Kasasa Automates Sensitive Information Detection Using Amazon Macie

As a provider that oversees the sensitive data of community financial institutions across the country, the wholesale financial services company Kasasa aims to be as technologically robust as it is foundationally secure. The company needed an automated and efficient way to identify sensitive information and operationalize security for its customers and their clients. To automate its processes and secure its environment in the cloud, Kasasa worked with multiple Amazon Web Services (AWS) solutions, including Amazon Macie, a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect sensitive data in AWS. Using AWS solutions, Kasasa has improved the security of its data and, in turn, bolstered trust among its customer institutions.

Kasasa delivers a wide portfolio of services for small community financial institutions, such as banks and credit unions. These services include building and maintaining its customer institutions’ websites, providing marketing services, and offering differentiated products, such as free rewards checking, noninterest income–generating solutions, and loans that allow borrowers to pay ahead and take back any extra they’ve paid if needed.

Kasasa serves small community financial institutions, which sometimes don’t have ready access to technical resources or possess the experience to work in the cloud space. Some of these institutions might have only one person in their IT departments, or their tech specialist is also their head of retail. But regardless of size, they can operate only if consumers can trust that their personal information and financial data will be secure in the cloud. Thus, Kasasa is committed to providing its clients with technical capabilities and being a careful custodian of their sensitive data.

However, before it turned to AWS solutions, Kasasa lacked the tools to quickly and simply verify data or identify sensitive information. Much of its knowledge had come from manual reviews or the manual discovery of an issue in the environment. The company faced a challenging and time-consuming process of taking inventory and parsing the information to become fully aware of its sensitive data.

In 2016, Kasasa began using AWS to address some of its security concerns. Prior to that, the company had relied on a traditional data center model, and most of its applications ran on various hypervisors. To keep track of changes in its environment and maintain a high level of security, Kasasa runs its environment through Terraform, an open-source infrastructure-as code (IaC) software tool. Kasasa’s move to AWS and an entirely cloud-based solution meant that it could incorporate processes into its infrastructure through IaC. Because AWS has a repository of existing code to accomplish tasks on AWS using Terraform, everything the company wanted to do was already supported.

But Kasasa still needed a way to inventory sensitive data. For this, the company turned to Amazon Macie, a solution that automates the discovery of sensitive data at scale and lowers the cost of protecting data. Because Macie works alongside Terraform, the Kasasa team was able to use Terraform modules to set up templates for jobs that had different use cases and configuration criteria. It was also able to bundle all the Macie–related AWS resources within a single Terraform project that could be applied to multiple accounts. “The way Amazon Macie works is a natural fit with IaC because the jobs within Amazon Macie are immutable. Amazon Macie gives us more control over the change process and helps us stay accurate,” says Michael Pearcy, a cloud security engineer at Kasasa.

Running discovery jobs on Macie is a quick and automated process, taking from 30 minutes to a few hours depending on the volume of data. Most importantly, Macie gives the Kasasa team visibility it wouldn’t otherwise have because it wouldn’t have the means or the resources to do this type of discovery without a tool like Macie.

The team uses Macie alongside AWS Security Hub, a cloud security posture management service that performs security best-practice checks, aggregates alerts, and facilitates automated remediation. The security scores provided by Security Hub have helped Kasasa to build a framework for how to secure its environment in the cloud. “Having a central dashboard where we can improve visibility into the configurations in the environment is very helpful because we can just go in there and remediate,” says Emmanuel Babalola, a cloud security engineer at Kasasa. “It helps us better our security posture in the environment.”

The Kasasa team also incorporated Amazon Athena, an interactive query service that makes it easy to analyze data in Amazon Simple Storage Service (Amazon S3)—object storage built to retrieve any amount of data from anywhere—using standard SQL. Using Macie alongside Athena provided the team with comprehensive visibility in its data security posture, including the presence of sensitive information. With the newly gained information about what resources needed to be protected, the team had some direction when discussing sensitive data. This knowledge, in turn, lowered the risks associated with data protection. “Having that kind of inventory, a comprehensive look at our data definitely reduces our risk,” says Pearcy. “We can check that we are aligned with different compliance standards for our protection and our users’ protection.”

Kasasa’s next phase in deploying AWS security solutions includes expanding its use of Amazon Macie. The Kasasa team aims to create automated discovery jobs to get immediate feedback about sensitive data that may be at risk.

Using Amazon Macie and other AWS security-related solutions has helped Kasasa to demonstrate that it follows best practices in data auditing. In an industry where security is paramount, this gives its customer institutions reassurance that their data will be safe. “The trust that the industry holds in cloud security due to the reputation of AWS is really integral to being able to convey that sense of trust with these smaller financial institutions,” says Pearcy.