AWS re:Invent 2025 - Solving the Cloud Privilege Problem at Scale: A Fiserv Case Study (COP213)
Overview
This presentation discusses how Fiserv, a global financial services company, partnered with Sunry to address the challenge of managing cloud permissions and access at scale across their multi-cloud environment. The key points covered include:
Fiserv's cloud management challenges
How Sunry's tools helped solve these challenges
The implementation process and business impact
Fiserv's Cloud Management Challenges
Fiserv is a large, global financial services company that has grown through mergers and acquisitions, resulting in a complex, multi-cloud environment.
Managing permissions and access across thousands of accounts and cloud resources was a significant challenge, especially with the rise of new AI and cloud services.
Fiserv had tried to implement some controls, but faced issues like unintended service disruptions due to problems with SCP (Service Control Policy) inheritance.
The company needed a solution that could provide visibility, control, and automation for their cloud permissions and access management.
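The SCP inheritance problem mentioned above follows from how AWS Organizations evaluates SCPs: an action must be allowed at every level from the root through each OU down to the account, and an explicit deny at any level blocks it. The following is an added example, not code from the talk or from Sunry's tooling; it is a simplified model that ignores conditions, resources and NotAction, and the OU names, policies and in-use actions are constructed. It checks which in-use actions a proposed SCP change would start blocking.

```python
from fnmatch import fnmatchcase

def matches(patterns, action):
    """True if the action matches any SCP action pattern (case-insensitive, * wildcard)."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def level_allows(scps, action):
    """A level (root, OU or account) allows an action only if some attached SCP
    allows it and no attached SCP explicitly denies it."""
    allowed = any(s["Effect"] == "Allow" and matches(s["Action"], action) for s in scps)
    denied = any(s["Effect"] == "Deny" and matches(s["Action"], action) for s in scps)
    return allowed and not denied

def scp_permits(path, action):
    """path lists (level_name, attached_scps) from the root down to the account.
    Returns (permitted, name_of_first_blocking_level)."""
    for name, scps in path:
        if not level_allows(scps, action):
            return False, name
    return True, None

def newly_blocked(before, after, actions_in_use):
    """Pre-deployment check: in-use actions that the change would start blocking."""
    blocked = {}
    for action in actions_in_use:
        if scp_permits(before, action)[0]:
            ok, level = scp_permits(after, action)
            if not ok:
                blocked[action] = level
    return blocked

# Constructed sample data (hypothetical OU and account names).
FULL_ACCESS = {"Effect": "Allow", "Action": ["*"]}
ALLOW_LIST = {"Effect": "Allow", "Action": ["ec2:*", "s3:*", "rds:*"]}
BEFORE = [("Root", [FULL_ACCESS]), ("OU:Workloads", [FULL_ACCESS]),
          ("Account:app-prod", [FULL_ACCESS])]
# Proposed change: swap the OU's full-access SCP for an allow list.
# The account-level full-access SCP cannot restore what the OU no longer allows.
AFTER = [("Root", [FULL_ACCESS]), ("OU:Workloads", [ALLOW_LIST]),
         ("Account:app-prod", [FULL_ACCESS])]
IN_USE = ["s3:GetObject", "dynamodb:Query", "kms:Decrypt", "ec2:DescribeInstances"]

if __name__ == "__main__":
    for action, level in newly_blocked(BEFORE, AFTER, IN_USE).items():
        print(f"{action} would be blocked at {level}")
```

In practice the in-use action list would come from observed activity, such as CloudTrail events, for the accounts under the OU being changed.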
Sunry's Solution
Fiserv discovered Sunry at AWS re:Invent, where Sunry demonstrated their ability to automate the creation and deployment of SCPs.
Fiserv conducted a Proof of Concept (POC) with Sunry, which revealed several key capabilities:
Excessive Permissions Identification: Sunry's tools could identify IAM users and roles with excessive permissions that were not being used, allowing Fiserv to take action to prevent their misuse.
Zombie Identity Management: Sunry could identify and quarantine "zombie" identities that had not been used, helping Fiserv clean up unused and potentially risky access.
New Service Enablement/Disablement: Sunry provided visibility into which new AWS services were being used across Fiserv's accounts, allowing the company to enable or disable them as needed.
Third-Party Access Monitoring: Sunry's tools could identify and monitor third-party access to Fiserv's cloud resources, enabling better control and visibility.
Regional Service Deployment Tracking: Sunry helped Fiserv track the deployment of new AWS regions and ensure that applications were only running in the required regions.
Implementation and Business Impact
After the successful POC, Fiserv decided to move forward with Sunry's solution, despite some initial internal questions and concerns about adding another tool.
The implementation process was relatively straightforward, with Fiserv able to set up the necessary CloudFormation templates in about 30 minutes.
The analysis of Fiserv's cloud permissions and access data using Sunry's tools revealed significant opportunities for optimization and control:
Fiserv estimated that they saved over 1,000 hours of manual work by automating the creation and deployment of SCPs, which would have required approximately 384 lines of code per SCP across their 1,000+ accounts.
Sunry's tools helped Fiserv identify and address excessive permissions, unused identities, and unnecessary service deployments, improving their overall cloud security and compliance posture.
Fiserv now uses Sunry's tools as part of their AI Center of Excellence, enabling them to better manage and control access to new AI services as they are deployed.
Key Takeaways
Fiserv's experience demonstrates the challenges large, multi-cloud organizations face in managing cloud permissions and access at scale.
Sunry's solution provided Fiserv with critical capabilities for identifying and addressing cloud security and compliance issues, including excessive permissions, unused identities, and unnecessary service deployments.
The implementation process was relatively straightforward, and the business impact was significant, with Fiserv estimating over 1,000 hours of manual work saved.
Fiserv's use of Sunry's tools as part of their AI Center of Excellence highlights the importance of having robust cloud access management in place as organizations adopt new cloud-based technologies and services.