
Zero Trust Philosophy at a Canadian Bank

INDUSTRY

Financial Services

Arctiq helped a bank adopt a Privileged Access Management (PAM) solution with HashiCorp Vault Enterprise and HashiCorp Boundary Enterprise.

A Canadian bank offering commercial and residential lending and saving services set out on a journey to adopt a fully digital strategy. As part of its digital initiative, the bank's vision was to implement more modern, simple and strategic technology solutions to improve customer experience.

Goals Achieved

A dynamic, automated secrets management and PAM solution offering peace of mind and a philosophy of “trust nothing and authenticate everything”. Arctiq reviewed the existing architecture and design and validated the suitability of the customer's use cases. We developed a migration pattern from the old PAM methods (PowerShell-based automation scripts, user-driven workflows) to a HashiCorp-based solution that uses PowerShell-based automation scripts enabled with HashiCorp Vault and user-driven workflows enabled with Boundary. Arctiq also developed infrastructure as code (IaC) with Terraform for deployment of the solutions.

Challenge

For any customer today, security is paramount. This customer was looking to standardize on a modern PAM solution offering future peace of mind from a security standpoint. Privileged users relied on an outdated password management solution to store static passwords, often reusing the same passwords when accessing Windows/Linux machines. At the same time, there was no solution in place to create dynamic and rotating credentials.

Solution

The customer had already selected HashiCorp Vault as their secrets management solution, and they were very open to working closely and collaboratively with Arctiq and the HashiCorp Boundary product teams to test drive the Boundary product. HashiCorp Boundary was introduced for brokering the credentials. HashiCorp Vault was onboarded to generate dynamic credentials: the OpenLDAP secrets engine for Windows servers and the SSH-OTP secrets engine for Linux servers. Arctiq used HashiCorp Terraform Cloud to configure both Vault and Boundary, with Azure AD for Boundary authentication. Installation of DR and HA clusters for both Vault and Boundary was also done as part of this engagement.

"Working with the customer, partner and the HashiCorp Boundary product team to contribute to product feature improvements based on real-world use cases was a nimble and collaborative process. Knowing that our inputs went into what the Enterprise version of the Boundary tool looks like today is a pretty special thing to have been part of."