
Standardizing Security after an Acquisition Using AWS Shield with Chetwood Financial
Learn how Chetwood Financial, a UK-based digital bank, secured its perimeter using AWS Shield.
3x boost in InfoSec team productivity
Delivered unified security insights
Boosted confidence in perimeter security
Advanced security culture organization-wide
Automated security and compliance tasks
Overview
When digital banking innovator Chetwood Financial Ltd. (Chetwood Financial) acquired core banking provider Yobota in 2022, the bank needed the latest approach to cybersecurity. It wanted to gain unified visibility across its numerous Amazon Web Services (AWS) accounts to meet stringent security and compliance requirements. However, it was difficult for teams to govern two separate technical estates. Using AWS, Chetwood Financial standardized and unified its security posture by creating a comprehensive security operations framework that is scalable and future-proof. “Combining these organizations was helpful for us because it gave us a single source of truth for security and compliance,” says Harry Carr, lead security engineer at Chetwood Financial.

Opportunity | Using AWS to Build a Unified Security Framework for Chetwood Financial
Founded in 2016, Chetwood Financial is on a mission to challenge every aspect of how financial services firms operate. The bank focuses on launching consumer-led propositions designed for underserved market segments, such as innovative savings and loan products. When Chetwood Financial acquired Yobota, its information security (InfoSec) team was challenged to deliver a unified governance initiative across both technology estates—a sizable challenge. “The initiative was the most significant security investment in the bank’s history. It was bold and ambitious,” says Abdul Khader, security subject matter expert at Chetwood Financial.
The digital bank, which is cloud native and all in on AWS, decided to design and implement its unified governance initiative using a suite of AWS services. “We evaluate alternative market products, and choosing AWS is almost always a no-brainer for us to deliver quickly and effectively,” says Sean McKeown, head of InfoSec at Chetwood Financial. Before implementing any service, the InfoSec team deliberated on the best way to redesign Chetwood Financial’s security posture and deliver business and security value as early as possible. The bank then drew on a combination of specialists in Chetwood Financial’s engineering department—along with external partners and its proactive engagement with the AWS team—to discuss proposals, collaboratively refine architecture, and verify that the solution followed AWS best practices.

“This project on AWS was a game changer. Instead of fighting to tread water, we’re now proactively delivering leading-edge security capabilities across all security domains to the business.”
Sean McKeown
Head of Information Security, Chetwood Financial Ltd.
Solution | Increasing InfoSec Productivity by 3x Using Managed Services on AWS
Chetwood Financial set out to mature its security capability incrementally and continuously, working to improve security from the perimeter in. On its perimeter, the bank implemented AWS Shield, which provides near-real-time visibility and powers the mitigation of sophisticated distributed denial of service events. It also set up managed rules for AWS Web Application Firewall (AWS WAF), a service for protecting against common web exploits and bots. Chetwood Financial also boosted productivity by using infrastructure as code and centralized shared modules that are deployed for each of its workloads, thereby unlocking scalability. “Using AWS WAF and AWS Shield, we have increased confidence in our perimeter security,” says Khader.
Chetwood Financial used other AWS services in unison to automate security checks and boost efficiency for the InfoSec team. On AWS Security Hub—a service to automate AWS security checks and centralize security alerts—Chetwood Financial gains a unified source of insight into all security events across its estate. With greater visibility into current compliance levels across all of Chetwood Financial’s AWS accounts, internal engineering teams are empowered to deliver better reporting, prioritize high-value tasks, and protect assets. With enhanced visibility, the bank can also more efficiently comply with relevant legislation and regulatory requirements, including General Data Protection Regulation rules. “Now, we’re doing compliance evaluations in a consistent and automated way with minimal overhead using out-of-the-box services from AWS,” says Khader.
“Using AWS Security Hub turned out to be a game changer for us,” says McKeown. “With it, we gained a single-pane view into our compliance posture. By consolidating findings from various AWS security services, using AWS Security Hub made it simpler for our security team to identify and rectify potential risks promptly.”
To automate its security controls and deploy controls across both organizations, Chetwood Financial uses AWS Control Tower, which orchestrates multiple AWS services. The bank has significantly reduced the workload for its InfoSec team by automating processes, including saving an estimated 40 hours per month because the team no longer needs to manually generate a compliance report. Using automation, Chetwood Financial also reduced the time it takes to provision accounts from half a day to 5–10 minutes. In addition to saving time, automation minimizes the risk of human error to the company’s security posture. “Now, our controls are automatically deployed to both organizations,” says Carr. “The management workload and overhead is drastically smaller when automated, internally-defined security baselines are consistently deployed across all AWS accounts.”
As a result of these changes, the InfoSec team has shifted from a reactive to a proactive approach when it comes to dealing with security events, including using key performance indicator monitoring, key risk indicator monitoring, and threat modeling to prevent issues. “This initiative has embedded a culture of security by creating awareness about the estate for the wider team and stakeholders,” says Khader. By rolling out its unified governance initiative, Chetwood Financial has greatly enhanced communication between its InfoSec and engineering disciplines, meaning they can surface and address problems effectively. Team members are now focused on building new features to improve the bank’s security posture, such as preventive controls that will keep new projects compliant from the get-go. “We’re tackling leading-edge initiatives that seemed years away before we implemented this project, and we only delivered it in early 2023,” says McKeown.

Outcome | Continuing to Mature Cybersecurity Using AWS
Chetwood Financial isn’t done yet. The bank plans to mature its InfoSec capability further by refining its use of AWS services combined with modern DevSecOps approaches. “Now, we’re introducing a combination of detective, preventive, and corrective controls to enhance the compliance of operations across Chetwood Financial,” says Khader.
The bank is ready to take the next steps in its growth with comprehensive security operations on AWS. “This project on AWS was a game changer,” says McKeown. “Instead of fighting to tread water, we’re now proactively delivering leading-edge security capabilities across all security domains to the business.”
About Chetwood Financial Ltd.
Chetwood Financial Ltd. is a digital bank that advances financial products for underserved market segments. For example, the bank offers a loan that rewards customers for credit score improvements with a reduced interest rate.
AWS Services Used
AWS WAF
AWS Web Application Firewall (AWS WAF) helps you protect against common web exploits and bots that can affect availability, compromise security, or consume excessive resources.
AWS Security Hub
Use AWS Security Hub to automate security best practice checks, aggregate security alerts into a single place and format, and understand your overall security posture across all of your AWS accounts.
AWS Shield
AWS Shield is a managed DDoS protection service that safeguards applications running on AWS.
AWS Control Tower
Use AWS Control Tower to set up and operate your multi-account AWS environment with prescriptive controls designed to accelerate your cloud journey.