December 19, 2018 CIA: The 3 Pillars of Security You Need to Know at Topcoder
Before taking on the role of VP of Security at Topcoder, I led our global consulting service that enables customers to use crowdsourcing at enterprise scale. Most of my career has been spent in IT, beginning in telecommunications products and doing software development and systems engineering for companies like Motorola and 3Com. Later I worked for U.S. Cellular, a telecommunications provider, and led teams responsible for maintaining a highly available infrastructure focused on FCAPS: fault, configuration, accounting, performance, and security. After being in IT for more than 15 years, I became a consultant on Salesforce deployments. The move exposed me to crowdsourcing and I quickly became fascinated with this delivery model.
3 key areas of security: platform, customer, and member
Security is an intrinsic component of Topcoder’s offering. It exists in all aspects of the business — from a customer’s first interaction with the platform, to members registering and competing, to ultimately delivering solutions. Our platform enables collaboration yet preserves privacy, allowing for experimentation with limited risk.
At Topcoder, we allow customers to access top talent using a delivery model that’s proven to provide outcomes without compromising enterprise security policy. To that end, security at Topcoder can be divided into three key areas, which you can imagine as this venn diagram:
- Platform. These are the services and systems that enable the Topcoder platform. They are cloud-hosted systems as well as cloud services.
- Customer. Anyone who uses the platform to obtain outcomes via crowdsourcing.
- Member. Anyone who competes on the platform around the world.
3 pillars of security at Topcoder: confidentiality, integrity, and availability
Security remains one of our most important values — and my top priority at Topcoder. We take precautions at every step of the crowdsourcing process and are always keeping up to date with new tools, needs, and best practices. That includes our three pillars of security:
Confidentiality is the ability to hide, anonymize, or otherwise obfuscate information from those people unauthorized to view it. It introduces the notion of least privilege, which requires that information be accessible only to the people or resources that are necessary for legitimate purposes. Bifurcating people into two groups implies that you understand the nature of the information, as well as which group has access and which group does not.
Information classification is the key to understanding confidentiality and access control. Information is typically classified into two or more increasingly secure categories and access control is built on allowing only those given access to view this information. An example of a compromise in confidentiality is when an unauthorized user is able to steal credentials and gain access to company information.
Integrity ensures that information isn’t tampered with, either at rest or in motion. This implicitly requires that trust exists throughout the lifecycle of the information — from genesis to destruction.
An example of integrity is using Transport Layer Security (TLS) to transmit data from one system to another. TLS ensures that you are transmitting to a known valid entity when your data is cryptographically transmitted. This can be seen by the certificate chain of a given site. But this type of integrity is just for the duration of the information in transit. Other architectures must maintain that trust for the remaining information lifecycle.
Checksums and hash functions are also typically used to verify integrity has not been compromised. A checksum can be computed and transmitted with the encrypted payload. Once the receiver decrypts the payload, they can compare the hash of what was transmitted and what was recieved. Access controls are also implemented to track information changes. These controls enable the user to verify who, what, and where a change to the data occurred.
How long would you continue to use a bank whose services were constantly unavailable? For any system to serve its core purpose, it must be available when needed. Availability should be examined throughout the full lifecycle of a service — from DNS to web content and database, as well as transport. The weakest link in this chain will govern the availability of your service. Security controls need to be in place to protect against denial of service, disaster recovery, and encrypted communications.
Greater security and experimentation through crowdsourcing
In my next blog post, I’ll delve deeper into customers, members, and infrastructure, and describe the process and controls in place to support the CIA triad for each of them. In the meantime, it’s also good to understand the distinct layers of data protection we have in place at Topcoder and more of the fundamental reasons why crowdsourcing is more secure than traditional means of software development. As the global leader in crowdsourcing, we not only keep our customers and members safer, but we are able to do so while incorporating new solutions and offerings all the time.