QUALCO Enhanced its Global Financial Security with mTLS Implementation with AWS ALB

About Customer

Qualco is a leading software and technology solutions provider in the Credit and Receivables Management sector. With over 25 years of proven experience, the company helps clients realize value through operational platforms, data insights, digital experiences, and domain knowledge. Qualco offers comprehensive solutions in loan origination and management, debt and receivables management, supply chain finance and factoring, and business process management.

Challenges / Problem

The end customer (a bank in the Middle East) faced challenges implementing mutual TLS (mTLS), i.e. "two-way" authentication and encryption in which both client and server present certificates during the TLS handshake, on the application server side.

The mTLS implementation was complicated by the end customer's multi-region network setup: the applications span 10 countries across the Middle East, Asia-Pacific, Europe and the United States, and mTLS had not previously been done there using an ALB.

Solution

The ALB supports two modes of operation for mTLS:

  1. mTLS verify mode
  2. mTLS passthrough mode

In this case the end customer (a bank in the Middle East) needed to keep management of SSL/TLS certificates on the application server, so we implemented mTLS in "passthrough mode".

Mutual TLS in Passthrough Mode

In this mode, the ALB forwards the entire certificate chain to the backend targets for client authentication in an HTTP header called AMZN-MTLS-CLIENT-CERT. The ALB inserts the entire certificate chain, including the server/client certificates, in URL-encoded PEM format, with +, =, and / left unencoded as safe characters.

The backend targets must parse this HTTP header, extract the certificates and perform client authentication themselves, so this logic has to be built into the application code. Use this mode if you want to retain control of the client authentication process.

Application Load Balancer (ALB) with mTLS in Passthrough mode:

The stages of mTLS using the ALB in passthrough mode are as follows:

  • The client initiates a TLS session with the ALB by sending an HTTPS request. During the TLS handshake, the client presents its TLS certificate.
  • The TLS session terminates at the ALB once the ALB's certificates are verified: during the handshake the ALB presents its server-side certificate and receives the client's certificates.
  • The ALB creates a new HTTPS session with the backend targets, includes the entire certificate chain in an HTTP header called AMZN-MTLS-CLIENT-CERT and passes it to the backend target for further mTLS verification.
  • The backend targets receive the client certificates and use application code to parse the client certificate chain from the AMZN-MTLS-CLIENT-CERT HTTP header and to perform client certificate authentication.
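To make the last stage concrete, here is an added example (not Qualco's code and not taken from the AWS documentation) of what a backend target has to do with the forwarded header: URL-decode the value, split it into PEM certificates and verify the leaf certificate against the bank's trusted client CA. It is written in Go against the standard library only. The header name is left to the caller, so the same parser works whether the value is read under the name given above or under the `X-Amzn-Mtls-Clientcert` name used in the AWS documentation. The client CA, the client certificate and the names `Example Bank Client CA` and `client-app-01` are constructed in `BuildFixture` purely so the example runs offline; a real backend loads its trusted CA bundle from configuration instead.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// ParseClientCertHeader decodes the URL-encoded PEM chain the ALB forwards and
// returns the certificates in header order (leaf first). url.PathUnescape is
// deliberate: url.QueryUnescape would turn the unencoded '+' characters inside
// the base64 body into spaces and corrupt every certificate.
func ParseClientCertHeader(value string) ([]*x509.Certificate, error) {
	decoded, err := url.PathUnescape(value)
	if err != nil {
		return nil, fmt.Errorf("header is not valid URL encoding: %w", err)
	}
	var certs []*x509.Certificate
	for block, rest := pem.Decode([]byte(decoded)); block != nil; block, rest = pem.Decode(rest) {
		c, err := x509.ParseCertificate(block.Bytes) // non-certificate blocks fail here
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	if len(certs) == 0 {
		return nil, fmt.Errorf("no certificate in header")
	}
	return certs, nil
}

// VerifyClientChain authenticates the leaf (first certificate) against the
// trusted client CAs, using further header certificates as intermediates. It
// requires the client-auth EKU and checks validity at now, so expired or
// wrong-purpose certificates are rejected. Returns the authenticated subject CN.
func VerifyClientChain(certs []*x509.Certificate, roots *x509.CertPool, now time.Time) (string, error) {
	if len(certs) == 0 {
		return "", fmt.Errorf("empty chain")
	}
	intermediates := x509.NewCertPool()
	for _, c := range certs[1:] {
		intermediates.AddCert(c)
	}
	_, err := certs[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates,
		CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return "", err
	}
	return certs[0].Subject.CommonName, nil
}

// mustIssue signs tmpl for pub with signer (fixture helper only; real client
// certificates come from the bank's own PKI).
func mustIssue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// BuildFixture constructs a throwaway client CA and one client certificate and
// returns the header value the ALB would forward plus the root pool the backend
// trusts. url.PathEscape stands in for the ALB encoding: like the ALB it leaves
// + and = unencoded, and PathUnescape decodes either form identically.
func BuildFixture(now time.Time) (string, *x509.CertPool) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		Subject:   pkix.Name{CommonName: "Example Bank Client CA"}, // constructed name
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caCert := mustIssue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2),
		Subject:     pkix.Name{CommonName: "client-app-01"}, // constructed name
		NotBefore:   now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	leaf := mustIssue(leafTmpl, caCert, &leafKey.PublicKey, caKey)
	chain := string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leaf.Raw})) +
		string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caCert.Raw}))
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return url.PathEscape(chain), roots
}

func main() {
	now := time.Now()
	header, roots := BuildFixture(now)
	certs, err := ParseClientCertHeader(header)
	if err != nil {
		panic(err)
	}
	fmt.Println(VerifyClientChain(certs, roots, now)) // client-app-01 <nil>
}
```

Two points matter in practice. First, the decoding step: because the ALB leaves `+` unencoded, a query-string style decoder that maps `+` to a space silently breaks every certificate, which is why the parser uses path-style decoding. Second, chain verification is what actually authenticates the client; simply checking that the header is present or that the leaf parses proves nothing, so the backend must verify against its own trusted CA set, check validity dates and require the client-authentication key usage. The backend should also accept this header only on the listener that the ALB reaches, since any request that bypasses the ALB could carry an arbitrary header value.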

Testing and Validation

  • Validation of Client Authentication: Ensure that only clients with valid certificates can establish a connection.
  • End-to-End Encryption: Verify that all data in transit was encrypted.
  • Service Availability: Ensure that mTLS did not impact the availability of services.

Conclusion

By implementing mTLS with AWS Application Load Balancer, the customer successfully secured its web applications and backend services, enhancing security and ensuring regulatory compliance. This case study highlights the importance of leveraging AWS services for effective and efficient security implementations.

Tools Used

  • AWS Elastic Compute Cloud (EC2): For deployment of applications.
  • AWS Network Firewall: For network protection of Amazon Virtual Private Clouds (VPCs).
  • AWS Application Load Balancer (ALB): For handling incoming traffic and terminating SSL/TLS.
  • AWS Certificate Manager (ACM): For managing and deploying SSL/TLS certificates.
  • AWS Web Application Firewall (WAF): For an additional layer of protection from web attacks that attempt to exploit vulnerabilities in custom or third-party web applications.
  • AWS Identity and Access Management (IAM): For securing access to resources.
  • AWS CloudWatch: To monitor ALB metrics.

Value Additions

  • Improved Security: Secure communication through encryption and mutual authentication.
  • Regulatory Compliance: Met strict regulatory requirements for secure data transmission.

Key Business Highlights

Operational Efficiency: Automated certificate management and streamlined mTLS implementation using AWS services.

Cost Optimization:

  • In this case a single ALB serves the applications hosted across the 10 countries and replaced the previous NLB-based approach, reducing the AWS NLB service cost by nearly 50% in yearly recurring costs.
  • Previously the customer used third-party SSL/TLS certificates; by issuing and renewing certificates through the AWS ACM service we removed that burden from the customer and saved approximately 30% of the yearly SSL/TLS costs.

PUBLISHED: 12th July 2024