A high-security global cloud platform for investment research


A US investment bank moves its research operation to a cloud deployment, boosting productivity and cutting costs while maintaining a high level of platform security.

Background

An investment bank with headquarters in the US operates a research division of over 800 analysts at locations in the USA, Europe and financial centers throughout the world.

The division produces over 150k reports a year covering equities, securities, commodities, FX and derivatives for an international subscriber base of around 300k institutions and individual investors.

Subscribers access research content through a web portal, as well as receiving selected products by email and other contact channels.

Challenge

To prepare and distribute the research, the institution used a bespoke system based on MS Office applications.

With time the system had become unstable and inflexible.

In particular:

  • The introduction of new products and features was slow and laborious.
  • The platform had become complex and difficult to maintain and evolve.
  • Teamwork between analysts on complex products, such as multi-company reports, was not well supported, penalizing productivity.

The bank needed a solution that would simplify maintenance and development, while delivering improved collaboration and productivity, as well as facilitating the addition of new products and services.



Solution

The reporting operation was moved to Eidosmedia’s Méthode editorial and publishing platform in conjunction with a Cobalt headless CMS as content distribution hub, feeding web and other digital delivery channels via advanced APIs.

The modular approach

Méthode handles report content at a more granular level than conventional editorial systems. This modular structure means a variety of report formats can be generated automatically from a set of components to create a range of delivery products from an e-mail newsflash to a full PDF report or a web page with interactive charts, audio or video.

The modular approach boosts productivity by allowing multiple users – even at different locations – to work in parallel on the same document, cutting time-to-market. All users see the complete document updated in real time. This kind of structured reporting also offers the possibility of personalizing research products automatically for different customer categories according to their preferences or subscription status.

Using a modular approach, both the quantity and quality of reporting can be increased without growing the resource base.

Visibility and compliance

The solution made full use of Méthode’s high-visibility workspace to speed collaboration between users. Automatic notifications inform users as soon as something requires their attention. Dashboards give supervisors a clear overview of the status of work in progress, while checkpoints ensure that reporting complies with regulatory standards and the organization’s own quality controls.

The public cloud option

Given the global dimensions of the research operation, cloud hosting was a natural option. As well as providing a stable, worldwide platform, a cloud solution would also reduce the TCO (total cost of ownership) of the solution by stripping out the costs of hosting and maintaining physical hardware and infrastructure.

A security challenge

However, cloud hosting presented a challenge – the need to secure the system perimeter of an operation that had to be accessible to a worldwide network of analysts and other staff. The existing on-premise platform was subject to the bank’s extremely stringent security regime. The cloud-hosted solution would have to provide an equivalent level of data protection in the cloud environment.

Eidosmedia’s cloud deployments were already certified to ISO/IEC 27017 levels – an internationally recognized set of security controls for cloud services.

In addition, the new platform had to satisfy an extremely demanding set of standards: the bank’s own security requirements.


Cloud security

For the cloud deployment, a single-tenant solution was chosen, hosted on an Amazon Web Services (AWS) public cloud and physically located in two separate regions chosen by the customer – an option available for all Eidosmedia cloud deployments.

The design encompassed a series of measures to provide extremely high levels of protection against data loss and unauthorized access across the worldwide research operation.

The provisions included:

  • Worldwide disaster recovery – AWS hosting in two different regions, each consisting of multiple AZs (availability zones), which are isolated and physically separate groups of data centers within a geographic area. This solution provides a complete DR failover facility in active-passive and active-hot standby modes.
  • State of the art SR – In addition to the ISO/IEC 27001 and 27017 controls, as part of the Shared Responsibility model adopted on AWS, the deployment complies with the policies defined by the CIS AWS Foundations Benchmark and AWS Foundational Security Best Practices standards.
  • MFA and SAML 2.0 support — User access is controlled through SSO (single sign-on) supporting SAML 2.0 identity providers and MFA (multi-factor authentication).

Encryption

  • Data in transit is encrypted across the entire stack using TLS/mTLS (mutual TLS)
  • Public and private X.509 certificates are used for securing services
  • Data at rest is encrypted across the whole lifecycle using AWS infrastructure capabilities
  • Secrets are stored in encrypted format

AWS services used for managing encryption

  • ACM (Certificate Manager) for managing public certificates
  • Private CA (Certificate Authority) for managing private certificates
  • KMS (Key Management Service) for managing cryptographic keys
  • CloudHSM (Hardware Security Module): dedicated key store for KMS, certified up to FIPS 140-2 Level 3.

ALE (Application Level Encryption) – Content is encrypted at rest by the application, in addition to the infrastructure layer, leveraging customer managed keys from KMS/HSM.

These protocols and technologies, together with other tools and services, allowed the bank to provide easy access to the research operation for its worldwide workforce, while ensuring continuity and security for data and workloads.

Outcomes

Productivity – by speeding collaboration – especially on multi-author documents and compilations of multiple reports – the solution has cut time-to-market and boosted overall productivity. Automatic generation of PDF and digital formats eliminates manual work on research delivery.

Compliance – automatic checkpoints and controls ensure higher compliance while reducing supervisory workload.

Evolvability – Faster and easier extension of the product portfolio with the addition of new formats, report types, new features (interactive graphics) and media (podcasts, video). The Cobalt delivery platform, with its advanced APIs, opens up an unlimited spectrum of access modes for the division’s research.

The cloud platform also allows easy evaluation and adoption of innovative cloud-based AI and ML services, from automatic semantic tagging to usage analytics and advanced CRM. The solution will shortly be extended with a cloud-based NLP service provided by Eidosmedia partner Amenity Analytics.

Cost reduction and predictability – The new solution represents a significant cost saving with respect to the earlier system. The cloud SaaS model results in a regular and predictable cost structure.
