Security at scale: Plaid’s journey to creating a key management system

What's this blog post about?

Plaid's journey to creating a key management system is a story of scalability, cost efficiency, self-serve empowerment, and operational excellence. Building an internal Key Management System (KMS) was crucial for managing sensitive data at scale, as it enabled the business to stay secure while preparing for future growth. By leveraging cryptography and overcoming challenges such as vendor-imposed limits and recurring expenses, Plaid's Security team designed and now operates a scalable KMS that lets engineers use secure solutions independently. The system uses gRPC, YAML files, and an SQL database, and relies on AWS KMS as its root of trust. With Plaid KMS, engineers can provision long-term keys, define access control configurations, and integrate the client into their services without intervention from the Security team. Keeping the system highly available and performant requires operational excellence, and the team has faced challenges such as workload segregation, optimized API usage, and legacy migrations. Through its journey, Plaid learned valuable lessons about ownership, migration strategy, and the importance of collaboration between service owners and the migrating team.

Company
Plaid

Date published
Dec. 19, 2024

Author(s)
Shuaiwei Cui

Word count
1619

Language
English

Hacker News points
None found.


By Matt Makai. 2021-2024.