Title of the presentation Craig Walker, Chief Technology Officer, Xero Ltd Case Study: Ensuring Full-Proof Security At Xero 22 July 2008

Agenda What is Xero? Where does security fit in? How did Aura get involved? What kinds of things did we do? Did you learn something?

What is Xero?

Where does security fit in?

How did Aura get involved?

What kinds of things did we do?

Did you learn something?

Who is Xero? The company Started in 2006 by Rod Drury and Hamish Edwards IPO in June 2007 to establish ourselves as a credible & secure software provider 60 staff in 6 locations (HQ in Wellington) and over 1500 customers A New Zealand business with global aspirations

The company

Started in 2006 by Rod Drury and Hamish Edwards

IPO in June 2007 to establish ourselves as a credible & secure software provider

60 staff in 6 locations (HQ in Wellington) and over 1500 customers

A New Zealand business with global aspirations

What is Xero? The product Software-as-a-Service small business platform starting as an online accounting system Revolutionising the way small businesses are managed Staff and advisors all connected and unconstrained by legacy process or technology Built on a Microsoft platform and hosted in the US

The product

Software-as-a-Service small business platform starting as an online accounting system

Revolutionising the way small businesses are managed

Staff and advisors all connected and unconstrained by legacy process or technology

Built on a Microsoft platform and hosted in the US

How does SaaS change security? Software-as-a-Service (SaaS) is software that is deployed as a hosted service, accessed over the internet and paid for on a subscription basis SaaS is about reducing the cost of providing software services to go after the “long tail” of small businesses Shifts the “ownership” of the software and reallocates responsibility for technology infrastructure from our customers to Xero

Software-as-a-Service (SaaS) is software that is deployed as a hosted service, accessed over the internet and paid for on a subscription basis

SaaS is about reducing the cost of providing software services to go after the “long tail” of small businesses

Shifts the “ownership” of the software and reallocates responsibility for technology infrastructure from our customers to Xero

We can’t just say we’re “secure as a bank”. We must actually BE secure as a bank.

Why is security important to Xero? Because the impact of security breaches could destroy our business Potential effects: Loss of data Loss of credibility Loss of revenue Damage to customer confidence Damage to investor confidence Legal consequences All on the front page of the Herald

Because the impact of security breaches could destroy our business

Potential effects:

Loss of data

Loss of credibility

Loss of revenue

Damage to customer confidence

Damage to investor confidence

Legal consequences

All on the front page of the Herald

Virtual Security Officers Identified early on that we need to get outside expertise not because we couldn’t do it but because we wanted to do it right Security expertise not common in New Zealand especially related to SaaS Concept of Virtual Security Officers – a partnership that would help us to deliver secure software over the long term

Identified early on that we need to get outside expertise not because we couldn’t do it but because we wanted to do it right

Security expertise not common in New Zealand especially related to SaaS

Concept of Virtual Security Officers – a partnership that would help us to deliver secure software over the long term

Aura Software Security Microsoft development shop turned security experts Understand both secure development and also the secure enterprise Not just another security audit Promised a refreshing view of security and what it means to be secure Promised to make security suck less

Microsoft development shop turned security experts

Understand both secure development and also the secure enterprise

Not just another security audit

Promised a refreshing view of security and what it means to be secure

Promised to make security suck less

The Aura Experience

What are your top 5 security risks? Staff Customers Contractors Hackers Hosting Providers

Staff

Customers

Contractors

Hackers

Hosting Providers

Integrated approach to security Defence in Depth (a holistic view) Security policies Security operations integrated with regular processes Security infrastructure Security-aware users – all staff aware of security not just developers Application security design and review Penetration testing Ongoing monitoring and proactive analysis

Defence in Depth (a holistic view)

Security policies

Security operations integrated with regular processes

Security infrastructure

Security-aware users – all staff aware of security not just developers

Application security design and review

Penetration testing

Ongoing monitoring and proactive analysis

Security policies BORING! Implemented as “house rules” – how Xero deals with security Team effort – everyone (not just IT staff) gets the chance to contribute and policies are circulated company wide for feedback Be pragmatic – not totalitarian Use software to help enforce policies where appropriate

BORING!

Implemented as “house rules” – how Xero deals with security

Team effort – everyone (not just IT staff) gets the chance to contribute and policies are circulated company wide for feedback

Be pragmatic – not totalitarian

Use software to help enforce policies where appropriate

Threat Modelling Risk assessment for software A Microsoft approach but in no way attached to the Microsoft platform and can be used for modelling any and all enterprise and application threats Great documentation, presentation and communication tool for both your team (and your board)

Risk assessment for software

A Microsoft approach but in no way attached to the Microsoft platform and can be used for modelling any and all enterprise and application threats

Great documentation, presentation and communication tool for both your team (and your board)

Attack trees To truly defend yourself you need to know how you can be attacked Attack and defence are always interlinked Look at threats from the attackers point-of-view In soccer, the best penalty-taker is often the goalkeeper because he knows the best way through the net As a CIO you are the goal keeper! What would you do to attack your own organisation?

To truly defend yourself you need to know how you can be attacked

Attack and defence are always interlinked

Look at threats from the attackers point-of-view

In soccer, the best penalty-taker is often the goalkeeper because he knows the best way through the net

As a CIO you are the goal keeper! What would you do to attack your own organisation?

Imagine you had a castle … Kidnap the Princess 10 Gold Coins Bribe guard Sneak through sewer Launch full military strike 1,000,000 Gold Coins Walk in the main gate Forge letter of introduction Discover/steal King’s Seal Discover sewer location Break any protection 5 Gold Coins

Test it! Perform penetration testing to make sure that the time spent during development and implementation actually created a more secure environment Highlights anything that was missed Allows us to test both our software and our hosting provider as part of the complete solution to identify areas where our hosting environment (and potentially hosting provider) is weak

Perform penetration testing to make sure that the time spent during development and implementation actually created a more secure environment

Highlights anything that was missed

Allows us to test both our software and our hosting provider as part of the complete solution to identify areas where our hosting environment (and potentially hosting provider) is weak

Monitor it! Your environment should be gathering lots of information about security attacks as they occur Tell the attacker nothing – tell the administrator as much as possible Aura’s Red-Eye Custom solution integrates directly into your environment Managed and administered by Aura Attackers are persistent and will try many variations of an attack and Aura can provide steps to mitigate against these First installation picked up a major security hole within 3 days

Your environment should be gathering lots of information about security attacks as they occur

Tell the attacker nothing – tell the administrator as much as possible

Aura’s Red-Eye

Custom solution integrates directly into your environment

Managed and administered by Aura

Attackers are persistent and will try many variations of an attack and Aura can provide steps to mitigate against these

First installation picked up a major security hole within 3 days

Things to think about … Take a holistic approach to security involving the whole organisation Get independent expertise to guide you through the process Think about attacks you could face and how your organisation would respond to them Security is an ongoing process, not a singular event – continuously improve as attackers are also improving The cost of implementing security is not trivial, however it is a fraction of the cost of mitigating security compromises

Take a holistic approach to security involving the whole organisation

Get independent expertise to guide you through the process

Think about attacks you could face and how your organisation would respond to them

Security is an ongoing process, not a singular event – continuously improve as attackers are also improving

The cost of implementing security is not trivial, however it is a fraction of the cost of mitigating security compromises

www.xero.com www.AuraSoftwareSecurity.co.nz Questions?