Conversation with Monzo: Ensuring Compliance for a Digital Bank with Tigera Calico
I was fortunate to have the opportunity recently to sit down and chat with Chris Evans, the platform team lead at Monzo.
Here are some highlights of the conversation:
Maybe, Chris, you could start off with a bit of an introduction to Monzo?
Sure… We are a digital bank. Everything is centered around using our app. We offer all the same guarantees you’d get from any other current account here in the UK. Our USP is that we give you fantastic visibility over your money… reducing the cognitive load of dealing with finances.
What does it take from a technology perspective in practice? What have you built as an application and how is that deployed?
We operate almost entirely out of AWS. We run everything pretty much on Kubernetes. We’ve got a microservice architecture on top of that… 700 or so services, growing by the day. We have two small data center presences as well, which exist out of necessity to connect to things like the Mastercard payment network.
Our biggest use [of AWS] is EC2, so that’s things like instances, load balancers and block storage. We also use S3 as our primary object store. We use Direct Connect, which is our direct connection to the physical DCs. We obviously pay for support and use a few other things in specific areas.
How do you enforce security in this environment?
We take that really seriously. The way that people interact with everything in AWS is over VPNs. Our office we like to treat in the same way as we would treat a cafe that you’d go into and connect to public wifi. For example, to make changes to any kind of application you would connect to the VPN; we have services that we’ve written that manage the deployment of new applications, and they do all sorts of checks to assert that you are the person you say you are, and we have all sorts of authentication and authorization stuff going on there as well.
We do use Calico; that is our overlay network in the cluster. Prior to that we were using flannel. The migration was driven primarily by the requirement that we wanted to be able to enforce better security controls on what things can talk to other things. I think the original proposal for using Calico we put together back in July. The primary driver was that we wanted to be able to secure what workloads can talk to the infrastructure we have in our data centers. Our VPNs all terminate in pods within the Kubernetes cluster, and we wanted to be able to have specific VPNs, specific endpoints, that different roles of users within Monzo can talk to. So, for example, we want to say a customer operations person only needs to be able to talk to this very, very small subset of workloads that run within Kubernetes, and Calico gave us the control to do that.
A nice side effect of the move to Calico as well was that we performance benchmarked it and it performed better.
Could you share a bit more about the migration to Calico?
That was a very interesting project for us. The original plan was to spin up a new cluster and migrate those workloads across, which is something we did before we were on Kubernetes. We were running on Mesos/Marathon and we did move the entire bank at that point. This time we were really keen not to go through that disruption. It took quite a while to figure out how that would actually work. What we ended up with was having two overlay networks and we were able to have workers on the flannel range and workers on a separate Calico range and get them working between each other. The actual act of moving was relatively straightforward.
What’s the impact been on the business?
For us, the primary driver was that we wanted the increased security controls. So we wanted to manage the network policies through Kubernetes. The kind of levers that it allows us to pull, and the changes that we can put in place to secure and be very deliberate about what things can talk to what other things, are the main benefit.
For things that come into PCI scope, we can massively restrict the range of things we have to talk about. We have quite a narrow PCI scope, but can narrow it down even further. For example, when you’re paying someone with MonzoMe, which is our web interface that allows you to request money from people, we can say this very specific set of services, and not the entire 700 services in our cluster, are the things we need to focus on here, because we have network-level enforcement that says those are the only things we need to discuss right now.
And likewise, there is the ability for us to massively restrict things and say only this very small subset of engineers that have privileged access are able to do these things, because we have Calico in place enforcing the controls that guarantee that. That’s been a big help for us.
In other scenarios people will actually have a completely separate cluster just for the PCI workloads, so you’re able to get greater efficiency out of having everything in the same cluster and doing a logical separation.
That’s a really good point. That’s, I guess, a hidden benefit. We like the fact we run everything in one cluster; we don’t have to treat workloads specially. Having that kind of control at the Kubernetes level and keeping everything in one place means we don’t have to manage multiple clusters and all the headaches that come along with that, and that’s a really big benefit.
Awesome. Since you are so far along this path of deploying Kubernetes, any words of wisdom or advice you can share with AWS users and Kubernetes users in general, on pitfalls to watch out for or things that you’ve learned?
We operate Kubernetes entirely our own way. We don’t use any of the tools like kops or kubeadm to deploy Kubernetes. That’s mainly because when we started our journey a lot of those tools were immature or not available. Over the years we’ve been running it, we’ve got really good at running it.
There are a lot of services now that you can use that would make getting started on Kubernetes a lot easier. I know that EKS is relatively in its infancy, but I believe it’s good and I think it’s a really good proposition for anyone who’s keen to get started in a really fast way.
Long story short, don’t run it yourself unless you absolutely have to!
That’s fantastic. Really appreciate your time today. I wish I lived back in the UK so I could open an account and look forward to when you come out to California!
Great. I’ll let you know… watch this space!
For the full conversation, check out the video.
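The network-level enforcement Chris describes, where only a named set of services may reach a PCI-scoped workload, is expressed in Kubernetes as NetworkPolicy objects that Calico enforces on each node. The following is an added illustration, not Monzo's configuration; the namespace, labels and port are constructed placeholders.

```yaml
# Added example, not Monzo's configuration. Namespace, label and port
# values are constructed placeholders. Calico enforces standard
# Kubernetes NetworkPolicy objects such as these at the node level.
---
# 1. Default deny: nothing reaches pods in the PCI-scoped namespace
#    unless a later policy explicitly allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: pci-scope          # constructed namespace name
spec:
  podSelector: {}               # empty selector: every pod in the namespace
  policyTypes:
    - Ingress                   # no ingress rules listed, so all ingress is denied
---
# 2. Allow only the small set of services that participate in the
#    payment flow (labelled pci-flow=payments) to reach the card service.
#    Anything else in the cluster, including the other ~700 services,
#    stays blocked by policy 1.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-payment-flow
  namespace: pci-scope
spec:
  podSelector:
    matchLabels:
      app: card-service         # constructed workload label
  policyTypes:
    - Ingress
  ingress:
    - from:
        # namespaceSelector AND podSelector in one entry: the source pod
        # must carry the label and live in a namespace carrying the label.
        - namespaceSelector:
            matchLabels:
              pci-flow: payments
          podSelector:
            matchLabels:
              pci-flow: payments
      ports:
        - protocol: TCP
          port: 8443            # constructed service port
```

The same pattern, with a podSelector matching a VPN-terminating pod and a `from` clause naming the workloads a given role may reach, gives the per-role VPN endpoint restriction described above.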