Security3 min read

NatWest Group Optimizes User Experience Through Improved Security and Development Environments

Ciara McIlvenna

Founded in 1968, NatWest Group is a British banking and insurance holding company. It operates several high-street personal and business banking brands, along with private banking, investment banking, insurance and corporate finance services. Today, it has more than 59,000 employees and, in 2021, generated revenue of GBP £10.51 billion.

With a large and geographically diverse workforce and the enhanced security needs that come with being a major financial services organization, NatWest Group is constantly challenged to be ahead of the game regarding user experience and security. The group has a long history with VMware, implementing products such as VMware Cloud Foundation, VMware vCloud® Suite and VMware Carbon Black Cloud. Having already undertaken a significant migration from VMware vSphere® to VMware Cloud Foundation, the Group has an eye on future developments that will help it create a more agile infrastructure and application configuration, reducing the need for manual effort and enhancing security.

Improving user experience through enhanced automation

NatWest Group initially implemented VMware vRealize® Automation 7 to underpin its infrastructure as a service (IaaS) platform in 2017 as part of the Dell Enterprise Hybrid Cloud solution. However, this presented a range of interoperability challenges, which meant several processes—including deployment, testing and configuration—had to be completed manually, impacting developers’ time. It also resulted in frequent bugs in the code due to human error, slowing down the pace of the company’s cloud ambitions.

A shared development environment also contributed to conflicts. Joel King, development operations engineer, NatWest Group, explains, “We had a centralized development environment and wanted to get to a place where we could give people their environment, but we just couldn’t get there.” The net result was a user experience with plenty of room for improvement.

“We need to be able to deliver things to the customer based on their needs. For us, it’s all about how quickly we can make changes and deliver new requirements based on what customers are asking for,” says King, regarding the development team’s priorities.

A subsequent upgrade to VMware Aria Automation 8 (formerly vRealize Automation) and VMware Cloud Foundation introduced many required improvements. These new capabilities included native GitOps integration and support for infrastructure as code, which had been identified as a priority by the NatWest Group development team.

The solution’s distributed development environments, self-service onboarding and fully automated units, integration and post-deployment tests mean VMware Aria Automation 8 frees up developers’ time to spend writing code rather than troubleshooting problems. It has also improved code quality due to extensive automated unit tests running against new code before it merges into the central staging environment. These improvements directly translate into a reduction in costs due to fewer manual processes requiring fewer personnel hours to resolve. VMware Aria Automation 8 has enabled the team to get it right the first time. “This is where we wanted to get to. We wanted to make sure that, where there is manual interaction, it’s because it is required and not because we haven’t automated something,” says King.

The journey toward Zero Trust security

Meanwhile, the Group was also focusing on another, longer-term aim. “Our goal is to get to Zero Trust security, but it's a journey,” explains Ian MacKinnon, NSX product owner, NatWest Group. Working closely with VMware Carbon Black Cloud, the Group identified several issues around implementing a Zero Trust secure-by-default model.

“Some time ago, the bank decided we would operate a Zero Trust, secure-by-default model,” says MacKinnon. “When applications are deployed in our internal platforms, they are locked down by default: no access, no connectivity, no nothing.” While clearly secure, this model creates issues around a lack of access for application owners and developers. NatWest Group is taking a proactive approach to engage its teams in this essential new development phase.

“The journey to secure the platform is not so much a technology journey, but a people journey,” says MacKinnon. “We are working with our developers, application owners and product teams, setting up workshops and drop-in clinics to communicate with those developers and help them better understand their requirements.” With ongoing support from VMware, NatWest Group can now map out its next steps more accurately than ever. The team plans to evolve even further toward advanced threat detection and behavioral analysis with the implementation of intrusion detection systems and prevention systems. By mapping various users’ workflows and requirements, MacKinnon aims to improve disparate relationships and enhance understanding of the Group’s security journey. “We’re making Zero Trust everybody’s responsibility.”