Case study: why a banking service provider migrated to containers
Christian Hüning, figo‘s system architect, who spearheaded this IT migration project, shares how the banking service provider built a containerised infrastructure to meet goals for speed, scalability, and security.
Founded in 2012, Germany-based figo is Europe’s first banking service provider. (In March 2019, figo and Berlin’s finreach joined forces, forming a European Software-as-a-Service API platform for financial products.) The company aims to make banking and payment services more open and accessible through its platform, enabling partners to develop new fintech applications and services (and expand into new industry use cases).
The banking platform makes it possible to read bank data, analyse financial sources, initiate transfers, verify account balances, categorise transactions, and aggregate finance sources into a singular customer experience. Partners use the banking platform to develop and then offer new capabilities to their customers; for example, completing credit checks or offering personalised financial advice based on account data (with consumer approval).
The technically-dense banking platform also provides partners with machine learning capabilities to further build out and customise their own solutions.
As the banking service provider scaled and expanded its platform to meet the varying requirements of more partners, figo encountered mounting costs and technical limitations stemming from its VM-based environment. To overcome these hurdles, figo decided to transition to a Kubernetes-based container service architecture. The thinking was that doing so could reduce complexity, provider greater application reliability, and induce more flexible horizontal scalability across the entire backend infrastructure.
The strategic roadmap decided, figo’s challenge then became to select and deploy interoperable technologies that could support the adoption of a containerised environment. This meant not only pursuing solutions that could help figo deliver superior internal operational efficiencies, but also technology capable of delivering risk management and effective container security measures – adhering to banking and privacy regulation compliance standards was, of course, non-negotiable for the container strategy to work. Accomplishing this meant deploying container firewall technology that could provide visibility and protection for internal “east-west” connections within the highly-dynamic container environment, as well as for external connections.
figo deployed a bare-metal container service architecture to provide the critical applications its banking services depended on, orchestrated with Kubernetes, a Linkerd 2 service mesh for mTLS between all services in the cluster, Cilium for API-aware network security filtering, and Rook for cloud-native Kubernetes storage.
To determine the most prudent strategy for meeting its container security and regulatory compliance needs, figo conducted a thorough evaluation of available technologies. As a result of this process, figo selected NeuVector for its container runtime security solution.
Traditional firewall security technologies are designed to protect environments from external threats, but attacks on container environments most often involve a “kill chain” of events. The kill chain involves leveraging container exploits to increase access via unauthorised connections and malicious processes within internal container traffic before doing harm. In dynamic container environments, countless containers are created and destroyed every moment.
While traditional firewalls lack the visibility to properly monitor internal container traffic, figo liked that the NeuVector solution could offer the necessary Layer-7 container network visibility and automation to detect and prevent malicious connections as they happen. This would ensure kill chains could be thwarted, protecting containers and hosts from attacks. To ensure effective data protection, figo also tapped HashiCorp Vault to store and manage all secrets and sensitive data, backed by hardware security modules.
With container strategy, orchestration tools, and security solutions in place, the figo banking platform’s container-based infrastructure has remained protected from threats such as malware, data breaches, and other malicious attacks. The platform also relies on these technologies to meet its stringent compliance requirements under banking and customer privacy regulations, including Europe’s General Data Protection Regulation (GDPR), Federal Financial Supervisory Authority regulations (BaFin), and the revised Payment Services Directive (PSD2).
Introducing the Kubernetes container architecture and the robust security solutions protecting it has vastly increased the flexibility of figo’s banking platform and what it can offer to the company’s partners. The new architecture delivers the stability, scalability, and performance to provide our platform with a strong foundation going forward, while the security solution partners ensure the safety of figo’s systems and data, and full compliance with regulatory protections.
Figo next plans to work with its technology partners – many that are open-source focused – to implement new features that introduce increasingly greater flexibility and reliability to its banking platform, with a focus on further empowering and supporting the innovations and creativity of its banking industry partners.