04 August –

How Pismo protects its financial services platform against cybercriminals

Leonardo Carmona, Chief Information Security Officer at Pismo, discusses some of the cloud-based services we use to defend our platform

Maurício Grego

A platform for financial services must have an extremely high level of security since it is an obvious target for cybercriminals. Pismo uses broad security measures to protect its banking and payments platform and meet the financial industry requirements.

These measures include a security-by-design approach to software development, a “blue team” continuously enhancing the platform defences, and a “red team” uncovering weak spots by trying to attack the platform. Pismo also automates many security procedures to improve efficacy.

Moreover, since our platform is 100% cloud-based, we employ various Amazon Web Services (AWS) features to ensure system security. Leonardo Carmona, Chief Information Security Officer at Pismo, discussed some of these services at this week’s AWS Summit São Paulo conference.

Carmona shared the stage with Tuanny Bairos, Enterprise Solutions Architect at AWS, who provided an overview of the security tools available on the AWS cloud.

“Our infrastructure is monitored seven days a week, 24 hours a day,” says Tuanny. “It employs data encryption and other technologies to secure customers’ data and applications. However, our customers are responsible for implementing the security controls according to their chosen services.”

Identity management

Carmona explains that Pismo built its security stack step by step, adding protection layers as new needs arose. He cites access control as an example:

“When I arrived at Pismo three years ago, we were a small team, and everybody knew each other. So it was easy to ensure only authorised people had access to our systems. As the company grew and spread to several countries, we had to deploy more granular access control.”

The Pismo security team implemented a zero-trust policy and role-based access control (RBAC). The company employs Okta to manage identities and enable single sign-on. “We have a set of tools to validate users and devices and ensure only authorised users will have access to each resource.”

Robust data backup

Another challenge the Pismo team had to overcome was building a robust data backup system. Besides protecting data against failures and ransomware attacks, this system must meet industry regulations.

“Central banks and other government bodies regulate financial services, and their requirements vary according to the country. Since we operate in many countries, we had to ensure our data backup procedures met these requirements.”

Pismo adopted AWS Backup to manage the backup process. This service includes a Vault Lock feature that ensures the stored data cannot be deleted or modified until it expires. We can be sure the saved data will be available if needed.
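The immutability the paragraph describes comes from the retention window and the cooling-off period chosen when the lock is applied. The following is an added example, not Pismo's or AWS's own code: it builds and validates the request the boto3 `put_backup_vault_lock_configuration` call takes, and classifies a vault description (the shape `describe_backup_vault` returns) as still changeable or already immutable. The vault name, dates and sample description are constructed; the "governance" branch for a lock without a `LockDate` is an assumption.

```python
"""Added example (not Pismo's or AWS's code): build, validate and inspect an
AWS Backup Vault Lock configuration."""
from datetime import datetime, timedelta, timezone

# AWS rejects a compliance-mode lock whose cooling-off period is shorter than
# three days; once that window passes the lock can no longer be changed.
MIN_CHANGEABLE_DAYS = 3


def build_vault_lock_config(vault_name, min_retention_days, max_retention_days,
                            changeable_for_days=None):
    """Return the kwargs for backup.put_backup_vault_lock_configuration.

    changeable_for_days=None yields a governance-mode lock (an admin with the
    right IAM permission can still remove it); an integer >= 3 yields a
    compliance-mode lock that becomes immutable once that many days pass.
    """
    if min_retention_days < 1:
        raise ValueError("MinRetentionDays must be at least 1")
    if max_retention_days < min_retention_days:
        raise ValueError("MaxRetentionDays must not be below MinRetentionDays")
    cfg = {
        "BackupVaultName": vault_name,
        "MinRetentionDays": min_retention_days,
        "MaxRetentionDays": max_retention_days,
    }
    if changeable_for_days is not None:
        if changeable_for_days < MIN_CHANGEABLE_DAYS:
            raise ValueError("ChangeableForDays must be at least 3 (compliance mode)")
        cfg["ChangeableForDays"] = changeable_for_days
    return cfg


def lock_state(vault, now=None):
    """Classify a describe_backup_vault result.

    'unlocked'    - no vault lock at all
    'cooling_off' - compliance lock that can still be removed before LockDate
    'immutable'   - LockDate has passed; recovery points cannot be deleted early
    'governance'  - locked without a LockDate (assumed to be governance mode)
    """
    now = now or datetime.now(timezone.utc)
    if not vault.get("Locked"):
        return "unlocked"
    lock_date = vault.get("LockDate")
    if lock_date is None:
        return "governance"
    return "cooling_off" if now < lock_date else "immutable"


def apply_vault_lock(cfg):
    """Apply the lock and return the vault description (needs AWS credentials)."""
    import boto3  # real SDK; imported lazily so the rest of the file runs offline
    client = boto3.client("backup")
    client.put_backup_vault_lock_configuration(**cfg)
    return client.describe_backup_vault(BackupVaultName=cfg["BackupVaultName"])


# Constructed sample: a vault locked in compliance mode two days before its
# cooling-off period ends.
SAMPLE_NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)
SAMPLE_VAULT = {
    "BackupVaultName": "example-ledger-vault",  # constructed name
    "Locked": True,
    "MinRetentionDays": 7,
    "MaxRetentionDays": 365,
    "LockDate": SAMPLE_NOW + timedelta(days=2),
}

if __name__ == "__main__":
    print(build_vault_lock_config("example-ledger-vault", 7, 365, changeable_for_days=3))
    print(lock_state(SAMPLE_VAULT, SAMPLE_NOW))  # cooling_off
```

The practical check is `lock_state`: a vault that reports `Locked` but is still inside its cooling-off window does not yet give the guarantee the text describes, so a deployment pipeline should assert `immutable` before treating the backups as ransomware-proof.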

Moreover, our backup process can provide a very short recovery time if an incident happens. “In the case of DynamoDB databases, we take a snapshot every second,” adds Carmona. “I couldn’t even imagine this happening when I started working in security 16 years ago.”

A secure architecture

Pismo employs AWS WAF and Firewall Manager to protect its applications from external attacks. “With Firewall Manager, we centralise the administration of policies and rules. So we ensure, for example, that no TCP port is left open by accident.”
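A central policy is only as good as the check that finds the exceptions. The following is an added example, not Pismo's or AWS's own code: it walks security groups in the shape `ec2 describe-security-groups` returns and reports every TCP (or all-protocol) rule reachable from anywhere, ignoring ports that are meant to be public. The group ids and rules are constructed, and the default allow-list of port 443 is an assumption for the sake of the example.

```python
"""Added example (not Pismo's or AWS's code): flag security-group rules that
expose TCP ports to the whole internet, the kind of accident centralised
Firewall Manager policies are meant to prevent."""

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
ALL_PORTS = (0, 65535)


def world_open_tcp_ports(security_groups, allowed_ports=frozenset({443})):
    """Return (group_id, from_port, to_port) for each rule that admits TCP
    traffic from any address, unless the whole range is in allowed_ports."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto not in ("tcp", "-1"):  # "-1" means every protocol
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if not any(c in WORLD_CIDRS for c in cidrs):
                continue
            # All-protocol rules carry no FromPort/ToPort in the API response.
            lo, hi = ALL_PORTS if proto == "-1" else (perm["FromPort"], perm["ToPort"])
            if all(p in allowed_ports for p in range(lo, hi + 1)):
                continue
            findings.append((sg["GroupId"], lo, hi))
    return findings


def fetch_security_groups():
    """Pull every security group in the current region (needs AWS credentials)."""
    import boto3  # real SDK; imported lazily so the audit runs offline on samples
    groups = []
    for page in boto3.client("ec2").get_paginator("describe_security_groups").paginate():
        groups.extend(page["SecurityGroups"])
    return groups


# Constructed sample mimicking describe-security-groups output.
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]

if __name__ == "__main__":
    for group_id, lo, hi in world_open_tcp_ports(SAMPLE_SECURITY_GROUPS):
        print(f"{group_id}: TCP {lo}-{hi} open to the internet")
```

On the sample, the HTTPS listener passes, the database group is internal-only, and the two findings are the world-reachable SSH rule and the legacy all-traffic rule. Run against `fetch_security_groups()` the same function becomes a scheduled drift check that complements the preventive policy.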

Shield Advanced, another AWS tool, provides Pismo with further protection against DDoS attacks. It employs advanced routing techniques for automatically mitigating these attacks. “If infrastructure resources scale up during an attack for some reason, Shield Advanced will ensure that we don’t have a brutal impact on our infrastructure costs.”

Carmona concludes by reflecting on security tools’ huge advancements since he started working as a specialist in this area: “Now we have a broad set of security services ready to use on AWS. So we don’t need to implement them individually. We must only choose the appropriate services, configure, and activate them to have fundamental security measures in place.”

Download our whitepaper to learn how we use Chaos Engineering to improve system resiliency:
Build it up, tear it down: How chaos engineering creates platform resiliency
