Ailos Cooperative Fortifies App and API Security with F5

Brazilian Ailos Cooperative has a digital transformation strategy intended to expand the financial services that foster economic growth for individuals, businesses, and urban centers. The goal is to achieve 2 million customers by 2025. Renowned for its innovation, Ailos pioneered instant and free transfers that predated PIX, the Brazilian Central Bank’s instant payment system. The organization safeguards its digital assets with F5 Distributed Cloud Services.

Business Challenge

Established 20 years ago in Santa Catarina, Brazil, Ailos Cooperative serves 1.6 million customers nationwide. In cities like Presidente Getúlio, 90% of the population are Ailos customers. Recognizing their role in this ecosystem, Ailos’ leaders have been revamping processes and applications to enhance the customer service experience. They’ve also focused on building scalable infrastructure to support the Cooperative’s future business expansion.

As part of this journey, the core Ailos banking environment relies on a legacy monolithic application that coexists with modern cloud-based applications on AWS and Azure. The Cooperative also relies on MuleSoft, a cloud-native platform that facilitates API publishing. Customers access these applications and services via the Ailos website and mobile app.

The Ailos Cooperative’s application and API development, publishing, and consumption processes adhere to DevSecOps best practices. While the Ailos team designs the apps, development occurs in collaboration with third-party partners and must meet the highly agile requirements of the financial services business. To ensure data integrity, the company needed a multi-cloud solution that would provide consolidated visibility and control for all its APIs and apps, regardless of where they were deployed.

In addition, the security of critical data that resides on-premises and in the cloud requires an integrated platform that can serve the organization’s distributed infrastructure. Latency was a key factor in selecting a solution. For instance, if a businessman from Santa Catarina traveled to Germany, the Ailos platform in Europe would need to deliver comparable performance to that experienced in Brazil.

Finally, Ailos managers focused their future technology investments on SaaS and software to reduce capital expenditures. They aimed to treat all resources, including digital security, as software to enhance flexibility and management efficiency. By embracing a software-based security and performance platform capable of providing insights across the spectrum of legacy applications and modern APIs, Ailos aimed to streamline management of its growing environment and phase out labor-intensive manual management tasks across various platforms. Ailos initiated an RFP in early 2023 to find the right solution to meet these ambitious goals.

Solution

For years, the Ailos Cooperative relied on F5 BIG-IP Local Traffic Manager (LTM) and F5 BIG-IP Application Security Manager (ASM) to ensure the performance and security of its core application. However, the rise of modern apps and the proliferation of APIs drove a need to embrace a cloud-first security model. After conducting several proof-of-concept (POC) evaluations with multiple vendors, Ailos leaders opted to deploy F5 Distributed Cloud Services to safeguard 200 apps and thousands of APIs.

Services deployed by Ailos include F5 Distributed Cloud Network Connect, Distributed Cloud DNS Load Balancer, and Distributed Cloud App Stack. This infrastructure is deployed in a hybrid SaaS model. For public-facing applications, Distributed Cloud Network Connect provides SaaS-based service delivery between AWS, Azure, and MuleSoft public clouds over the F5 global network to the F5-managed Regional Edge sites, ensuring continuous support for processes reliant on the Ailos public clouds.

Meanwhile, in the on-premises data centers, Ailos opted to deploy an F5 Customer Edge (CE) software package to support the company’s on-premises application, removing any reliance on the Regional Edge sites for service delivery while also ensuring the application is not publicly advertised to the Internet. The CE functions in an automated capacity akin to a mini-PoP within the Ailos data centers. The lifecycle of these instances is managed from the central SaaS console. Together these deployment models provide a hybrid approach to safeguarding and enhancing the performance of the entire Ailos app and API catalog.

The F5 global cloud infrastructure ensures performance and security for Ailos customers worldwide. Whether accessing the Ailos banking core from Santa Catarina or Berlin, customers interact through the company’s website or app. Access is rigorously filtered and verified by multiple instances of Distributed Cloud Services, which use AI and machine learning (ML) for precise behavioral analytics, ensuring optimal performance while protecting the digital experience. Subsequently, traffic is routed to an Ailos private or public cloud, where apps and APIs are processed to fulfill customer needs. The F5 Distributed Cloud Web Application and API Protection (WAAP) solution plays a crucial role in identifying and thwarting potential attacks on Ailos apps and APIs.

The strategic importance of APIs within the Ailos digital ecosystem also led to the implementation of Distributed Cloud API Security with API discovery capabilities. This cloud-native platform operates 24x7, providing comprehensive insights into published and consumed APIs worldwide. A key feature is its ability to identify shadow APIs—non-compliant and often undocumented or unsupported APIs in use—while distinguishing legitimate APIs critical to the business. Automated controls prevent Ailos developers from accessing third-party APIs that could jeopardize security.

As part of the migration to Distributed Cloud Services, Ailos revamped its security policies to establish sustainable management for its distributed networks, apps, and APIs. This transition will help Ailos eventually decommission its monolithic application and rely solely on cloud-based systems.

Results

Reduce time spent managing diverse, distributed environments by 75%

The introduction of F5 Distributed Cloud Services marked the beginning of a new era for Ailos, simplifying the management of heterogeneous and distributed environments through a single platform. The solution provides insights into apps and APIs across the network infrastructure, from on-premises environments hosting the original banking core to the AWS, Azure, and MuleSoft public clouds.

“We started with an analysis of our environment’s current and future risks and, from there, sought a solution that would support the expansion of our business,” says Sidnei Fernando da Silveira, CISO at Ailos. “We concluded that an integrated solution with low administrative complexity was essential. F5 Distributed Cloud Services emerged as the reliable solution, enhancing productivity for our team and providing comprehensive visibility of different environments—all managed from a single platform.”

Analysis by Daniel Devegili, Information Security Analyst at Ailos, indicates a 75% reduction in time spent managing the company’s multiple environments. He says, “Before adopting F5 Distributed Cloud Services, we had to operate four different platforms and subsequently perform manual actions to correlate the data generated by each dashboard to have a holistic view of the environment.”

Achieve 100% API visibility

A top concern was strengthening the security of Ailos’ financial services APIs, which face escalating threats. “A budget reallocation was made to include in the RFP dynamic and automated technologies for identifying and blocking malicious APIs,” said Silveira. 

“With F5 Distributed Cloud API Security, the Ailos cybersecurity team achieved 100% visibility of APIs,” says Devegili. Several types of attack—including DDoS attacks—are focused on APIs. The F5 solution acts in a predictive way to identify those threats, even discerning shadow APIs from legitimate ones. Automated blocking streamlines the work for Ailos developers, who can now consume APIs pre-verified by F5.

In addition, Ailos managers now have day-to-day visibility into on-premises and public cloud environments as well as the associated apps and APIs. Through a single dashboard, they can conduct granular analyses and optimize their app resources. This streamlined approach allows the team to focus on innovation and enhancing secure digital financial services.

Ailos can also assess the gains from migrating from the Cooperative’s previous hardware-based solution to F5 Distributed Cloud Services. Devegili says, “Now the company has advanced beyond visibility to observability in which data from several platforms is crossed in F5 Distributed Cloud Services, generating an accurate and granular diagnosis of what is happening with the company’s APIs.”

Accelerate app and API publishing by 120%

The company’s reliance on web pages and apps for financial transactions makes software development the core of its business. That’s why Silveira considers establishing a development pipeline aligned with DevSecOps best practices one of his company’s major cybersecurity battlefronts. “Today, 60% of our efforts are focused on this area. Infrastructure protection issues are well addressed, therefore accounting for 40% of our focus.”

Distributed Cloud WAAP was deployed as part of a broader strategy focused on enhancing developers’ awareness of app and API security. The resulting automation guarantees developers will have access only to software components that have already been checked, verified, and authorized for use in the company’s development pipeline by Distributed Cloud API Security.

According to Devegili, this strategy has accelerated secure Ailos app and API publication. He says, “We achieved a 120% gain in the speed of the application and API publishing process.”

Benefits
  • Reduce time spent managing diverse, distributed environments by 75%
  • Achieve 100% API visibility
  • Accelerate app and API publishing by 120%

Challenges
  • Secure a multi-cloud environment for apps and APIs
  • Automatically identify and block malicious APIs
  • Speed and secure app and API development

Products