ensuring full proof security at xero
DESCRIPTION
This presentation shows how Aura Software Security helped Xero focus it's security strategy and integrate security throughout the organisation.TRANSCRIPT
Title of the presentation
Craig Walker, Chief Technology Officer, Xero Ltd
Case Study:
Ensuring Full-Proof Security At Xero
22 July 2008
Agenda
• What is Xero?
• Where does security fit in?
• How did Aura get involved?
• What kinds of things did we do?
• Did you learn something?
Who is Xero?
• The company
– Started in 2006 by Rod Drury and Hamish Edwards
– IPO in June 2007 to establish ourselves as a credible & secure software provider
– 60 staff in 6 locations (HQ in Wellington) and over 1500 customers
– A New Zealand business with global aspirations
What is Xero?
• The product
– Software-as-a-Service small business platform starting as an online accounting system
– Revolutionising the way small businesses are managed
– Staff and advisors all connected and unconstrained by legacy process or technology
– Built on a Microsoft platform and hosted in the US
How does SaaS change security?
• Software-as-a-Service (SaaS) is software that is deployed as a hosted service, accessed over the internet and paid for on a subscription basis
• SaaS is about reducing the cost of providing software services to go after the “long tail” of small businesses
• Shifts the “ownership” of the software and reallocates responsibility for technology infrastructure from our customers to Xero
We can’t just say we’re “secure as a bank”. We must actually BE secure as a bank.
Why is security important to Xero?
• Because the impact of security breaches could destroy our business
• Potential effects:– Loss of data– Loss of credibility– Loss of revenue– Damage to customer confidence– Damage to investor confidence– Legal consequences– All on the front page of the Herald
Virtual Security Officers
• Identified early on that we need to get outside expertise not because we couldn’t do it but because we wanted to do it right
• Security expertise not common in New Zealand especially related to SaaS
• Concept of Virtual Security Officers – a partnership that would help us to deliver secure software over the long term
Aura Software Security
• Microsoft development shop turned security experts
• Understand both secure development and also the secure enterprise
• Not just another security audit
• Promised a refreshing view of security and what it means to be secure
• Promised to make security suck less
The Aura Experience
What are your top 5 security risks?
• Staff
• Customers
• Contractors
• Hackers
• Hosting Providers
Integrated approach to security
• Defence in Depth (a holistic view)
– Security policies
– Security operations integrated with regular processes
– Security infrastructure
– Security-aware users – all staff aware of security not just developers
– Application security design and review
– Penetration testing
– Ongoing monitoring and proactive analysis
Security policies
• BORING!
• Implemented as “house rules” – how Xero deals with security
• Team effort – everyone (not just IT staff) gets the chance to contribute and policies are circulated company wide for feedback
• Be pragmatic – not totalitarian
• Use software to help enforce policies where appropriate
Threat Modelling
• Risk assessment for software
• A Microsoft approach but in no way attached to the Microsoft platform and can be used for modelling any and all enterprise and application threats
• Great documentation, presentation and communication tool for both your team (and your board)
Attack trees
• To truly defend yourself you need to know how you can be attacked
• Attack and defence are always interlinked
• Look at threats from the attackers point-of-view
• In soccer, the best penalty-taker is often the goalkeeper because he knows the best way through the net
• As a CIO you are the goal keeper! What would you do to attack your own organisation?
Kidnap the Princess
Kidnap the Princess
Bribe guardBribe guard Sneak through sewer
Sneak through sewer
Launch full military strikeLaunch full
military strike
1,000,000 Gold Coins
1,000,000 Gold Coins
Walk in the main gate
Walk in the main gate
Forge letter of introduction
Forge letter of introduction
Discover/steal King’s Seal
Discover/steal King’s Seal
Discover sewer location
Discover sewer location
Break any protectionBreak any protection
5 Gold Coins5 Gold Coins
10 Gold Coins
10 Gold Coins
Imagine you had a castle …
Test it!
• Perform penetration testing to make sure that the time spent during development and implementation actually created a more secure environment
• Highlights anything that was missed
• Allows us to test both our software and our hosting provider as part of the complete solution to identify areas where our hosting environment (and potentially hosting provider) is weak
Monitor it!
• Your environment should be gathering lots of information about security attacks as they occur
• Tell the attacker nothing – tell the administrator as much as possible
• Aura’s Red-Eye
– Custom solution integrates directly into your environment
– Managed and administered by Aura
– Attackers are persistent and will try many variations of an attack and Aura can provide steps to mitigate against these
– First installation picked up a major security hole within 3 days
Things to think about …
• Take a holistic approach to security involving the whole organisation
• Get independent expertise to guide you through the process
• Think about attacks you could face and how your organisation would respond to them
• Security is an ongoing process, not a singular event – continuously improve as attackers are also improving
• The cost of implementing security is not trivial, however it is a fraction of the cost of mitigating security compromises
www.xero.com www.AuraSoftwareSecurity.co.nz
Questions?