
NeoPay: Secure Cloud Payment Infrastructure


About NeoPay

NeoPay, a payment services provider, requires its enterprise systems to support business growth and digital transformation.

To achieve this, they engaged Kloia to design, deploy, and manage a secure, scalable AWS infrastructure. The project focused on establishing a production-grade environment that meets strict regulatory requirements, including UAE data residency and PCI DSS compliance, while delivering high availability with a Zero RPO (Recovery Point Objective) strategy.


Problem

As an enterprise operating in a regulated financial landscape, NeoPay faced several critical requirements for their cloud journey:

- Strict Compliance: All application data needed to reside exclusively within UAE borders to meet Central Bank requirements, alongside adherence to PCI DSS standards.

- High Availability & Disaster Recovery: The system required a Zero RPO for financial data and a minimal Recovery Time Objective (RTO) of 2–3 minutes.

- Hybrid Connectivity: Seamless integration was needed between the new cloud infrastructure and existing data centers via Direct Connect and VPN.

- Operational Modernization: NeoPay sought to move away from manual operations to a managed services model with 24/7 infrastructure monitoring and support.

Client: Neopay
Project type: Modernizing Payment Infrastructure with Secure, Compliant AWS Cloud
Website: www.neopay.ae

Solution

Kloia designed a comprehensive solution based on the AWS Well-Architected Framework, delivered in two phases over a 10-13 week timeline.


Architecture & Infrastructure

The core architecture is a multi-Availability-Zone design inside a single AWS region, using all three Availability Zones of that region for resilience. The region used was AWS Middle East (Bahrain), me-south-1. Note that Bahrain is outside the UAE: where the regulator requires data to stay physically in-country, the matching region is AWS Middle East (UAE), me-central-1, and the region choice should be confirmed against that definition of residency before sign-off.


  • AWS Multi-Account Strategy: A robust organizational structure was established using AWS Organizations to segregate environments and responsibilities:
    • Management Account (Root): For overall governance and consolidated billing.
    • Network Account: Centralized hub for hybrid connectivity (Direct Connect, VPN) and shared networking services (Transit Gateway).
    • Workload Accounts (Production, Staging): Separate, isolated accounts dedicated to running application services.
    • Security Account: Centralized logging, auditing, and security services.
  • Hybrid Connectivity: Established secure, high-throughput connections:
    • AWS Direct Connect: A dedicated, private connection to NeoPay’s existing on-premises data centers, routed through a Direct Connect Gateway for high-bandwidth, stable data transfers.
    • Site-to-Site VPN: Configured as a redundancy layer to the Direct Connect link, ensuring network continuity in case of physical link failure.
  • Compute & Database Stacks: The two workloads were separated for optimal performance and management:
    • Legacy/Core Services Stack: Utilized Amazon EC2 instances running Windows Server with Amazon RDS for SQL Server for the core database. This was deployed in a Multi-AZ configuration with automatic failover to ensure the database layer had a 99.95% uptime SLA.
    • Microservices Stack: Designed for modern, containerized applications. This stack utilized Amazon Aurora PostgreSQL-Compatible Edition for transactional data, paired with Amazon ElastiCache for Redis for high-speed session management and caching. All components were deployed across the three AZs.
  • Load Balancing & Scalability: Implemented Application Load Balancers (ALB) to distribute traffic and Auto Scaling Groups (ASG) for compute resources, ensuring the platform can automatically scale to handle peak payment processing loads and maintain cost efficiency during off-peak hours.


Security & Compliance Deep Dive

Security was the non-negotiable foundation, specifically addressing the UAE Central Bank's data residency rule and the rigorous PCI DSS standards.


  • Data Residency Enforcement: All services, data stores (S3, RDS, Aurora) and backups were confined to the AWS Middle East (Bahrain) Region. Service Control Policies (SCPs) in AWS Organizations deny any API call that targets another region. The global services that are served from us-east-1 (IAM, STS, Organizations, Route 53, CloudFront) must be exempted from that deny, or the accounts themselves become unusable; a multi-region CloudTrail trail is still required, because events for those global services are recorded outside the home region.
  • Network Segmentation (PCI Scope Reduction): The architecture implemented strict VPC and subnet segregation. PCI-scoped components (the cardholder data environment) were isolated in their own private subnets, reachable only through layered controls and Bastion Hosts for administrative access. PCI DSS only grants scope reduction when the segmentation is verified by penetration testing, which for service providers must be repeated at least every six months.
  • Defense-in-Depth:
    • Perimeter Security: AWS WAF (Web Application Firewall) on the ALBs to block common web attacks such as SQL injection and cross-site scripting, with the always-on AWS Shield Standard for network-layer DDoS mitigation.
    • Identity and Access Management (IAM): All human and machine access adhered to the Principle of Least Privilege. AWS Managed Microsoft AD was integrated for centralized identity management.
    • Encryption: All data was encrypted at rest with AWS Key Management Service (KMS) customer-managed keys (CMKs), addressing PCI DSS Requirement 3 (protect stored account data), and in transit with TLS, addressing Requirement 4 (strong cryptography during transmission over open networks). SSL and early TLS are not acceptable under PCI DSS, so only current TLS versions were permitted.
  • Continuous Monitoring & Audit: AWS CloudTrail recorded all API activity to an S3 bucket protected by Object Lock, so audit records cannot be altered or deleted during their retention period. Amazon GuardDuty provided continuous threat detection over network activity and account usage.
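The two controls in the list above that are most often misconfigured are the region pin and the immutable audit bucket, so here is an added Terraform example of both. This is an editor's illustration, not Kloia's or NeoPay's code. The OU id, bucket name, trail name, retention period and the KMS key variable are assumptions; me-south-1 is used because the text names the Bahrain region (an in-country UAE requirement would use me-central-1 instead).

```hcl
# Added example, not the project's own code. OU id, bucket, trail name, retention
# and the KMS variable are assumptions; region follows the text (me-south-1 = Bahrain).

locals {
  home_region  = "me-south-1"
  workloads_ou = "ou-abcd-12345678" # assumption: OU holding the workload accounts
}

# 1. SCP: deny every request whose region is not the home region. Global services
#    are served from us-east-1, so they are exempted with NotAction, otherwise IAM,
#    STS, Organizations, Route 53 and CloudFront calls break. Attach it to the
#    workload OU; SCPs never apply to the management account itself.
resource "aws_organizations_policy" "region_pin" {
  name = "deny-outside-home-region"
  type = "SERVICE_CONTROL_POLICY"
  content = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "DenyOutsideHomeRegion"
      Effect    = "Deny"
      NotAction = ["iam:*", "sts:*", "organizations:*", "route53:*", "cloudfront:*", "support:*", "health:*"]
      Resource  = "*"
      Condition = { StringNotEquals = { "aws:RequestedRegion" = [local.home_region] } }
    }]
  })
}

resource "aws_organizations_policy_attachment" "region_pin" {
  policy_id = aws_organizations_policy.region_pin.id
  target_id = local.workloads_ou
}

# 2. Immutable audit trail (Security account): CloudTrail writing to a bucket with
#    Object Lock in COMPLIANCE mode, log-file validation on, CMK encryption.
variable "audit_kms_key_arn" { type = string } # assumption: CMK whose key policy allows cloudtrail.amazonaws.com kms:GenerateDataKey*

data "aws_caller_identity" "current" {}

resource "aws_s3_bucket" "audit" {
  bucket              = "neopay-cloudtrail-audit-example" # assumption
  object_lock_enabled = true                              # can only be set at creation
}

resource "aws_s3_bucket_versioning" "audit" {
  bucket = aws_s3_bucket.audit.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_object_lock_configuration" "audit" {
  bucket = aws_s3_bucket.audit.id
  rule {
    default_retention {
      mode = "COMPLIANCE" # no principal, including root, can shorten it or delete early
      days = 400          # assumption; PCI DSS v4.0 10.5.1: keep 12 months, 3 months online
    }
  }
}

data "aws_iam_policy_document" "audit" {
  statement {
    sid       = "AWSCloudTrailAclCheck"
    actions   = ["s3:GetBucketAcl"]
    resources = [aws_s3_bucket.audit.arn]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
  }
  statement {
    sid       = "AWSCloudTrailWrite"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.audit.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/*"]
    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
  }
}

resource "aws_s3_bucket_policy" "audit" {
  bucket = aws_s3_bucket.audit.id
  policy = data.aws_iam_policy_document.audit.json
}

resource "aws_cloudtrail" "audit" {
  name                       = "neopay-audit-trail" # assumption
  s3_bucket_name             = aws_s3_bucket.audit.id
  is_multi_region_trail      = true # required: global-service events are recorded in us-east-1
  enable_log_file_validation = true # signed SHA-256 digests make deletion or edits detectable
  kms_key_id                 = var.audit_kms_key_arn
  depends_on                 = [aws_s3_bucket_policy.audit]
}
```

The SCP is applied from the management account and the trail from the Security account. Two things to check after apply: that a deliberate call to a non-home region from a workload account is refused with an explicit deny, and that `aws cloudtrail validate-logs` reports the digest chain intact, since COMPLIANCE-mode Object Lock prevents deletion but only the digests prove that nothing was rewritten before it landed.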

Managed Services & Operational Excellence

Kloia provided a complete managed service wrap to move NeoPay to a modern, automated operational model.


  • Infrastructure as Code (IaC): Terraform was used exclusively to define and provision all cloud resources, enabling faster disaster recovery, consistent environments, and simplified change management. Every change went through a GitOps workflow, so the reviewed repository state, not console edits, is the record of what is deployed.
  • 24/7 NOC and SLA: A dedicated Network Operations Center (NOC) provided 24/7/365 monitoring and support with a contractual 99.99% infrastructure uptime SLA.
  • Monitoring & Observability: Integrated Amazon CloudWatch and third-party monitoring tools for comprehensive metrics, centralized logging, and proactive alerting. Critical alerts were routed to the NOC team via automated runbooks to ensure the strict 2–3 minute RTO for critical failures.
  • Patch Management: Automated patch management was implemented using AWS Systems Manager Patch Manager to ensure operating systems were consistently updated, minimizing vulnerability windows in adherence to compliance policies.

Results

The implementation provided NeoPay with a robust foundation for their digital payment services, delivering tangible business outcomes:

- Uncompromised Data Safety: Achieved Zero RPO and a 4–5 minute RTO, ensuring critical financial data is protected against failures.

- Regulatory Compliance: Full alignment with UAE Central Bank data residency requirements and PCI DSS standards through a secure, isolated architecture.

- Operational Agility: Automated scaling and "Infrastructure as Code" allowed for rapid deployment of new services without manual intervention.

- Enhanced Security: A centralized security posture with automated vulnerability scanning and compliance reporting reduced manual audit efforts by 80%.

