
Customer Case Study

Exness Elevates Global Kubernetes & Infrastructure Security with Teleport


Exness is one of the world’s largest trading technology companies, serving global financial markets with high-performance trading infrastructure, data-driven analytics, and proprietary algorithms. As a regulated financial services provider, Exness treats security as a core business priority: it underpins client trust, platform reliability, and compliance with standards such as PCI DSS, SOC 2, and ISO 27001. With rapid expansion into new regions, the company has doubled its infrastructure footprint in recent years and opened new data centers to meet increasingly low-latency trading needs. To support this growth while maintaining a strong security posture, Exness undertook a multi-year initiative to overhaul its entire infrastructure security model. Teleport became a critical pillar in this transformation, providing unified identity and secure access to Kubernetes, databases, hosts, and sensitive internal applications across a large, globally distributed environment.

*Exness does not offer services to residents of certain jurisdictions including the U.S., Canada, Iran, North Korea, Europe, the United Kingdom, Russia, Belarus and others.

Challenge

As Exness expanded, so did the complexity of its infrastructure:

  • Hundreds of Kubernetes clusters across on-prem and cloud environments
  • Dozens of development teams operating with broad freedom in their technology choices
  • Strict regulatory and internal security requirements
  • Processes that served well in the past but were based on manual access routing and permanent privileges

These challenges underscored the need for an Infrastructure-as-Code-compatible, Kubernetes-native solution. Exness required full automation, GitOps readiness, SSO support, and machine identity — all in one platform. Teleport was the only evaluated solution that met every requirement.


Before Teleport, Exness faced several critical barriers:

  • Fragmented Access Workflows: For instance, responding to a Kubernetes incident may require access to both the Kubernetes API and the underlying nodes over SSH, but no single tool provided both. The Security team had to stitch together tools and manually orchestrate approvals.
  • Heavy Operational Burden on Security & DB Teams: Permanent or manually granted temporary access resulted in high volumes of approvals and operational load, with database access bottlenecked behind the DB administration team.
  • No Single, Security-Owned Access Layer: Identity lived in systems owned by other teams, forcing Security to file request tickets for access changes, which was slow and inefficient for critical operations.
  • Shadow Access Pathways: Multiple ways to reach Kubernetes (cloud-native tooling, client certificates, external platforms) created audit blind spots and inconsistent security enforcement.

Solution

Exness began with Teleport Community Edition, validating the platform in full production conditions using the open source license before shifting to the Enterprise Edition. Teleport was deployed via Helm and Terraform across two high availability (HA) data centers, backed by Postgres and fronted by active-active load balancers.
Teleport became the unified access layer for:

  • Kubernetes clusters (on-prem and EKS)
  • SSH access to nodes
  • Production databases
  • Sensitive internal applications
  • CI/CD pipelines via Machine ID

Key Architectural Choices

  • Terraform Provider used for all Day-2 operations (roles, resources, access policies).
  • Teleport Machine ID integrated with GitLab for short-lived CI/CD credentials, replacing a third-party solution that issued permanent, coarse-grained access tokens.
  • Two Teleport agent replicas per cluster for resilient access and rapid failover, with real-time monitoring built on the agents' native metrics.
  • Security Operations Center alerts triggered if any access path bypasses Teleport.

 

Teleport is a flexible solution and one that provides a solid foundation for building unified access-control, thanks to its IaC- and automation-native design.

Roman Levkin

Technical Lead - Platform & Kubernetes Security, Exness

Results

Team Based Just-In-Time (JIT) Access

The biggest improvement was the creation of team-approved JIT access, eliminating permanent write privileges for developers and shifting approvals from a bottlenecked security team to the team closest to the workload.

  • Developers request elevated access in Slack
  • Any peer with equivalent permissions can approve
  • Double approvals required for the most sensitive environments

This dramatically reduced operational load, improved response times, and tightened security.
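The peer-approval and double-approval rules described above map directly onto Teleport Access Request thresholds. The following is an added example, not Exness's configuration or Teleport's published sample: three Teleport roles in the YAML form accepted by `tctl create -f` (the same objects can be managed through the Terraform provider). Role names, labels, Kubernetes groups, database users and TTLs are assumptions.

```yaml
# Added example, not Exness's or Teleport's published configuration.
# Role names, labels, groups, DB users and TTLs are assumptions.

# 1. The privileged role that nobody holds permanently. It is reachable
#    only through an approved Access Request.
kind: role
version: v7
metadata:
  name: k8s-prod-write
spec:
  options:
    max_session_ttl: 4h          # elevated sessions expire on their own
  allow:
    kubernetes_labels:
      env: ["prod"]
    kubernetes_groups: ["prod-writers"]
    kubernetes_resources:
      - kind: "*"
        namespace: "*"
        name: "*"
        verbs: ["*"]
    db_labels:
      env: ["prod"]
    db_users: ["app_rw"]          # developers never hold a local DB credential
    db_names: ["*"]
---
# 2. What developers hold permanently: read-only on prod, plus the right to
#    request k8s-prod-write and to review peers' requests for it.
kind: role
version: v7
metadata:
  name: prod-developer
spec:
  options:
    request_access: reason       # every request must carry a justification
  allow:
    kubernetes_labels:
      env: ["prod"]
    kubernetes_groups: ["prod-viewers"]
    kubernetes_resources:
      - kind: "*"
        namespace: "*"
        name: "*"
        verbs: ["get", "list", "watch"]
    request:
      roles: ["k8s-prod-write"]
      max_duration: 4h           # cap on how long an approved grant lasts
      thresholds:
        # "Any peer with equivalent permissions can approve": one approval
        # from a reviewer who also holds prod-developer; one deny closes it.
        - name: peer-approval
          filter: 'contains(reviewer.roles, "prod-developer")'
          approve: 1
          deny: 1
    review_requests:
      roles: ["k8s-prod-write"]
---
# 3. The same pattern for the most sensitive environment, with the
#    double-approval rule: two distinct peers must approve.
kind: role
version: v7
metadata:
  name: pci-developer
spec:
  options:
    request_access: reason
  allow:
    request:
      roles: ["k8s-pci-write"]   # assumed: defined like k8s-prod-write, scoped to env: pci
      max_duration: 2h
      thresholds:
        - name: two-peer-approval
          filter: 'contains(reviewer.roles, "pci-developer")'
          approve: 2
          deny: 1
    review_requests:
      roles: ["k8s-pci-write"]
```

A developer holding prod-developer raises a request with `tsh request create --roles k8s-prod-write --reason "..."` (or through Teleport's Slack plugin, as the text describes), and a peer approves it with `tsh request review --approve <request-id>`. The `filter` predicate is what makes approval peer-based rather than security-team-based: a reviewer without the same role cannot count toward the threshold, and Teleport never lets a requester review their own request. Because the privileged role is never assigned directly to a user, there is no standing write privilege to audit or revoke.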

Teleport eliminated hundreds of manual approvals every week. Security and DB teams finally regained their time because access became peer-approved instead of bottlenecked.

Removal of All Permanent Database Credentials
Using Teleport Database Access, Exness eliminated all local DB credentials. Development teams now execute their own database write operations under Teleport-mediated, JIT-approved sessions, freeing the DB team from dozens of weekly manual tasks.

Unified Access Provisioning
Teleport became the first security-owned, unified platform to grant access across Kubernetes, servers and databases — removing the need to orchestrate changes among other internal departments.

More Secure CI/CD Push Model
Teleport Machine ID replaced permanent Kubernetes tokens used in GitLab pipelines, enabling secure short-lived credentials for push-based deployment workflows.
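The Machine ID integration mentioned here and under Key Architectural Choices replaces a stored, permanent Kubernetes token with an identity the pipeline proves at run time. The following is an added example, not Exness's pipeline or Teleport's published sample: the three files involved, all assumptions as to host names, project path, cluster name and bot name.

```yaml
# Added example, not Exness's or Teleport's published configuration.
# Host names, project path, cluster name and bot name are assumptions.

# --- token.yaml: created once by an admin with `tctl create -f token.yaml`.
# The token carries no secret. A job proves its identity with the OIDC ID
# token GitLab mints for it, and only jobs matching `allow` may join.
kind: token
version: v2
metadata:
  name: gitlab-deploy-bot
spec:
  roles: [Bot]
  join_method: gitlab
  bot_name: gitlab-deploy        # created with `tctl bots add gitlab-deploy --roles=<deploy-role>`
  gitlab:
    domain: gitlab.example.com
    allow:
      # Only pipelines for the main branch of the deployment repo qualify;
      # a fork, a feature branch or another project cannot obtain the identity.
      - project_path: platform/k8s-deployments
        ref: main
        ref_type: branch
---
# --- tbot.yaml: run inside the job. oneshot means fetch credentials, write
# the kubeconfig, exit; nothing renewable is left behind on the runner.
version: v2
proxy_server: teleport.example.com:443
onboarding:
  join_method: gitlab
  token: gitlab-deploy-bot
oneshot: true
storage:
  type: memory
outputs:
  - type: kubernetes
    kubernetes_cluster: prod-eu-1
    destination:
      type: directory
      path: /tmp/tbot-out
---
# --- .gitlab-ci.yml (relevant job only): request the ID token, run tbot,
# then deploy with the short-lived kubeconfig it wrote.
deploy-prod:
  stage: deploy
  id_tokens:
    TBOT_GITLAB_JWT:
      aud: teleport.example.com    # assumed: must match the Teleport cluster name
  script:
    - tbot start -c tbot.yaml
    - export KUBECONFIG=/tmp/tbot-out/kubeconfig.yaml
    - kubectl apply -f manifests/
  rules:
    - if: $CI_COMMIT_BRANCH == "main"
```

Nothing in the repository or the CI variable store is a credential: the `gitlab-deploy-bot` token is a join policy, and the only secret-like material is the per-job ID token GitLab issues, which Teleport validates against `domain` and `allow` before minting a short-lived certificate for the bot. Revoking the pipeline's access is a change to the Teleport role or token, not a token rotation across projects, and every `kubectl` call made with that kubeconfig appears in Teleport's audit log under the bot identity.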

Elimination of Shadow Access Paths
Security now enforces Teleport as the exclusive access method for several types of infrastructure assets, with SOC alerts triggered whenever bypass attempts occur. This significantly elevated auditability and reduced risks.

Stronger Compliance Posture
Exness continues to demonstrate compliance with global standards such as PCI DSS, SOC 2, and ISO 27001, with Teleport providing the fine-grained auditability, JIT controls, and identity-driven access required in regulated FinTech environments.

Future Plans

Exness plans to deepen its Teleport deployment by:

  • Exploring additional asset types, e.g. Vertica database
  • Working toward more granular logic of Teleport “deny” policy rules and managed sessions
  • Seeking licensing models better aligned with Kubernetes cluster lifecycles
  • Evaluating Windows access once agent privilege requirements and RDP limitations improve

Teleport remains a foundational component of Exness’ long-term infrastructure security roadmap.

Key Takeaways

Before Teleport: Manual workflows, fragmented access tooling, permanent credentials, shadow access paths, operational bottlenecks.
After Teleport: Unified, identity-driven access across critical assets; team-based JIT; reduced operational load; stronger security posture; improved auditability.
Impact: Faster incident response, elimination of credential sprawl, more secure CI/CD pipelines, and a scalable foundation for rapid global growth.
Looking Ahead: Continued integration of assets, improved logic of K8s “deny” rules and managed sessions, and licensing optimization.

HQ

Cyprus

Industry

Global (outside of the U.S.)*

Mission

Exness is a global FinTech company providing advanced trading technology and financial services solutions across multiple regions, with a strong emphasis on reliability, performance, and security.