Case study - FINGO

FINGO and its secure and compliant cloud for SaaS solutions

Deployment date: 2024

Sector: finance

Google Cloud

FINGO decided to develop a web-based version of its on-premise application for obligatory reporting and embed it in the Google Cloud environment. To ensure adequate security and regulatory compliance of the new solution, FINGO asked OChK for support. OChK experts audited the new infrastructure, helped design a suitable security architecture, and developed a compliance pack with comprehensive information on ensuring data security in the cloud. This allowed FINGO to plan further growth of its environment in line with security and compliance best practices, and to accelerate the time to market of its SaaS solutions.

About FINGO

FINGO offers end-to-end obligatory reporting systems (FINGO Systems), now used by more than 500 banks and financial institutions, including two central banks in Europe. It also supports digital transformation of financial and regulatory sector companies and startups, offering advanced software development services. The company’s focus on the quality and security of its solutions is evidenced by ISO 27001:2022 certification.

Challenges

Faced with rapid development of its aSISt obligatory reporting application, the need to adapt it to customer requirements, as well as new technological capabilities, FINGO decided to modernize the software. The goal was to embed the application in the Google Cloud infrastructure and change the way the product was delivered to a SaaS model.

A major challenge faced in developing the new service, eON SaaS, was to ensure an adequate level of security of the target environment. In order to meet the expectations of its customers, FINGO wanted to ensure early regulatory compliance of its service, especially with the processes and requirements of the so-called Cloud Communication of the Polish Financial Supervision Authority (PFSA).

FINGO decided to take a technological leap and turn a traditional desktop application into an innovative service accessible from a web browser. The company wanted to supplement its technical expertise with security/compliance know-how, not only to ensure a smooth data migration to eON SaaS, but also to make the new solution work in line with changing regulations. The company therefore needed a business partner whose experience would support the project both legally and technologically. It chose OChK.

Solution and implementation

In order to meet the challenges at hand, FINGO and OChK teams planned the following activities:

1. Cloud Security Assessment. In partnership with FINGO, OChK conducted a review and audit of the provided Google Cloud infrastructure, and then helped design an adequate security architecture. The entire process was divided into three stages:

  • gathering the necessary information to get a complete picture of the client’s environment and cloud services setup,

  • overseeing the immediate implementation of some of the workshop recommendations,

  • gathering other recommendations and observations regarding the current level of cybersecurity, identifying risks, and developing a plan to mitigate them.

The audit covered aspects such as cloud identity management, authentication methods, CI/CD processes, GKE network configuration, Shared VPC, and SIEM rules.

The key aim of the audit was to identify potential vulnerabilities and areas that could be easily improved to mitigate or eliminate identified risks. These activities also helped develop assumptions for the Public Cloud Information Processing Risk Assessment.

2. Development of the Compliance Pack. OChK assisted FINGO in developing a documentation pack that provides comprehensive information on how to secure information in the cloud both in terms of technology and processes. The pack includes:

  • classification and evaluation of information in terms of acceptability for cloud processing,

  • risk assessment, taking account of risks identified in the so-called PFSA Cloud Communication,

  • business continuity planning (contingency and exit plans),

  • a test scenario for implementing cloud services,

  • encryption key management,

  • descriptions of the required competencies,

  • a plan for cloud data processing.

The final part of the Compliance Pack service was to conduct a workshop with one of FINGO’s first customers who decided to use the new service.

Technologies used

Google Kubernetes Engine

Shared VPC

Results

  • A technical workshop session with the FINGO team resulted in recommendations for migration planning and further development of the environment, in line with Google Cloud, Center for Internet Security (CIS), and PFSA practices. The company also gained the know-how necessary to carry out the service implementation process on its own and mitigate the effects of certain threats immediately when detected.

  • The know-how provided by OChK enabled FINGO to develop skills associated with Google Cloud infrastructure and test the security resilience of FINGO Systems cloud products.

  • The development of documentation in accordance with the requirements of financial supervision authorities allowed FINGO’s customers to gain extensive knowledge about the security of the solution, verify the application providers, efficiently implement and document the necessary processes, and then notify the PFSA of the intention to process information in the cloud.

  • Such a solution and its positive reception by customers also accelerated FINGO’s sales of SaaS solutions on a wider scale. More than 500 customers in Poland and abroad are now supported with regular reporting.


Entering into cooperation with OChK was an important step for us towards changing the strategy for products and services offered to demanding customers of the financial market. I think it is no exaggeration to say that FINGO Systems obligatory reporting solutions are now the best cloud solutions offered in this part of Europe. Yet, this would not have been possible without the initial support from OChK experts.


Bartłomiej Knapik

Release & Platform Manager, FINGO
