What’s more secure? A cloud-based or on-prem document management system?
It’s a question that gets asked a lot in our industry.
So, I invited Mark Richman, Principal Product Manager at iManage, on to the show for a wide-ranging discussion on the topic.
In this episode, we discuss:
- Why a SaaS-based document management system is more secure than on-prem
- Implementing compensating controls to mitigate potential damages
- iManage’s customer-managed encryption keys and threat manager
- What a cloud provider should be doing from a security perspective
SaaS-based document management is more secure
When deciding on a document management system, ease of use is a major driver. The trick is to make the system easy to use and simultaneously as secure as possible.
SaaS providers build security into their development roadmaps because it is a serious competitive advantage that feeds their sales pipelines.
An on-prem implementation may receive maintenance and upgrades, but it will likely cost more over time than the subscription fee for a SaaS solution. In a zero-trust environment you have to prepare for the worst at all times, and on-prem maintenance intervals may be too few and far between to keep pace with malicious attacks.
“A cloud solution is, generally speaking, going to be more secure than an on-prem solution.” — Mark Richman
Controls and contingency: mitigate document management risk
Choosing a cloud-based system doesn’t mean that you can sit back and relax.
Mark’s team takes a shared responsibility approach:
- Clients want solution providers to take on more of the risk management work.
- The shared goal is to increase the likelihood that attacks will be completely prevented (rather than requiring remedies).
- Although clients are responsible for the data they input, iManage continues to think of ways to support customers in managing data responsibly.
- Accounts, devices and identities are all covered.
In a SaaS context, the architecture and product levels should provide security confidence. It’s possible to use automation and several smart tools to reduce dependency on human input and maintain security policies. Features can be developed, but it’s down to the user to apply them operationally.
Here are some examples of what providers can offer, but not control, in terms of additional solution security:
- 2FA
- Minimum password strength requirements
- Segmented user permissions
By exploring and then extending control opportunities to customers, iManage actively prevents both intentional and unintentional disasters.
Encryption and threats: iManage enables customer control
Customer-managed encryption keys
All of the data that a customer houses in iManage’s system is encrypted by default. It’s an extremely strong encryption foundation, but Mark also recognizes that overconfidence brings risk.
To ensure that even iManage doesn’t present a breach risk, customers can take control of their own encryption keys. The application can still use the key to encrypt and decrypt data, but it never has access to the key material itself, so the customer can revoke the key independently at any time.
The caveat with this is that there’s little iManage can do to assist a customer who has opted for this control but has misplaced or lost access to their own encryption keys. As the saying goes, with great power comes great responsibility.
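To make the key-ownership model concrete, here is an added Python example (not iManage’s code, and not a description of its actual implementation) of envelope encryption with a customer-held key-encryption key: the provider encrypts each document under a fresh data key, stores only the wrapped data key and ciphertext, and can decrypt only while the customer’s vault still answers unwrap requests. The `CustomerKeyVault` and `DocumentStore` classes are hypothetical stand-ins for a customer key store and a provider’s storage layer, and the HMAC-based cipher is a standard-library substitute for AES-GCM so the example runs without extra packages. Revoking the key makes the stored content unrecoverable, which is exactly the caveat above.

```python
import hashlib
import hmac
import secrets

# Illustrative authenticated cipher built from the standard library only
# (HMAC-SHA256 keystream in counter mode, encrypt-then-MAC). A real deployment
# would use AES-GCM; this stands in so the example runs with no dependencies.

def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, block = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])

def seal(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext failed authentication")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class CustomerKeyVault:
    """Hypothetical customer-controlled key store. The key-encryption key (KEK)
    never leaves this object; the provider only gets wrap/unwrap operations."""

    def __init__(self):
        self._kek = secrets.token_bytes(32)

    def wrap(self, dek: bytes) -> bytes:
        if self._kek is None:
            raise PermissionError("key revoked by customer")
        return seal(self._kek, dek)

    def unwrap(self, wrapped: bytes) -> bytes:
        if self._kek is None:
            raise PermissionError("key revoked by customer")
        return unseal(self._kek, wrapped)

    def revoke(self) -> None:
        self._kek = None  # from here on, nothing wrapped under this KEK can be opened


class DocumentStore:
    """Hypothetical provider side: persists ciphertext plus the wrapped DEK, never the KEK."""

    def __init__(self, vault: CustomerKeyVault):
        self._vault = vault
        self._records = {}

    def put(self, doc_id: str, plaintext: bytes) -> None:
        dek = secrets.token_bytes(32)  # fresh data key per document
        self._records[doc_id] = (self._vault.wrap(dek), seal(dek, plaintext))
        # the plaintext DEK goes out of scope here; only its wrapped form persists

    def get(self, doc_id: str) -> bytes:
        wrapped_dek, ciphertext = self._records[doc_id]
        dek = self._vault.unwrap(wrapped_dek)  # raises once the customer revokes
        return unseal(dek, ciphertext)

    def stored_bytes(self, doc_id: str) -> bytes:
        wrapped_dek, ciphertext = self._records[doc_id]
        return wrapped_dek + ciphertext


def demo():
    """Store a document, read it back, revoke the customer key, try again."""
    vault = CustomerKeyVault()
    store = DocumentStore(vault)
    store.put("contract-1", b"privileged: settlement terms")
    before = store.get("contract-1")
    vault.revoke()
    try:
        store.get("contract-1")
        after = "readable"
    except PermissionError:
        after = "unrecoverable"
    return before, after
```

Note that revocation in this model is not an access-control flag the provider could bypass: without the vault’s unwrap operation the provider holds only random-looking bytes, and if the customer loses the KEK the same property works against them.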
“Customers are increasingly looking to shift more of that shared responsibility to the cloud vendor who has expertise.” — Mark Richman
Threat analytics and management
When it comes to threat management, Mark mentions the importance of educating the customer. Even the most comprehensive solutions can be used incorrectly. Consistent communication and support therefore become critical.
With any feature that a customer decides to use or not use, there is a clear explanation of the parameters that come with it.
Additionally, usage data is processed with AI and ML to detect anomalies and suspicious behavior. For example, a user might ignore the system’s prompts and choose the bare-minimum password strength. If an attacker compromises that account and suddenly begins downloading large volumes of data, the system detects the usage anomaly and sends alerts.
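The anomaly described above can be illustrated with a simple baseline check over a download audit log. This is an added example written for this page, not iManage’s Threat Manager logic or its log format; the log lines are constructed, and the detection rule (a day’s download count at least `min_count` and more than `ratio` times the user’s mean on other days) is a deliberately plain statistical baseline rather than the ML the text refers to.

```python
from collections import defaultdict
from statistics import mean

def build_sample_log():
    """Constructed audit log: 'date,user,doc_id,bytes'. Two users with steady
    activity for five days, then one account bulk-downloads on day six."""
    lines = []
    for day in range(1, 6):
        for i in range(3):
            lines.append(f"2024-05-0{day},alice,D{day}{i},20480")
        for i in range(5):
            lines.append(f"2024-05-0{day},bob,E{day}{i},30720")
    for i in range(40):  # alice's account suddenly pulls 40 large documents
        lines.append(f"2024-05-06,alice,X{i:02d},2097152")
    for i in range(5):
        lines.append(f"2024-05-06,bob,E6{i},30720")
    return lines

def daily_totals(lines):
    """user -> day -> [download count, total bytes]."""
    totals = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for line in lines:
        day, user, _doc, size = line.strip().split(",")
        totals[user][day][0] += 1
        totals[user][day][1] += int(size)
    return totals

def detect_mass_downloads(lines, ratio=5.0, min_count=10):
    """Flag any user-day whose download count is at least min_count and more
    than ratio times that user's mean daily count on every other observed day.
    The candidate day is excluded from its own baseline so a single burst
    cannot mask itself."""
    alerts = []
    for user, days in daily_totals(lines).items():
        for day, (count, nbytes) in sorted(days.items()):
            others = [c for d, (c, _) in days.items() if d != day]
            if not others:
                continue  # first day seen for this user: no baseline yet
            baseline = mean(others)
            if count >= min_count and count > ratio * baseline:
                alerts.append({
                    "user": user, "day": day, "count": count,
                    "bytes": nbytes, "baseline_count": baseline,
                })
    return alerts

if __name__ == "__main__":
    for alert in detect_mass_downloads(build_sample_log()):
        print(f"ALERT {alert['user']} on {alert['day']}: {alert['count']} downloads "
              f"({alert['bytes']} bytes), usual ~{alert['baseline_count']:.1f}/day")
```

The `min_count` floor matters in practice: a user who normally downloads one document and downloads six on a busy day is a 6× deviation but not an incident, and alert fatigue would quickly train administrators to ignore the signal.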
Cloud providers and security
Most organizations operate on assumptions when it comes to security, and that is where risk really begins.
Mark’s team thinks of all the angles:
- Content security during storage and transit
- Security-first application and device usage and management
- Appropriate system configuration
- Data backups as risk vectors
Here’s Mark’s advice for cloud providers when it comes to security:
- Try to take a security-first approach to everything that you do.
- Update solution architecture in line with changing market dynamics and demands.
- Maintain awareness of, and accommodate for, constantly developing threats.
- Embrace attestations, accreditation and certification audits as you build your compliance- and security-related reputation.
- Run practice rounds and threat simulations to stay on top of response and containment protocols.
“It’s about building a smart architecture, validating that with a bunch of certifications and attestations, and then also, practicing in real time to ensure that the day when that threat does come, that you’re well-prepared to handle it in real time.” — Mark Richman
To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.
Time-Stamped Transcript
This transcript was generated primarily by an automated voice recognition tool. Although the accuracy of the tool is 99% effective you may find some small discrepancies between the written content and the native audio file.
Narrator (Intro/Outro) (00:01):
You are listening to The Virtual CISO Podcast, a frank discussion providing the best information security advice and insights for Security, IT and Business leaders. If you’re looking for no BS answers to your biggest security questions or simply want to stay informed and proactive, welcome to the show.
John Verry (00:19):
Hey there, and welcome to yet another episode of The Virtual CISO Podcast. With you as always, John Verry, your host, and with me today, Mark Richman with iManage. Hey, Mark.
Mark Richman (00:27):
Hi. How are you, John?
John Verry (00:29):
I am well. Thanks for joining me today.
Mark Richman (00:30):
Yeah, you bet. Happy to be here.
John Verry (00:32):
Cool. So, I always like to start easy. Tell us a little bit about who you are, and what is it that you do every day?
Mark Richman (00:37):
Sure. So, I’m Mark Richman. And as you said, I work with iManage. And we are a document management provider. And I’ve been in the cloud and security space for a number of years. I actually worked for iManage back in the iManage for a number of years in professional services and actually worked building the very first implementation of the iManage cloud. And then I went off and worked in startup land for a few years, building different kinds of scalable and secure cloud SaaS platforms. And then returned to iManage about two years ago to help us build our next generation cloud platform.
John Verry (01:11):
Excellent. Before we get down to business, I always ask, what’s your drink of choice?
Mark Richman (01:15):
Drink of choice, I guess maybe I’ll go off the beaten track just a little bit, but really into mezcal these days. So, enjoying some of that. I actually just returned from a trip to Mexico and got to drink some really good mezcals down there.
John Verry (01:27):
Yeah. So, that’s interesting. And somebody else who I had on was a huge mezcal fan. And I have not had many mezcals, but I was in Grand Cayman a couple winters ago, and they have a Mexican restaurant there that specializes in mezcals. And they had a guy that they imported from Mexico who was responsible for the mezcal bar. And we ended up going there a couple nights, because mezcals can be a lot of fun.
Mark Richman (01:52):
Yeah, you bet.
John Verry (01:53):
Definitely takes tequila and takes it to a slightly different place. All right. So, let’s get down to business. So, cloud based applications in general, and specifically a document management system hold a lot of sensitive information. I’m constantly being asked, and I’m guessing you are as well is, is a cloud-based X application document management system, whatever, as secure as an on-premise solution? How do you answer that question?
Mark Richman (02:21):
In general, I guess I would say, generally speaking, a SaaS based solution is, generally speaking, I think going to be more secure than an on-prem solution. And I think there’s a couple of different reasons for that. And I think some of the incentives around that are different as well. When you’re trying to deliver an on-prem software solution, one of the really chief things you’re trying to keep in mind is, you want to make it easy for the person that you’re handing it over to, to make it as easy as possible to deploy and configure. And in some cases, there’s a tension there in also making it easy to deploy, install and configure with making it as secure as possible.
Mark Richman (02:59):
And certainly from a SaaS vendor perspective, the SaaS vendor is certainly incented to try to keep the content and the platform as secure as possible, and has already sunk the costs into the setup and configuration and that architecture. So, the SaaS cloud platform vendor can really make the necessary investments into that architecture to make sure that it’s secure as possible to get their deployment pipelines and so forth set up in such a way that it’s as secure as possible. So, certainly, an on-premise person can invest the time and energy into making something really secure. And certainly, a cloud vendor can certainly not put the time and effort into making something secure.
Mark Richman (03:40):
But on balance, I would say that a cloud solution is, generally speaking, going to be more secure than an on-prem solution.
John Verry (03:48):
One of the things that you just said piqued a thought in my head, and I hadn’t really thought about it before. But in a weird way, we see this movement toward zero trust. And I was thinking, as you said, that in the old days, much to say way, original versions of Microsoft server operating systems used to be insecure by default, because they were easy to install, and then you’d have to secure them. And then they moved to that more model of secure-first, which are a little bit harder to deploy. And I never really thought about that, but we did have the same thing with the applications that people were deploying.
John Verry (04:18):
And it was, as an on-prem software provider, to an extent, you were pushing the responsibility of the security onto them. They were inside the moat. So, it’s the old “trust anything inside the castle walls” philosophy. I never really thought about that, but I think that actually is a really good argument for why now you’re in a different world. In a sense, your job is to … You’re a zero trust environment almost. Right?
Mark Richman (04:44):
Absolutely.
John Verry (04:45):
You have to assume that you are living amongst your enemies, and you’re constantly under attack. So, the whole philosophy by which you develop the software at that point, I guess, is radically different.
Mark Richman (04:55):
I think that’s absolutely accurate. And the zero trust model and the zero trust principles that you just mentioned, that’s something we’re always thinking about, and how we can improve our standing in that area.
John Verry (05:08):
So, I guess the answer is, it depends, but the general answer is, if you’re picking the right vendor, then almost definitively you are I think in a position to have a more secure net solution. Because the second thing that I smile about with regards to cloud, I saw a statistic recently that they said eight in 10 companies across the … This is IDC research. Eight in 10 companies across the United States have experienced a data breach made possible by cloud misconfiguration, according to new research by IDC. So, let’s talk about that for a second. I think fundamentally … I’m going to just display something for anyone that’s watching this on video.
John Verry (05:54):
I think fundamentally, it’s because people fail to understand that cloud, although we’re outsourcing the application, we’re not outsourcing our responsibility to participate in the security of the application. So, they don’t understand this shared responsibility matrix. Can you talk a little bit about the shared responsibility matrix and which pieces you guys own and which pieces they own and how you communicate that to your clients?
Mark Richman (06:24):
Yeah. So, there’s definitely shared responsibility here. And I think one of the things that customers are increasingly looking for vendors to provide for them is to be able to take on more of that responsibility and to shift more of that responsibility more to the cloud vendor who has expertise certainly in this application and in that application architecture to increase the chance of limiting any bad things that can happen. So, I think from our application perspective, we definitely take on certainly as much of this. In this SaaS column that you see here, we certainly take on a lot of that responsibility that exists.
Mark Richman (07:10):
Certainly from a Microsoft perspective, also we’re taking on a lot of that responsibility and trying to limit the responsibility that the customer has. So, certainly for things like accounts and identities, certainly devices and things like that, and to a certain extent, management of the data the customer has responsibility for. But we like to design architectures and also to provide tools that put capabilities in the customer’s hands to really have a good understanding and good insight into the capabilities of those things. And I guess one example of that could be around encryption.
Mark Richman (07:47):
So, in our platform, we have a default encryption model that exists just foundationally as part of the platform. But we also provide ability for the customer to take on ownership of the primary keys for encryption management of all of the content such that they have full control. And there’s some inherent risks in that too. So again, in a default model, we have a very strong foundational encryption model. But from a security perspective ourselves as the cloud vendor can also potentially be a threat for a breach potentially. So, some customers want to have ownership of those primary keys, and that is something that we can absolutely support.
Mark Richman (08:32):
But as the old adage from the comic book goes, with great power, comes great responsibility. So, if you’re taking on that responsibility, you’re also of then assuming a certain amount of risk, and taking on a certain amount of ownership of process maturity and to manage those things. So, there’s always a tension here that we’re trying to balance with our customers to be able to take on a lot of that operational responsibility for the customers, but also give some flexibility for customers to take pieces of that where it makes sense for their business and for their amount of risk tolerance.
John Verry (09:08):
But generally, there are certain elements of the security responsibility that you can’t do anything about. So, as an example, if they don’t manage the authentication authorization process right on their side.
Mark Richman (09:23):
Correct.
John Verry (09:25):
There’s really nothing we can do. We can provide additional levels of controls to help them. So, as an example, supporting multifactor authentication. That is a compensatory control, something which reduces the burden a little bit on them in terms of a mistake being made is less likely to cause an impact. But we really can’t fully remove that. You guys are managing highly sensitive documents. Much of the documents you manage are in the legal vertical or supporting the legal offices of different corporations. So, you’ve got this really highly sensitive data.
John Verry (10:03):
You can keep that data as secure as Fort Knox, but when they bring that back into their environment, or if they don’t do the right thing and then actually upload those documents like they’re supposed to in your environment, there’s really not much you can do other than make sure that they understand what those responsibilities are, right?
Mark Richman (10:16):
Absolutely. If someone sets up some accounts, and they just don’t enable two-factor security, multifactor-authentication as you mentioned, and they have configured an insecure password, obviously we can suggest minimum password requirements and so forth. But if they don’t adopt those best practices, absolutely. There’s very little that we can do to intercede there.
John Verry (10:43):
I always go back to … I worked as an expert witness in a lawsuit. And it was interesting, because somebody left with information out of a CRM that they should not have left with, and they gave it to the competitor. This online CRM is very well secured. They do a great job. And it turned out, as we did our investigation into it, that someone had misconfigured the CRM and allowed 40 odd people in the organization to be global admins. The client was unhappy that this data had been stolen and originally thought it … But it was completely their fault. And there’s really not much you could do. So, do you guys have … In the FedRAMP world, we have a concept of …
John Verry (11:30):
They’re referred as the Rules of Behavior guide, which is how you specify to the federal agency what their responsibilities are. Is there an analogous document in your world or analogous set of documents that you use to ensure your clients understand what their responsibilities are?
Mark Richman (11:46):
Yeah. We definitely have a whole series of best practices that we communicate out to our customers. And we have a whole partner ecosystem that we work with that can also help with documentation that we provide to our customers in terms of best practices around configuring and securing the application. And we also have sets of tools that help mitigate some of these things as well. So, I think both from a security perspective at the architecture level and then also from an application perspective at the product level, there’s things we can do to help from that perspective. So, certainly on the architecture side, investing significantly in automation can help in this area.
Mark Richman (12:35):
But also on the product side, we also have tools that allow us to set up and maintain security policies on the content, so that someone can’t just either maliciously or accidentally change security on a set of documents or something and exposing it to a wider audience. That we have products that will see that diversion from the policy, and then reset the content based on a policy that’s already been configured, and also then tools that, that we can offer to our customers that offer threat analytics. So, if there are patterns of behavior or that are deviating from the norm, that we have products that we can offer to our customers to help identify those things.
Mark Richman (13:22):
So again, there can still be a danger from a customer misconfiguring something or setting an insecure password. But there’s a whole variety of compensating controls that we think about from a product perspective, from an architecture perspective, along with certainly best practices and documentation that we provide to help minimize any of those potential damages.
John Verry (13:43):
Got you. So, in full disclosure, Pivot Point works a bit with iManage with regards to a couple of the products that you guys have, helping our clients that are in the legal vertical get the staff working properly. And I like a couple things you guys do quite a bit. So, let’s talk a little bit about, I think, something that most cloud service providers should provide, and I think most organizations should take advantage of, and that’s customer-managed encryption keys. I think it’s a fantastic idea. So, could you explain what a customer-managed encryption is and why it’s such a valuable offering that you provide to your clients?
Mark Richman (14:21):
Yeah. I alluded to this earlier when I spoke about encryption a few moments ago, but a customer-managed encryption key is really the concept that all of the content that a customer houses in our system is encrypted by default, regardless of whether they’re using this customer-managed encryption key or not. So again, there’s this foundational level of encryption. But as I said earlier, iManage ourselves is a potential threat vector. So, there could be people at iManage or another cloud vendor who, again, potentially through accidental or malicious means are trying to access customer content.
Mark Richman (14:59):
And we want to minimize a threat vector coming from any place, be it inside our company, inside the firm or via an external party. And so, really, the customer-managed encryption key really allows the customer to take ownership of the primary encryption keys, such that the cloud vendor really does not have direct access to the primary keys that are encrypting the content itself. So that our application has the ability to use the keys to be able to encrypt and decrypt content, but our application never has access to the encryption key itself. And that just puts a lot of power then into the customer’s hands that if the customer wants to terminate the relationship with iManage for any reason, that those keys can be revoked at any time.
Mark Richman (15:52):
And then all of that content is immediately just turned into a series of bits and is no longer recoverable. So, it just provides a lot of power and flexibility, puts that into the customer’s hands. But as I said a moment ago, that also does come with risks. So, our customers, as they adopt this technology, that they also need to understand that if those keys are lost or misplaced for any reason, then that there is very little that iManage can do to help them to recover that content. So, there is a cost, and that power again doesn’t come for free.
John Verry (16:32):
So, just to be clear, for anyone that’s … Sometimes people’s eyes glaze when you say the word “encryption.” So, when we talk about this key, the key is the … Think of it as the key to the lock. It’s the way that we transform that data into a format that would be unreadable by somebody else without a copy of that key. In the original implementation that iManage does, that data’s encrypted. So, if someone gained access to the data, they have no access to see your data. But if they gained access to the key and the key is owned by iManage, they would be, in theory, able to unlock that data.
John Verry (17:07):
So, what you’re doing in a customer-managed encryption key is you’re keeping the key that unlocks the data in your possession, not in their possession. So, it provides just an insane level of value. I do agree with you that with great power comes great risk, I think is what you said, or great responsibility, which I agree with you completely. I love the idea that you guys, through Azure key vault, you can do an N of M administrative scheme, which is really powerful for the client as well. So, not one person holds the key to the kingdom literally, so that you can have multiple.
John Verry (17:38):
So, you can’t change that key without multiple people working together on it. This is like the old nuclear missiles.
Mark Richman (17:46):
Exactly.
John Verry (17:46):
That’s why there was two keys and they both had to do the same thing at the same time. So, what it does is provides an insane level of protection to these organizations. The only thing you have to be careful of is that you’ve got these good key management processes to ensure that if a key custodian leaves your organization, that they’re being replaced. That you’ve got the right controls in place to know how to use these keys. But I think what you guys are doing there is fantastic, and I think every organization should take advantage of it.
Mark Richman (18:12):
Thanks, John. And again, just building on what you said, I think one of the innovative things that we’ve done is really that separation of concerns, and then putting the same copy of the same key in two places. And this is an area where our customer can potentially hurt themselves, because again, for ease of administration, a customer just might want to have a single administrator to be able to have access to both instances of those keys. But that’s the thing that we really strongly caution against, because as you said, in the nuclear sub-model, we want to ensure that one person can’t launch the nukes.
Mark Richman (18:50):
That if you’re going to do something that has potential catastrophic consequences, that at least two people have to be involved in that decision. So, enforcing that separation of concern is something, again, that we strongly recommend and is not something that we can do for you, but really strongly encourage our customers to do.
John Verry (19:10):
Right. So, not just with you guys, but with any organization, I think the idea of customer-managed encryption keys is fantastic. Another thing that you guys do, I think, that’s really good is your threat manager product, because what you’re I think you’re providing folks there is a set of suspenders for the belt that they should have put on in the first place. They should have good processes to identify, authenticate authorized individuals. They should ensure that people that don’t have access to the data shouldn’t have access to the data. They should ensure that they don’t hire people that are malicious in nature and would do something either advertently or inadvertently bad to the organization.
John Verry (19:49):
So, you guys brought threat manager to provide some insight into that and some warning, if it does occur. Can you talk a little bit about that?
Mark Richman (19:56):
Yeah, definitely. And I think it goes back to what we were talking about a little earlier, that oftentimes the insecurity might be at the front door, that’s just someone has an insecure password or something like that. And maybe there’s some social engineering that happened and an attacker gets access to an account and starts downloading content en masse. And so, we’re increasingly adopting things like certainly machine learning and artificial intelligence and looking at the patterns of how our users are using the application.
Mark Richman (20:32):
And if our applications are seeing things that deviate from the norm, if some account is now suddenly downloading hundreds of megabytes of documents when that user is typically only accessing a couple documents a day, it’s like, “Holy crap, maybe there’s something bad going on here. Administrator, you want to be alerted to this potentially anomalous behavior.” And so, the threat manager builds these insights and pattern analysis to see if there are things that are happening in the application that are outside of what’s expected that that’s something that an admin might want to just take a look at. So, it does help on a variety of measures from that perspective.
John Verry (21:14):
Yeah. A couple things that I also like that it does and that we’ve seen be very effective in law firms is the idea that somebody who typically isn’t accessing a certain type of document, like one practice accessing another practice’s documents can be interesting. And then the other thing which I think is even almost in a way better is the idea that you will alert when individuals do not appear to be uploading documents that they should be uploading. Because if you think about it, one of the fundamental problems I think most organizations have is the assumption of security.
John Verry (21:46):
So it’s like, “Oh, we have a document management system. That document management system, it’s iManage. It’s fantastic. It’s highly secured.” We’ve got everything working the way it’s supposed to, but it only works when people are actually doing what they’re supposed to do. If they don’t operationalize those elements of using the system, it’s not going to be effective. And you guys have some mechanisms that we’ve implemented for some clients to let them know when people are not doing what they’re supposed to be doing.
Mark Richman (22:12):
Yeah. And that’s absolutely correct. And certainly from a security perspective, we want to ensure that the content is secured and is being stored in a repository with all of the controls that we want to have. And we certainly also want to ensure that our customers are just getting the value and benefit out of the significant investment they’ve made in the software. So, ultimately we want it to be a win-win for everyone.
John Verry (22:39):
Got you. One question I don’t know the answer to. Do you provide the ability for somebody to create copies of their documents that are in your system in a repository that they own and manage?
Mark Richman (22:57):
We don’t do that ourselves. So you mean as like a backup or another redundant thing?
John Verry (23:02):
Mm-hmm (affirmative).
Mark Richman (23:03):
We don’t provide that ourselves. There are additional partners in our ecosystem that do provide solutions like that. Again, back to the conversation we had at the beginning, I think today, I would certainly caution customers from doing things like that. Because really, again, the more places you’re storing your content, you’re really just increasing the surface area of potential attack vectors. So, if you’re replicating that content potentially back to your own site, your own premise or to another cloud vendor, you’re just, again, opening up the possibility that there could be, again, a misconfiguration or something else that happens, or just providing another venue for a bad actor to be able to get their hands on your content.
John Verry (23:50):
Got you. That’s a question we get asked a lot. So, I’m assuming what you’re doing is you’re replicating that data across geographically disparate data centers or something of that nature to address the availability concern that this idea of copying it to another place provides.
Mark Richman (24:09):
Yeah. Yeah. And full disclosure, we’re leveraging Azure as part of our application. And Azure is very strong in this area. So, Azure itself has a concept of what they call availability zones. And so, these are three discrete physical data centers in a primary geographic region. And so, when we write a piece of data to Azure, it’s actually synchronously storing that piece of content across three physical data centers each with its own power, network, cooling, et cetera. And then additionally, asynchronously that content is being replicated to a secondary physical geography, again, across three discrete physical data centers. So-
John Verry (24:52):
Wow.
Mark Richman (24:52):
… when you are actually writing a piece of content to the iManage cloud, we’re actually storing it six times in six data centers across two discrete physical geographies.
John Verry (25:02):
Wow.
Mark Richman (25:02):
So, we have what we believe is a very robust data resiliency posture.
John Verry (25:09):
Got you. So, we started this conversation by saying, which is more secure? A cloud based version or on-premise based version of a document management system or application? I think we’ve made a good argument for, if we assume that the cloud service provider is doing all the right things and we assume that we are holding up our end of the conversation, that we’re going to be in a much better spot in the cloud. So, let’s talk about, what are some of those things that a cloud service provider should be doing? So, I know that recently, you guys gave us access into … I forget the name of the system where you keep all of the evidence and artifacts of all of the things you do from a security perspective.
John Verry (25:48):
And to be blunt, I was like, “Wow.” You have as many certifications as any organization I’ve ever seen. So, talk about how you manage security on your side of the fence.
Mark Richman (26:01):
So, we really truly try to take a security-first posture towards everything that we do, and when we’re thinking about our architecture and so forth. Cloud architectures are not really like fine wine. They don’t age well. So, we really want to be thinking about our architecture and how we keep it up to date with modern norms and with the modern threats that are coming out in the world. And so, we’re certainly thinking about those things and really designing things from a security-first posture. And we have a bunch of security attestations and audits that we do, and ensuring that we have a bunch of controls and so forth, and that’s important, and that’s very good.
Mark Richman (26:58):
But then we also want to ensure that we’re testing all of this stuff ourselves and that we are actually doing tabletop exercises for how we would deal with a potential threat problem and actually exercising all of our strategies around disaster recovery and things of that nature. So, it’s about building smart architecture, validating that with a bunch of certifications and attestations, and then also practicing in real time to ensure that the day when that threat does come, that you’re well-prepared to handle that in real time.
John Verry (27:37):
So, some of the things, say as an example, you guys are ISO 27001 certified. You’re SOC 2 attested. You guys leverage the Cloud Controls Matrix. I think you’re CSA STAR certified.
Mark Richman (27:49):
CSA STAR Level 2 is the one we just recently achieved.
John Verry (27:53):
Anything else that … I remember there was a long list.
Mark Richman (27:56):
I think there’s 27017 and 27018.
John Verry (28:02):
That’s privacy in cloud.
Mark Richman (28:04):
Yeah, and also business continuity certification [crosstalk 00:28:07].
John Verry (28:07):
ISO 22301?
Mark Richman (28:10):
Yeah.
John Verry (28:10):
So, you guys have really done … What I like about that is what you’re doing is you’re not only saying, “Hey, we think we’ve done it right,” but then we’re going out and getting the objective evidence and having independent people look at what we did and validate it, which I think third-party attestation of that nature is the best thing. If you’re looking to work with a cloud service provider, the first thing that you should look for is, do they have good third-party attestation?
Mark Richman (28:39):
Yeah. I think that’s absolutely right. And in some cases, we have even gone steps further than that. We were talking about encryption a moment ago. And recently, we engaged a third party independently to do an independent audit of our security and encryption architecture again, because we certainly believe that we have built something that is smart and forward-thinking and secure, but we want independent validation that we haven’t missed something obvious. So, yeah. We recently engaged a third party to do an end-to-end review of that, and that came through very, very well.
John Verry (29:17):
So, we’ve got the cloud service provider. We hope they’re doing all the right things, and we have a way to deal with that. We can look for third party validation that they’re highly secure. We’re going to look for that cloud service provider to provide us with clear guidance on what our responsibilities are. We’re going to hopefully be able to ask that third party service provider, do they provide any other additional capabilities, like CMEK, like threat manager that are going to help us provide the suspenders to our belt for the controls that we’re going to be responsible for? If we get all that right, I think I would personally say that the cloud is far more secure than the average on-prem application that I’ve seen.
Mark Richman (30:00):
Yeah. And I think that’s true. And I was recently talking to a customer. We were talking on this area. And for this particular customer, we were talking with the CISO. And he said for him that the SolarWinds breach was really the straw that broke the camel’s back for him. That when that happened, he realized that all bets were off and that he just couldn’t offer his firm the confidence to say that, “I’m absolutely sure that something like that couldn’t happen again to us.” And in this industry, we have seen instances where firms have been attacked by ransomware, things of that nature.
Mark Richman (30:39):
And cloud vendors like iManage and hopefully others as well are making the investments and things to ensure that something like a SolarWinds attack or a ransomware attack ideally, fundamentally couldn’t happen with our architecture and ideally with other vendors’ architectures as well.
John Verry (30:56):
Yeah. I had a guy the other day. We were talking about this and he says, “Look, I don’t keep all of my money in my retirement accounts in a safe, in my house. It’s in a safe at the bank.” He goes, “I’d be foolish to think that I could protect that asset as well as they can.” He says, “So, I’d be foolish to think that I could architect a system and run it in my environment better than X could,” where X is some major company. So, I agree with that. So, given all that, so given what we just talked about, we talked about that eight in 10. Give you a couple more statistics.
John Verry (31:30):
Gartner estimates that by 2024, 70% of IT organizations will lack the relevant role skills and tools to support SaaS-enabled digital transformation. 80% of breaches that result from hacking involve brute-force attacks or use of lost or stolen credentials, which are, of course, on the client side. Based on all of that data and our conversation, is it crazy to say that your customers are a bigger risk to you than you are to them?
Mark Richman (31:55):
I guess maybe it’s not crazy, but we certainly make efforts to limit any of those bad things that can happen. But-
John Verry (32:06):
No, I meant as a business risk. Because what you have is, a breach happens, that people right away, they blame the cloud service provider. “Oh, we shouldn’t do business with iManage anymore. Our DMS got hacked.” No, it didn’t. No, it didn’t. Your directory got hacked or somebody was phished in your environment and stole the documents out of there, because you weren’t paying attention to your threat manager alerts.
Mark Richman (32:29):
Yeah, exactly.
John Verry (32:30):
“Oh, we’re going to leave and we’re going to go to someone else.” That’s what I meant. It’s a business risk, not really a technical [crosstalk 00:32:35].
Mark Richman (32:34):
Yeah. I think that’s accurate. And it’s what we said earlier. We can take all the preventative measures that we can, but again, in that shared responsibility world, it takes two to tango. And if someone’s not holding up their end, there’s only so much that we can do. But yeah, I think that’s right.
John Verry (32:53):
I agree. So, we beat this up pretty good. And anything we didn’t cover that you think we should.
Mark Richman (32:58):
I think we’ve really covered the highlights. Maybe just talk briefly about a couple of other things. I think some of the other things that we have invested in as well is just, we talked about zero trust and things like that, and assuming that the bad guys are already present. And we’ve also made extensive investments in more modern technologies like containerization and things like that. And when we’re utilizing things like containers, instead of legacy hosts, we can ensure that these services don’t have administrative accounts on them. That there’s no way to like SSH into these services and things of this nature.
Mark Richman (33:42):
And this is just some other examples of technologies and techniques that we’re leveraging to minimize the threat surface area that a potential bad actor can take. And it’s, again, very time consuming and very expensive for an on-prem customer to be able to invest in these kinds of things extensively. But this kind of stuff is our bread and butter, and it’s what we do every day. So, I feel very strongly and very confident that our customer’s data is the safest in the iManage cloud.
John Verry (34:14):
Yeah. If you get into the DevSecOps Agile CI/CD world, and you can get to a point where you’re doing infrastructure as code, so you are literally … And for someone that doesn’t know it, that means in practicality, it’s where you’re deploying virtual hardware through software. So, there is no hardware per se on your side. If you employ good practice there… So, we have a third party we work with that we co-develop some GRC platform stuff with. They literally rebuild the environment every Saturday night. So, there’s no patching, there’s no configuration. They just push a button, and all of our infrastructure disappears and is rebuilt in 15 minutes.
John Verry (34:57):
So, I’m sure that’s where you’re at, because that’s the stuff that you’re talking about. In that kind of a world, maintaining that level of security posture in a non-DevSecOps world is virtually impossible.
Mark Richman (35:09):
That’s right. I think that’s absolutely right. And it’s exactly what you say. So, we’re at the point, we have a geo-distributed cloud with data centers all around the world. And when we’re now at the point where we can literally push a button, and in a matter of hours, we have a brand new data center stood up and configured, all the code and all the services deployed, and really anywhere that Azure has footprint. And that’s what customers should be looking for in a modern cloud provider today.
John Verry (35:40):
Got you. Just out of professional curiosity. Not that it means anything more than I just want to … I’m curious. What containerization technology are you using?
Mark Richman (35:48):
We’re using Kubernetes.
John Verry (35:50):
Kubernetes? Okay. That’s what you see so many people using. I was just curious. Cool. Anything else you want to talk about?
Mark Richman (35:56):
I think that covers it. It’s been a good conversation.
John Verry (36:00):
Yeah. I agree completely. I agree completely. So, hopefully you did your homework, Mark. We’re going to find out. You’ve done so well to this point. Don’t screw it up at this point. What fictional character or person do you think would make an amazing or horrible chief information security officer and why?
Mark Richman (36:14):
All right. I did do my homework on this one. So, let’s go for horrible first. So, horrible would be Sauron from Lord Of The Rings. And if you look at what Sauron did, it’s really the worst possible scenario. You look at the maps of Middle-earth, and Sauron had this impenetrable wall of mountains that was preventing anyone from potentially getting in and destroying the ring. But, first of all, you could just walk around the back and you could just get into Mordor from the back. He had one big gate that was really certified, but then there was a secret stair with a tunnel that you could get into and just do that.
Mark Richman (36:56):
And then hobbits got to Mount Doom, and there’s nobody guarding Mount Doom. So, you could just get in there and just toss the ring in. So, not really optimal security practices from that perspective.
John Verry (37:09):
So, what a surprise that a techie went with Tolkien. Go ahead.
Mark Richman (37:19):
So, I have a maybe not quite as nerdy one on the awesome, but I’ve turned it around a little bit. So, on the awesome seesaw, I chose Professor Moriarty from the Sherlock Holmes stories. And we’d have to turn him a little bit, but if we could … He’s more of a black hat hacker today, but if we could turn him around and bring him into the light, he’s really got a keen mind and really sees all the angles. And I think if we could turn him around, he would be an amazing CISO.
John Verry (37:55):
So, it’s so funny. The reason why you see a smirk on my face is I recorded a podcast a little bit earlier today, and Sherlock Holmes was the answer to who he thought would be a terrible part. So, when you went with Sherlock Holmes, I’m like, “Wow, twice in one day,” which is funny. So, last question. You’re in the same world as I am, and we chat with the same types of people on an everyday basis. Any ideas for a future podcast that you think would be valuable?
Mark Richman (38:23):
Just modern cloud architectures I think is a really interesting topic, and there’s just been tremendous innovation in the space certainly in the last decade, accelerating all the time. So, I think there’s just tremendous innovation and great work that’s happening in the architecture space that I think is interesting for your listeners.
John Verry (38:49):
Yeah. I would agree completely. And I’ve been looking for somebody to come on to do a containers for dummies. Because I think containerization is a fascinating technology, and there’s an inception to it. And I know that I don’t have my crap completely together with really understanding all the implications, understanding the security within a security within a security; these nested Russian dolls that containers represent. So, I think that would be an excellent one. Beyond containers, I’d be curious, is there another component of that modern cloud architecture that you would also emphasize?
Mark Richman (39:31):
I think there’s some interesting … This is maybe getting a little nerdy, but also just some more modern technical architectures and patterns for storing data and additional use of queuing technology and eventually consistent systems I think are techniques and things that are really interesting these days and that are being increasingly adopted. I think those are some interesting trends that are happening in the cloud space as well.
John Verry (39:57):
Awesome. Thank you for that. Appreciate it. Last question. If somebody wants to get in contact with the good folks of iManage and talk about the wonderful things you guys are doing, who would they get in touch with?
Mark Richman (40:07):
Definitely feel free to reach out to me directly. My email is mark.richman, R-I-C-H-M-A-N, @imanage.com. And if you want to connect to me on LinkedIn, please do. And my handle on LinkedIn is M.B. Richman.
John Verry (40:20):
Excellent. Excellent. Well, this has been fun. I genuinely appreciate you spending some time here today. Thanks.
Mark Richman (40:25):
Thanks, John. I enjoyed it too.
Narrator (Intro/Outro) (40:27):
You’ve been listening to The Virtual CISO Podcast. To ensure you never miss an episode, please subscribe to the show in your favorite podcast player. As you’ve probably figured out, we really enjoy information security. So, if there’s a question we haven’t yet answered or you need some help, you can reach us at [email protected]. Until next time, let’s be careful out there.