Rosbank is the first in Russia to increase the level of application infrastructure protection using Prisma Cloud

    13 February

Rosbank and the IT company “Infosystems Jet” have completed the first project in Russia to implement the Prisma Cloud platform for application infrastructure protection. Using it, the credit organization already secures two remote banking applications and plans to scale the solution to new developments.

Automating security functions allows Rosbank to improve the quality of its services with minimal impact on time-to-market. To reduce this parameter, the credit organization uses a wide range of tools that speed up the development and delivery of software to end users. For example, programmers actively interact with IT infrastructure and solution operation specialists, and different teams use the same approaches for creating applications and the same tools for automating code development and testing. Another component of time-to-market acceleration at Rosbank was the gradual transition from a monolithic application architecture to a microservice one: for this purpose, the credit organization uses container environments based on the OpenShift container management platform.

To build reliable protection for the new infrastructure that meets all information security requirements and has minimal impact on time-to-market, the bank decided to implement the Prisma Cloud platform, a solution by Palo Alto Networks previously marketed under the Twistlock brand.

"Using practices and tools to speed up the software development process opens up great opportunities for the development of banking services. At the same time, this poses new challenges: classic tools are not suitable for protecting the ever-changing microservice architecture, and security should not slow down the release of applications. In this regard, it was decided to launch a project to implement Prisma Cloud to protect the new application infrastructure, which we implemented together with specialists of “Infosystems Jet”, one of the leading players in the Russian market of system integration in the field of information security," said Mikhail Ivanov, Director of the Information Security Department of Rosbank.

During implementation, the project team was tasked with protecting the architecture the bank used to develop two applications: 80 microservices deployed on 543 containers. “Infosystems Jet” experts developed their own framework for building a comprehensive protection model for the containerization environment that takes into account all stages of the container life cycle — the Jet Container Security Framework (JCSF). Drawing on information security best practices, the experts decomposed all threats and security controls into three levels: cluster, orchestrator, and containers.

"In order for security not to become a threat to time-to-market, it must be seamlessly integrated into all stages of software development based on the DevSecOps principles. This is how we approached the project to protect the microservice architecture used by Rosbank. The developed framework helped us to understand what bottlenecks could be fixed with the help of the implemented platform, what risks could be taken, and what needed to be improved," said Dmitry Klyuchnikov, Head of the DevSecOps Department at the Information Security Center of Infosystems Jet.

To determine the solution's integration points and define the requirements for it, the integrator's specialists, together with representatives of Rosbank, analyzed the development pipeline. Processes, including vulnerability management and compliance, were developed in close cooperation between the IS experts of Infosystems Jet and the development teams of Rosbank. As a result, a scheme was devised in which information about the most critical vulnerabilities in an application is added to the team's JIRA space, and tasks to remediate them are set during planning of the next sprint. The integrator's and the credit institution's specialists also worked together on the target architecture of the solution.

"When designing the Prisma Cloud solution, it was necessary to take into account the features of the OpenShift cluster in the bank. The specificity was to meet the requirements of the international payment card security standard PCI DSS in terms of the isolation of certain types of data. It made it more difficult to get images and vulnerability data from the Palo Alto Networks cloud. We managed to solve this and other non-trivial tasks thanks to productive interaction with Rosbank specialists," said Anastasia Ditenkova, Senior Design Engineer at the Information Security Center of “Infosystems Jet”.

The final stage of the project was the installation of the solution at the credit organization's facilities through the joint efforts of the integrator's project team and Rosbank's IT and IS specialists. The implemented platform protects containers in real time and enables timely detection and prevention of vulnerabilities throughout the application lifecycle. Currently, up to 20 users can work with the system at the same time, and Rosbank plans to scale the solution to other development teams in the near future.