More than half of the United States’ largest businesses share a common vendor: Pacific Life. The gargantuan financial institution has earned its place in the Fortune 500 by providing services to most of the biggest corporate players around. That’s a lot of data. And so, like many other large, modern businesses, Pacific Life has entered the cloud.
In 2013, the company started planning the migration of a part of its Retirement Solutions division to a public cloud provider. This journey would lead them to the monolithic Amazon Web Services and, eventually, to Dome9 Security.
Pacific Life’s Manager of Information Security and Telemetry for its Retirement Solutions Division is Reza Salari and he has the scoop on how one of the nation’s largest financial institutions made the jump.
Dome9: Before you switched to the Public Cloud, how did your team process its workloads?
Salari: We only had three engineers that used an array of tools to manage our cross-country VMware data centers.
Our hope with moving to the public cloud was that we could optimize operations without increasing the size of the team. After researching all of our options, we eventually decided that AWS would be the best fit.
Dome9: How did that initial transition go?
Salari: The first thing we did was move our actuarial grids over to the cloud. These workloads require very resource-hungry hedging models.
For example, we typically run about 100 EC2 instances in AWS. However, when we’re running our hedging models we need to burst to over 2,000 instances at a time while remaining cost-effective. AWS lets us do that.
Dome9: Now that you’ve settled into AWS, what has been your biggest area of concern?
Salari: Definitely compliance. Being a finance company, we’re obviously held to very high standards in everything we do. My team and I are responsible for adhering to national regulations like Sarbanes-Oxley as well as regional requirements such as the New York Financial Responsibility Laws. Ensuring that all of our best practices are in line with these codes is a huge priority for us.
Dome9: How do you manage those compliance demands in AWS?
Salari: Through a combination of AWS security products, including CloudTrail, KMS, and third-party tools such as Splunk for log analytics, and Dome9 Arc for cloud infrastructure security management.
Dome9: Why bring in third-party tools?
Salari: Our AWS Network includes over 150 different security groups and each of these has between 5-20 individual security rules. In general, our network holds thousands of rules contained in a constantly changing elastic cloud environment. That’s a lot to keep track of.
We encountered some system issues early on that quickly taught us we would not be able to manage all of that with AWS native tools alone. So we built new networks leveraging both AWS, VPCs and even nested security groups (security groups that reside within other groups).
Dome9: How has Dome9 made that easier for you?
Salari: With Dome9, my team can continuously monitor their VPCs and security groups, and the system will provide real-time alerts in cases of misconfigurations, such as an open IP port. In addition, the team relies on the system to stop unauthorized users from modifying security groups and automatically revert unintended or malicious policy configurations.
For example, if a user changes a security group policy to allow inbound SSH traffic, Dome9 Arc can detect this change, revert it, and alert the team.
Also, the Dome9 Arc platform’s powerful visualization tool, Clarity, provides a real-time topology of security groups and an intuitive visual representation of VPC Flow Logs. This allowed my team to identify security risks and operational issues, visualize policies and remediate threats on all of their accounts, all from a central console.
Dome9: Has Dome9 Arc, and its deep visualization capability Dome9 Clarity, given you more confidence in the cloud since you migrated?
Salari: Absolutely. It’s helped us explain and defend the decision to use the public cloud to senior management. It was and still is a critical element in our cloud journey which eventually helped us save $1.1 million in 2016.
Dome9: What does the future hold for Pacific Life and the public cloud?
Salari: At Pacific Life, we’re now on a ten-year roadmap to move our operations one hundred percent onto the public cloud.
Personally, I am planning to have the majority of my department’s specific assets running on AWS within three years and I’m confident Dome9 will be able to scale as we do.
Pacific Life’s services are used and trusted by millions of people across the US and beyond. Dome9 will continue to play a strategic role when it comes to remaining an agile, relevant and secure player in today’s financial sector.