"Adopting AWS DevOps with the help of Commencis gave us a robust and complete experience. As PayCore, we are now able to deliver secure services for our European customers faster, cheaper and with even higher quality." Levent Keçeci - Head of Infrastructure at PayCore
About PayCore
The payment solutions company is also a leading player in emerging mobile payment, open-loop transit, and wearable payment technologies. PayCore’s PCI DSS, BKM, MasterCard and Visa certified Transaction Center, with its reliable infrastructure, serves a customer portfolio including the world’s leading companies in the financial sector. The company manages millions of credit and debit cards running on PayCore solutions.
Business Challenge
In today’s business environment, productivity is what sets a business apart from its competitors, so PayCore had to move to more advanced technologies and retire inefficient methods. As traditional installed, on-site software gives way to real-time data access over the internet, businesses have many options for streamlining their work processes, such as moving their data to centralized computing platforms like cloud-based systems. PayCore also needed to improve its ability to scale up to cash markets, and to do so the payment solutions company had to modernize business operations such as time tracking, invoicing, and billing on cloud-based systems.
PayCore developed its application in an on-premises environment: the development, testing, and production (pilot) environments were all on premises. Although the customer had extensive experience with application development and security, it lacked experience with cloud environments, in particular with migrating the application to AWS in line with the AWS Well-Architected guidelines.
After the migration of the application to AWS, a third-party assessor would perform a security assessment to check PCI DSS compliance, and any findings in the resulting reports would need to be remediated.
Solution
PayCore uses Red Hat OpenShift, and its existing environment runs in its on-premises datacenter (OpenShift Kubernetes Engine, MySQL database). PayCore’s application services run on the Kubernetes platform. The main goal of the project is to migrate PayCore’s SoftPOS application from on-premises OpenShift to AWS smoothly and without interruption.
The PayCore SoftPOS application follows a two-tier architecture pattern. The application tier runs in a Kubernetes cluster managed by Amazon Elastic Kubernetes Service (EKS); the data tier runs on Amazon Relational Database Service (RDS) and Amazon ElastiCache for Redis. Both tiers are scalable. For infrastructure administration and maintenance, a bastion host built from an AWS-provided AMI is deployed in the public subnet.
Its security group accepts SSH connections only from trusted source IP ranges. Application servers and database servers are hosted in private subnets and are reachable only from the bastion host. The servers accept SSH logins by key-pair authentication only. Application servers reach the internet for software installation through a NAT gateway.
The SoftPOS application accepts web requests through an Elastic Load Balancer (ELB). The traffic is routed to the backend Kubernetes services running on EKS; the backend processes the request and returns the response to the ELB, which delivers it to the end user. The ELB is deployed in a public subnet and protected by a VPC security group that allows only HTTPS inbound traffic from external sources, and it connects only to the backend servers, over HTTP/HTTPS. Cross-zone load balancing is enabled for high availability and an even distribution of traffic. The load balancer is also configured for session persistence, and an idle timeout is set for connections between the load balancer and the client.
Amazon RDS for MySQL and ElastiCache for Redis make up the data tier. The database is deployed as a cluster with separate read and write endpoints. Both the servers and the database instances are protected by restrictive security group rules that block access from untrusted network sources.
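The security-group layout described above (bastion reachable on SSH only from trusted ranges, application nodes reachable only from the bastion and the load balancer, data tier reachable only from the application tier, load balancer open to the internet on HTTPS only) is a policy that drifts silently as operators add rules. The following added example (not PayCore’s or Commencis’s code) encodes that policy and audits a set of groups against it. The group IDs, trusted CIDR, and ports are assumptions; the input shape mirrors the `SecurityGroups` list returned by boto3’s `ec2.describe_security_groups()`, so the same function can be run on real output once the policy table is adapted, and the sample groups are constructed to include two typical violations.

```python
"""Audit VPC security-group ingress rules against the SoftPOS tier layout.

Added example, not PayCore's or Commencis's code. Group IDs, the trusted
operator CIDR and the port list are assumptions; the input shape follows the
'SecurityGroups' list returned by boto3's ec2.describe_security_groups().
"""
from ipaddress import ip_network

ANYWHERE = "0.0.0.0/0"
# Assumed operator network allowed to reach the bastion (TEST-NET-3, constructed).
TRUSTED_CIDRS = {"203.0.113.0/24"}

# Policy derived from the architecture description. Each entry is
# (protocol, port, allowed sources); a source is a CIDR or a security-group ID.
POLICY = {
    "sg-bastion": [("tcp", 22, TRUSTED_CIDRS)],
    "sg-elb":     [("tcp", 443, {ANYWHERE})],            # only public listener
    "sg-app":     [("tcp", 22, {"sg-bastion"}),
                   ("tcp", 80, {"sg-elb"}),
                   ("tcp", 443, {"sg-elb"})],
    "sg-db":      [("tcp", 3306, {"sg-app", "sg-bastion"}),   # RDS for MySQL
                   ("tcp", 6379, {"sg-app", "sg-bastion"})],  # ElastiCache (Redis)
}


def _sources(perm):
    """Yield every source of an IpPermissions entry: CIDRs and peer group IDs."""
    for r in perm.get("IpRanges", []):
        yield r["CidrIp"]
    for p in perm.get("UserIdGroupPairs", []):
        yield p["GroupId"]


def _allowed_source(src, allowed):
    """True if src is an allowed group ID, or a CIDR contained in an allowed CIDR."""
    if src in allowed:
        return True
    if src.startswith("sg-"):
        return False
    net = ip_network(src, strict=False)
    return any(not a.startswith("sg-") and net.subnet_of(ip_network(a, strict=False))
               for a in allowed)


def audit(groups, policy=POLICY):
    """Return a list of findings; an empty list means every ingress rule is allowed."""
    findings = []
    for g in groups:
        gid = g["GroupId"]
        allowed = policy.get(gid)
        if allowed is None:
            findings.append(f"{gid}: no policy defined for this group")
            continue
        for perm in g.get("IpPermissions", []):
            proto = perm["IpProtocol"]              # "-1" means all traffic
            lo, hi = perm.get("FromPort", -1), perm.get("ToPort", -1)
            for src in _sources(perm):
                ok = any(proto == p and lo == hi == port and _allowed_source(src, srcs)
                         for p, port, srcs in allowed)
                if not ok:
                    findings.append(f"{gid}: {proto} {lo}-{hi} from {src} not permitted by policy")
    return findings


# Constructed sample in describe_security_groups() shape. Two violations are
# planted: an untrusted /32 on the bastion and SSH open to the world on sg-app.
SAMPLE_GROUPS = [
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"},
                      {"CidrIp": "203.0.113.5/32"},     # inside the trusted range: fine
                      {"CidrIp": "198.51.100.7/32"}]}]},  # not trusted: finding
    {"GroupId": "sg-elb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": ANYWHERE}]}]},
    {"GroupId": "sg-app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": ANYWHERE}],              # world-open SSH: finding
         "UserIdGroupPairs": [{"GroupId": "sg-bastion"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "UserIdGroupPairs": [{"GroupId": "sg-elb"}]}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "UserIdGroupPairs": [{"GroupId": "sg-app"}]},
        {"IpProtocol": "tcp", "FromPort": 6379, "ToPort": 6379,
         "UserIdGroupPairs": [{"GroupId": "sg-app"}]}]},
]

if __name__ == "__main__":
    for line in audit(SAMPLE_GROUPS):
        print(line)
```

The check is deliberately allow-list based: a rule is accepted only if some policy entry matches its protocol, single port and source, so an all-traffic (`-1`) rule or a port range fails even when its source is the right group. Running it from a pipeline step or an AWS Config custom rule turns the architecture description into something that is enforced rather than only documented.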
Amazon Elastic Kubernetes Service makes it easy to deploy, manage, and scale Kubernetes workloads, and it is used for the application tier. After deploying the SoftPOS application to EKS, PayCore can continue to manage its application and environment with kubectl, or use the EKS console, eksctl (the EKS CLI), or the APIs.
Using AWS Database Migration Service, a live migration from the on-premises MySQL database to Amazon RDS for MySQL is performed with minimal downtime. An AWS Site-to-Site VPN between AWS and the PayCore datacenter is set up before the database migration starts.
AWS WAF is a web application firewall that protects the PayCore SoftPOS web application against common web exploits that could affect availability, compromise security, or consume excessive resources. Fortinet’s Managed Rules package is deployed on it to automate rule management and keep the rules up to date.
For PCI DSS compliance, Amazon CloudWatch, AWS CloudTrail, Amazon Inspector, and AWS Config are used to monitor and audit all services. For the Intrusion Detection/Prevention System (IDS/IPS) and File Integrity Monitoring (FIM) requirements, Trend Micro Cloud One Workload Security is deployed on the EKS worker instances. Cloud One is a SaaS product managed by Trend Micro with security features including IDS/IPS, FIM, anti-malware, web reputation, and application control.
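CloudTrail only helps a PCI DSS audit if someone is actually watching it, and the two events a cardholder-data environment most wants flagged are a security group being opened to the internet and the trail itself being switched off. The following added example (not PayCore’s or Commencis’s code) is a small detector over CloudTrail records that raises both. Field names follow the CloudTrail event record format (`eventSource`, `eventName`, `userIdentity`, `requestParameters`, `errorCode`), so it can be fed records from the trail’s S3 bucket or a CloudWatch Logs subscription; the records below, the account ID, trail name and principals are constructed, and the assumption that tcp/443 is the only port meant to be public comes from the load-balancer description above.

```python
"""Flag audit-trail tampering and world-open ingress rules in CloudTrail records.

Added example, not PayCore's or Commencis's code. The sample records, account
ID, trail name and principals are constructed; field names follow the
CloudTrail event record format. PUBLIC_OK is an assumption (only the ELB's
HTTPS listener is meant to be reachable from the internet).
"""
import json

OPEN_CIDRS = {"0.0.0.0/0", "::/0"}
PUBLIC_OK = {("tcp", 443)}                       # assumed sole public listener
# API calls that stop or weaken the audit trail itself.
TRAIL_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def _principal(rec):
    """Best available identifier for who made the call."""
    ident = rec.get("userIdentity", {})
    return ident.get("arn") or ident.get("userName") or ident.get("type", "unknown")


def _open_ingress(rec):
    """Yield (proto, from, to, cidr) for every world-open range in the request."""
    perms = rec.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    for perm in perms:
        proto = perm.get("ipProtocol")
        lo, hi = perm.get("fromPort"), perm.get("toPort")
        ranges = (perm.get("ipRanges", {}).get("items", [])
                  + perm.get("ipv6Ranges", {}).get("items", []))
        for r in ranges:
            cidr = r.get("cidrIp") or r.get("cidrIpv6")
            if cidr in OPEN_CIDRS:
                yield proto, lo, hi, cidr


def detect(records):
    """Return a list of (severity, eventName, principal, detail) alerts."""
    alerts = []
    for rec in records:
        name, source, who = rec.get("eventName"), rec.get("eventSource"), _principal(rec)
        # A denied attempt is still worth an alert: someone tried.
        outcome = "denied" if rec.get("errorCode") else "succeeded"
        if source == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPER:
            alerts.append(("HIGH", name, who, f"audit trail modification {outcome}"))
        elif source == "ec2.amazonaws.com" and name == "AuthorizeSecurityGroupIngress":
            gid = rec.get("requestParameters", {}).get("groupId")
            for proto, lo, hi, cidr in _open_ingress(rec):
                if lo == hi and (proto, lo) in PUBLIC_OK:
                    continue                     # expected: the ELB's HTTPS listener
                alerts.append(("HIGH", name, who,
                               f"{gid}: {proto} {lo}-{hi} opened to {cidr} ({outcome})"))
    return alerts


# Constructed records: one expected public listener, one world-open SSH rule,
# one attempt to stop the trail (denied), one benign read-only call.
SAMPLE_RECORDS = json.loads("""
[
 {"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ops-admin"},
  "requestParameters": {"groupId": "sg-elb", "ipPermissions": {"items": [
     {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
      "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
 {"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/dev-contractor"},
  "requestParameters": {"groupId": "sg-app", "ipPermissions": {"items": [
     {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
      "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
 {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/dev-contractor"},
  "requestParameters": {"name": "arn:aws:cloudtrail:eu-west-1:111122223333:trail/softpos-audit"},
  "errorCode": "AccessDenied"},
 {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
  "userIdentity": {"type": "AssumedRole",
                   "arn": "arn:aws:sts::111122223333:assumed-role/eks-node/i-0abc"}}
]
""")

if __name__ == "__main__":
    for alert in detect(SAMPLE_RECORDS):
        print(*alert, sep=" | ")
```

The same logic fits naturally into a CloudWatch Logs metric filter or an EventBridge rule once the patterns are settled; keeping it as plain code first makes it easy to replay a day of trail history and tune the allow-list before wiring up paging.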
Third-Party Applications or Solutions Used
Trend Micro Cloud One Workload Security: host-based IDS/IPS, FIM, anti-malware, web reputation, and application control (in addition to the AWS security services used)
AWS Services Used as Part of the Solution
There are several AWS Services used in the solution, including:
IAM, Route 53, EKS, EC2, Elastic Load Balancer, Inspector, RDS, ElastiCache, Config, CloudWatch, CloudTrail, Site-to-Site VPN, AWS Database Migration Service, AWS WAF
Outcomes & Benefits
- Reduced lead time by saving time on environment setup and manual testing.
- Infrastructure is built on every trigger of the pipeline, so a deployment takes at most 20 minutes instead of a manual process that took more than 3 hours.
- Catching bugs faster, finding more complex bugs, and reducing the code work for PayCore developers.
- Avoiding repetitive tasks such as setting up test environments: PayCore can spin up the environment it needs to test the product without opening a ticket with DevOps, leaving the DevOps team more time for other tasks.
- Increased accuracy, as deployment automation executes every step the same way each time.