About Bajaj Finserv Direct Limited (BFDL)

Bajaj Finserv Limited is the holding company for the businesses dealing with the financial services of Bajaj Group. It serves millions of customers in the financial services space by providing solutions for asset acquisition through financing, asset protection through general insurance, family protection and income protection in the form of life and health insurance, and retirement and savings solutions.

The Challenge

BFS Direct – Digital business unit of Bajaj Finserv Ltd embarked on a digital transformation journey by leveraging AWS infrastructure with a focus on enhancing the customer experience through BFSDirect.in. This goal gave BFS direct an important task to comply:

Automated cloud security

Amid this digital revolution, and being part of a highly regulated industry, BFDL was required to comply with strict regulatory controls, improve their application security posture on AWS, and select the level of security and resiliency, appropriate for their workloads.

To navigate through this environment, BFDL was seeking assistance to monitor their production resources. They wanted to secure their storage which was the biggest vulnerable place. The traffic coming in and out of the AWS environment required to be controlled. The volume of storage and the RDS data needed to be secured.  The movement from the on-premise to the AWS environment must be secured in order to have safe communication.

Additionally, the auditing of all the resources in the AWS infrastructure, inventory management, administrative control over the resources, mandatory tagging issues, and detecting threat for any malicious activities was required to ensure security visibility in fast-moving AWS environments and demanded an automated approach.

The Solution

Blazeclan proposed a multi-fold approach to support BFDL achieve the desired outcome. To begin with:

    1. The certified security professionals conducted security risk assessment reviews to identify the current environment and performed a gap analysis in their current architecture. AWS environment hardening was executed by leveraging custom cloud formation scripts to ensure that security best practices are used while setting up the cloud environment.
    2. The team assisted in protecting the critical servers and endpoints running on the cloud. This activity included setting up NGAV, EDR, and IDR in a server environment.
    3. Cloud Perimeter Security was activated by hardening their account from a network perspective and setting-up and installing a network-based firewall for their (web) application.
    4. With Blazeclan’s Cloud Security Automation service, deployments were accelerated with security as a part of the workflow, automated threat and vulnerability management, and incident response for the cloud environment.
      1. The repeated tasks were automated by setting up HashiCorp Packer for automatic AMI creation and setup DevOps pipeline for most of their applications.
      2. Use of AWS Lambda was proposed to automate code deployments and for generating health reports of different environments for the team.
      3. The team proposed writing a scheduled task (automation script) to start-stop jump hosts, reboot database engines and cleaning of EBS volumes.
      4. From a security perspective, a PIM solution CAPAM was implemented that was integrated with their Active Directory service for recording user sessions.

Service-specific security consulting included the following:

    1. For monitoring the production resources, the team advised the use of Amazon CloudWatch to capture and summarize utilization metrics natively for AWS resources.
    2. Setting up AWS CloudTrail helped them to log, continuously monitor, and retain account activity related to actions across their AWS infrastructure.
    3. Implementing bucket policies helped them to restrict access to their S3 resources.
    4. AWS Config rules were configured to run continuous assessment checks on their resources in order to verify that they comply with their security policies, industry best practices, and compliance regimes.
    5. NACL was configured to control inbound and outbound traffic in the AWS environment.
    6. AWS Key Management Service was introduced to encrypt EBS volume and RDS snapshots.
    7. AWS Direct Connect and VPN Tunnel were provisioned to create a secure and encrypted communication between their on-premise applications and AWS environment.
    8. Identity and Access management policies were leveraged to create and manage multiple users under a single AWS account.
    9. Amazon GuardDuty was set up to continuously monitor for malicious activity and unauthorized behaviour and protect their AWS accounts and workloads.
    10. For vulnerability assessment purpose, the team recommended the use of Amazon Inspector.

Blazeclan’s certified security experts migrated customer’s infrastructure from Singapore region to Mumbai region to adhere to the compliance standards and integrated their existing Active Directory users to AWS Directory services for better management of users. Lastly, an antivirus solution was induced in their environment to help them establish a patch cycle for all their EC2 instances. To safeguard their application layer, 3rd party tools including Akamai – CDN, WAF and a DNS service was recommended.

Benefits

  1. Optimized cloud environment: The customer identified the security disciplines in place under their legacy system and was able to create a similar secured AWS environment.
  2. Staying ahead of the security curve: The customer chose to stay ahead of the technology and we supported them in building secure frameworks for cloud deployments. The customer also got a chance to leverage emerging security technology.
  3. Automated security: Automating their security operations and integrating them into the deployment pipeline allowed their application teams to scale their pace of deployment without compromising the overall security of the application.

Tech Stack

AWS Lambda, AWS Active Directory, AWS Direct Connect, Amazon Inspector, Amazon GuardDuty, AWS Config Rules, AWS KMS, AWS IAM, Amazon CloudWatch, AWS CloudTrail

Service Tags: , ,