Orca Enables Security Evolution for Banca Progetto, the First Italian Bank on AWS

Banca Progetto Is Italy’s First Bank to Operate Fully on AWS

Banca Progetto S.p.A., a fast-growing Italian challenger bank, was born in 2015 from the reorganization of Banca Popolare Lecchese carried out by the Californian fund Oaktree, and provides financing to households and corporates, including through its digital channel. With branches in Milan and Rome and a commercial network operating across the whole country, Banca Progetto specializes in products for small and medium-sized Italian companies and retail customers, in particular savings account products targeting private and retail customers.

Since then, the bank has been undergoing a complete transformation of its business and operations. Today, the company has four primary business channels: lending to small and medium businesses in Italy, as well as tax credit factoring and instant cash for existing SME (PMI) customers; savings account products such as deposit accounts and time deposits; and, in its most recent development, instant lending to retail clients who are not yet customers.

In 2019, Banca Progetto started its cloud journey to unlock the full potential of its banking products. With the approval of the Italian regulator, Banca d’Italia, Banca Progetto worked closely with Amazon Web Services to deliver the best decoupling infrastructure and create a compliant ecosystem. By 2020, Banca Progetto had become the first Italian bank to operate fully in the cloud.

Among other key milestones for the bank, in 2020 the custom-designed and developed Service Bus was launched on AWS, enabling customers to be onboarded in less than 10 minutes. In 2021, the core product of lending to small and medium enterprises went fully digital, making it possible for teams working across Italy to use a single platform to manage the entire lending process. The following year, Banca Progetto entered the Instant Lending market with Instant Cash PMI and the Cream application.

All these milestones represent a high rate of technological innovation for the bank. Having migrated all applications and infrastructure into the cloud, while building the new ones straight into it, allows the bank to be more responsive to customers’ evolving needs and to quickly launch new products and services.

A Complex Cloud Environment Needs Security Governance

Banca Progetto has a complex yet manageable infrastructure in which the cloud environment developed by the bank itself coexists with various individual third-party environments connected to it. There are multiple accounts spanning three regions, in which the front ends for customers, the sales network, and the local instances used by the bank’s back-office services are distributed. The middleware that enables communication among all components is the nerve center of this cloud environment.

Giorgio Rocca is Banca Progetto’s Chief Information Security Officer and leader of the small security team. “Most of our work pertains to the governance of our security program,” says Rocca. “We have a SOC and many aspects of our security are outsourced to other players. So, the focus of our work is typically partner monitoring and cloud monitoring.”

The priority of monitoring and auditing all cloud environments is dictated by the cloud-centric nature of the bank’s development and growth. This prompted the security team to look for a cloud security posture management (CSPM) solution that could identify existing vulnerabilities and communicate with the bank’s SOC to properly monitor the operational scenario in real time. Particular attention was paid to finding a solution that works across multiple cloud providers. While most of the bank’s infrastructure and accounts are in AWS, the company does have some back-office services in Azure Cloud, and there is always the potential for additional applications in other cloud environments in the future.

The Bank’s Requirements for CSPM

Rocca says his team had a list of requirements for the cloud monitoring solution in addition to the ability to support multi-cloud environments. “We have a cloud-native architecture that adds complexity from a security standpoint,” he says. “We have virtual machines, containers, and even a serverless architecture for some applications. We need a solution that can scan all these components for vulnerabilities and configuration issues and report them to our SIEM.”

The bank also needs to observe compliance with various security frameworks, such as NIST (the U.S. National Institute of Standards and Technology), the MITRE ATT&CK framework, and the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM). Any chosen tool must help the bank determine its compliance posture.

Ease of use was a paramount concern, given that the security team is so small. Some people with governance responsibilities don’t have a technical background, so the cloud security tool had to have a simple user experience where all users can get the information needed as easily as possible.

“Previous experience with CSPM tools clarified our requirements and the processes needed to make the best use of these tools. Orca more than meets the challenge.”
Giorgio Rocca, CISO

Orca Beats Out Prisma Cloud in a Side-By-Side Comparison

Banca Progetto already had experience with Palo Alto Networks Prisma Cloud. However, the license agreement for Prisma Cloud was expiring, so this seemed like the best time to test the market for other solutions. Mauro Restante of the cyber risk consulting firm Cybersel Group suggested that Rocca’s team try Orca Security, and so they began a week-long Proof of Concept in which they were able to compare Prisma Cloud and the Orca Platform side by side.

“The Palo Alto Networks product seems more suited to companies with bigger infrastructure,” says Rocca. “The system is quite technical, and the dashboard is harder to manage. Also, it requires the installation of an agent, which increases the friction we have in trying to get our engineers to support it. They don’t necessarily want to change their processes to install and maintain agents.”

Orca is a much simpler solution in terms of onboarding, licensing, user experience and integration with the bank’s SIEM. “It took us just 5 minutes to onboard Orca,” says Rocca. “Our architect did it with no external support. This was the first sign that we should adopt Orca. Another important aspect is that it natively integrates with Sumo Logic, our SIEM. The other product requires an API to talk to the SIEM. We’d need specialized architects or a systems integrator to make it work for us.”

Other important aspects of Orca sealed the decision to make it the bank’s cloud security solution. “In many ways, Prisma Cloud and Orca are similar solutions,” explains Rocca. “They both offer compliance reporting, but Orca’s reporting is simple and concise for executives and the board to view. On top of this, Orca has MITRE compliance reporting for the totality of cloud infrastructure, applications, data, and identities, and that is an important security framework for us.”

“Orca gives us a single Security Score that indicates our adherence to various security frameworks. This clear number is what our executives want to see.”
Giorgio Rocca, CISO

Parallel use of both Orca and Prisma Cloud highlighted Orca’s greater accuracy in narrowing the search to critical issues, therefore producing a more meaningful overall security score. Orca also has a considerably simpler and more appealing user interface that allows ease of use even by staff who are not strictly technical but who are assigned to governance roles.

Even more important is that Orca is not just a security tool but also a development instrument, allowing the bank’s Dev team to “shift left” and build secure applications from the very beginning rather than securing them afterwards. “Our Dev team uses Orca to verify the efficiency of updates before release to production, helping to optimize our development process. It is easier to understand the gap that we must remediate or mitigate before production and to secure the bank’s infrastructure,” says Rocca. “The other solution doesn’t have a development integration process, so it is solely for security. By comparison, Orca provides much more value overall.”

“Orca makes collaboration possible with IT, Dev and security, giving a big value we get from this tool. We are working together to reach our objectives.”
Giorgio Rocca, CISO

Orca’s licensing approach is also much more attractive than that of Palo Alto Networks. “Orca provides simplicity in its licensing table. You can see what you want to spend or project to spend in the future because the licensing is tied to the virtual machine,” says Rocca. “The other solution has a more complicated licensing scheme tied to the individual component, so for example, every new container or every new transit gateway has a price. This is not good when you want to have a strategic view of your company’s expenses.”

Orca Delivers Results for Banca Progetto

Banca Progetto has been using the Orca Platform for just under a year, and the results have been encouraging. It made it possible to integrate the security perimeter of the cloud environment with the classic SOC, thus completing Banca Progetto’s digital transformation in the security field. The amount of data in the compliance reports helps to identify specific key risk indicators, calibrated to the numbers provided by Orca, thus enhancing the internal security posture of the cloud environment and complementing what had already been defined with security rating tools for the external side.

By supporting our architects in the shaping of Banca Progetto’s cloud architecture with valuable indications and precise configuration, Orca helped us to optimize the overall environment.

Finally, Orca has helped to facilitate full governance of security aspects by the bank’s IT security group, providing valuable feedback on the degree of security achieved.