The most important task of the castle is to defend against invasion.
Defenses are incorporated into the placement of every brick, buttress and battlement of the structure, ensuring its readiness to repel attackers. Castle dwellers may hear the aggressive clatter of arrows against stonework or the frustrated howls of invaders as they attempt to overcome the moat’s swift water, but with a strong design they need have no fear.
When Andrew Dean, Prisidio’s chief architect, described his company’s approach to securing their application, this is the comparison he drew.
“When you design a castle, you build it on a hill, surround it with water and put the most important things in the center of the building,” he said. “You can only do such a design if you think about security first. You can’t just take an existing building and apply this model to it.”
Dean would know. In previous work, he protected digital assets for the UK government and has experience protecting data across all types of organizations from small start-ups to large enterprises.
Now, Prisidio’s security team is reaching back in time for inspiration as they defend against modern day attackers: hackers looking to steal personal data.
“Before we even started building the platform, I was thinking about security-first concepts and how to structure everything 100 percent around security,” Dean said.
And given the nature of Prisidio’s product, security had to be the primary focus.
What they do:
Prisidio helps customers manage information about the key people in their lives, all the places where they keep essential items and information, and an inventory of all the valuables they own. Its cloud-based vault securely stores sensitive information such as tax and social security data, identification documents such as birth certificates, and any other essentials that need to be protected but may need quick access.
“We ask customers to put very sensitive information in a cloud vault,” said co-founder and CMO Paul Koziarz. “The first thing people will ask is how secure it is.”
“From the moment we decided to create Prisidio, the company and the product, we knew that security would play an essential role in everything we do,” said Koziarz.
While there may be some challenges and hurdles surrounding the philosophy, Prisidio has remained steadfast in its commitment to security since the beginning. This affects every aspect of their design, engineering and relationships with their partners and customers.
Inside and outside
“The vast majority of security incidents involve some type of human factor,” Dean said. “You can have all these great security measures, but as soon as someone is tricked into giving all their information to an attacker, there’s an easy way around them.”
This means that Prisidio not only needs to build security into its application, but also needs it to be a priority in every part of its network – technical and human. Dean’s security team, which includes the industry’s leading security and privacy experts, meets frequently to address the many different strands of Prisidio’s network that require protection.
“We’re doing checks with our suppliers to make sure they’re protected,” Dean said. “It’s the internal tools we use — our laptops, our cloud environments, our source code — and how we protect them.”
Another important consideration is how Prisidio trains its employees. All employees go through a thorough background check before joining and then receive training so they are aware of the latest emerging threats. Security training varies by role, with engineering teams getting access to training on secure coding practices, for example. Prisidio has developed a set of security policies based on industry standards, which give employees a framework to ensure they are always following best-practice principles.
“We have secure code training, where developers are given code that contains a security vulnerability and asked to fix it,” Dean explained. “It makes people think about writing code in terms of security first. It’s constantly at the forefront of people’s minds.”
Of course, along with addressing the human element, Prisidio’s product has no shortage of features that enhance its protective power. These features include mandatory multi-factor authentication, biometric authentication, advanced encryption, and full control over who has access to a user’s vault — including the ability to instantly block anyone involved in suspicious activity. And they are willing to test the strength of these features through third-party penetration testing, where Prisidio has an outside organization try to break into their systems and find vulnerabilities.
In addition, Prisidio has third-party organizations conduct independent security architecture reviews and works with both the Cybersecurity and Infrastructure Agency and the Department of Homeland Security to ensure the company’s security standards are in line with the best practices of the US government.
“There’s nothing we can do,” Dean said. “Security is a whole set of tools – it’s what we’ve built our entire company on.”
Balancing Usability
Security is Prisidio’s number one concern. But deeply intertwined with that security is usability—and if the team isn’t careful, those two priorities can come into conflict. As important as it is for Prisidio to keep a user’s sensitive information and documents safe, if there is no way to access them — or the access method is so difficult that it feels impossible — then it won’t matter because no one will use the product.
“If Andrew’s team gives us new security requirements, they happen,” said design lead Josh Henn. “Then my job is to try to reduce the learning curve without sacrificing any of the security. I have to ask if we can reduce the steps or weave in existing patterns to make things easier for the user.”
It sounds simple, but it means that even a basic action like uploading a file requires complex work behind the scenes to feel easy while meeting the security bar set by the company.
“There are a lot of conversations between pretty smart people,” Henn said. “It’s rare that we get it right on our first try, but that’s what product design is – we figure out as a team what we’re trying to achieve and explore different ways to do it. After two or three cycles, we’ve made it as good as possible, then we track it as it goes to the consumer. Even with this added focus on security, it’s still a design that can benefit the user.”
It is significantly easier to iterate on usability based on customer feedback than it is to fix security after the feature is already available. The castle must be built with security in mind, but interior details can always be changed.
“Most of the things we do in terms of security are hidden,” Dean said. “We’re revealing some of them, but a lot of them are behind the scenes. Yet our security posture is at the same level as a bank or financial institution would provide.”
No more security talk
Even the most secure product in the world is worthless if it doesn’t get into the hands of the people who need it. That’s why it’s just as important for Prisidio customers to know that their app will keep their files safe.
“Familiarity breeds trust,” Koziarz said. “We need to be out there promoting the message that we have a vault that is secure. We can’t reveal all our secrets, but we can be consistent in that message.”
Koziarz and his team also make sure to listen to customers’ security concerns through interviews and feedback. Being able to quickly resolve direct issues that users have is a good sign that the product is trustworthy.
A company may brag about the security of its platform, but that claim may not stand up to scrutiny. So how does Prisidio walk the walk? Its employees put their own most important documents in the application.
“That’s what I do,” Koziarz said. “I pull it up and say, ‘I helped build this, and here’s my vault.’ It helps us talk about security — we can show that we’re comfortable with it.”
Andrew Dean recently attended the Black Hat conference, where hackers and security researchers from around the world come to share techniques they’ve used to break through cybersecurity measures — and tech companies show what they’re doing to stop them.
“You never want to connect to Wi-Fi there,” Dean said.
In the end, Dean was able to convince some of the smartest hackers and cybersecurity professionals that the product was worth using, simply by opening it on his own phone.
“My name is Andrew and I use Prisidio, and that was enough?” Henn joked – but that’s pretty much how it went, according to Dean.
But the biggest indicator that customers trust Prisidio is when they no longer have to talk about it.
“There’s a point every user goes through when they say, ‘we can stop talking about security now,’” Henn said. “That point is different for everyone, but eventually they reach the threshold of confidence when they are sure and know it. Then they want to get to the fun stuff.”
When a user enters the walls of Prisidio Castle, they want to be assured that they are protected. Prisidio has made great strides to make these guarantees verbally, technologically and through practice. Users can then enjoy what is protected – a vault for the most important documents, stored digitally for easy access.