About Bajaj Housing Finance Limited (BHFL)
Bajaj Housing Finance Limited (BHFL) is a 100% subsidiary of Bajaj Finance Limited – one of the most diversified NBFCs in the country with 19 product lines across consumer, commercial and SME finance, which makes it one of the most profitable companies in the category. BHFL continuously strives to meet its customer’s housing finance requirements, through its investments in technology, processes, people and a strong analytical approach.
Bajaj housing finance embraced cloud transformation to significantly ramp up the digital presence of its insurance businesses across the country and cater to the increasing need of the ability to make faster decisions, reduce their time to market, leverage unlimited scalability, and reduce their susceptibility to seasonal skews. This goal gave them an important point to work on.
Automated cloud security
Amid this digital revolution, and being part of a highly regulated industry, BHFL was required to comply with strict regulatory controls, improve their application security posture on AWS, and select the level of security and resiliency appropriate for their workloads.
To navigate through this environment, BHFL was seeking assistance in securing their public and private applications, protecting the data on EC2 and bastion servers. They were looking for a solution that would filter the outgoing internet traffic and apply a notification-trigger mechanism to audit the logs. This solution would play a crucial role to stand in-between the entire EC2 servers and internet and allowed only whitelisted domain and subdomains, based on strict regular expressions match.
They required a solution that could automate the patching based on need-basis and maintain the security of the EC2 servers at all times. Additionally, they wanted a secure line of communication between the on-premise network and the AWS infrastructure. Lastly, they wanted to maintain a software inventory check on the bastions servers on time for audit and compliance purposes.
Blazeclan proposed a multi-fold approach to support BFDL achieve the desired outcome. To begin with:
- The certified security professionals conducted security risk assessment reviews to identify the current environment and performed a gap analysis in their current architecture.
- AWS environment hardening was executed by leveraging custom cloud formation scripts, to ensure security best practices are used while setting the cloud environment.
- The team reviewed and implemented Indusface WAF, a 3 rd party solution to secure the web traffic coming from the public web, providing a high availability feature to the application.
- The team also implemented an AWS marketplace solution, DLP software product, that uses business rules to classify and protect confidential and critical information and curb unauthorized end users accidentally or maliciously share data to the outside world.
- With Blazeclan’s Cloud Security Automation service, deployments were accelerated with security as a part of the workflow.
- Service-specific security consulting included the following:
- For monitoring the production resources, the team advised the use of Amazon CloudWatch to capture and summarize utilization metrics natively for AWS resources.
- Setting up AWS CloudTrail helped them to log, continuously monitor, and retain account activity related to actions across their AWS infrastructure.
- Implementing bucket policies helped them to restrict access to their S3 resources.
- AWS Config rules were configured to run continuous assessment checks on their resources to verify that they comply with their security policies, industry best practices, and compliance regimes.
- AWS Key Management Service was introduced to encrypt EBS volume and RDS snapshots.
- AWS Direct Connect and VPN Tunnel were provisioned to create a secure and encrypted communication between their on-premise applications and AWS environment.
- Identity and Access management policies were leveraged to create and manage multiple users under a single AWS account.
- Proxy server/load balancers were set up to better control network and user traffic to their applications, the team. This load balancer acted as a network traffic filter alongside VPC NACLs and security groups which added an extra layer of security at the network layer.
- AWS SSM was provisioned to collect the information and display the software inventory on the AWS console for audit and compliance purposes.
- AWS SNS and simple scripted automation was implemented and scheduled to check the open CVE’s on every application and further notify the stakeholders.
- The team created a patching setup which was based on the open-source software Jenkins.
Overall, a complete upscale of their entire AWS account and environment based on security pillars of AWS well-architected framework was proposed to them.
- Optimized cloud environment: The customer identified the security disciplines in place under their legacy system and was able to create a similar secured AWS environment.
- Staying ahead of the security curve: The customer chose to stay ahead of the technology and we supported them in building secure frameworks for cloud deployments. The customer also got a chance to leverage emerging security technology.
- Automated security: Automating their security operations and integrating them into the deployment pipeline, allowed their application teams to scale their pace of deployment without compromising the overall security of the application.
AWS Cloudtrail, Amazon CloudWatch, AWS IAM, AWS KMS, AWS Config rules, AWS SSM, AWS SNS, AWS Direct Connect