Since our inception, our team has always worked very hard to ensure our Content Services Platform (CSP) can adhere to the strictest security standards and protocols. This has been particularly true during the past two years when we’ve invested heavily to keep the Nuxeo Platform secure while continuing to provide the high-performance levels our customers depend on.
When I took on the official role as head of security at Nuxeo in 2017, my first step was to ensure we had effective processes in place to ensure we always have as much information as possible about the “what, where, when, and how” in regards to how data and content is managed within the Nuxeo Platform. With this foundation in place, we’re better equipped to deal with security incidents when they occur.
Secure Office Connectivity and Network Updates
Nuxeo has offices in North America, Europe, and Asia, and we also support several remote workers. We decided to unify our approach to equipment management and create VPN meshes that allow all of our offices to seamlessly connect with each other. We also added a connection to a VPC on AWS, allowing access to our internal services from every Nuxeo office while taking advantage of AWS architecture.
As Nuxeo has grown, we’ve deployed more systems and tools. With increased scale comes the need to securely manage both local and shared accounts.
We’ve installed a new AWS Directory Service and deployed a full ActiveDirectory. We’ve also deployed Radius servers to connect to Wifi in a manner that enables us to only use WPA Enterprise, which allows us to better track our network usage and increase our investigation capabilities. In addition, we have connected Okta to our new ActiveDirectory. As a result, we now deploy SSO on most of our existing applications.
We created one organization that was inclusive of our several AWS accounts, and then connected all of our accounts to it. Using a tool we developed (Ivoryshield), we enforced AWS CloudTrail on every account, and all events are now processed within minutes to ensure they comply with our policies. The beauty of AWS is that it generates an event for every action, so it’s easier to maintain granular controls that can be processed with automated scripts.
Automation is Key
A new set of ‘runbooks’ have been scripted that connect to several of our services, allowing us to record all actions via CloudTrail and ensure every member of the team will execute the same actions in the same order. We automate a vulnerabilities scanner that scans our dedicated environments.
Continuous Security Improvements
Our security, production, and development teams all operate with a focus on ensuring the Nuxeo Platform can adhere to strict security protocols.
Ensuring high levels of security requires vigilance and continuous improvement, and we set security-focused goals with this in mind. We’ve been working hard to achieve goals like these:
- Encryption at REST everywhere — We’ve automated the encryption on S3 buckets.
- Antivirus — We’ve deployed the Cylance solution on each and every server.
- WAF deployment — We’ve deployed AWS WAF along with AWS Shield Advanced.
- IDS — We’ve deployed Threatstack on every server, increasing the alerts gradually to reach a more acceptable state.
Audit and Gap Analysis
We began an audit and gap analysis in late 2018, and we’re using the results from this to help drive and guide our ongoing efforts to better protect and secure all content and data residing within our platform.
Nuxeo’s security team has created an approval token system that automates the process of validating security rules within our environment. As a result, this provides greater accuracy and efficiency to the process of applying and validating access controls and other security rules to specific workgroups (like the “security team”).
And by the way … We’re happy to report that Nuxeo has achieved PCI/DSS certification!
No time to rest-we’re already starting our SOC2 audit. We’ll continue to add more certifications because we know that our commitment to ensure the highest level of security possible in our product will inspire even more trust in our product and company.
Stay tuned for more security-related posts from me coming soon, including insight on our security automation and our firewall token signature with IvoryShield.