Brought to you by

RSA: Architecting a large-scale migration to AWS, securely

Posted 5 months ago in Tech by Aaron McKeown
Posted by Aaron McKeown

In a session at this year’s RSA Conference in San Francisco, I shared with some of my cybersecurity industry peers how, at Xero, we orchestrated our massive migration to Amazon Web Services.

It was a project which saw 59 billion records, $1 trillion worth of transactions, thousands of servers and hundreds of databases transitioned to the public cloud, It took more than two years to architect and execute. But before this could happen, we had to come up with a rock-solid security plan.

How we transferred the equivalent of 60,000 blu-ray movies

The security team spent almost a year mapping out how we would securely transfer the records of our more than 862,000 subscribers without slowing down growth. It was a mammoth effort, and one that few technicians and developers had ever completed — especially in the APAC region.

Growing as fast as we are, we didn’t know the full extent of the project until we started. We had to rebuild everything in the AWS ecosystem. That meant we had to learn how to do all of this for ourselves, rather than have the host do it for us.

We came up with two key principles for encryption: all data had to be encrypted in transit and in rest. However, because of the massive amount of data we needed to transfer between Rackspace and the AWS environment, we hit the limits using current technologies pretty quickly. This meant we had to come up with our own transfer methods to move the data.

Coming up with our own method

We used VPN technology as a starting point and built from there. We used techniques which enabled high throughput traffic while maintaining security.

To do this we worked with partners to build best practice environments where we pushed to the limits. We had to build it all months before we migrated our first customer. It was the first thing that we thought about. We had to be secure by design.

We had to think about data encryption, connectivity of both inbound and outbound traffic, and protecting the environment from web-based attacks like DDoS, Cross Site Scripting and SQL Injections.  All the while we also had to build an agile environment that could be adapted as we grew to more than one million customers.

High growth environments have changed the way security needs to be delivered. We need to be able to protect and defend our environment while we move at a blistering pace. To protect the financial data of millions of users, we’ve taken the best of enterprise security platforms and merged it with the next generation of platform technology, like AWS, to build our overall security strategy.

We’ve now successfully transitioned more than 1.4 petabytes of data, the equivalent of 60,000 blu-ray movies. This puts us in the unique position. We can now apply agile security tactics and advanced machine learning to our vast database. We can not only innovate, but help protect our customers from fraud.

Fighting fraud – a billion dollar industry

Each year, fraud costs financial institutions around the world billions of dollars. It’s a figure that, with the growth of online business, e-commerce and mobility, has continued to balloon. But the very technology that made it easier for fraudsters is now closing the gaps.

In environments like AWS, technology companies are taking a layered approach to fraud detection. We’ve implemented machine learning algorithms and artificial intelligence to improve on the previous rules-based approach. Now, machines get smarter and better at detecting anomalies, the more data they process.

For this technique to work, security teams need to be restructured. They need to be agile and deeply aligned within the organization so they can continuously iterate and deploy product updates. Different skills are needed and cross-functional teams are important. This extends not only to your own team, but those of your partners. In this new security environment, security and speed are not mutually exclusive.

Agility in security

If a security team isn’t agile, it can block the pace of the organization. Previously, security was about having gates. But under the agile method we use guardrails so our developers stay on the road, rather than having to stop to open said gate.

Layering on machine learning modules to our infrastructure also enables us to bust fraud in real-time. We can intelligently block malicious traffic by building zoning and parameters around what is normal behavior, and what is considered an anomaly. This data is fed to our operational security team, which aggressively looks at our traffic and blocks malicious activity.

By operating in an agile environment, security professionals are improving data protection, eliminating downtime, and transitioning what was once seen as a hurdle in a business to a function that runs alongside every other function.

As Xero scales to serve millions of customers, rebuilding the infrastructure behind the platform enables us to leverage machine learning technology. We can now deliver fast-paced innovation, improved margins and increased uptime.

2 comments

Andy
February 21, 2017 at 8.59 am

Nice work Aaron!

Kevin
February 22, 2017 at 10.39 am

Good article Aaron. Yet another reason Xero is a world leader.

Leave a reply

Your email address will not be published. Required fields are marked *