The Journey to Secure Part 1 – Tic:Toc

Guest post by Byron Pogson, Senior Solutions Architect, AWS

As a Solutions Architect with AWS, I’m lucky enough to get to work with a wide variety of customers across West and South Australia. This includes customers of various sizes and covering various industries. One topic that often comes up in conversation is how every customer can enable themselves to be secure in the cloud. Luckily for them, AWS allows customers of all sizes to have the same tools that large enterprises do. This week on the AWS Security Blog we will be sharing a post for startups and small teams on how they can improve their security in the cloud. We also want to share two customer stories about their journey to achieving a solid security backbone in the cloud. In this post, we hear from Tic:Toc, a fintech startup based in Australia.

I recently sat down with Gavin Orlicki, CTO at Tic:Toc. Tic:Toc launched in 2017 to offer digital home loans to consumers in Australia, and they were the first organization in Australia to provide the possibility of receiving an instant decision at the end of the application process. For example, they have delivered a home loan to a customer, with mortgage documentation, in less than an hour from the customer starting their online application. Following the Australian royal banking commission and the introduction of many new responsible lending obligations, Tic:Toc saw an opportunity to help the entire industry perform financial validation in a more responsible and efficient way, which would ultimately give more Australians a better customer experience.  To achieve this, they embarked on a new project to offer their digital financial validation technology as a SaaS product, XAI Validate. This solution enables clients to achieve the same process efficiencies and high lending standards that Tic:Toc Home Loans enjoys.

Tic:Toc started with a blank slate. This was their first project on AWS, and they engaged with their AWS account team early to get advice. For them, the key was to ensure that they had a strong security posture and the scale to support their customers. They were also interested in reducing the complexity of operating in the cloud and to get things right from the start. For their first phase, they looked to build a serverless application backed by data and analytics workload including AI. Leveraging as much of a serverless architecture as possible allowed Tic:Toc to reduced their security concerns as more responsibility fell below the line in the shared responsibility model for AWS to manage. They also leveraged the AWS Serverless Application Model or AWS SAM to define their infrastructure as code. AWS SAM builds on AWS CloudFormation to define additional feature for serverless applications. This allowed Tic:Toc to reliably push infrastructure to all their accounts and environments.

Figure 1. Tic:Toc Application Architecture 

The first thing that Tic:Toc did was to build out the main account and setup the core accounts needed to support their workload. This included federating their identity to their existing identity store and from there got used to the idea of switching roles between accounts as they put on different hats and undertook different tasks. This was also an opportunity for Tic:Toc to implement some guard rails. Using service control policies they ensured that tools such as AWS CloudTrail and Amazon CloudWatch were not able to be turned off in the child accounts for their organization. Consistent tagging was also enforced across their accounts to ensure that resources were visible and they could implement an appropriate security posture relevant to the workload.

Figure 2. Tic:Toc Account Structure

Overall, this was a 9-month project to build out the new XAI Validate platform, but the initial work to enable these foundations took them only 2 to 4 weeks of that journey. The largest piece of the puzzle for Tic:Toc was to understand what this pattern looked like and ensure they had the right CloudFormation baselines to support it. As a result, they’ve ended up with an environment that has strong separation of data such as keeping their dev, test, and prod environments apart, and they’ve ended up with less complexity due to a consistent baseline throughout each environment. Importantly, as they have to ensure that they are able to keep up with security to meet their regulatory requirements, they’re able to iterate quickly as they add additional controls and push them out through that baseline.

I asked Orlicki where he thought customers should start. His advice was to start with that initial small foundation; build the CloudFormation template to support it and then validate it by quickly moving a small workload. By being agile in their approach they’ve managed to build up to their target architecture as the project evolved without sacrificing speed or security.

To learn more about how you can achieve security for your start-up, head over to the AWS Security blog to read the post on building a secure AWS foundation. Also read the next part in this series where another customer, FYI share their journey.