Online Payments Innovator Fast Gets Cloud Security Confidence with Orca Security

Securing Customer Data Is Inherent in Fast’s DNA

Headquartered in San Francisco and backed by several venture capital firms, Fast is a privately held fintech startup established in March 2019. Its mission is to make buying online faster, safer, and easier for everyone. Its Fast Login and Fast Checkout products work on any browser, device, or platform, enabling a single-click sign-in and purchasing experience that makes it easier for buyers to buy and merchants to sell in a consistent, stress-free manner. Fast is entirely consumer-focused and invests heavily in its users’ privacy and data security.

Anshu Gupta is its VP, Security. “As a financial services company, we have a strong need for continuous security and compliance,” says Gupta. “We’re always looking for best-in-class security partners to help us in letting people make online payments in a secure fashion, where they have trust in our product and know we’re working with state-of-the-art technology to secure our customer data.”

Orca Security Provides Value from Day One for Fast’s Cloud-Native Infrastructure

Fast is a cloud-native company running 100% on AWS. All applications are fully containerized, with Kubernetes orchestrating the workloads. Gupta says they looked at various solutions for securing this dynamic cloud environment.

“At first we looked at Amazon’s inherent security tools such as Security Hub. Although it has a lot of capabilities, it falls short in unifying information within a single-pane dashboard and telling us what we really need to focus on,” says Gupta. He looked at a cloud security posture management (CSPM) product, but it wasn’t mature enough to meet Fast’s needs. Another tool—derived from open-source—yielded too many alerts that didn’t make sense. Gupta really needed an enterprise-grade tool that could fit many use cases and prioritize alerts so his security team knows what to work on first. Upon testing Orca, he knew he had found the best cloud security platform.

Orca checked the box on a number of use cases, providing comprehensive coverage. It satisfies Fast’s need for vulnerability management, asset inventory, regulatory/benchmark compliance, file integrity monitoring, incident alerting, and prioritized remediation.
Gupta says Orca provided value from day one in helping Fast protect its infrastructure. He showed his executive team the extent of help the security and DevOps teams get from it, especially when it comes to remediation. “They immediately saw the value and gave us purchase approval,” he says.

“I can confidently say that Orca is an enterprise-grade tool that’s doing its job when it comes to securing our infrastructure and giving us the visibility we need.”
Anshu Gupta

VP, Security

Orca’s Ability to Distill and Prioritize Alerts Enables Fast to Focus on What’s Most Important

Other tools provide far too many alerts to be of any value. “Some issues are of low impact and aren’t worth acting upon right away,” says Gupta. “Orca tells us straight away what we should focus on in relation to what’s urgent for Fast. When we look at alerts, whether they’re remediation advisories or interactions between infrastructure components, we can immediately visualize their real impact. Orca helps us triage and prioritize issues.”

Fast is still early in its journey with Orca, but both the DevOps and security teams are getting good value from its findings. “Orca has helped us reduce operational incident management time significantly. And now we aren’t dealing with so many issues because our environment has been sufficiently hardened,” says Gupta.

One area where he struggled with other tools is in recognizing when an issue had been remediated. With Orca’s near-real-time visibility, it’s quickly reflected in the dashboard when an issue gets fixed. “One time when I was showing Orca in a presentation, we witnessed an issue disappear from the dashboard in real-time—an engineer had easily pushed code into production that fixed it.”

Meets Multiple Controls to Satisfy Compliance Needs

Given its role in financial services, Fast is strictly held to regulatory standards for protecting customer data. “For PCI compliance, we’ve ideally been looking for a single solution that helps us meet multiple controls, be they vulnerability scanning, file integrity monitoring, system hardening, or compliance with frameworks such as CIS. Being feature-rich, Orca is one of the few available tools that help us meet our compliance requirements —including PCI,” says Gupta.

Orca reports show proof to auditors that vulnerabilities have been found and remediated. They show that Fast has its security program under control.

“In the financial services space, a single incident can be catastrophic, so we simply can’t afford to make mistakes. Orca provides us with total confidence we don’t have pending issues we need to be worried about.”
Anshu Gupta

VP, Security

Orca Innovation

“One of the things I like most about Orca is that it’s constantly innovating,” says Gupta. “When Orca’s CEO frequently reaches out for our feedback, I take that as a sign he wants his product to be the best. He really listens to security professionals who constitute his customers to incorporate our ideas into the product. I’m glad we’re part of Orca’s journey, just as it’s part of ours.” Gupta’s advice to his fellow CISOs is, “Give Orca a shot. If you’re evaluating multiple solutions for cloud security and haven’t looked at it, you’re doing yourself a disservice. Orca is easy to deploy and use; it doesn’t disrupt your production environment and you realize great value early on.”