As a security professional I’ve gotten to work on systems from large banks to hospitals to government agencies, and even for the President of the United States. My background also has a healthy dose of cutting edge startups at every stage of growth, so when I came to LiveRamp I expected to walk into the “wild west” mentality of many small companies:
- Every engineer has the root password to production systems (and doesn’t see a problem with this)
- Code releases pushed to production 10 minutes before happy hour on Friday
- Crazy deadlines for features pushing all considerations about security and scalability into the “future.”
What I found was quite the opposite: a cultural understanding that security and scalability are core features that our customers rely on. I’d like to share how LiveRamp has made these core values of the company and how that translates into some really good security practices.
One of the biggest differences here at LiveRamp is the orientation process new hires go through. We go a lot further than the usual code walkthrough or network diagram intro that only takes the first half day at many companies. New employees get to participate in 8 or so days of intense orientation covering everything from application architecture to security and privacy practices at LiveRamp. During this period you’re given the time to really learn how we do things and ask any questions you might have, all without the distraction of a pile of work that should have been done a month before you were hired. Any company that plans ahead for this sort of training gets employees who are contributing to the long term vision of the company instead of just scrambling to produce results before knowing how those results will even be used. When it comes to security this drives home the lesson of “take the time to do it right the first time.”
LiveRamp has an awesome intern program that brings in talented individuals from around the country to work on some great and innovative projects. One of the concerns with bringing interns in to work on software is they’re almost always inexperienced in working on production systems. What we’ve done is created a locked down Linux virtual machine that interns install on their own machine, and then they must use this VM for working on LiveRamp systems. This provides them with the common toolset used by all the full time engineers here, while also limiting their access to systems and source code to what is necessary. Plus, when they leave at the end of their internship, we can just delete the VM in a single step and be sure that they aren’t accidentally leaving with any code or data. Interns are also paired up with mentors who review any code they produce before committing it into source control.
At LiveRamp when an individual raises a security concern it is immediately evaluated for risk and put into our issue tracking system. By treating these concerns the same as a new revenue-generating feature we ensure the best quality software makes it to our production systems.
One particular problem I’ve seen at many previous companies was database passwords hard-coded into the source code of production applications. When security invariably became an issue, it was always a huge effort to excise and manage these passwords in a secure way. I came to LiveRamp to find this problem solved in a manner more elegant than any I’d ever seen: First, the credentials and configuration are stored in separate meta-files in a secured repository. Access to the password part is carefully controlled, while access to the configuration part is easily accessed. Then, when it’s time to push code to production, the Operations team runs a deploy that constructs the full configuration file from the two parts and places it securely on the target server. This allows developers to make changes to their configuration as needed without having the sensitive database credentials exposed to anyone with access to the code base.
This is a critical aspect of security that often stops at the datacenter. At LiveRamp, it starts with the employee’s laptop. In addition to issuing mandatory laptop locks, we make sure that every laptop uses encryption to protect sensitive code and data, and that it is set up to automatically lock its screen and expire network sessions when not in use. This mitigates scenarios like this. At the datacenter level, we’ve gone the extra mile to use a SAS 70 Type 2 certified facility. This means that an external auditor has verified that critical controls are in place and being used such as:
- Biometric access controls
- Dry pipe fire suppression systems
- Man trap entrance
- Video surveillance
- Audited records of access
Stay tuned — in a future blog post, I will discuss more details on security in an agile web company in addition to why security policies are a good thing.