25 Nov 2020
As the saying goes, trust is earned, not given. At Centili it is one of our most valuable assets, permeating the organization. Client companies entrust us with critical parts of their business. Mobile network operators and payment providers trust us to connect to their billing systems. Apps and digital services trust us to process millions of purchases correctly and securely. The trust of our employees and communities is key to our long-term success, as are the integrity and confidence that have come to be tied to our brand.
While we have earned the trust of our clients and partners over the course of 9+ years, we know that it is fragile, and a single incident can wipe out years of hard work and the reputation built on them. A stunning volume of information and purchases circulates online, far from the immediate physical control of people. This fact, paired with the publicized data breaches and security scandals of the last two decades, has led many consumers to question the ability of companies to securely handle data, purchases and personal information. It is therefore valuable when a company can build trust in its ecosystem and maintain it for a decade.
We are also operating in a world where the technology landscape is changing at an unprecedented rate and new, more sophisticated threats, such as ransomware, are emerging daily. In addition, with GDPR in the EU and Privacy Shield in the USA, the data privacy regulatory landscape is maturing fast across the globe and is becoming a compliance domain of its own within the organization. Therefore, to maintain a high level of trust on an ongoing basis, a holistically intelligent approach to handling data and security across the organization is needed.
It all starts with setting the right compliance framework, including industry standards, policies, procedures, controls, audit, and governance. The holistically intelligent approach requires seamless cohesion between this framework and the people, process and technology pillars of the business.
People are at the heart of managing a company's security and privacy posture. The human factor plays a big role in securing the business. Inadvertent mistakes, or shortcuts taken to deliver products under time pressure, can create vulnerabilities that can be exploited. It is very important that everyone in the organization understands why security and privacy are important and what their role is in safeguarding the company's posture. While the security team provides the leadership and the checks and balances, every Centilian is responsible for creating and maintaining an environment of trust for our clients and partners. We run internal thematic marketing campaigns to emphasize the importance of security and privacy for doing good business, and to remind fellow Centilians of their role as defenders of trust.
This broad-level awareness is complemented by mandatory monthly training activities that are thematically matched to the campaigns. This allows us to gauge the impact of the awareness campaigns and provides another means of reinforcing the messages. In addition, department-specific, role-based training is provided to ensure that the relevant aspects of the security and privacy policies are championed by department leads and their staff.
For any new product or feature, it all starts with the business process flow, which identifies the type of information being exchanged between the parties involved and what level of protection it requires. Once the data flow is determined and the security measures required to protect it are identified, development can proceed.
Traditionally, security was enforced at the tail end of the development cycle. Even though the security team worked closely with the various teams, it was not deeply integrated into the Software Development Lifecycle (SDLC). This created bottlenecks and inefficiencies, as security vulnerabilities were either missed or caught at the tail end and required more time and effort to fix. In addition, data privacy was traditionally handled at the time of consumption and/or visualization instead of throughout the data lifecycle.
At Centili, security and privacy are embedded in our SDLC process. We call it DevSecDatOps. All requirements, data flows, architecture, design, development, deployment, and operations considerations are identified at the front end of the cycle instead of the tail end. Developers are trained to write code using security best practices and are appropriately tooled to check their code for security and privacy vulnerabilities before they submit it for integration and quality assurance testing. The benefits of this approach are multiple: privacy of customer data becomes the top priority, developers share the security responsibility with the security and operations teams, and the overall process of identifying and fixing vulnerabilities becomes more efficient.
For privately hosted enterprises, the landscape of technology tools required to effectively manage security and privacy can be quite daunting, because there is little to no integration between the tools. Historically, there has been a tool for each technology layer, with little to no coordination and correlation between the tools and layers. For example, the network-level firewall is unaware of the application layer, and the application layer is unaware of the data or business layer. Because a vulnerability can creep in at any layer of the technology, it is important to have an integrated full-stack security posture - from the physical layer to the network, application, data and business layers.
Hybrid environments face additional challenges because they operate in two different security paradigms, with two different stacks and little to no coordination between them. This makes the transition to the cloud a bit tricky, since enterprises will be operating two stacks in parallel.
Centili is moving towards a fully cloud-native environment, where we can better leverage vertical integration between layers to manage security and privacy. This will take our current proactive security management posture and turn it into an ML/AI-based intelligent security posture. It will also allow us to monitor, correlate and act on events at a much more granular level, without having to integrate data from various tools. In addition, when suspicious activity is detected, immediate actions can be intelligently and automatically triggered to avoid or limit any potential damage.
While technology is evolving rapidly and creating new vulnerabilities, the good news is that new solutions, designs and development techniques are also emerging that help reduce exposure to security threats. However, the threats are real and can have major consequences for the business. Enterprises that set a high bar for security and privacy, and follow through with a holistically intelligent approach to managing the risks, will be able to maintain the trust of their clients and business partners. As we move into our second decade in digital monetisation, we are as vigilant as ever about trust – a multifaceted virtue in need of constant attention from all parts of our organization.