Mercury offers radically different banking*. Unlike traditional banking that simply holds money, Mercury merges banking with software built for precision and speed to help entrepreneurs accomplish everything they want with their money. With banking, credit cards*, and financial software, Mercury helps more than 200K ambitious companies build great things.
Wanted: a great user experience and granular access controls
When Head of Information Security Branden Wagner first joined the team, Mercury was using a traditional VPN to access internal shared resources, including those hosted on AWS. As Mercury’s business and team grew, it became apparent that the existing VPN could not scale with the business. As Branden said, “Its user experience made it hard to manage. As the team grew, we needed the ability to lock down resources based on roles and groups. The VPN lacked the capabilities to enforce this level of micro-segmentation across the network.”
Mercury started searching for a replacement, focusing on solutions providing zero-trust access controls. He added, “At the time, our infrastructure team was six people. They were responsible for maintaining our production infrastructure, keeping our network online, and managing the VPN. We evaluated many of the major players, but quickly realized they weren’t a good fit. They aren’t very user-friendly and would require dedicated teams to maintain. We couldn’t put that load on our team.”
Interoperability across any infrastructure
Beyond the concerns of increasing the team’s overhead, Mercury wanted a solution that also improved the experience for all users. The ease of use of Tailscale made it stand out in a crowded field. The team at Mercury created a tailnet for the entire company within days. They streamlined infrastructure provisioning using existing Terraform workflows, set up access control lists (ACLs) to lock and restrict access based on a user’s identity, role, and group, and centralized management of their clients within the GUI.
As Tailscale became available to new teams, subnet routers became a critical piece in building trust. Branden recounted, “As we incrementally rolled out Tailscale throughout our network, we used subnet routers to connect resources securely while funneling that traffic through our AWS firewalls. This helped build familiarity with admins new to Tailscale.”
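As an added example, not Mercury’s or Tailscale’s own configuration, the following constructed Tailscale policy file (HuJSON) shows the pattern described in the two paragraphs above: groups and tags express role, ACL rules are default-deny, routes advertised by tagged subnet routers are auto-approved, and policy tests guard the file against regressions. All identities, tags and the 10.20.0.0/16 VPC range are placeholders.

```jsonc
// Constructed Tailscale policy file (HuJSON). Identities, tags and subnets are placeholders.
{
  // Map users to roles once; ACL rules then reference the role, not the person.
  "groups": {
    "group:infra": ["alice@example.com", "bob@example.com"],
    "group:eng":   ["carol@example.com"],
  },

  // Only infra may apply these tags to machines (a tag is the "role" of a server).
  "tagOwners": {
    "tag:prod":          ["group:infra"],
    "tag:staging":       ["group:infra"],
    "tag:subnet-router": ["group:infra"],
  },

  // Routes advertised by a subnet router carrying tag:subnet-router are approved
  // automatically, so a Terraform-provisioned router needs no manual console step.
  "autoApprovers": {
    "routes": {
      "10.20.0.0/16": ["tag:subnet-router"],
    },
  },

  // Anything not matched by a rule here is denied; there is no implicit allow.
  "acls": [
    // Infra reaches production and the routed VPC range on admin ports only.
    {"action": "accept", "src": ["group:infra"], "dst": ["tag:prod:22,443", "10.20.0.0/16:22,443"]},
    // Engineers get HTTPS to staging; no SSH, no production, no VPC.
    {"action": "accept", "src": ["group:eng"],   "dst": ["tag:staging:443"]},
  ],

  // Tailscale SSH: infra may log in as non-root users on prod, re-authenticating per session.
  "ssh": [
    {"action": "check", "src": ["group:infra"], "dst": ["tag:prod"], "users": ["autogroup:nonroot"]},
  ],

  // Policy tests run whenever the file is saved; a failing test rejects the change.
  "tests": [
    {"src": "carol@example.com", "accept": ["tag:staging:443"], "deny": ["tag:prod:22", "10.20.1.10:443"]},
    {"src": "alice@example.com", "accept": ["tag:prod:22", "10.20.1.10:443"], "deny": ["tag:staging:22"]},
  ],
}
```

The `tests` section is what keeps the file safe to manage through code review: a change that accidentally grants engineers SSH to production fails at save time rather than in production.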
As an added bonus, Tailscale has various resources on how to integrate Tailscale with NixOS. Mercury had already adopted NixOS to help build systems and manage packages. “The number of vendors that supported NixOS was very limited. Tailscale stood out as one of the few that had dedicated resources on how to set up Tailscale with NixOS. This made it easy for our teams to test before deciding to roll out.”
A shared approach to safeguarding data
Mercury has a unique approach when it comes to security. “We try to be a transparent security department. We only collect the absolutely necessary pieces of data that are required to keep the business secure while maintaining privacy.” Mercury also has a privacy portal, where employees can see the data that's been collected about them and their devices. Before joining Mercury, Branden served in the US Navy. Those experiences informed his unique perspective. By protecting the privacy of individual users, you can create a safer overall enterprise.
“In the military, we captured every packet we could. It skyrocketed our SIEM ingest into the 1000s of terabytes. Despite the high costs, the return was minimal, as that data provided little investigative purpose.” This data can contain sensitive information like user data or login credentials that could be exploited to elevate privileges and infiltrate entire networks.
Tailscale was designed to encrypt all internal traffic, in transit and at rest. Each node generates a public/private key pair, and the private key never leaves the node, so only that node can encrypt or decrypt its packets. Tailscale cannot view or store the content of your packets. As a result, only configuration and network flow logs can be streamed to SIEMs to aid in security investigations. “I don’t actually need to see the details of what actual activity happened, just the metadata on the connection itself. It tells me who connected, how many gigabytes they transferred, and what systems they accessed,” shared Branden.
The right partner for every stage of growth
“When I joined Mercury, there were 240 people. Today, we have over 1000 employees. Tailscale has been a great partner and has done a good job of security without overcomplicating.” Another added benefit is Mercury’s ability to cut down drastically on their onboarding. “Before we had hour-long sessions with new hires to train them on the existing VPN. Now we have a one-pager that gives them instructions on how to get started.”
That change reshaped how the infrastructure team operates. Instead of being bogged down by onboarding, maintenance, and constant troubleshooting, they’re now free to focus on core objectives — because Tailscale just works as they scale.
*Mercury is a financial technology company, not a bank. Banking services provided through Choice Financial Group and Column N.A., Members FDIC. The IO Card is issued by Patriot Bank, Member FDIC, pursuant to a license from Mastercard®.
