Simplifying Cloud Security and Compliance assets

Problem Statement

CONTEXT

All products on the DLT Apps cloud platform are within the highly regulated space of financial services, and are expected to host confidential / PII data of customers including those from financial transactions. Our clients require us to meet high security and compliance standards akin to SOC2 and ISO compliance requirements.

CHALLENGES

- One of our first products required us to meet 127 requirements across governance, risk and compliance, Identity and Access management, Data protection, Security Incident Response, Personnel Security, Training and Awareness, Network Security, Operations Security, Physical Security, as well as Software Development and Hosting.
- All of this had to be accomplished in a short period of time to meet the compressed launch timelines (5 months) and evidenced to the information security reviewers.

Solution

The secure platform was designed with due consideration to:

1. Data encryption and network security
2. Well-defined Identity and Access Management
3. Endpoint protection and data loss prevention

Our team built a secure platform, adopting various AWS Security services to implement the necessary security controls listed below:

- All confidential data was encrypted using client-managed BYOK keys.
- A secure network hub with centralised egress and ingress controls was set up using AWS Network Firewall and AWS WAF.
- Azure Active Directory and Privileged Identity Management were used to set up a secure identity.
- Access management as well as the JML process: all access controls to various tools and the cloud provider were managed via Azure AD.
- Microsoft Intune-based endpoint protection was rolled out to all developer assets, and access was controlled via conditional access policies.
- A secure workstation solution with limited access to production was configured using AWS Workspaces, including endpoint protection software to implement data loss prevention controls.
- Security events were streamed to Elastic SIEM, and alerts were generated via OpsGenie.

Impact

1. All 127 controls were implemented and ready for product launch within five months. The platform has successfully been through multiple assurance audits by our client and penetration tests.
2. The platform is live with confidential / PII data, and all data access procedures have been tested and used for production support.
3. All critical SIEM alerts have been set up to notify of any anomalies in the network, Identity and Access, and data movement.

Problem Statement

CONTEXT

DLT Apps was established with the aim of incubating multiple financial products. One of our first flagship products is a fund administration platform that would host confidential user data of our clients on the cloud. This would be the first major cloud-based deployment of confidential data at such a scale for our client; their own cloud solution was delayed by a few years. We needed to build a secure, reliable cloud foundation at pace. It was also important to ensure the platform was extensible and scalable to support additional product propositions in the future.

CHALLENGES

- Building a cloud foundation that would meet our client’s security and governance requirements, while balancing the implementation and run costs of a startup.
- The need to set up the platform rapidly to meet the growing demands of the engineering and product teams, as well as client expectations.
- The platform had to support multiple technologies (Java, Go, Python) and microservices-based architectures. Engineers needed sufficient tooling to enable them to safely build and progress their changes across multiple environments.
- Once live, we needed our support teams and reliability engineers to maintain the solution and identify and resolve incidents quickly.

Solution

We outlined four areas of focus during the strategy phase:

1. Cloud Controls and Business Continuity
2. Hosting Platforms
3. DevOps Tooling
4. Monitoring and operations

Impact

1. Multiple live services – The cloud platform now hosts multiple beta testing and production environments for our clients with full controls. The platform has been vulnerability assessed and penetration tested by third parties with minimal minor findings.
2. Successful third-party review – A well-architected review from AWS was also conducted with two minor findings. It has also been through the client’s third-party assurance process and satisfies 127+ controls required from third-party SaaS solutions.
3. Zero data loss and a 30-minute recovery time – The platform has successfully completed a business continuity test with zero data loss and an RTO of 30 minutes.

Problem Statement

CONTEXT

The sale of automobiles, whether new or used, is a complex process that has adhered to established norms for a significant period. In a typical scenario, multiple parties are involved, including a buyer, a seller, a government agency responsible for registering ownership, and a financial lender who holds a lien in cases where the buyer has taken out a loan. Recognising this friction within the automotive buying and selling ecosystem, one of our clients who specialised in automotive financing aimed to modernise the process and significantly reduce the time taken for the transfer of ownership.

CHALLENGES

- There were multiple parties involved, and all had disparate sets of ownership that required verification before a transfer could be completed.
- To solve this problem, a distributed network based on a consensual model was required that could bring all the parties together so that they could have access to the relevant state of ownership data and the title transfer process.
- A digital representation of the car title had to be created and published to a private and public blockchain platform upon the successful completion of the transfer. The transaction could then be available in an immutable ledger that needed to be shared amongst all participants.
- For expensive cars, there was also a requirement to mint a non-fungible token that was available on NFT marketplaces for trading as a non-fungible asset.
- Each of the actors (the sellers including car showrooms, government bodies and financial institutes) would run a blockchain node to manage car title ownership.

Impact

1. With our core expertise in Distributed Ledger Technologies, we were able to accelerate the outcome by designing and delivering a fully functioning application that allowed buyers and sellers to initiate transfers, while also facilitating lenders and government agencies to review and approve the transfers. This was accomplished in less than four months, including UX design, front-end & back-end design and build, as well as complex infrastructure provisioning and delivery.

Problem Statement

CONTEXT

Migrating data from one platform to another is a complex endeavour, especially within regulated Financial Services. A global Fund Administration product that DLT Apps had incubated was migrating a complex dataset of £20 billion of assets under management (AUM) from a leading Asset Manager. This needed a solution that could securely migrate data at speed and at scale.

CHALLENGES

- The target system was new and not yet functionally proven.
- The source data from the legacy application had data quality issues and lacked consistency across datasets.
- The extraction and mapping of important information was reliant on time- and effort-intensive manual processes that caused concerns with scalability and accuracy.

Solution

TerraAi, an AI/ML-enabled data migration engine, powered the migration of this complex dataset. We achieved this by:

1. Adopting modern architectural principles that enabled rapid test cycles and reduced the overall migration timelines to a few hours.
2. Implementing end-to-end automation that removed all the associated manual processes and focussed on data migration issues.
3. Enabling real-time data profiling, which helped data fixes at source.
4. Visualising real-time migration dashboards.

TerraAi brought together multiple facets to tackle the challenge of a seamless migration:

- Adopting the config over code principle, which enabled standardisation of our platform.
- Automation of proof points for migration success criteria eliminates manual effort.
- Adoption of distributed microservices architecture enables horizontal scaling.
- Real-time dashboards to provide record-level status and progress during migration events.
- Auditing every run of the migration cycle for transparency.

Impact

1. Post the successful migration, our in-house fund administration platform now seamlessly manages £20 billion in assets, enhancing operational efficiency, accuracy, and scalability.
2. This achievement has fortified TerraAi’s position in the financial domain, offering stakeholders unparalleled transparency, speed, and agility in asset management.
3. Through meticulous planning and execution, we've not only ensured data integrity and security but have also paved the way for innovative, data-driven strategies to maximise asset growth and deliver superior value to our clients.

Problem Statement

CONTEXT

Our client is a well-known UK brand that, amongst a few businesses, also provides retail lending products including personal and car loans. Our client faced challenges with their outdated legacy application. These challenges hindered their growth, innovation, and ability to offer a differentiated customer experience. These challenges meant that they were unable to meet their business objectives of customer acquisition and achieving straight-through lending decision processes.

CHALLENGES

- Our client intended to offer affordable, flexible, simple lending products to their customers, but felt technology was a hindrance in achieving their growth targets.
- There was too much friction in the end-to-end journey, with too many manual interventions.
- Technology to support making incremental changes to the proposition based on customer feedback
- Ability to innovate and facilitate 'plug-and-play' architecture

Solution

DLT Apps were involved in defining the target architecture, driven by Domain-Driven Design, that facilitated:

1. An architecture that was loosely coupled based on composable architecture to enable our client to switch retail lending service providers as required
2. Insource loan application decisions within the business to enable consistency and transparency
3. Enable reliable releases of application code to facilitate innovation and listening to customer feedback
4. Implement a leading cloud infrastructure architecture with necessary security controls in line with cloud architecture best practices

Impact

1. Embracing modern composable architecture transformed our client within the retail lending business to enable an architecture that can respond to customer needs.
2. By addressing the core challenges that they faced, the new system enabled operational efficiency, providing a superior user experience, and driving significant growth in key performance metrics.
3. Our strategy not only bolstered current business outcomes but positioned the company for sustained future growth in the competitive retail lending landscape.

Problem Statement

CONTEXT

In 2018, buying cryptocurrencies was difficult and expensive due to several factors. There existed many barriers to entry for new investors who were unfamiliar with the complex and technical nature of the cryptocurrency market. As a result, many potential investors were deterred from entering the market, limiting the growth potential of cryptocurrencies as an alternative investment asset class. Our client wanted to build a platform for buying, selling, and storing cryptocurrencies as well as traditional fiat currencies, that could address these challenges.

CHALLENGES

- There was a lack of a user-friendly platform that simplified buying and trading cryptocurrencies for new users.
- The fees associated with buying and selling cryptocurrencies were often high, making it an expensive investment option for many people.
- A limited number of exchanges were available, resulting in a lack of competition and high fees.

Solution

Our client needed a clear and simple process to address the challenges faced by the potential investors, and we split the task into three parts:

1. Simplify onboarding journey
2. Smoothen trading steps
3. Gain investors

User-centric design and journey mapping

Each aspect of the platform was built with the foundational tenet of simplifying the user journey. We created processes and designs that brought end-to-end clarity and transparency. This made buying, selling, and storing cryptocurrencies easily understandable and, more importantly, actionable for new users as well.

Impact

1. Our client became the fastest-growing platform for buying, selling, and storing cryptocurrencies, as well as traditional fiat currencies.
2. By March 2021, our client had surpassed 50,000 customers and was valued at £100 million ($137 million).
3. In May 2021, an American Financial Services company that rolled out a cryptocurrency wallet to more than 2 million users had considered acquiring our client for around $170 million. However, the deal was called off as confidence in the cryptocurrency market began to erode following a series of high-profile incidents. Despite this setback, our client continues to operate and grow its customer base.

Problem Statement

CONTEXT

Within the dynamic realm of Financial Services, DLT Apps continuously nurtures innovative product concepts, both for internal use and client solutions. On this journey, we recognised the imperative need for a cloud-native development accelerator. This accelerator empowers our engineers to create and deliver robust, secure, and cloud-based applications with ease, liberating them from the complexities of cloud infrastructure management.

CHALLENGES

- Most product teams require environments to be provisioned or cloned quickly to perform various development and testing activities, across multiple runtimes, namely Go, Java, JavaScript, and Python.
- Since all our products have microservices-based and event-driven architectures, teams require access to multiple databases (such as Postgres and Cassandra) and message queues (such as Kafka).
- An accelerator in Financial Services needs to incorporate a multitude of necessary controls across secure code reviews and scans, automated testing, vulnerability and OSS scans, as well as versioning and change management, to be deployed consistently across all products.

Solution

The accelerator was constructed on the foundational tenets of:

1. Cloud-native environments
2. Usage of industry-leading tools
3. Scans and verifications

The custom CI/CD and cloud-native environments accelerator integrates tools such as Jenkins, JFrog, Spinnaker, Vault, SonarQube, Selenium, JMeter, Git (Bitbucket), and Kibana. It incorporates automation for code scans, tests, and vulnerability scans. It also provides full traceability of artefacts deployed in any of our environments down to the actual commit. A promotion process allows controlled propagation to higher environments post testing/verification and confirmation from clients.

Impact

1. Onboarding a brand-new product proposition can be performed in less than a week, including the provisioning of key services. The provisioning of new environments for an existing product can now be performed in hours with the accelerator.
2. The platform is fully self-serviced, and building a new microservice and deploying it to an existing environment can be completed by the developers/engineers themselves. In addition, engineers also have access to tools to troubleshoot any issues that may occur using build and monitoring capabilities provided on the platform.
3. The platform is available at a fixed cost for a predefined capacity and has been built to prevent the fluctuations of a typical cloud infrastructure. This has helped us save up to 50% on infrastructure costs when compared to running on typical cloud infrastructure.