Scratchpay
Scratchpay Security best practices and well-built architecture on GCP
Security best practices and well-built architecture on GCP
Industry
Bank & Financial Institutions
Technology
CASE STUDY scratchpay
Scratchpay is a financial service provided by Scratch Financial, Inc. hosting their workloads on Google Cloud Platform (GCP) Public Cloud infrastructure. Scratchpay is a US startup providing loans to private people for medical care (initially from pet and now extended to person). The company is fully integrated on GCP and having a support plan and services from Google.
Industry:
Bank & Financial Institutions
Technology:
Google Cloud
INTRODUCTION – SCOPE OF WORK
Scratchpay is a financial service provided by Scratch Financial, Inc. hosting their workloads on Google Cloud Platform (GCP) Public Cloud infrastructure. Scratchpay is a US startup providing loans to private people for medical care (initially from pet and now extended to person). The company is fully integrated on GCP and having a support plan and services from Google.
Scratchpay is hosting all services in GCP Cloud and the solution has been publicly in production for several years. The company is continuously improving the service offering. Many different GCP services are in active use, and others are being evaluated.
Scratchpay has an expert in-house team working on software development, data analysis, and business development. The company also has in-house team members specialized in information security, however, there are no dedicated GCP or other cloud computing experts in the team. Always interested in improving their use of GCP services following best practices and with a focus on security and optimization, Scratchpay was looking for a Security Assessment conducted by a GCP expert consultant. Since Scratchpay has a global team, including several members in Vietnam, it was considered advantageous to collaborate with a local partner.
Renova Cloud, a GCP Partner in Vietnam, was chosen by Scratchpay to evaluate and assess the existing GCP environment for best practices and well-built architecture methodologies. For the purposes of this assessment, security of the in-scope GCP projects was the main focus.
The project goal was to review the selected GCP Projects of Scratchpay existing GCP environment for the best practices, in particular fully-security compliance to ensure meet financial services and data protection standards. The result of the project was agreed to be an assessment document reviewing the findings, analysis and providing actionable insight of detected improvement suggestions, with detailed implementation guidelines.
SOLUTION – RENOVA CLOUD APPROACH
Together with Scratchpay team, Renova Cloud’s consultants identified the main workloads in need of a security assessment. A number of Google Cloud Projects were chosen as the subject of the assessment. Scratchpay’s infrastructure in the cloud is hosted under one GCP Organization and divided logically into a large number of GCP Projects, each having a focus on specific role of the service and environment. As an example, one project would be used to host the web frontend in production environment, while another project would be used for the same service in staging environment. This is a best practice to achieve a separation of concerns.
The projects jointly selected as subject of assessment are mostly production environments, highlighting the need to ensure security guidelines are followed in the actual live production sites and services. Besides, staging environments were also selected for the assessment, to ensure there is an organization-wide understanding of security also reflected in non-production environments, even the data and transactions managed there is of less sensitive nature.
For each GCP Project of interest, Renova Cloud conducted assessment of following topics:
- Identity Security focusing on IAM users and service accounts roles and permissions
- Network Security covering network isolation, firewall rules, DNS and VPN connections
- Infrastructure Security on compute and storage workloads policies, also Kubernetes
- Application Security access of applications and database, service credentials
- Data Security assessing data access and protection both at-rest and in-transit
- Vulnerability Scan to verify the status of any common vulnerabilities in the workloads
- Web Application Firewall Analysis assessing readiness against common exploits
- Logging and Monitoring Configuration of all infrastructure and error reporting
- Overall Review and Summary
The results were collected into a structured final review document shared with the customer.
Renova Cloud took a comprehensive approach utilizing industry standards, in particular the well-regarded CIS – Center for Internet Security benchmarks for GCP and GKE / Kubernetes to assess the compliance status of the reviewed systems. These benchmarks were used in a structured manner to cover each one of the aforementioned security topics.
The nature of Scratchpay’s workloads and GCP services used is cloud-native. The frontend solutions are largely based on Kubernetes clusters running multiple microservices with relational database backends, and a variety of supporting services such as file storage and search services. There are also a number of serverless functions supporting ad hoc and rapidly scaling workloads. As a financial service provider, Scratchpay puts special attention to the management of payments, and handles these in separate isolated projects which only share services with other projects when necessary. Scratchpay also runs an advanced analytics and reporting workflow which is managed in a separate project that aggregates data from other projects for BigQuery use.
After analyzing the inventory as well as business and technical contents of the system, Renova Cloud summarize the high level view and GCP services used as below:
Following the principles of least privilege, Renova Cloud conducted the assessment as read-only users, utilizing the Security Auditor predefined role in each GCP project in scope. Additionally, some relevant 3rd party services were included in the scope, in particular CloudFlare and the open-source vulnerability assessment scanning tools already used by Scratchpay.
RESULTS & DISCUSSION
Having completed the review according to CIS benchmarks and Renova Cloud’s own process, the team could confidently state the results: no serious security issues were found in Scratchpay’s systems. Having a structured security review find this state confirmed that the approach to cloud security taken by Scratchpay has been successful.
At the same time, the results unveiled a number of areas where improvement is possible, and gave Scratchpay actionable insights in how to achieve an even higher level of security for their workloads. Some of the general highlights of the confidential final report:
- Monitoring metrics collection needs be expanded and made in a more detailed manner
- Patching must be automated for all VMs to avoid any security risks
- Logging of all levels of access and anomalies needs to be improved
- Key policies must be documented and streamlined according to best practices
- Boundary to the public internet needs to be limited to reduce potential threat surface
- Any 3rd party tools used for vulnerability scanning need to be frequently checked
Renova Cloud presented the final report to Scratchpay including the actionable insights suggested to be taken by Scratchpay to further improve their security. Scratchpay swiftly took action and is now following the best practices as proven by the CIS benchmarks.
All of the above mentioned items are common issues which many companies face and need to address in their cloud security posture. Automation, increasing visibility by following monitoring and logging best practices, and reducing the potential threat surface are tasks for each and every organization hosting their workloads on the cloud. A security assessment conducted by an experienced GCP Partner company such as Renova Cloud is an effective way to fix this.