Control Broker: Financial Services Security Module

Automate security prevention and detection as part of Vertical Relevance's Financial Services Framework (FSF)

Within the financial services industry, one of the most common focuses is ensuring the security of workloads and infrastructure. A security misstep can lead to regulatory fines and a loss of customer trust. To manage risk, security teams often need to review every infrastructure stack – this is time intensive and can slow down innovation. By leveraging policy-as-code, companies can automate governance and security policies to reduce risk while allowing developers to innovate.

Vertical Relevance's solution, Control Broker, empowers developers to get quick and frequent feedback on whether their infrastructure as code (IaC) is compliant with firm-mandated security requirements. Control Broker allows organizations to build customized rules and store them in a centralized directory, which means every part of the business can be subject to the same compliance requirements. Control Broker, a serverless application can be called from any stage of the software development lifecycle (SDLC) from the developer's IDE to the CI/CD build, test, deployment stages, and even integrate with continuous detective solutions through a simple API call.

Vertical Relevance


 United States, Canada


Centralized library of controls

Build a repository of controls that can be centrally updated and distributed

Automated security review 

Automate security policies provides immediate feedback on compliance without manual review 

Accelerate path to production

Leverage a fast path to deployment while ensuring products' compliance via Control Broker 

Security control as a service

Reap benefits with an iterative approach for teams with thousands of security controls 

  • How it works
  • When engaging with customers, Vertical Relevance analyzes existing controls currently in place, identify gaps that need to be filled with new controls, and then builds out the infrastructure to support the evaluation using Vertical Relevance's Control Broker.

    Control Broker provides a foundation for a customer's security evaluation capabilities. At its core, the Control Broker is built to be a serverless application which is a single endpoint that various consumers (CI/CD pipelines, and AWS config rules) can send their resource configuration to and receive a response of compliant or non-compliant.

    The Control Broker and its components:

    1. Policy library: centralized library of security and compliance controls defined as policy as code.

    2. Evaluation engine: leverages controls defined in the policy library to evaluate the compliance of provided resource configuration and return COMPLIANT or NON-COMPLIANT.

    3. Consumer: a tool or service that makes requests to the Control Broker to determine the compliance of a set of resources (CI/CD pipelines, AWS config, and developer workstations).

    When the Control Broker and its components are implemented, the customer will be able to handle preventative and detective controls and keep their environment safe and secure.

  • Key activities
  • Perform due diligence

    Understand current security review processes and discover security controls

    Define controls

    Define the discovered controls in a ticketing system as discrete rules that can be implemented in code

    Implement control broker

    Deploy and configure the Control Broker into the security account designated for centralized control storage

    Deploy controls with policy as code

    Automate each control in a Policy as Code tool chosen by VR and the customer

    Automate functional tests

    Test controls against customer workloads known to be valid (passing current security review)

    Implement Control Broker consumers

    Implement Control Broker consumers to interface with deployment pipelines and artifact repositories

    Empowers continuous adoption

    Train security teams to enforce security and compliance controls across organizations

  • Customer contribution
  • Key personnel 

    Provide access to key personnel across the organization for discovery and due diligence activities 

    Developer access

    Grant read-only permissions for development team members to AWS accounts and code repositories

    Documentation and artifacts

    Share relevant information including internal processes, security policies, and compliance requirements

    Infrastructure as code 

    Provide examples of infrastructure known to be not valid and not valid under the current security review processes

  • About this consultant
  • Vertical Relevance is a consulting firm focused on financial services, including wealth management, asset management, banking, and insurance, helping with the design and delivery of effective transformation programs across people, process, and systems. With 10+ years of AWS and 20+ years of financial services experience, they understand business needs and build solutions to meet sales, marketing, and compliance goals.

  • Architecture diagram

AWS Marketplace Details

Vertical’s AWS validated qualifications, customer references, and office locations.

Blog Post

This post presents different security tools as individual baselines that address different types of vulnerabilities across the AWS cloud environment.

Blog Post

This post outlines how to operationalize PaC with a serverless evaluation engine as part of the broader Control Broker solution.

Explore icon
Explore all Consulting Offers

Browse our portfolio of Consulting Offers to get AWS verified help with solution deployment.

Learn more 
Build icon
Deploy a solution yourself

Browse our library of AWS self-deploy solutions to common architectural problems.

Learn more 
Find an APN Partner icon
Find an AWS Partner

Engage with AWS Partners for secure, innovative, and cost-effective custom solutions that leverage the power and scalability of AWS services to meet your needs.

Learn more