes it easier for workload teams to move faster, as they don’t have to repeat this task each time, while also giving the SOC confidence that deployed workloads meet a high security bar, and that Legal & General are meeting their regulatory obligations. From the outset, guardrails were collaboratively defined, reviewed, and agreed among security teams, developers, and architects. This has provided a vital ongoing feedback loop into the Cloud Foundations platform to ensure continuous development and improvement.
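The CloudTrail guardrail described above combines the two kinds of compliance rule mentioned in the “Managing diverse requirements” section: a preventative control that stops a workload team from switching the trail off, and a detective control that keeps checking the account and reports its status. The following Python code is an added illustration of that pair and is not Legal & General’s or AWS’s own implementation. The service control policy content, the compliance bar (multi-region trail, log file validation on, logging active), and the IAM permissions assumed for the Lambda role are all assumptions for the example; the trail records used by the test are constructed.

```python
"""Detective guardrail for AWS CloudTrail, written as a custom AWS Config rule.

Example code added for illustration; it is not Legal & General's or AWS's own
rule. The pure function evaluate_trails() holds the policy so it can be tested
offline; lambda_handler() is the thin AWS Config wrapper around it.
"""
import json
from typing import Dict, List, Tuple

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"

# Preventative guardrail (assumed policy content): a service control policy that
# the landing-zone team attaches at the OU level. Principals inside a member
# account cannot override it, so they cannot stop, alter or delete the trail.
DENY_TRAIL_TAMPERING_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyCloudTrailTampering",
        "Effect": "Deny",
        "Action": [
            "cloudtrail:StopLogging",
            "cloudtrail:DeleteTrail",
            "cloudtrail:UpdateTrail",
        ],
        "Resource": "*",
    }],
}


def evaluate_trails(trails: List[Dict], statuses: Dict[str, Dict]) -> Tuple[str, str]:
    """Decide whether an account's CloudTrail configuration meets the bar.

    trails   -- the 'trailList' entries from cloudtrail.describe_trails()
    statuses -- TrailARN -> the dict returned by cloudtrail.get_trail_status()
    Returns (compliance_type, annotation).

    Assumed bar: at least one trail that is multi-region, currently logging,
    and has log file validation enabled (so the SOC can trust delivered logs).
    """
    if not trails:
        return NON_COMPLIANT, "No CloudTrail trail exists in this account"
    problems = []
    for trail in trails:
        arn = trail.get("TrailARN", trail.get("Name", "<unknown>"))
        status = statuses.get(arn, {})
        missing = []
        if not trail.get("IsMultiRegionTrail"):
            missing.append("not multi-region")
        if not trail.get("LogFileValidationEnabled"):
            missing.append("log file validation disabled")
        if not status.get("IsLogging"):
            missing.append("logging stopped")
        if not missing:
            return COMPLIANT, f"Trail {arn} is multi-region, validated and logging"
        problems.append(f"{arn}: {', '.join(missing)}")
    # AWS Config accepts annotations of at most 256 characters.
    return NON_COMPLIANT, "; ".join(problems)[:256]


def lambda_handler(event, context):
    """AWS Config entry point for a periodically triggered custom rule.

    Assumes the Lambda execution role may call cloudtrail:DescribeTrails,
    cloudtrail:GetTrailStatus and config:PutEvaluations.
    """
    import boto3  # imported lazily so evaluate_trails() runs without boto3

    cloudtrail = boto3.client("cloudtrail")
    trails = cloudtrail.describe_trails(includeShadowTrails=False)["trailList"]
    statuses = {
        t["TrailARN"]: cloudtrail.get_trail_status(Name=t["TrailARN"]) for t in trails
    }
    compliance, annotation = evaluate_trails(trails, statuses)

    invoking_event = json.loads(event["invokingEvent"])
    boto3.client("config").put_evaluations(
        Evaluations=[{
            "ComplianceResourceType": "AWS::::Account",
            "ComplianceResourceId": event["accountId"],
            "ComplianceType": compliance,
            "Annotation": annotation,
            "OrderingTimestamp": invoking_event["notificationCreationTime"],
        }],
        ResultToken=event["resultToken"],
    )
    return compliance


# Constructed sample records in the shape the CloudTrail API returns.
SAMPLE_TRAIL = {
    "Name": "cloud-foundation-trail",
    "TrailARN": "arn:aws:cloudtrail:eu-west-2:111111111111:trail/cloud-foundation-trail",
    "IsMultiRegionTrail": True,
    "LogFileValidationEnabled": True,
}
SAMPLE_STATUS = {SAMPLE_TRAIL["TrailARN"]: {"IsLogging": True}}

if __name__ == "__main__":
    print(evaluate_trails([SAMPLE_TRAIL], SAMPLE_STATUS))
    print(json.dumps(DENY_TRAIL_TAMPERING_SCP, indent=2))
```

The split between the pure evaluator and the handler is deliberate: the compliance bar can be reviewed and tested by the security team without AWS credentials, and the Config evaluation that Security Hub surfaces is produced only by the thin wrapper. In a landing zone the SCP and the Config rule are deployed by the foundation team, so the detective rule mainly catches drift in accounts that predate the guardrail or trails misconfigured before the policy applied.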

The following diagrams show how Legal & General have transformed approval processes from workloads passing through “gates” with multiple manual steps to continuous activities delivered at pace, enabled by automated security guardrails.

Figure 1: Legal & General’s manual approval process before AWS Control Tower

Figure 2: Legal & General’s automated approval process after AWS Control Tower

Creating repeatable services

With the core foundations in place, the Legal & General AWS Engineering team started to create building blocks that can be immediately deployed and used by the engineering teams across the business. They are creating repeatable services, such as DNS Self-Service, a centralized Certificate Manager service, and automated backups to a secure vault using AWS Backup. In addition, the team are supporting Legal & General’s businesses to track, control, and plan their cloud spend with a third-party cloud financial management tool and help deliver on Legal & General’s net-zero commitments by providing a carbon calculator dashboard built upon the AWS Customer Carbon Footprint Tool. User experience is paramount with a keen focus on providing the best developer experience, and all services are backed by Infrastructure-as-Code (IaC), thereby making them fully reusable. The available services are continuously evolving and developing based upon customer requirements. Other teams have started to adopt a similar model and are building their own platforms on top of the Cloud Foundation, including an Amazon Elastic Kubernetes Service (Amazon EKS) platform running on AWS Fargate.

Conclusion

In this post, we’ve seen how Legal & General are ensuring security and compliance through the creation of an AWS Control Tower-based foundational platform, thereby allowing the business units to experiment, deploy, and manage in a safe yet flexible environment. By providing this automated, controlled environment with the right guardrails in place to support their regulatory framework, AWS Control Tower has also enabled Legal & General to implement organizational and cultural change to their team structures.

It’s never too late to revisit your Cloud Foundations, as balancing security and agility is a constantly evolving challenge. To find out more, refer to the AWS Control Tower service page.

Darren Ash, Senior Customer Solutions Manager

Darren is a Senior Customer Solutions Manager working within the AWS UK Financial Services team. He helps Financial Services customers accelerate their cloud maturity and use the cloud to transform their business. Outside of work, Darren enjoys mountain biking, getting outdoors with his wife and daughters, and is an avid reader, especially of Science Fiction.

Andi Brocks, Principal Solutions Architect

Andi Brocks is a Principal Solutions Architect within the AWS UKI Financial Services Team. Andi works with our largest FS customers to execute on their cloud strategies. Andi has over 10 years’ experience in the Financial Services industry.