Ben Ede, Principal Engineer here at 7bridges, discusses cyber security and how we handle our customer data.
We get it, a company comes along promising to reduce your yearly logistics spend by up to 30% and provide an ROI in just four weeks' time, it sounds too good to be true right? Then you think you've found the catch: they want access to your data.
You: "But I don't want to give a company I barely know access to my data, I have no idea what they will do with it or how secure they are. I don't even know if I CAN give them access to our data! It could be a breach of data security regulations, like GDPR."
We understand the importance of your data
Like we said before, we get it. When we founded 7bridges, we realised two things:
1. A solution that optimises your logistics spend will only work if it's working with real data. Your data.
2. That you have a responsibility - both legal and moral - to treat your data with utmost care. For that reason, you wouldn't hand it over to us unless we can demonstrate how seriously we take that responsibility.
That's why we've considered security from day one and have built it into the 7bridges platform as we progressed (rather than hurriedly retro-fitting it once we've grown).
If you're nervous about GDPR and don't want to hand over your data with Personal Identifiable Information (PII) attached, we can also accept data with redactions. We don't have to know or see any of their personal details, especially in the early stages. This means that you don't need to announce it to all your customers as a new 3rd party data processor until you are ready to fully engage with us.
You: "But I don't want to give you access to my network, this is a major security risk and we don't have the time or budget to add in extra security controls."
We don't need access to your network
You send your data to us.
We've built a solution that allows you control over what you send us. We provide various public endpoints for you to send us your data securely. That means you never have to let us into your network. Because this is a core part of our business we invest our time and budget ensuring these endpoints are secure rather than making you do any legwork. Which means you have total control, but no boat-load of new responsibilities you need to manage.
You:"Great! But, when I send you my data, how do I know it's secure?"
We encrypt your data as soon as we receive it
Even before your data hits our service it will be sent via encrypted channels. As soon as it lands within our network - no matter where it is stored (file or database) - it will be encrypted. This means that if (a big if) a bad actor was able to access the hard drive storing this information, stealing it would be useless as it's unretrievable by anyone except ourselves.
We host all our data on AWS cloud infrastructure. Our primary location is in Ireland (over three distinct zones), but we also maintain a failover copy in AWS London. In the unlikely event that an extremely large outage occurred in AWS (which would require all 3 Ireland locations to go down at once) we would flip a switch and start hosting from London instead.
You: "Yeah, but how easy is it to pretend to be a 7bridges employee and get access to the unencrypted data?"
We've built multiple layers of security
VPC, VPN, 2FA, RLS, RBAC, etc. are probably just a lot of acronyms and not really important to you. But we've built a lot of layers of security to make sure we are as secure as possible. Firstly we've protected all the critical systems by hiding them from the outside world, except for the battle-hardened public endpoints.
Secondly, inside this, we've also hidden the critical systems from each other by partitioning the systems into separate secure areas. So even if a bad actor could penetrate the first line of defence (and let's assume they had some sort of access to one of the machines inside), they would still be unable to access all of our systems.
Obviously, our own Software Engineers need to access our environment. For this purpose, we also follow the principle of least access: in other words only giving access to people whose roles require it. They can only access our secure spaces via our VPN once they've been authorised and given their credentials.
From the web platform side, we also enable 2-factor authentication for any of our admins to prevent any bad actors from gaining access there.
As we are a shared SaaS platform you'll also be happy to know that all your data that sits in our database will be completely walled off from any other customer by security rules meaning that it is impossible for us to ever leak data from one customer to another.
You: "Sounds great! But how do you know you haven't been compromised already?"
We actively monitor the security of our systems
We use a service called GuardDuty. GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorised behaviour to protect our services and data. The moment something is flagged as suspicious we will be alerted and will investigate.
Also, every time we push a new piece of code to our central repository it is automatically scanned to make sure we haven't introduced a security vulnerability.
When we run our full integration tests we also run a Dynamic Application Security Testing tool that tests our platform in the same way a hacker would try and find exploits to gain access or perform other malicious tricks.
Every time we deploy, all the code and all the supporting operating systems and libraries are scanned against regularly updated global vulnerability lists. This scanning will prevent us from unknowingly pushing code with a new vulnerability into production.
You: "Ok so you monitor everything and confirm everything is secure, but what about confirmation bias?"
We use independent 3rd party security experts to test our security
We have engaged with independent 3rd party security companies who have been CREST certified. We provide them full access to a replica of our production environment (without real data) and let them run regular full penetration tests on it. These ethical hackers work like normal hackers except they provide us with a report instead of stealing any data (not that they've been able to thus far).
They also provide endpoint scanning, that checks for vulnerabilities in our public endpoints.
Outside of the technology itself, they also attempt to hack our staff by phishing, smishing, and vishing them to try and gain access to our data. This all keeps us on our toes and creates a high level of awareness in the whole company of the importance of security.
You: "Ok I'm feeling pretty good about this now, but what happens if I don't want to use your services anymore..."
This is your data, not ours.
If you want to part ways with us, then we will absolutely remove your data from our platform. You have total control of that.
You: "Ok this sounds awesome, I'm ready to start working with 7bridges...."
Hang on, we're not finished yet!
There's still more. As we mentioned at the start, we prioritised security from day one. Now, we're putting that all together, formalising it, and we also have the ISO 27001 information security accreditation.
And we promise that we take it seriously day in and day out. To keep your data safe:
- We will continue to raise security awareness with our staff with regular awareness training and exercises
- We will continue to assess new risks and re-assess existing risks
- We will continue to audit all 3rd party suppliers we work with to make sure they meet our standards.
- We will continue to put security at the front of all of our solutions.
Feeling better about sharing your data with 7bridges? Talk to the team today, and learn how our secure, data-driven solution can save your supply chain 30%.