Financial Services

MyInvestor reimagines secure cloud banking with Cisco

Spanish neobank MyInvestor used Cisco Multicloud Defense to gain consistent visibility and control of its public cloud to protect over 300,000 customers from threats.

Simplifying security for greater agility and efficiency


MyInvestor needed consistent visibility and centralized control to secure its dynamic cloud workloads—and it looked to Cisco to solve these challenges.

About MyInvestor

MyInvestor, Spain's largest fintech company, is a digital financial firm that serves over 300,000 clients and manages 6 billion euros annually.

Challenge

MyInvestor wanted to stay ahead of the current threat landscape, requiring deep visibility and control of cloud workloads as well as centralized management of security policies to:

  • Increase business agility while meeting strict security best practices and compliance mandates
  • Achieve greater visibility and control in its single cloud environment
  • Improve security posture through better security manageability

Solution

  • Cisco Multicloud Defense - delivering consistent, automated networking and security to protect complex multicloud, multi-region, and multi-account deployments from continuously evolving threats.

Outcomes

Simplified security operations in the cloud

Centralized management enabled stronger security outcomes and efficiency at scale.

Increased business agility

Security kept pace with daily and weekly innovation.

Reduced risk

Ingress and egress security enabled greater resilience to threats.

Consistent visibility and control in the cloud

Granular security controls enabled end-to-end visibility of the cloud environment.

Securing cloud-first digital banking

With over 300,000 customers, MyInvestor is the largest neobank in Spain by business volume. Since its inception, MyInvestor has been a cloud-first company, making secure and uninterrupted online banking its top priority. “The cloud enables us to scale our services and customers at the pace we want,” says Héctor Alejandro Martos Gómez, infrastructure specialist at MyInvestor.

Even though MyInvestor uses a single cloud provider, managing many virtual private clouds (VPCs), cloud accounts, and cloud regions makes it complex to deploy and manage security comprehensively. Moreover, as a financial institution, the company must comply with strict data protection and digital banking regulations. MyInvestor needed to reduce risk against increasingly sophisticated threats, such as ransomware, that could damage its reputation and erode customer trust.

Alejandro Delgado Ruiz, chief technology officer at MyInvestor, knew he must focus on significantly improving security so the company could build on a solid foundation as it scaled. A potential security incident could threaten its business, and there was no room for error.

For MyInvestor, ransomware, denial of service, and data exfiltration are the three top threats to its operations and reputation. “Besides potential data leaks and ransomware, we want our applications to be resilient to denial of service in order to prevent potential attackers or botnets from taking down our whole application,” says Martos.

To achieve resilience to advanced threats, Delgado wanted adequate visibility and control of workloads and applications. He also wanted to address the lack of centralized management of security policies.

MyInvestor used its cloud provider’s native security tools, such as web application firewall (WAF) and security groups, to define perimeter defense. These security groups provided a “default-deny” approach to controlling inbound and outbound traffic to their resources.

However, these security groups didn’t provide the levels of security needed for inbound and outbound traffic inspection and control, such as fully qualified domain name (FQDN) or URL filtering. In addition, due to the dynamic nature of containerized workloads, security groups had to be maintained for several services, which was cumbersome. “Applying fine-grained restrictions using security groups in a dynamic environment is a nightmare,” Martos explains.

A new approach: Discovering Cisco Multicloud Defense

When evaluating alternative solutions, Delgado narrowed down his requirements:

  • Automated policy management for security policies that apply dynamically to new workloads
  • Advanced capability to secure egress traffic to filter outbound connections on known malicious domains and to restrict outbound connections to an “allow list” of domains
  • Block inbound external threats with ingress security tools, including intrusion prevention systems (IPS) and WAFs
  • Reduce attack surface with capabilities known to block both inbound and outbound traffic from known malicious IPs

Delgado needed one security approach that could provide consistent and pervasive protection for workloads and data. “It’s all about visibility and control of inbound and outbound traffic within our environment. You can never 100% guarantee that an attacker can’t get in, but you want to make it increasingly difficult. And once they are in, you want to take away the opportunity to exfiltrate data or establish command and control by limiting external access to only what’s approved,” says Delgado.

Since MyInvestor’s workloads were within a cloud-native container and serverless environment, Delgado couldn’t rely on endpoint agents, endpoint detection and response, or cloud workload protection platforms.

While evaluating cloud-native, network-based security solutions, Delgado tried out the Cisco Multicloud Defense free trial and realized he had found something unique and well-aligned with MyInvestor's needs. After an architectural discussion with the Cisco Multicloud Defense team, he was excited about how this solution could support MyInvestor and its security goals.

“I could see the immediate potential of Cisco Multicloud Defense enabling us to create tag-based policies through the Terraform provider and apply those policies to the resources of the workloads that have those tags,” Delgado remarks. “With these tag-based policies, we can group resources with a similar allowed list of outbound domain restrictions. For new resources, tag-based policies enable agility as we simply had to add the appropriate tag.”

Centralized security simplifies operations

Cisco Multicloud Defense gave MyInvestor the desired visibility and centralized controls for ingress security, egress inspection, and east-west security.

“By taking advantage of Cisco Multicloud Defense, we can create an allow list and block list of domains for ingress and egress connections, and apply a malicious IP reputation list block,” says Martos. “The east-west security is unique to Cisco Multicloud Defense. It allows us to apply a policy to deny everything by default unless explicitly approved. This was difficult to do with our cloud provider’s native capabilities.”

Cisco Multicloud Defense also gave MyInvestor complete visibility into its cloud environment. “We have full visibility of every incoming IP or outgoing IP connection at a transmission control protocol (TCP) level that we didn’t have with the native security solution we used,” explains Martos. “The dashboard gives us the whole picture. We can see any incoming or outgoing connection that has been allowed or denied and the policies applied to this connection. It shows us all the virtual private clouds (VPCs), subnets, IPS applications, and security groups configured. This deep visibility is great both from a security point of view and for troubleshooting. We can detect and fix errors much faster than before.”

Martos adds, “The Investigate tab of the dashboard shows our connections, and it’s easy to filter by direction, incoming or outgoing IP, fully qualified domain name, or taken actions. We can see any outgoing or egress connection from our infrastructure in the dashboard. This is important because in case an advanced attacker gets in, you want to make it increasingly difficult to exfiltrate data.”

With capabilities including tag-based policies, Cisco Multicloud Defense drastically simplified MyInvestor’s security infrastructure and drove efficiency, acting as a force multiplier that lets MyInvestor’s team accomplish more than its size would suggest. “We can create a policy once and reuse it many times, applying the control in each application, security group, or subnet. This allows us to block everything by default and just allow communications from point to point if the tags are in place,” says Martos. “It saved us a lot of time. Once we create and implement these use-case-specific policies, we just have to apply those to the correct workloads each time. This has made ongoing security management and deploying new workloads much easier.”

Combining tag-based policy with the other capabilities of Cisco Multicloud Defense enabled a new level of business agility. With the company’s previous approach, it might take a day or two to fully deploy security. Multiplied across many app updates and deployments, that effort wasted valuable time. With Cisco Multicloud Defense, Delgado’s team was able to virtually eliminate the effort required to secure new apps.

MyInvestor uses Cisco Multicloud Defense to gain visibility and centralized control to secure its dynamic cloud workloads.

Consistent visibility for ingress and egress security

Multicloud Defense helped MyInvestor reduce risk by providing the company with a centralized security model across accounts that offered granular traffic protection. As part of this model, all workloads are deployed into private subnets while Multicloud Defense policy defines the application of security controls and routing to the public internet. By taking this approach, traffic can be inspected, and policy is applied regardless of workload type (containers, serverless, etc.). As a result, DevOps teams moved faster with less concern that a simple vulnerability or misconfiguration could result in a security incident.

“With Cisco Multicloud Defense, we can apply advanced security profiles to the ingress traffic, ensuring that no incoming connections get to our infrastructure from known bad sites. It gives us the protection of a second-level WAF. The anti-malware profile also allows us to use Cisco Talos rules for protection,” comments Martos.

In protecting egress traffic, Multicloud Defense gives Delgado’s team granular visibility. “In our egress use case, the malicious IP profiles block outbound traffic to malicious IP addresses, making data exfiltration more difficult,” Martos continues. “We use FQDN filtering to create an allow list of domains and restrict communications only to the points on the internet that we consider safe. If there’s an application dedicated to performing specific tasks by connecting to specific IP addresses, we apply the allow list, connect the domain name to the FQDN/URL, and deny any connection outside of that.”

If an advanced threat gets through MyInvestor’s cloud-native WAF service, Cisco Multicloud Defense prevents lateral movement of the threat. “The east-west policies of Cisco Multicloud Defense prevent an attack from moving laterally on our network,” Martos explains. “This protects our critical assets in the production environment, such as applications and databases.”

Delgado’s team finds the fine-grain visibility per connection provided by Cisco Multicloud Defense extremely beneficial. Martos says, “If, due to a misconfiguration, an application attempts to reach into the production database, we can see that in Cisco Multicloud Defense. Specifically, we can see a connection request from a development VPC being blocked and immediately take action to fix it. This observability of Cisco Multicloud Defense enables us to get to the root cause much faster.”

Cisco Multicloud Defense enables DevOps to stay focused on deploying containers at the speed the business desires. Security adds no time to daily and weekly builds. This efficiency helps reduce the cost of operations.

MyInvestor extensively uses Terraform with Cisco Multicloud Defense to automate building the infrastructure as code. Martos explains, “Terraform provides documentation of our infrastructure. It’s like a blueprint that enables us to apply policies in compliance with security policies. We can check before we design the infrastructure to help ensure that what we deploy is secure from the beginning.”

With Terraform, MyInvestor can create and manage policies using resource outputs from the infrastructure. Infrastructure as code helps the company improve SecOps efficiencies.

Gaining customer confidence with advanced security

MyInvestor implements multiple layers of security to protect its cloud infrastructure. Martos says, “I consider Cisco Multicloud Defense the most powerful of all the layers. We implement it closest to our applications because we want to help ensure that the last resource of security is the most powerful one. The policies and profiles of Cisco Multicloud Defense should be able to protect us from anyone clever enough to trespass the other layers of security we have in place.”

Delgado consolidated multiple disparate services into a single platform with Cisco Multicloud Defense. Cloud networking, traffic routing, and security are all now run through Cisco Multicloud Defense and are defined via policy. “Cisco Multicloud Defense is fully integrated with our security ecosystem, and this makes us more agile,” says Delgado.

Robust and proactive security design is particularly critical for digital banks. “The most proactive control is full denial. With Cisco Multicloud Defense, we can implement a positive security model in a controlled way by defining allowed point-to-point connections at the IP address level. This minimizes risk to the business.”

Enabling a default-deny approach to security means that only what needs to be open to the internet gets exposed through Multicloud Defense Gateways. This approach mitigates inadvertent exposure through known vulnerabilities and reduces the possibility that a zero-day exploit will yield a major incident, causing costly downtime. Its value is priceless for a bank.

Reducing risks of downtime has helped MyInvestor become more resilient as an online bank. “While securing our infrastructure, it’s important we be able to prevent attacks, and the visibility from Cisco Multicloud Defense facilitates us achieving that. Our digital banking services can operate continually without being interrupted by security incidents, which is the biggest return on investment from Cisco Multicloud Defense,” Martos states. “Security is expensive, but it’s much more expensive to have an attack and the reputational damage that can cause.”

By relying on Cisco Multicloud Defense, MyInvestor can improve its security posture and thus boost customer confidence. “Our customers trust us as a resilient bank that has the appropriate security controls in place to protect their money and their personal identification data,” says Martos.

In the financial sector, it’s essential for businesses to stay compliant with regulations. “Compliance with European GDPR is critical for us, and we want to offer our customers and employees the best protection,” says Delgado. “Cisco Multicloud Defense allows us to deploy data loss prevention policies, audit network data, and review with zero trust policies, enabling us to better protect customer data.”

“Threats are too common these days. The internet is tough, and there are people continually looking to execute attacks,” says Martos. “The fact that with Cisco Multicloud Defense we haven’t had any successful attacks matters a lot for any organization, particularly for a bank like MyInvestor. Cisco Multicloud Defense protects all our use cases for ingress, egress, and east-west security and makes us confident about having a highly reliable layer of security.”
