“Why is it that when one man builds a wall, the next man immediately needs to know what's on the other side?”
-- Tyrion Lannister
Recently, we wrote about the importance of data privacy in the research world, an idea that conveniently and delightfully lent itself to some Game of Thrones analogies -- how we all have just a little bit of Lord Varys in us and must ensure no one else gets to the secrets our little birds share with us.
As the keepers of billions of data points, researchers know the importance of cyber security. But, have you ever wondered what your company’s cyber security guards actually do? To continue the GoT metaphor, we’ll say that being in cyber security is like being a member of the Night’s Watch. The security team must guard against multiple threats, without knowing exactly where they are coming from, who they are, or how they are trying to find or force their way in.
It doesn’t matter what industry you’re in, it doesn’t matter what you do. Everyone is subject to being hacked, so it’s important it is for researchers to have confidence in security of data. We sat down with our own Lord Commander of the Night’s Watch (and dscout COO) Chip Hardt to get more information.
What kinds of security threats are of particular concern to companies dealing with research data?
Going with the Game of Thrones metaphor, if you liken a research company to a castle, you might say that data security is the wall and moat around the castle.
External threats are mostly hackers. They want to steal your information --either client information or financial information-- and use it against you. Inside, could have another issue: someone who is unhappy with the way things are and wants to harm the company. You need to make sure that once a person is identified as a threat, or has left a company, their access to the systems is removed.
We also have to make sure we protect clients’ confidentiality. We have practices and habits in place that prevent us from talking about things that we shouldn’t talk about to anyone who isn’t directly involved with a project. We always have to put the interest of our clients first.
What security measures are in place to keep customer data safe?
To begin with, we have SAML 2.0, which allows web-based authentication and authorization, including SSO. This helps reduce the administrative overhead of distributing multiple authentication tokens to the user. In short, a researcher at one of our client companies can access their dscout information from the comfort of their own secure system.
SSO is Single Sign-On for users. Basically, a customer signs into one system in their company and is good-to-go for all the other systems to which he or she should have access.
The converse is also true. When the person leaves the company, it’s much easier to take away their access to data. People come and go from jobs frequently, so SSO has become especially important. A lot of things need to happen to keep unauthorized people out.
Third-party penetration testing is another thing we do. To make sure that no one can hack us. we actually hire people to try to hack us. We do yearly penetration testing to make sure that no one can get past the wall. We have penetration test reports that show that absolutely no high or even medium risks exist on our web application, our API, or our mobile apps.
A all data security measures taking place in the virtual space?
Some things we do are sort of old school, actually. Physical access to our building and our servers is very strictly controlled. Authorized staff must pass two-factor authentication at least three times to access areas where data is stored. We also have firewalls to restrict access from external systems and between internal systems.
Not to be too dramatic, but cyber security is a constant war. We don’t have our own seer, to tell us what’s coming next, so, it’s important that we constantly update and be prepared to face whatever threats are coming. We take that responsibility seriously at dscout.