Cloud security transformation case study

Accelerate secure cloud adoption for mission-critical workloads

A major North American bank builds up cloud security governance, cloud data security and architecture capabilities to fast-track its cloud adoption ambitions.

Client: North American financial institution
Today's issues: Cybersecurity, Privacy and Financial Crime
Services: Cybersecurity
Country: Canada


A major North American bank with a focus on cloud-first technology expansion reached out to us to make sure the work underpinning its cloud-first journey was clearly evaluated and understood by key stakeholders.


The client needed a comprehensive view of the cloud security governance capabilities and how they should operate. To make sure cloud adoption efforts are managed, a detailed target operating model for public cloud was required. In addition, the client needed a way to integrate cloud-specific controls with enterprise control objectives and ensure the roles and responsibilities for securing public cloud would be well understood by many technical teams and partners.


We clearly understood our client’s challenges and built a governance program to account for people, process and technology. Listed below are some of the key actions our team took to help build technical and business alignment.

  • Cloud security target operating model: Helped our client define a target operating model to clearly outline the roles and responsibilities of each team and individual, built an interaction model and performed a gap analysis.
  • Cloud workload assurance: Conducted a gap analysis and revised the existing cloud control matrix based on industry-leading practices and popular frameworks, such as NIST, CSA and CIS. Defined the security requirements for the cloud workload assurance and aligned them with the cloud control matrix and industry-leading practices. Created a Responsible-Accountable-Consulted-Informed (RACI) chart and interaction model as well as an event monitoring and remediation process.
  • Cloud security maturity assessment: Assessed the current state against the cloud adoption roadmap and provided a means for tracking progress towards it. Provided a measurable and objective way to communicate cloud adoption progress and gaps with stakeholders, and identified areas of improvement as an input for planning and budgeting.
  • Cloud security reference architecture: Developed a target state architecture for public cloud, a cloud capability map and cloud architecture patterns for specific priority areas.
  • Cloud data security framework: Developed cloud key data security governance artifacts, including a governance process and cloud data discovery, classification and protection policy. Assisted our client with cloud secrets management solution design and processes on the public cloud.


Designing of the cloud security target operating model ensured alignment on ownership, technical decisions, executable roadmap and downstream initiatives, and it enabled decision making by providing traceability of scope to the overarching strategy, vision and anticipated benefits.

By uplifting security controls and filling the existing gaps and a well-defined security configuration and protection program for cloud workloads (cloud workload assurance), we helped increase visibility and stakeholder trust. Furthermore, we helped our client identify security improvement opportunities in their enterprise delivery pipeline to increase performance through automated security checks.

The target-state architecture deliverables have been maintained by an enterprise architecture team and have been leveraged in many instances for architecture decisions and as a standard reference for architecture verifications. In addition, the capability map has been leveraged to develop a maturity roadmap and assessment framework for the cloud transformation program.

Cloud data security deliverables have enabled the bank to migrate the corporate data analytics platform to the cloud and benefit from virtually unlimited computing and machine learning capabilities.

Follow PwC Canada

Required fields are marked with an asterisk(*)

By submitting your e-mail address, you acknowledge that you have read the privacy statement for this site and you consent to our processing the data in accordance with that privacy statement to include international transfers. If you change your mind at any time, please send an email message to the Chief Privacy Officer.

Contact us

Alvin Madar

Alvin Madar

Partner, Cybersecurity, Privacy and Financial Crime and National Cybersecurity Leader, PwC Canada

Tel: +1 604 806 7603

Kyle Bassett

Kyle Bassett

Partner, Cloud Practice Lead, PwC Canada

Tel: +1 416 687 9079

Puneet Dahiya

Puneet Dahiya

Director, Cloud Security Services Leader, PwC Canada

Pouria Ghatrenabi

Pouria Ghatrenabi

Senior Manager, Cloud Security, Cybersecurity, Privacy and Financial Crime, PwC Canada