Case study

Secure, compliant migration to AWS for a regulated financial institution

Learn how we executed the cloud migration of a brokerage house supervised by the Polish Financial Supervision Authority.


Industry: Financial services
Size: SMB
Key focus: Cloud migration

Opportunity: The cloud as a regulatory simplification

In the world of finance, trust isn’t merely crucial — it is mandatory. When the security of financial assets becomes your mission, that trust needs to encompass every fiber of your business. And our customer — a leading, well‑established brokerage house — is dedicated to precisely this mission, especially as it operates under the rigorous oversight of the Polish Financial Supervision Authority (KNF).

The entirety of our customer’s operations is therefore contingent on strict regulatory compliance, while the market viability of its services hinges on the trust it is able to muster and carry. Where a certain degree of risk is inherent to the world of investment funds, special care must be taken not to introduce any additional risks where they can be avoided entirely — or at the very least mitigated to the point of practical nonexistence.

While navigating these dynamics and challenges unique to operating in highly-regulated sectors, one must simultaneously steer the business towards profit — customer trust and regulatory compliance are ultimately meaningless if the business can’t attract and retain clients.

How, then, does a relative newcomer garner the trust of well-established investment funds while at the same time presenting a competitive and profitable offer? If one considers modern technology as a solution, it turns the dilemma into a trilemma: how do we do the above with innovation and cutting-edge technology not only avoiding those proverbial cuts, but actually making our services — and thus by extension our client’s finances — safer and more secure?

As a joint endeavor of financial institutions experienced with fintech solutions, our client has been built from the ground up with a technological focus. Cloud adoption was not an afterthought — it was a natural direction towards reduced IT costs, primarily in infrastructure management and maintenance, along with its renowned and unparalleled flexibility — yet another crucial requirement when dealing with volatile financial markets. Fitting for an institution which strives to reduce risk for its clients, thanks to the cloud our customer could reduce its own setup risk, circumventing the capital expenditure traditionally associated with IT infrastructure in favor of the cloud’s pay-as-you-go usage model.

The company showed great foresight in its strategy, recognizing that cloud adoption — when done right — can in fact simplify security concerns, where many mistakenly hold the opposite as truth. Managed services handled by dedicated professionals can reduce our own attack surface, while offloading certain tasks onto a cloud provider mitigates our immediate compliance concerns. Regulatory audits in highly-regulated sectors are known to cause service friction and disruptions — why not let someone else worry about at least some of them? Someone, who has an immaculate compliance record… someone, who can be trusted?

With the direction set towards the services offered by AWS, all that was needed was an answer to the practical: how to do it right? And this is where we, Chaos Gears, came into the picture.

Solution: Offloading complexity onto the cloud

Given our prior experience working with enterprises from highly-regulated sectors, we approached this cooperation with a certain level of understanding that was equally met by an understanding of our own areas of expertise, and mutual respect for all the nuances involved.

Past our initial meetings, once we started actual scope evaluations and planning within AWS’ Migration Acceleration Programme (MAP), and especially during our thorough Well-Architected Review, our recommendations and suggested courses of action were met with a level of professional trust and technological openness that felt refreshing for an industry notoriously entrenched in old habits and proven schemas. In other words — it was the cloud’s time to empirically prove all the things it has been luring financial entities with for years.

Even though each migration is as unique as each client, some steps are common to essentially all of them, and are performed routinely because of the unquestionable benefits these DevOps best practices bring to the table. As such, we kick-started the practical side of the migration with a Landing Zone made up of multiple AWS accounts, each dedicated to a specific environment (development, testing, and finally production). This fundamental account-level isolation, together with a robust network architecture, is vital to both application safety and security, and at the same time keeps innovative development and experiments (risky by nature) from jeopardizing production systems.
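One practical way to keep the per-environment account isolation described above honest is a guardrail check that flags any network path crossing the dev/test/prod boundary. The script below is an added example written for this case study and is not Chaos Gears' or the brokerage house's code: it assumes a hypothetical account-to-environment map and runs over a constructed sample shaped like the response of EC2 DescribeVpcPeeringConnections, reporting every active peering whose two ends sit in different environments or in an account outside the landing zone.

```python
"""Guardrail check for a multi-account landing zone: report any active VPC
peering connection that links accounts belonging to different environments.

Added example for this case study; not Chaos Gears' or the brokerage house's
code. The account ids, VPC ids and peering records are constructed sample
data shaped like the output of EC2 DescribeVpcPeeringConnections."""

# Hypothetical account-to-environment map (constructed; not real account ids).
ACCOUNT_ENV = {
    "111111111111": "dev",
    "222222222222": "test",
    "333333333333": "prod",
}

# Constructed sample resembling a DescribeVpcPeeringConnections response.
SAMPLE_RESPONSE = {
    "VpcPeeringConnections": [
        {   # dev <-> dev: stays inside one environment, allowed
            "VpcPeeringConnectionId": "pcx-00000000000000001",
            "RequesterVpcInfo": {"OwnerId": "111111111111", "VpcId": "vpc-dev-a"},
            "AccepterVpcInfo": {"OwnerId": "111111111111", "VpcId": "vpc-dev-b"},
            "Status": {"Code": "active"},
        },
        {   # dev <-> prod: violates environment isolation
            "VpcPeeringConnectionId": "pcx-00000000000000002",
            "RequesterVpcInfo": {"OwnerId": "111111111111", "VpcId": "vpc-dev-a"},
            "AccepterVpcInfo": {"OwnerId": "333333333333", "VpcId": "vpc-prod"},
            "Status": {"Code": "active"},
        },
        {   # test <-> prod, but already deleted: carries no traffic, ignored
            "VpcPeeringConnectionId": "pcx-00000000000000003",
            "RequesterVpcInfo": {"OwnerId": "222222222222", "VpcId": "vpc-test"},
            "AccepterVpcInfo": {"OwnerId": "333333333333", "VpcId": "vpc-prod"},
            "Status": {"Code": "deleted"},
        },
        {   # prod <-> an account that is not part of the landing zone at all
            "VpcPeeringConnectionId": "pcx-00000000000000004",
            "RequesterVpcInfo": {"OwnerId": "333333333333", "VpcId": "vpc-prod"},
            "AccepterVpcInfo": {"OwnerId": "999999999999", "VpcId": "vpc-unknown"},
            "Status": {"Code": "active"},
        },
    ]
}


def env_of(account_id):
    """Map an account id to its environment; anything unmapped is 'external'."""
    return ACCOUNT_ENV.get(account_id, "external")


def cross_environment_peerings(response):
    """Return (peering_id, requester_env, accepter_env) for every active peering
    whose two ends are not both inside the same known environment."""
    findings = []
    for pcx in response.get("VpcPeeringConnections", []):
        if pcx.get("Status", {}).get("Code") != "active":
            continue  # pending, rejected or deleted peerings carry no traffic
        req_env = env_of(pcx["RequesterVpcInfo"]["OwnerId"])
        acc_env = env_of(pcx["AccepterVpcInfo"]["OwnerId"])
        if req_env != acc_env or "external" in (req_env, acc_env):
            findings.append((pcx["VpcPeeringConnectionId"], req_env, acc_env))
    return findings


if __name__ == "__main__":
    for pcx_id, a, b in cross_environment_peerings(SAMPLE_RESPONSE):
        print(f"FINDING: {pcx_id} links {a} and {b}")
```

In a real landing zone the same function would be fed the live API response for each account, and the environment map would come from the organization's account tags or OU layout rather than a hard-coded dictionary; the check itself, that no active peering leaves its environment, does not change.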

While our customer started formally operating relatively recently, it is a brownfield endeavor formed on the combined experience and assets of industry veterans. In IT infrastructure terms this meant that the organization operated with a varied portfolio of proven applications — from flexible dedicated services to larger monoliths running in dedicated virtual machines. This mesh of sensitive interdependencies formed the bigger part of the challenge ahead of us (and ultimately directly contributed to the shape of the solution we implemented) — especially considering no form nor level of service disruption or data loss could be considered acceptable.

The other, albeit smaller, part of the challenge resided in regulatory compliance.

Now, given that this case study has already invested so much time in underlining the importance and complexity of operating directly under stringent rules, such as the provisions of the Polish Financial Supervision Authority, it may appear counterintuitive that this was in fact the smaller part of the equation. However, the design, governance and security measures of the AWS platform naturally lend themselves to turning previously egregiously complex undertakings into green-by-default checkmarks on a list, or even into nonissues altogether.

Our partner’s systems were deeply interdependent not just internally — they also had to consistently interface with mission-critical platforms, such as the Central Securities Depository of Poland (KDPW). If one now considers regulations that may require one to physically store certain types of digital data in armored safes, with each move — both physical and digital — meticulously documented, data center design becomes a challenge of its own, while the complexity necessary to support those designs becomes the fabric of an IT administrator’s nightmares.

Letting AWS handle all of that, one gets to eliminate this entire category of headaches in one fell swoop, and can instead rely on its extensive certification issued by countless trusted, independent third parties and government bodies all across the world.

What is then left to do is to take care of security in the cloud, as per the Shared Responsibility Model: AWS is responsible for the security of the cloud itself, while the customer remains responsible for what it builds and configures on top of it.

Thus, we tied all of the above together in one Virtual Private Cloud setup. It takes care of secure connectivity between the services running in the cloud and the local workstations, and also extends to the external services used by our customer’s platform (most importantly, the aforementioned Central Securities Depository of Poland). With sufficient redundancies in place, the setup we opted for is both resilient and secure, without sacrificing performance.

Crucially, the architecture is not complex, and that is a good thing. While it doesn’t make for particularly interesting reading, boring is actually the right classifier to aim for in this context.

The last thing one wants where security is concerned is “interesting things going on” or “complex systems interacting”.

Michał Siemieniuk, Head of Security, Chaos Gears

Boring and simple should also be in high demand when an organization’s expertise does not cover IT systems management, and security in particular. This happens to apply to the majority of businesses in the world. While our client has a modern and responsible approach to these issues, it is always prudent to keep every attack surface minimal, both technical and human. To err is human, and so, logically, we want to minimize all opportunities to err.

With most management tasks which were previously handled internally now offloaded onto AWS or otherwise automated, we helped our client internalize and formalize a set of governance and security policies to retain a good security posture in the long term. Seeing the cloud’s benefits quickly materialize, the brokerage house was eager to put them into practice, and to proactively look for further modernization opportunities.

Observing such an attitude towards the results of our work, we confidently and happily finalized the setup with a convenience layer on top: AWS WorkSpaces gave the brokerage house’s employees secure virtual remote desktop access, while AWS Transfer Family took care of secure and convenient file sharing across its internal network.

Simple, but effective.

Outcome: Simplicity drives trust and transparency

During our ongoing cooperation with the brokerage house, we have helped this uniquely positioned organization navigate the intricacies and nuances of strictly-regulated business within the cloud by delivering on a simple, and yet seemingly counterintuitive promise — that it is in fact simpler, both on an organizational and on a technical level, to operate such a business by leveraging a trusted and certified cloud offering, such as AWS, than it is to tackle all of the fronts on one’s own.

The term “simple” turned into a leitmotif in the process, as we worked on proving that everything the cloud promises can in fact materialize, and that with the right approach it can also tangibly reduce complexity, letting you focus on your core competencies and services. Chaos Gears supports and maintains the AWS infrastructure, enabling the brokerage house to focus on delivering top-tier services to the financial market with confidence, knowing that its application platform operates seamlessly at all times. In yet another counterintuitive twist, we helped our customer scale down so that it can more easily scale up and out, this time thanks to the flexibility and reliability of the cloud, without being forced to invest in or manage its own data center.

It is a testament to AWS’ offering that, despite the incredible internal complexity of its platform, the actual constructs one needs to build and manage are simple and somewhat uninteresting, to the point of being boring, even for a financial institution whose regulatory compliance requirements may at times appear absurd to a layman.

Michał Siemieniuk, Head of Security, Chaos Gears

All of the above ultimately contributes to an infrastructure that is simultaneously more modern, practical, convenient, and secure.

With a trilemma to solve, the actual solutions don’t need to fall into a complexity trap. Experience has shown us time and time again that it is prudent to seek simplicity and boredom, where some might seek a thrilling engineering challenge — and end up with overengineering as a result. After all, simplicity is the ultimate sophistication.
