What issue can we solve for you?
Type in your prompt above or try one of these suggestions
Suggested Prompt
Insight
How to have an overarching effective position on security
How to have an overarching effective position on security
While an upsurge in technology transformation and its adoption continues to yield more innovative products and services, it has also exposed us to greater risks. It’s critical to strike the right balance between transformative innovations and risk management.
As we improvise designs and implementations, Security framework becomes even more important and a parallel focus area. This makes encryption of data- at-rest and data-in-motion imperative. Lack of enterprise encryption results into a Key Management System as a Service; and it is commonly known as KMaaS.
Covering Overreaching Business Challenges
Nationwide Building Society adopted cloud-native technologies to elevate the overall security posture by implementing an end-to-end KMaaS, which covers these overarching business challenges:
- Need for robust and certifiable automated provisioning of enterprise keys and secrets management used by applications, containers and VMs running on multi cloud and on-premise
- Avoiding Cloud Service Providers (CSP) lock-in while serving multiple service providers
- Uninterrupted CI-CD Pipeline i.e. seamless integration onto existing DevSecOps
- Need for an easily deployable, quickly deliverable and a cost-efficient solution
Reviewing their legacy systems, Nationwide determined that there was a significant need for a new process to support how keys/credentials should be issued and managed. The absence of a centralized system was expensive and came with higher risk. Since KMaaS is a centralized key management system, at any given point, if either CSPs (AWS/Azure) failed, the application still remains functional. There is no lock-in period with any CSP, which means users have the flexibility to lift and shift from AWS to Azure and vice-versa.
Integration between KMaaS and any DevSecOps tool (e.g., Jenkins, Kubernetes etc.) is an out of the box solution provided by Hashi Corp vault, which makes integration easier with less manual intervention.
The implementation of the solution was not easy, as the roll-out saw seasoned professionals facing project level challenges, including, achieving the right balance between value delivered and governance required. Some enabler capabilities/stories (such as HSM-Hardware Security Model) were not fully mature and required temporary solutions that added to tech debt.
Nationwide and Publicis Sapient worked as a team on the challenges and conceived the KMaaS solution in early 2020 which followed a successful prototype with a Minimum Viable Product (MVP) in Nov 2020. In a short span of 10 months, we moved from inception to go-live.
This KMaaS solution was built using HashiCorp’s Vault technology and native hardware security modules from cloud providers. The solution was hosted as a stretch capability across AWS and Azure. It offers centralized control over the cryptographic keys used to protect data across applications, containers and infrastructure, both in the cloud and on-premise.
KMaaS is a first truly in multi-region, multi-cloud capability accessible by consumers across AWS, Azure and on-premise. It demonstrates how teams can collaborate to produce outstanding results with multiple features against aggressive timeframes. Some of the key features are listed below.
-
![]()
Static secrets (key values)
Static secret key values are credentials intended to be used for relatively long periods to access applications. Vault as part of KMaaS solution helps us securely store them.
-
![]()
Dynamic secrets for supported databases
Dynamic secrets keys are not pre-existed credentials as they are generated every time when the applications are accessed. This lowers the possibility of the credentials being exposed.
-
![]()
Active Directory authentication
AWS/Azure users of KMaaS are authenticated via Active Directory, this helps in the onboarding and offboarding of users from KMaaS.
-
![]()
KMIP for data encryption at rest
KMIP is a standardized protocol that allows services and applications to perform cryptographic operations without needing direct access to cryptographic material, by delegating its storage and lifecycle to a key management server.
-
![]()
PKI certificate generation and sign-off in minutes instead of weeks
Public Key Infrastructure (PKI) certificates provide a framework that enables cryptographic data security technologies such as digital certificates and signatures to be effectively and quickly deployed on a mass scale.
-
![]()
Backed by HSMs across AWS and Azure
Hardware security Module (HSM) is a physical device that protects and stores highly sensitive cryptographic data.
-
![]()
Multi-Region Deployment
Multi-region deployment on AWS for DR (Disaster Recovery) and seamless patching/ updates.
-
![]()
Availability
KMaaS tool is built to be highly available.
-
![]()
Compliance
It is aligned and complaint to Client’s (Nationwide) Public Key infrastructure (PKI) Certificate Authority (CA), on-prem, It’s also Payment Card Industry (PCI) complaint.
Nationwide was extremely satisfied with the new solution
This solution enabled us to accomplish Vault compliance with FIPS 140-2. Also, Vault is backed by Hardware Security Module (HSM), which is typically used by most security conscious organizations. The solution was built in such a way that AWS, Azure and on- prem can connect to one centralized system. This helped to optimize licenses/IT resources which in return resulted in cost savings. Penetration testing (process to ensure that there are no security loopholes or vulnerabilities) was done which concluded with zero high-severity issues. This certifies that KMaaS is adhering to all the cloud controls.
“It’s great to see that with partners like Publicis Sapient, Nationwide can build world class infrastructure such as key management as a service which was deployed on multiple regions and cloud providers under 6 months. This helped Nationwide to achieve fully automated deployment when it comes to encryption, secrets, and certificates and reduced overall deployment of products which means we can get products to our consumers faster than ever before.”
Saeed Abdi , Security Principal Lead, CTO Cloud Platform (Nationwide Building Society)
Initially, Publicis Sapient onboarded new Nationwide projects/applications on to the KMaaS tool. Following this, we gave existing projects time to migrate their applications from the current Vault clusters to KMaaS before sunsetting the existing clusters. Many Nationwide new projects started using KMaaS which allowed them to centrally store, manage and maintain a huge number of cryptographic keys safely and efficiently.
-
![]()
Customer Data Platform: Switch on Your Sixth Sense
Publicis Sapient was born in the digital age, for the digital age. We offer customer-first insights and solutions to ensure our clients get the right CDP for their industry and individual challenges — fast.
-
![]()
Our Customer Data Platform (CDP) Quickstart Approach
This fast, deployable solution provides the cloud-native components to make it easier for companies to build an open source customer data platform (CDP). The tools are here to create a platform that enables data independence and customer centricity for everyone.
-
![]()
Building an Intelligence-Driven Consumer Products Firm
For CP firms, data transformation is about making better decisions that directly support critical business problems. This means establishing a process to capture, organize and analyze data across multiple sources to inform decision-making across the entire organization.
