The client, a pre-revenue FinTech payments and mobile commerce start-up acquired the technology assets from another firm and wished to bring a new offering to market in the mobile commerce and payments space within a 9-month timeframe. The assets acquired, however, were limited by a number of architectural short-comings:
- Insecure and poorly implemented API authentication framework.
- REST-based microservices architecture that was not scalable.
- No multi-tenancy capability, requiring a new production environment per client ecosystem.
- Insufficient encryption and perimeter security provisions, policies and governance to meet security best practices for payment card data requirements (PCI DSS).
GreySpark deployed a partner to fulfil the role of Chief Architect and interim CTO, to accelerate the remediation of these issues in order to make the platform client-ready. The delivery approach was as follows:
- Investigate and recommend appropriate technology solutions to handle the scalability requirements of a B2C internet business of this type.
- Deploy industry standard OAUTH2 authentication infrastructure as the API perimeter in order to allow authentication to be managed properly, and in one place.
- Redesign the data-models in the system to support multiple tenants in a single environment whist ensuring data segregation was maintained.
- Create a Card Data Environment (CDE) with appropriate encryption, firewall, and associated security policy, controls, and governance frameworks required to obtain a PCI DSS auditor certification.
GreySpark delivered the following during the engagement:
- A new approach to infrastructure based on DevOps best practices, that included the use of Docker and Kubernetes to provide internet scale and availability to the platform.
- The introduction of an API Gateway solution that enabled the deployment of OATH2 REST API authentication at the perimeter.
- A new network and security architecture that successfully passed a PCI DSS 3.2 audit.
- Changes to micro-service data models to support multi-tenancy.
- A much improve Continuous Integration and Continuous Delivery approach which resulted in multiple production deployments occur per week.
- PCI DSS certification was an essential pre-requisite to enable this pre-revenue start-up to start to sign up clients.
- The deployment of Docker and Kubernetes effectively ensured that the infrastructure (AWS-based) could be elastically scaled to support the loads predicted by the largest global clients.
- Hosting and infrastructure costs were significantly minimised through the deployment of a new multi-tenancy capable platform.