BUSINESS: Headquartered in Kochi, India, PearlDataDirect is the IT service provider to LuLu Financial Group, a financial services specialist with operations spanning the Indian subcontinent, GCC and APAC regions.
BUSINESS CHALLENGE: To help its parent company launch a new digital app, PearlDataDirect aimed to take advantage of cloud technologies. How can the company show its regulators that all systems—cloud and on-premises—are protected against vulnerabilities?
Migrant labor plays a vital role in the Gulf Cooperation Council region’s economy, and each year, workers send billions of dollars in remittances to family members living in their home countries. LuLu Financial Group serves this segment via an extensive network of more than 150 retail banking locations across the region. To make cross-border remittances faster, easier, and more secure, LuLu Financial Group aimed to make its services available 24/7 via a new mobile app: Lulu Money.
As the IT services provider for LuLu Financial Group, PearlDataDirect has a mandate to build, manage, and maintain the IT infrastructure that underpins its digital capabilities. To support the launch of the new mobile app, PearlDataDirect targeted the latest cloud technologies.
Midhun Kumar, Head of Infrastructure and Cloud Operations at PearlDataDirect, takes up the story: “We manage a wide range of IT services for our parent company, including collaboration platforms, line-of-business applications, and ERP systems. Operating in a highly regulated industry means that governance and compliance are always high priorities, and we knew it would be essential to demonstrate that our new cloud technologies are aligned with stringent information security requirements.”
In the past, PearlDataDirect used open-source tools to drive its vulnerability management processes. Although this manual approach had served the company well when most of its sensitive systems sat behind the corporate firewall, PearlDataDirect realized that it would present challenges as it extended its IT environment into the cloud.
“Our regulators place very strict controls on vulnerability management,” continues Midhun Kumar. “We must report on each vulnerability we detect, how and when we will remediate it, and whether any other remediation activities are delayed, among other data points. Our previous tool made it difficult to identify the relative severity and criticality of our vulnerabilities, which meant building regulatory compliance reports was a time-consuming process. To accelerate our compliance activities—and enhance the security of our cloud environments—we decided to look for a new approach.”
As it set out on its cloud journey, PearlDataDirect formed a dedicated Cloud Center of Excellence (CCoE) to define and enforce company-wide best practices for managing cloud environments across its AWS and Azure ecosystems. To meet the compliance objectives, the company decided to extend the scope of the CCoE to include security and compliance activities—and PearlDataDirect looked for a new solution that could support the vulnerability management lifecycle from end to end.
After evaluating solutions from four leading vulnerability management specialists, PearlDataDirect selected Qualys as the foundation of its new information security strategy. By choosing the Enterprise TruRisk Platform, the company gains an end-to-end solution that automatically gathers and analyzes security and compliance data in a scalable, backend. This means PearlDataDirect can consolidate its security stack by provisioning any natively integrated security and compliance apps from Qualys—including its industry-leading Vulnerability Management, Detection and Response (VMDR) solution—with one click.
In a single app, Qualys VMDR offers PearlDataDirect the four key elements of an effective vulnerability management program: an accurate inventory of all assets, real-time detection of vulnerabilities and compliance risks, and prioritization and remediation of vulnerabilities.
“One of the main reasons we chose Qualys VMDR is the fact that no other solutions we evaluated provided such a wide range of capabilities in a single package,” recalls Midhun Kumar. “Because the Qualys solutions are cloud-based, there’s no need for us to provision separate infrastructure for a scanning engine, which greatly reduces cost and complexity. Qualys VMDR is also extremely intuitive, which makes it fast and easy for us to train new users.”
Why they chose Qualys:
PearlDataDirect’s IT environment comprises core systems hosted at an on-premises data center in the UAE, and other environments hosted on AWS and Azure, totaling approximately 350 servers. Qualys VMDR gives PearlDataDirect a 360-degree view of potential threats, accurate insights to help prioritize remediation work, and even guidance on potential fixes.
To help gather intelligence on cyber threats, PearlDataDirect uses Qualys sensors to automatically detect IP-connected systems in real time and send rules-based alerts to information security stakeholders.
To cover systems where network scanning is impractical, the company deploys lightweight Qualys Cloud Agents. These eliminate the need for manual, time-consuming scanning processes, and ensure the entire IT estate is being monitored and protected 24/7. Finally, Qualys offers PearlDataDirect immediate visibility of emerging threats across the network, such as changes to open ports, newly installed software, and expiring certificates.
“The difference between our previous scanning technology and Qualys is night and day,” adds Midhun Kumar. “Using sensors in Qualys VMDR, we can continuously monitor all network traffic to build up a complete picture of all the assets in our environment for the first time. Qualys Cloud Agents are truly a gem, as they enable us to capture real-time data on each of the assets on our network. By tagging assets based on attributes such as operating system, network, and criticality, we can rapidly determine which vulnerabilities we should focus on first.”
Crucially, Qualys is empowering PearlDataDirect to accelerate and enhance its regulatory reporting process. “Qualys allows us to instantly see the maturity of our compliance policies across AWS and Azure, based on Center for Internet Security [CIS] benchmarks,” explains Midhun Kumar.
Using the same data collected for VMDR, PearlDataDirect can demonstrate compliance with security regulations via the Qualys Policy Compliance app. PearlDataDirect can also map secure configurations to the best-practice standards mandated by its regulators, allowing it to automatically generate detailed mandate reports and demonstrate that all systems meet the standards that auditors expect.
Midhun Kumar adds: “Qualys Policy Compliance has dramatically simplified our approach to key regulatory processes. When we are going through an audit, or our parent company is applying to operate in a new region, our cybersecurity program is one of the first things that regulators ask about. With Qualys Policy Compliance, we can now generate accurate, in-depth regulatory reports in seconds.”
Today, the cloud CCoE relies on Qualys to protect its IT estate from cyber threats. The company now uses automated deployment workflows to extend VMDR further by sending vulnerability data captured via Qualys Web Application Scanning to Jenkins and Azure DevOps, ensuring that all issues are remediated before code goes into production.
Most importantly, the solution helps demonstrate that the company’s cloud environments are fully compliant with international regulatory requirements—empowering its parent company to quickly bring its new mobile app to market.
“Thanks to the work we’ve done with Qualys, our parent company is now supporting over one million migrant workers with fast, secure, and convenient mobile services to send money back to their families,” adds Midhun Kumar.
“Qualys VMDR provides a wide range of capabilities in a single package. Because the Qualys solutions are cloud-based, there’s no need for us to provision separate infrastructure for a scanning engine, which greatly reduces cost and complexity. Qualys VMDR is also extremely intuitive, which makes it fast and easy for us to train new users”
Head of Infrastructure and Cloud Operations, PearlDataDirect
Looking ahead, PearlDataDirect plans to build on its work with Qualys to further strengthen its information security posture. For example, the company is currently trialing Qualys Patch Management to automate its remediation processes, which could ultimately support more than 150 employees working remotely as a result of the COVID-19 pandemic.
“We’re now exploring Qualys Patch Management for a subset of our Linux systems,” comments Midhun Kumar. “Once proven, we could expand the solution to support our remote employees—ensuring our systems are protected at all times, regardless of whether they are inside the firewall or on an external network.”
Midhun Kumar concludes: “In Qualys, we’ve found a complete vulnerability management and compliance solution that meets all our core requirements. We see Qualys as a true partner, and we look forward to continuing our close collaboration as we take the next steps on our cloud journey.”