SaFi Bank Space : WIP: Security Architecture

(blue star) Overview

This document describes how security is implemented in the development and operation of SaFi applications and infrastructure, to ensure the desired level of security is in place to protect our customers.

(blue star) Attack Surface

(blue star) SaFi Mobile App

The SaFi mobile app implements access control in several areas.

  • In the business-logic domain, the mobile app uses the SaFi Customer IDM to authenticate users for access to SaFi products and services, and uses in-app functionality to authorize users through the Biometrics, eKYC, and Passcode mechanisms.

  • In the network domain, it uses the WebAuthn protocol, which relies on public-key (PKI) technology, to authenticate user devices and prevent hijacking attacks such as man-in-the-middle (MITM) over the network.

The SaFi mobile app implements root (jailbreak) detection on both iOS and Android to prevent it from running in untrusted environments.

The SaFi mobile app applies zero-trust handling to suspicious login scenarios.

  • SaFi users are prevented from logging in on multiple devices; only one device is registered as trusted.

  • SaFi users with failed login attempts must undergo MFA using the eKYC or Passcode mechanisms.

(blue star) Firewall

SaFi network infrastructure is protected using Cloudflare firewall solutions.

  • The SaFi internal network is protected using Zero Trust Network Access (ZTNA).

  • Web services are protected using the Web Application Firewall (WAF).

All firewall configuration is built on the zero-trust principle.

  • ZTNA implements attribute-based access control (ABAC) managed by the SaFi IDM.

  • The WAF implements custom rulesets on top of the default managed rulesets (DDoS, OWASP Core, Exposed Credentials, and Cloudflare default).

Custom rulesets include:

  • Blocking all traffic from countries banned by the Anti-Money Laundering Council (AMLC), with alerting mechanisms to support a risk-based response.

  • Traffic from AMLC grey-listed countries is allowed but kept under close monitoring through custom alerting mechanisms as part of proactive response.

  • Bot mitigation

  • // TODO: ingress and egress IP filtering for third-party integrations
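As an added illustration (not SaFi's own Terraform), the two AMLC rules above expressed as a Cloudflare custom ruleset managed with Terraform, in line with the IaC approach described on this page. It assumes the Cloudflare provider v4 `cloudflare_ruleset` schema and a `var.zone_id` declared elsewhere; the country codes are placeholders, not the actual AMLC lists.

```hcl
# Added example, not SaFi's own Terraform. Country codes and zone ID are placeholders.
variable "amlc_banned_countries" {
  description = "ISO 3166-1 alpha-2 codes of AMLC-banned countries (placeholders)"
  type        = list(string)
  default     = ["XX", "YY"]
}

variable "amlc_grey_listed_countries" {
  description = "ISO 3166-1 alpha-2 codes of AMLC grey-listed countries (placeholders)"
  type        = list(string)
  default     = ["ZZ"]
}

locals {
  # Cloudflare rule expressions use a space-separated set literal: {"XX" "YY"}
  banned_set = format("{%s}", join(" ", [for c in var.amlc_banned_countries : format("%q", c)]))
  grey_set   = format("{%s}", join(" ", [for c in var.amlc_grey_listed_countries : format("%q", c)]))
}

resource "cloudflare_ruleset" "amlc_geo_controls" {
  zone_id     = var.zone_id # assumed to be declared elsewhere
  name        = "AMLC geo controls"
  description = "Block AMLC-banned countries, log grey-listed countries"
  kind        = "zone"
  phase       = "http_request_firewall_custom"

  # Rules run in order within the phase. Blocked requests still produce
  # firewall events, which the alerting described above can key on.
  rules {
    action      = "block"
    expression  = "(ip.geoip.country in ${local.banned_set})"
    description = "AMLC banned countries - block"
    enabled     = true
  }

  # Grey-listed traffic passes but emits a firewall event for monitoring.
  # Availability of the "log" action depends on the Cloudflare plan.
  rules {
    action      = "log"
    expression  = "(ip.geoip.country in ${local.grey_set})"
    description = "AMLC grey-listed countries - monitor"
    enabled     = true
  }
}
```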

(blue star) Cloud

In SaFi, everything is cloud native, and SaFi uses Google Cloud to host its IT services.

SaFi leverages Google Cloud security controls to secure SaFi's data. See how Google secures Google Cloud: https://cloud.google.com/security/.

Cloud management is handled by SaFi. IAM and configuration follow the zero-trust principle and use a CI/CD model for builds, configuration, deployment, and orchestration. Everything is done automatically through Infrastructure as Code (IaC) using Terraform.

(blue star) Internal Infrastructure

(blue star) SaFi Back Office

Back Office access control implements Role-Based Access Control (RBAC) using the SaFi IDM (Okta). Each user role has different access rights per Back Office feature, and everything, including user provisioning, is configured using Terraform.

Back Office can only be accessed internally through Cloudflare ZTNA. Each user must have the 'ZTNA Access' attribute on their Okta account and authenticate with Cloudflare to reach Back Office.

All user activity in the applications is logged and monitored via the SaFi Security Information and Event Management (SIEM) using Grafana. Alerts are defined for malicious behaviours.

(blue star) Core Banking

SaFi uses Thought Machine as its Core Banking software.

No human is allowed to access Thought Machine directly. All activities (e.g., generation of statements, reports, journals, and ledgers) are performed through an API integrated with Back Office.

Network policies are applied to prevent unauthorized access.

(blue star) Customer Relationship Management (CRM)

SaFi uses Meiro as its CRM software.

No human is allowed to access Meiro directly. All activities (e.g., generation of customer metrics) are performed through an API integrated with Back Office.

Network policies are applied to prevent unauthorized access.
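As an added illustration (not SaFi's own configuration) of the network policies mentioned for both Thought Machine and Meiro, the following Terraform, using the hashicorp/kubernetes provider, defines a default-deny ingress policy for a core-banking namespace and a single exception that admits only Back Office pods on the API port; the same pattern applies to the CRM namespace. Namespace, label and port values are placeholders.

```hcl
# Added example, not SaFi's own Terraform. Namespace, labels and port are placeholders.

# 1. Default deny. An empty pod_selector selects every pod in the namespace;
#    listing "Ingress" in policy_types with no ingress rules denies all
#    inbound traffic. (Egress is left open here; denying it would also
#    require explicit allow rules, e.g. for DNS.)
resource "kubernetes_network_policy" "core_banking_default_deny" {
  metadata {
    name      = "default-deny-ingress"
    namespace = "core-banking" # placeholder namespace
  }
  spec {
    pod_selector {}
    policy_types = ["Ingress"]
  }
}

# 2. Allow only Back Office pods to reach the core-banking API port.
#    namespace_selector and pod_selector inside one `from` entry are ANDed:
#    the source must be in the back-office namespace AND carry the label.
resource "kubernetes_network_policy" "core_banking_api_from_back_office" {
  metadata {
    name      = "allow-back-office-to-api"
    namespace = "core-banking"
  }
  spec {
    pod_selector {
      match_labels = { app = "core-banking-api" } # placeholder label
    }
    policy_types = ["Ingress"]
    ingress {
      from {
        namespace_selector {
          # Label set automatically on namespaces by Kubernetes 1.21+
          match_labels = { "kubernetes.io/metadata.name" = "back-office" }
        }
        pod_selector {
          match_labels = { app = "back-office" } # placeholder label
        }
      }
      ports {
        port     = "8443" # placeholder API port
        protocol = "TCP"
      }
    }
  }
}
```

Network policies only govern pod-to-pod traffic; keeping humans out of the workload (e.g. via `kubectl exec`) additionally relies on cluster RBAC, which is not shown here.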

(blue star) Data Warehouse

// TODO

(blue star) Access Control

SaFi uses separate Identity Management (IDM) and access-control systems for customers and employees. Each IDM serves a different purpose and therefore has different security requirements.

| Software | Okta | Vida |
|---|---|---|
| Purpose | Employee IDM | Customer IDM |
| Requirement | Single source of employee database; identity provider for SaFi internal applications; strict access control configuration for employees (groups, roles, etc.) | Single source of customer database; identity provider for customers to SaFi mobile; no strict access control required |
| Authentication | Single Sign-On (SSO) enabled; in-app biometrics; Time-based One-Time Pin (TOTP); QR code; physical key integration | Biometrics; passcode; selfie |
| Authorization | Role-Based Access Control (RBAC); Attribute-Based Access Control (ABAC) | No access control requirement |

(blue star) Data Security

(blue star) Data Validation

// TODO

(blue star) Data in Transit

SaFi leverages the built-in mechanisms of each solution to secure data in transit.

All external communication to SaFi is secured via Cloudflare ZTNA and WAF using TLS and the configured rulesets.

All internal communication in the cloud is secured by Google Cloud Security. See how Google secures data in transit in the cloud: https://cloud.google.com/docs/security/encryption-in-transit.

All communication within the Kubernetes cluster is secured by security contexts and network policies.

(blue star) Data at Rest

All data storage in the cloud is secured by Google Cloud Security. See how Google secures data at rest in the cloud: https://cloud.google.com/docs/security/encryption/default-encryption.

(blue star) Data loss prevention

// TODO

(blue star) Resiliency Mechanisms

SaFi follows one standard for resiliency, the OWASP Application Security Verification Standard: https://owasp.org/www-project-application-security-verification-standard/.

(blue star) API Security

// TODO - Rate Limiting

(blue star) Injections, Forgery, and Abuse Protection

SaFi implements the OWASP Core Ruleset in Cloudflare WAF to protect SaFi applications against a wide variety of attacks: https://developers.cloudflare.com/waf/managed-rulesets/reference/owasp-core-ruleset/.

(blue star) Hardening Configurations

SaFi follows the best practices documented in the OWASP Cheat Sheet Series and bases its internal coding standards on the OWASP Secure Coding Practices Quick Reference Guide: https://owasp.org/www-project-secure-coding-practices-quick-reference-guide/migrated_content.

// Dependency Check - TODO

// Source code - Obfuscation

(blue star) Security Testing

SaFi follows the security testing guide documented by OWASP.

(blue star) Security Culture

// TODO - App Sec links

(blue star) Application Monitoring

// TODO