Ant Group's Financial-Grade Cloud‑Native Security Architecture: Service Mesh, Secure Containers, and Confidential Computing
The article outlines Ant Group's end‑to‑end cloud‑native security architecture for the financial sector, detailing the SOFAMesh service‑mesh solution, Kata Containers secure‑container technology, and the SOFAEnclave confidential‑computing platform, together with performance results and open‑source links.
Ant Group reflects on fifteen years of technology innovation that supports over 1.2 billion users, and introduces a series of talks from the 2019 Hangzhou Cloud Expo that focus on cloud‑native security for finance.
As financial institutions move toward cloud-native platforms, security becomes the main obstacle to adoption; Ant Group therefore built a full-link, financial-grade cloud-native security architecture that spans hardware to software and system to application.
The architecture emphasizes trust: security‑derived trust is an invisible product that underpins all financial services, and the industry maintains a strict "Zero Fault" stance demanding high stability and security.
The key components presented are:
Cloud-Native Network Security, SOFAMesh: an Istio-based service mesh enhanced with SOFAMosn (a Golang data plane), the Mixer merged into the data plane, an improved Pilot, and support for SOFARPC/Dubbo. It provides policy-driven traffic control, end-to-end encryption, and real-time detection of traffic hijacking, all transparent to business developers.
Secure Containers, Kata Containers: a collaboration between Ant Group, Intel, and the OpenStack Foundation that isolates each pod in an independent sandbox with its own kernel, eliminating shared-kernel risk. Recent improvements include shimv2, virtiofs, Firecracker, and a Rust-based agent, which dramatically reduce memory and CPU overhead.
Confidential Computing, SOFAEnclave: middleware built on trusted execution environments (Intel SGX, ARM TrustZone) that isolates sensitive workloads inside enclaves. It comprises Occlum LibOS, SOFAst, and KubeTEE, enabling multi-process enclave execution and large-scale deployment.
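The Kata Containers item above describes per-pod sandboxing but not how a workload requests it. The following is an added example, not configuration from the Ant Group article: a Kubernetes RuntimeClass that maps to the Kata runtime handler, plus a pod that opts into it. The handler name, node label, overhead figures, namespace and image are assumptions to be matched against the cluster's own CRI configuration.

```yaml
# Added example, not from the Ant Group article. The handler name "kata",
# the node label and the overhead figures are assumptions; take the real
# values from the containerd/CRI-O runtime configuration on your nodes.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: kata-sandboxed
handler: kata                    # must match the runtime handler registered with the CRI
overhead:
  podFixed:                      # charged to the pod so the scheduler accounts for the guest VM
    memory: "160Mi"              # assumed guest kernel + agent overhead
    cpu: "250m"
scheduling:
  nodeSelector:
    katacontainers.io/kata-runtime: "true"   # assumed label on Kata-capable nodes
---
apiVersion: v1
kind: Pod
metadata:
  name: payment-worker
  namespace: finance             # assumed namespace
spec:
  runtimeClassName: kata-sandboxed   # without this line the pod shares the host kernel
  securityContext:
    runAsNonRoot: true
  containers:
    - name: app
      image: registry.example.com/payment-worker:1.0   # placeholder image
      resources:
        limits:
          memory: "512Mi"
          cpu: "1"
```

Once the pod is Running, `kubectl -n finance exec payment-worker -- uname -r` should report the Kata guest kernel rather than the node's kernel; if the two versions match, the RuntimeClass was not honoured and the pod is still running on the shared host kernel.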
Ant Group has open‑sourced SOFAMesh (https://github.com/sofastack/sofa-mesh) and contributed Kata Containers to the community, aiming to make secure containers a cloud‑native standard.
Performance data shows that deploying SOFAMesh across more than 100,000 containers added only about 5% CPU and under 0.2 ms of latency, while some services saw a 7% latency reduction after mesh adoption.
All these security components are integrated into a comprehensive, end‑to‑end cloud‑native security stack built on Alibaba Cloud and Kubernetes, with the goal of providing trustworthy, high‑performance financial services.
AntTech