Service mesh architecture provides a rich set of features for controlling and securing communications among services. Encryption in transit is a feature that will be critical for financial institutions and other industries working within regulatory frameworks, including PCI, HIPAA, and others.
For financial institutions moving to microservices-based architectures, they must maintain their compliance with rapidly evolving regulations and industry standards. FICO is a data analytics company best known for producing the most widely-used consumer credit scores that financial institutions use in deciding whether to lend money or issue credit. FICO has migrated several core applications, including myFICO.com and its flagship analytics platform, the Decision Management Suite (DMS), to AWS.
FICO started using Istio and rolled it out on their data management platform in 2019. They had the internal expertise to move to Kubernetes workloads, but they had noticed performance issues and sought out Tetrate’s expertise to address the complexities of operationalizing Istio for PCI compliance.
The problem
FICO started to move from a monolithic architecture to using microservices, and they needed to ensure that their new environment would maintain the same standard of PCI compliance as their legacy infrastructure.
PCI compliance mandates that all data is encrypted in transit and remains encrypted when ‘at rest’ in databases. FICO’s engineering teams were well skilled in Kubernetes but needed assistance to successfully implement the Istio control plane in their environment that would enable the data encryption they needed, including mutual TLS (mTLS) and certificate management and rotation.
FICO was already aware of the power of Istio and had started to implement it within their environment before engaging with Tetrate. They knew that service mesh would provide an easy, language-agnostic way to ensure all traffic is encrypted in transit but wanted the knowledge and expertise that Tetrate could provide to ensure that they were following industry best practices, and could successfully operationalize mTLS at scale.
The solution
Tetrate was able to accelerate FICO’s move to microservices and use of Istio in production by providing training and consulting on container security, Istio’s security capabilities, and compliance. Tetrate supported FICO in securing their workloads using mTLS, and expanded their knowledge of Istio to ensure that they were able to operate independently as their environment and utilization of microservices continued to grow.
During the initial consultation phase as Tetrate were getting to know the FICO environment, they discovered that FICO’s control plane performance was a major issue. The setup they had for PCI compliance wasn’t optimized for resource utilization – they were routinely using 160 pods to support their control plane.
In addition, FICO and Tetrate were able to work together on bridging the gap between enterprise organizations and the Open Source community, by taking existing issues and bugs that FICO had raised, and ensuring that they were triaged and received the necessary attention to resolve the problems they’d experienced.
Tetrate is further working with FICO to move their egress from Squid to Envoy to improve performance, resilience, and failover.
Impact
The impact of FICO’s partnership with Tetrate:
- Encryption in transit (PCI Compliance) via successful implementation of Istio
- Accelerated resolution of issues in community OSS
- Unexpected Resource Optimization and Utilization Improvement
- Foundation for success for migrating applications to microservices
- Operational efficiency and infrastructure cost optimization
- Knowledge transfer and domain awareness from industry experts
With assistance from Tetrate, FICO was able to reduce pod utilization by 90 percent by upgrading Istio and altering the load limits on Envoy sidecars.
The FICO and Tetrate partnership will have a long-lasting impact on the business:
“Thanks to Tetrate’s actionable recommendations, we’ve achieved significant improvements in all the areas we’ve sought to improve by adopting Istio: PCI compliance, resource utilization, and operational efficiency,” said FICO VP of Engineering Jeet Kaul. “Tetrate’s team has strong expertise, and with their support we look forward to extending service mesh to additional use cases.“
Tetrate content writers Eileen AJ Connelly, Tevah Platt, Sean O’Dell, and Tia Louden contributed to this article.
