
Agile security in the cloud: Lessons from Xero

Divina Paredes | June 29, 2016
Previously, security was about having gates, but under the agile method we use guardrails so our developers stay on the road, rather than having to stop at a gate, writes Aaron McKeown of Xero.

Protecting the sensitive financial data of more than 700,000 global subscribers is one of the most important jobs at Xero. Just as the move to cloud technology has completely disrupted the way small business owners and accountants work, it has transformed the way we protect them.

In the past 12 months we have released more than 1200 new product features and updates. With the plug-and-play machine learning and automation tools available in the AWS environment, we have the opportunity to step up the level of innovation and take full advantage of this new cloud world, yet tight, agile security is fundamental to the success of our platform.

Accelerated innovation also means organisational governance and security teams need to lift their pace and quality of service, something the agile security ethos enables teams to do.

At Xero, our security teams work as "security as a service". We operate as a supplier within Xero's walls. We have rapid response teams running 24x7 and product security teams, all of which need to be on the same trajectory as the rest of the organisation. We need to be able to continuously iterate and deploy.

To build an always on, always shipping culture in our security teams, we operate on three basic principles.

API-driven security

Traditionally, security systems were managed by people logging into a console. Taking the human element out of the process helps establish a continuous integration methodology: you define something once and then repeat it, over and over, in exactly the same way. That gives consistency of delivery, and if you need to adjust a security policy you change it once, eliminating inconsistency in the system and unnecessary outages.
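As an added illustration (not Xero's code, and not tied to any tool the article names), the following Python script shows what "define it once and repeat it" means in practice: the ingress policy for a security group is declared once in code, and a reconciliation step computes the exact changes needed to bring the live rules back into line, which is what a pipeline would run on every deploy instead of a person editing rules in a console. The group ID, the desired rules and the live snapshot are all constructed for the example; against real AWS the revoke and authorize steps would correspond to the boto3 EC2 calls revoke_security_group_ingress and authorize_security_group_ingress with the same protocol, port and CIDR.

```python
"""Idempotent security-group reconciliation (added example, not Xero's code).

The policy lives in DESIRED. plan() diffs it against the live rules and
returns the minimal change set; apply_plan() carries that out. A second run
returns an empty plan, which is what makes the policy safe to apply from CI.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Rule:
    """One ingress rule: protocol, single port, source CIDR."""
    proto: str
    port: int
    cidr: str


# The policy, declared once. Editing this set is the only way the group changes.
DESIRED: Set[Rule] = {
    Rule("tcp", 443, "0.0.0.0/0"),  # public HTTPS
    Rule("tcp", 22, "10.0.0.0/8"),  # SSH from the internal range only
}

# Constructed snapshot of a group's live ingress rules (hypothetical group ID;
# shape trimmed from what EC2 DescribeSecurityGroups returns). Someone has
# hand-edited it in the console and opened SSH to the world.
LIVE_SAMPLE: Dict = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}


def _key(r: Rule) -> Tuple[str, int, str]:
    return (r.proto, r.port, r.cidr)


def live_rules(group: Dict) -> Set[Rule]:
    """Flatten API-shaped permissions into comparable Rule objects."""
    rules: Set[Rule] = set()
    for perm in group["IpPermissions"]:
        for rng in perm["IpRanges"]:
            rules.add(Rule(perm["IpProtocol"], perm["FromPort"], rng["CidrIp"]))
    return rules


def plan(desired: Set[Rule], live: Set[Rule]) -> List[Tuple[str, Rule]]:
    """Minimal ordered change set; empty when live already matches desired."""
    # Revoke first so a tightened rule never coexists with its wider predecessor.
    steps = [("revoke", r) for r in sorted(live - desired, key=_key)]
    steps += [("authorize", r) for r in sorted(desired - live, key=_key)]
    return steps


def apply_plan(group: Dict, steps: List[Tuple[str, Rule]]) -> Dict:
    """Apply the plan to the snapshot and return the new snapshot.

    Against real AWS each step would be one boto3 EC2 call
    (revoke_security_group_ingress / authorize_security_group_ingress).
    """
    rules = live_rules(group)
    for action, rule in steps:
        if action == "revoke":
            rules.discard(rule)
        else:
            rules.add(rule)
    return {
        "GroupId": group["GroupId"],
        "IpPermissions": [
            {"IpProtocol": r.proto, "FromPort": r.port, "ToPort": r.port,
             "IpRanges": [{"CidrIp": r.cidr}]}
            for r in sorted(rules, key=_key)
        ],
    }


def reconcile(group: Dict) -> Tuple[List[Tuple[str, Rule]], Dict]:
    """One pipeline run: compute the plan, apply it, return both."""
    steps = plan(DESIRED, live_rules(group))
    return steps, apply_plan(group, steps)


if __name__ == "__main__":
    steps, fixed = reconcile(LIVE_SAMPLE)
    for action, rule in steps:
        print(f"{action:9s} {rule.proto}/{rule.port} from {rule.cidr}")
    print("second run:", plan(DESIRED, live_rules(fixed)))
```

Against the constructed snapshot the first run produces two steps (revoke the world-open SSH rule, then authorize the internal one) and the second run produces none, so the same policy can be applied on every deploy without anyone deciding by hand whether it has already been done.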

Security at speed

Security and speed are not mutually exclusive. If a security team isn't agile, it can block the pace of the organisation. Previously, security was about having gates, but under the agile method we use guardrails so our developers stay on the road, rather than having to stop at a gate.

Fast response times are imperative to keep a tech company pushing ahead. We continuously measure, test and monitor everything. It helps us iterate on-the-fly.

Security on-demand

Having the ability to scale infrastructure up and down as you need it is critical for cloud organisations. In the past, security was a static part of a business. It was slow moving.

In the new tech world, we need security infrastructure to work at scale, adjusting to the peaks and troughs of our customer usage in multiple timezones around the globe. Dynamic computing means the choice between being fast or secure no longer has to be made: now you can be both.
