Cloud Security Challenges:
- Eliminate the noise of too many alerts and focus on critical issues that could lead to a security incident or data breach
- Get comprehensive coverage for different use cases for Fast’s cloud-native infrastructure: all applications are fully containerized, with Kubernetes orchestrating the workloads
- Assess compliance with key benchmarks, such as CIS and PCI
Orca Security Results:
- 100% coverage of cloud accounts with full visibility and prioritized remediation—all with zero impact on the production environment
- Gained coverage for use cases—including vulnerability management, asset inventory, regulatory/benchmark compliance, file integrity monitoring, incident alerting, and prioritized remediation
- Dashboards provide a quick assessment of compliance with benchmarks
Securing Customer Data Is Inherent in Fast’s DNA
Headquartered in San Francisco and backed by several venture capital firms, Fast is a privately held fintech startup established in March 2019. Its mission is to make buying online faster, safer, and easier for everyone. Its Fast Login and Fast Checkout products work on any browser, device, or platform, enabling a single-click sign-in and purchasing experience that makes it easier for buyers to buy and merchants to sell in a consistent, stress-free manner. Fast is entirely consumer-focused and invests heavily in its users’ privacy and data security.
Anshu Gupta is its VP, Security. “As a financial services company, we have a strong need for continuous security and compliance,” says Gupta. “We’re always looking for best-in-class security partners to help us in letting people make online payments in a secure fashion, where they have trust in our product and know we’re working with state-of-the-art technology to secure our customer data.”
Orca Security Provides Value from Day One for Fast’s Cloud-Native Infrastructure
Fast is a cloud-native company running 100% on AWS. All applications are fully containerized, with Kubernetes orchestrating the workloads. Gupta says they looked at various solutions for securing this dynamic cloud environment.
“At first we looked at Amazon’s inherent security tools such as Security Hub. Although it has a lot of capabilities, it falls short in unifying information within a single-pane dashboard and telling us what we really need to focus on,” says Gupta. He looked at a cloud security posture management (CSPM) product, but it wasn’t mature enough to meet Fast’s needs. Another tool—derived from open-source—yielded too many alerts that didn’t make sense. Gupta really needed an enterprise-grade tool that could fit many use cases and prioritize alerts so his security team knows what to work on first. Upon testing Orca, he knew he had found the best cloud security platform.
This is where Orca comes into play. “We want to be able to see our whole environment—not just the devices that have an IP address, that might be accessible, and that we know about,” says Hill. “Orca is a great solution for us because we want to give developers the power to be innovative, but need to scan close to real-time without impacting the operations.”
Orca checked the box on a number of use cases, providing comprehensive coverage. It satisfies Fast’s need for vulnerability management, asset inventory, regulatory/benchmark compliance, file integrity monitoring, incident alerting, and prioritized remediation.
Gupta says Orca provided value from day one in helping Fast protect its infrastructure. He showed his executive team the extent of help the security and DevOps teams get from it, especially when it comes to remediation. “They immediately saw the value and gave us purchase approval,” he says.
Orca’s Ability to Distill and Prioritize Alerts Enables Fast to Focus on What’s Most Important
Other tools provide far too many alerts to be of any value. “Some issues are of low impact and aren’t worth acting upon right away,” says Gupta. “Orca tells us straight away what we should focus on in relation to what’s urgent for Fast. When we look at alerts, whether they’re remediation advisories or interactions between infrastructure components, we can immediately visualize their real impact. Orca helps us triage and prioritize issues.”
Fast is still early in its journey with Orca, but both the DevOps and security teams are getting good value from its findings. “Orca has helped us reduce operational incident management time significantly. And now we aren’t dealing with so many issues because our environment has been sufficiently hardened,” says Gupta.
One area where he struggled with other tools is in recognizing when an issue had been remediated. With Orca’s near-real-time visibility, it’s quickly reflected in the dashboard when an issue gets fixed. “One time when I was showing Orca in a presentation, we witnessed an issue disappear from the dashboard in real-time—an engineer had easily pushed code into production that fixed it.”
Meets Multiple Controls to Satisfy Compliance Needs
Given its role in financial services, Fast is strictly held to regulatory standards for protecting customer data. “For PCI compliance, we’ve ideally been looking for a single solution that helps us meet multiple controls, be they vulnerability scanning, file integrity monitoring, system hardening, or compliance with frameworks such as CIS. Being feature-rich, Orca is one of the few available tools that help us meet our compliance requirements—including PCI,” says Gupta.
Orca reports show proof to auditors that vulnerabilities have been found and remediated. They show that Fast has its security program under control.
“One of the things I like most about Orca is that it’s constantly innovating,” says Gupta. “When Orca’s CEO frequently reaches out for our feedback, I take that as a sign he wants his product to be the best. He really listens to security professionals who constitute his customers to incorporate our ideas into the product. I’m glad we’re part of Orca’s journey, just as it’s part of ours.”
Gupta’s advice to his fellow CISOs is, “Give Orca a shot. If you’re evaluating multiple solutions for cloud security and haven’t looked at it, you’re doing yourself a disservice. Orca is easy to deploy and use; it doesn’t disrupt your production environment and you realize great value early on.”