3 Ways GoodData is Delivering Security Compliance and Assurance

January 23, 2019
Tomas Honzak, Chief Information Security Officer
Tomas Honzak serves as the Chief Information Security Officer at GoodData, where he built an Information Security Management System compliant with SOC 2 and HIPAA, enabling the company to help Fortune 500 companies distribute customized analytics to their business ecosystem. Tomas finds his passion in enabling synergies between agile methodologies and a standards-based process approach, and is a DevOpsSec enthusiast. Prior to his position at GoodData he led the Quality, Business Processes and Security department at Acision, a former Logica Mobile Networks division. He lives in Prague, Czech Republic, and holds an MSc. from Charles University, the oldest university in Central Europe.

As GoodData’s Chief Information Security Officer, I spend a lot of my time talking to customers about security. It makes sense that this topic is front of mind for many companies today. High-profile breaches are in the headlines, and new regulations like GDPR have made it more critical than ever for companies to ensure that sensitive data is handled appropriately and kept secure. This is especially true for large enterprises, which tend to have more demanding security assurance processes than small or medium-size companies.

This kind of challenging business environment led us to create Enterprise Shield, an addition to our security compliance framework tailored to ensure the highest level of data protection and assurance. Built for customers who require above-standard assurance on data access and data handling protocols, custom security compliance reviews, as well as reporting on key security KPIs, Enterprise Shield delivers robust security compliance and assurance—while still maintaining full flexibility and functionality. I’m tremendously excited about today’s launch of Enterprise Shield, which directly addresses some of our customers’ most frequently cited needs.

We know that our customers want security to be treated as part of their enterprise ecosystem. No longer content with data protection that exists in its own sphere, enterprises are looking for security to be aligned with the way they manage enterprise risk and for the ability to integrate a framework into data security compliance. With Enterprise Shield, these enterprises get exactly that: security that’s an integral part of their enterprise, a true partnership with proactive notifications on emerging threats and security risks, so that both parties can collaborate on mitigation and remediation strategies.

1. Increased and more detailed due diligence

Enterprise customers run enterprise risk management programs that include continuous monitoring, and their due diligence on vendors goes well beyond checking that the service provider has obtained a SOC report and is on track to correct the exceptions. Enterprise Shield was designed to support exactly that level of due diligence.

Customers who subscribe to this package may not only ask for completion of their customized security questionnaires on an annual basis, but may also receive regular reports on our security processes to ensure end-to-end oversight. In addition, they benefit from notifications regarding agreed-upon high risks, security KPI deviations, and other security events, delivered in a manner that fits into their compliance monitoring. With the Platform Event Audit Log, another feature of Enterprise Shield, customers may integrate security event reporting from GoodData into their SIEM for real-time alerting on user access exceptions and possible security issues.

2. Advanced data protection procedures

For the protection of PII and of other enterprises’ sensitive data, our customers asked us to introduce additional security assurance management. In Enterprise Shield, that takes the form of a full audit trail of all data access, or of more robust security assurance on the implementations our Professional Services carry out. At the same time, customers want to keep their agility and their ability to update their solutions very quickly to respond to the needs of their clients—and no one wants to maintain multiple copies of the same solution.

With Enterprise Shield, a customer can select a subset of their workspaces that will be updated as usual in the agile delivery life cycle, while the protected workspaces will be updated only once the assurance cycle is completed. Thanks to GoodData life cycle management tooling, both subsets can be deployed from the same code base. Then, as they onboard additional customers, or as some of their customers move to the enterprise segment and start to require additional assurance, it’s easy to add workspaces both to the agile train and to the Enterprise Shield protected subset, or to move customers between these segments. In addition, it enables enterprises to separate standard users from those who require additional safeguards, with GoodData ensuring that there is no access to raw data outside a strictly controlled environment.

3. Compliance with data protection laws and regulations

GDPR is front of mind for companies right now. GDPR compliance is available to all GoodData customers at no additional cost, and Enterprise Shield allows the right level of protection for sensitive personal data (“special categories”) under GDPR Article 9. Similarly, Enterprise Shield is the package of choice for HIPAA, and while we will continue to offer special add-ons for all these regulated use cases to tailor the contractual documentation to the strict requirements of these regulations, Enterprise Shield provides the right level of protection to ensure that all sensitive data is taken care of properly. Perhaps a company doesn’t need compliance support currently, but knows it will need it when it expands globally. We now offer flexible choices to meet your business requirements as they grow and change. GoodData complies with a variety of data protection standards, and we build our security practices with industry standards in mind. That way, whatever developments occur in the future, our enterprise customers know we can support them.

I was recently on the phone with a potential customer who was expressing many of the concerns common to enterprise customers. When I explained our Enterprise Shield offering, he was delighted. He shared that this was exactly what he needed: a compliance offering that addresses the needs of enterprise clients from sectors where there are no end-to-end security and compliance standards. I look forward to continuing to work with our enterprise customers to ensure that Enterprise Shield is the best, most useful product it can be.

This post is an overview of the security features of Enterprise Shield. For more information on the security measures applied to the GoodData platform and on the concepts and techniques that assure security in the cloud, download our security whitepaper.