Sela. | Cloud Better.

FundGuard

FundGuard is a cloud-based investment funds operating system powered by artificial intelligence. It helps asset and fund managers administer investments across mutual funds, ETFs, hedge funds, insurance, and pensions. The platform leverages modern cloud technologies, artificial intelligence, and a revolutionary multi-dimensional real-time design to transform an underserved industry that is limited today by archaic, primarily on-premise, batch-based and non-scalable technology.

The challenge

As a cloud-based investment company, FundGuard requires SOC 2 compliance. As a result, they required a solution with a secure, highly available infrastructure and a disaster recovery mechanism that minimized lost data and brought the system back online quickly.

SOC 2 compliance required firm security roles, which would be strictly enforced. As a multi-tenant solution containing sensitive data, resources needed to be secured within each account, as it was vital that there be no data leaks between clients. Within each global account, FundGuard required account-level separation between Development and Production accounts.
On the user side, FundGuard’s clients are spread across the globe. The company needed a system that would deliver content quickly and provide an outstanding user experience.

The solution

Sela architects based their design on the guidelines presented in AWS’ Well-Architected Framework.

FundGuard’s SaaS platform needed to be secured at every layer of the stack, so the team combined several services and practices. Two different accounts were created for production and development. Access to those accounts was gained through IAM roles and multi-factor authentication (MFA). Integration with Azure DevOps was set up and the relevant pipelines were created. AWS ECR serves as the repository store for the Docker images that were used.

API Gateway was used as the service “front door”, with Cognito supporting end-user authentication and authorization to the relevant resources. This provided a scalable and secure entrance to the service. API Gateway was connected through a private link to the application load balancer in a private subnet. Therefore, all communication behind the API Gateway stayed in a private, secure zone.

Instances in private subnets were not configured with any public IP addresses, in production or development. Public egress was available only through a NAT Gateway. All public access points were protected by AWS Security Groups (SG) and Amazon S3 access control lists (ACLs), and were permitted only over HTTPS. CloudFront was used both for security and to improve the user experience by hosting the client application. This allowed FundGuard to deliver content from the closest possible edge points.

In the event of a complete region failure, the CDK stacks allow for recovery into a region that is still operational. Fully functional new environments can be up and running within 90 minutes. All the infrastructure components are also covered by CDK stacks. Relevant data is copied/replicated to different regions and is ready in case of a regional disaster.

The data layer includes DynamoDB, a super-fast data store. Redis was used as a caching service to further reduce latency and the number of requests to the database. Kafka’s managed service was used for several other flows, and Elasticsearch was used for application auditing requirements.

The results

The final design that was implemented is highly available and highly scalable, and meets all of FundGuard’s needs, including their SOC 2 compliance requirements. Applying the IaC discipline through CDK deployment, integrated with the CI/CD tools the team already knew, enabled developers and DevOps engineers to easily take full ownership of the solution provided.