No industry is safe from the threat of hacker attacks, and the financial sector has proven that much. That is not surprising: we are talking about money, after all. From time to time, media headlines report hacker attacks on financial institutions and breached accounts. So it's evident that financial institutions and their operations need reliable and proven protection. Zoop's approach can be an excellent example of best security practices for other companies, not only financial ones.
In this case study, we will look at Zoop, a Brazilian fintech technology leader, and how this financial services giant uses GitProtect.io to ensure the security of its critical GitHub data. You will learn about the security challenges the company has faced and the actions taken to overcome them.
Zoop is one of the biggest fintech companies in Latin America. In 2021 the British magazine Daily Finance included this young company in its list of “the best fintech startups that bring innovation to the services of the financial system”. At the same time, Fast Company named Zoop, a Rio de Janeiro-based fintech service, one of the TOP 10 Most Innovative Companies in Latin America “for helping small businesses bank up.” The company processes 2 billion+ financial operations monthly with its instant payment system.
More than 300 employees are working and developing Zoop’s innovative financial technologies - Zoop Payments and Zoop Banking. The company uses GitHub Enterprise and GitHub Advanced Security under an Advanced Security license. It has around 700 repositories in its organization and approximately 160 users.
Zoop explains its service simply: it is a solution that allows companies from any segment to start operating as a payment institution, and Zoop has already helped 1k+ companies do so. Working through a White Label platform, the company develops technology for payment terminals and offers its partners software for POS and MiniPos terminals. Besides that, it also offers APIs for online payments and other functionalities that make the whole process easier, like split, anticipation, etc. Implementation is done via APIs, which makes operations simple and fast and shortens the launch time of the service.
Working in the financial sector requires a lot of responsibility and attentiveness to security. Companies must follow strict internal regulations and security requirements, like SOC 2, ISO27K, GDPR, PCI DSS, SOX, and many others. The financial sector deals with money, so companies need to build an authentic security plan following all those strict security standards, and backup is one of the necessary requirements. In short, due to very stringent legal and internal requirements, financial organizations can be regarded as the best benchmark when it comes to security - and Zoop's responsible approach is the best example of this.
Thus, Zoop faced its biggest challenge - to have all its repositories and metadata backed up with an easy and fast restore model. Moreover, it needed to keep its environment always up to date and maintain only what is really productive.
At first, Zoop considered backup of GitHub repositories a necessary security measure. Later, though, another reason appeared - compliance. We all know that GitHub repository backup is one of the major requirements for passing Security Audits. Even though GitHub is thought of as a very reliable git hosting service provider, it's no secret that it can experience outages and crises. Just look at the track record of the most severe GitHub-related security incidents of 2022.
The company started to build its backup strategy on its own - the security engineers manually backed up each repository and stored the copies on Google Drive and the company's S3. For a while this solution worked well, but it needed a lot of manual maintenance, as the company had to assign somebody from the team to write and perform this manual backup process. And here a certain concern arose - this approach could lead to limited DevOps team resources and high long-term costs.
So, Zoop understood that it needed an automated backup solution. The company required a tool that would be easy to use, would make it possible to create several backup plans according to the organization's needs, and would ensure a fast and efficient restore process.
Eventually, the company’s security engineers started looking for a more reliable GitHub backup solution and that's how our joint journey began.
Searching for a tool that would permit creating automated custom backups for its GitHub environment, Zoop’s team discovered GitProtect.io. After a careful analysis of this DevOps backup and recovery software, they understood that GitProtect.io was the tool that best matched what they wanted in terms of functionality, practicalities, and values. And most importantly - it would let developers focus on generating growth and limit manual backup maintenance costs.
“GitProtect.io came to give more tranquility and security in the backup of our GitHub repositories”
The process of adopting the backup solution was easy, as GitProtect.io’s Sales Team treated Zoop’s team with special attention during the POC and was always ready to respond and help. It supported the fintech team with all the concerns they had - the process of assigning the company’s own S3 bucket, setting a flexible backup scheduler, rotation schemes (Custom and GFS), and versioning.
As a result, Zoop no longer needs to make manual backups to Google Drive. It can automate the process and create multiple backup plans - stored either on their own S3 storage or on free GitProtect Cloud Storage included in the license. The ability to have several storages also allows them to replicate efficiently.
GitProtect.io is a leading maintenance-free GitHub Backup and Disaster Recovery software. Thanks to its many years in the field of backup (GitProtect.io is a product of Xopero Software), the backup solution has taken only the best traditional backup technologies and managed to build reliable protection for repositories and metadata.
“We designed GitProtect.io with security in mind. That’s why each client’s service is strongly separated, which I think should be a standard in the backup-as-a-service solution”
Let’s look at some of the key technical features that allow GitProtect.io to solve the problems Zoop has faced.
Zoop stores its data in the cloud, so it’s vital for the company to have all its data encrypted and stored in non-executable form. Backup is the final line of defense against ransomware attacks, and AES 256 encryption is one of those standards that help to boost the security of critical data. Keeping that in mind, the solution not only provides Zoop with encryption in-flight and at rest, but goes a few steps further - it permits the company to create its own encryption key.
It was also significant for the company that the GitProtect team had successfully passed the most important security audits, such as SOC 2 and ISO 27001, assuring them of security, availability, processing integrity and confidentiality.
The goal of any backup solution is to ensure business continuity in the event of a disaster. In the case of DevOps tools, it is also important to maintain an uninterrupted workflow and eliminate any downtime in the team's work. As a reminder, Zoop's goal was to find a centralized and complete backup of all repositories and metadata that would give them a reliable, effective, and extremely fast restore.
In particular, Zoop verified the possibility of immediate, granular restore of repositories and metadata from any point in time for daily operational needs, as well as Disaster Recovery technologies to protect them against major failures, such as GitHub outages.
With this solution, Zoop gained Disaster Recovery technologies prepared for every possible scenario. In the event of a failure, they can instantly restore their environment to the same or a new GitHub account (cloud to cloud, from cloud to self-hosted, or vice versa), to a local machine, or even cross over to another git hosting service, like Bitbucket or GitLab.
In a nutshell, GitProtect provides Zoop with custom, recoverable backups from any point in time. With granularity, it helps them perform an instant restore of only chosen repositories and metadata for daily operations. Finally, DR technologies ready for any disaster scenario assure Zoop and its customers of the reliability and security of their DevOps data protection processes.
The final results of adopting the GitProtect.io backup and recovery tool met all of Zoop's expectations and allowed them to solve their challenges in terms of security, automation of data protection, and instant, proven recovery.
“When we need to restore a repository, GitProtect brings speed, convenience and security to this process.”
GitProtect.io helped Zoop to resolve issues with decentralized and incomplete backups, and to ease compliance with certain security audits and GitHub's Shared Responsibility Model. The team was a totally transparent partner in this process, helping them at each step of DevOps backup adoption.