Principal Financial Group® Strengthens Cloud Security with AWS Experts

Principal focuses on improving the wealth and well-being of people and businesses. With a workforce today of nearly 20,000 employees, Principal serves approximately 68 million customers worldwide, offering services in financial planning, protection, investment, and retirement. Principal has long prioritized data security and compliance, operating under the National Institute of Standards and Technology (NIST) Cybersecurity Framework and actively championing cybersecurity industry wide. As part of an ongoing technology transformation, Principal is enhancing security, agility, and scalability by migrating the majority of its workloads to AWS, its preferred cloud services provider.

Each workload Principal migrates to AWS undergoes extensive security controls and reviews covering governance, assurance, identity access management (IAM), threat detection, and infrastructure protection. Matt Raveling, assistant vice president of technology at Principal, explains, “Maintaining a strong security posture is fundamental to cloud adoption. As an organization, we believe that being responsible means being highly security conscious.”

As Principal began moving more workloads to the cloud, its teams recognized the need to further elevate its cloud security posture through a more systematic, efficient approach. To align security structure, roles, skillsets, and tools with cloud requirements, legacy processes had to be optimized; these outdated workflows had created bottlenecks in AWS and workload approvals, slowing innovation. "We didn’t have the scale of people aligned with what was required," says Raveling. "We were progressing, but it wasn’t consistent enough to meet our cloud needs or business objectives. We wanted to move at the same speed as the business."

Principal engaged AWS experts, including AWS Professional Services, the AWS Security Assurance Services team, and AWS Training & Certification for its migration. First, AWS conducted capability maturity assessments for current operations and skills using the AWS Cloud Adoption Framework (AWS CAF) to assess cloud readiness, and the AWS Well-Architected Framework to review security practices.

Based on the findings, AWS experts documented capability scopes, targeted objectives, and prioritized roadmaps. Together, Principal and AWS implemented a Cloud Security Operating Model (CSOM) Accelerator and CSOM framework to speed up Principal's cloud adoption and achieve intended business outcomes by addressing people- and process-related opportunities in enterprise cloud transformation.

Principal worked with AWS consultants to document and enhance appropriate security controls for its specific cloud environment and services based on its rigorous legal and regulatory requirements, corporate policies, security standards, cloud operating model, and best practices. In addition, AWS helped Principal implement recommendations from the AWS Cloud Adoption Framework to mature Principal’s security program on AWS across five core pillars: identity and access management, detection, infrastructure security, data protection, and incident response. As part of the process, the company worked with AWS to implement security controls and use AWS tools and third-party solutions for detecting, preventing, and taking proactive security measures.

Raveling comments, “AWS did a great job of working with each of our capability owners, helping them understand their capability and best practices. It meant they could expand training to some of their staff, giving us a point person with a decent foundation of knowledge to whom the security team could turn.” Principal also upskilled its security team members through hands-on AWS Training and used AWS Skill Builder, an on-demand learning center, to help employees develop relevant AWS skills. Consequently, this helped fast-track the migration of applications and workloads to the cloud and reduced the time required for approving new cloud products and services.

With the support of AWS experts, Principal established cloud security best practices that enabled faster cloud adoption by helping the company focus on execution rather than troubleshooting. Principal advanced several security capabilities, confirming the presence of robust security controls, best practices, and continuous monitoring tools.

The project has made it faster and easier to approve and configure new AWS services. It has also provided software engineers with clear, easily accessible best practices to follow when using AWS services. This has given the Principal security team a boost in efficiency—reducing security architecture review processes from months to weeks and improving time to market. “Working with AWS experts, we’ve established a cloud security operating model that enhances our security posture, accelerates our development process, and meets our speed-to-market goals securely,” Raveling says.

Furthermore, by further advancing its security posture, Principal is more confident in pursuing the development of AI initiatives through multiple AWS services. Developers saw services like Amazon Bedrock, Amazon Translate, and Amazon SageMaker quickly go through internal approval processes thanks to the streamlined security processes. “The AI space is evolving quickly,” Raveling concludes, “and AWS is helping us ensure we have the right security associated with the technology while supporting innovation.”