
CASE STUDY: Scratchpay

Scratchpay is a financial service provided by Scratch Financial, Inc., which hosts its workloads on Google Cloud Platform (GCP) public cloud infrastructure. Scratchpay is a US startup providing loans to private individuals for medical care (initially veterinary care for pets, now extended to care for people). The company is fully integrated on GCP and has a support plan and services from Google.

SCRATCHPAY

Industry: Bank & Financial Institutions

Technology: Google Cloud

INTRODUCTION - SCOPE OF WORK


Scratchpay hosts all of its services on GCP, and the solution has been publicly in production for several years. The company is continuously improving its service offering. Many different GCP services are in active use, and others are being evaluated.

Scratchpay has an expert in-house team working on software development, data analysis, and business development. The company also has in-house team members specialized in information security; however, there are no dedicated GCP or other cloud computing experts in the team. Always interested in improving its use of GCP services by following best practices, with a focus on security and optimization, Scratchpay was looking for a security assessment conducted by a GCP expert consultant. Since Scratchpay has a global team, including several members in Vietnam, collaborating with a local partner was considered advantageous.

Renova Cloud, a GCP Partner in Vietnam, was chosen by Scratchpay to evaluate and assess the existing GCP environment for best practices and well-built architecture methodologies. For the purposes of this assessment, security of the in-scope GCP projects was the main focus.

The project goal was to review selected GCP Projects in Scratchpay's existing GCP environment against best practices, and in particular against security compliance requirements, to ensure they meet financial services and data protection standards. The agreed deliverable was an assessment document reviewing the findings and analysis and providing actionable improvement suggestions, with detailed implementation guidelines.

SOLUTION - RENOVA CLOUD APPROACH

Together with the Scratchpay team, Renova Cloud's consultants identified the main workloads in need of a security assessment. A number of Google Cloud Projects were chosen as the subject of the assessment. Scratchpay's cloud infrastructure is hosted under one GCP Organization and divided logically into a large number of GCP Projects, each with a specific role in terms of service and environment. As an example, one project hosts the web frontend in the production environment, while another project hosts the same service in the staging environment. This is a best practice for achieving separation of concerns, since IAM bindings, firewall rules and service accounts are scoped per project.

The projects jointly selected as the subject of the assessment are mostly production environments, reflecting the need to ensure that security guidelines are followed in the actual live production sites and services. Staging environments were also selected for the assessment, to ensure that the organization-wide understanding of security is also reflected in non-production environments, even though the data and transactions managed there are of a less sensitive nature.

For each GCP Project of interest, Renova Cloud conducted an assessment of the following topics:

  • Identity Security, focusing on the roles and permissions of IAM users and service accounts
  • Network Security, covering network isolation, firewall rules, DNS and VPN connections
  • Infrastructure Security, covering policies for compute and storage workloads as well as Kubernetes
  • Application Security, covering access to applications and databases and the handling of service credentials
  • Data Security, assessing data access and protection both at rest and in transit
  • Vulnerability Scan, to verify the status of common vulnerabilities in the workloads
  • Web Application Firewall Analysis, assessing readiness against common exploits
  • Logging and Monitoring Configuration of all infrastructure, including error reporting
  • Overall Review and Summary

The results were collected into a structured final review document shared with the customer.

Renova Cloud took a comprehensive approach based on industry standards, in particular the well-regarded Center for Internet Security (CIS) Benchmarks for Google Cloud Platform and for GKE / Kubernetes, to assess the compliance status of the reviewed systems. These benchmarks were used in a structured manner, mapping their individual controls onto each of the security topics listed above.
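To make the Identity Security part of such a review concrete, here is an added example (not Renova Cloud's or Scratchpay's own tooling) of the kind of check a CIS-based IAM review runs against a project's IAM policy. It takes the JSON that `gcloud projects get-iam-policy PROJECT --format=json` prints and flags bindings that fail several section-1 controls of the CIS Google Cloud Platform Foundation Benchmark (control numbers as in benchmark v1.1; other versions number them differently). The policy embedded in the script is a constructed sample, and the domain, project and account names are hypothetical:

```python
"""CIS-style review of a GCP project IAM policy (added example, not Renova
Cloud's or Scratchpay's code).

Reads the JSON printed by `gcloud projects get-iam-policy PROJECT --format=json`
and flags bindings failing a few section-1 controls of the CIS Google Cloud
Platform Foundation Benchmark (numbers as in v1.1). The policy below is a
constructed sample; the project, domain and account names are hypothetical.
"""
import json
import sys

SAMPLE_POLICY = json.dumps({
    "version": 1,
    "etag": "BwXexample",
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com", "user:bob@gmail.com"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:api@demo-prod.iam.gserviceaccount.com"]},
        {"role": "roles/iam.serviceAccountUser",
         "members": ["group:devs@example.com", "user:carol@example.com"]},
        {"role": "roles/iam.serviceAccountAdmin",
         "members": ["user:carol@example.com"]},
        {"role": "roles/iam.securityReviewer",
         "members": ["user:auditor@example.com"]},
        {"role": "roles/cloudkms.admin",
         "members": ["user:alice@example.com"]},
        {"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
         "members": ["user:alice@example.com"]},
    ],
})

CORPORATE_DOMAINS = {"example.com"}          # hypothetical corporate identity domain
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
IMPERSONATION_ROLES = {"roles/iam.serviceAccountUser",
                       "roles/iam.serviceAccountTokenCreator"}
# Role pairs that one principal should not hold together (separation of duties).
SOD_PAIRS = {
    "1.8 SA separation of duties": ("roles/iam.serviceAccountAdmin",
                                    "roles/iam.serviceAccountUser"),
    "1.11 KMS separation of duties": ("roles/cloudkms.admin",
                                      "roles/cloudkms.cryptoKeyEncrypterDecrypter"),
}


def is_admin_role(role):
    """Basic owner/editor roles and any predefined *Admin role count as admin."""
    return role in ("roles/owner", "roles/editor") or role.lower().endswith("admin")


def review_policy(policy_json):
    """Return (control, member, role) findings for a project-level IAM policy."""
    policy = json.loads(policy_json)
    findings = []
    roles_by_member = {}                      # aggregate roles per principal
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            roles_by_member.setdefault(member, set()).add(role)
            if member in PUBLIC_PRINCIPALS:   # anonymous / any-Google-account access
                findings.append(("public principal in project policy", member, role))
                continue
            kind, _, ident = member.partition(":")
            # 1.1: only corporate login credentials (no consumer accounts).
            if kind in ("user", "group") and ident.rsplit("@", 1)[-1] not in CORPORATE_DOMAINS:
                findings.append(("1.1 non-corporate identity", member, role))
            # 1.5: service accounts must not hold admin privileges.
            if kind == "serviceAccount" and is_admin_role(role):
                findings.append(("1.5 admin role on service account", member, role))
            # 1.6: no Service Account User / Token Creator at project level.
            if role in IMPERSONATION_ROLES:
                findings.append(("1.6 project-level SA impersonation", member, role))
    # Separation-of-duties checks need all roles of a principal, across bindings.
    for member, roles in roles_by_member.items():
        for control, pair in SOD_PAIRS.items():
            if roles.issuperset(pair):
                findings.append((control, member, " + ".join(pair)))
    return findings


def findings_by_control(findings):
    """Count findings per control, as for the summary table of a report."""
    counts = {}
    for control, _, _ in findings:
        counts[control] = counts.get(control, 0) + 1
    return counts


if __name__ == "__main__":
    # Real use: gcloud projects get-iam-policy PROJECT --format=json | python3 iam_review.py
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_POLICY
    for control, member, role in review_policy(raw):
        print(f"{control:40} {member:55} {role}")
```

A read-only auditing role is enough to fetch the policy, and nothing is modified, so the script can be run per project and its output pasted into the report. The separation-of-duties checks are the reason roles are aggregated per member: a principal that receives the KMS admin role and the crypto-key user role through two different bindings is only visible as a finding once the whole policy has been read.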

Scratchpay's workloads and the GCP services they use are cloud-native. The frontend solutions are largely based on Kubernetes clusters running multiple microservices with relational database backends, plus a variety of supporting services such as file storage and search services. There are also a number of serverless functions supporting ad hoc and rapidly scaling workloads. As a financial service provider, Scratchpay pays special attention to the management of payments, and handles these in separate isolated projects which share services with other projects only when necessary. Scratchpay also runs an advanced analytics and reporting workflow, managed in a separate project that aggregates data from other projects for use in BigQuery.

After analyzing the inventory as well as the business and technical contents of the system, Renova Cloud summarized the high-level view and the GCP services used in an architecture diagram.

[Architecture diagram not reproduced on this page; the only label recovered from it is "Cloudflare".]

Following the principle of least privilege, Renova Cloud conducted the assessment as read-only users, using the Security Auditor predefined role in each GCP project in scope; the role permits listing and inspecting configuration but not changing it, so the assessment could not alter any production setting. Additionally, some relevant third-party services were included in the scope, in particular Cloudflare and the open-source vulnerability scanning tools already used by Scratchpay.

RESULTS & DISCUSSION

Having completed the review according to the CIS benchmarks and Renova Cloud's own process, the team could confidently state the result: no serious security issues were found in Scratchpay's systems. Reaching this state through a structured security review confirmed that the approach to cloud security taken by Scratchpay has been successful.

At the same time, the results revealed a number of areas where improvement is possible, and gave Scratchpay actionable insights into how to achieve an even higher level of security for their workloads. Some of the general highlights of the confidential final report:

  • Monitoring metrics collection needs to be expanded and made more detailed
  • Patching must be automated for all VMs, so that known vulnerabilities are not left unpatched
  • Logging of all levels of access, and alerting on anomalies in those logs, needs to be improved
  • Key management policies must be documented and streamlined according to best practices
  • The boundary to the public internet needs to be narrowed to reduce the attack surface
  • Any third-party tools used for vulnerability scanning need to be checked and updated frequently
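The "boundary to the public internet" item above, like the Network Security topic of the assessment, comes down to questions such as which ingress firewall rules admit traffic from 0.0.0.0/0 and on which ports. Here is an added example (not Renova Cloud's or Scratchpay's code) of that check over the JSON that `gcloud compute firewall-rules list --format=json` prints. It implements CIS Google Cloud Platform Foundation Benchmark v1.1 controls 3.6 (SSH restricted from the internet) and 3.7 (RDP restricted from the internet) and also reports rules that allow every protocol from the internet; port ranges are evaluated, so a rule opening 3000-4000 is caught as exposing 3389, and disabled or egress rules are skipped. The rules embedded in the script are a constructed sample with hypothetical names:

```python
"""Review GCP VPC firewall rules for internet-exposed management ports
(added example, not Renova Cloud's or Scratchpay's code).

Reads the JSON from `gcloud compute firewall-rules list --format=json` and
flags enabled ingress rules open to 0.0.0.0/0 or ::/0 that reach SSH (22)
or RDP (3389), i.e. CIS GCP Foundation Benchmark v1.1 controls 3.6 and 3.7,
plus rules allowing every protocol from the internet. The rules below are a
constructed sample with hypothetical names.
"""
import json
import sys

INTERNET = {"0.0.0.0/0", "::/0"}
WATCHED_PORTS = {22: "3.6 SSH open to the internet",
                 3389: "3.7 RDP open to the internet"}

SAMPLE_RULES = json.dumps([
    {"name": "allow-ssh-anywhere", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-mgmt-range", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["3000-4000"]}]},
    {"name": "allow-all-internal", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["10.0.0.0/8"], "allowed": [{"IPProtocol": "all"}]},
    {"name": "allow-https", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
    {"name": "old-rdp-disabled", "direction": "INGRESS", "disabled": True,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
    {"name": "allow-any-from-internet", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
    {"name": "egress-all", "direction": "EGRESS", "disabled": False,
     "destinationRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
])


def port_spec_covers(spec, port):
    """True if a gcloud port spec ('22' or '3000-4000') includes the port."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def tcp_port_reachable(allowed_entry, port):
    """True if one 'allowed' entry of a rule admits traffic to a TCP port."""
    proto = allowed_entry.get("IPProtocol", "").lower()
    specs = allowed_entry.get("ports")
    if proto not in ("tcp", "all"):
        return False
    if not specs:                     # no port list means every port of the protocol
        return True
    return any(port_spec_covers(s, port) for s in specs)


def review_firewall(rules_json):
    """Return (control, rule name) findings for internet-exposed ingress rules."""
    findings = []
    for rule in json.loads(rules_json):
        if rule.get("direction") != "INGRESS" or rule.get("disabled"):
            continue
        if not INTERNET & set(rule.get("sourceRanges", [])):
            continue                  # not reachable from the internet
        for entry in rule.get("allowed", []):
            if entry.get("IPProtocol", "").lower() == "all":
                findings.append(("all protocols open to the internet", rule["name"]))
                continue              # reported once; SSH/RDP are implied
            for port, control in WATCHED_PORTS.items():
                if tcp_port_reachable(entry, port):
                    findings.append((control, rule["name"]))
    return findings


if __name__ == "__main__":
    # Real use: gcloud compute firewall-rules list --format=json | python3 fw_review.py
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RULES
    for control, name in review_firewall(raw):
        print(f"{control:40} {name}")
```

Rules that use source tags or service accounts instead of source ranges are not internet-facing and are correctly ignored here, but a complete review also has to account for rule priority: a higher-priority deny rule for the same ports can neutralize an allow rule this script reports, so each finding still needs to be confirmed against the full rule set before it goes into the report.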

Renova Cloud presented the final report to Scratchpay, including the actionable steps suggested for Scratchpay to further improve its security. Scratchpay swiftly took action and is now following best practices, as verified against the CIS benchmarks.

All of the above items are common issues which many companies face and need to address in their cloud security posture. Automation, increasing visibility by following monitoring and logging best practices, and reducing the attack surface are tasks for every organization hosting workloads in the cloud. A security assessment conducted by an experienced GCP Partner such as Renova Cloud is an effective way to identify and address them.
