Cloud-Native Security and Compliance in Financial Services: The Nationwide KMaaS Case Study

Introduction

In the rapidly evolving landscape of financial services, security and compliance are not just regulatory checkboxes—they are foundational to trust, innovation, and business agility. As financial institutions accelerate their cloud adoption journeys, the need for robust, scalable, and certifiable security solutions becomes paramount. Nationwide Building Society, the world’s largest building society, recognized this imperative and, with the support of Publicis Sapient, embarked on a transformative journey to implement a cloud-native Key Management as a Service (KMaaS) solution. This case study explores how Nationwide and Publicis Sapient tackled technical and organizational challenges to deliver a secure, compliant, and future-ready key management platform that enables multi-cloud flexibility, cost savings, and accelerated product delivery.

The Security and Compliance Imperative

Financial institutions operate in one of the most regulated and risk-sensitive environments. The proliferation of digital channels, cloud-native applications, and multi-cloud strategies has expanded the attack surface and increased the complexity of managing cryptographic keys, secrets, and certificates. Nationwide’s legacy approach to key management was fragmented, costly, and exposed the organization to operational and compliance risks. The absence of a centralized, automated system for provisioning and managing keys across cloud and on-premises environments made it difficult to:

• Ensure consistent security controls and auditability
• Avoid vendor lock-in with cloud service providers (CSPs)
• Integrate seamlessly with modern DevSecOps pipelines
• Scale securely as new digital products and services were launched

Recognizing these challenges, Nationwide set out to build a solution that would not only meet today’s security and compliance requirements but also provide the flexibility to adapt to future needs.

The Transformative Solution: Cloud-Native KMaaS

Nationwide, in partnership with Publicis Sapient, designed and implemented a cloud-native KMaaS platform leveraging HashiCorp Vault and native hardware security modules (HSMs) from leading cloud providers. The solution was architected as a stretch capability across AWS and Azure, providing centralized control over cryptographic keys for applications, containers, and infrastructure—regardless of whether they run in the cloud or on-premises.

Key Features and Architecture

• Multi-Cloud and Multi-Region Resilience: The KMaaS platform is accessible across AWS, Azure, and on-premises environments, ensuring that applications remain functional even if a single CSP experiences an outage. This eliminates vendor lock-in and supports seamless workload migration between clouds.
• Centralized Key and Secrets Management: All cryptographic keys, secrets, and certificates are managed centrally, reducing operational overhead and risk. Automated provisioning and lifecycle management are integrated with CI/CD pipelines, supporting modern DevSecOps practices.
• Security and Compliance by Design: The solution is compliant with FIPS 140-2 standards and is backed by HSMs, meeting the highest security requirements for financial services. Penetration testing confirmed zero high-severity vulnerabilities, and the platform supports robust audit trails for regulatory reporting.
• Rapid Deployment and Cost Efficiency: The KMaaS solution was conceived, prototyped, and brought to production in under 10 months. By optimizing licenses and IT resources, Nationwide achieved significant cost savings while reducing manual intervention and operational risk.
• Seamless Integration: Out-of-the-box integration with popular DevSecOps tools (e.g., Jenkins, Kubernetes) enables teams to adopt KMaaS with minimal friction, accelerating the onboarding of new projects and applications.

Overcoming Technical and Organizational Challenges

Implementing a cloud-native, enterprise-grade KMaaS platform was not without its hurdles. Nationwide and Publicis Sapient faced several challenges, including:

• Balancing Value and Governance: Achieving the right mix of rapid value delivery and rigorous governance required close collaboration and agile delivery practices. Some enabling technologies, such as HSM integration, were not fully mature and required creative interim solutions.
• Change Management: Migrating existing projects from legacy Vault clusters to the new KMaaS platform required careful planning, stakeholder engagement, and phased onboarding to minimize disruption.
• Technical Debt: Temporary workarounds for immature capabilities introduced some technical debt, but the teams prioritized continuous improvement and technical excellence to address these over time.

Despite these challenges, the partnership between Nationwide and Publicis Sapient fostered a culture of innovation, resilience, and shared ownership—enabling the successful rollout of KMaaS on an aggressive timeline.

Business Impact: Security, Compliance, and Agility Unlocked

The implementation of KMaaS delivered tangible business benefits for Nationwide:

• Enhanced Security and Compliance: Centralized, automated key management ensures consistent enforcement of security policies and regulatory controls across all environments. The platform’s auditability and FIPS 140-2 compliance provide confidence to regulators and internal stakeholders alike.
• Cost Savings: By consolidating key management and optimizing resource usage, Nationwide reduced licensing and operational costs. Automation further decreased manual effort, freeing up teams to focus on innovation.
• Accelerated Product Delivery: Fully automated deployment of encryption, secrets, and certificates enables faster onboarding of new products and services. Nationwide can now bring digital offerings to market more quickly, with security built in from day one.
• Multi-Cloud Flexibility: The ability to operate seamlessly across AWS, Azure, and on-premises environments empowers Nationwide to avoid vendor lock-in and adapt to changing business and technology requirements.

Conclusion: A Blueprint for Secure Cloud Transformation

Nationwide’s KMaaS journey, enabled by Publicis Sapient, demonstrates how financial institutions can achieve world-class security and compliance while accelerating digital transformation. By adopting a cloud-native, multi-cloud key management platform, Nationwide not only strengthened its security posture but also unlocked new levels of agility, cost efficiency, and business resilience. This case study serves as a blueprint for technology, risk, and compliance leaders seeking practical, real-world solutions for secure cloud adoption in financial services.

As the regulatory landscape continues to evolve and digital innovation accelerates, the ability to deliver secure, compliant, and flexible technology foundations will define the market leaders of tomorrow. Nationwide’s KMaaS success story is a testament to the power of partnership, engineering excellence, and a relentless focus on security and compliance in the cloud era.

Relevant Links

• Sapient and Murex Deliver Treasury Transformation at Nationwide Building Society
• Exploring Treasury Transformation in Mid-Tier and Regional Banks: Lessons from Nationwide’s Success
• La transformation digitale de la conformité réglementaire dans la titrisation européenne : un nouveau standard pour la transparence et l’efficacité (Europe)
• Sapient and Murex Deliver Treasury Transformation at Nationwide Building Society
• Modernización de la Tesorería Bancaria en América Latina: Un Camino Escalable para la Eficiencia y el Cumplimiento (LATAM)