PPRO (pronounced “p-pro”) is a leading fintech company that globalizes payment platforms for businesses, allowing them to offer more choice at the checkout and boost cross-border sales. Payment service providers, enterprises, and banks that run on PPRO’s infrastructure can launch payment methods faster, optimize checkout conversions, and reduce the complexities of managing multiple fund flows. Citi, PayPal, and Stripe are just some of the global enterprises that depend on PPRO to expand their platforms beyond borders.
It’s all made possible by a modern digital-payments infrastructure, engineered to process billions of payment transactions while maintaining the highest levels of security and data privacy protection. Building on a secure-by-design principle, PPRO’s information security framework ensures compliance with regulatory, legal, and technological best practices across the globe.
As a payments processor, PPRO must ensure compliance with a broad range of regulations spanning different industries and international borders. Maintaining robust systems and controls to combat fraud and attacks on customer infrastructure is a fundamental aspect of everything PPRO does. A single-second outage on the platform could lead to significant revenue loss, and a breach could damage the company’s reputation.
Katherine Garrod, PPRO’s chief information security officer, explains that “In order to meet the demands of our global financial services customers, PPRO must adhere to numerous global and regional standards including PCI/DSS, GDPR, the Commission de Surveillance du Secteur Financier, the Financial Conduct Authority, and the Monetary Authority of Singapore, among others.” Further demonstrating that the necessary controls are in place across all aspects of its operations, PPRO received ISO 27001 certification for its systems last year.
At the same time, development teams work on more than 150 applications, distributed across multiple sites around the world. Adding to the complexity, PPRO’s customers can choose from hundreds of integrated third-party components needed to support their e-commerce initiatives. Gaining a single view into the company’s security posture across all these teams was a major goal for PPRO.
And, of course, in a rapidly changing industry it’s critical that all of this happens without slowing down business productivity. Products at PPRO are updated frequently throughout the day, clusters scale up and down to meet changing demands, and new customer-facing applications go live on a regular basis.
Over the past five years, PPRO operations have moved aggressively from in-house data centers to a true cloud-native infrastructure built on Kubernetes, mostly running on AWS but with some applications on Microsoft Azure and Google Cloud Platform. The CI/CD pipeline is centered around Argo CD and GitLab, with images stored in Amazon ECR.
The move to containers triggered a fresh look at security to achieve the “situational awareness” necessary to meet customer expectations and support audit activities. Existing security tools lacked visibility into the more modern, complex, and dynamic environment, in terms of both configuration assurance and runtime controls.
PPRO first explored open source offerings as a potential solution and considered various options, including those from Aqua. In the end, given the time necessary to adapt something for their environment — and the resources needed to build, support, and maintain it — the team chose to go with a commercial solution.
Several legacy vendors claimed to have updated products to support cloud-native implementations. However, as Vinicius Ferreira, Security Engineering Manager at PPRO, put it, “Our team found that since they were not architected from the ground up to work with cloud-native applications, they lacked the necessary flexibility to support containerized workloads in a dynamic and elastic cloud environment.” Adding to the challenge were pricing models that didn’t match well with PPRO’s dynamic environment.
PPRO initially rolled out the Aqua solution on a custom-hosted instance, before Aqua’s release of a full software-as-a-service (SaaS) version. That early experience led the company to be an early adopter of the SaaS release, as it reduced the resources needed for updates. The PPRO team found Aqua’s Customer Success team to be incredibly helpful throughout the initial deployment and the migration to SaaS.
In an environment as complex as PPRO’s, there are always going to be thousands of vulnerabilities discovered at various stages from development through rollout to production. For most organizations, getting to a state of zero vulnerabilities is simply not realistic. “The challenge is to understand which ones represent real risk, which are most significant, and then putting in place the appropriate steps to mitigate that risk,” the PPRO team said. “Aqua provides the perfect tool to bridge the gap between the key stakeholders in development, operations, and security to have those conversations on an ongoing basis, in an efficient, productive way.”
Aqua prioritizes vulnerabilities based on numerous factors so that teams can quickly determine the ones to work on first, and where in the software development life cycle it makes the most sense to address them. Reports provide each team with the relevant threats to their specific applications or clusters. On a weekly basis, the teams meet to go over the key vulnerabilities, discussing which may not be applicable. Aqua helps the teams quickly reduce the number of issues requiring remediation actions by identifying vulnerabilities in components that aren’t in use. For example, code for Active Directory (AD) may have a known CVE, but if AD isn’t used in the application, the vulnerability may not pose a risk.
At those meetings, the security team can use filters to see which vulnerabilities are critical, then which of those are remotely exploitable, and finally which of those are present in running workloads. They can then agree on a plan based on security policies, whether that means fixing immediately, monitoring for malicious activity at runtime, or flagging the non-compliant resource.
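The triage funnel described above (drop findings in components the application never uses, then narrow by severity, remote exploitability and presence in a running workload, and map what remains to a remediation decision) is simple enough to show in code. The following is an added illustration, not Aqua’s or PPRO’s logic: the `Finding` fields, the sample findings and their `VULN-EXAMPLE-*` identifiers are constructed for this example, and the decision rules in `plan` are an assumed policy standing in for the security policies the team would actually apply.

```python
"""Vulnerability triage funnel: successive filters over scanner findings.

Added example. Field names, sample data and the decision policy are
assumptions made for illustration, not a real scanner's output format.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Finding:
    vuln_id: str                # constructed placeholder id, not a real CVE
    workload: str               # image or deployment the finding belongs to
    component: str              # affected package or library
    severity: str               # "critical" | "high" | "medium" | "low"
    remotely_exploitable: bool  # reachable over the network
    running: bool               # component present in a running workload
    in_use: bool                # component actually loaded by the application


# Constructed sample scanner output (not real CVEs or PPRO data).
SAMPLE_FINDINGS = [
    Finding("VULN-EXAMPLE-1", "checkout-api:1.4", "logging-lib", "critical", True, True, True),
    # Same image ships an AD client library that the app never loads.
    Finding("VULN-EXAMPLE-2", "checkout-api:1.4", "ad-client", "critical", True, True, False),
    Finding("VULN-EXAMPLE-3", "report-batch:2.0", "xml-parser", "critical", False, True, True),
    Finding("VULN-EXAMPLE-4", "legacy-web:0.9", "http-server", "critical", True, False, True),
    Finding("VULN-EXAMPLE-5", "checkout-api:1.4", "image-codec", "high", True, True, True),
    Finding("VULN-EXAMPLE-6", "checkout-api:1.4", "cli-helper", "low", False, True, True),
]

# The funnel: each stage narrows the output of the previous one.
STAGES: List[Tuple[str, Callable[[Finding], bool]]] = [
    ("component in use", lambda f: f.in_use),
    ("critical severity", lambda f: f.severity == "critical"),
    ("remotely exploitable", lambda f: f.remotely_exploitable),
    ("in running workload", lambda f: f.running),
]


def funnel(findings: List[Finding]) -> List[Tuple[str, List[Finding]]]:
    """Return (stage name, findings still remaining) after each filter."""
    remaining = list(findings)
    trail = []
    for name, keep in STAGES:
        remaining = [f for f in remaining if keep(f)]
        trail.append((name, remaining))
    return trail


def plan(finding: Finding) -> str:
    """Assumed policy (not PPRO's): map one finding to a remediation decision."""
    if not finding.in_use:
        return "dismiss: component not used by the application"
    if finding.running and finding.remotely_exploitable and finding.severity == "critical":
        return "fix immediately"
    if finding.running:
        return "monitor for malicious activity at runtime"
    return "flag non-compliant resource"


def triage(findings: List[Finding]) -> dict:
    """Decision per finding, keyed by the (constructed) vulnerability id."""
    return {f.vuln_id: plan(f) for f in findings}


if __name__ == "__main__":
    for name, left in funnel(SAMPLE_FINDINGS):
        print(f"{name:>22}: {len(left)} remaining")
    for vuln_id, decision in triage(SAMPLE_FINDINGS).items():
        print(f"{vuln_id}: {decision}")
```

Run stand-alone, the funnel reduces the six constructed findings to one that is critical, remotely exploitable, in use and running, while `triage` still records a decision for every finding so that the dismissed and deferred ones remain auditable rather than silently dropped.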
The time savings became obvious with the Log4J and Spring4Shell vulnerabilities: the first was disclosed before PPRO had deployed Aqua, and the second shortly after Aqua was implemented. When the first CVE was reported, the security team at PPRO took immediate action, writing scripts and running them against all known repositories. Creating and testing the script took hours, and then manually scanning all repositories was a daunting task.
Ferreira described the difference this way: “When Spring4Shell was reported, the team was notified automatically, and simply opened the dashboard and could immediately see all affected applications, essentially turning hours [or] days’ worth of work into a matter of a few minutes. Even better, key information on the vulnerability was already there, saving us significant research time on remediation.”
PPRO continues to find more features of Aqua, and more ways to use them, that add value in its environment. While scanning images for vulnerabilities, the security team discovered the ability to scan for secrets. Running a CIS benchmark on all Kubernetes nodes wasn’t part of the original purchase but is now part of normal operations hygiene. PPRO is also exploring the addition of Aqua’s Software Supply Chain Security.
For PPRO, being secure is a given in the world of financial services, but doing it well can yield a competitive advantage. PPRO customers appreciate that they can fully trust PPRO’s infrastructure, and engineers find satisfaction when security by design allows them to innovate at speed.