Building a Framework for Trusted Cloud Services
As Chief Trust Officer at Informatica, it’s my job to make sure that customers trust our global cloud services platform and software. Simply put, data privacy and security have never been more important to our customers. A study by RSA Security Research reports that roughly 70% of global consumers are prepared to boycott a company they don’t believe takes data protection seriously. And close to half of U.S. consumers surveyed by PCI Pal said they spend less with brands that they believe have insecure data practices.
Regulations like the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are yet another reason that organizations are taking data privacy, data security, and trust more seriously.
It’s one thing to realize that trust is important, but it’s another to actually prioritize and build trust into everything you do. In a recent blog post, Darshan Joshi, our SVP for Technology Strategy and Shared Services, shared the top 10 principles that go into the Informatica Intelligent Data Platform as part of a blog series on System Thinking. One of those principles is around security and privacy as foundational elements for development, testing and hosting of cloud offerings. Amit Walia also reinforced this in his Informatica World 2019 keynote address.
I’ve spent my career innovating at scale and building security for companies such as Accenture, Netscape, AOL, AWS and Netflix; and at Informatica part of my role is leading the cloud business transformation strategy within our R&D products division. Here’s a deeper look at what we mean when we say we build cloud services with security and privacy top of mind.
4 stages of security and privacy across the product lifecycle
The worst way to do security is to work on a product and then engage your security team — in effect, handing them something that’s already developed and asking them, “Hey, can you make this secure?”
At Informatica, we consider security and privacy throughout a product’s conceptualization, development and operational processes. Our Secure SDLC follows deliberate processes to manage the threats, risks and controls throughout a product’s lifecycle. Essentially, we’re looking at security and privacy at each of four major stages in our SDLC:
Requirements & Design: Before the teams start coding, our CloudTrust security team works with product managers and architects to construct threat models and review architectural requirements and relevant regulations so that security and privacy are woven into the product requirements. That continues as we move into design. And to reinforce the latest security learnings, we hold product security trainings for our global development and QA teams. In the last year we invested over 7,000 person-hours in this training to teach teams how to develop safer products.
Development & Testing: Once development is underway, we test our code throughout the process. We have a variety of tools and techniques – a mix of commercial, open source and in-built – that we use to test our code. And we continue testing as the product gets further along – in the last 12 months we scanned almost 400 million lines of code to identify potential security problems before they make it into the final product.
“Hacking”: Our customers typically interact with our products in “polite” ways. It’s fairly straightforward to figure out problems that users will likely encounter. Then there are hackers, those who actively try to break and disrupt software and cloud services. Part of our testing process is to think like hackers – to anticipate and simulate what malicious actors may try to do. We employ teams of ethical hackers to try to break our products before release, and we support external security researchers through a Responsible Disclosure Program.
Deployment & Maintenance: Once a product is released into the world, our teams don’t stop protecting our customers and their data. We continuously scan our global cloud platform and products – over 45 million security checks – to stay vigilant and gather information about how they are performing. Our Hall of Fame publicly thanks the growing list of external security researchers who have shared their findings – all those learnings and feedback go directly to the product and operations teams.
We think about these constraints and considerations throughout the process. If you’re familiar with the concepts of DevOps or DevSecOps, you’ll notice that our processes fit with the ideas of continuous integration, monitoring, and deployment. And we’re always looking for great minds to join our expanding CloudTrust team, in any of our engineering centers across Silicon Valley, Ireland, or India.
The end result is a cloud platform and set of products that meet the trust standards for the most stringent customers in the industry. To learn more about our certifications, our cloud security program, and how we keep your data safe, visit our Platform Trust page.
I’ll write more about our approach to developing cloud products in future posts.