Questrade, Inc: GKE Infrastructure Threat Modelling
About Questrade, Inc
Questrade, Inc. is a leading Canadian online brokerage firm that provides self-directed investment services to empower over 500,000 customers to take control of their financial future. With an innovative online platform and a market capitalization of over CAD 1 billion, Questrade offers affordable trading options and educational resources for easy portfolio management.
GKE Infrastructure Threat Modelling
The financial services provider, Questrade, Inc, sought guidance to assess the security of their GKE infrastructure. ControlPlane collaborated with Questrade, Inc to perform an architectural review and comprehensive threat modelling of their GKE infrastructure to identify security risks and vulnerabilities, derive security requirements, and provide prioritized security controls and a roadmap for enhancing the security posture of their GKE clusters.
Challenges
Questrade, Inc faced several challenges with their GKE infrastructure, including:
- Lack of prior threat modelling for the GKE clusters
- Absence of established internal threat modelling practices within the company
- Need for cluster segregation between business applications and infrastructure-as-code/pipeline runners in the GKE infrastructure
ControlPlane Solution and Results
ControlPlane addressed the challenges faced by Questrade, Inc by implementing the following solutions:
- Performing an architectural overview of the GKE infrastructure to gain a comprehensive understanding of its components and interactions
- Conducting scenario-based threat modelling for the GKE clusters, covering various threat scenarios such as compromised pods, compromised nodes, unauthenticated internet attackers, non-privileged insiders, and privileged insiders.
- Deriving security requirements from the identified threats and performing a Red, Amber, Green (RAG) risk assessment for each requirement
- Prioritizing security controls based on the threat model exercise
- Conducting a baseline assessment of the GKE infrastructure against the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) v4 control domains to align the organization with industry standards
Business Outcomes
The collaboration between ControlPlane and Questrade, Inc resulted in the following benefits:
- Questrade, Inc successfully obtained a banking licence from the Office of the Superintendent of Financial Institutions (OSFI) in Canada
- Enhanced security practices positioned them favourably for their successful application for a banking licence
- Baseline assessment against the CSA CCM v4 control domains allowed them to align with industry standards and best practices
- Gained insights into the security risks and vulnerabilities within their GKE infrastructure
- Prioritized security requirements provided a roadmap for improving the security posture of the GKE clusters
ControlPlane’s expertise in cloud-native security and threat modelling empowered Questrade, Inc to enhance the security of their GKE infrastructure, address potential vulnerabilities, and align with industry standards. The threat modelling exercise and CSA CCM v4 baseline assessment provided valuable insights and a roadmap for improving security practices. Questrade, Inc’s commitment to security and adherence to industry standards positioned them favourably as they pursued their application for a banking licence.