Serverless in FinTech

The financial world has been far ahead of the curve when it comes to serverless adoption. This seems surprising at first, given how reticent banks and insurance companies have been about moving to the cloud in the first place. Once they made the decision to take the plunge, they seem to have gone all in on FinTech serverless computing. One common reason cited is the lack of cloud-based legacy. For many financial institutions, the move to the cloud has coincided with a significant revamping of their entire software stack, and leapfrogging straight to a serverless architecture in FinTech makes a lot of sense.

FinTech systems often fit well with serverless architecture, for several reasons:

    1. Large financial institutions run highly sensitive applications that need to operate reliably, and robustly, at huge scale. The applications often need to service hundreds of millions of actions per day, across diverse geographies, and moving to serverless shifts this burden of system health and scaling over to the cloud providers.
    2. Financial systems often have highly variable loads. Transactions have peak hours; people cash their paychecks weekly or monthly; trading volumes change rapidly. Traditional scaling is not only complicated and labor intensive, but also costly and unreliable. Building these services with a serverless architecture allows customers to pay for exactly what they consume, and not for capacity that sits idle.
    3. Financial services must operate highly robust transactional systems. In many cases, the ability to decompose complex processes into small provable nano-services helps the developers of these critical systems avoid mistakes that can be catastrophic.

FinTech Serverless Security

The shift to a serverless FinTech cloud creates several key security challenges and opportunities that financial organizations need to address and embrace:

    • Financial applications deployed on a public serverless cloud often have stringent compliance requirements. Meeting these requirements and enabling proper certification and auditing calls for clear security controls across the entire lifecycle of the application, from development to production.
    • Financial cloud services typically comprise hundreds of serverless functions, each handling some specific transaction or flow. For each function, it is imperative that a FinTech serverless security solution applies least privilege. This ensures that each function can access only the services and actions it requires, drastically shrinking the attack surface and reducing the blast radius should an attack occur.
    • Given the high request volumes that financial services applications can incur, it’s crucial that serverless security for FinTech is in place to prevent attacks, and that this runtime defense incurs virtually zero overhead on the application. Even an extra 50 milliseconds spent per request on security can have a significant impact on customer experience and cost.
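The least-privilege point above is the kind of posture check a tool can automate: inspect the IAM policy attached to a function's execution role and flag any Allow statement that grants wildcard actions or resources. The following is an added illustration written for this page, not Protego's code; the two policy documents, the table name and the account id are constructed placeholders.

```python
"""Audit an IAM policy document for violations of per-function least privilege.

Added example for this page (not Protego's code). Both policies below are
constructed samples; the account id and table name are placeholders.
"""
from typing import Any

# Constructed sample: an execution role that lets a single payment-posting
# function touch every DynamoDB table and every S3 bucket in the account.
OVERLY_BROAD_POLICY: dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::*"},
    ],
}

# Constructed sample: the same function scoped to the two actions it needs
# on the one table it owns (123456789012 is a placeholder account id).
LEAST_PRIVILEGE_POLICY: dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
         "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Payments"},
    ],
}


def _as_list(value: Any) -> list:
    # IAM allows a single string or a list in Action/Resource; normalise.
    return value if isinstance(value, list) else [value]


def find_violations(policy: dict[str, Any]) -> list[str]:
    """Return one finding per wildcard action or resource in an Allow statement.

    Deny statements never widen access, so they are skipped. NotAction and
    NotResource are inverted grants and are always reported as too broad.
    """
    findings: list[str] = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: inverted grant (NotAction/NotResource)")
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action!r}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*" or resource.endswith("*"):
                findings.append(f"statement {i}: wildcard resource {resource!r}")
    return findings
```

Run against a real role, the same check would be fed the policy documents returned by the account's IAM API rather than the inline samples.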

Protego for Serverless FinTech

Protego’s cloud-native application security solution has been built ground-up to take advantage of the security opportunities serverless affords, and to reimagine the way AppSec is done at the speed of serverless. For financial technology serverless cloud applications, there are several features of the solution that help make these applications far more secure than their serverful counterparts.

    • Protego enables deployment of customized policies across the account that provide assurance of compliance during development, inside the CI/CD pipeline, during staging and testing, and in production in the cloud. At each stage, Protego ensures that the rules and policies needed for compliance are being enforced.
    • Protego Proact automates the process of posture assurance at dev, CI/CD and production. For FinTech serverless applications, Protego ensures that all functions are running with least privilege while empowering developers to move as fast as they need to.
    • Protego Defend provides a runtime defense solution that has been designed to seamlessly and automatically protect serverless functions, with nearly no overhead in function duration and function resource consumption. This means security doesn’t come at the cost of performance degradation.
