Ensuring Full Proof Security At Xero



This presentation shows how Aura Software Security helped Xero focus its security strategy and integrate security throughout the organisation.

Published in: Business, Technology
1. Title of the presentation
   Craig Walker, Chief Technology Officer, Xero Ltd
   Case Study: Ensuring Full-Proof Security At Xero
   22 July 2008

2. Agenda
   • What is Xero?
   • Where does security fit in?
   • How did Aura get involved?
   • What kinds of things did we do?
   • Did you learn something?

3. Who is Xero?
   • The company
     - Started in 2006 by Rod Drury and Hamish Edwards
     - IPO in June 2007 to establish ourselves as a credible & secure software provider
     - 60 staff in 6 locations (HQ in Wellington) and over 1500 customers
     - A New Zealand business with global aspirations

4. What is Xero?
   • The product
     - Software-as-a-Service small business platform, starting as an online accounting system
     - Revolutionising the way small businesses are managed
     - Staff and advisors all connected and unconstrained by legacy process or technology
     - Built on a Microsoft platform and hosted in the US

5. How does SaaS change security?
   • Software-as-a-Service (SaaS) is software that is deployed as a hosted service, accessed over the internet and paid for on a subscription basis
   • SaaS is about reducing the cost of providing software services to go after the “long tail” of small businesses
   • Shifts the “ownership” of the software and reallocates responsibility for technology infrastructure from our customers to Xero

6. We can’t just say we’re “secure as a bank”. We must actually BE secure as a bank.

7. Why is security important to Xero?
   • Because the impact of security breaches could destroy our business
   • Potential effects:
     - Loss of data
     - Loss of credibility
     - Loss of revenue
     - Damage to customer confidence
     - Damage to investor confidence
     - Legal consequences
     - All on the front page of the Herald

8. Virtual Security Officers
   • Identified early on that we needed outside expertise, not because we couldn’t do it ourselves but because we wanted to do it right
   • Security expertise is not common in New Zealand, especially in relation to SaaS
   • Concept of Virtual Security Officers: a partnership that would help us deliver secure software over the long term

9. Aura Software Security
   • Microsoft development shop turned security experts
   • Understand both secure development and the secure enterprise
   • Not just another security audit
   • Promised a refreshing view of security and what it means to be secure
   • Promised to make security suck less

10. The Aura Experience

11. What are your top 5 security risks?
   • Staff
   • Customers
   • Contractors
   • Hackers
   • Hosting Providers

12. Integrated approach to security
   • Defence in Depth (a holistic view)
     - Security policies
     - Security operations integrated with regular processes
     - Security infrastructure
     - Security-aware users: all staff aware of security, not just developers
     - Application security design and review
     - Penetration testing
     - Ongoing monitoring and proactive analysis

13. Security policies
   • BORING!
   • Implemented as “house rules”: how Xero deals with security
   • Team effort: everyone (not just IT staff) gets the chance to contribute, and policies are circulated company-wide for feedback
   • Be pragmatic, not totalitarian
   • Use software to help enforce policies where appropriate

14. Threat Modelling
   • Risk assessment for software
   • A Microsoft approach, but in no way tied to the Microsoft platform; it can be used for modelling any enterprise or application threat
   • Great documentation, presentation and communication tool for both your team and your board

15. Attack trees
   • To truly defend yourself you need to know how you can be attacked
   • Attack and defence are always interlinked
   • Look at threats from the attacker’s point of view
   • In soccer, the best penalty-taker is often the goalkeeper, because he knows the best way through the net
   • As a CIO you are the goalkeeper! What would you do to attack your own organisation?

16. Imagine you had a castle …
   [Attack tree diagram. Only the node labels and costs survive, in the order they appear on the slide: Kidnap the Princess, 10 Gold Coins, Bribe guard, Sneak through sewer, Launch full military strike, 1,000,000 Gold Coins, Walk in the main gate, Forge letter of introduction, Discover/steal King’s Seal, Discover sewer location, Break any protection, 5 Gold Coins]
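
The castle slide is an attack tree: the attacker's goal at the root, alternative routes (OR nodes) and prerequisites that must all be met (AND nodes) beneath it, and a cost at each leaf. The Python below is an added example, not code from the presentation, Xero or Aura. It reuses the slide's node labels, but the AND/OR grouping, the attachment of the three printed costs to particular leaves, and the costs for leaves the slide does not price (marked "assumed") are all this example's assumptions. It computes the attacker's cheapest path, then does what the defender actually needs the tree for: it ranks candidate controls by how much each one raises that cheapest path, so money goes to the control that moves the attacker, not to the branch nobody would take.

```python
"""Attack-tree cost analysis in the style of the castle slide (added example)."""
from copy import deepcopy
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Node:
    name: str
    kind: str = "LEAF"                 # LEAF, OR (any child suffices) or AND (every child needed)
    cost: float = 0.0                  # attacker's cost in gold coins; used for leaves only
    children: List["Node"] = field(default_factory=list)


def cheapest(node: Node) -> Tuple[float, List[str]]:
    """Cheapest way to reach this goal: min over OR children, sum over AND children."""
    if node.kind == "LEAF":
        return node.cost, [node.name]
    results = [cheapest(child) for child in node.children]
    if node.kind == "OR":
        return min(results, key=lambda r: r[0])
    if node.kind == "AND":
        return (sum(r[0] for r in results),
                [step for r in results for step in r[1]])
    raise ValueError(f"unknown node kind: {node.kind!r}")


def castle_tree() -> Node:
    """Node labels are from the slide; the grouping and 'assumed' costs are this example's guesses."""
    return Node("Kidnap the Princess", "OR", children=[
        Node("Bribe guard", cost=10),                          # 10 Gold Coins on the slide (assumed leaf)
        Node("Sneak through sewer", "AND", children=[
            Node("Discover sewer location", cost=100),         # assumed
            Node("Break any protection", cost=5),              # 5 Gold Coins on the slide (assumed leaf)
        ]),
        Node("Launch full military strike", cost=1_000_000),   # 1,000,000 Gold Coins on the slide
        Node("Walk in the main gate", "AND", children=[
            Node("Forge letter of introduction", cost=200),    # assumed
            Node("Discover/steal King's Seal", cost=500),      # assumed
        ]),
    ])


def with_control(tree: Node, leaf_name: str, new_cost: float) -> Node:
    """Copy of the tree in which a defensive control has raised one leaf's attacker cost."""
    tree = deepcopy(tree)
    stack = [tree]
    while stack:
        node = stack.pop()
        if node.kind == "LEAF" and node.name == leaf_name:
            node.cost = new_cost
        stack.extend(node.children)
    return tree


def prioritise(tree: Node, candidate_controls: Dict[str, float]) -> List[Tuple[str, float]]:
    """Rank controls by how much each raises the attacker's cheapest path (largest gain first)."""
    baseline, _ = cheapest(tree)
    gains = []
    for leaf, new_cost in candidate_controls.items():
        cost, _ = cheapest(with_control(tree, leaf, new_cost))
        gains.append((leaf, cost - baseline))
    return sorted(gains, key=lambda g: g[1], reverse=True)


if __name__ == "__main__":
    tree = castle_tree()
    cost, path = cheapest(tree)
    print(f"Cheapest attack: {cost:g} gold coins via {path}")
    # Each candidate control is modelled as the new attacker cost it imposes on one leaf.
    controls = {
        "Bribe guard": 5_000,              # vetting, rotation, separation of duties
        "Break any protection": 5_000,     # grate the sewer
        "Discover sewer location": 5_000,  # keep the plans secret
    }
    for leaf, gain in prioritise(tree, controls):
        print(f"Hardening '{leaf}' raises the cheapest attack by {gain:g} coins")
```

With these assumed numbers only the guard control changes anything: grating the sewer raises a branch the attacker was never going to use, which is exactly the kind of misdirected spend the tree is meant to expose. Re-run after each control is applied, because the cheapest path moves once the first one is in place.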
17. Test it!
   • Perform penetration testing to make sure that the time spent during development and implementation actually created a more secure environment
   • Highlights anything that was missed
   • Allows us to test both our software and our hosting provider as part of the complete solution, to identify areas where our hosting environment (and potentially our hosting provider) is weak

18. Monitor it!
   • Your environment should be gathering lots of information about security attacks as they occur
   • Tell the attacker nothing; tell the administrator as much as possible
   • Aura’s Red-Eye
     - Custom solution that integrates directly into your environment
     - Managed and administered by Aura
     - Attackers are persistent and will try many variations of an attack; Aura can provide steps to mitigate these
     - First installation picked up a major security hole within 3 days
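
One concrete reading of “tell the attacker nothing, tell the administrator as much as possible” is how an application reports a failure. The Python below is an added example, not Red-Eye or any Xero code; the user table, the request dictionary and the in-memory ADMIN_EVENTS list are constructed stand-ins for a real back end and an alerting pipeline. handle_leaky echoes the internal exception to the caller, which names the table and confirms which usernames do not exist. handle_hardened returns a fixed message plus an opaque incident id, and records the exception, the caller's address and the full stack trace on the administrator's side, where the id lets an operator match a user's complaint to the event.

```python
"""Failure reporting that tells the caller nothing and the administrator everything (added example)."""
import logging
import traceback
import uuid
from typing import Any, Dict, List, Tuple

logging.basicConfig(level=logging.ERROR)
logger = logging.getLogger("app.security")

# Constructed sample data standing in for a real user store.
USERS: Dict[str, Dict[str, str]] = {
    "alice": {"plan": "premium", "region": "NZ"},
}

Response = Tuple[int, Dict[str, Any]]


def load_account(username: str) -> Dict[str, str]:
    """Back-end lookup whose failure message carries internal detail."""
    if username not in USERS:
        raise KeyError(f"users table: no row for username={username!r}")
    return USERS[username]


def handle_leaky(request: Dict[str, str]) -> Response:
    """Anti-pattern: the internal exception text is returned to the caller."""
    try:
        return 200, load_account(request["username"])
    except Exception as exc:
        # Reveals the table name and confirms which usernames do not exist.
        return 500, {"error": str(exc)}


# In-memory stand-in for an alerting pipeline or SIEM; a real deployment ships these events out.
ADMIN_EVENTS: List[Dict[str, Any]] = []


def handle_hardened(request: Dict[str, str]) -> Response:
    """The caller gets a fixed message and an opaque id; full detail goes to the admin side."""
    try:
        return 200, load_account(request["username"])
    except Exception as exc:
        incident_id = uuid.uuid4().hex
        event = {
            "incident_id": incident_id,
            "remote_addr": request.get("remote_addr", "unknown"),
            "path": request.get("path", "/account"),
            "exception": repr(exc),
            "trace": traceback.format_exc(),   # full stack trace, never sent to the caller
        }
        ADMIN_EVENTS.append(event)
        logger.error("request failed incident_id=%s remote=%s exc=%r",
                     incident_id, event["remote_addr"], exc)
        return 500, {"error": "request failed", "incident_id": incident_id}


if __name__ == "__main__":
    print(handle_leaky({"username": "mallory"}))
    print(handle_hardened({"username": "mallory", "remote_addr": "198.51.100.7"}))
    print(ADMIN_EVENTS[-1]["exception"])
```

The same split applies to anything a caller can observe: response timing, HTTP status differences between “no such user” and “wrong password”, and framework debug pages all belong on the administrator's side of the line, and a repeat of the same incident from one address is the signal to alert on.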
19. Things to think about …
   • Take a holistic approach to security involving the whole organisation
   • Get independent expertise to guide you through the process
   • Think about the attacks you could face and how your organisation would respond to them
   • Security is an ongoing process, not a single event: continuously improve, because attackers are also improving
   • The cost of implementing security is not trivial, but it is a fraction of the cost of mitigating security compromises

20. www.xero.com   www.AuraSoftwareSecurity.co.nz   Questions?