Privacy Best Practices Guide

The panel discussion consisted of three speakers - Ashwath Kumar, Staff Security Engineer at Razorpay; AVS Prabhakar, Chief Risk and Compliance Officer at Zeta; and Ankur Bhargava, Head of Product Security at PhonePe. The moderator leading the panel was K.K Mookhey, the founder of Network Intelligence.

The panelists lead the security teams at their respective organizations. The panel discussion focussed on various approaches to cybersecurity. The moderator started off the panel discussion by elaborating on what is driving companies to invest in cybersecurity and then opened up the debate to the panelists to speak of their experiences at their respective companies.

Key concerns

1. Ensuring speed and usability

• Ankur dove into the multiple arenas to handle when it comes to working with tech-based companies that focus on frictionless transactions and the background work that ensures maximum customer experience, ranging from the concerns of speed to security teams keeping up with agility and speed.
• Ashwath elaborated on how security teams need to strike a balance between usability and security, for when the former increases, the latter tends to drop, and this needs to be carefully tackled in order to make it easy for the developers involved in the process.

2. The need for visibility within Fintech Companies

• Prabhakar shed light on the need for visibility and the symmetric warfare that is at play within Fintech companies.

3. Steps that need to be taken in handling data security

• The panel further identified the steps involved in handling a data security problem, that is identifying all of the data sources, identifying the pieces of information that are sensitive, and going after the riskiest data source with the most exposure.
• Ashwath spoke of his experience with creating their own logging library that allows them to mask, encrypt and hash data. He shed light on the use of Semgrep as an open-source tool for finding security defects. This tool is used in the CICD Pipeline for scheduling scans and he also mentioned that they have written custom rules on Semgrep.

4. Shifting security left - To shift security left means to means to implement security measures during the entire developmental life cycle, rather than at the end of the cycle

• The panel then discusses the nuances involved in shifting security left and how data security has come up to speed, with regard to FinTech Companies today. Ankur elaborated on how the shift left mechanism has enabled the speed of security bugs and made identifying them quite easy in terms of identifying them early into the process.
• Elaborating on Semgrep, Ankur added that it is a tool that is picking up popularity and they’ve been writing up custom rules for the same.
• The panel threw light on the need for shifting left and the changes it is bringing to the table in terms of identifying and blocking dependencies.

5. Governance culture and awareness in FinTech companies

• In addition to the conversation in and around processes and tooling, Prabhakar, found it pertinent to bring his perspective on the question of governance culture and how awareness is necessary when it comes to understanding standard requirements.
• The governance culture today, he said, is such that nobody is under the obligation to let one know about their weak password policy, discrepancies in logging, etc, Prabhakar elaborates that there is a certain amount of awareness and sensitivity to data that comes along with the job that one needs to ingrain and keep in mind.

6. Tooling and Protection

• The panel fundamentally discusses the tooling involved in the data discovery exercise, some of the tools that the panelists mentioned was Macie - a managed solution by AWS that allows you to discover and evaluate sensitive data. Macie remains to be under evaluation as it didn’t quite work well for one of the panelists owing to the presence of multiple repositories. Razorpay also makes use of Apache Rangers which allows them to mask, hash or encrypt data as it comes along. One of the other panelists elaborates on how, unlike tooling, homegrown scripts have worked best for them since they have their own private cloud at PhonePe. The utilization of hardening base images was also discussed.
• Ashwath, upon being asked about container security broke the process down to three pieces. The first one being where the container images are stored in container repositories such as AWS ECR/Harbor, open source tools like trivy allow them to scan the container image to ensure the base is secure. The second piece involved the control plane of Kubernetes which can be monitored using a Cloud Security Posture Management (CSPM) tool such as Prowler, and the third piece involved the pods running on the Kubernetes cluster itself. The intricacy of this process involved looking at the manifest file and the configuration of the pod.
• Trivy, is a simple and comprehensive Vulnerability Scanner for containers and other artifacts. It detects vulnerabilities of OS packages and application dependencies.
• Prabhakar mentioned that at Zeta, they make use of the ELK stack that allows them to carry out security monitoring. Prabhakar further spoke about the need for visibility and the much-needed clarity when it comes to the protection of data and what is needed to be protected. He spoke of how one comes about identifying critical assets and arrives at the stage of building a new environment around them to ensure their protection with metrics.

7. Gauging metrics

• Ankur mentioned that they’ve been coming up with a central vulnerability management system in order to gauge their metrics and measure their success at shifting security left.
• Ashwath added on, having mentioned that they started off by doing their iterations manually but now it is all automated that makes assessing metrics much easier.

8. Regulations and regulatory pain points

• Razorpay has a dedicated planned audits team day in and day out and the key component of that is understanding the regulatory requirement and translating it into security requirements.
• At PhonePe, it hasn’t been much of a significant change as most of the regulations have already been taken care of.
• Prabhakar added that while the question of regulation is a pain point, it is also something that has come out of ensuring best practices that enable the production perspective and it hasn’t posed a major challenge to any of the companies present on the panel.

The panel was thus concluded and opened itself to questions from the audience and moderators that mainly dealt with the question of managing data discovery, endpoints, the percentage of budget assigned to the security teams, how revamping the budget comes about and how investors know the value in investing in security as it is a much needed necessity today.