Uphold Protects a Growing Cloud Infrastructure to Securely Deliver Innovative Financial Services to New Customers

Accelerating PCI DSS compliance reporting and enabling targeted remediation for vulnerabilities with a central, automated information security platform.

www.uphold.com

INDUSTRY: Financial Services

BUSINESS: Founded in 2013 and headquartered in Larkspur, CA, Uphold is a digital wallet and trading platform that makes cryptocurrencies and other assets affordable and accessible for everyone

SCOPE: International

SIZE: 150 Employees

BUSINESS CHALLENGE: As its business—and its cloud infrastructure—continue to grow, Uphold aims to enable industry-leading vulnerability management capabilities while reducing the cost and complexity of essential PCI DSS compliance activities.

SOLUTION:

  • Qualys Container Security
  • Qualys File Integrity Monitoring
  • Qualys Web Application Scanning
  • Qualys PCI Compliance
  • Qualys VMDR

Uphold Inc. is on a mission to change the way people use money, and it provides borderless access to financial services not typically available through banks. Offering frictionless foreign exchange and cross-border remittance in more than 30 traditional currencies and cryptocurrencies, the company has powered more than US$4 billion in financial transactions since 2015.

A leading innovator in the sector, Uphold uses cutting-edge cloud and container technologies to deliver its services. The company’s infrastructure is based on a multi-region, active-active cloud architecture, providing high availability for mission-critical processes.

To maintain a rock-solid information security posture, the company continually scans its cloud environments for vulnerabilities. In addition, Uphold creates regular reports that demonstrate to regulators that its payments systems comply with the Payment Card Industry Data Security Standard (PCI DSS).

Driving Growth, Cutting Risk

In recent years, Uphold has driven successful growth and scaled out its IT infrastructure significantly to accommodate a larger customer base. With more than 1,000 containers and hundreds of virtual machines across its global business, Uphold aimed to protect the larger attack surface without driving up the cost and complexity of its information security and compliance processes.

Paul Lee, CISO at Uphold, explains, “Every quarter, we engage an Approved Scanning Vendor [ASV] to assess our PCI DSS compliance, which involves an assessment against several key business controls. In the past, we had to swivel between multiple systems to collate the data—a complex and time-consuming process.”

He continues, “As well as making it difficult to gather the data we needed, our previous ASV also required the user to manually compare each piece of evidence against each business control and determine whether it met the appropriate standards. Each year, our senior IT leaders would spend around 10 days on PCI compliance assessments—diverting them from other core duties.”

Why Uphold chose Qualys:

  • Eliminates two FTE days of work from Uphold’s quarterly compliance processes, liberating senior leaders to focus on other value-add activities.
  • Delivers timely vulnerability insights for more than 1,000 containers and hundreds of cloud instances.
  • Facilitates risk-based vulnerability management decisions, empowering Uphold to prioritize remediation tasks efficiently.

Targeting a New Approach for Compliance

As its business continued to grow, Uphold targeted a more scalable and cost-effective approach to PCI compliance. The aim was to accelerate the process, liberating senior decision-makers to focus on value-added activities.

After reviewing several solutions for PCI compliance, Uphold selected Qualys as its new ASV. Using Qualys PCI Compliance, the company gains a streamlined solution for the end-to-end process: from compliance testing to reporting and submission.

“One of the things we appreciate most about the Qualys solution is the way it aggregates the relevant PCI data for each business control in a single, easy-to-digest view,” recalls Lee. “Using Qualys PCI Compliance, I can assign compliance tasks to my team, track whether the outcomes are positive or negative, and ensure we take the necessary steps to meet the PCI standards. We can even submit our reports to Qualys for review before we submit them, which gives us the peace of mind that we’re always on top of the current regulatory obligations.”

By combining the solution with Qualys File Integrity Monitoring (FIM), Uphold preserves a complete audit trail of every file change in its PCI environments—another key compliance requirement.

Lee adds, “Another thing that really impressed us about Qualys was the expertise, professionalism and dedication of their team. Throughout the implementation process and beyond, we have always been able to count on Qualys to give us the support and guidance we need.”

Enhancing Vulnerability Management Processes

To build on Qualys PCI Compliance’s capabilities, Uphold decided to augment its information security platform with Qualys VMDR: an integrated solution for vulnerability management, detection, and response.

“Using Qualys VMDR, we gain timely, accurate and fine-grained visibility of our assets and their vulnerabilities,” continues Lee. “Crucially, VMDR lets us explore these vulnerability insights based on criteria such as the type, severity and operating systems affected. The reports are extremely intuitive, and the rich, actionable intelligence they provide makes it easy for us to build efficient, risk-based remediation plans.”

Delivering End-to-End Protection

Uphold knows that security is an active, continuous process. To help protect its IT environments against cyber threats, the company uses Qualys Container Security to verify that sensors are deployed across its 1,000 container assets and ensure that users can only deploy new containers using images from trusted repositories.

To help harden its environment against new exploits and attacks, Uphold has launched a bug bounty program. To verify bugs detected through the bounty program, the company uses Qualys Web Application Scanning (WAS) to identify vulnerabilities and misconfigurations.

“We feel that the bug bounty model offers considerable advantages over a traditional penetration testing regime since it more closely matches real-world scenarios,” explains Lee. “Qualys WAS plays an important role in enabling our bug bounty program and is making a significant contribution to our overall security posture.”

Saving Time, Strengthening Security

Since it switched to the Enterprise TruRisk Platform, Uphold has achieved its goal of streamlining the compliance process and liberating its top talent to focus on value-added work.

“The automated, guided approach in Qualys PCI Compliance helps us save two full-time equivalent days per quarter,” comments Lee. “As our business continues to grow, scalable back-office processes will be crucial to keep operational cost and complexity under control—and that’s exactly what our Qualys solutions are allowing us to do.”

“With the Enterprise TruRisk Platform, we don’t just shine a light on the issues in our environment, we gain clear insights into how to fix them.”
Paul Lee

CISO, Uphold, Inc.

As Uphold continues to expand its business and connect new global customers with innovative financial services, the company is confident it can protect its growing cloud and container environments without sending costs soaring.

Lee concludes, “Information security threats thrive in the dark. With the Enterprise TruRisk Platform, we don’t just shine a light on the issues in our environment, we gain clear insights into how to fix them. Although our journey with Qualys is just beginning, we’re delighted with what we’ve achieved so far and are looking forward to exploring opportunities to further enhance our cybersecurity capabilities.”