How we think about SaaS product security at Skedulo
At Skedulo, our security team is always looking for ways to leverage technologies to continuously secure our user, customer, and company data. In most organizations, working in a fast-paced environment, driving innovation and continuous delivery leaves a slim margin for embracing security in all aspects of the product lifecycle.
As most security practitioners know, rush to market and robust security practices can be at odds with each other. In a similar sense, it’s easy for organizations to get caught in the bureaucracy of regulatory compliance checkboxes, rather than making meaningful steps in creating a secure product and security-minded culture.
This is especially true in startups transitioning to compliance-driven security. It doesn’t have to be that way—it’s possible to maintain speed, agility, and a sound security posture by applying a comprehensive and self-aware approach to security. This is achieved by properly planning and configuring technologies existing in the organization. We employ several strategies to address this, and ensure it meets the needs of our organization and our customers:
Leverage technology as a force multiplier
Just like any SaaS company, using the cloud to manage scalability and availability greatly reduces the overhead and technical debt associated with maintaining infrastructure. The majority of these services also reduce the attack surface available and make configuration management much easier to handle for smaller security teams. Making smart, sound, and modern technology choices and avoiding legacy systems and processes puts time and energy back in our security team’s tanks to focus on proactive security application.
An added benefit to this is agility. For example, when COVID-19 forced a transition to working remotely, our Identity Access Management (IAM) technology choices and configurations enabled our transition time to a matter of hours, not days. Additionally, our security posture remained unchanged due to configuration management choices implemented during the planning process and executed when needed.
Compliance as a baseline
We’re proud of our achievements in SOC 2 and other regulatory compliance standards—but we understand that compliance doesn’t always equal security. An attacker doesn’t care about ISO 27001 compliance if you have a public S3 bucket with PII exposed—or worse. Effective regulatory compliance requires a self-aware approach to how the critical controls actually apply to a security function. That’s why we view compliance as a baseline and apply additional measures where it matters. We draw from years of lessons learned in offensive security roles and bring an “attacker mindset” to our security policies at large.
Evolving threat models
The threat model is not a static entity; they evolve as quickly as exploits are created. As such, it’s important to evolve our security model as the threat model changes. When we focus on risk, it’s also important to contextualize relevant threats to our organization, and focus on the potential business impacts. This enables us to prioritize risk and subsequent security requirements based on the real-world threat. In return, we’re benefitted with a portfolio of evolving threat models based on emerging techniques from attackers. We combine these tactics with industry-accepted best practices to bolster our security posture to realistic threats.
Learn more about the Deskless Productivity Cloud
Embrace the Unknown
Expect zero days. Albeit not the most positive outlook, we embrace the mentality that known-secure applications will not always be that way—and ultimately, security incidents are an if-and-not-when. On the surface, this appears as a grim way to look at security posture—but it’s actually a proactive step. Keeping this in mind, we layer and segment our network security measures to build a robust security posture. If an asset (secure or not) is compromised, we apply defence-in-depth policies to minimize the business risk and loss of data.
A Strong Human Element
It’s well known that breakdowns in security awareness often lead to the initial compromise of a secure system. We understand that and create a secure culture not only through policy, but also security awareness training to promote a security-minded and self-aware culture. We also recognize that security awareness doesn’t stop with being able to recognize a phishing email—it must also be baked into our product. We achieve this by also creating a security-minded culture in our product development cycles, and conduct regular security reviews as validation.
The moment we believe a system is indefinitely secure is the moment security-atrophy will take its course. As such, we remain vigilant in securing all aspects of business functions. Using these strategies, we create an ecosystem of intelligent choices in configuration management, process management, and network management with the resources in our arsenal. By implementing a combination of regulatory compliance frameworks (e.g., NIST, SOC2), critical thinking in our threat modeling, and making intelligent technology choices, we’re left in an advantageous position to develop a comprehensively secure product to our customers.