The fintech space is growing by leaps and bounds, as more consumers shift their financial transactions online for both convenience and necessity during the COVID-19 pandemic. MANTL is a fintech startup providing banks and credit unions with the technology they need to meet the demands of their customers who want to do their banking from anywhere and on any device.

In this TechStrong TV interview, we speak with Ben Conant and James Qualls of MANTL and Elizabeth Zalman of strongDM to understand how strongDM’s technology is helping MANTL with access management for its backend systems to enable a strong user experience.

Step 1 of 7

14%

Which of the following best describes how you currently monitor and manage systems across your hybrid cloud environment?(Required)

Multiple separate tools for different environments

Multiple separate tools for different monitoring and management functions

Single consolidated dashboard

Custom built monitoring and management solution

No full monitoring and management solution

Don’t know

How valuable would it be for your monitoring and management solution to incorporate predictive analytics to help you identify and address system issues that are critical and not waste time or effort working through all the data and “noise” that is not critical?(Required)

Extremely valuable

Moderately valuable

Somewhat valuable

Slightly valuable

Not valuable

How do you most typically address potential system issues BEFORE they impact your operations?(Required)

Automated workflows and playbooks to remediate potential issues as soon as they are detected

An orchestrated response process that leverages automation, AI, and human expertise to rapidly respond to potential issues

Advanced monitoring tools such as predictive analytics and anomaly detection to proactively identify and address potential issues

Respond to issues as they arise, using manual processes and troubleshooting techniques

A combination of automated remediation, orchestrated response, and/or proactive monitoring to address potential system issues

Don’t know

Other

What methods does your organization use to control and monitor cloud/IT spending?(Required)

Centralized procurement processes

Pre-approved budget thresholds

Automated cost monitoring tools

Department-level spending controls

Regular cost audits and reviews

Cloud cost optimization platform

Approval workflows for resource provisioning

Native financial operations tools provided by the cloud provider

No formal controls in place

Don’t know

Other

Please specify:

Which methods do you rely on most to detect security vulnerabilities in your systems?(Required)

Automated scanning tools

Manual assessments

Vendor notifications

Threat modeling (for early detection)

None of these

Don’t know

Other

Please specify:

What are the TWO most common ways you prioritize vulnerabilities to address within your environment?(Required)

Based on potential impact

Based on exploitability

Regulatory compliance requirements

Based on CVSS scores

Risk-based analysis of multiple factors

First-in-first-out approach

No formal prioritization process

Don’t know

How do you typically handle system updates and security patches?(Required)

Automated updates and patches

Manually review and apply updates and patches on a regular schedule

A combination of automation and manual review

Apply updates and patches on an as-needed basis.

Outsourced update and patch management

No defined process

Don’t know

Other

Δ

Check out the interview below and follow along with the transcript to find out more.

Transcript

Alan Shimel: Hey, everyone. Thanks for joining us for another episode of TechStrong TV. In this segment, we’ve got three people, as you can see, and let me introduce them to you. I’m gonna start with the lady, Elizabeth, Liz Zalman of strongDM. Hey, Liz—welcome back.

Elizabeth Zalman: Thanks, Alan. Great to be here.

Shimel: Okay, and then we’ve got two guys. The guy up in space there is Ben Conant—he’s not really up in space, he’s in Tenafly, New Jersey, but hey, you know, with the magic of Zoom, he could be anywhere. Hey, Ben, welcome to TechStrong TV.

Ben Conant: Hey, Alan, thanks for having me.

Shimel: My pleasure. And then last but not least, we have James Qualls. James, I didn’t even ask you pre-hand—where are you from? Where are you coming in from today?

James Qualls: I’m in Harrison, New Jersey.

Shimel: Okay, so, we’ve got a bunch of Northeast—Liz is up in New York and I probably have the biggest New York accent of all of you guys, so, there you go.

But anyway, so, we have not—I don’t think we’ve ever covered MANTL on our show or even in any of our staging-devopsy.kinsta.cloud, Security Boulevard, Container Journal, I don’t think we’ve covered MANTL before. So, let’s start off with a little bit about who MANTL is and then, as part of that, James and Ben, tell us what your roles are at MANTL.

Conant: Sure. So, I’ll start. I’m Ben Conant, I’m the CTO and co-founder of MANTL, and MANTL is a fintech startup that provides banks and credit unions with the technology they need to meet the demands of modern customers. So, you can kinda think of us like Shopify, but instead of helping sort of medium-sized retailers have an online store without an engineering department, we do the same thing for American banks and credit unions.

So, like, there’s actually 13,000 financial institutions in America, and 96% of those financial institutions are not Chase or Bank of America or SoFi that pump millions if not billions of dollars into technology. And these financial institutions really don’t have access to technology vendors that they like, want to work with, or provide them with what they need.

So, that’s why MANTL exists. We are trying to reimagine what it can be to be a small bank, medium-sized bank in America or a credit union by providing technology that meets what they need.

Shimel: Very cool. James, do you wanna—what’s your role at MANTL?

Qualls: Yeah, so I’m the Director of Engineering here at MANTL and primarily responsible for infrastructure or liability engineering. I have the pleasure of architecting everything that MANTL runs on and we have the opportunity to run on a very modern cloud infrastructure. So, we use Kubernetes, everything’s configuration as code, running as Terraform. You know, we take advantage of as many cloud products as we can.

Shimel: Excellent. And then Liz, we’ve had strongDM before, but for people who may not be familiar, give us the strongDM story.

Zalman: The strongDM story is that the way people manage access to infrastructure has fundamentally changed since cloud. You’ve got an explosion of servers, database management systems, cloud providers. Kubernetes came into existence, and so doing it by hand or relying only on Active Directory, it doesn’t work anymore, and so strong creates a single control plane for you to both manage and audit the access of anybody who works for you—a contractor, an employee, service account to any infrastructure that is yours.

Shimel: Cool. So, for purposes of setting up the discussion of how strongDM works with MANTL, Ben, I’m gonna ask to give us an example of some of this technology and apps that you guys are creating or helping maintain and power for your fintech clients, for your small and medium banks, credit unions, stuff like that.

Conant: Yeah, so, the first product that we decided to develop for this market of sort of medium-sized banks and credit unions is a way for those banks to have a kind of open an account dot bank dot com website that was completely white-labeled and personalized to their brand, but really felt like signing up for Robinhood or Acorns or one of the sort of big fintechs that have a really slick sign up ________. Because a lot of these banks, you know, they don’t—in order to achieve the kinda deposit growth that they want to achieve, they have to go online, but they’re really suffering from not having a website that anyone would want to sign up for a bank account on, right? So, that was a very specific product, but there’s a huge market for it, so we decided to start with that.

And then, you know, from a technical perspective, what does that mean? It means, for us, we have node microservices running in a Kubernetes cluster. We’re also talking to post press data stores in GCP, and then we need to control access and have firewalls and UAT environments for the banks to test stuff out using Cloudflare.

So, you know, strongDM kind of ties into that, because as we grew and as we scaled, we needed to manage internal access to different pieces of our infrastructure, and we were actually thinking about building out our own little app to do this and have SQL access provisioning stored up in a database, but then, you know, through looking at vendors and finding strongDM, it seemed way better to sort of go with a company that was dedicated to providing that.

Shimel: Very cool. Now, it would seem to me and, you know, I’m not the expert here, you guys are, but Liz, you know, when they’re setting up this sort of account opening app or online account opening app, that seems like something that strongDM would definitely be of much help to, no?

Zalman: I think it was. I remember, James, I think, in our first conversation, you had very, I think the interesting thing about the MANTL team—whatever, it’s interesting about all my customers, but MANTL has a very clear point of view on the way that they want to do something in order to honor what their customers need. And so, James has always had a very clear point of view of, “We need something implemented like this, for these business reasons. I’ve tried on these other solutions. They don’t work for reasons X, Y, and Z, and so actually, MANTL is one of our most sort of forward-thinking, pushing the boundary customers that exist.

I remember, James, when it came to setting up HTTP access for your internal employees and talking about header redaction and—I think it was Vault?

Qualls: Vault.

Zalman: The hosting of Vault, yeah. I was like, “Alright!”

Shimel: Secrets.

Zalman: “Gotta upgrade that.” [Laughter]

Shimel: Yeah, no—Vault’s huge, right? I mean, you know, Vault is a little-known power—not little-known, but to those in the industry, it’s little-known, but outside of it? I mean, Vault may be HashiCorp’s biggest, you know, product, and they have some great products.

But so, James, you know, Elizabeth’s kinda thrown you under the bus here, a little bit—it all comes to you. [Laughter] So, you know, how did the mission—you know, what else did you look at? What are the kinds of things, right, and how did you come on strongDM?

Qualls: Yeah, so, I would say that we have, I would say the top three resources that we needed to gain access to—one, obviously, Vault, which, you know, it’s an HTTP based product, but you know, we could’ve gone with Cloudflare Access, ______ we could’ve gone with Google’s Identity-Aware Proxy. But the bottom line is that it’s much easier to manage and provision access if the system that you’re using is consolidated into one product, and I don’t want to have to manage access to these resources across three or four different products.

So, we continued to look around and when we found strongDM, the first thing that we provisioned access for was databases. That’s something that no other product on the market does better than strongDM. strongDM covers a number of database protocols, we happen to be obsessed with Post Press. But strongDM supports things like Cassandra, things like BigQuery—so, you’re not necessarily limited in terms of protocol.

There was an alpha that they were running where we got immediate access to the ability to not only proxy to databases through strongDM but also to proxy to HTTP based workloads. Vault happened to be the use case, and the e-mail that Liz is referring to is when I was talking about the audit logs and strongDM actually logging the Vault tokens in the early alpha and I requested that we have some kind of header redaction. And her team took our feedback immediately and within a very short period of time, they had implemented a fix or that. And to be honest, even in the alpha, the product was very usable. We were able to use it immediately and no one really knew that we were in an alpha, the product just worked. So, essentially, we were able to consolidate access to resources that we had actually been using private tunnel, a Pritunl, to run a VPN to those resources.

After migrating to strongDM and after finally providing access to all of our resources, we use Post Press, Kubernetes, Vault, and there are some other internal resources that we provide access to all through strongDM, we were finally able to kill that VPN. So, we are an entirely identity-aware system at this point, purely because of strongDM. And then we have an added benefit when COVID hit, we were able to entirely go remote, because we didn’t have to scale a VPN. And this product is super high performance. We haven’t run into any bottlenecks, either, so you know, we’ve quickly grown over the last two years from 11 to almost 50 people now. And we’re all—all of us are presently remote, and all of us are using strongDM.

Shimel: Very cool, very cool. And I don’t know the answer to this, and I hate asking questions I don’t know the answer to, but is there an application to use strongDM outside of MANTL’s own internal workforce for some of these banks, credit unions, you know, small to medium banks and credit unions as they—because, you know, there’s all kinds of financial regulations that you’ve gotta deal with here from q compliance standpoint and everything else. So, do you use strongDM beyond the internal MANTL team?

Qualls: Liz and I have had a conversation about that, about potential applications for strongDM’s technology. I would say that probably MANTL’s biggest technical hurdle, when we’re integrating with a new bank is setting up network connectivity. And traditionally, that is, it’s by and large, it is usually an ________ VPN that we’re connecting to. And I see a potential application for strongDM there, although we haven’t attempted to see if it would work, or if one of our customers would actually be—or find that acceptable. [Laughter]

Shimel: Ben, I’m curious what you think about that.

Conant: Yeah, I think there is a huge market of banks that, you know, beyond just connecting to MANTL and allowing MANTL to operate with their sort of legacy systems, there is a huge market within banks where they have exactly the same problem, right? Like, people who are analysts at banks need to access lots of different data that’s all siloed in different data sources and different sort of network resources. We’ve heard a lot of our customers really struggling to set up or scale their own VPN solutions. And we’ve also worked with them to kind of, like, try and help mitigate those issues.

But I think that strongDM is definitely a product that banks themselves should consider adopting, right? Because in the same way that it helps MANTL employees have highly compliant and secure and easy to manage access to the resources they need to do their jobs, banks have that problem but almost way larger than MANTL because they are 500 person organizations or 1,000 person organizations instead of a 50 person, you know, software company.

Shimel: Yeah. I mean, because that was my thought on it, too, is these banks—I mean, the kinds of issues you’re talking about, James, that you guys are dealing with at MANTL and why you would use a strongDM kind of solution, you know, the small banks, community banks, credit unions—they got this, they have the same issues, right? Maybe some of them still are, you know, on legacy infrastructure, but if anything, I would imagine this whole COVID thing is accelerating their transformation there as well.

Qualls: Absolutely. When COVID initially hit, you know, we had several banks, you know, just scrambling to scale their VPN infrastructure or bank—you know, some people were not actually even able to go beyond a certain point and they had to reconfigure their entire network topology as everyone was forced to go remote.

In terms of, you know, in terms of how strongDM can be applied, I think that with COVID being a driving force behind that, I think that there’s definitely an opening for banks to start adopting newer technology, and strongDM is so easy to operate. It’s literally a don’t even think about it product. When we deploy it, we have the pleasure of deploying it on Kubernetes, so, we literally don’t even think about it. Scheduling and everything happen automatically. But strongDM is very well packaged. It’s a small binary, you give it a token, and you start it on any server you want. Yeah.

Shimel: You know what, Liz, it sounds to me like James is giving you your new sales channel.

Zalman: I actually just wrote that down. “Kubernetes—we literally don’t think about deploying it.” [Laughter]

Qualls: Yeah. [Laughter]

Zalman: No, customers have the best way—customers are the best from a product marketing perspective because they perceive the industry as they perceive it as a practitioner, and I’m—well, we’re practitioners, we’re also vendors. And so, their language is always the best. And they always know the right way to do things, I think.

So, I can actually think of two product changes that James had requested. One was the header redaction in Vault, but the other thing was when strongDM deployed support for Terraform. The very first thing that James asked for was, “So, it’s great that you have a provider, but I need to be able to read in all of my configurations before I go and add strongDM to it, so when are you gonna support Terraform import?”

And so, it’s very similar, right? You have practitioners, you have very forward thinkers for, like, “This is the right way to do things, and can you help me align to that?”

Shimel: Excellent. Hey, Ben, I got a question for you. You know what? I love doing interviews with people like James and Elizabeth and we knock around things like, you know, Kubernetes and Terraform and Istio and maybe Cloudflare and stuff like that.

But Ben, you know, you’re CTO and co-founder, you’re going to talk to these small community banks and credit unions, and even their IT departments, do they, you know, when you start bandying about stuff like this and this is—you know, does that resonate with them, or do they just say, “Hey, that’s why we have you here. You deal with that stuff. We’re not interested in what Kubernetes and strongDM is”?

Conant: I think that there’s a very real sense in which the banks that are our customers are really purchasing as a service a large part of their company’s technology stack, right? So, if I’m the CTO or the CIO of the bank, you know, I’m trying to figure out, how do I move to the cloud in a way that is gonna make sense, right? And one big way to do that is to simply purchase MANTL. Because now your entire account opening stack is actually hosted on GCP, and you get all of the security benefits of that. And in the same way, you know, your—you want to be very involved with the decisions of, like, “Well, what technology is my vendor actually running?” Right?

So, I think that the forward-thinking banks really do take it seriously and ask a lot of questions about our stack. I think maybe more importantly, you know, there is a very intense vendor due diligence process that even the smallest banks in America go through before allowing themselves to work with a technology vendor, right?

And so, one thing that strongDM really helps us do is, you know, maintain a state of what we call perpetual compliance, right? So, we have an amazing Director of Security at MANTL, and we undergo SOC 2 audits, PCI audits, and other types of security audits every year. And, you know, having the capabilities that strongDM comes with out of the box allows us to, at a moment’s notice, produce the documentation that’s required for a SOC 2 audit for a lot of the stuff that we do. And that keeps our customers very happy. Because not only are they concerned with, “Oh, wow, you guys are on GCP, you’re using Kubernetes, you’re way ahead of the curve relative to the other vendors that we could go with,” but they also like the fact that we sort of breeze through these audits and are able to provide them with answers to the tough vendor due diligence questions that they do ask in the sales process.

Shimel: Excellent stuff, man. Liz, I’m wondering if what Ben says he’s seeing kinda is parallel to what you guys see as well that, you know, especially dealing within the financial industry and fintech, there is sort of a high bar of due diligence in terms of is strongDM really secure, compliant, no back doors or—you know, I’m not creating a bigger problem by solving, trying to solve another problem.

Zalman: Certainly. I think it’s twofold. So, companies get to a certain size where—and we’ve experienced this in fintech where they’ve rolled their own for some time, and then it gets to the threshold with respect to security RFIs they need to answer or they’ve hit a threshold in terms of employee base where they say, “Okay, I actually don’t wanna develop a core competency in identity and access management, and I want to offload that to a service provider.” Similar to how MANTL solves, essentially, a hosted web app and flow for credit unions to come into the 21st Century.

And then, certainly, as part of any diligence process with us, we get asked, “What are your security—you know, what do you attest to? What are the results of your pen tests?” We did SOC 2 type 1 when we were eight people large, because it was such a core part of the sales process. I think customers want to be able to buy something that they have confidence in every aspect—that it provides the services, that it’s high availability and doesn’t go down and that it is as secure and people do what they say. So, certainly, that’s been a big part of the software since 2016.

Shimel: Wow. That’s a while. Alright. Guys, we’re about out of time, but I realize MANTL, for people who want to get more information on a hot fintech startup out of Jersey there, where can they go on the web?

Conant: Well, MANTL.com, M-A-N-T-L dot com, and you can actually see on James’ shirt it has the correct spelling of our name. But that—

Shimel: Nice billboarding, James—good work.

Conant: [Laughter] If we were both wearing that shirt, then it would’ve been a little bit weird, but I’m glad that it’s James and not both of us.

Shimel: It wouldn’t go on the ISS anyway, so you know, you’re dressed appropriately, Ben—we’ll let it go.

Conant: MANTL.com is a great place, there’s also been a number of industry publications about us, talking about how we’re helping in American Banker and others, helping community banks really become fintech companies, which we believe is their future, right? We think that all these fintech companies are trying to become banks. If you look at SoFi or you look at Simple Bank or any of these up and comers—really, you’ve got these small banks that, if they just had a platform to move and really innovate from a technology perspective, they are going to become the fintech, you know, [Cross talk] of the future.

Shimel: It’s funny, they just, from both sides of the spectrum, converging on a common market is what you’ve got there. But Elizabeth, strongDM, for people who may not know, where do we go to get more information?

Zalman: strongDM—S-T-R-O-N-G-D-M. Here at strongDM, the DM stands for Dragon Matrix. [Laughter]

Shimel: Okay.

Conant: I did not know that. That’s awesome.

Zalman: Yeah, it came up at our last on-site—although, I gotta say, everybody wants T-shirts, and I’m like, “No, no, no. No T-shirts, I want a trucker hat.” But then that would look weird on camera—James’ shirt is much more effective on camera, so.

Conant: [Laughter]

Shimel: Yeah, no—the shirt works, James. Good work. Hey, guys, we’re gonna call it a wrap on this segment here for TechStrong TV. James Qualls, Ben Conant—did I mispronounce it? yeah okay—from MANTL, and of course, Liz Zalman, from strongDM. Thanks for joining us. This is Alan Shimel—we’ll be right back with our next guest.