The pandemic forced a rapid rollout of remote working tools, which in turn caused an increase in ransomware attacks, leaving businesses with financial and data losses.
To prevent such attacks, companies must not only educate their employees in cybersecurity best practices but also embed professional security solutions in their internal business processes and systems.
So today we had a chat with Joey Stanford, VP of Privacy & Security at Platform.sh, a cloud hosting platform provider, about the essential security measures for modern businesses and the latest cybersecurity trends.
What has your journey been like? How did the idea of Platform.sh come about?
The idea of Platform.sh sprung from the need to provide easy, reliable, and secure hosting for Drupal projects so that organizations of any size would be able to deploy applications anytime without having to worry about breakage.
When designing the initial minimum viable product (MVP), thought was given to making the product flexible, allowing it to support multiple applications and languages. Since 2016, we’ve continued to enhance our product and service offering. Now, Platform.sh is used by more than 62,000 developers and thousands of companies worldwide.
Can you tell us a little bit about what you do? What are the main challenges you help navigate?
My responsibilities include managing our privacy and security efforts. During my tenure, we’ve successfully developed a platform that puts security at the heart of its service, something that cannot be celebrated without noting the significant efforts of my teams and the many other functions inside the company. Together, we work to be good custodians of our customers’ data.
Compliance with industry standards, such as PCI and SOC2, and legal requirements, such as GDPR, PIPEDA, CCPA, and APA, has always been a priority for me, but my main focus is really on trust. Trust that Platform.sh is secure and trust that we are doing the right things to keep people safe. By people, I mean not only our customers but also our employees. If you trust and have confidence in an organization, then you are more willing to do business with them.
As a result, we hold ourselves to high standards by securing several external industry certifications and taking part in audits to ensure that our customers and employees are secure.
What threats surrounding web applications do you find the most concerning nowadays?
We generally track the OWASP Top Ten list. We tend to see that customer applications often lack timely security-related patching of their own applications and dependencies, as well as consistent attention to access control reviews. The most concerning aspect in my opinion, for everyone, is software dependency management. There are multiple software tools and services that can help in this area, but we’re still somewhat far away from having an easy-to-generate and easy-to-use software bill of materials (SBOM) and an associated process to manage security vulnerabilities in dependencies.
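As an added illustration of the process described above (example code, not from Platform.sh or the interviewee): a short Python script that reads a CycloneDX-style SBOM, matches each component against an advisory feed by package URL and version range, and lists what needs patching. The SBOM, package names, versions and advisory IDs are all constructed sample data.

```python
"""Match an SBOM's components against an advisory feed (constructed sample data)."""
import json

# Constructed CycloneDX-style SBOM: three made-up libraries, not real packages.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "left-pad",  "version": "1.3.0",  "purl": "pkg:npm/left-pad@1.3.0"},
    {"type": "library", "name": "yaml-tool", "version": "2.0.7",  "purl": "pkg:pypi/yaml-tool@2.0.7"},
    {"type": "library", "name": "webfw",     "version": "3.1.12", "purl": "pkg:pypi/webfw@3.1.12"}
  ]
}"""

# Constructed advisories with placeholder IDs. A component is affected when
# introduced <= version < fixed; fixed == None means no fixed release exists yet.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "purl": "pkg:pypi/yaml-tool", "introduced": "2.0.0", "fixed": "2.0.9"},
    {"id": "ADV-EXAMPLE-002", "purl": "pkg:pypi/webfw",     "introduced": "3.0.0", "fixed": "3.1.4"},
    {"id": "ADV-EXAMPLE-003", "purl": "pkg:npm/left-pad",   "introduced": "1.0.0", "fixed": None},
]


def parse_version(v):
    """'3.1.12' -> (3, 1, 12): compare numerically, so 3.1.12 is newer than 3.1.4.
    A plain string comparison would wrongly flag 3.1.12 as older than 3.1.4."""
    return tuple(int(part) for part in v.split("."))


def is_affected(version, advisory):
    v = parse_version(version)
    if v < parse_version(advisory["introduced"]):
        return False
    fixed = advisory["fixed"]
    return fixed is None or v < parse_version(fixed)


def find_vulnerable(sbom_json, advisories):
    """Return (name, version, advisory id, fixed version) for every affected component."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom["components"]:
        base_purl = comp["purl"].split("@")[0]  # drop the version qualifier from the purl
        for adv in advisories:
            if adv["purl"] == base_purl and is_affected(comp["version"], adv):
                hits.append((comp["name"], comp["version"], adv["id"], adv["fixed"]))
    return hits


if __name__ == "__main__":
    for name, ver, adv_id, fixed in find_vulnerable(SBOM_JSON, ADVISORIES):
        action = f"upgrade to {fixed}" if fixed else "no fix released; mitigate or replace"
        print(f"{name} {ver}: {adv_id} -> {action}")
```

Running this in CI against the SBOM produced at build time turns the "associated process" into a failing pipeline step whenever a shipped dependency falls inside an advisory's range.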
Do you think the recent global events altered the way people approach cybersecurity?
We’ve started to talk about how to protect people more. The pandemic has indeed caused a massive spike in cybercrime, specifically ransomware, which boomed over 2020 and 2021. Researching the total cost of activity, Chainalysis named 2020 the year of ransomware after it found that payments exceeded half a billion USD. This spike is being driven by the uptick in phishing, social engineering, and a general increase in what I call the routine exploit behavior. Cybercriminals know that the weakest point in the chain is through a company’s people, which has led businesses to have more conversations about implementing a Zero Trust approach.
Although the uptick in activity is bad, it’s positive to see businesses start to put security higher on their priorities list. After all, if a business is taking its security seriously, so will its employees.
Why do you think companies often hesitate to try out new and innovative solutions that would enhance their IT operations?
There are two principal reasons for this, the first being cost and ease of integration. Good solutions do not come cheap and despite there being bigger investments in digital transformation, companies struggle to find ways to justify spending on new solutions they don’t know they need.
The second is complications with integration. There may be several reasons why integration is difficult. It could require a lot of manpower, it may not have the right connectors, and/or it may require administrative/root permissions to sensitive environments that you don’t want to give. Many businesses also lack the right skills and expertise, so even if they do identify the right solution, they may not have the right knowledge about taking it to the next step.
On top of this, the solution may not be compliant with privacy laws, such as GDPR. We require all our vendors who touch personal data of any sort, even employee data, to be GDPR compliant. We’ve had to reject a non-trivial number of vendors who don’t care about privacy, don’t comply with industry standards, and don’t have any third-party audits. As to my earlier point, if I can’t trust them, I can’t entrust them with our data or our customers’ data.
In your opinion, what security details are often overlooked when developing a website or an application?
There are three items I consistently see as failures:
- Lack of adherence to at least one audited security standard (e.g. PCI, SOC2, ISO 27001).
- Lack of support/integration with a single sign-on provider and MFA support.
- A total lack of support for privacy laws, like GDPR.
Besides implementing cloud solutions, what other security measures do you think are essential for organizations nowadays?
There is a clear list of measures a company should take and these include:
- Timely security patching.
- Dependency management, ideally integrated with CI/CD.
- Both QA and security reviews of all code.
- Regular access control reviews.
- Timely off-boarding.
- Anti-malware solutions that are proper and enforced on endpoints and servers.
- At least one third-party external security certification with twice-a-year external penetration testing.
- A dedicated, adequately staffed, and funded security team.
- Executive attention and championship.
- Proper vendor management.
- A focus on complying with privacy laws.
- A well-honed incident and breach response process.
- A regularly tested disaster recovery process.
- Cybersecurity insurance.
- Utilizing VPNs as appropriate.
- Auditable administrative actions (e.g. logging of all ssh sessions).
- Requiring SSO and MFA everywhere.
Talking about individual users, what security tools do you think should be a part of everyone’s daily lives?
There are a few things an individual can do to upgrade their personal security; the first is password hygiene. The single-use password is still the most popular form of authentication, and with so many accounts needed, it makes sense that people will reuse the same credentials. As this is incredibly unsafe, users should take advantage of password managers, so they don’t need to remember passwords.
In addition, it’s not possible to see if your credentials have been compromised. I use Have I Been Pwned to get notified if my credentials have been breached.
Although it’s not a tool, people should educate themselves or request that their business invests in cyber awareness education. Phishing and scams are still the main tools used by hackers, so being able to identify and avoid them is how you can stop hackers at the first point of entry. In short:
- Don’t click links in suspicious emails.
- Don’t take someone’s word for it on the phone.
- Require proof/confirmation that your CEO really wants that $200 gift card.
What does the future hold for Platform.sh?
We’ve experienced wonderful growth over the last few years and it’s going to continue. We keep adding new features while improving our product to make Platform.sh more attractive to customers, large and small. Most recently we announced that we were renewing our partnership with Adobe to help its e-commerce enablement – something that more and more small businesses need help with because of the pandemic. We’ve also made strides in Green Hosting and will continue to improve in this area as the wider world looks at how we can do more to improve the future of our planet.
As we grow, we will continue to focus on security and privacy to retain the trust of our customers and win new business.