Belvo Earns ISO 27001 Certification, Grows Rapidly Using AWS Security Services

Operating in the highly regulated financial services industry, financial technology (fintech) startup Belvo needed an ISO 27001 certification to prove compliance and open doors to new and larger customers. By using Amazon Web Services (AWS) to automate security and compliance processes, Belvo was able to certify the entire company in 6 months. Earning this certification helped the company grow its customer base five times over and increase its API call volume by a factor of 10.

The ISO/IEC 27001:2013 certification is internationally recognized as the benchmark for information security management best practices and comprehensive security controls. Using AWS security services, Belvo began the certification process in March 2021 and concluded it in September 2021. This certification widened Belvo’s sales pipeline; gave it access to larger organizations, regulated financial institutions and new markets; and made vendor screening more efficient for its clients, saving time and money for everyone involved. The company uses certified AWS services, so it can show prospective clients that its solution provider facilitates compliance. Plus, it can expand into new markets with ease using AWS.

Maintaining compliance as the company grows is also important. “You want to be compliant every day, not just once a year when an auditor looks at a snapshot of the company,” Ciotta says. “We built in automation so that the system performs all the security checks required to comply with the ISO 27001 standard every day.”

AWS offers a wide variety of security-related tools and resources, and Belvo uses many of them to maintain its compliance and security posture. To manage these tools, Belvo uses AWS Config, which lets companies assess, audit, and evaluate the configurations of their AWS resources and automatically evaluates recorded configurations against desired configurations. The company pairs that with Amazon Inspector—an automated vulnerability management service that continually scans AWS workloads for software vulnerabilities and unintended network exposure—to gain insight into its security posture.

As part of its suite of security services, Belvo also relies on Amazon GuardDuty, a threat detection service that continuously monitors customers’ AWS accounts and workloads for malicious activity. To control application access, it uses AWS Key Management Service (AWS KMS), which makes it easy for customers to create and manage cryptographic keys and control their use. And to help it make sure that keys and credentials stay safe, Belvo uses AWS Secrets Manager, which helps protect secrets needed to access applications, services, and IT resources.

“We started using AWS Config, AWS KMS, Amazon Inspector, and all these services, and they essentially gave us continual monitoring of our compliance and security posture,” Ciotta says. “That’s how we tackled our main challenge—and we got it done in fewer than two quarters; we certified the whole company.”

Emphasizing automation not only helps Belvo maintain security but also frees up time for Belvo’s engineers to focus on higher-value tasks. That’s also why the company prioritizes managed services. For example, Belvo uses Amazon Relational Database Service (Amazon RDS), which makes it easy to set up, operate, and scale a relational database in the cloud. “Using managed services, we can focus on our differential value, which is financial innovation, business processes, and application logic, not maintaining a database,” Ciotta says.

Since its 2019 founding, Belvo has multiplied its customer base by five, and in the last 6 months alone, the company has seen an increase in monthly API call volume by a factor of 10. The company has also grown from 20 employees to 110 employees, and it expects to sustain this growth moving forward.

In the future, the company plans to obtain additional certifications and grow its service even further. The Belvo team is investigating the AWS Architecture Center—which provides reference architecture diagrams, vetted architecture solutions, and more. “The scalability of AWS services means that we have never found ourselves in a situation where we couldn’t grow at will. Elasticity is a major factor for a company like ours that is growing very fast.”