EQ Bank is the digital platform of Equitable Bank, based in Toronto. Founded over 50 years ago, Equitable manages more than $40B in assets and has grown to serve more than a quarter-million Canadians. Launched in 2016 as Canada’s first born-digital bank, EQ Bank has fueled rapid growth by challenging traditional banks with a completely branchless experience and smarter banking solutions.
As a leader in digital banking and the first bank in Canada to fully host a core banking system in the cloud, security and availability mean everything to EQ. But what if an expired certificate brings down underlying infrastructure or halts productivity for IT teams? That’s exactly the challenge David Yu, VP of Security Architecture, needed to solve in the face of rapid digital transformation and business growth.
“Two years ago, we noticed that we were using a lot more certificates for the applications we run within the business and the applications we develop internally,” says David Yu. “We had DigiCert for publicly trusted certificates, but we didn’t have an internal certificate authority (CA), and there were only ad hoc processes for application owners to request and provision certificates. IT and infrastructure teams would just issue their own certs in development environments and move on.”
Ad hoc certificate issuance made it difficult for them to maintain comprehensive visibility and provide reports to internal auditors. Without defined processes, they could not track how other teams across the company were provisioning certificates. As a result, unknown and untracked certificates would expire without their knowledge, causing applications to stop working and pulling key resources away from their day-to-day tasks to remediate outages.
Historically, the security team was able to manually manage a few certificates in spreadsheets; they also dabbled in Active Directory Certificate Services (ADCS), sometimes referred to as Microsoft CA, to issue certificates for limited internal use cases. However, the IT team has since expanded from 20 to more than 150, a rate of growth that was impossible to support with their limited Microsoft CA deployment and manual certificate management processes.
An independent audit and gap analysis from a long-time IT partner confirmed that a certificate management solution was critical to improve their security posture and prevent further outages — a risk amplified by the widespread use of machine identities in their sprawling Azure and DevOps infrastructure. That’s where security architecture became involved in the project.