Cloud Security Challenges:
- Wants to perform security assessments as close to real-time as possible
- Needs to protect the cloud environment without constraining developers or getting contentious with IT
- Must satisfy FDIC/FFIEC guidance on cloud security, which the bank expects to become a binding requirement
Orca Security Results:
- Can now get full visibility of risks and vulnerabilities in near real-time
- Can support DevOps procedures without interrupting operational and production access, and without installation of agents
- Positioned to fully support FDIC guidelines and future requirements for cybersecurity in the cloud
Live Oak Bank’s Homegrown Technology Is a Big Differentiator
Live Oak Bank is different from most banks in many respects. Started as an internet bank, Live Oak continues to operate without physical locations. The company is focused on small businesses and has domain expertise in 20+ specific verticals—such as veterinary practices, pharmacies, agriculture, healthcare, and other industries. Unlike its competitors, Live Oak bankers get deeply involved in helping customers run—and succeed in—their own businesses. Its partnership approach has resulted in a loan default rate of less than 1%—far below the industry average of 3%.
The company has embraced the cloud from the beginning. Rather than build its business on a traditional, datacenter-based banking platform, Live Oak developed its own software. Some of the company’s technology has been spun off into new software entities. Many of these fintech companies are still partnered with Live Oak Bank to create an in-the-cloud, API-driven core. Cloud technology is central to everything Live Oak does.
Thomas Hill joined Live Oak Bank six years ago as CIO. As the company grew and its homegrown technology portfolio expanded, the IT and security roles needed to be separated, and Hill assumed the CISO position. “We want our business to be fast, real-time. We want the business to be able to move and change at the speed of light,” says Hill. “My job is to make sure we can do that securely and within the bounds of all regulatory constraints.”
Empowering DevOps (Without Getting in the Way)
Steeped in the heritage of a company that creates its own software, the DevOps team is encouraged to be bold and innovative. A traditional security leader can hamper DevOps by imposing demands on them to slow down and consider security every step of the way. But Hill refuses to be an impediment to the development team. “The last thing we want to do is constrain our developers,” he says. “We want them to think outside the box and create new things, so we give them the power to spin up what they need, but in a responsible way.”
“In the old days—and I literally mean three months ago—we were scanning our environment once a month,” according to Hill. “In the back of my mind, I worried about a developer spinning off a script that builds a whole environment, builds a new stack, and they start testing things. They could be one misconfiguration away from putting all that out on the internet. We need to detect that, but scanning once a month wasn’t going to do it. When you work in real-time, you need to see everything in real-time.”
This is where Orca comes into play. “We want to be able to see our whole environment—not just the devices that have an IP address, that might be accessible, and that we know about,” says Hill. “Orca is a great solution for us because we want to give developers the power to be innovative, but need to scan close to real-time without impacting the operations.”
“The IT infrastructure team is happy, too, because we’re taking a view of the total environment, setting it aside, and doing the scanning completely offline. We aren’t asking them to do anything—like install agents—to support this process,” says Hill.
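The scenario Hill describes, a freshly built stack that is one misconfiguration away from the internet, is the kind of check an offline, agentless posture scan runs over a copy of the environment rather than on the hosts themselves. The following is an added example, not Orca's code or anything from Live Oak Bank: it evaluates a constructed, simplified snapshot of AWS security groups, instances and S3 bucket settings (the snapshot schema, resource names and addresses are assumptions for illustration) and reports what is reachable from 0.0.0.0/0 without touching a running workload.

```python
"""Offline exposure check over a constructed cloud configuration snapshot.

Editor-added example, not Orca Security or Live Oak Bank code. The SNAPSHOT
schema is an assumption: a simplified export of security groups, instances
and S3 bucket settings, embedded inline so the check runs without AWS access.
"""
import ipaddress
import json

# Constructed sample data; resource ids and IPs are made up (203.0.113.0/24 is
# the documentation range). Not a real account export.
SNAPSHOT = {
    "security_groups": [
        # Web tier: HTTPS open to the world is expected, not a finding.
        {"id": "sg-app", "ingress": [
            {"proto": "tcp", "from": 443, "to": 443, "cidr": "0.0.0.0/0"}]},
        # Database tier: Postgres internal only, but SSH left open to the world.
        {"id": "sg-db", "ingress": [
            {"proto": "tcp", "from": 5432, "to": 5432, "cidr": "10.0.0.0/8"},
            {"proto": "tcp", "from": 22, "to": 22, "cidr": "0.0.0.0/0"}]},
        # A test stack spun up by a script: everything open to everyone.
        {"id": "sg-test", "ingress": [
            {"proto": "-1", "from": 0, "to": 65535, "cidr": "0.0.0.0/0"}]},
    ],
    "instances": [
        {"id": "i-web", "public_ip": "203.0.113.10", "security_groups": ["sg-app"]},
        {"id": "i-db", "public_ip": None, "security_groups": ["sg-db"]},
        {"id": "i-scratch", "public_ip": "203.0.113.11", "security_groups": ["sg-test"]},
    ],
    "buckets": [
        {"name": "loan-docs", "public_access_block": True, "policy": None},
        {"name": "dev-dump", "public_access_block": False,
         "policy": {"Statement": [
             {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject"}]}},
    ],
}

# Ports that should never be world-reachable: remote admin and common databases.
ADMIN_PORTS = {22, 3389, 1433, 3306, 5432, 6379, 27017}


def world_open(cidr: str) -> bool:
    """True when the CIDR covers the whole internet (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def risky_security_groups(groups):
    """Map group id -> reason for groups that expose everything, or an
    admin/database port, to any source address."""
    findings = {}
    for g in groups:
        for rule in g["ingress"]:
            if not world_open(rule["cidr"]):
                continue
            if rule["proto"] == "-1":
                findings[g["id"]] = "all protocols and ports open to 0.0.0.0/0"
                break
            hit = sorted(p for p in ADMIN_PORTS if rule["from"] <= p <= rule["to"])
            if hit:
                findings[g["id"]] = f"admin/database port(s) {hit} open to 0.0.0.0/0"
                break
    return findings


def exposed_instances(snapshot):
    """Instances actually reachable now: a public IP plus a risky group attached.
    (i-db carries a risky group but no public IP, so it is one change away
    from exposure rather than exposed; the group finding still surfaces it.)"""
    risky = risky_security_groups(snapshot["security_groups"])
    return sorted(
        i["id"] for i in snapshot["instances"]
        if i["public_ip"] and any(sg in risky for sg in i["security_groups"])
    )


def public_buckets(snapshot):
    """Buckets with no public-access block and a policy granting to everyone."""
    out = []
    for b in snapshot["buckets"]:
        if b["public_access_block"]:
            continue  # the block overrides any public grant in the policy
        statements = (b["policy"] or {}).get("Statement", [])
        for st in statements:
            principal = st.get("Principal")
            if isinstance(principal, dict):
                principal = principal.get("AWS")
            if st.get("Effect") == "Allow" and principal in ("*", ["*"]):
                out.append(b["name"])
                break
    return sorted(out)


def report(snapshot):
    """Full exposure report over one snapshot."""
    return {
        "security_groups": risky_security_groups(snapshot["security_groups"]),
        "instances": exposed_instances(snapshot),
        "buckets": public_buckets(snapshot),
    }


if __name__ == "__main__":
    print(json.dumps(report(SNAPSHOT), indent=2))
```

In a real deployment the snapshot would come from the control plane and disk snapshots the scanner reads out-of-band, and a daily run of a check like this is what turns a monthly scan cadence into something close to real time without anyone installing or maintaining an agent on the workloads. Note that the example deliberately reports sg-db even though i-db has no public IP: attaching one later is exactly the single misconfiguration Hill worries about.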
Orca Does the Work of Several Tools in the Security Toolbox
Hill’s team did a PoC with Orca and knew within days how useful it would be. The visibility it gives the security team is unlike anything other tools can provide—even those with agents installed on devices. “I can’t understate the importance of getting visibility of the whole cloud in an offline fashion so as not to interrupt any operational and production access. Orca’s SideScanning™ method is truly innovative,” says Hill. “It takes away any friction with our IT group.”
Live Oak had been using traditional, industry-leading vulnerability scanners for cloud assessments. Hill finds that Orca does a more complete job of scanning the cloud assets without the need for cumbersome agents. “The best practice for running agent-based tools is monthly. I’m not comfortable going that long between scans,” says Hill. With Orca, he can scan daily without any impact on production.
Orca Facilitates Compliance with Federal Regulations for Financial Institutions
Live Oak Bank has a sprawling AWS estate. Hill says they have over a dozen orgs, each effectively its own AWS mini-datacenter. In addition, the bank has fintech partners that use both AWS and Azure, with Live Oak’s systems interconnecting them.
As a chartered bank, Live Oak must comply with data privacy and security regulations. In particular, the FDIC, as a member of the Federal Financial Institutions Examination Council (FFIEC), issued a statement addressing the use of cloud computing services and security risk management principles in the financial services sector. “The FDIC statement letter is just guidance today, but we expect it to become a requirement soon,” says Hill. “Orca helps us convey the security posture of our cloud environments, which is extremely important for us as a bank. Our corporate risk group finds it very advantageous to have a tool like Orca to meet this need.”
Due to regulatory requirements governing financial data, Live Oak uses a hybrid-SaaS version of Orca Security, called Orca Pod. It permits the bank to keep its data in its own environment while only transferring metadata to Orca.