Privacy Mode fellowship programme

Documenting privacy best practices in industry

Rohan Verma

@rhnvrm

Data Protection and Security Practices at Zerodha

Submitted Feb 21, 2022

Statement of intent and purpose

Proper access control and containing the proliferation of critically sensitive customer data across a variety of internal apps can be a complex beast. Using a few common-sense privacy principles along with a few architectural changes across the organization, it is straightforward to fortify the stack and prevent data proliferation across it. At Zerodha, we have built a siloed, centralized application along with easy-to-use client libraries that allow internal apps to send communications to users (e-mail, SMS etc.) under strict permissions, without having to store or access sensitive user data. With this fellowship, I aim to document the data protection and security practices that we have implemented with this project and that other organizations can easily incorporate into their stack.

This project acts as a gateway for all client communication. It allows apps to communicate with clients via SMS, e-mail, push notifications, etc. without any direct access to the client data and without sharing sensitive information such as e-mail ID, phone number etc. All outgoing communiqués are pre-templated with variables, and this centralized system enriches them from sensitive data sources that are never exposed to internal applications. When a request to send a message is queued, the template is enriched with the requested data from the appropriate data sources, based on the unique client identifier sent by the client library. This reduces unintended data leaks caused by data duplication or extraneous logs containing client information at the application end, and eliminates the need to share networks between different kinds of internal applications and databases. The system operates at scale, sending out millions of critical transactional e-mails, notifications, SMS etc.

This also helps us achieve broader regulatory compliance goals.

  • Appropriate data retention for messages that are required to be retained for compliance is also configurable centrally and doesn’t need to be set up by each application. [SEBI.17]
  • This also plays a key role in VPC Network segregation which is a compliance/regulatory requirement, as it allows us to silo data centrally and limit access. [SEBI.27]
  • The cyber security framework suggests that no person by rank or position should have an intrinsic right to access data [SEBI.13]. The principle of least privilege should be adopted with access provided based on defined purpose and limited period of access to IT systems [SEBI.14]. Along with that, all user access must be logged [SEBI.17]. Using our system, we can restrict nearly all access to sensitive client information for our developers and still support seamless communication.

All of this ties together with our principle of not intrinsically trusting even our internal applications with privileged access or sensitive data.
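The following is an added illustration of the gateway flow described above (the request keyed on a client identifier, enrichment from a store the apps cannot reach, per-app permissions and an access log), not code from the project itself. Names, templates and the sample client record are constructed for the example.

```python
"""Toy model of a templated-communication gateway.

Internal apps request a send using only a client identifier and non-sensitive
template variables. The gateway checks what the app is permitted to send,
fills in contact details from a store the app never reads, and writes an
audit record that identifies the client without containing those details.
"""
from string import Template

# Constructed sample data. In a real deployment this store sits in its own
# network segment; only the gateway may query it.
SENSITIVE_STORE = {
    "ZX1234": {"name": "Asha", "email": "asha@example.com", "phone": "+910000000000"},
}
# Template catalogue: each template is bound to the channel it may go out on.
TEMPLATES = {
    "contract_note": ("email", "Hi $name, your contract note for $date is ready."),
    "login_otp": ("sms", "$name, your OTP is $otp."),
}
# ACL: which templates each internal app may trigger (purpose-bound access).
ACL = {
    "reports-app": {"contract_note"},
    "auth-app": {"login_otp"},
}
ENRICHED_FIELDS = {"name", "email", "phone"}
AUDIT_LOG = []


def send(app: str, template: str, client_id: str, variables: dict) -> dict:
    """Return the message the gateway would dispatch, or raise if not allowed."""
    if template not in ACL.get(app, set()):
        AUDIT_LOG.append({"app": app, "template": template, "client_id": client_id, "ok": False})
        raise PermissionError(f"{app} may not send {template}")
    # Apps may not supply enriched fields; otherwise they could redirect a message.
    if set(variables) & ENRICHED_FIELDS:
        raise ValueError("sensitive fields are filled by the gateway, not the app")
    record = SENSITIVE_STORE[client_id]
    channel, body = TEMPLATES[template]
    text = Template(body).substitute(name=record["name"], **variables)
    recipient = record["email"] if channel == "email" else record["phone"]
    # The audit entry records who sent what to whom, by identifier only.
    AUDIT_LOG.append({"app": app, "template": template, "client_id": client_id, "ok": True})
    return {"channel": channel, "to": recipient, "body": text}
```

The calling app only ever sees the return value of its own client library call; in the real system the dispatch happens inside the gateway and even that value is not returned.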

I think the output of the fellowship would be most useful as an article in which we share a generic architecture, applicable across a variety of stacks, along with code snippets. Alongside that, I will do a deeper dive into data privacy and how the broader goals above can be achieved. I think it would be good to cover the following:

  • Principles and Foundational ideas
    • Reduce business risk and protect user privacy by exposing minimal data across apps
    • Standardized, Auditable, and Centralized Template Management
    • Access Control management
    • Log retention management
  • Internals and Architecture
    • Machinery and Kafka
    • Worker Orchestration
    • Orchestrating and inserting/enriching data into templates
    • User/ACL management
    • Centralized logging + dashboards for auditing
    • Plugging in backends and datastores
    • Designing a stable and easy to implement HTTP API
    • Self-hosting email/wherever possible to minimize risks

[SEBI] SEBI/HO/MIRSD/CIR/PB/2018/147 - Cyber Security & Cyber Resilience framework for Stock Brokers / Depository Participants https://www.sebi.gov.in/legal/circulars/dec-2018/cyber-security-and-cyber-resilience-framework-for-stock-brokers-depository-participants_41215.html
