Alkami Technology Achieves A+ Security and Scalability with NGINX Plus

Providing Flexibility to Ensure a Skyrocketing User Base is Protected

 


Situation

In 2009, Alkami Technology set out to transform ordinary online banking into a high‑value experience for both financial institutions and their end users. At the time, “Web 2.0” companies like Twitter and Facebook were focusing on delivering superior user experiences, but the online banking experience was lagging behind. The team at Alkami Technology began creating a compelling user interface for online banking that would not only be friendly and intuitive, but also enrich the lives of end users.

Beyond traditional online banking activities, Alkami Technology offers features in its platform that help end users become more educated about finance, build long‑term wealth, and monitor and improve their spending habits. Alkami’s platform revolutionizes the mobile and online banking experience by offering a valuable end‑user experience and helping financial institutions strengthen their relationship with their customers.

Alkami initially anticipated that customers would prefer an on‑premises software solution in the short term to a hosted offering. However, they quickly found that even large financial institutions were already looking ahead five to ten years and were making strategic decisions to move to hosted software solutions. Financial institutions increasingly don’t want to own and manage their own data centers. In addition, the Federal Financial Institutions Examination Council (FFIEC) – the group responsible for setting regulations and standards for financial institutions – provided guidance that adopting cloud technologies was permissible.

With the financial industry embracing cloud and software‑as‑a‑service (SaaS), Alkami’s hosted platform for online and mobile banking quickly took off. Today the company serves well over 1 million users. The Infrastructure and Security team at Alkami works behind the scenes to continue improving the scalability and security of the application architecture to better serve the needs of the company’s growing user base, and to ensure that financial data is well protected on all fronts.

Alkami partners with a service provider to manage some pieces of its infrastructure, which is part of its strategic decision to focus on its core competency of building great online banking applications while a partner builds and manages the data center that hosts them. On the advice of the service provider, Alkami first used Riverbed Stingray (now Brocade vADC) appliances for load balancing. However, Alkami quickly found that Riverbed Stingray didn’t have the security capabilities it needed. At the time, Riverbed Stingray didn’t support TLS 1.2, the most recent version of the secure protocol.

“We want to be not just on the forefront of online banking in terms of features, but also forward leaning in our security practices. Not having TLS 1.2 available in Riverbed Stingray was a deal breaker for us. We want the highest marks possible on security, and we want to be ahead of potential security issues, not react to them. Riverbed Stingray didn’t take us where we needed to be from a security protocol standpoint,” says Sean McElroy, VP of IT and CISO at Alkami Technology.

Alkami then replaced Riverbed Stingray with Citrix NetScaler virtual appliances for load balancing, but they ran into the same problem again. At the time, only Citrix NetScaler hardware appliances supported TLS 1.2, not virtual appliances. In addition, the NetScaler virtual appliances could not scale to the level Alkami needed.

“In order to get certain types of TLS encryption and the scale we needed, we found out that with Citrix NetScaler we would need to add physical appliances to our environment. But we’re virtual. We’re not going to go back to physical appliances at a certain scaling point. It just doesn’t align with our strategy of being nimble and scalable to, at a certain threshold, have to move to a physical version of the product because a feature is not available in the virtual offering,” explains McElroy.

Alkami also found that the NetScalers didn’t allow the administrator to specify the selection order for SSL/TLS ciphers. When initiating an SSL/TLS connection, the web browser or app sends the server a list of the ciphers it supports; the server compares that list to its own list of supported ciphers and selects the most secure cipher that overlaps. Alkami wanted fine‑grained control over cipher ordering in order to guarantee selection of the cipher that provides the strongest security for its users.

 

Alkami Technology online banking runs on NGINX Plus

Solution

As an online banking platform provider responsible for protecting a growing number of users’ financial details, choosing a reliable, industry‑validated solution was crucial for Alkami. On its ongoing quest to enhance both security and scalability, Alkami ultimately found NGINX Plus. Alkami looked at NGINX Plus not just because of its reputation for performance, but because some of the largest websites in the world have chosen it.

“We knew that NGINX had widespread adoption for TLS termination and as a web server. And we know that large enterprises don’t usually depend on a technology unless it’s been validated on many different levels. With that level of industry acceptance, we worked with our managed service provider to start evaluating NGINX Plus internally in our environment,” says McElroy.

Alkami first used NGINX Plus for TLS termination in front of the Citrix NetScaler load balancers to fill the gaps in security features and give it the flexibility and control to tune the ordering of ciphers in the TLS selection process.

NGINX Plus worked so well for TLS termination that it wasn’t long before Alkami looked into using it for more than just a security layer. The Citrix NetScaler load balancers were struggling to handle the increasing traffic load as the success of Alkami’s online banking software brought organic growth, including ever larger customers. “To get the concurrent connection counts that we were wanting to be able to plan for, the virtual or physical Citrix NetScaler devices weren’t going to be as scalable as we needed,” notes McElroy.

After verifying in a load‑test environment that NGINX Plus could scale to handle the anticipated level of traffic, Alkami completely replaced the frontend Citrix NetScaler load balancers in its production environment with NGINX Plus. NGINX Plus easily handled the traffic load without any issues.

Alkami then continued by replacing the Citrix NetScaler load balancers another layer down in its infrastructure, between the app servers and web servers. With NGINX Plus handling traffic at the frontend and between components, Alkami achieves security and scale throughout its architecture, without the limitations of the previous solutions from hardware vendors.

Alkami Technology products rely on NGINX Plus (image)

Results

A+ Security Rating

The industry standard for rating security is the Qualys SSL Labs Server Test. With NGINX Plus’ security features, Alkami’s customers earn an “A+” – the highest possible score on the test – for their online banking sites, which validates that Alkami offers the best level of security to its customers.

Specifically, NGINX Plus enables Alkami to easily leverage TLS 1.2, the latest and most secure approved version of the TLS protocol. In addition, with NGINX Plus Alkami can control the SSL/TLS cipher preference order, staying on top of rapidly evolving security trends and ensuring the strongest cipher is always selected.
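The two controls described above, a TLS 1.2 floor and a server-enforced cipher preference order, look like this in an NGINX configuration. This is an added illustration, not Alkami's actual configuration; the server name, certificate paths, upstream address and the particular cipher list are assumptions.

```nginx
# Added example: TLS termination with an explicit, server-enforced cipher order.
# server_name, certificate paths and the upstream address are placeholders.

upstream banking_app {
    server 10.0.0.10:8080;   # placeholder backend behind the TLS terminator
}

server {
    listen 443 ssl;
    server_name banking.example.com;

    ssl_certificate     /etc/nginx/tls/banking.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/banking.example.com.key;

    # Weak baseline, shown for contrast only: legacy protocol versions are
    # accepted and the client's cipher ordering is honored (off is the
    # default), so the handshake follows the client's first choice.
    #   ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    #   ssl_prefer_server_ciphers off;

    # Hardened: accept TLS 1.2 only.
    ssl_protocols TLSv1.2;

    # Make the server's list order authoritative during negotiation.
    ssl_prefer_server_ciphers on;

    # Ordered strongest-first; the first entry the client also supports wins.
    # Only forward-secret (ECDHE) AEAD suites are listed.
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;

    location / {
        proxy_pass http://banking_app;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Running `nginx -t` validates the file before a reload, and re-running the SSL Labs test after any change to the cipher list confirms which suites clients actually negotiate.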

“We wanted to be using the solution that was most relevant for security best practices today, and have full control to advance as better security approaches are established. NGINX Plus gives us the flexibility and configurability to reorder ciphers and to achieve the highest level of security,” explains McElroy.

Forward-Looking Architecture

Given Alkami’s rate of growth, an architecture that works for its current user base isn’t enough. It needs a forward‑looking architecture that’s ready for future growth as well.

“When we were looking at NGINX Plus, one of our requirements was to build an architecture that works for the number of users we have today, and scales out vertically and horizontally for the future. We wanted to develop that recipe once, and not have to redo it in six months’ time,” says McElroy.

To date, NGINX Plus has done the job, working phenomenally well as Alkami has grown.

Right now NGINX Plus is supporting well over 1 million users in our environment. That environment is going to grow 200% this year as well. Based on what we’ve seen, we feel very confident that not only can NGINX Plus grow and scale with us, but that we can even pack things denser. We just don’t foresee it becoming a bottleneck.
– Sean McElroy, VP of IT and CISO at Alkami Technology

Increased Operational Visibility

One of the biggest benefits Alkami sees with NGINX Plus is the live activity monitoring dashboard and the increased visibility it gives into the traffic being load balanced.

“One of the key value‑adds for us has been the ability to provide our production operations team with more visibility into the way that the load balancers are functioning by using the NGINX Plus dashboard. This is tremendous for us.” McElroy elaborates, “just being able to show the traffic flowing, and the errors as they’re happening; that heads‑up display we get is invaluable and that’s something that we didn’t have with the other solutions.”

If an issue pops up with the application or infrastructure, it’s the operations team that identifies the root cause and solves it. With the real‑time load and performance metrics on the NGINX Plus dashboard, the team at Alkami can troubleshoot issues faster than ever before.

The NGINX Plus dashboard provides detailed statistics for monitoring and managing your infrastructure

Straightforward Deployment and Increased Automation

After validating NGINX Plus in its load‑testing environment to make sure it could handle its traffic loads, Alkami found the actual deployment process to be simple and straightforward.

McElroy’s team was able to implement NGINX Plus quickly in the environment in part due to strong documentation and award‑winning support. When asked whether his staff needed to contact NGINX Plus’ dedicated support team, McElroy says, “We had a few clarifying questions but it was really a very straightforward implementation. The documentation is great, and so is the support from NGINX.”

In addition, Alkami’s deployment process leverages the automation capabilities of NGINX Plus. Whereas Alkami’s previous load balancers had a GUI that required manual configuration, NGINX Plus’s command line interface enables Alkami’s engineers to easily script the deployment process and automate configuration.

“The fact we can do scripted deployments of configuration files with NGINX Plus is great. It’s very straightforward, it’s easy to manage, and it has simplified our application deployment process,” McElroy explains. “As we further automate, knowing that NGINX Plus will be able to support our automation efforts is awesome.”

About Alkami Technology

Based in Plano, Texas, Alkami Technology, Inc. provides online and mobile banking solutions to credit unions and banks. The company’s flagship product, the ORB Platform, offers security, flexibility, extensibility, and a superior architecture for the future of digital banking. With its modern interface, intelligent content‑delivery system, and customizable feature set, the ORB Platform is the ultimate digital banking solution for financial institutions. Alkami provides the ORB Platform as a SaaS solution. For more information about Alkami, please visit www.alkami.com.