#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
Clarke Rodgers, CISO, SCOR Velogica
• SCOR Velogica
Business unit within SCOR Global Life Americas
Location: Charlotte, NC
Home to the Velogica automated life insurance underwriting
Over 2.5 million underwriting recommendations have been issued by the Velogica Service since its inception.
• Our Customers
Direct Life Insurers
Focused on the Velogica platform’s business agility and the security of their customers’ data.
Security questionnaires & related due diligence were taking up too much time and resources during the sales cycle. How do we prove to our future and existing clients that we have best-in-class security?
Obtain an internationally recognized and accepted third party
assurance report attesting to the security controls in place at
Provide the report to clients (and prospective clients) in lieu of spreadsheet exchanges, meetings, etc.
Do it quickly.
What is SOC2/Type2?
• Set of standards (Trust Principles) developed by the
- Security (base report)
- Confidentiality (additive)
- Availability (additive)
- Processing Integrity (additive)
- Privacy (additive)
• Controls are reviewed and tested annually (at minimum) by a third party auditing firm.
• Becoming the de facto standard of third party assurance reports for security controls.
learn more at www.aicpa.org
SOC2 by way of AWS
For SCOR Velogica, the best path to achieving SOC2/T2 attestation was to move to AWS by:
Focusing on OUR expertise: the controls, development & operations that are key to our business (e.g. the Velogica web service)
Relying on best of breed trusted third parties (e.g. AWS, 2nd Watch & Alert Logic) to do what THEY do best:
AWS – cloud computing infrastructure, management platform &
2nd Watch – (MCSP) professional services [design & migration] and managed cloud operations.
Alert Logic – (MSSP) security monitoring, log correlation and 24/7 security operations.
Key Decisions – SCOR Velogica AWS Migration
1. Develop cloud expertise
2. Migrate to AWS platforms & services or perform a “lift and shift” of our existing platform?
3. How do we communicate/educate our clients on the move?
Pro tip: Don’t assume everyone knows that Amazon is in the datacenter business.
A note about Trust
The more you know about a provider, and the more transparent they are about their services, the more trust you have in their offerings and their ability to execute.
1. Reviewed (under NDA) available assurance reports for each key provider.
2. Made site visits, interviewed key personnel and asked detailed questions that mattered the most to our business.
3. Met with current customers to get their insights on the
It is YOUR responsibility to thoroughly vet your providers.
For your further investigation
Has more certified platforms and services (for your workloads) than any other cloud provider… and the list keeps growing.
Internal operations are validated and published (under NDA) for customer review (see aws.amazon.com/compliance for more info)
Maintains SOC2/Type2 attestation.
Audited by AWS under partner program agreement.
Maintains SOC1/Type2 and SOC2/Type2 attestations.
Audited by AWS under partner program agreement.
Our Enhanced Security Posture in AWS
If it logs, we
If it can be
SCOR Velogica’s Cloud Security Program
Each member of
the team excels
Foundational cloud platform with resilient architecture. Security baked into every product and service. API driven. Strong security partner ecosystem.
Security operations expertise. Threat & vulnerability management, log monitoring & correlation. Security intelligence & threat research, etc.
Secure cloud design and best practices. Patching, Antivirus, Web Proxy, Active Directory, Hardened builds, IAM, Infrastructure & application monitoring, etc.
Overall Responsibility of Program. Secure application development, Access Review, Security Awareness, Incident Response coordination, Reporting, Client
Oversight of the entire program is the customer’s (your) responsibility. If your vendors aren’t measuring up, find different ones, coach the ones you have or do it yourself.
So what does “All-in AWS” mean exactly?
Three pieces of
NOT in AWS:
• Desk Phones.
Secure MFA access to AWS Workspaces from anywhere on any supported device.
Customer facing Velogica Web Service – in AWS.
All application development – in AWS.
All customer billing & operations – in AWS.
All core infrastructure (e.g. Active Directory, network file shares, etc.) – in AWS.
Business Continuity – in AWS.
Disaster Recovery – in AWS.
All new technology products and services purchases are either AWS friendly or other third party SaaS offerings (e.g. Office 365). If not, we don’t buy it!
Non SOC2 related benefits of our move to AWS
Failure is cheap.
Granular control over our costs.
Real time detailed inventory of everything we have.
Built in metrics of what is being used and what isn't.
We are at the cusp of the cloud computing revolution. It is really just starting and we’ve positioned ourselves to take full advantage of all the innovations yet to come. Exciting times!
Next steps for SCOR Velogica
Maintain SOC2/Type 2
Exploit the AWS platform to our business advantage:
Continue the automation of our entire software development
Build an automated, event driven security program to address human errors/misconfiguration.
Duplicate the application environment when needed to support international expansion of the Velogica platform
Continue maturing our DevOps/DevSecOps culture within the development & infrastructure/ops teams.
Training & Certification path for everyone who wants it.
Final Thoughts: What business are you in?
At SCOR Velogica, we provide the leading automated life insurance underwriting platform in the industry. We are experts in automated life insurance underwriting.
We are not:
In the datacenter management business.
In the enterprise infrastructure/cloud management
In the security monitoring/threat analytics and log
There are others who will operate in the above spaces with an expertise that will be hard to match, because that is their focus.
• AWS Compliance - https://aws.amazon.com/compliance/
• AWS Security - https://aws.amazon.com/security/
• AWS Contact for SOC1, SOC2 & PCI Compliance packages - https://aws.amazon.com/compliance/contact/
• PCI FAQs, including which AWS services are in scope - https://aws.amazon.com/compliance/pci-dss-level-1-faqs/
• Introduction to AWS Security - https://d0.awsstatic.com/whitepapers/Security/Intro_to_AWS_Security.pdf
• Cloud Security Whitepaper – https://d0.awsstatic.com/whitepapers/Security/AWS_Security_Whitepaper.pdf
• Cloud Security Best Practices - https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf
• AWS Well Architected Framework - https://d0.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf
• AWS Cloud Adoption Framework Documents:
• AWS Blogs to Read Every Day - https://aws.amazon.com/blogs/aws/ ; https://blogs.aws.amazon.com/security/
• AWS Case Studies - https://aws.amazon.com/solutions/case-studies/enterprise-it/?hp=tile
• AWS Global Infrastructure - https://aws.amazon.com/about-aws/global-infrastructure/?hp=tile
• Example of what can be done in AWS that can’t be matched on premise (from Security perspective) - https://securosis.com/blog/event-driven-security-on-aws-a-
• Must attend events: https://aws.amazon.com/summits/ ; https://reinvent.awsevents.com/
• Training Resources (other than official AWS courses): https://cloudacademy.com/
• Books – Consumption Economics by J.T. Wood & The Phoenix Project by Gene Kim and Kevin Behr