Security practices at Zerodha

April 12, 2021

In light of recent events, we’ve received several questions from our clients about how we ensure the security of your account at Zerodha. We’ve explained the security practices we adhere to in this post. We are extremely cautious and security as a practice is baked into our processes when writing code and when managing our infra. Here are some of the common-sense practices we follow to ensure the safety of your data:

  • Regular internal and external penetration testing and audits.
  • Regular human and automated reviews of infrastructure.
  • Only things that really need to be exposed to the internet are exposed. Disconnected from the internet is the default policy for all new pieces that get added to the infra. This is reviewed regularly.
  • We have Cloudflare in front of all public endpoints that provides web app firewall, bot and DDoS protection.
  • Different systems are located on different networks to isolate them from each other.
  • All our internal employee systems are on VPN and require 2FA to access.
  • We self-host pretty much all internal/CRM systems on private networks without the involvement of any IT vendors, eliminating 3rd party maintenance and access.
  • Employees from different departments get access to different systems based on their roles.
  • This role-based access is embedded as a practice in our compliance department that clears access and their processes as well.
  • No key or password-based access on AWS cloud resources.
  • Developers use passwordless certificate (+2FA) based SSH logins to critical systems. Only devs who really need access to a system have access to that system.
  • A significant majority of non-tech employee computers also run Linux to reduce the large attack surface of Windows systems.
  • For client accounts, we support real 2FA with app-based TOTP (enable in Kite -> Account -> Password and security).
    Instant alert for client logins from unfamiliar geographic locations.
  • All client-facing apps like Kite, Coin, Console, etc. use a single login (SSO) + 2FA.
  • SEBI has official cybersecurity guidelines that all brokers have to adhere to. Brokers get audited on this.

Being cautious of security and applying whatever possible common-sense security principles is all one can do. In complex, interconnected systems, it could just be one tiny slipup, technical or a human error (often it is seemingly silly human errors), that opens up Pandora’s box.

To add some perspective, all Intel processors globally became vulnerable pretty much overnight (MELTDOWN, SPECTRE vulnerabilities) in 2018, sending the world into a tizzy. Similarly, the Heartbleed vulnerability (2014) rendered a significant majority of the internet and its security infra (SSL / TLS) vulnerable. Or the Stuxnet malware (2010) that attacked a specific nuclear powerplant that was not even connected to the internet, which shows that a powerful actor such as a state can trump even the best of security measures.

Thus, 100% security does not exist and eternal vigil, technical and otherwise, as a practice, is the best anyone can do. We do whatever we can and are always very cautious. For any questions on this topic, post your question on this Trading Q&A thread.

India's largest broker trusted by 1.3+ crore investors.


Comments are closed.