CASE STUDY — FINANCIAL SERVICES How a Regional Investment Firm Modernized Its Cloud Security Posture and Reduced Its Attack Surface by 60%
7/2/20264 min read


Registered investment advisers and broker-dealers operate under a specific combination of security pressures that makes their cloud security posture particularly consequential: they hold highly sensitive financial data for clients, they are subject to SEC and FINRA cybersecurity rules that have become significantly more prescriptive since 2023, they manage client assets in ways that make them attractive targets for financial fraud, and they typically operate IT environments built incrementally over years without a unified security architecture.
The client in this case study is a regional investment advisory firm with $2.4 billion in assets under management and 87 employees. They had migrated the majority of their operations to Microsoft Azure in 2021 but had done so primarily as a lift-and-shift migration — moving existing workloads to the cloud without redesigning the security architecture for cloud-native environments. By late 2025, their compliance officer had identified that the SEC's updated cybersecurity disclosure rules required a formal security assessment, and the results of an internal review had raised significant concerns.
Cloud migration without cloud-native security redesign is one of the most common patterns we encounter in financial services organizations. The workloads move. The perimeter-based security assumptions move with them. The result is an environment that has the attack surface of a cloud deployment and the security controls of an on-premise environment — combining the vulnerabilities of both without the mitigations of either.
The assessment findings
We conducted a comprehensive cloud security posture assessment across their Azure environment, supplemented by a review of identity, endpoint, and data security controls. The findings revealed systemic issues across five areas:
• Cloud misconfiguration: 23 Azure storage accounts had public network access enabled, including three containing client financial data and correspondence. Seventeen virtual machines had management ports open to the public internet — a direct exposure that enabled brute-force attacks against those endpoints. Network security groups had accumulated permissive rules added during troubleshooting sessions that were never removed
• Identity and access: 41 user accounts had Azure subscription-level permissions broader than required for their roles. Twelve former employees had active Azure Active Directory accounts, including two with Contributor-level access. Service principals used for application integrations had Owner-level permissions on resources they only needed to read
• Endpoint security: the firm had deployed Microsoft Defender for Endpoint but had not configured it beyond the default settings — leaving advanced threat protection features inactive and missing the behavioral detections that require specific policy configuration to enable
• Data governance: no Azure Information Protection labels had been applied to classify client data by sensitivity, leaving the organization without visibility into where their most sensitive data lived or appropriate controls for how it was handled and shared
• Logging and monitoring: Azure Monitor was collecting some logs but was not configured to alert on the security events that would indicate an active compromise — failed authentication attempts, unusual access patterns, configuration changes to security settings, and privilege escalation events
The remediation
The remediation was executed over twelve weeks with priority sequencing based on risk severity. First priority: closing the immediate exposure items — public storage access removed, management ports closed, former employee accounts disabled, and overly permissive service principal permissions scoped down. These changes were completed within the first two weeks and required no architecture changes, only configuration corrections.
Second priority over weeks three through eight: Defender for Endpoint advanced policy configuration, Azure Information Protection deployment with sensitivity labels for client data categories, network security group audit and cleanup, and Azure Monitor alerting configuration for key security events. Third priority over weeks nine through twelve: role-based access control restructuring to apply least privilege across all user accounts, implementation of Privileged Identity Management for just-in-time access to high-privilege roles, and documentation of the security baseline configuration for ongoing compliance.
The quantified outcome
Attack surface reduction: the number of externally accessible attack surfaces — public storage accounts, open management ports, over-privileged accounts that could be used for lateral movement — was reduced from a baseline of 94 identified items to 37 after the initial remediation phase and to 11 following the full twelve-week engagement. The 60 percent attack surface reduction represented the aggregate of these specific, measurable changes.
Compliance outcome: the firm's compliance officer completed the SEC cybersecurity assessment documentation with findings that demonstrated a substantially improved security posture. The assessment also identified that several of the controls required by SEC Rule 206(4)-9 for investment advisers — written policies, risk assessment documentation, incident response planning — required documentation updates that were completed as part of the engagement.
Cost outcome: the cloud configuration changes required no additional licensing spend. The Defender for Endpoint advanced features were already included in their existing Microsoft licensing. The Azure PIM deployment was included in their existing Entra ID P2 licensing. The entire security remediation was achieved within existing licensing, with professional services as the only incremental cost.
The compliance officer's comment: "We knew we had cloud security gaps. We did not know they were this specific or this addressable. The fact that most of the remediation was configuration rather than new spending was not what we expected."
What financial services organizations need to prioritize
The pattern above reflects what we consistently find in financial services organizations that have completed cloud migrations without cloud-native security redesign: the misconfiguration and access control issues are specific, addressable, and frequently remediable within existing licensing — the primary investment is the expertise to identify and remediate them, not new tooling. SEC and FINRA cybersecurity requirements continue to become more prescriptive, and the window for proactive remediation before regulatory examination is narrowing. Sigma Technology Consulting conducts cloud security posture assessments for financial services organizations within the specific regulatory context that applies. Contact us at sigmatechconsult.com.
Sigma Technology Consulting, Inc.
25 Years of Experience, Vetting & Procuring Technology Vendors
Contact Us
Support
© 2026. All rights reserved.


