Written by Tomas Honzak |
Among the barriers that prevent cloud adoption, security and privacy concerns are the most common. Why? For many, choosing a cloud-based vendor means giving up a certain level of control, and that makes people uncomfortable. It’s easy to know whether a platform’s product capabilities fit your needs, but predicting how that company will protect your most precious assets is another story.
Information security certifications can be useful. Be it SOC 2 or Skyhigh Networks’ Enterprise-Ready CloudTrust Ranking, which GoodData was recently awarded, all apply a similar approach and provide customers with some assurance. But what lies behind the certifications? Can you trust that the company truly lives up to the requirements of the standards and does not just build a nice “security theater” for the auditors?
For us at GoodData, the security and privacy of our customers’ data is our number one priority. Remember Heartbleed? Even before we assembled the security incident response team, our engineers had applied the patch to the OpenSSL packages and prepared an immediate release for the production environment. The incident response team then sat for hours analyzing the impact and planning the response.
This commitment to security takes dedication and adoption from the whole organization. Here’s how we do it:
Reason #1: Everyone at GoodData is passionate about security
This passion begins with the engineers who work day and night to ensure our platform is impenetrable, but is that enough? No. Statistics show that in more than 50% of attacks, existing user or employee accounts were used. Most breaches are due to social engineering techniques or are accidental, like confidential attachments sent to the wrong person.
So how do we stay secure for our customers? We integrate security into our daily lives. We avoid sharing credentials. We never download any confidential data from our systems. We require everyone not to reuse their passwords and we use password managers to simplify this task. When we have to share credentials, we send them encrypted. We talk about security, we educate ourselves on security, we live security. We keep the passion alive.
Reason #2: We manage security both horizontally and vertically
We have a dedicated Security Officer and a Security Management Team that consists of senior representatives of all key stakeholders and takes care of security governance from A to Z. Risk management, check. Security strategy, check. Policies and processes, of course. And we could go on.
But we primarily manage security vertically. To ensure we maintain our “Skyhigh” standards, our dedicated team of security engineers owns “Security 101,” from firewall rules to security groups to monitoring and alerting and more. We cooperate with professionals who test the limits of our security controls, in the platform and any new components. Our seasoned architects ensure we build the security both into the platform and into all new features and fixes.
Our Security Management Team leverages the knowledge of the entire Engineering and Operations department with industry standards and customer requirements to make all the tactical and strategic decisions. This holistic and systematic approach ensures our customers’ data is secure.
Reason #3: Where the traditional approach relies on formal processes with heavy paperwork and segregation of duties, GoodData prefers teamwork and automation
We encourage cross-team and cross-department communication from the beginning. This means we begin our security reviews during the creation of our initial architecture. The engineers, who have a comprehensive understanding of the role of security in their project, can deliver the code as securely as possible, and any deviations are spotted immediately, whereas in the traditional process they would not be discovered until the “security review” once the coding was complete. GoodData’s processes require no “paperwork” handovers and instead implement automated continuous integration and delivery. This keeps production free from non-compliant changes.
Reason #4: We built our trusted solution using trusted infrastructure
When it comes to the security of our platform, it all begins with infrastructure. Security must be built in end to end, which requires extensive trust and partnership. That is why we rely on best-in-breed technology partnerships with Rackspace, AWS S3, and Splunk.
Reason #5: Plan, Do, Check, Act (PDCA)
Thanks to W. E. Deming, everyone who wants to improve has a simple yet effective framework at hand. We at GoodData have built improvement into all levels of our daily operations. Regular reviews of all kinds and at all levels, be it releases, incidents, major projects, scrum sprints, penetration tests, internal audits or regular reviews of the policies and processes, all provide invaluable lessons that help us continue to improve.
But at the same time we remain humble. The Heartbleed vulnerability proves that regardless of what security standards we adhere to, the Internet is always insecure. “Achieving security” is an illusion. We succeed for our customers because we never cease pushing ahead.