Ensuring Full Proof Security At Xero
Transcript of Ensuring Full Proof Security At Xero
Slide 1
Craig Walker, Chief Technology Officer, Xero Ltd
Case Study:
Ensuring Full-Proof Security At Xero
22 July 2008
Slide 2
Agenda
• What is Xero?
• Where does security fit in?
• How did Aura get involved?
• What kinds of things did we do?
• Did you learn something?
Slide 3
Who is Xero?
• The company
– Started in 2006 by Rod Drury and Hamish Edwards
– IPO in June 2007 to establish ourselves as a credible & secure software provider
– 60 staff in 6 locations (HQ in Wellington) and over 1500 customers
– A New Zealand business with global aspirations
Slide 4
What is Xero?
• The product
– Software-as-a-Service small business platform starting as an online accounting system
– Revolutionising the way small businesses are managed
– Staff and advisors all connected and unconstrained by legacy process or technology
– Built on a Microsoft platform and hosted in the US
Slide 5
How does SaaS change security?
• Software-as-a-Service (SaaS) is software that is deployed as a hosted service, accessed over the internet and paid for on a subscription basis
• SaaS is about reducing the cost of providing software services to go after the “long tail” of small businesses
• Shifts the “ownership” of the software and reallocates responsibility for technology infrastructure from our customers to Xero
Slide 6
We can’t just say we’re “secure as a bank”. We must actually BE secure as a bank.
Slide 7
Why is security important to Xero?
• Because the impact of security breaches could destroy our business
• Potential effects:
– Loss of data
– Loss of credibility
– Loss of revenue
– Damage to customer confidence
– Damage to investor confidence
– Legal consequences
– All on the front page of the Herald
Slide 8
Virtual Security Officers
• Identified early on that we needed outside expertise, not because we couldn’t do it ourselves but because we wanted to do it right
• Security expertise not common in New Zealand especially related to SaaS
• Concept of Virtual Security Officers – a partnership that would help us to deliver secure software over the long term
Slide 9
Aura Software Security
• Microsoft development shop turned security experts
• Understand both secure development and also the secure enterprise
• Not just another security audit
• Promised a refreshing view of security and what it means to be secure
• Promised to make security suck less
Slide 10
The Aura Experience
Slide 11
What are your top 5 security risks?
• Staff
• Customers
• Contractors
• Hackers
• Hosting Providers
Slide 12
Integrated approach to security
• Defence in Depth (a holistic view)
– Security policies
– Security operations integrated with regular processes
– Security infrastructure
– Security-aware users – all staff aware of security not just developers
– Application security design and review
– Penetration testing
– Ongoing monitoring and proactive analysis
Slide 13
Security policies
• BORING!
• Implemented as “house rules” – how Xero deals with security
• Team effort – everyone (not just IT staff) gets the chance to contribute and policies are circulated company wide for feedback
• Be pragmatic – not totalitarian
• Use software to help enforce policies where appropriate
Slide 14
Threat Modelling
• Risk assessment for software
• A Microsoft approach, but in no way tied to the Microsoft platform; it can be used to model any enterprise or application threat
• Great documentation, presentation and communication tool for both your team (and your board)
Slide 15
Attack trees
• To truly defend yourself you need to know how you can be attacked
• Attack and defence are always interlinked
• Look at threats from the attacker’s point of view
• In soccer, the best penalty-taker is often the goalkeeper because he knows the best way through the net
• As a CIO you are the goalkeeper! What would you do to attack your own organisation?
Slide 16
Imagine you had a castle …
• Goal: Kidnap the Princess
– Bribe guard
– Sneak through sewer
  – Discover sewer location
  – Break any protection
– Launch full military strike
– Walk in the main gate
  – Forge letter of introduction
    – Discover/steal King’s Seal
• Cost labels on the diagram: 1,000,000 Gold Coins; 10 Gold Coins; 5 Gold Coins
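The castle tree above, and the threat-modelling slide before it, treat an attack as a set of costed paths to a goal. The Python below is an added example, not code from the slides or from Xero or Aura: the node names are the slide's, but the tree edges, the gold-coin cost of each step and the two "controls" applied at the end are assumptions chosen to show the defender's use of the tree, namely that raising the cost of the cheapest step moves the attacker to the next-cheapest branch, which is where the next control belongs.

```python
"""Attack-tree costing for the 'Kidnap the Princess' example.

Added example: node names are from the slide; tree edges, step costs and the
controls applied below are assumptions chosen to illustrate the technique.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Node:
    name: str
    kind: str = "LEAF"           # "OR": any child suffices, "AND": all children needed
    cost: int = 0                # gold coins this step itself costs (assumed values)
    children: List["Node"] = field(default_factory=list)


def cheapest(node: Node) -> Tuple[int, List[str]]:
    """Cheapest way to achieve this node's goal: (total cost, leaf steps taken)."""
    if node.kind == "LEAF":
        return node.cost, [node.name]
    plans = [cheapest(child) for child in node.children]
    if node.kind == "AND":
        steps = [step for _, path in plans for step in path]
        return node.cost + sum(cost for cost, _ in plans), steps
    best_cost, best_steps = min(plans, key=lambda plan: plan[0])
    return node.cost + best_cost, best_steps


def rank_branches(root: Node) -> List[Tuple[str, int]]:
    """Each top-level attack branch with its cheapest cost, cheapest first:
    the view a board wants when deciding where the next control goes."""
    ranked = [(child.name, cheapest(child)[0]) for child in root.children]
    return sorted(ranked, key=lambda item: item[1])


def apply_control(node: Node, step: str, new_cost: int) -> bool:
    """Model a defensive control as a higher cost for one step; True if the step exists."""
    if node.name == step:
        node.cost = new_cost
        return True
    return any(apply_control(child, step, new_cost) for child in node.children)


def build_tree() -> Node:
    # Edges and costs are assumptions; only the labels come from the slide.
    return Node("Kidnap the Princess", "OR", 0, [
        Node("Bribe guard", cost=10),
        Node("Sneak through sewer", "AND", 0, [
            Node("Discover sewer location", cost=5),
            Node("Break any protection", cost=10),
        ]),
        Node("Launch full military strike", cost=1_000_000),
        Node("Walk in the main gate", "AND", 0, [
            Node("Forge letter of introduction", "AND", 5, [
                Node("Discover/steal King's Seal", cost=50),
            ]),
        ]),
    ])


if __name__ == "__main__":
    tree = build_tree()
    print("no controls:     ", cheapest(tree))
    apply_control(tree, "Bribe guard", 500)            # hypothetical control: vet and pay the guards
    print("guards hardened: ", cheapest(tree))
    apply_control(tree, "Break any protection", 200)   # hypothetical control: barred sewer grate
    print("sewer barred:    ", cheapest(tree))
    for name, cost in rank_branches(tree):
        print(f"{cost:>9}  {name}")
```

With the assumed costs the cheapest path is bribing a guard; once that is made expensive the sewer becomes cheapest, and once the sewer is barred the main gate does. The ranked list after each control is the artefact to put in front of the board: it says what the next control buys.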
Slide 17
Test it!
• Perform penetration testing to make sure that the time spent during development and implementation actually created a more secure environment
• Highlights anything that was missed
• Allows us to test both our software and our hosting provider as part of the complete solution to identify areas where our hosting environment (and potentially hosting provider) is weak
Slide 18
Monitor it!
• Your environment should be gathering lots of information about security attacks as they occur
• Tell the attacker nothing – tell the administrator as much as possible
• Aura’s Red-Eye
– Custom solution integrates directly into your environment
– Managed and administered by Aura
– Attackers are persistent and will try many variations of an attack, and Aura can provide steps to mitigate these
– First installation picked up a major security hole within 3 days
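As an added example, not Aura's Red-Eye and not code from the slides, the Python below applies the two rules on this slide to a constructed request log: every failure returns the same opaque message to the client while the full record goes to the administrator, and a source that keeps trying distinct malformed inputs within a short window is flagged as a persistent attacker. The log lines, the field names, the "suspicious character" rule, the five-minute window and the threshold of three variants are all assumptions.

```python
"""Security monitoring sketch: opaque errors for clients, full detail for admins,
and detection of a source that keeps trying variations of an input.

Added example with constructed log lines; field names, window and threshold
are assumptions, and this is not Aura's Red-Eye.
"""
import hashlib
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log: one JSON record per request, as an application might write it.
SAMPLE_LOG = r"""
{"ts": "2008-07-22T10:00:01", "src": "203.0.113.7", "path": "/invoices", "q": "id=42", "status": 200}
{"ts": "2008-07-22T10:00:05", "src": "203.0.113.7", "path": "/invoices", "q": "id=42'", "status": 500}
{"ts": "2008-07-22T10:00:09", "src": "203.0.113.7", "path": "/invoices", "q": "id=42\"", "status": 500}
{"ts": "2008-07-22T10:00:14", "src": "203.0.113.7", "path": "/invoices", "q": "id=42;", "status": 500}
{"ts": "2008-07-22T10:00:20", "src": "203.0.113.7", "path": "/invoices", "q": "id=../../x", "status": 404}
{"ts": "2008-07-22T10:00:30", "src": "198.51.100.2", "path": "/invoices", "q": "id=7", "status": 200}
{"ts": "2008-07-22T10:00:33", "src": "198.51.100.2", "path": "/invoices", "q": "id=7'", "status": 500}
{"ts": "2008-07-22T10:30:00", "src": "203.0.113.7", "path": "/invoices", "q": "id=43", "status": 200}
"""

# Characters that never appear in a well-formed numeric id parameter (assumed rule).
SUSPICIOUS = re.compile(r"""['";<>]|\.\./""")
WINDOW = timedelta(minutes=5)      # assumed sliding window
THRESHOLD = 3                      # assumed: distinct suspicious variants from one source


def parse(log_text: str) -> List[dict]:
    return [json.loads(line) for line in log_text.strip().splitlines()]


def split_response(event: dict) -> Tuple[dict, dict]:
    """One failure, two views: the client sees only an opaque message and a
    correlation reference; the administrator record carries every field."""
    ref = hashlib.sha256(json.dumps(event, sort_keys=True).encode()).hexdigest()[:12]
    client = {"message": "The request could not be completed.", "ref": ref}
    admin = dict(event, ref=ref)
    return client, admin


def find_persistent_probers(events: List[dict]) -> Dict[str, List[str]]:
    """Sources that sent >= THRESHOLD distinct suspicious inputs within WINDOW,
    mapped to every variant they tried (the administrator gets the full picture)."""
    recent: Dict[str, deque] = defaultdict(deque)   # src -> (timestamp, variant)
    flagged: Dict[str, set] = {}
    for event in sorted(events, key=lambda e: e["ts"]):
        if not SUSPICIOUS.search(event["q"]):
            continue
        ts = datetime.fromisoformat(event["ts"])
        window = recent[event["src"]]
        window.append((ts, event["q"]))
        while ts - window[0][0] > WINDOW:        # drop entries older than the window
            window.popleft()
        variants = {variant for _, variant in window}
        if len(variants) >= THRESHOLD:
            flagged.setdefault(event["src"], set()).update(variants)
    return {src: sorted(variants) for src, variants in flagged.items()}


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    client, admin = split_response(events[1])
    print("client sees:", client)
    print("admin sees: ", admin)
    for src, variants in find_persistent_probers(events).items():
        print(f"ALERT {src} tried {len(variants)} variants: {variants}")
```

The correlation reference is the only thing the client and administrator views share, so a support request can be matched to the detailed record without the response itself revealing which input failed or why. The detector keys on distinct variants rather than raw request count, which is what separates a persistent attacker from a single user who mistyped once.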
Slide 19
Things to think about …
• Take a holistic approach to security involving the whole organisation
• Get independent expertise to guide you through the process
• Think about attacks you could face and how your organisation would respond to them
• Security is an ongoing process, not a singular event – continuously improve as attackers are also improving
• The cost of implementing security is not trivial; however, it is a fraction of the cost of mitigating security compromises
Slide 20
www.xero.com www.AuraSoftwareSecurity.co.nz
Questions?