How 6 Fintechs Transformed Their IaC with These Key Features

Building a commercially successful fintech that aligns with security and compliance best practices is difficult, but some innovative organizations have cracked it — including several we have worked with at Spacelift. The secret? Remove manual effort as much as possible. 

Here are some of the ways we have helped ambitious fintechs automate and streamline their infrastructure as code (IaC), remaining secure and compliant and freeing their engineers to work on productive tasks that add real business value.

The Spacelift platform is built around the concept of policy as code, which uses a high-level programming language to express rules and treat them as you would treat code, essentially extending the IaC approach to the rules governing the infrastructure and the platform that manages it.  

All-in-one payments platform Moov started using Spacelift when they discovered they could do more with it than they could with their existing IaC management tool. Once they started following Spacelift’s approach to policy, their developers’ productivity levels really took off. The Moov team is now starting to restructure their Terraform to make policy management easier, with the aim of using policies to reduce developers’ manual workload and accelerate the deployment process. Read Moov’s case study here. 

Another company that leverages Spacelift’s policy approach is the customer loyalty platform Airtime Rewards. As an organization that handles payment card information, it is governed by strict policies and procedures including the PCI DSS, which means much of the company’s infrastructure must be policy-driven to ensure rules and decision-making are codified and executed in an automated way. Using Spacelift meant the company “could still have the CI/CD goodness, but we could put in guardrails. We didn’t have to depend on humans to do approvals; we could just move as fast as we needed to,” says Director of Technology Gareth Lowe. Read the Airtime Rewards case study here. 

Policies were also a game-changer for infrastructure and financial services fintech Pomelo. Before working with Spacelift, they relied on a largely manual approach to IaC, working locally and pushing changes individually. This became an issue as the company grew, but Spacelift gave the DevOps and platform teams the flexibility a scaling company needs. As staff platform engineer Luis Barrueco explains, “If you want to segregate permissions for different things to be able to use different stacks, you can create a policy describing everything that you want to accomplish, and you can use the flexibility of policies to implement it yourself.” Read Pomelo’s case study here. 

Configuration drift is something fintechs need to manage carefully. Inconsistencies between the desired and the actual state of the infrastructure managed by your tool of choice are inevitable, but if it is not handled properly, drift can lead to errors, failures, security risks, and compliance issues. 

Software and payments company SpotOn was using individual repositories for each of its AWS accounts, resulting in highly segregated infrastructure code that required at least seven pull requests to make a change and promote it across all the relevant environments. This created an operational burden that was becoming impossible to handle — particularly without the ability to identify when drift happened.

Spacelift’s drift detection feature was one of the reasons they chose the platform. SpotOn “wanted to put everything into one repository and promote it using a third-party tool,” recalls DevOps engineering manager Alex Siegman. The Spacelift platform organized everything in one place and integrated seamlessly with the SpotOn workflow, exposing configuration drift in an easy-to-consume way. Read SpotOn’s case study here.

Auditing is a vital function for detecting malicious activity. Spacelift is SOC2 Type II certified, which requires an annual renewal audit, and Spacelift also engages at least once a year with external security firms to perform audits and penetration testing. In addition, the internal security team performs regular internal audits. This powerful blend of audits helps Spacelift detect vulnerabilities faster and determine whether security defenses work as expected. 

This reassurance was vital for mortgage servicing platform Brace. Auditing is a requirement in Brace’s highly-regulated environment, and Spacelift’s approach to it integrates well with their systems. As Eric Berg, Brace’s lead DevOps engineer, points out, “Spacelift has made it simple, so it’s had a positive impact on the company as a whole.” Read Brace’s case study here.

By automating tasks that were previously completed manually, Spacelift helps customers like Checkout.com increase efficiency company-wide. The global payments platform now receives almost immediate feedback on what their code will do, and they can apply those changes quickly by triggering a pipeline and relying on GitHub commits instead of using laborious manual processes. That increased efficiency has an impact across the company. They can effectively advertise and share their Terraform code across multiple teams and organizations. 

“Spacelift has enabled Checkout.com to scale from a handful of deployments per day to averaging over 500 per day,” says Joe Hutchinson, Director of Engineering – Developer Platform. “Our peak was 926 tracked runs on a single day. Everything these days at Checkout is about efficiency: How can we set up all of our tools in a programmatic way? And with Spacelift that means setting up with IaC and enabling teams just to build services — not build all the infrastructure around those services.” Read Checkout.com’s case study here.

Seamless integration with existing workflows also ensures that fintechs can get on with what they do best without having to worry about their IaC. This is something Spacelift does for SpotOn. “The great thing about Spacelift is it does what we need it to do without getting in the way. Once we had it installed and configured, it faded into the background of our workflow, letting us operate more efficiently with no hassle,” says DevOps engineering manager Alex Siegman.

Policy as code, drift detection, auditing, and seamless integration with current workflows are just some of the ways Spacelift can help fintechs stay compliant, secure, and competitive. Other useful features include:

• Spacelift Self-Hosted, which allows organizations to install a self-hosted version of Spacelift into an AWS account that they control. 
• Spaces, to allow companies to delegate partial admin rights to teams without giving them full access to a whole account and other teams’ environments. 
• Custom Inputs, so that you can easily integrate security tools in your workflows
• Blueprints, which are templates for environments so you can automate, audit, secure, and continuously deliver your infrastructure.

Automating key processes has transformative effects for both security and efficiency, making IaC a powerful tool for ambitious fintechs. The experiences of companies such as Moov, Brace, SpotOn, Checkout.com, Pomelo, and Airtime Rewards demonstrate why using a flexible platform like Spacelift to manage IaC can help innovative companies in the financial services sector scale safely and successfully. 

Wondering if Spacelift is right for your infraHow structure needs? Book a demo or experiment with a free trial to find out!