Listening to customers
The second factor was less about being forced to comply with external laws, and more about doing everything they could to meet customer expectations.
“Over the years our customer base has changed to include more enterprise-level teams working in large corporations. We could see our customers were working through their own audits to ensure the tools they were using met their security requirements.
“We received a number of security questionnaires all asking similar questions, which forced us to think: If you have to answer no to a question — saying that you don't do something — then you have to ask yourself, ‘Well why not? Why don't we do that?’”
After her experience with the customer support rep, Bridget knows how it feels for any customer, not just enterprise customers, who needs to see that YouCanBook.me has the processes in place to earn recognized security credentials.
So the team set to work to identify the systems already in place, identify any gaps, and then start the process for external security certification, beginning with ISO 27001.
What a difference a decade makes
When YouCanBook.me began a decade ago, security issues were on a completely different order of magnitude than today. Even so, for CTO and co-founder Keith Harris, who built the tool himself, infrastructure security was always a central concern. In fact, Keith built his own password manager for the team to use before password managers were cool!
Over the years, the demand for industry-recognized certification, as well as the increasingly complex attempts by bad actors to access data, led YouCanBook.me to move engineer Antonio Acevedo into a full time role as Head of Infrastructure to keep a laser focus on security.
“It can be overwhelming,” says Antonio. “You have to be constantly looking at things that are happening, things that might be happening, things that no one has thought could happen.”
Internally: Start with NO
Security breaches aren’t just an external risk. It isn’t enough to lock down the perimeter so that no outsider has unauthorized access if, inside, everybody still has access to everything.
A very clear strategy within the YouCanBook.me team is what they call their ‘Principle of Least Privilege’ policy. It puts a strict limit on user access for every area of the tool: everything is forbidden by default, and access is granted only where a role needs it.
“The philosophy is, unless there's a reason for somebody — including myself, the CEO — to have access to data, particularly customer data, we just don't,” says Bridget. “Everything is compartmentalised, so if you don't need to be in the room, you don’t get the keys.”
For Antonio, these security measures add complexity because he has to create access profiles for each role in the company. But it’s worth it.
“The Principle of Least Privilege is a huge mental lifesaver because you don't have to be thinking what might happen if this user does this or this one does that. No one is allowed to do anything unless they need to for their work.”
This might sound extreme, but employees are consistently one of the biggest security risks an organization faces: industry breach surveys attribute the large majority of data breaches, close to 90% in some reports, to employee mistakes rather than to sophisticated outside attacks.
“It's an interesting balance for a customer-focused company,” says Keith. “Our Support team is highly motivated to help our customers. So they’re looking to have as much information as they possibly can to help with troubleshooting and solving problems. You have to tell them they're not allowed that data. It can feel like you’re tying their hands behind their back.
“So then you have to think about what changes you can make to the product that will help those customers without our team’s involvement. Troubleshooting has to suddenly go inside the product so the customer either no longer sees that problem, or they have the tools to solve it themselves and it doesn't require a human being to go in and do anything that could cause a data breach.”
Externally: Reducing the blast radius
If someone wants to attack you, they will try one way or another. The point is to make it so difficult that the attacker gives up and moves on to the next company.
One of YouCanBook.me’s six values is Simple is Beautiful and that comes across strongly in their approach to infrastructure security.
One of Antonio’s first projects when he started at YouCanBook.me in 2014 was to migrate all their systems across to Amazon Web Services (AWS). The company has grown with AWS ever since, taking advantage of its ever-increasing number of product solutions and its strong reputation for SaaS security.
“When you’re talking to customers and are able to say that you use AWS, it’s an easy discussion because everyone understands that means excellent security,” says Antonio. AWS operates a shared responsibility model: AWS secures the underlying cloud (physical facilities, hardware, hypervisor and the internals of its managed services), while the customer remains responsible for everything it puts in the cloud, including its data, identity and access configuration, and application code. “So we don’t have to worry about those components. We just have to focus on our own. And with highly configurable user access, we can keep to our Principle of Least Privilege.”
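To make the deny-by-default idea concrete, here is an added example (not YouCanBook.me’s code, and not a description of how their AWS access is actually configured): a small Python script that evaluates requests against IAM-style policy documents the way the text describes, with an over-broad support-role policy beside a scoped one, and a lint that flags the wildcards that break least privilege. The ARNs, account ID, table name and statement IDs are constructed for illustration, and the evaluator is a simplified model of AWS IAM that parses Conditions but treats them as satisfied.

```python
"""Deny-by-default access evaluation and least-privilege lint for IAM-style policies.

Added example, not YouCanBook.me's code. Evaluation is a simplified model of AWS IAM:
an explicit Deny wins, otherwise any matching Allow grants, otherwise the request is
denied. Conditions are carried in the documents but assumed satisfied here.
All ARNs, the account ID and table names are constructed for illustration.
"""
import fnmatch
import json

TABLE_ARN = "arn:aws:dynamodb:eu-west-1:111122223333:table/booking-metadata"  # constructed

# Constructed: what a support role ends up with when "give them enough to troubleshoot"
# is taken literally. It grants every action on every resource.
OVERBROAD_SUPPORT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Constructed: the same role scoped to what troubleshooting needs. Reads on one table,
# gated on MFA, with bulk-read actions explicitly denied.
SCOPED_SUPPORT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadBookingMetadataOnly",
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:Query"],
            "Resource": TABLE_ARN,
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        },
        {
            "Sid": "NoBulkCustomerDataAccess",
            "Effect": "Deny",
            "Action": ["dynamodb:Scan", "dynamodb:BatchGetItem"],
            "Resource": "*",
        },
    ],
})


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """IAM-style wildcard match: '*' and '?' are wildcards, matching is case-insensitive."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def is_allowed(policy_json, action, resource):
    """Evaluate one request against a policy, deny-by-default.

    Returns False when no statement applies, False when an explicit Deny applies,
    and True only when some Allow matches and no Deny does.
    """
    allowed = False
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        action_hit = any(_matches(p, action) for p in _as_list(stmt.get("Action", [])))
        resource_hit = any(_matches(p, resource) for p in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False  # explicit Deny overrides any Allow
        allowed = True
    return allowed


def lint_policy(policy_json):
    """Flag Allow statements that violate least privilege. Returns a list of findings."""
    findings = []
    for idx, stmt in enumerate(_as_list(json.loads(policy_json)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements can only narrow access
        sid = stmt.get("Sid", f"Statement[{idx}]")
        actions = _as_list(stmt.get("Action", []))
        if "NotAction" in stmt:
            findings.append(f"{sid}: NotAction grants everything except the listed actions")
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"{sid}: wildcard Action grants a whole service or every API call")
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append(f"{sid}: Resource '*' is not scoped to specific resources")
    return findings


if __name__ == "__main__":
    export_arn = "arn:aws:s3:::customer-exports/all.csv"  # constructed
    for name, policy in (("overbroad", OVERBROAD_SUPPORT_POLICY), ("scoped", SCOPED_SUPPORT_POLICY)):
        print(name, "findings:", lint_policy(policy) or "none")
        for action in ("dynamodb:GetItem", "dynamodb:Scan", "s3:GetObject"):
            target = TABLE_ARN if action.startswith("dynamodb") else export_arn
            verdict = "ALLOW" if is_allowed(policy, action, target) else "DENY"
            print(f"  {action} -> {verdict}")
```

The scoped policy lints clean and lets the support role read individual booking records while refusing table scans and anything outside DynamoDB; the over-broad one allows every request and trips two findings. Against real AWS accounts the same questions are answered by `aws iam simulate-custom-policy` and IAM Access Analyzer, which also honour Conditions, resource policies and permission boundaries that this toy evaluator leaves out.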
AWS offers a lot of solutions, but it doesn’t have everything. Sometimes, YouCanBook.me needs to choose another service.
“If we need to go outside the AWS umbrella, that’s fine. But it’s also where the extra security concerns come in. So you have to balance the benefits of using a different service with the potential risks it brings.”
Keep things simple. Keep them structured and siloed as much as possible and only come out of that when you really need to. It’s all about how you can reduce the blast radius of any attack.
One of those risks is passwords, where human error rears its head again: passwords are very hard to get right when they are left to individuals.
“The tools outside AWS are why we use Dashlane,” says Antonio.
Dashlane is a password management tool that allows you to centralize permissions, easily giving or revoking employee access to passwords as required.
“We’re not a huge company but it doesn’t matter how many people you have. You still have to be able to track who has access to each tool, and when they accessed it. The more you close things down, the less you have to think about the likely scenarios where you’re going to be attacked. The ‘least privilege’ policy is about trying to narrow down the possibilities, so we can keep it manageable on our side.”
To ISO 27001... and beyond
YouCanBook.me’s policies - keeping tight control over access management, protecting customer data and being in a position to scale safely - are all among the best practices outlined for SaaS security practitioners.
The logical next step for YouCanBook.me was to go for external certification of their security measures. The two options were ISO 27001 and SOC 2 certification.
Any customer of a SaaS tool interested in security certifications will have seen those two names. What’s the difference between them? Less than the marketing suggests, but they are not the same thing.
Both SOC 2 and ISO 27001 convey industry-standard recognition that a company has the security practices in place to protect customer data. They differ in who issues them and in what you hold at the end.
ISO 27001 certifies that a company has a robust Information Security Management System (ISMS) in place. It is an internationally recognized standard, and certification runs on a three-year cycle: an initial pass/fail certification audit, surveillance audits every year, and a full recertification audit at the end of the cycle.
SOC 2 is a U.S. attestation framework, defined by the AICPA, that focuses on proving that a company has implemented controls to protect customer data. What you receive is not a certificate but an auditor’s report (a Type I report assesses control design at a point in time; a Type II report also tests that the controls operated over a period). It is arguably harder to achieve, but a report can note exceptions in areas that do not yet conform, so it is important to read the SOC 2 report itself for details on where a company complies.