PAYPS is the complete solution for digitizing promotional offers for drugstores and cosmetics brands. As the first and only company offering immediate digital coupons in the pharmacy sector, PAYPS helps drive traffic to physical pharmacies and click-and-collect sites. Their multi-channel service can easily integrate into existing loyalty programs on a white-label basis, giving brands and pharmacies more flexibility. PAYPS is committed to keeping its solutions secure, reliable, and affordable as they grow to ensure a great experience for everyone.
Challenges
As PAYPS expanded, several key challenges emerged.
- First, due to rising cyber threats, PAYPS needed to strengthen security and protect sensitive data relating to pharmacy promotions and consumer transactions. Maintaining a secure environment was critical for PAYPS to ensure customer trust.
- Another challenge was ensuring a reliable platform, even during peak usage times. The web app’s performance is essential, especially when handling large-scale transactions at checkout, where any downtime could impact customer experience and pharmacy operations.
- Lastly, their rapid growth came with increased infrastructure costs. PAYPS needed to optimize its spending without sacrificing the performance or security of its web app.
Solution – WAFR
PAYPS partnered with Cloudvisor to address these challenges with a Well-Architected Framework Review (WAFR). WAFR is a structured assessment process designed to help organizations evaluate their cloud architectures against best practices established by AWS. This in-depth evaluation of PAYPS’s cloud infrastructure focused on three of WAFR’s six pillars: security, reliability, and cost optimization.
The review typically takes around a month to complete, allowing us to analyze PAYPS’s existing architecture and recommend actionable improvements. By leveraging WAFR, Cloudvisor provided PAYPS with a comprehensive roadmap for optimizing its cloud environment while addressing critical security and performance needs. By consolidating load balancers into shared ones, placing resources in private subnets, and removing public IPs, we were able to reduce costs and make the infrastructure more secure at the same time.
Results
Cloudvisor engineers worked closely with PAYPS to identify vulnerabilities and improve their security. Through step-by-step tutorials and real-time guidance, the team helped reconfigure parts of the infrastructure to safeguard sensitive data and protect against potential cyber threats.
The engagement began with an initial assessment, where Cloudvisor’s team met with PAYPS stakeholders to understand their infrastructure and security concerns. Using tools like AWS Inspector and AWS Security Hub, the engineers conducted a thorough evaluation to pinpoint potential threats.
- New password policy: Designed a robust policy requiring minimum length and complexity to improve account security.
- IAM Access Analyzer for unused access: Activated IAM Access Analyzer to review IAM policies and roles, revoking unnecessary permissions.
- ALB logs to S3: Configured Application Load Balancer logs to store in an S3 bucket for secure and efficient log management.
- CloudTrail logs to S3 with Athena: Set up AWS CloudTrail to log API calls, with logs stored in S3 and queried via Amazon Athena for deeper insights.
- GuardDuty: Enabled AWS GuardDuty to continuously monitor threats within the PAYPS environment.
- Inspector: Deployed AWS Inspector for continuous vulnerability assessments, with regular scans for proactive security management.
- Security Hub: Configured AWS Security Hub to aggregate findings from various AWS services, providing a centralized view of security posture.
- CloudFront logs to S3: Configured Amazon CloudFront to distribute PAYPS’s content efficiently, with access logs stored in S3. This improves content delivery speeds and provides insights into traffic patterns for better monitoring.
- New private RDS instance: Launched a new Amazon RDS instance in a private subnet, isolating the database from internet access to enhance security while ensuring high availability and performance.
- New private and data subnets: Restructured the network architecture with private and data subnets, isolating different application tiers to protect sensitive data and critical services from public exposure.
- NAT Gateway for private subnets: Deployed a NAT Gateway for private subnets, allowing secure internet access for software updates without exposing instances to inbound traffic.
- Bastion host with SSM: Established a bastion host with AWS Systems Manager (SSM) for secure access, enabling the operations team to manage resources in private subnets without requiring open inbound ports, thus enhancing security.
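As an added example (not PAYPS’s or Cloudvisor’s code), the following Python script shows the kind of detection the CloudTrail-to-S3 setup above makes possible: it reads one CloudTrail log file (the `{"Records": [...]}` JSON CloudTrail delivers to S3) and flags security group rules opened to the whole internet and console logins made without MFA, two findings that run directly against the private-subnet and password-policy goals listed here. The account ID, ARNs, IP addresses and security group ID in the sample are constructed placeholders, and the two rule functions are hypothetical names chosen for this illustration.

```python
import json

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}  # "anywhere" ranges, IPv4 and IPv6


def open_ingress(record):
    """Return (fromPort, toPort, cidr) for each world-open rule added by a successful AuthorizeSecurityGroupIngress call."""
    if record.get("eventName") != "AuthorizeSecurityGroupIngress" or record.get("errorCode"):
        return []
    hits = []
    params = record.get("requestParameters") or {}
    for perm in (params.get("ipPermissions") or {}).get("items", []):
        ranges = (perm.get("ipRanges") or {}).get("items", []) + (perm.get("ipv6Ranges") or {}).get("items", [])
        for rng in ranges:
            cidr = rng.get("cidrIp") or rng.get("cidrIpv6")
            if cidr in WORLD_CIDRS:
                hits.append((perm.get("fromPort"), perm.get("toPort"), cidr))
    return hits


def console_login_without_mfa(record):
    """True for a successful console sign-in where CloudTrail reports that no MFA was used."""
    return (record.get("eventName") == "ConsoleLogin"
            and (record.get("responseElements") or {}).get("ConsoleLogin") == "Success"
            and (record.get("additionalEventData") or {}).get("MFAUsed") == "No")


def findings(log_text):
    """Run both rules over one CloudTrail log file and return human-readable findings in event order."""
    out = []
    for rec in json.loads(log_text)["Records"]:
        actor = (rec.get("userIdentity") or {}).get("arn", "unknown")
        for fp, tp, cidr in open_ingress(rec):
            group = rec["requestParameters"].get("groupId", "?")
            out.append(f"{rec['eventTime']} {actor} opened {fp}-{tp} to {cidr} on {group}")
        if console_login_without_mfa(rec):
            out.append(f"{rec['eventTime']} {actor} console login without MFA from {rec.get('sourceIPAddress')}")
    return out


# Constructed sample log file (placeholder account ID, ARNs, IPs, group ID), shaped like a real delivery.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-10T08:00:00Z", "eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}, "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2024-01-10T08:05:00Z", "eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}, "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 5432, "toPort": 5432, "ipRanges": {"items": [{"cidrIp": "10.0.0.0/16"}]}}]}}},
    {"eventTime": "2024-01-10T09:00:00Z", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}, "sourceIPAddress": "198.51.100.7",
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
]})
```

Calling `findings(SAMPLE_LOG)` yields two findings: the SSH rule opened to 0.0.0.0/0 and the non-MFA console login, while the internal-only Postgres rule passes; the same functions work unchanged on real CloudTrail files downloaded from the S3 bucket.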
After implementation, Cloudvisor provided training for PAYPS employees, ensuring they understood the new policies and tools. A final review meeting was held to discuss the changes, and documentation was provided for ongoing reference.
Cloudvisor also offered recommendations to enhance the platform’s reliability, ensuring PAYPS could handle increased traffic without interruptions. This improved user experience and supported the platform’s growing transaction volume. These improvements not only increased the reliability and performance of the PAYPS platform but also strengthened its security, allowing the platform to scale while safeguarding sensitive data.
By reconfiguring infrastructure and optimizing resource allocation, PAYPS achieved significant cloud cost reductions while maintaining high performance and security.
Through WAFR, PAYPS applied key cost-optimization strategies such as:
- Compute Optimizer: Used AWS Compute Optimizer to analyze EC2 usage patterns and recommend right-sizing instances, ensuring PAYPS used cost-effective instance types while meeting performance needs.
- Cost Optimization Hub: Established a centralized hub to provide insights and recommendations for managing and reducing cloud expenditures, offering strategies tailored to PAYPS’s specific usage.
- Cost Anomaly Monitor: Implemented a Cost Anomaly Monitor to detect unexpected spending spikes, allowing PAYPS to quickly address anomalies and maintain predictable budgeting.
- EBS Types Changed from gp2 to gp3: Transitioned Elastic Block Store (EBS) volumes from gp2 to gp3, improving performance and reducing costs, as gp3 offers better performance at a lower price point.
- New Elastic Beanstalk environment with private EC2 and shared Load Balancer: Set up a new Elastic Beanstalk environment with private EC2 instances behind a shared Load Balancer, optimizing resource utilization and reducing costs while maintaining secure access.
These measures helped PAYPS achieve significant cost reductions while improving the efficiency and effectiveness of their cloud infrastructure, maintaining a balance of performance and security. By engaging in Cloudvisor’s WAFR services, PAYPS positioned itself for continued growth that meets the evolving needs of its users and partners.
Fabrice Lefloch, the CTO of PAYPS, was particularly impressed by the ongoing support provided by Cloudvisor throughout the process.
“I was able to participate in the Well-Architected Framework Review program, which let me work with Cloudvisor engineers to receive outside feedback on how my infrastructure was built and how to make it stronger and more secure. I am really happy with the whole process. Dawid gave me general guidance along with step-by-step tutorials to help me reconfigure some parts of my infrastructure to make it more secure and more efficient at a lesser cost! What is really interesting is that this advice and support were not just a one-time shot, but I was able to get guidance for as long as it took to implement these guidelines. Regarding cost optimization, after optimizing my infrastructure, I was able to reduce my infrastructure cost by 35%. I highly recommend participating in WAFR to see real and quick benefits from it.”
Fabrice Lefloch
CTO at PAYPS