As a company that offers wire-free 4K and HD smart home security cameras, security amongst apps — internal and external — at Arlo is paramount. Boosting 44% of the market share with 13.3 million devices shipped and 3.4 million registered users as of August 2019, along with 127 million recorded video events per day, the business apps used to run their connected platform have to be maintained in a responsible way.
“We have these business applications, amazing bots, and amazing automations that we use internally. With all this power of creating these automations and applications and the integrations between them comes responsibility. And the biggest responsibility as custodians of IT is security,” said Sridevi Pasumarthi, Vice President of Information Technology at Arlo. She shared her thoughts on how to secure business apps at Biz Systems Magic, the first and only conference for Systems leaders. During her session, she further expanded on why this is so important.
“At Arlo, we have a combination of on-prem and cloud [systems] like many enterprises these days,” she continued. “It used to be that security was just a product function, but now security has evolved with the evolution of these applications and enterprises have to account for that.”
Security Needed for Proliferated Applications and Multiple Use Cases
Thinking of the rate at which technology has changed and the diversification of the types of apps used, Sridevi says you have to be willing to make sure your systems are secure.
“You have such a heavy proliferation of apps,” Sridevi said. “Before it was always a big vendor for your ERP or CRM, etc. Now, just take a look at your expense reports. You have one app to scan your expense. You have another app that tells you if the expense report was audited or not. Then you have another just for approvals and another set of data for validations and reporting.”
“With this proliferation of data,” she continued, “it becomes extremely important to have a vision about how to make your applications and, most importantly, your data secure.”
Sridevi said enterprise app teams don’t just look over back-end processes. They oversee customer-facing systems, as well.
“If you work in customer support, you have access to customer support [data]. If you work in financials, you have access to your customers’ financial data. If you work in payment processing, you have access to your customers’ payment information. So it’s not just enterprise data that you have – it’s the data of your customers. And a data breach, whether it’s at a product level or not, is still a breach.”
“As custodians of all data, enterprise security within applications is where this whole idea becomes extremely important.”
She added that this goes beyond being SOC II or ISO compliant for a SaaS company. “Enterprise security is not just giving access. It’s more than that. It’s how do you build it, how do you secure it, how do you ensure that your customers’ data is not impacted in any way,” Sridevi said. “Some of it overlaps with compliance, but there’s a totally different mindset you must have when you come into enterprise app security.”
How to Approach Keeping Business Apps Secure
In creating a framework for biz app security, enterprises should approach it in three ways, Sridevi says: people, processes and tools.
At Arlo, the importance of business apps is built into their culture. This starts with the onboarding process. New employees are given awareness and training on what security means to them, framework(s) built to maintain it, and why “whenever you do anything at the company, security has to be at the heart of it,” Sridevi said.
Arlo also continuously provides security awareness and training across the enterprise through corporate Intranet postings, monthly newsletters and web training. They’ve also started to build architecture standards for security, which bleeds into IT practices across the enterprise. “For example,” Sridevi said, “we have online chat on our website that talks to our Salesforce whenever someone opens up a new conversation. If the developers don’t understand how to secure those chats, you are exposing yourself to a community of hackers, you’re exposing yourself to all sorts of vulnerabilities. So across the enterprise, we ensure that our developers are aware of the security practices and we’ve established their IT security standards.”
The company’s also working on security standards for vendors that are brought in, as well as defined roles and permissions for corporate access management (who needs access to what at what level and who doesn’t).
For processes, particularly product engineering, Arlo follows OpenSAMM, a framework that assists organizations in formulating and implementing a software security strategy customized uniquely to the risks faced by the organization. In it are levels of guidelines that help you make or choose your apps securely. Step 1 of this process for her team was to make a blueprint of all of the other corporate apps her company has – who owns them, their patching schedules, etc.
The next step was to invest in a security architecture and design review, which they apply for each production rollout. Launching their eCommerce site, for example, involved integrations between their payment processor, customer service tool, chat, fraud protection, shipping providers, etc. Once the design was complete, Sridevi’s team engaged with a threat model that revealed potential vulnerabilities they were exposed to just by the way the system was set up.
They’ve also implemented a security sign-off for change management so that whenever a developer tries to build something new, for example, it has to run through a security checklist first. The company’s also implemented a strong retention and data deletion process. With the GDPR and California Consumer Privacy Act affecting many software companies in the Bay Area alone, Sridevi says it’s impossible not to be “too cautious” with the data.
“It’s one thing to have data safe, but it’s another to also understand when can you let go of data,” she said. “This is not an IT-only function, but you can closely work with legal and compliance [teams] to make sure that these processes are documented and that you stick to it.”
Another thing Sridevi suggests is that you must always be prepared for a security breach. “How you act when there’s a security crisis is not something that you want to plan in the moment,” she said. “You should always have a plan ahead of time and establish what your security breach protocols are. If your customer data has been exposed, what happens next? What are your SLAs? That should always be top of mind.”
A final thing Arlo considers under security processes is vendor evaluations. By bringing outside tools into a complex app infrastructure, “you’re only as good as your weakest link in the system,” Sridevi says. With data being stored in different places, there’s an increased chance for vulnerability – so, as a procurer, you should consider things like what SOC tools they have, how they perform their pentests, whether they have DDoS protection, etc. The more they’re protected, Sridevi says, the more you and your customers are protected.
As far as the tools used to keep Arlo’s app infrastructure secure, the company uses SFRA (or storefront reference architecture) that provides standard technical controls to your dev teams to help build a website. The company also uses Splunk to establish monitoring, logging and reporting standards within the tool that houses data from their entire app and device ecosystem. They also invested in security testing and scanning tools, and crowdsourced cybersecurity via Bugcrowd.
“Whenever we bring on new platforms like an eCommerce or customer support tool that are exposed to external customers, we work with Bugcrowd. They have a team of researchers who will proactively look at the application, check to see if there are any vulnerabilities, and if there are, will work with us to make sure they get fixed. This has helped us a lot when we’ve launched major products.”
Keeping Business Apps Secure With Business Systems
Though biz app security can seem like a tall order, Sridevi says, it will be absolutely worth it if your customers are happy and everyone’s information is secure.
“Everyone’s using a slew of apps and it takes different ways to make these things secure,” Sridevi said. “To keep both employees and customers happy, you have to adapt all of your programs – in house, purchased, outsourced – to the security protocols that best fit your teams and ecosystems, and you can only do that with a roadmap built by business systems.”