Headquartered in Wellington, New Zealand, Xero provides a global online platform for small businesses and their advisors. The company has built trusted relationships with 1.6 million subscribers, enabling them to thrive through better tools, information and connections. Innovation is fueling growth at a blistering pace. To support its growth, Xero did more than simply migrate to the Amazon Web Services (AWS) public cloud—it completed a massive transformation that wove security and agility into the very fabric of its product development, security engineering, and partner relationships, with AWS and Check Point as key partners.
Transforming Infrastructure and Security
In 2014, Xero identified a challenge with its infrastructure and security. The company was managing a premises-based infrastructure that supported almost 700,000 subscribers but often found itself spending time and resources on controlling the environment, which limited the team's ability to fully support product innovation. Xero decided that only a public cloud infrastructure could provide the capabilities needed to support its next wave of growth.
In addition to scaling to support millions of new customers, Xero wanted to reduce its cost of service delivery, ensure high infrastructure availability, and defend effectively against evolving cyber threats. Agility is fundamental to Xero. Hundreds of product-based teams release more than 1,200 product features and updates each year. Xero wanted to reduce the time it took to build out DevOps infrastructure from weeks, to days, to hours, to milliseconds. It also needed to support internationally recognized security standards, so the new infrastructure had to be secure by design.
“High-growth environments have changed the way security must be delivered,” said McKeown. “Security teams aren’t traditionally built for speed, but if we can’t keep up with our DevOps teams, they’ll just work around us. We had to transform ourselves to enable our product teams to move fast, use the tools they want, and do it in a secure way.”
Xero chose AWS for its breadth of compute, storage, and networking services. McKeown praises the AWS Well-Architected framework for helping his team build a secure, high-performing, resilient, and efficient infrastructure for the company’s applications. The AWS environment gave Xero the opportunity to reduce costs, avoid downtime, and support its growth goals.
Security was of equal importance, and the team chose Check Point as a trusted enterprise security partner for securing internal and outbound traffic. “Security was the first thing we thought about,” said McKeown. “We had to think about data encryption, inbound and outbound traffic connectivity, and protection against web-based attacks like DDoS, cross-site scripting, and SQL injection attacks.”
The Xero team worked closely with Check Point to implement security at every level of the infrastructure stack. Together, they deployed 130 Check Point Gateways across 100 different AWS accounts running Check Point CloudGuard Network Security (CGNS) to keep data and assets safe from even the most sophisticated threats. Check Point CloudGuard Network Security delivers automated, multi-layered, elastic security that scales with the dynamic AWS environment.
Xero deployed Check Point CloudGuard Network Security using a Transit VPC-style architecture. This enables traffic to be directed to a defined “security zone” for security scrubbing based on any number of attributes—regulatory requirements, policy, type of traffic, and others.
Micro-segmentation capabilities enable Xero to secure east-west data traffic, as well as traditional north-south traffic flows. Integration with native AWS controls enabled rapid deployment while supporting dynamic scalability and consistent control across all environments. As a result, Xero gained advanced security that moves with its applications, simplifying the overall migration without compromising protection or compliance. Check Point R80 Security Management brings the entire infrastructure into a single pane of glass with deep visibility.
“I chose best-of-breed partners that could walk with us through the journey and keep up,” said McKeown. “We built best-practice environments and pushed them to the limits months before we migrated our first customer.”
Success and High Fives
During a nine-month period in 2016, Xero successfully moved 700,000 customers, 59 billion records, and $1 trillion worth of transactions to its fully managed AWS public cloud environment. McKeown attributes success to his teams and also to Xero’s partners who were engaged across their entire organization.
“We built a security culture and strong relationships with our partners through the process,” said McKeown. “They understand that they aren’t competing with each other in our environment—they’re competing with the speed of our developers and with AWS. Together, we successfully migrated to a next-generation infrastructure while working at development speed.”
Comprehensive Cultural Transformation
In traditional organizations, DevOps and security teams work independently, and security controls are often viewed as roadblocks to rapid innovation. If the security team can’t keep up with the pace of innovation, developers simply go around them. McKeown set out with the aim of instilling a security culture across the organization to avoid the security risks associated with traditional development. He gave Xero’s developers ownership of their AWS accounts and the ability to make their environments more secure.
“A significant number of Xero employees are technical resources,” said McKeown. “Instead of putting up security ‘gates’ that require developers to stop and seek security assistance or input, we can deploy ‘guardrails’ that help developers stay on the road without impeding their progress. We now have the freedom to accelerate development and grow without limits, while still protecting our brand.”
Xero’s teams operate with autonomy to build features and tools using whatever AWS capabilities, technologies, and microservices they need. The on-demand computing power of AWS enables developers to experiment with new features and products in ways that were not possible before.
Check Point R80 Security Management gives the security engineering team deep visibility into the security posture of all AWS accounts. With visibility, security became less of a business hurdle to overcome; it is a capability woven into the fabric of the business that accompanies every other function. In Xero’s agile environment, the security engineering team works to improve data protection, eliminate downtime, and deliver value-added services to the DevOps teams.
“Check Point automation is instrumental in building a fully automated infrastructure,” said McKeown. “Automation gives our developers freedom to choose the platforms they use and the ability to roll out projects in an automatic, repeatable, and secure manner.”
Freedom to Focus
With a global customer base, Xero is subject to a wide range of international regulatory requirements. In the past, monitoring and demonstrating compliance required lots of spreadsheets and extensive manual effort. Check Point, as a key security partner, enables the Xero security risk management team to automate compliance management. Automation gives them the immediate visibility they need to assure auditors that the proper checks are in place and frees them for their key initiatives.
With on-demand cloud and security infrastructure scalability, Xero can confidently ensure that peak usage periods deliver the high performance that customers expect. At the same time, during lulls in activity Xero is not paying for capacity that sits idle. The AWS cloud and Check Point enabled Xero to achieve its primary goals of reducing service delivery costs while assuring high service availability.
Partnering for the “Next-Next” Generation
McKeown’s approach to sharing responsibility for success between the security team, product teams and cloud and security partners provides a strong base for Xero to lead its industry to the “next-next” generation. Working closely with Check Point and AWS, the Xero security engineering team is building Check Point R80 Security Management capabilities into “management as a service” for itself and the Xero development teams. A fully automated security stack will enable self-service—eliminating the need to raise a ticket or wait for assistance. Automated security enables dynamic changes and positive, proactive interaction between security engineering and product development teams, giving everyone better visibility and control.
“Check Point and AWS have released Xero from the constraints of traditional management and security practices,” said McKeown. “Together we enable a strong, positive security culture across the business without limiting growth in any way.”