Baked-in Platform Security Targets Pathways to Exploitation

How Synchrony Financial adopted Pivotal Cloud Foundry and reshaped how they approach product security.

Synchrony Financial isn’t a new kid on the block. The company, which specializes in private label credit cards for retailers and other businesses, has been around for over 85 years. But for 82 of those years, it was part of General Electric, and known as GE Capital. GE’s decision to spin out Synchrony into its own company gave technology leaders there an opportunity to rethink its approach to application development.

When the spin-out occurred in 2014, Mike Barber, Synchrony’s Senior Vice President for Customer Systems and Technology, and his colleagues found themselves competing in a fast-moving, dynamic market.

“Ten or fifteen years ago, financial services and payments was a sleepy space,” said Barber, speaking at SpringOne Platform. “We are in the midst of a very disruptive environment from a financial services point of view. A lot of large and small technology players all competing to figure out how to improve financial services for consumers, and in particular payments.”

Synchrony needed to “rapidly increase our ability to change, our ability to build new products and capabilities, and really our ability to compete in a marketplace in which change is much more prevalent.”

But it had to do so securely. Financial services is one of the most highly regulated industries in the world. Failure to comply with applicable regulations, like the Payment Card Industry Data Security Standard (PCI DSS), which requires companies to process and manage credit card data in a secure way, can result in major fines. With over 70 million customer accounts, Synchrony can’t afford a mistake.

The question, then, was how can a company like Synchrony rapidly develop and iterate on new applications without letting necessary security functions slow down the process?

A Focus on Pathways to Exploitation

It turns out the best way to achieve robust security and, at the same time, maintain operational and developer efficiency is to embed as many security responsibilities as possible into the underlying cloud-native platform on which developers are building and deploying their apps.

“Where you get a big boost in a modern platform is the platform handles a lot of the security for you. And that gives you huge operational boosts and saves in a lot of different ways,” said Justin Smith, Chief Security Officer at Pivotal. “So if we can suck more of the security responsibility into the platform it means the organization can go faster and faster. And we see this time and time again.”

But this doesn’t mean including generic security safeguards in the platform. At Pivotal, as Smith explained, the Pivotal Cloud Foundry security team takes a threat-centric approach. This means identifying and prioritizing defenses against actual, specific threats that exist in the wild, or “pathways to exploitation,” as Smith calls them. Those threats that are more likely to occur and cause the most damage get the highest priority.

“You don’t just want to have a defense for the sake of having a defense,” said Smith. “You want to make sure you’re mitigating the most number of threats you can with the fewest number of tools.”

One of the pathways to exploitation that the Pivotal Cloud Foundry team is focused on, for example, is an adversary putting arbitrary code on a guest OS, explained Smith. “And so that type of threat-centric perspective would be: How do we prevent that from happening? What are all the ways that that could possibly happen? How do we mitigate each and every one of those? And if that does happen how do we mitigate it?”
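The prioritization Smith describes, ranking threats by how likely they are and how much damage they do, then choosing the fewest controls that cover the most of that risk, is a weighted set-cover problem. The following is an added example of one way to make that reasoning explicit; it is not code from Pivotal or Synchrony, and the threat catalogue, likelihood and impact scores, and control-to-threat mappings are constructed for illustration, not taken from the platform.

```python
"""Threat-centric control selection: greedy weighted set cover (constructed example)."""
from typing import Dict, List, Set, Tuple

# Constructed threat catalogue: name -> (likelihood 1..5, impact 1..5).
# The values are hypothetical; a real catalogue would come from threat modelling.
THREATS: Dict[str, Tuple[int, int]] = {
    "unpatched-os-cve": (5, 4),
    "stale-admin-creds": (3, 5),
    "persistent-foothold-on-vm": (4, 5),
    "manual-config-drift": (4, 2),
    "app-container-escape": (2, 5),
    "secrets-in-logs": (3, 3),
}

# Constructed control catalogue: control -> the threats it mitigates.
# One control mitigating several pathways is exactly the "fewest tools" effect.
CONTROLS: Dict[str, Set[str]] = {
    "automated-stemcell-rebuild": {
        "unpatched-os-cve", "persistent-foothold-on-vm", "manual-config-drift",
    },
    "short-lived-vm-rotation": {"persistent-foothold-on-vm", "stale-admin-creds"},
    "container-hardening": {"app-container-escape"},
    "log-redaction": {"secrets-in-logs"},
    "credential-rotation": {"stale-admin-creds"},
}


def risk_score(threat: str) -> int:
    """Simple likelihood x impact score; higher means more urgent to mitigate."""
    likelihood, impact = THREATS[threat]
    return likelihood * impact


def rank_threats() -> List[Tuple[str, int]]:
    """Threats ordered from highest to lowest risk (name as a stable tie-break)."""
    return sorted(((t, risk_score(t)) for t in THREATS), key=lambda p: (-p[1], p[0]))


def residual_risk(selected: List[str]) -> int:
    """Sum of risk scores for threats no selected control mitigates."""
    covered: Set[str] = set()
    for control in selected:
        covered |= CONTROLS[control]
    return sum(risk_score(t) for t in THREATS if t not in covered)


def select_controls(budget: int) -> List[str]:
    """Greedy weighted set cover: at each step pick the control that removes the
    most still-uncovered risk, until the budget is spent or nothing is left to cover.
    Ties are broken alphabetically so the result is deterministic."""
    uncovered: Set[str] = set(THREATS)
    chosen: List[str] = []
    while len(chosen) < budget and uncovered:
        def gain(control: str) -> int:
            return sum(risk_score(t) for t in CONTROLS[control] & uncovered)
        best = max(sorted(CONTROLS), key=gain)
        if gain(best) == 0:
            break  # every remaining control adds nothing; stop early
        chosen.append(best)
        uncovered -= CONTROLS[best]
    return chosen


if __name__ == "__main__":
    for name, score in rank_threats():
        print(f"{score:>3}  {name}")
    plan = select_controls(3)
    print("controls:", plan, "residual risk:", residual_risk(plan))
```

With the constructed numbers, the automated rebuild of the OS image is picked first because it alone retires three pathways worth 48 of the 82 total risk points, which is the effect Smith attributes to ephemeral, continuously rebuilt infrastructure; the remaining picks chip away at what that single control does not reach.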

By embedding and automating the answers to those questions in Pivotal Cloud Foundry itself, organizations end up with better security than they had in their slower-moving traditional environments. More often than not, this also brings a dramatic increase in operational and developer efficiency, as the platform takes care of many previously manual security tasks and functions.

Said Smith:

“If you look at PCF and what we can do with Concourse and the constant updating of the platform, if you look at the number of pathways to exploitation or vulnerabilities that that single idea takes care of, that number could easily be in the hundreds. If you have an ephemeral cluster, and you have ephemeral and short lived VMs, and you have ephemeral application containers and you’re rebuilding your clusters as a function of automated systems doing the work as opposed to individual administrators, that takes care of a whole raft… of pathways to exploitation. And you’re mitigating those scenarios really with just technology. You don’t have to buy a bunch of bolt-on solutions. It’s really baked in.”

Achieving Security and Efficiency at Synchrony

Back at Synchrony, the company expected to deploy around seven applications to the platform in its first full year in operation. In fact, the company doubled that number, with 14 applications running in production on Pivotal Cloud Foundry by the end of 2017. Barber credits the platform’s built-in security capabilities, including automated patching and OS updates, as among the reasons for this success.

“You’re unleashing this great capability to our application developers to move quickly, but the fact is [Pivotal Cloud Foundry] is an environment that provides more control devoted to patching, the ability to manage business continuity,” Barber said. “The ability to [securely] manage the environment is hugely valuable for us because we used to spend an inordinate amount of time doing that in our existing environment.”

With built-in platform defenses against so many pathways to exploitation, Synchrony’s operations team can spend more time extending the platform’s capabilities and less time fighting security fires. And developers are able to avoid security distractions and focus their attention on what really matters — building great software that delivers real business value to customers and the company.