← Back to Case Studies
Enterprise / Cloud

Enterprise Data Platform

AWSTerraformIAMKMSSnowflakeRBAC + ABACPolicy-as-Code

Our role: Cloud infrastructure, integration & security architect.


The Challenge

The client — an FTSE-100 healthcare leader — had data scattered across 5+ siloed warehouses, each built by a different vendor team with its own security model, access controls, and governance standards. This fragmentation made enterprise-wide analytics nearly impossible and blocked any AI initiative that needed cross-domain data. There was no unified security posture and no consistent governance — and past efforts had a habit of losing their architectural know-how when the vendors handed over and left.

Solution & Approach

We led the cloud security, infrastructure, and integration architecture for the platform's re-platforming. Working within the enterprise's strict controls, we designed least-privilege IAM roles and expressed the access model itself as Terraform — each module granting roles only the minimum they need to function, with tag-based (ABAC) conditions and federated enterprise identity. Resource-level policies and an explicit-deny posture protected the sensitive stores (S3, KMS, Secrets), while a layered network, security-group, and encryption design made cross-cloud integration (Azure, Salesforce, Snowflake, on-premise) safe without over-permissioning. The data modelling, pipelines, and Snowflake build were delivered by the data engineering teams; this secure foundation became the bedrock for the production AI systems built on the platform.

The hard call — speed vs. governance. Consolidating fast is tempting, but ungoverned speed creates a security mess. We engineered the trade-off instead of choosing a side: an open sandbox for discovery, then access tightened to least-privilege by code as each service matured — so the higher environments were governed by construction.

  • Access as code — Least-privilege IAM roles and resource-level policies defined in Terraform, with tag-based (ABAC) conditions and federated enterprise identity.
  • Explicit-deny posture — Resource-level denies that override role grants, so even admins can’t reach the most sensitive permissions.
  • Defence in depth — Private-link networking, per-resource security groups, role-based access, and encryption with per-key policies and strict cross-cloud key exchange.
  • Foundation for AI — The governed platform became the bedrock for the production AI systems built on top, including the NL-to-SQL assistant.

Outcome

Five-plus siloed warehouses became one governed platform — still running, and the foundation for multiple production AI systems, including the natural-language-to-SQL assistant that let business users query it in plain English. Security and governance were implemented as code by design, so the platform consolidated and stayed governed across clouds. And the architectural know-how stayed in-house: a senior core team held the design while vendors did the build.

The long version: this build has a field note in our journal — the decisions, dead ends, and judgment calls behind it. The layer underneath the data →


Let's discuss your next challenge.

Ready to bring AI-powered intelligence to your organisation?

Start the Conversation