New Zealand’s largest locally-owned life insurer Fidelity Life is one year into a multi-million dollar, five-year transformation to reimagine life insurance for New Zealanders. Microsoft Azure is front and centre in a programme to recast the insurer’s products, services, and experiences for a new generation of digital customers. Building on its progress in the cloud, Fidelity Life turned the spotlight to security standards and controls to maintain application development at full speed, without inviting risks.
Software developers today combine agile approaches with clever tools and orchestration in Azure. However, when the faster pace of modern software development is stifled by traditional approaches to security, developers are more likely to take shortcuts and sometimes even show willful ignorance that can leave cloud environments vulnerable.
Fidelity Life was making good use of Azure Platform and Azure DevOps to build, deploy, and host its core line of business applications. However, multiple vendors developing business applications in Azure followed their own approaches to security and controls. The lack of consistency created potential holes and pitfalls in infrastructure code, applications, and Azure itself, slowing development and inviting unnecessary risk.
Leaven (now CCL) was commissioned to review Fidelity Life’s security posture in Microsoft Azure, applying a three-pronged approach – called DevSecOps – to gauge, fix, and then harden the insurer’s cloud platforms.
CCL engineers scanned Fidelity Life’s Azure subscriptions to identify and grade potential security issues, before jointly agreeing which items to remediate. Using tools including RBAC controls from Microsoft Azure AD, Azure Policy, Azure ARM templates, and Azure DevOps, CCL applied ‘front door’ fixes that established a secure baseline in a matter of hours.
With the front door of Fidelity Life’s Azure Platform now securely closed, attention turned to protecting application code. CCL’s verification testing and scans detected vulnerabilities in application and infrastructure code as it was checked in to Azure DevOps.
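The page does not say which scanners CCL used or what its grading scheme was, so the following is an added illustration, not Fidelity Life’s or CCL’s code, of the two steps described above: scanning infrastructure code as it is checked in and grading what is found so that a pipeline can block a merge. It reads an ARM template (the sample embedded here is constructed for the example), checks each `Microsoft.Storage/storageAccounts` resource against a small baseline (real ARM property names: `supportsHttpsTrafficOnly`, `minimumTlsVersion`, `allowBlobPublicAccess`, `networkAcls.defaultAction`), assigns a severity, and returns a non-zero exit code when the worst finding meets the blocking threshold. Function names, severities and the threshold are this example’s own choices.

```python
import json
import sys

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}
TLS_RANK = {"TLS1_0": 0, "TLS1_1": 1, "TLS1_2": 2}

# Constructed sample ARM template for this example: one weak account and one
# hardened one. Names and values are made up, not from any real deployment.
SAMPLE_TEMPLATE = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": "Microsoft.Storage/storageAccounts",
            "apiVersion": "2022-09-01",
            "name": "stpolicydocs",
            "properties": {
                "supportsHttpsTrafficOnly": False,
                "minimumTlsVersion": "TLS1_0",
                "allowBlobPublicAccess": True,
                "networkAcls": {"defaultAction": "Allow"},
            },
        },
        {
            "type": "Microsoft.Storage/storageAccounts",
            "apiVersion": "2022-09-01",
            "name": "stclaimsarchive",
            "properties": {
                "supportsHttpsTrafficOnly": True,
                "minimumTlsVersion": "TLS1_2",
                "allowBlobPublicAccess": False,
                "networkAcls": {"defaultAction": "Deny"},
            },
        },
    ],
})


def check_storage_account(resource):
    """Return (resource_name, severity, message) tuples for one storage account.

    Only a setting explicitly set to the safe value passes; an absent setting is
    reported too, so the template author has to state the intent in code rather
    than rely on a platform default that may change.
    """
    name = resource.get("name", "<unnamed>")
    props = resource.get("properties", {})
    findings = []
    if props.get("supportsHttpsTrafficOnly") is not True:
        findings.append((name, "HIGH", "supportsHttpsTrafficOnly must be true (plain HTTP allowed)"))
    if TLS_RANK.get(props.get("minimumTlsVersion"), -1) < TLS_RANK["TLS1_2"]:
        findings.append((name, "MEDIUM", "minimumTlsVersion must be TLS1_2"))
    if props.get("allowBlobPublicAccess") is not False:
        findings.append((name, "HIGH", "allowBlobPublicAccess must be false"))
    if props.get("networkAcls", {}).get("defaultAction") != "Deny":
        findings.append((name, "MEDIUM", "networkAcls.defaultAction must be Deny"))
    return findings


# Resource type -> check function; extend with more resource types as needed.
CHECKS = {"Microsoft.Storage/storageAccounts": check_storage_account}


def scan_template(template_text):
    """Parse an ARM template and run every registered check, worst findings first."""
    template = json.loads(template_text)
    findings = []
    for resource in template.get("resources", []):
        check = CHECKS.get(resource.get("type"))
        if check is not None:
            findings.extend(check(resource))
    findings.sort(key=lambda f: SEVERITY_RANK[f[1]], reverse=True)
    return findings


def worst_severity(findings):
    """Highest severity present, or None when there are no findings."""
    return max((f[1] for f in findings), key=SEVERITY_RANK.get, default=None)


def should_block(findings, threshold="HIGH"):
    """True when the check-in should fail the pipeline at the given threshold."""
    worst = worst_severity(findings)
    return worst is not None and SEVERITY_RANK[worst] >= SEVERITY_RANK[threshold]


def main(argv):
    # Scan a template path given on the command line, or the embedded sample.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_TEMPLATE
    findings = scan_template(text)
    for name, severity, message in findings:
        print(f"{severity:6} {name}: {message}")
    print(f"{len(findings)} finding(s); worst severity: {worst_severity(findings)}")
    return 1 if should_block(findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as a pipeline step with the template path as its argument; the non-zero exit code is what turns a finding into a blocked check-in. Treating an absent property as a finding is a deliberate choice: it keeps the baseline independent of whichever default the platform applies for a given API version.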