
Cloud-Driven Security: A Financial Giant’s Approach to Safeguarding their Data

by Declan Lording

Data security is paramount in the financial services industry, where institutions handle vast amounts of sensitive information. As one of the largest banks in North America, a major financial institution has embraced a “Digital First” strategy, driving the need to innovate and modernize its data management processes while ensuring strict compliance with cybersecurity requirements. This article examines how this institution leveraged Amazon Redshift and AWS Lake Formation to create a secure, scalable, and efficient analytic environment that meets stringent data protection standards.

Challenges in Data Security and Compliance

The institution’s commitment to digital transformation required them to secure personally identifiable information (PII), Payment Card Industry (PCI) data, and high privacy risk (HPR) data. Given the sensitivity of this data, they needed a solution that provided fine-grained access control, encrypted data storage, and robust identity management.

The primary challenge lay in implementing field-level encryption and managing access control for different user roles. The diverse user base, including business analysts, data engineers, and data scientists, required access to data tailored to their specific roles and responsibilities. The bank needed to ensure that only authorized personnel could access sensitive data in clear text, whether it was stored in Amazon Redshift or in their Amazon S3 data lake.

Solution Overview: Integrating Amazon Redshift with AWS Lake Formation

The institution addressed these challenges by integrating Amazon Redshift with AWS Lake Formation, two powerful tools that enable secure and efficient data management.

Amazon Redshift is a fully managed data warehouse that offers industry-leading security features, including built-in identity management, single sign-on (SSO), and multi-factor authentication. Redshift’s Spectrum feature allows direct querying of data stored in Amazon S3, enabling the institution to modernize its data platform without sacrificing performance or security.

AWS Lake Formation, the second component, provides fine-grained access control over the data lake, allowing the bank to implement tag-based access control (TBAC) and ensure that only authorized users can access specific data.

Implementing Role-Based Access Control (RBAC) and Tag-Based Access Control (TBAC)

To meet their security requirements, the institution implemented a combination of role-based access control (RBAC) in Amazon Redshift and tag-based access control (TBAC) in AWS Lake Formation. This approach allowed the bank to manage permissions based on data classification rather than creating complex permutations of roles across different business lines.

1. RBAC Implementation in Amazon Redshift

The institution defined multiple AWS Identity and Access Management (IAM) roles aligned with their data classifications. These roles were mapped to user groups in an external identity provider (IdP), which was integrated with Amazon Redshift for seamless SSO. For example, users in the “lob_risk_public” group were granted access to less sensitive data, while those in the “lob_risk_pci” group could access PCI data.

The RBAC implementation in Amazon Redshift ensured that users could only access data relevant to their roles, thereby minimizing the risk of unauthorized access to sensitive information.

2. TBAC Implementation in AWS Lake Formation

AWS Lake Formation’s TBAC features allowed the institution to apply fine-grained access control to data stored in Amazon S3. The bank created Lake Formation tags corresponding to different data classifications (e.g., PII, PCI, HPR) and assigned these tags to specific tables in the AWS Glue Data Catalog.

This approach enabled the institution to restrict access to data based on both the user’s role and the classification of the data. For example, a user whose role was granted the “Classification” tag value for PCI data could access tables tagged as PCI, while a user whose role was granted only the non-sensitive value could access only non-sensitive tables.
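The following is an added example, not the bank’s configuration, of how the RBAC and TBAC pieces described above fit together: tables in the Glue Data Catalog carry a “Classification” LF-Tag, and each IAM role (one per IdP group such as lob_risk_public or lob_risk_pci) is granted SELECT on a tag expression rather than on individual tables. The tag values, table names, the 123456789012 account id and the role ARNs are constructed placeholders. The request builders produce the real boto3 lakeformation call shapes; the evaluation function is plain Python so the file runs offline.

```python
"""Tag-based access control in the Lake Formation style (added example)."""
from dataclasses import dataclass
from typing import Optional

TAG_KEY = "Classification"
TAG_VALUES = ("public", "pii", "pci", "hpr")      # constructed classification levels


@dataclass(frozen=True)
class Table:
    database: str
    name: str
    classification: Optional[str] = None           # None = never tagged


@dataclass(frozen=True)
class TagGrant:
    principal_arn: str
    tag_values: frozenset                          # values are OR'd inside one expression entry
    permissions: tuple = ("SELECT",)


def lf_tag_policy_resource(tag_values, resource_type="TABLE"):
    """'Resource' argument for grant_permissions/revoke_permissions."""
    return {"LFTagPolicy": {
        "ResourceType": resource_type,
        "Expression": [{"TagKey": TAG_KEY, "TagValues": sorted(tag_values)}]}}


def grant_request(grant):
    """Keyword arguments for lakeformation.grant_permissions()."""
    return {"Principal": {"DataLakePrincipalIdentifier": grant.principal_arn},
            "Resource": lf_tag_policy_resource(grant.tag_values),
            "Permissions": list(grant.permissions)}


def tag_table_request(table):
    """Keyword arguments for lakeformation.add_lf_tags_to_resource()."""
    if table.classification not in TAG_VALUES:
        raise ValueError(f"unknown classification for {table.name}: {table.classification!r}")
    return {"Resource": {"Table": {"DatabaseName": table.database, "Name": table.name}},
            "LFTags": [{"TagKey": TAG_KEY, "TagValues": [table.classification]}]}


def accessible_tables(principal_arn, grants, tables):
    """Tables the principal can SELECT. A table is visible only when one of the
    principal's grants lists the table's classification; an untagged table
    matches no expression, so nobody can read it (default deny)."""
    allowed = set()
    for g in grants:
        if g.principal_arn != principal_arn or "SELECT" not in g.permissions:
            continue
        allowed.update((t.database, t.name) for t in tables
                       if t.classification is not None and t.classification in g.tag_values)
    return sorted(allowed)


def apply(lf_client, tables, grants):
    """Push the model with a boto3 'lakeformation' client (not executed offline).
    Order matters: the tag must exist before tables are tagged or expressions granted."""
    lf_client.create_lf_tag(TagKey=TAG_KEY, TagValues=list(TAG_VALUES))
    for t in tables:
        if t.classification is not None:
            lf_client.add_lf_tags_to_resource(**tag_table_request(t))
    for g in grants:
        lf_client.grant_permissions(**grant_request(g))


# Constructed sample catalog for one line of business; 'staging_dump' is left untagged.
ACCOUNT = "123456789012"                            # placeholder account id
PUBLIC_ROLE = f"arn:aws:iam::{ACCOUNT}:role/lob_risk_public"
PCI_ROLE = f"arn:aws:iam::{ACCOUNT}:role/lob_risk_pci"
SAMPLE_TABLES = [
    Table("risk_db", "branch_summary", "public"),
    Table("risk_db", "customer_profile", "pii"),
    Table("risk_db", "card_transactions", "pci"),
    Table("risk_db", "staging_dump"),
]
SAMPLE_GRANTS = [
    TagGrant(PUBLIC_ROLE, frozenset({"public"})),
    TagGrant(PCI_ROLE, frozenset({"public", "pci"})),
]

if __name__ == "__main__":
    for role in (PUBLIC_ROLE, PCI_ROLE):
        print(role.rsplit("/", 1)[1], "->", accessible_tables(role, SAMPLE_GRANTS, SAMPLE_TABLES))
    # A table added later needs only its tag; no grant on any role has to change.
    later = SAMPLE_TABLES + [Table("risk_db", "card_refunds", "pci")]
    print("after new pci table ->", accessible_tables(PCI_ROLE, SAMPLE_GRANTS, later))
```

The point the evaluation makes is the one the article gives for preferring classification over role permutations: adding a table or a business line changes only the tags on the catalog entries, never the grants, and a table that was never classified is invisible to every role until someone deliberately tags it.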

Technical Solution: Streamlining Data Security

The integration of Amazon Redshift and AWS Lake Formation enabled the institution to streamline its data security processes while maintaining high performance and scalability.

1. Data Ingestion and Classification

The institution ingested data into Amazon S3, categorizing it according to its sensitivity (e.g., PII, PCI, HPR). AWS Glue crawlers were used to automatically catalogue this data into databases and tables, which were then assigned appropriate Lake Formation tags.

2. External Schemas and IAM Role Mapping

The institution created external schemas in Amazon Redshift that referenced the catalogued data in Amazon S3. These schemas were mapped to specific IAM roles, ensuring that users could only access data in accordance with their permissions.

3. Automated Access Provisioning

To simplify access management, the institution developed an automated provisioning framework. A central repository of users and their access levels was maintained in Amazon S3. Changes to this repository triggered updates in Amazon Redshift and AWS Lake Formation via AWS Lambda functions, ensuring that access controls were consistently applied.
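As an added example of the provisioning framework described above (not the bank’s Lambda code), the following handler logic treats the access repository as a JSON file mapping users to groups (a format assumed here), diffs the new version against the previous one, and produces the Redshift GRANT/REVOKE ROLE statements for the Redshift Data API together with the Lake Formation tag grants to add or remove. The group lob_risk_hpr, the tag values per group, and the cluster, database and account values are constructed placeholders.

```python
"""Automated access provisioning from a central repository (added example)."""
import json
import re

IDENT = re.compile(r"^[a-z_][a-z0-9_]{0,126}$")    # names accepted into SQL identifiers
GROUP_TAG_VALUES = {                                 # constructed: Classification values per group
    "lob_risk_public": ("public",),
    "lob_risk_pci": ("public", "pci"),
    "lob_risk_hpr": ("public", "hpr"),
}


def is_valid_identifier(name):
    return bool(IDENT.match(name))


def parse_repo(text):
    """Assumed format: {"users": {"alice": ["lob_risk_pci", ...], ...}}.
    Every name is validated before it can reach a SQL statement: the file is
    edited by people, so a malformed entry must fail loudly, not be granted."""
    data = json.loads(text)
    members = {}
    for user, groups in data.get("users", {}).items():
        for name in (user, *groups):
            if not is_valid_identifier(name):
                raise ValueError(f"rejected identifier in access repository: {name!r}")
        unknown = set(groups) - set(GROUP_TAG_VALUES)
        if unknown:
            raise ValueError(f"{user}: unknown group(s) {sorted(unknown)}")
        members[user] = set(groups)
    return members


def diff_memberships(old, new):
    """(grants, revokes) as sorted (user, group) pairs; a user missing from
    the new file loses every role they had."""
    grants, revokes = [], []
    for user in set(old) | set(new):
        before, after = old.get(user, set()), new.get(user, set())
        grants += [(user, g) for g in after - before]
        revokes += [(user, g) for g in before - after]
    return sorted(grants), sorted(revokes)


def build_plan(previous_text, current_text):
    old, new = parse_repo(previous_text), parse_repo(current_text)
    grants, revokes = diff_memberships(old, new)
    old_groups = {g for gs in old.values() for g in gs}
    new_groups = {g for gs in new.values() for g in gs}
    return {
        # Redshift native RBAC: the role holds the schema privileges, users only join it.
        "sql": [f'GRANT ROLE "{g}" TO "{u}";' for u, g in grants]
             + [f'REVOKE ROLE "{g}" FROM "{u}";' for u, g in revokes],
        # A group used for the first time gets its Lake Formation tag grant; a group
        # with no remaining members loses it, so an idle role carries no data access.
        "lf_grant_groups": sorted(new_groups - old_groups),
        "lf_revoke_groups": sorted(old_groups - new_groups),
    }


def lf_request(group, account):
    """grant_permissions/revoke_permissions kwargs for the group's IAM role."""
    return {"Principal": {"DataLakePrincipalIdentifier": f"arn:aws:iam::{account}:role/{group}"},
            "Resource": {"LFTagPolicy": {"ResourceType": "TABLE", "Expression": [
                {"TagKey": "Classification", "TagValues": list(GROUP_TAG_VALUES[group])}]}},
            "Permissions": ["SELECT"]}


def apply_plan(plan, rs_client, lf_client, cluster, database, db_user, account):
    """Execute with boto3 'redshift-data' and 'lakeformation' clients (not run offline)."""
    for sql in plan["sql"]:
        rs_client.execute_statement(ClusterIdentifier=cluster, Database=database,
                                    DbUser=db_user, Sql=sql)
    for g in plan["lf_grant_groups"]:
        lf_client.grant_permissions(**lf_request(g, account))
    for g in plan["lf_revoke_groups"]:
        lf_client.revoke_permissions(**lf_request(g, account))


# Constructed previous and current versions of the repository file.
PREVIOUS = json.dumps({"users": {"alice": ["lob_risk_public"],
                                 "bob": ["lob_risk_public", "lob_risk_pci"]}})
CURRENT = json.dumps({"users": {"alice": ["lob_risk_public", "lob_risk_hpr"],
                                "bob": ["lob_risk_public"],
                                "carol": ["lob_risk_public"]}})

if __name__ == "__main__":
    plan = build_plan(PREVIOUS, CURRENT)
    print("\n".join(plan["sql"]))
    print("LF grant:", plan["lf_grant_groups"], "LF revoke:", plan["lf_revoke_groups"])
```

In a real deployment the Lambda would fetch both versions of the object (S3 bucket versioning is assumed here so the previous state is recoverable), and the identifier check is what keeps a stray character in a human-edited file from turning into a broken or unintended SQL statement. Computing a plan before applying it also gives a reviewable record of every grant and revoke, which is the evidence an auditor asks for.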

Results and Benefits

By implementing this solution, the institution achieved several key benefits:

  • Enhanced Data Security: The combination of RBAC and TBAC provided robust security controls, ensuring that sensitive data was only accessible to authorized users.
  • Scalability and Performance: The integration of Amazon Redshift with AWS Lake Formation allowed the institution to handle large volumes of data efficiently while maintaining compliance with industry regulations.
  • Simplified Management: The use of IAM roles and Lake Formation tags reduced the complexity of managing data access, making it easier for the bank to enforce security policies across its diverse user base.
  • Compliance with Industry Standards: The solution met stringent cybersecurity requirements, including field-level encryption and access control for PII, PCI, and HPR data.

Conclusion

This major financial institution’s strategic use of Amazon Redshift and AWS Lake Formation demonstrates how financial institutions can leverage cloud-based solutions to enhance data security while supporting their digital transformation initiatives. By implementing role-based and tag-based access controls, the institution successfully secured its sensitive data, ensuring compliance with industry standards and protecting the privacy of its customers.

