HIGHLY SECURE FILE TRANSFER

About the customer

The Customer is a financial institution, part of a large banking group, based in Luxembourg, financing small and medium enterprises.

The challenges

Being part of a banking group, the Customer applies and adheres to the group Cloud/security policies: their security cloud policy forbids the storage of strictly confidential document in “the Cloud” unless there are clear and strict “compensating controls”:

• How to technically protect the system from “US Cloud Act”, that could be triggered by an US agency to order “repatriation of data”? Same may apply to any accidental data loss or improper access to data where they are physically stored.
• What to propose as additional and “undisputable” security control that will make the storing of sensitive content acceptable to our “Information Security committee”?

To address those concerns, the Customer selected Arηs Spikeseed as their cloud partner for this crucial mission.

The project

ARHS Spikeseed supports the Customer by providing the following services:

• Advisory for Cloud Architecture

  Arηs Spikeseed Cloud Architects helped the Customer by advising on the best architecture, managed services and products, following-up the project from the design phase to the production go-live.

• Infrastructure as Code Development

  Arηs Spikeseed Cloud Engineers implemented and deployed a Landing Zone, relying on CloudFormation IaC and enabling automated environment replication.

• Managed Service Provider

  As a strategic pillar of Development of Arηs Spikeseed, the “Managed Service offering” builds up on substantial internal investment and extensive experience. As a result, Arηs Spikeseed is operating the solution on the AWS Cloud.

Project Solution

The file sharing solution features FileCloud to synchronise automatically and in a hyper-secure way local folders with AWS Cloud (similarly to OneDrive, for instance). It has been designed, implemented and operated by Arηs Spikeseed, and leverages the following key components:

• 01.

  The FileCloud client scans local folders to detect any change, synchronize and eventually merge with content stored on AWS Cloud

• 02.

  Public and Private certificates are managed with AWS Certificate Manager, enabling Encryption at REST (client and server sides), and supporting Private Certificate Authority

• 03.

  Bring Your Own Key (BYOK) and Bring Your Own Encryption (BYOE) are enabled thanks to AWS Key Management Service (KMS) and Thales CipherTrust templates and deployed with Ansible

• 04.

  A dedicated physical Hardware Security Module (HSM) performs cryptographic operations, and is integrated with AWS KMS via Amazon CloudHSM

• 05.

  Infrastructure is automated with AWS CloudFormation templates and deployed with Ansible

• 06.

  High performance and scalability are achieved thanks to AWS Auto Scaling Group and Elastic Load Balancers

Project Results

The delivered platform successfully meets the customer challenges:

1. The entire solution provided is protected against eventual US data access request under the “US Cloud Act”
2. Sensitive data is not accessible, even for the operations team
3. The Customer is in total control of the solution, in particular for the encryption (keys generation and data encryption) which is fully under his responsibility and independent from AWS
4. Solution is fully automated, and environments may be replicated at will

Success factors

Arηs Spikeseed acts as a one-stop shop for their customers, from start-ups and companies to EU institutions and bodies: the wide range of expertise provided helps to answer most of the IT needs. In this particular case, thanks to the combination of AWS Managed Services and specific products (namely Thales CipherTrust and FileCloud), all challenges have been tackled in a timely and qualitative manner.