Challenges
To maintain its security posture without a dedicated security team, Monument Bank needed immediate visibility into what developers were building in the cloud.
Monument Bank needed a scalable and efficient process for development teams to address issues quickly.
Monument Bank looked to identify repeated problems in production and shift left to fix them earlier.
Solutions
Monument Bank has a single, real-time view across their entire AWS environment.
Developer teams can quickly understand and remediate risk in the cloud using Wiz’s actionable and contextualized reports.
Monument Bank maintains its secure-by-design strategy using Wiz guardrails to prevent recurring problems in the development process.
Unifying internal teams to secure its cloud
Monument Bank offers its clientele of business professionals, entrepreneurs, and property investors a digital banking platform built on cloud technology. The startup neo-bank offers a range of savings and lending products using advanced in-app capabilities for client interactions. “We bring leading edge, modular technology together in a unique configuration, to redefine premium banking for the mass affluent,” says Graham Law, Monument’s Head of Cloud Ops.
Monument is also a regulated bank. “There are regulatory expectations, client expectations, and genuine threats out there,” says Law. “As a guardian of our client’s savings, we need to prepare for potential cyber-attacks.”
Two years into its journey, Monument is confident its cloud infrastructure is secure despite not having a dedicated security team. As part of its strategy, Monument aims to be secure by design. “We've been doing that from day one on our app, but with AWS, there wasn't anything that we could plug in and make that happen,” says Law.
It all starts with visibility
As the bank’s developers built out its application in the cloud, the security team wanted to ensure it was built to the highest security specs. “We wanted to know how we could gain assurance when those same developers were also the people building and configuring the native security tooling in AWS,” says Law.
Monument adopted a modern cloud-native software architecture that involved zero on-prem infrastructure. In addition, a lot of its ecosystem is SaaS driven. “It's not a case of just having a lot of traditional on-prem infrastructure that's now running in the cloud,” says Law. “It's much more modern services, microservices, an integration layer between APIs — it's a different type of security challenge, and many of the traditional approaches aren't designed for this type of environment.”
Easy deployment, fast results
Monument had a knowledge gap it needed to fill. “Security changes on a daily basis. I don't have the time or knowledge to do my own audits of AWS,” says Law. Initially, the team tried more traditional penetration testing firms to do evaluations, but they didn’t provide enough return on investment. Monument even considered hiring an AWS security engineer, but that’s a very expensive resource.
After exploring other options, they took a look at Wiz. “I was genuinely blown away by how easy it was to implement Wiz, and how immediate the benefit was, to the point where I said to the CTO, if you don't buy this, I quit, because I can't do my job without it,” says Law. “Basically that was 20 minutes after we started the POV.”
The strength of the Wiz POV was that it's so quick and easy to set up. It wasn't going to be a three-month process—we were up and running in one afternoon.
Graham Law, Head of Cloud Ops, Monument Bank
Law was encouraged by the rapid benefits of implementation. “Within the first couple of hours of implementation, Wiz identified security gaps and issues that we weren't aware of, but we were able to get to work fixing these issues immediately,” says Law.
Prioritization made easy
Law relies on Wiz to surface toxic combinations and list out critical risks so his team can prioritize the critical issues that need fixing. “Wiz’s risk scoring system creates actionable work,” says Law.
As a startup, we can't fix every single problem immediately, we don't have that capacity. Wiz allows us to quickly prioritize the changes that need to be made.
Graham Law, Head of Cloud Ops, Monument Bank
The Wiz dashboard gave the Monument Bank team a full view of their environment for the first time. “It’s always been in AWS, but we've never been able to see it,” says Law. “As we've tried to get management aligned and explain what Wiz is telling us, the Security Graph — and specifically the visualization of the issues — was a big help in understanding what the problem is and its scope.”
Monument is operationalizing Wiz by integrating with Jira to automatically create tickets for critical risks so they can quickly and easily be addressed by developers. In addition, Wiz provides actionable context so teams can identify, prioritize, and remediate those issues based on what is the biggest threat to the environment. “It stops us from having to go in to create the tickets and frees up my team to focus their attention on the most critical issues that need to be prioritized.”
Beyond shifting left to fix issues early in the development process and putting guardrails in place to maintain long-term consistency, Monument also looked to Wiz for a review of its risk management process. “Wiz allowed us to create a patching process that worked across all of our containers, app, OS package, AMI patching, and anywhere else it was needed. It was about getting the process right and identifying a strategic shift, even in how we do our container management, to enable better and easier patching.”
A different approach to security
Law and his team believed they were doing things right but had no way of proving it. Wiz quickly provided the assurance they required. “Obviously, we found some things that needed to change, so we went through a very quick process of understanding what is right and what is wrong, and we fixed what was wrong,” says Law. “Now we can try to mature this approach and embed it as a long-term, sustainable way of baking security into our development and site processes.”
Law points out the importance of using a tool that enables developers to have a meaningful stake in the security conversation. “Wiz can highlight findings that they don’t necessarily understand where the risk is involved,” says Law. “Wiz does a good job of explaining, in an understandable way, why it’s giving something the rating it’s giving it.”
For Law, the biggest benefit has been moving from conversations about why something was really a risk to, over time, understanding what those risks are and realizing what needs to be prioritized. “The visibility realized through the Wiz Security Graph helps hugely with that. The focus on toxic combinations and the descriptions that accompany those are very readable for a non-security audience, highlighting why this particular combination is something you need to address.”
Compliance is another challenge that is on Monument’s future roadmap. “We’re implementing a mature approach to determining our real-world risk, not some arbitrary checklist,” says Law. “We’re taking the time to look at the compliance standards and what we already have in place and start laying the groundwork to get our environment into compliance. The pre-visibility we have is incredibly helpful as it will take a lot of the manual legwork out of that process.”
Wiz lets us look at the root cause of some of our issues, and how we can rapidly fix some of these problems with relative ease. Much of what we have found is preventable, as long as it’s caught early.
Graham Law, Head of Cloud Ops, Monument Bank
For Monument, Wiz is serving the role of security engineer and empowers security and developers to work more closely to identify fundamental changes that need to be made. “We still might need a security engineer one day. But with Wiz automating the more manual tasks, they can be working on more advanced capabilities,” says Law.