Ben Ede, CTO of 7bridges, the AI-powered logistics platform, discusses cyber security and how we handle our clients' data.
We get it. A company comes along promising to reduce your yearly logistics spend by up to 30% and provide an ROI in just four weeks' time. It sounds too good to be true, right? Then you find the catch: they want access to your data.
You: "But I don't want to give a company I barely know access to my data, I have no idea what they will do with it or how secure they are. I don't even know if I CAN give them access to our data! It could be a breach of data security regulations, like GDPR."
Like we said before, we get it. When we founded 7bridges, we realised two things:
1. A solution that optimises your logistics spend will only work if it's working with real data. Your data.
2. That you have a responsibility - both legal and moral - to treat your data with utmost care. For that reason, you would not hand it over to us unless we can demonstrate how very seriously we take that responsibility.
That's why we've always thought about security and have built it into the 7bridges platform as we progressed (rather than hurriedly retrofitting it once we had grown).
If you want to try us out, but you're nervous about GDPR and don't want to hand over your data with Personally Identifiable Information (PII) attached, we can also accept data with redactions. This means that you don't need to announce us to all your customers as a new third-party data processor until you are ready to fully engage with us.
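A sketch of what redacting an export before sending it could look like, as an added example that is not 7bridges code. The column names, sample rows and key are constructed, and the allowlist of fields a sender chooses to share is an assumption.

```python
import csv
import hashlib
import hmac
import io

# Constructed sample export; column names are assumptions, not a 7bridges schema.
SAMPLE_CSV = """\
shipment_id,customer_name,email,phone,street,delivery_notes,postcode,country,weight_kg,carrier,cost_gbp
S-1001,Jane Doe,jane@example.com,+44 20 7946 0000,1 Example Street,Leave with Jane,SW1A 1AA,GB,12.5,CarrierA,18.40
S-1002,John Roe,john@example.com,+44 20 7946 0001,2 Sample Road,,M1 1AE,GB,3.2,CarrierB,7.95
S-1003,Jane Doe,JANE@example.com,+44 20 7946 0000,1 Example Street,,SW1A 1AA,GB,4.0,CarrierA,9.10
"""

KEEP = {"shipment_id", "country", "weight_kg", "carrier", "cost_gbp"}  # sent as-is
TOKENISE = {"email"}     # replaced by a keyed token so repeat customers still group
COARSEN = {"postcode"}   # only the outward part (e.g. "SW1A") is sent

def token(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 token; the key stays with the sender."""
    digest = hmac.new(key, value.strip().lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:16]

def redact_row(row: dict, key: bytes) -> dict:
    """Allowlist redaction: any column not named above is dropped (fail closed)."""
    out = {}
    for col, val in row.items():
        if col in KEEP:
            out[col] = val
        elif col in TOKENISE:
            out[col + "_token"] = token(val, key)
        elif col in COARSEN:
            out[col + "_area"] = val.strip().split(" ")[0].upper()
    return out

def redact_csv(text: str, key: bytes) -> str:
    """Redact every row of a CSV export and return the CSV to be sent."""
    rows = [redact_row(r, key) for r in csv.DictReader(io.StringIO(text))]
    if not rows:
        return ""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0]), lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

if __name__ == "__main__":
    print(redact_csv(SAMPLE_CSV, b"constructed-demo-key"))
```

Because the filter is an allowlist, a free-text column such as the constructed `delivery_notes` never leaves the sender unless someone adds it to `KEEP` on purpose.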
You: "But I don't want to give you access to my network, this is a major security risk and we don't have the time or budget to add in extra security controls."
You send your data to us.
We've built a solution that gives you control over what you send us. We provide various public endpoints for you to send us your data securely. Because this is a core part of our business, we invest our time and budget in ensuring these endpoints are secure rather than making you do any legwork.
You: "Great, but when I send you my data how do I know it's secure?"
Even before your data hits our service, it will be sent via encrypted channels. As soon as it lands within our network, no matter where it is stored (file or database), it will be encrypted. This means that if (a big if) a bad actor were able to access the hard drive storing this information, stealing it would be useless, as it's unretrievable by anyone except ourselves.
We host all our data on AWS cloud infrastructure. Our primary location is in Ireland (over three distinct zones), but we also maintain a failover copy in AWS London. In the unlikely event that an extremely large outage occurred in AWS (which would require all 3 Ireland locations to go down at once) we would flip a switch and start hosting from London instead.
You: "Yeah, but how easy is it to pretend to be a 7bridges employee and get access to the unencrypted data?"
VPC, VPN, 2FA, RLS, RBAC, etc. are probably not important to you. But we've built a lot of layers of security to make sure we are as secure as possible. Firstly, we've protected all the critical systems by hiding them from the outside world, except for the battle-hardened public endpoints.
Secondly, inside this, we've also hidden the critical systems from each other by partitioning the systems into separate secure areas. So even if a bad actor could penetrate the first line of defence (and let's assume they had some sort of access to one of the machines inside), they would still be unable to access all of our systems.
Obviously, our own software engineers need to access our environment. For this purpose, we also follow the principle of least access: in other words, only giving access to people whose roles require it. They can only access our secure spaces via our VPN once they've been authorised and given their credentials.
On the web platform side, we also enable 2-factor authentication for all of our admins to prevent any bad actors from gaining access there.
As we are a shared SaaS platform, you'll also be happy to know that all your data that sits in our database will be completely walled off from any other customer by security rules, meaning that it is impossible for us to ever leak data from one customer to another.
You: "Sounds great! But how do you know you haven't been compromised already?"
We use a service called GuardDuty. GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorised behaviour to protect our services and data. The moment something is flagged as suspicious we will be alerted and will investigate.
Also, every time we push a new piece of code to our central repository, it is automatically scanned to make sure we haven't introduced a security vulnerability.
When we run our full integration tests, we also run a Dynamic Application Security Testing tool that tests our platform in the same way a hacker would when trying to find exploits to gain access or perform other malicious tricks.
Every time we deploy, all the code and all the supporting operating systems and libraries are scanned against regularly updated global vulnerability lists. This scanning will prevent us from unknowingly pushing code with a new vulnerability into production.
You: "Ok, so you monitor everything and confirm everything is secure, but what about confirmation bias?"
We have engaged with independent third-party security companies who have been CREST certified. We provide them full access to a replica of our production environment (without real data) and let them run regular full penetration tests on it. These ethical hackers work like normal hackers except they provide us with a report instead of stealing any data (not that they've been able to thus far).
They also provide endpoint scanning that checks for vulnerabilities in our public endpoints.
Outside of the technology itself, they also attempt to hack our staff by phishing, smishing, and vishing them to try and gain access to our data. This all creates a high level of awareness in the whole company of the importance of security.
You: "Ok I'm feeling pretty good about this now, but what happens if I don't want to use your services anymore..."
If you want to part ways with us, then we are obliged to remove your data from our platform.
You: "Ok, this sounds awesome, I'm ready to start working with 7bridges..."
There's still more. As we mentioned at the start, we prioritised security from day one. Now, we're putting that all together, formalising it, and will soon be gaining our ISO 27001 information security accreditation. Additionally:
Feeling better about sharing your data with 7bridges? Talk to one of our expert team today, and learn how our secure, data-driven solution can save you 30% on your direct logistics costs.