“You might be scanning to see if a device is jailbroken or rooted. There is a whole class of companies that are offering services based on zero trust that can take security to the next level,” he says.
For Optimizely, a San Francisco–based company that helps its customers optimize their digital experiences, keeping data safe requires a multipronged approach.
Optimizely’s customers use its platform to do A/B testing, personalization, optimization and customization for e-commerce sites. The resulting customer data is proprietary and valuable — which is why Optimizely takes its security controls so seriously.
“Our platform is used by large enterprise companies, so the stakes are high for us, which is why we mitigate risk at every stage,” says Kyle Randolph, the company’s senior director of security, privacy and compliance. “Software security is paramount because of the impact to a customer’s website that a JavaScript vulnerability can have. It’s a big ask of trust for us to deliver JavaScript and ask our customers to trust that the experience is going to be secure. At Optimizely, ensuring the integrity of JavaScript is a top security priority to mitigate the risk of a website compromise.”
The company runs its servers in the cloud, so it trusts its cloud providers to handle the physical and network security. However, the business logic security for its 400 employees, as well as the security for customers, falls under Randolph’s domain.
His work starts with plenty of automated tools and a security-first focus. Randolph and his team don’t overlook the basics, such as keeping software patched and updated, using firewalls and tapping security standards. But controlling the sign-on process is just as important, he says. “Here at Optimizely, we use dozens of cloud-based services. So, for us and for our customers, passwords are a big focus. Humans are bad at choosing passwords and at password hygiene. We use Okta single sign-on, so we can remove those worries across the board.”
JBG Smith Taps Security at the Edge
When it comes to protecting data, IT should know what’s going on with the network, where company data resides and how well its current infrastructure and strategies are working.
JBG Smith, a real estate investment company based in Chevy Chase, Md., looked to this strategy to shore up its infrastructure. It needed a way to secure its properties and its tenants while allowing its many contractors and employees to access everything remotely. “Our issue was how to deliver a strong business experience while still delivering security,” says David Shanker, the company’s senior vice president of IT. “And that security had to be easy to use so it didn’t impact the user’s overall experience.”