Sign up for our newsletter
Technology / Cybersecurity

Online betting: How is Paddy Power Betfair doing secure DevOps?

For most businesses, being knocked offline temporarily is not an existential threat, but for the online betting industry it is crippling.

This can be a hamper on innovation, as potentially innovative bookmakers grapple with the danger of their site being knocked out through a glitch or a deliberate attack.

It is this availability danger that Paddy Power Betfair aims to address with its recent deployment of Balabit technology, which will help to support innovation in the company while allowing it to stay online.

Online betting is extremely time-sensitive and fast-moving, as evidenced by the large funds spent by bookmakers securing advertising during major sports events (according to the figures compiled for the Guardian by media analysts Nielsen, the industry spent £118.5m on TV spots in 2015). Odds change at a moment’s notice according to current events, and bets are often made on a whim.

White papers from our partners

Other companies that are less dependent on interaction at a specific moment or those that do not conduct the core transactions with their customers online have less to fear from availability being taken out.

William Hill has been hit by a DDoS attack.
William Hill has been hit by a DDoS attack.

This is why the recent distributed denial of service (DDoS) attack against bookmaker William Hill has been followed with such interest; it could be costing the company millions in missed transactions and perhaps as much again in lost brand loyalty.

Like any company, though, the betting industry needs to adapt, which is why Paddy Power has been working with contextual security company Balabit since 2015, before its merger with Betfair. However, the solution has only increased in importance since the merger and is now being deployed at Betfair as well.

“After the merger with Betfair we wanted to make sure we could focus on improving product delivery,” said Vasile Dorca, Head of Security Compliance and Assurance at Paddy Power Betfair.

Paddy Power Betfair has a DevOps strategy, continuously evolving its products and then feeding the results of the updates back into development.

“We needed controls to reduce the risk around access management for the developers. We want to make sure we create a better sense of ownership, where the ones who build the code will support it to production,” says Dorca.

The Shell Control Box (SCB) solution monitors developer activity on the site as part of its DevOps strategy. It creates an audit trail of what developers do during the product development process so that their work can be evaluated by the IT department.

Users can only connect to the production platform through SCB. The activities are monitored by a dedicated team, which can look at the records both in real-time and retrospectively.

Although it provides an additional layer of security for data, securing customer data is not the main role of the solution. As Dorca explains, developers would only have access to relevant data anyway and so the possibility of ex-filtration is limited.

Where it is mainly useful is in tackling the availability issue above.

One of the main hazards of software development is that vulnerabilities can easily be introduced, either intentionally or unintentionally.

Dorca says that developers could by mistake introduce commands that could stop availability of the service itself. More maliciously, they could introduce malicious code that could take over production systems.

The online betting industry is a special case, but the example shows how the risks of innovation can be mitigated if good controls and visibility are established.

Firms struggling to secure software in the DevOps world, says HPE report


This article is from the CBROnline archive: some formatting and images may not be present.