Biopharma firm secures microservices platform against critical risks
A major biopharma firm partnered with Modus Create to standardize and strengthen security across its serverless microservices platform. The platform powered patient-facing forms and internal applications in more than 100 countries, but shared credentials, uneven defenses, and duplicate network paths put patient data and compliance at risk. Through a phased security program, the firm eliminated all critical vulnerabilities and demonstrated that enterprise-grade security can be achieved without slowing down innovation.
Our work involved
- Security assessment and roadmap
- Cloudflare integration with API Gateway
- AWS WAF v2 rule enforcement
- Amazon DynamoDB encryption
- Amazon CloudFront distribution consolidation
- Amazon Cognito implementation with MFA
Few industries balance innovation and responsible security as tightly as life sciences. Each digital innovation holds the promise of faster therapies, more efficient trials, and better patient outcomes. But every new platform also widens the attack surface and attracts greater regulatory scrutiny.
In biopharma, the stakes are particularly high. A single security breach costs more than $4.4 million on average. Yet, the real damage comes in eroded patient trust and disrupted scientific progress.
For one of the world’s largest biopharmaceutical companies, the risks had become too great to ignore. Its digital ecosystem spanned 100+ countries, powering everything from patient-facing applications to critical research platforms. The company’s shared serverless microservices platform gave developers speed and flexibility. But a major security concern was brewing behind the scenes.
Challenge
Fragmented and inconsistent security standards
The microservices platform provided a standardized infrastructure for web forms and supporting services to the company’s internal teams and external partners. This meant the platform processed both personally identifiable information (PII) and protected health information (PHI). As the platform scaled, the company’s leadership recognized three critical challenges:
- Fragmented tooling created vulnerabilities: Different teams had adopted their own security practices, leaving gaps and vulnerabilities across the microservices platform.
- Shared credentials limited accountability: Multiple developers often used the same login credentials, limiting auditability and accountability.
- Infrastructure sprawl increased complexity: Thousands of Amazon CloudFront distributions had proliferated across the platform, many duplicating one another and adding unnecessary complexity.
It was clear that incremental fixes would not suffice. Therefore, the biopharma company got in touch with Modus Create to strengthen the platform security and establish consistent standards across the organization.
Solution
Turning a patchwork of fixes into a secure platform
Our experts worked closely with Amazon Web Services (AWS) and the biopharma firm to standardize security across the shared microservices platform. They were especially careful not to disrupt existing processes or slow down ongoing development. That’s why the problem was tackled in a deliberate sequence, starting at the edge and working inward, before simplifying infrastructure and unifying oversight.
Phase 1: Closing gaps at the edge
The first priority for the team was consistent perimeter defense. Our team integrated Cloudflare with Amazon API Gateway and applied AWS WAF v2 at the stage level. This ensured that every request passed through managed rule sets, shutting down bypass paths and eliminating uneven protections across environments.
Phase 2: Building resilience into data
The focus then shifted to workloads and storage. Our team ran application services as AWS Lambda functions, each operating with least-privilege execution roles. Amazon DynamoDB provided encrypted persistence with 35-day point-in-time recovery, ensuring compliance while protecting patient data against loss or corruption.
Phase 3: Cutting complexity out of the network
With the edge and core secured, the team turned its focus to the network footprint. We consolidated thousands of legacy Amazon CloudFront distributions, removing redundant paths and simplifying management. This created a leaner and more maintainable infrastructure with fewer weak spots to defend.
Phase 4: Unifying monitoring and strengthening identity
Finally, the team centralized oversight and reinforced accountability. Using AWS Security Hub, we aggregated findings from Amazon GuardDuty, AWS Config, and planned Amazon Inspector scans into the existing security information and event management workflows, giving security teams a single view of risk.
Amazon Cognito replaced shared credentials with project-scoped role-based access and multi-factor authentication, tightening access controls. The team codified infrastructure through AWS CloudFormation and AWS Serverless Application Model (SAM), making every control versioned, reviewable, and repeatable.
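Because the controls from Phases 1 and 2 live in templates, they can be checked before deployment. The sketch below is an added example, not code from the project described here: it audits a constructed CloudFormation template (already parsed into a dict) for stage-level WAF v2 associations, DynamoDB encryption and point-in-time recovery, and wildcard IAM grants. It assumes raw CloudFormation resource types, literal stage names, and a policy of requiring explicit KMS encryption.

```python
import json

# Constructed sample: a CloudFormation template already parsed into a dict.
TEMPLATE = {"Resources": {
    "FormsTable": {"Type": "AWS::DynamoDB::Table", "Properties": {
        "SSESpecification": {"SSEEnabled": True},
        "PointInTimeRecoverySpecification": {"PointInTimeRecoveryEnabled": False}}},
    "ProdStage": {"Type": "AWS::ApiGateway::Stage", "Properties": {"StageName": "prod"}},
    "DevStage": {"Type": "AWS::ApiGateway::Stage", "Properties": {"StageName": "dev"}},
    "ProdWaf": {"Type": "AWS::WAFv2::WebACLAssociation", "Properties": {
        "WebACLArn": {"Fn::GetAtt": ["EdgeAcl", "Arn"]},
        "ResourceArn": {"Fn::Sub":
            "arn:aws:apigateway:${AWS::Region}::/restapis/${Api}/stages/prod"}}},
    "FormsFnRole": {"Type": "AWS::IAM::Role", "Properties": {"Policies": [{
        "PolicyName": "inline", "PolicyDocument": {"Statement": [
            {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}]}}]}},
}}

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit(template):
    """Return sorted (logical_id, finding) pairs for controls missing from the template."""
    res = template.get("Resources", {})
    findings = []
    # Text of every WAF association target; intrinsic functions are flattened via JSON.
    waf_targets = [json.dumps(r.get("Properties", {}).get("ResourceArn", ""))
                   for r in res.values()
                   if r.get("Type") == "AWS::WAFv2::WebACLAssociation"]
    for name, r in res.items():
        kind, props = r.get("Type"), r.get("Properties", {})
        if kind == "AWS::DynamoDB::Table":
            if not props.get("SSESpecification", {}).get("SSEEnabled"):
                findings.append((name, "no explicit KMS encryption"))
            pitr = props.get("PointInTimeRecoverySpecification", {})
            if not pitr.get("PointInTimeRecoveryEnabled"):
                findings.append((name, "point-in-time recovery off"))
        elif kind == "AWS::ApiGateway::Stage":
            # Suffix match so that stage "pro" is not satisfied by ".../stages/prod".
            marker = "/stages/%s" % props.get("StageName")
            if not any(t.rstrip('"}').endswith(marker) for t in waf_targets):
                findings.append((name, "stage has no WAF v2 association"))
        elif kind == "AWS::IAM::Role":
            for pol in props.get("Policies", []):
                for st in as_list(pol.get("PolicyDocument", {}).get("Statement", [])):
                    actions = as_list(st.get("Action", []))
                    wild = [a for a in actions if a == "*" or a.endswith(":*")]
                    if st.get("Effect") == "Allow" and (
                            wild or "*" in as_list(st.get("Resource", []))):
                        findings.append((name, "wildcard in Allow statement"))
    return sorted(findings)
```

Run in CI against each rendered template, a non-empty result from `audit` can fail the build, so a stage that bypasses the WAF never reaches an environment.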
What began as a patchwork of controls transformed into a trusted platform, and the benefits were evident across both operations and security outcomes.
Impact
Complete mitigation of critical risks across the microservices platform
The project was completed in just four months. Its success was demonstrated by the fact that external penetration testing across multiple production services found zero critical or high-risk vulnerabilities. The operational benefits were equally significant:
- 90% reduction in network infrastructure code, simplifying the environment and reducing opportunities for error.
- Security automation closed gaps that had previously required manual oversight.
- Developers continued to move at speed, using standardized secure patterns that allowed new projects to launch without reinventing security controls.
Due to the success of the project, the biopharma company is extending the security model across new platforms, adopting AWS Control Tower for environment segregation and Amazon Macie for automated data classification, and preparing Amazon Inspector for Lambda functions to strengthen vulnerability management. The effort has evolved into a repeatable enterprise standard, proving that robust security can advance alongside digital innovation in life sciences.