May 10, 2022

Lookout Helps Leading Fintech Company Improve Compliance

When a leading financial technology provider began experiencing record success and rapid customer growth, it needed a holistic security strategy to protect its customer data and comply with regulations like the Payment Card Industry Data Security Standard (PCI DSS) and the California Consumer Privacy Act (CCPA).

In 2021, the firm’s platform delivered a record-breaking year, facilitating hundreds of thousands of new accounts amounting to billions of dollars in personal loans. As the platform scaled and new features were added, the need for proper visibility into cloud data and application usage became increasingly apparent to the firm’s IT and security teams. With this growth, they determined three main IT security challenges that needed to be addressed: 

  • Too many security platforms: Managing multiple security solutions and enforcing uniform data protection policies across all apps was arduous and inefficient.
  • Difficulty maintaining compliance: Aligning with compliance regulations became increasingly difficult as the customer base and volume of sensitive compliance-related data each grew.
  • AWS configuration errors: Ensuring proper configuration of Amazon Web Services (AWS) cloud infrastructure and various AWS services, including S3 cloud object storage, was difficult and prone to error.

To solve these challenges, the firm turned to the Lookout Cloud Security Platform and implemented a new security strategy that helps them stay compliant with government regulations. Here are the steps they took to leverage the Lookout platform:

Step 1: Converge into one financial security platform using Lookout Secure Cloud Access 

The firm turned to Lookout to help secure their AI-powered, online financial platform hosting more than a million customer accounts. With our cloud-native platform, they were able to consolidate multiple point solutions into a single integrated platform, reducing network and security complexity while increasing organizational agility.  

Lookout Secure Cloud Access with native data loss prevention (DLP), which is part of the Lookout platform, was deployed to secure customer data while ensuring regulatory compliance. All traffic from the customer flows through a common inline proxy where it can be intercepted and monitored. From this vantage point, security administrators can apply a cohesive package of advanced data security controls through a common set of IT security policies. 

Step 2: Simplify DLP to reduce risk and increase savings

A DLP policy defines how organizations share and protect data. It provides guidance on how data can be used in decision-making without exposing it to anyone who shouldn’t have access.

As the firm’s SaaS portfolio expanded to include Slack, Box, Microsoft 365, and GitHub, configuring and maintaining DLP rules became increasingly complex. With each app offering its own DLP features, the resulting DLP tool sprawl led to:

  • Multiple owners of DLP capabilities
  • Unnecessary or overlapping policies
  • Holes in data visibility and coverage
  • Decreased operational efficiency and security

Lookout Secure Cloud Access provided the firm’s IT and security team with a converged platform that offered complete data visibility, consistent policies and operational efficiency across all apps. It provided a common interface through which uniform DLP policies could be defined across all SaaS apps. 

Because these policies are context-aware, they’re able to adapt based on the data and apps accessed, the user’s risk score, and the risk posture of the device. With pre-configured policy templates, the customer was able to create consistent rules for protecting sensitive data across all apps. 

By consolidating DLP point products into a unified platform, the firm was able to reduce risk, realize cost savings, and most importantly, have confidence in their data security.

Step 3: Implement a privacy compliance program

Facilitating personal loans and credit cards requires collecting personal information such as bank accounts, credit history, social security numbers (SSNs), and home addresses. This sensitive data, stored in cloud apps like Box and Microsoft OneDrive, is also shared internally via Slack messaging. A data security policy must be established to correctly identify and protect the customer’s data privacy and comply with regulatory requirements. 

Security policies enable IT administrators to define and enforce rules and take action at various enforcement points in the system. Actions such as masking, redacting, watermarking, or encrypting the data ensure that it stays protected even if it moves outside the company’s boundaries, whether intentionally or unintentionally. For example, individual security policy rules can be set up to block a sensitive document from passing through Slack to unauthorized recipients based on predefined attributes. Because security systems are only as effective as the policies that guide their actions, policy management must be as intuitive and straightforward as possible.
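As an added illustration (not Lookout's code), here is a minimal context-aware DLP rule of the kind described above: it classifies SSNs and Luhn-valid card numbers in a message, blocks delivery to an external recipient, and masks the values for internal recipients. The detectors, the sample message and the `example.com` organization domain are assumptions made for the example.

```python
import re

# Simplified detectors (assumption): 3-2-4 SSNs with the invalid area/group/serial ranges excluded,
# and 16-digit card numbers in 4-digit groups separated by optional spaces or dashes.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b")

def luhn_ok(digits):
    """Luhn checksum: rejects most random 16-digit strings that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_sensitive(text):
    """Return the (kind, matched_text) pairs a DLP engine would classify."""
    hits = [("SSN", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            hits.append(("PAN", m.group()))
    return hits

def mask(text):
    """Masking action: keep only the last four digits so the message stays usable internally."""
    def mask_ssn(m):
        return "***-**-" + m.group()[-4:]
    def mask_card(m):
        digits = re.sub(r"\D", "", m.group())
        return "*" * 12 + digits[-4:] if luhn_ok(digits) else m.group()
    return CARD_RE.sub(mask_card, SSN_RE.sub(mask_ssn, text))

def apply_policy(message, recipient_domain, org_domain="example.com"):
    """One context-aware rule: sensitive data to an external recipient is blocked, internally it is masked.
    Returns (action, delivered_text); delivered_text is None when the message is blocked."""
    if not find_sensitive(message):
        return ("allow", message)
    if recipient_domain.lower() != org_domain.lower():
        return ("block", None)
    return ("mask", mask(message))

# Constructed sample message containing an SSN and the well-known Luhn-valid test card number.
SAMPLE = "Applicant SSN 123-45-6789, card 4111 1111 1111 1111"
```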

Typically, an admin would have to go into each cloud app individually to configure a uniform set of policies via different user interfaces. This approach was both complex and incredibly inefficient.

Lookout consolidated these myriad DLP engines into a single, unified system where a common set of IT security policies could be applied and enforced. This model offered the best security and overall user experience, ensuring the firm meets compliance requirements without hindering employee productivity.

Step 4: Reduce risk with continuous monitoring setup

Like many organizations, the firm uses AWS for reliable and scalable cloud computing and storage. Data is stored in Amazon Simple Storage Service (Amazon S3) as objects within “buckets.”  

Misconfigured or “leaky” AWS S3 storage buckets can expose massive amounts of data to the internet. In fact, Amazon S3 buckets have been at the heart of countless data breaches in the last few years. It's common for “leak hunters” to use automated search tools to find thousands of open S3 buckets that include data companies would not want public.

Lookout introduced cloud security posture management (CSPM) as part of the same unified security platform to help organizations correctly and appropriately secure the data they hold in cloud storage instances. CSPM is an IT security tool designed to identify misconfiguration issues and compliance risks by continuously monitoring cloud infrastructure for gaps in security policy enforcement.

With large amounts of private data stored in S3, Lookout CSPM helps the firm ensure that their AWS resources are properly configured and sensitive data is protected from public access. It provides actionable reporting on exactly which resources failed the assessment and how to remediate those issues. 
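To make the CSPM check concrete, here is an added example (not Lookout's code) of the kind of assessment it performs on an S3 bucket: it flags a bucket policy that grants an anonymous principal access and any of the four S3 Block Public Access settings that are off, with a remediation hint for each. The bucket name, policies and account id are constructed for the example; real settings would come from the AWS API.

```python
import json

# Constructed sample policy: the classic "leaky bucket", anonymous read of every object.
LEAKY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-loan-docs/*"}]})

# Constructed sample policy after remediation: the same grant limited to one IAM role.
FIXED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/LoanProcessor"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-loan-docs/*"}]})

# The four S3 Block Public Access settings; a secure bucket has all of them enabled.
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def is_anonymous_principal(principal):
    """True for "*" or {"AWS": "*"}, which both mean "anyone on the internet"."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False

def public_statements(policy_json):
    """Allow statements granting an anonymous principal access with no Condition at all.
    A Condition (e.g. a source-IP or VPC restriction) is treated as narrowing the grant; this
    simplified check does not evaluate whether the condition itself is still effectively public."""
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = stmts if isinstance(stmts, list) else [stmts]
    return [s for s in stmts if s.get("Effect") == "Allow"
            and is_anonymous_principal(s.get("Principal")) and not s.get("Condition")]

def assess_bucket(name, policy_json, public_access_block):
    """CSPM-style check: returns a list of failed checks, each with a remediation hint (empty = pass)."""
    findings = []
    for flag in PAB_FLAGS:
        if not public_access_block.get(flag, False):
            findings.append(f"{name}: Block Public Access setting {flag} is off; enable it")
    for s in public_statements(policy_json):
        findings.append(f"{name}: bucket policy allows anonymous {s.get('Action')}; "
                        f"restrict the Principal or add a Condition")
    return findings
```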

Sample CSPM view from a Lookout test environment

CSPM can also be applied to other cloud platforms like Azure, Microsoft 365, and Salesforce. Knowing these foundational resources are correctly configured gives IT and security teams the certainty they need to perform their day-to-day tasks while feeling confident that customer data is safe and in regulatory compliance.

Step 5: Ensure future growth is secure with Lookout

As the firm grows, the volume of data they collect will only increase. In a high-growth company with a rapidly expanding digital footprint, it can be challenging to ensure that all data is protected and remains in compliance with privacy regulations. 

With Lookout’s unified, cloud-native security platform, the customer is confident that they will be able to scale their security as they grow while maintaining visibility and control over their data. 

Book a personalized, no-pressure demo today to learn:

  • How adversaries are leveraging avenues outside traditional email to conduct phishing on iOS and Android devices
  • Real-world examples of phishing and app threats that have compromised organizations
  • How an integrated endpoint-to-cloud security platform can detect threats and protect your organization