In recent years, information security awareness has increased greatly in the industry, and so have the threat levels. We frequently receive questions from customers about our security policies and what we do to look after their data. In this article, I will try to provide you with an overview of our approach and activities in the realm of IT security.
Information security touches almost every part of our business and our customers expect us to act securely in all our activities and to deliver secure products and services.
We have been investing in information security for a long time, especially since we started developing the AIMMS Cloud Platform. The move to the cloud brings great benefits to our customers, but also increases our responsibility. At least a third of our development efforts for our cloud platform were and are devoted to security. In the following section I will outline what this has led to so far.
AIMMS Cloud Platform Security
We worked hard to meet our customers’ expectations for information security on our cloud platform, for example in:
- Architecture, network topology and encryption
- Roles, groups, permissions levels
- Security components like firewalls and VPN connections
Where the assumption used to be that “bad people” could be kept out provided you built enough “defenses,” today’s motto is: “they will get in, so you need to catch them before they cause harm.” So, we also employ a so-called “burglar alarm” service from one of the leading cloud security service providers. This managed service automatically monitors all network traffic on our cloud platform. In addition, its algorithms analyze over 2 gigabytes of logs every day. If any strange patterns are detected, experts in their 24/7 security operations center dive in and contact us when they have sufficient cause to suspect a security issue. This continuous intrusion detection and automatic vulnerability scanning helps us detect almost immediately if someone has broken into our systems or if we inadvertently left a weak spot. As an extra check, we regularly ask security specialists to perform a so-called “penetration test” of the AIMMS Cloud Platform.
Because information security is defined by the acronym “CIA,” which we take as Continuity, Integrity and Accessibility (the system must be available), we have also put a lot of effort into mitigating the risk of downtime. We do this through a combination of redundancy and auto-repair. In our cloud platform, failing hardware is automatically replaced within minutes. We use databases that are replicated across multiple data centers, and clusters of servers to scale our capacity and gain resilience against server failure. We run multiple instances of all key services, so, for example, when one portal service crashes, the other ones handle its traffic until it has automatically restarted.
ISO 27001 Certification
Towards the end of 2018, we decided to seek ISO 27001 certification, the most common standard for information security. Besides offering extra assurance for customers, we primarily wanted to use it as a proven methodology for managing our information security risks. Of course, we were worried upfront that we would create a bureaucratic “check endless checklists” monster, devoid of common sense and not necessarily reducing actual risks. So, we sought advice on how to avoid this and carefully selected a matching consultant company.
Following the ISO 27001 approach, we started with an analysis of the risks we are exposed to, identified their severity and focused our efforts on the highest threats. We concluded that our number one priority should be securing customer data/models. This primarily affects what we do in product development, support and our cloud operations.
Secure cloud and software technology are not enough, as our ISO 27001 risk analysis illustrated. We require behavioral changes. We have implemented a bundle of policies to make sure everyone at AIMMS knows how to act. Our policies include:
- How to use strong authentication
- How to classify, handle, encrypt and store information
- How to develop secure software
- How to work securely when not in the office
- How to keep our devices secure
- Who has access to what
- How we monitor suppliers
- How we handle incidents
- How we ensure business continuity
- How we train ourselves, differentiated per function, on information security
- How we check we all comply with all of these required behaviors.
And yes, these policies are sometimes inconvenient, adding friction to our work. So, we keep looking for ways to minimize the inconvenience and boring manual checks. Plus, we must get used to holding each other accountable for complying, which is not always a comfortable experience.
Just the beginning
It was important for us to realize that this all would not stop the moment we got the certificate. That was just the start. We are “only as secure as our last behavior,” and vulnerabilities can occur because of the tiniest oversights. We cannot become a “black belt” in one pass: our business keeps evolving, and information security threats keep changing and increasing, which is also reflected in the requirement for an annual re-audit. We must remain as vigilant as we can and continue to improve the way we manage information security. This plan-do-check-act cycle is perhaps the most important requirement of the ISO 27001 norm, and it is what supports us here. We also learned that some people are far better at this than others, so having the right team is key.
I hope I offered you some insight into how we handle information security at AIMMS. If you have questions or comments, please feel free to contact me.