Bayad, a leading payment platform in the Philippines, is utilizing Aqua’s portfolio of cloud-native security solutions to ensure security and compliance of its digital wallet platform, biller aggregator service and bills payment platforms.
Bayad (CIS Bayad Center, Inc.) is the largest multi-channel payment platform in the Philippines, and the country’s pioneer in outsourced payment collection.
Bayad offers a suite of solutions ranging from dependable bill collection for corporate partners to reliable, convenient payment services for the public. Bayad emphasizes security of sensitive data and high availability, which allow businesses and customers to confidently accomplish their financial and commercial interests.
Bayad uses Aqua’s portfolio of cloud-native security solutions to ensure security and compliance of its digital wallet platform, biller aggregator service and bills payment platforms.
The challenge
Bayad has been investing in a shift to cloud-native application methodologies, using container and serverless technologies to increase agility, scalability and resilience of key applications.
As part of this initiative, the organization must enable developers to focus on writing code while eliminating roadblocks to secure deployment. Operating in a highly regulated industry required Bayad to overcome some critical challenges, including:
- Ensure that stakeholders, from development to security, have visibility into the risk posture and compliance status of development artifacts, running applications and cloud environments.
- Detect and resolve information leakage across the application and cloud ecosystem.
- Facilitate an evolution from legacy systems that are unable to meet the growing demands and expectations of the market.
- Establish unified security standards and security control points for more than a thousand functions across multiple web applications, mobile applications and APIs.
- Support compliance requirements of the Bangko Sentral ng Pilipinas (Central Bank) and PCI-DSS certification.
By shifting to a cloud-native architecture, we could generate greater business value and deliver on customer expectations more quickly.
“Going serverless enables us to run our new Bayad applications smoothly,” explains Lawrence Ferrer, President and CEO, “paving the way to an improved payment experience for Filipinos as they continue to navigate their way in the new normal.”
The evaluation
When evaluating potential tools to overcome Bayad’s challenges and elevate its standard for cloud-native security, stakeholders from the cybersecurity department identified solution requirements and selection criteria. These included:
- Security controls that support automation across agile DevOps workflows and cloud-native development pipelines.
- Extensive integration support for a variety of Amazon tools and services, including AWS CodePipeline, AWS CodeBuild and Amazon Landing Zone.
- Ability to analyze container images and prioritize vulnerabilities for remediation.
- Ability to detect security risks in serverless functions, supporting Lambda and Fargate.
- Ability to detect, prevent and respond to anomalous activity at runtime.
“Given Bayad’s direction for cloud adaptation,” states Mel Migriño, Meralco Group CISO, “we had to prioritize security controls in this new environment to ensure that the environment remains secure and intact.”
Bayad’s evaluation included market research to establish a viable short list of potential vendors, followed by providing requirements to candidates, collecting detailed responses from each and conducting a cost-benefit analysis.
“Based on the assessment of our team,” continued Migriño, “Aqua offers the capabilities that best match our environment from containers all the way to serverless.”
Additionally, the team cited the strong solution competency and rapid response to communications by Aqua’s local partner as a positive influence on their evaluation.
The solution
Bayad selected Aqua’s cloud-native application protection platform to secure its Digital Transformation. The chosen Aqua solutions and critical capabilities include:
- Container image vulnerability scanning
- Serverless function security scanning
- Cloud security posture management (CSPM)
- Cloud workload protection and runtime security
- Risk-based insights (vulnerability prioritization and triage)
- Flexible security policies with audit/enforce modes
- Deep integration with key Amazon solutions for DevOps
At inception, Bayad involved stakeholders from security, development and cloud deployment teams. Initial implementation activities were deliberate and gradual, accelerating for subsequent projects.
“In the first application integration,” explained Migriño, “we held weekly project meetings and daily deployment and troubleshooting activities with the local Aqua partner to ensure the successful integration of the solution.”
With Aqua, Migriño and team are able to assess security risks in the pipeline before applications get pushed into production.
This includes detecting and remediating vulnerabilities in container images and serverless functions, security misconfigurations in cloud environments, and the presence of hidden secrets and sensitive data in application artifacts.
Aqua is also being used to extend security controls into production environments, where Aqua detects and prevents anomalous or disallowed behaviors at runtime.
Additionally, Bayad is better prepared to adhere to industry best practices and compliance requirements, supporting principles of least privilege, detecting anomalies at runtime, and hardening cloud infrastructure.
“Using the Aqua solution has helped prevent potential exposure of sensitive information, credentials, and keys that could have led to account takeover and system compromise,” said Lawrence Ferrer, President and CEO.
As a result of their relationship with Aqua and its local partner, Bayad has realized its vision for greater security of critical applications, protection of sensitive business and customer data, and compliance with industry requirements.
“With Aqua, we now have visibility on the vulnerabilities of our cloud-native applications,” stated Migriño, “and it helps us prioritize remediation of these so our security operations team is not overwhelmed.”
“We are satisfied with the Aqua product and its feature enhancements,” expressed Ferrer. “We also like the visibility and support given by their local partner. In the past 12 months, we have expanded Aqua’s footprint twice and added new capabilities to our implementation.”
We asked Mel Migriño, Meralco Group CISO, further questions to find out more.
Can you describe how your legacy systems were falling short of your company’s requirements?
Once we had made the decision to move to a fully cloud-native architecture, we were experiencing several challenges with our existing systems. We found that there was a lack of visibility on workloads and the cloud environments. We were wasting time verifying components in the registry.
On a broader level, we wanted systems more suited to our transition from DevOps to DevSecOps and provide assurance to our stakeholders that new practices brought by this transition are effective and stable.
What was the thinking behind the decision to ‘go serverless’ and move to a cloud-native architecture?
We decided several years ago to take a proactive stance to carry out our Digital Transformation journey. The appeal of ‘going serverless’ and moving to a cloud-native environment was that it offered our developers more agility when building and running applications.
We also wanted to take advantage of the inbuilt benefits of the serverless environment – it’s more scalable and flexible, which lets us focus on writing the code that will create the most business value. We can now run new Bayad applications more smoothly, which leads to an improved experience for our customers.
With Aqua, you are able to assess security risks in the pipeline before applications get pushed into production. Why is this so important to you?
The shift to the left is a vital part of our overall security strategy. It’s becoming widely recognized that security needs to be prioritized at the earliest possible stage, to catch potential security risks before they can become a true danger. That is the best way to reduce outages that would have a detrimental business effect.
Also, as a major contributor to the country’s critical infrastructure, we wanted to show our millions of customers and business partners that our services are resilient.
Can you explain how Bayad has been able to achieve greater security of critical applications and protection of sensitive data?
With Aqua, we have better visibility on the vulnerabilities of our cloud-native applications. This allows us to prioritize remediation of these, which prevents our security operations teams from being overwhelmed.
Can you explain how Bayad is now better prepared to adhere to industry best practices and compliance requirements?
We are now better able to secure our data and digital platforms through Aqua’s robust functionality, which is a key imperative for adhering to industry best practices. Aqua’s solution helps us prevent the potential exposure of sensitive information, credentials and keys that could have led to account takeovers or system compromise.
Furthermore, Aqua’s solution provides much greater visibility, which is vital in highly regulated industries. We are now able to monitor the entire application lifecycle, which is crucial for enforcing compliance.
Why did you choose to work with the vendor?
We did our research! We established a viable short list of potential vendors, then provided our requirements to candidates and collected detailed responses from each. Aqua offered the best capabilities to match our journey to serverless.
We were also impressed by the fast and helpful communications from Aqua’s local partner, and with the customer service and support they have provided throughout the process.