As a software platform handling payments at scale, Numeral sits at the intersection of multiple customers, vendors, and partners. All the data we process for our customers and banking partners is sensitive, and information security is therefore at the core of how we build our business. For us, this has been a priority since day one and our platform’s first line of code.
But security is not just a technological endeavour. It touches on every part of the business, from product design to vendor selection to organisation. And we believe it needs to be an integral part of the culture to provide the right foundations to serve our customers’ businesses.
From the inception of Numeral in July 2021, we chose to rely on the ISO 27001 international standard on information security management. ISO 27001 provides a clear framework for building strong security governance, and its implementation can be independently assessed by a third-party certification body.
After we officially received our ISO 27001 certification on December 16th, 2022, we thought we should share more details about what we have built and how we have built it.
In this article, we outline our philosophy of building a tech company with security at heart. It highlights our approach to security as a culture and some of the concrete steps we take to ensure the security of the data of our customers and banking partners.
We knew from the beginning that our main challenge was establishing security as a core element of our company culture. This is a requirement for the security-aware mindset to spread and infuse into every corner of the organisation.
Building a culture relies on a few keystones:
Clear, understandable, and agreed objectives
Efficient processes to foster trust and adherence
That is why we wrote our corpus of security policies collaboratively. The objective was to build them bottom-up so that they come from the whole team, who would have to endorse and comply with them afterwards. It also ensures they fit our lean and agile way of working at Numeral.
This is how we made sure to equip ourselves with a consistent and adequate set of rules.
We approached risk analysis with the same mindset.
By following a carefully tailored method that we defined internally (based on an assets, threats and vulnerabilities model), it took us no less than ten days of collaborative workshops to identify and evaluate our information security risks.
Every single teammate contributed to these workshops, from our two co-founders to our squad leads and each one of our developers.
All these collaborative works have produced the complete documentation for our information security management system (ISMS), covering critical topics such as:
Information security policies (overarching policy and specific topic-related ones)
Roles and responsibilities
Classification of information
Identity and access management
Privacy and protection of personally identifiable information (PII)
As a software company, it is key to integrate security at the core and throughout each step of our development lifecycle.
We worked jointly with all the stakeholders, from product managers to QA engineers, to establish the security activities and validation gates along the product, engineering and operations phases. For instance, we established that the security team contributes to the product roadmap, specifies security requirements, can mandate ad-hoc penetration test audits (pentests) by external partners, …
This results in our reference process called secure software development lifecycle (S-SDLC). It’s applied transversally to all product and development projects at Numeral.
Even unwittingly, individuals remain one of the weakest links in the chain. Whatever the strength of the other security controls, the human factor has to be addressed carefully.
This means implementing dedicated controls, beginning with attentively screening candidates on both their soft and hard skills, but also on the accuracy of their stated professional history. We are very attentive to this and systematically perform reference checks.
The contractual security responsibilities of Numeral staff, and the rationale behind them, are clearly explained and closely followed up.
We pay particular attention to training each of our employees in their duties and areas of responsibility.
We deployed a recurring awareness and training program. Beyond the usual training upon staff onboarding, we set up monthly security events whose content is contextualised to Numeral's current stakes and to security news: cryptography, secure software development, authentication patterns, etc.
Recurring company-wide gatherings are also first-choice opportunities to strengthen this culture of security. We organise social events such as capture-the-flag contests among all staff, including non-tech employees, and have fun while learning jointly.
The main goal is to constantly keep security as a critical topic in everyone's mind and keep internal knowledge sharp and up-to-date.
A comprehensive palette of modern security controls is deployed at Numeral. We rely on modern paradigms and patterns and on state-of-the-art tooling.
Numeral's tech stack is built on a full cloud microservices architecture. Our software factory is built around a fully automated continuous integration / continuous deployment (CI/CD) platform.
We leverage this tool suite to implement and continuously refine an overall DevSecOps philosophy.
Every single line of code systematically goes through security gates. Merge requests, in addition to peer reviews, are also reviewed by our security team each time they relate to a security function. Our source code and its external libraries and dependencies, as well as each produced Docker image, undergo automated security scans. A change can only be promoted to the next stage (staging, testing, and production) if all the lights are green.
Importantly, all our infrastructure is defined and configured as code. Treating infrastructure-as-code (IaC) the same way as any other source code allows it to go through these exact same gates for checks, scans and testing. Moreover, IaC also means all our infrastructure definition and configuration, including networking and network security, is version controlled, and therefore easy to template, roll back and repeat (deployments are guaranteed to be identical).
Adopting such a fully cloud-based platform leads us to treat computational resources as cattle, not pets. This approach allows us to embrace the immutable infrastructure pattern. As a result, we only manage workloads as immutable Docker containers, which removes many risks since each workload embeds only the bare minimum of dependencies and not even a shell (we use distroless base images).
These paradigms streamline vulnerability management, which can then be automated and handled naturally by our CI/CD pipelines, which rebuild and redeploy refreshed and patched versions of our workloads.
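To make the immutable, distroless pattern described above concrete, here is an added example of the kind of multi-stage build that produces such an image. It is not Numeral's own Dockerfile; the Go toolchain, the service name `payment-service` and its source path are assumptions made for the example.

```dockerfile
# syntax=docker/dockerfile:1
# Stage 1: build a statically linked binary from source.
# The Go toolchain and the "payment-service" name/path are assumptions for this example.
FROM golang:1.21 AS build
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# CGO disabled: no libc dependency, so the binary runs on a static base image.
# -trimpath and -s -w strip build paths and debug symbols from the artifact.
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" \
    -o /out/payment-service ./cmd/payment-service

# Stage 2: runtime image. distroless/static ships no shell, no package manager
# and no libc: only CA certificates, tzdata and a /etc/passwd with a nonroot user.
# Everything in the final image is therefore the binary plus that minimal base,
# which is what keeps the scanned dependency surface small and the image immutable.
FROM gcr.io/distroless/static-debian12:nonroot
COPY --from=build /out/payment-service /payment-service
# The :nonroot tag already defaults to uid 65532; stating it keeps the intent visible.
USER nonroot:nonroot
EXPOSE 8080
# Exec form is mandatory here: there is no /bin/sh to interpret a shell-form command.
ENTRYPOINT ["/payment-service"]
```

Because the runtime stage has no shell, `docker exec -it <container> sh` fails by design; debugging is done with an ephemeral sidecar or the `:debug` distroless variant, never by adding tools to the production image. Rebuilding this image in CI with refreshed base layers is what turns patching into a redeploy rather than an in-place change.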
Authentication is at the heart of our security focus, through the centralisation of our internal identity platform, heavy use of SSO mechanisms and the rigorous use of multi-factor authentication (MFA). We extended our MFA security policies to enforce the use of hardware security keys as MFA devices for all privileged (administrative) accounts.
Access is only provided based on the principle of least privilege (PoLP) and the business need.
Encryption is not optional at Numeral. Encryption is enforced by policies and is constantly monitored at the infrastructure level by CI/CD security scans and under permanent surveillance by our cloud security posture management (CSPM) platform. It also applies to Numeral products, as we enforce AES-256 encryption for data at rest and TLS 1.2 with modern cipher suites for data in transit.
Efficient monitoring and alerting are key to incident management, forensics, traceability and non-repudiation. Thus we deployed a modern and efficient log management system: all logs, whether produced at the infrastructure or application level, are collected, centralised and archived in dedicated read-only long-term storage.
They are constantly monitored, analysed and searched for abnormalities to ensure early detection of suspicious activity.
On top of all this, we also run annual global pentest campaigns. We entrust their execution to specialised external partners. Working with external organisations brings both expertise and an unbiased opinion.
This helps us to keep up with the latest threats and take proactive measures to protect against them.
During each step of this journey, the framework provided by the ISO 27001 standard allowed us to follow a clear path to implementation. That’s why we are very proud to have achieved this major milestone by getting officially certified on December 16th 2022. This is a strong third-party stamp of approval for Numeral’s security management system.
ISO 27001 is an international standard that provides a framework for managing sensitive information and protecting against cyber threats. It's a rigorous certification process that requires organisations to demonstrate their compliance with a set of security controls and best practices.
We have always been committed to ensuring the security and privacy of our customers' information. As part of this commitment, we have implemented a comprehensive approach to cybersecurity that includes technical solutions, strong policies and procedures, incident response planning, employee education and awareness, and regular risk assessments.
And this is just the beginning: we are committed to continuing to make information security a top priority and to staying up to date with the latest threats and best practices. We will continue to work hard to protect our customers' sensitive information and earn their trust.