Building the Foundation for Ario’s Security Program
At Ario we’ve made securing our platform and protecting our customers’ data a top priority for our organization. This comes from the necessity of protecting the highly sensitive personally identifiable information (PII), credit information and business information stored in our platform. In this blog post we’ll outline how we addressed this challenge and built a robust security program from scratch!
Our team is made up of security professionals who have deployed secure online services for some of the largest companies in the world. We decided, before we wrote a single line of code, that we wanted our partners to be able to trust us as professional stewards of their customers’ data. However, as a new company we faced the challenge of establishing trust from nothing. We believe trust only comes through transparency and ongoing scrutiny, so we accepted the challenge: how should we build a world-class security program from the ground up for an entirely cloud-based financial technology company?
At a high level we started building the Ario security program using both a top-down and a bottom-up approach. From the top down, we used the Building Security In Maturity Model (BSIMM) to provide direction. Early on this helped us identify and prioritize what we should be doing next, e.g., threat modelling, penetration testing, etc. From the bottom up, we consulted detailed security controls from recognized standards bodies and industry best practices to help us identify and prioritize how we should implement our security controls.
BSIMM provides a maturity model for managing the rollout of a security program. It describes activities, grouped into practices, to help software development firms identify and prioritize the work required to build a robust security program. It is based on quantitative analysis of the security practices that software development firms actually perform. Not all activities described by BSIMM are directly relevant to Ario, however. Given our position as a cloud-based company we had to tailor BSIMM to meet our needs. Overall, we have already implemented, or plan to implement, over 90% of the activities outlined by BSIMM!
While BSIMM provided the broad-stroke activities we needed to perform, we felt it was important to consult recognized standards bodies to complement our collective experience when developing the security features of our platform. This was important to us for two reasons: 1) to ensure that our security controls were built in the most robust manner possible and 2) to achieve general compliance with internationally recognized standards. The standards we consulted ranged from standards tied to very specific certifications (e.g., the Payment Card Industry Data Security Standard, PCI DSS) to very general ones (e.g., ISO 27001), including:
● National Institute of Standards and Technology (NIST)
● Defense Information Systems Agency (DISA)
● Communications Security Establishment (CSE)
● Open Web Application Security Project (OWASP)
● Center for Internet Security (CIS)
● International Organization for Standardization (ISO) 27001 and 27017
● Payment Card Industry Data Security Standard (PCI DSS)
As a result of prioritizing program activities through BSIMM and drawing security requirements from recognized standards, the Ario Platform now implements strong security controls throughout, including: centralized logging, auditing, monitoring and alerting, intrusion detection, incident management, automated software patching, identity and access management, strong authentication, infrastructure-anchored data encryption, secure communication between services, two-person integrity on sensitive operations and data lifecycle management.
As an early-stage startup there were many directions we could have taken the security program. Many startups are tempted to implement as little as they can get away with in order to get the product to market. At Ario we chose to invest in an automated security foundation baked into our continuous deployment pipeline. BSIMM allowed us to systematically identify the activities that we collectively believed were the most important at each phase of our development. At the same time, the recognized standards bodies we consulted complemented our collective security experience to ensure we built strong security controls. It is this combined top-down and bottom-up approach that gave us confidence that, with discipline, we could build a secure platform from scratch without impacting our time to market.