PayNet partners with Cloudflare for DDoS protection & Zero Trust authentication

Payments Network Malaysia (PayNet) develops and operates Malaysia's payments network and shared central infrastructures to enable financial institutions, merchants, and government agencies to standardize and integrate electronic payments. Its mission is to promote more inclusive, efficient, and collaborative financial ecosystems in Malaysia. PayNet shareholders do not receive dividends in support of this mission. PayNet, on the other hand, reinvests its profits to ensure that Malaysia's financial market infrastructures and payment ecosystems are resilient, competitive, and accessible to all.

Thanks to PayNet’s Duitnow QR service, DuitNow, which lets consumers instantly transfer funds using their mobile number, national ID card number, or other proxy options, electronic real-time payments have become as popular as cash among consumers in Malaysia (1). Merchants also benefit from Duitnow because it enables them to sign up with just one acquirer (bank or eWallet) to accept all QR payments, avoiding multiple onboarding processes and performing multiple reconciliations of separate QR statements (2).

Challenge: Secure public API endpoints while moving closer to a Zero Trust security architecture

The Malaysian financial services relies heavily on on-premise legacy equipment, such as mainframe systems. For this reason, PayNet has historically built up private connectivity to banks, offering services that were not accessible via the public Internet. However, as cloud-based electronic payment providers emerged, PayNet’s connectivity with banks had to evolve, transitioning to public API endpoints.

This transition from private connectivity to public API endpoints made it necessary for PayNet to move towards a Zero Trust security architecture so that PayNet could continue to provide secure and trusted transactions. PayNet also needed to ensure that their API endpoints were scalable and protected from DDoS attacks, which could negatively impact availability and reliability.

Prior to partnering with Cloudflare, PayNet used an on-premise web application firewall (WAF) and DNS service, with DDoS protection provided by their ISP. However, the on-premise WAF and DNS service were complex and time-consuming to configure and manage. While the DDoS service provided only L3 and L4 protection, it left L7 vulnerable.

None of these solutions were easily scalable, nor did any provide PayNet with visibility into their web traffic or support a modern Zero Trust security architecture. PayNet wanted easy-to-use, scalable, cloud-based solutions that would provide the visibility they needed while simultaneously moving the company closer to Zero Trust.

PayNet chose Cloudflare over a competing vendor due to its ease of use, rapid pace of innovation, transparency, customer-centric approach, and competitive pricing. After deploying the DNS service and WAF, PayNet also deployed Magic Transit, a cloud-based solution that uses the Cloudflare global network to protect entire IP subnets from DDoS attacks while also accelerating network traffic, and Mutual TLS (mTLS), which ensures that traffic between a client and server is both secure and trusted in both directions.

Magic Transit and the Cloudflare WAF provide easy configuration and valuable analytics on web traffic

Since deployment, Magic Transit has mitigated all DDoS attacks within minutes. Magic Transit provides the scalability, ease of use, visibility, and protection at the L7 layer that PayNet’s previous DDoS solution lacked.

“Magic Transit’s scale, dashboard analytics, and dynamic capabilities add a lot of value to the solution,” says Preman Padmanabhan, senior principal engineer. “We get immediate attack alerts, and we can see where the attacks are coming from.”

Magic Firewall, a network-level firewall that Cloudflare provides to all Magic Transit customers, enables PayNet to easily block common attack vectors using simple API calls or directly from the dashboard. For example, PayNet has blocked the Remote Desktop Protocol application protocol, which is a common attack vector that PayNet does not use.

“Previously, if we needed to block a particular port, we had to call our ISP and request that they do it,” Padmanabhan explains. “With Magic Firewall, we simple make an API call. It’s easy and much faster than calling our ISP.”

The Cloudflare WAF is much easier to use than PayNet’s previous on-prem solution, and it provides PayNet with additional visibility into its web traffic. This visibility enables PayNet’s engineers to rapidly pinpoint the root causes of problems and resolve them quickly, ensuring that its services remain fast and secure, and allowing PayNet’s engineering team to focus on internal projects instead of getting bogged down with security issues.

“We have a small security team, and our engineers need to focus on product development,” explains Kenny Tse, Head of Information Technology Security. “Cloudflare has the security expertise to provide and maintain built-in WAF rules that are far more current and comprehensive than what we could have come up with.”

PayNet now has much better insights into its threat environment and security posture thanks to Magic Transit, Magic Firewall, and the Cloudflare WAF. PayNet uses these insights not only to harden its security but also to ensure that its services scale rapidly to accommodate increasing demand.

“Prior to partnering with Cloudflare, we had limited visibility into our web traffic,” says Julian Gomez, head of technical services. “Cloudflare Magic Transit, Magic Firewall, and WAF enable us to see what types of attacks we’re getting, take proactive measures to prevent them, and share relevant data with all internal team members.” As an example, PayNet shares Magic Transit and WAF analytics with applications developers so that they can better perform capacity planning and optimize application response times.

The analytics provided by Magic Transit and the WAF also simplify compliance reporting.

“Compliance mandates require DDoS and WAF protection on every app that has a public endpoint,” Gomez explains. “Cloudflare’s analytics and reporting let us prove that our protection isn’t just sufficient, but significantly better than what we had previously, helping us remain compliant.”

mTLS helps PayNet provide scalable Zero Trust authentication for an upcoming product

PayNet deployed mTLS because it needed a way to move TLS away from its own web server in preparation for a new online e-commerce service with Malaysia’s Debit Card Scheme rolling out in July 2021. In Malaysia, the ability to make online payments is largely restricted to consumers who have online bank accounts. This new service will make it easier for more Malaysians to purchase goods and services digitally, even if they don’t have an online banking account.

mTLS provides PayNet with a dashboard interface to manage TLS certificates, negating the need to have a certificate on the server itself. Cloudflare handles all external connectivity and encryption, simplifying PayNet’s tech stack and providing a consistent architecture across services. mTLS also provides the high scalability that PayNet needs for what they expect will be a high-demand service that will require continued innovation.

“mTLS gives us the scalability we need to rapidly expand our product’s user base and add new features without sacrificing performance,” Tse says.

mTLS is helping PayNet accelerate its adoption of modern Zero Trust security standards by authenticating web requests that are not logging in with an identity provider, including from mobile phones and point-of-service (POS) terminals.

“A Zero Trust implementation is a marathon, not a sprint,” Tse points out. “By helping us with user authentication on our new service, mTLS gets us one step closer to our ultimate goal of a full-on Zero Trust architecture.”

Cloudflare DNS simplifies DNS configuration and helps PayNet avoid vendor lock

Prior to switching to Cloudflare DNS, the PayNet team dedicated significant planning and engineering effort time to install, configure, and maintain new network security hardware for on-premise DNS and WAF solutions. PayNet also had to lease IP space from multiple providers, which restrained growth and subjected PayNet to vendor lock-in. If PayNet required additional IP address capacity, they had to ask their providers to allocate it. Furthermore, if another provider offered a better deal on bandwidth, PayNet would be unable to easily switch.

Cloudflare DNS was able to simplify configuration and enable PayNet to more easily switch ISPs and drive better commercial outcome. PayNet no longer has to worry about maintaining their DNS server and securing against cyber attacks.

The PayNet team appreciates the ease of having an integrated set of security solutions provided by one vendor.

“Before deploying Cloudflare, I had more systems to manage than I had time,” says Gomez. “With Cloudflare handling routine maintenance of all its solutions, I have peace of mind, and I can channel engineering time to other business projects.”

PayNet intends to build a long-term partnership with Cloudflare and is exploring the possibility of using additional Cloudflare solutions for security and serverless computing.

Related Case Studies
Key Results
  • Magic Transit mitigates attacks at PayNet’s L7 layers within minutes.

  • Mutual TLS allows PayNet to move toward Zero Trust security by authenticating web requests from various endpoints.

  • Magic Firewall allows for blocking attacks with less complexity than their previous provider.

  • Magic Transit and Cloudflare WAF analytics simplify compliance reporting and give PayNet better insights into its threat environment.

Cloudflare Magic Transit, Magic Firewall, and WAF enable us to see what types of attacks we’re getting, take proactive measures to prevent them, and share relevant data with all internal team members.

Kenny Tse
Head of Information Technology Security

A Zero Trust implementation is a marathon, not a sprint. By helping us with user authentication on our new service, mTLS gets us one step closer to our ultimate goal of a full-on Zero Trust architecture.

Kenny Tse
Head of Information Technology Security