INDUSTRY: Financial Services
BUSINESS: Founded in 2013 and headquartered in Larkspur, CA, Uphold is a digital wallet and trading platform that makes cryptocurrencies and other assets affordable and accessible for everyone
SIZE: 150 Employees
BUSINESS CHALLENGE: As its business—and its cloud infrastructure—continue to grow, Uphold aims to enable industry-leading vulnerability management capabilities while reducing the cost and complexity of essential PCI DSS compliance activities.
Uphold Inc. is on a mission to change the way people use money, and it provides borderless access to financial services not typically available through banks. Offering frictionless foreign exchange and cross-border remittance in more than 30 traditional and cryptocurrencies, the company has powered more than US$4 billion in financial transactions since 2015.
A leading innovator in the sector, Uphold uses cutting-edge cloud and container technologies to deliver its services. The company’s infrastructure is based on a multi-region, active-active cloud architecture, providing high availability for mission-critical processes.
To maintain a rock-solid information security posture, the company continually scans its cloud environments for vulnerabilities. In addition, Uphold creates regular reports that demonstrate to regulators that its payments systems comply with the Payment Card Industry Data Security Standard (PCI DSS).
In recent years, Uphold has driven successful growth and scaled out its IT infrastructure significantly to accommodate a larger customer base. With more than 1,000 containers and hundreds of virtual machines across its global business, Uphold aimed to protect the larger attack surface without driving up the cost and complexity of its information security and compliance processes.
Paul Lee, CISO at Uphold, explains, “Every quarter, we engage an Approved Scanning Vendor [ASV] to assess our PCI DSS compliance, which involves an assessment against several key business controls. In the past, we had to swivel between multiple systems to collate the data—a complex and time-consuming process.”
He continues, “As well as making it difficult to gather the data we needed, our previous ASV also required the user to manually compare each piece of evidence against each business control and determine whether it met the appropriate standards. Each year, our senior IT leaders would spend around 10 days on PCI compliance assessments—diverting them from other core duties.”
Why Uphold chose Qualys:
As its business continued to grow, Uphold targeted a more scalable and cost-effective approach to PCI compliance. The aim was to accelerate the process, liberating senior decision-makers to focus on value-added activities.
After reviewing several solutions for PCI compliance, Uphold selected Qualys as its new ASV. Using Qualys PCI Compliance, the company gains a streamlined solution for the end-to-end process: from compliance testing to reporting and submission.
“One of the things we appreciate most about the Qualys solution is the way it aggregates the relevant PCI data for each business control in a single, easy-to-digest view,” recalls Lee. “Using Qualys PCI Compliance, I can assign compliance tasks to my team, track whether the outcomes are positive or negative, and ensure we take the necessary steps to meet the PCI standards. We can even submit our reports to Qualys for review before we submit them, which gives us the peace of mind that we’re always on top of the current regulatory obligations.”
By combining the solution with Qualys File Integrity Monitoring (FIM), Uphold preserves a complete audit trail of every file change in its PCI environments—another key compliance requirement.
Lee adds, “Another thing that really impressed us about Qualys was the expertise, professionalism and dedication of their team. Throughout the implementation process and beyond, we have always been able to count on Qualys to give us the support and guidance we need.”
To build on Qualys PCI Compliance’s capabilities, Uphold decided to augment its information security platform with Qualys VMDR: an integrated solution for vulnerability management, detection, and response.
“Using Qualys VMDR, we gain timely, accurate and fine-grained visibility of our assets and their vulnerabilities,” continues Lee. “Crucially, VMDR lets us explore these vulnerability insights based on criteria such as the type, severity and operating systems affected. The reports are extremely intuitive, and the rich, actionable intelligence they provide makes it easy for us to build efficient, risk-based remediation plans.”
Uphold knows that security is an active, continuous process. To help protect its IT environments against cyber threats, the company uses Qualys Container Security to verify that sensors are deployed across its 1,000 container assets and ensure that users can only deploy new containers using images from trusted repositories.
To help harden its environment against new exploits and attacks, Uphold has launched a bug bounty program. To verify bugs detected through the bounty program, the company uses Qualys Web Application Scanning (WAS) to identify vulnerabilities and misconfigurations.
“We feel that the bug bounty model offers considerable advantages over a traditional penetration testing regime since it more closely matches real-world scenarios,” explains Lee. “Qualys WAS plays an important role in enabling our bug bounty program and is making a significant contribution to our overall security posture.”
Since it switched to the Qualys Cloud Platform, Uphold has achieved its goal of streamlining the compliance process and liberating its top talent to focus on value-added work.
“The automated, guided approach in Qualys PCI Compliance helps us save two full-time equivalent days per quarter,” comments Lee. “As our business continues to grow, scalable back-office processes will be crucial to keep operational cost and complexity under control—and that’s exactly what our Qualys solutions are allowing us to do.”
“With the Qualys Cloud Platform, we don’t just shine a light on the issues in our environment, we gain clear insights into how to fix them.”
CISO, Uphold, Inc.
As Uphold continues to expand its business and connect new global customers with innovative financial services, the company is confident it can protect its growing cloud and container environments without sending costs soaring.
Lee concludes, “Information security threats thrive in the dark. With the Qualys Cloud Platform, we don’t just shine a light on the issues in our environment, we gain clear insights into how to fix them. Although our journey with Qualys is just beginning, we’re delighted with what we’ve achieved so far and are looking forward to exploring opportunities to further enhance our cybersecurity capabilities.”