October is Cyber Security Awareness Month and as official champions of the scheme, we wanted to shine a light on security here at Alfresco. So we asked Alfresco Security Director, Phil Meadows about his role here keeping us, and customers using our products, secure.
What do you do at Alfresco and how did you get into this role?
As the Security Director here at Alfresco I’m responsible for ensuring that the products that we deliver are secure and also that we’re running our business in a secure way. I originally come from a software engineering background and most recently I led the DevOps team here so I have had a lot of experience with both software and operational security, which was great preparation for being Security Director.
How do you ensure that Alfresco is developing products that keep customer organizations secure?
We make sure that we consider people, tools and policies to help ensure that security is an integral part of our product development process, not a separate activity. We support the engineers with training and personal development to make sure that they’ve got the right level of security awareness. We’re also building a virtual team of secure coding representatives from across the engineering teams to be able to share best practices and also make sure that security is considered up front in everything we develop.
We follow some of the DevSecOps approaches and integrate automated security scanning analysis tools into the development pipelines. I’m a believer that if the engineers can have potential security flaws highlighted as they are writing code, then it’s a lot easier to resolve while it’s still fresh in their mind. We also use more heavyweight automated scanning tools and we make use of third party penetration testing companies to give us external validation.
We also put in place policies to make sure that if and when security issues are reported, that they’re categorised and responded to appropriately.
What are some measures the security team takes to ensure the protection of customer data?
As a company we have regular SOC2 assessments of our own operational processes. This makes sure that we have appropriate policies and processes in place to cover security, availability, processing integrity, confidentiality, and privacy of customer data that we hold. Our documentation team provide extensive documentation about Authentication and Security of our products to help customers correctly configure and run their systems.
For customers who have compliance obligations around storing records we also have information governance solutions which meet a number of standards including NARA/OMB 2016 and 2019, ISO 15489, MoReq and VERS.
Your job means you’re responsible for helping our customers run Alfresco securely. Tell us more about that.
As a security team, we work closely with all parts of our company that are helping customers to help them out with guidance and advice on how to run our products securely. We also work closely with product engineering on tools like our AWS Quick Start and other reference documents and deployment tools to make sure that they have a good level of security built in.
One of my colleagues in the security team, Toni de la Fuente, has his focus on operational security. Increasingly, our customers are running Alfresco on AWS. With Cloud security a big concern, and as open source believers, we like to share the tools that we create. We have an active project called Prowler which anyone can use to assess the security of, and then harden, their AWS accounts based on the industry standard CIS benchmarks. We’re also working on a new project called The Trooper which will allow automated deployment of an integrated suite of AWS security monitoring tools. Watch this space!
To hear more from Phil and Toni, watch them discuss Security at Alfresco in this recent Tech Talk Live: