Belvo Earns ISO 27001 Certification, Grows Rapidly Using AWS Security Services
Operating in the highly regulated financial services industry, financial technology (fintech) startup Belvo needed an ISO 27001 certification to prove compliance and open doors to new and larger customers. By using Amazon Web Services (AWS) to automate security and compliance processes, Belvo was able to certify the entire company in 6 months. Earning this certification helped the company grow its customer base five times over and increase its API call volume by a factor of 10.
“The scalability of AWS services means that we have never found ourselves in a situation where we couldn’t grow at will.”
Vice President of Engineering, Belvo
Innovating Fintech Options for Latin American Consumers
Adding Automation to Security and Compliance
The ISO/IEC 27001:2013 certification is internationally recognized as the benchmark for information security management best practices and comprehensive security controls. Using AWS security services, Belvo began the certification process in March 2021 and concluded it in September 2021. This certification widened Belvo’s sales pipeline; gave it access to larger organizations, regulated financial institutions and new markets; and made vendor screening more efficient for its clients, saving time and money for everyone involved. The company uses certified AWS services, so it can show prospective clients that its solution provider facilitates compliance. Plus, it can expand into new markets with ease using AWS.
Maintaining compliance as the company grows is also important. “You want to be compliant every day, not just once a year when an auditor looks at a snapshot of the company,” Ciotta says. “We built in automation so that the system performs all the security checks required to comply with the ISO 27001 standard every day.”
AWS offers a wide variety of security-related tools and resources, and Belvo uses many of them to maintain its compliance and security posture. To manage these tools, Belvo uses AWS Config, which lets companies assess, audit, and evaluate the configurations of their AWS resources and automatically evaluates recorded configurations against desired configurations. The company pairs that with Amazon Inspector—an automated vulnerability management service that continually scans AWS workloads for software vulnerabilities and unintended network exposure—to gain insight into its security posture.
As part of its suite of security services, Belvo also relies on Amazon GuardDuty, a threat detection service that continuously monitors customers’ AWS accounts and workloads for malicious activity. To control application access, it uses AWS Key Management Service (AWS KMS), which makes it easy for customers to create and manage cryptographic keys and control their use. And to help it make sure that keys and credentials stay safe, Belvo uses AWS Secrets Manager, which helps protect secrets needed to access applications, services, and IT resources.
“We started using AWS Config, AWS KMS, Amazon Inspector, and all these services, and they essentially gave us continual monitoring of our compliance and security posture,” Ciotta says. “That’s how we tackled our main challenge—and we got it done in fewer than two quarters; we certified the whole company.”
Emphasizing automation not only helps Belvo maintain security but also frees up time for Belvo’s engineers to focus on higher-value tasks. That’s also why the company prioritizes managed services. For example, Belvo uses Amazon Relational Database Service (Amazon RDS), which makes it easy to set up, operate, and scale a relational database in the cloud. “Using managed services, we can focus on our differential value, which is financial innovation, business processes, and application logic, not maintaining a database,” Ciotta says.
Achieving Exponential Growth
Since its 2019 founding, Belvo has multiplied its customer base by five, and in the last 6 months alone, the company has seen an increase in monthly API call volume by a factor of 10. The company has also grown from 20 employees to 110 employees, and it expects to sustain this growth moving forward.
In the future, the company plans to obtain additional certifications and grow its service even further. The Belvo team is investigating the AWS Architecture Center, which provides reference architecture diagrams, vetted architecture solutions, and more. “The scalability of AWS services means that we have never found ourselves in a situation where we couldn’t grow at will. Elasticity is a major factor for a company like ours that is growing very fast.”
Belvo is a leading open-finance API platform in Latin America that helps fintechs and innovative financial institutions access and interpret their users' financial data to create more modern, accessible, and inclusive products.
Benefits of AWS
- Earned an ISO 27001 certification in only 6 months
- Multiplied its customer base by a factor of five
- Increased its API call volume by a factor of 10
- Grew employee base from 20 to 110
- Freed up staff to focus on innovation
- Improved security
AWS Services Used
AWS Config
AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations.
AWS Trusted Advisor
AWS Trusted Advisor provides recommendations that help you follow AWS best practices. Trusted Advisor evaluates your account by using checks. These checks identify ways to optimize your AWS infrastructure, improve security and performance, reduce costs, and monitor service quotas.
AWS Key Management Service (AWS KMS)
AWS Key Management Service (KMS) makes it easy for you to create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications. AWS KMS is a secure and resilient service that uses hardware security modules that have been validated under FIPS 140-2, or are in the process of being validated, to protect your keys.
Amazon Inspector
Amazon Inspector is an automated vulnerability management service that continually scans AWS workloads for software vulnerabilities and unintended network exposure.