Putting the AWS Security Audit program to the test in FinTech

Brett Gillett

In a recent post, I shared details of the AWS Security Audit program offered by Curious Orbit.

Today I want to show you how this program helped a real customer.

3rd party validation to verify security requirements

CASHiQ is a FinTech startup company based in Hamilton, Canada. The company produces a third party application that financial advisors can use to improve efficiency through online interactions.

For example, the app can be used to store documents, share portfolio information, and even correspond with clients in real time. However, because this app enables sharing of sensitive client data, CASHiQ knew it must ensure that it met the extremely high-security standards to be adopted by financial institutions.

By engaging with us and using the AWS Security Audit offered from Curious Orbit, CASHiQ was able to run a comprehensive assessment of its app’s security and core services used by the CheckiQ application—including Amazon Web Services Identity and Access Management (AWS IAM), Amazon Simple Storage Service (Amazon S3), and Amazon Relational Database Service (Amazon RDS).

The AWS Security Audit checked nearly 100 items against industry best practices. (In fact, the Audit program was developed leveraging guidance provided by AWS and independent organizations.)

Don’t overlook “mundane” issues

Many security audits miss the “mundane” issues—things like proper AWS account setup or appropriate access right for IAM users. While essential, though, these issues can create serious vulnerabilities if left unattended.

CASHiQ was focused on tactical security, like managing digital identities and protecting records during transmission. The company didn’t realize, however, that security also means building robust security into the platform itself, such as using secure and vetted components and software. This is a common issue that we see in almost all audits.

When Curious Orbit engaged with CASHiQ, we educated the company about these risks and provided guidance. This not only helps the company address any current issues it may have but also gives the knowledge toolset to assess its security moving forward.

Triage issues for prioritized remediation

A common concern around security audits is what to do after you receive your audit report. You may have a list of issues but aren’t sure which are the key things to focus on or which will take the most team resources and time.

At Curious Orbit, we make it our priority to outline your priorities clearly. Issues are clearly delineated by the level of priority and risk, which enables customers to begin with the highest priority (or most severe) issues.

During the engagement with CASHiQ, Curious Orbit created a prioritized list of actionable items, starting with those that the FinTech company could use to position its application and AWS account better to meet strict AWS security requirements.

AWS security

As an AWS customer, your organization will benefit from the data centre and network architectures built to meet the requirements of highly security-sensitive organizations. Your organization will also have access to the tools and services that enable you to achieve a better security posture than in your on-premises environment.

AWS instances can scale up and down on demand, and by leveraging pay-as-you-go pricing, you can obtain the security you need without any upfront hardware investments. AWS enables you to keep your data safe, meet compliance requirements, realize more control over your environment, and increase privacy, all at a lower cost.

Brett Gillett


Like what you read? Why not subscribe to the weekly Orbit newsletter and get content before everyone else?