BUSINESS: Founded in 2010, G2A has grown to become one of the world’s biggest digital gaming marketplaces, where over 25 million users browse tens of thousands of products from hundreds of thousands of sellers.
BUSINESS CHALLENGE: As it transitioned to an agile, microservices-based architecture, how could G2A ensure its global e-commerce platform, back-office systems, and everything in between are always protected against cyberattack?
G2A is one of the world’s biggest digital gaming marketplaces, with over 25 million customers and hundreds of thousands of sellers. Offering ultra-competitive prices across a wide selection of products, the company was ranked eighth by Cross-Border Commerce in its 2020 TOP 100 Marketplaces in Europe.
With operations in the Netherlands, Hong Kong, and Poland, G2A connects sellers and customers worldwide. As G2A is a born-online business, information security has been a top priority for the company ever since its foundation, and G2A is constantly searching for more effective ways to protect its operations from cyber risks.
Konrad Rudy, IT Lead – Infrastructure at G2A, explains: "In the past, our e-commerce platform was based on a monolithic architecture. To cut time-to-market and deliver new products and features faster, we’ve been driving a major transformation initiative over the last two years. Our products are now built on a microservices architecture, supported by Kubernetes. Keeping G2A safe within this new and fast-evolving IT landscape is one of our primary goals."
G2A relies on hundreds of applications, databases, and microservices components to drive its customer-facing systems and back-office applications. Behind the scenes, the company operates a hybrid environment comprising 300 servers distributed across two on-premises data centers in Europe and in the Azure cloud. The company’s IT teams support the entire global workforce, managing an estate of around 700 endpoints that includes workstations and laptops running Linux, macOS, and Microsoft Windows.
Dominika Dzierga, Junior Security Support Specialist at G2A, confirms: "To maintain a strong security posture, it's critical that our endpoints have the correct patches installed. With hundreds of workstations and laptops across our international business, it’s very important for us to be able to quickly identify the most severe vulnerabilities and deliver the information to the system owners as quickly as possible."
Why G2A chose Enterprise TruRisk Platform:
Previously, G2A used open-source tools to deliver insights into the security status of its IT assets. However, this approach made it difficult to gain a clear overview of vulnerabilities and increased the amount of manual work required to drive the vulnerability management process.
"By automating more of our information security workflows, we saw an opportunity to spend less time collating data and more time on value-added work," confirms Konrad Rudy.
To realize its goals, G2A decided to replace its existing tools with solutions from Qualys, a pioneer and leader in cloud-based security and compliance.
Using Qualys Vulnerability Management and Qualys Container Security apps—powered by the Enterprise TruRisk Platform—G2A can gather rich, accurate data on vulnerabilities across its entire IT landscape: from employee workstations in its offices to containerized applications on the Kubernetes platform.
Paweł Kowalik, IT Infrastructure Administrator at G2A, comments: "Qualys solutions significantly outperformed open-source tools for vulnerability management in terms of the depth and breadth of the information they provide. We also like the fact that we can access detailed reports via the Enterprise TruRisk Platform, which are available to us 24/7."
By deploying Qualys Cloud Agents across its servers and end-user devices, G2A gathers accurate information on the security status of its assets in near real time.
Dominika Dzierga adds: "The fact that Qualys Cloud Agents are so lightweight is a big advantage, as it means we get detailed data on vulnerabilities without any detectable reduction in end-user application performance."
She continues: "Using the Qualys solutions, we now have a single source of truth that shows which patches we need to deploy and which machines have end-of-life software to remove. Equally important, we can share data from the Enterprise TruRisk Platform directly with our Service Desk team, who can often patch many of the systems automatically."
With Qualys Container Security, G2A empowers its developers and product teams to build services that meet the company’s rigorous information security requirements.
"Within just a few months of deploying Qualys Container Security, we designed an automated workflow to support our continuous integration and continuous delivery [CI/CD] pipeline in Jenkins," explains Konrad Rudy. "By automatically scanning our Docker images before deployment, we help our DevOps teams to ensure that they do not push vulnerable software into production."
By embedding Qualys solutions in its information security process, G2A is achieving its objective of protecting its IT assets around the world against cyberattackers.
"G2A’s philosophy is that the users who are closest to a system should be the ones responsible for keeping it secure—but to put this idea into practice, it’s still important to have central visibility of vulnerabilities across the organization," says Paweł Kowalik.
"With Qualys, we can provide the insights our developers need to create secure services and the information our Service Desk needs to keep employee workstations patched. Crucially, we can track outstanding vulnerabilities and escalate as appropriate to ensure they are remediated in a timely manner."
The workstation security team at G2A is now using information from Qualys Vulnerability Management to help increase the speed and efficiency of its remediation efforts.
"Qualys Vulnerability Management is allowing us to significantly reduce the number of vulnerabilities across our IT endpoints," says Dominika Dzierga. "For example, in the last three months, we’ve cut the number of severity level five vulnerabilities by 92%, and severity level three to five vulnerabilities by an average of 85%. Data from Qualys also helps us prioritize our remediation work based on severity levels of the vulnerability and the business impact of the asset, which helps us to focus our attention where it’s needed most."
Looking ahead, G2A believes that Qualys will play an important role in the continuous enhancement of its security capabilities. For example, the company has recently formed a dedicated endpoint security team, which relies on reports in Qualys Vulnerability Management to steer its work.
"We greatly value our partnership with Qualys—whenever we’ve had a technical issue or requested a new feature, the team has always been responsive to our needs," concludes Konrad Rudy. "Qualys solutions are crucial to help G2A protect the buyers and sellers who use our digital platforms every day, and we look forward to working with Qualys to enhance our security capabilities in the future."