About the customer
KFINTECH serves the mission-critical needs of asset managers with clients spanning mutual funds, AIFs (alternative investments), pension, wealth managers and corporates in India and abroad. The company provides SaaS based end-to-end transaction management, channel management, compliance solutions, data analytics and various other digital services to asset managers across segments, as well as outsourcing services for global players.
KFINTECH had their IT infrastructure deployed at CtrlS. The IT landscape was provisioned with 150+ Virtual Machines spanning 12 applications. The application workload was mainly split into 4 categories – AIF, IQBOT, LIC and Hexagram. Each application has a similar purpose: polling data from a remote system and updating its UI based on a continuous flow of information from BSE and NSE servers.
Customer Challenge
The customer was looking for a partner who could help them migrate all the 150+ VMs split across 12 applications in a timely manner using all the best practices followed by AWS. They wanted the partner to evaluate their existing infrastructure for Cloud Readiness, provide a detailed utilization report, perform right-sizing and present them with the cost and performance benefits of migrating to the AWS Cloud.
Major Challenges:
• The customer had many issues with availability, scalability, uptime and assurance from the existing vendor. The customer was looking to build a stable platform to support the needs of the growing business (as they now have a presence across many states) but was not able to do so with the existing vendors.
• The customer wanted to migrate to the cloud and chose AWS as the target cloud, but lacked the skill set and was looking for a partner with industry experience in large-scale migrations. The company also wanted to make the best use of the Scalability, Agility, Fault Tolerance and High Availability features of the AWS Cloud to create a resilient application infrastructure with minimum RTO and RPO and a high degree of data durability.
• The customer’s Developer and product teams were performing many manual operations, which reduced their capacity for innovation. As a result, the customer’s product development process was slowing down, and they were struggling to introduce new products in a timely manner. To address this issue, they desired to transition to automation, allowing their teams to concentrate on bringing innovative ideas to the table and working on product development.
• As the business must adhere to strict compliance standards, data security and threat detection and response were areas that concerned the existing vendor.
Workmates Core2Cloud Solution Approach
• Workmates wanted to holistically support the customer to meet both their business and technical objectives as part of this program. The Workmates Team engaged in an exhaustive discussion with KFIN Technologies’ technical and management teams to gather information about their existing application infrastructures and the pain points associated with them. Inputs were taken from them to understand their expectations from the Workmates Team and the AWS Cloud infrastructure.
• To better understand the business and the current capability gaps, a migration readiness assessment was performed. Its purpose was to determine whether the business, people, technology and IT processes were ready to adopt the cloud journey. The AWS MRA Tool was used on the gathered inputs to generate relevant reports like the Heatmap and Radar, which helped in understanding the strengths and weaknesses of the existing infrastructure for the forward journey to the AWS Cloud. The MRA Report helped in designing a solution plan for a smooth journey to the AWS Cloud by building upon the current weaknesses.
• The Cloudamize Tool was used with the customer’s consent to give a detailed utilization report of their existing infrastructure and to obtain the instance right-sizing information for hosting the corresponding virtual servers on the AWS Cloud. The customer was presented with a detailed report highlighting the 3-year cost and performance benefits of migrating their current application infrastructures to the AWS Cloud with right-sized server instances.
• The dependencies for the existing application infrastructure were determined and the applications were migrated to the AWS Cloud in various phases using the CloudEndure tool following AWS best practices.
• For migrating the customer’s Oracle and MSSQL databases, the AWS Database Migration Service (DMS) was used, adhering to all AWS specified best practices.
• All the Application and Database servers were migrated to private subnets. The public subnets were provisioned with Application Load Balancers to provide secure access to the applications by external Internet users.
• SSL Certificates were implemented on the Application Load Balancers to provide HTTPS based secure access to all applications.
• The Application Load Balancers were associated with Web Application Firewalls (WAF) for monitoring the HTTPS traffic traversing through them, wherever required, as in the case of the Hexagram application workload.
• SSL VPN servers were implemented on the public subnet to provide RDP and SSH based access to the technical team for administrative and application development activities.
• NAT Gateways were created in the public subnets for providing safe and secure Internet access to the Application and Database servers in the private subnets.
• The AWS enterprise tool CloudWatch was implemented for monitoring server resources and triggering alarms in case of any service outage issues.
• AWS S3, with its object-based storage, was provisioned as a native backup site to accumulate the data backups of the database servers daily. To protect the backups against unwanted access, the S3 buckets were encrypted with SSE-S3.
• AMIs of the server instances and EBS snapshots of the server hard disks were scheduled to be regularly taken to restore the server instances in the rare case of any service outage.
• The servers were configured with the latest updated versions of Windows and Linux Server OS according to customer requirements. The root EBS volumes for all servers were kept only for the OS. An additional EBS volume was used for data related to the applications and databases.
• Periodic patching activities for the servers were configured through AWS SSM Patch Manager.
Security Considerations
1. Using IAM, users and groups were restricted to access specific AWS resources only as per the customer’s requirement.
2. AWS Multi-Factor Authentication was enabled for privileged accounts.
3. Quarterly Patch Management and Patch Automations were carried out using AWS SSM. During patching activities, all the security patches and OS critical patches were applied.
4. Deep visibility into API calls was made possible through AWS CloudTrail, including who, what, and from where calls were made. All user related activities were tracked and logged.
5. All the SSH ports were bound with the OpenVPN server and default port numbers were customized.
6. The DB servers were made accessible only through the Application containers and through the VPN. All servers were hosted on private subnets.
7. For Configuration Management and Policy as a Code, AWS Config was used, which would help detect any configurations drifting within the AWS Account.
8. Trusted Advisor Checks were carried out every week to ensure that all the security criteria are met properly.
9. All the CloudTrail and CloudWatch logs were sent to AWS GuardDuty for threat detection and for identifying malicious activities in the account.
10. AWS Secrets Manager was used to store the DB credentials encrypted using KMS.
11. AWS WAF was used to monitor the web traffic traversing through the Application Load Balancers.
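Items 5 and 6 above can be checked mechanically. The following Python audit is an added example, not part of the original case study or the customer's tooling: it flags security-group ingress rules that expose administrative or database ports to anything other than the VPN or application tier. The group IDs, sample rules and port sets are constructed assumptions; the input mirrors the shape of EC2 DescribeSecurityGroups output.

```python
# Added example; data mirrors the shape of EC2 DescribeSecurityGroups output.
ADMIN_PORTS = {22, 3389}   # SSH/RDP defaults (assumption; the page customized them)
DB_PORTS = {1521, 1433}    # Oracle/MSSQL default listeners (assumption)

def covers(perm, ports):
    """True if the ingress rule's port range includes any port in `ports`."""
    if perm.get("IpProtocol") == "-1":   # "-1" means all protocols and ports
        return True
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return lo is not None and hi is not None and any(lo <= p <= hi for p in ports)

def sources(perm):
    """CIDR blocks and peer security groups allowed by one ingress rule."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])] +
            [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])])

def audit(groups, vpn_sg, app_sg, db_sg):
    """Return (group_id, check, offending_sources) for each violating rule."""
    findings = []
    for g in groups:
        gid = g["GroupId"]
        for perm in g.get("IpPermissions", []):
            srcs = sources(perm)
            # Item 5: admin access to any server only via the VPN server's group.
            if gid != vpn_sg and covers(perm, ADMIN_PORTS):
                bad = [s for s in srcs if s != vpn_sg]
                if bad:
                    findings.append((gid, "admin-not-via-vpn", bad))
            # Item 6: database listeners only from the application tier or VPN.
            if gid == db_sg and covers(perm, DB_PORTS):
                bad = [s for s in srcs if s not in (vpn_sg, app_sg)]
                if bad:
                    findings.append((gid, "db-exposed", bad))
    return findings

# Constructed sample: sg-app leaves RDP open to the Internet, sg-db trusts the ALB.
SAMPLE = [
    {"GroupId": "sg-vpn", "IpPermissions": [{"IpProtocol": "udp", "FromPort": 1194,
        "ToPort": 1194, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "UserIdGroupPairs": [{"GroupId": "sg-vpn"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 1521, "ToPort": 1521,
         "UserIdGroupPairs": [{"GroupId": "sg-app"}, {"GroupId": "sg-alb"}]}]},
]
if __name__ == "__main__": print(audit(SAMPLE, "sg-vpn", "sg-app", "sg-db"))
```

An all-protocols rule (`IpProtocol` of `-1`) is treated as covering every port, so a broad internal allow rule on the database group is reported under both checks.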
AWS Services used: