The most essential task of a castle is to protect against invasion.
Defense is factored into the placement of every brick, buttress and battlement of the structure, ensuring its readiness to rebuff attackers. The castle’s inhabitants might hear the aggressive plink of arrows against the stonework or the frustrated howls of invaders as they attempt to surmount the rushing water of the moat, but with a strong design, they should feel no fear.
When Andrew Dean, chief architect at Prisidio, described his company’s approach to securing their app, that is the comparison he drew from.
“When you’re designing a castle, you build it on a hill, surround it with water and put the most important things in the center of the building,” he said. “You can only do that kind of design if you’re thinking about security first. You can’t just take an existing building and apply that model to it.”
Dean would know. In a previous job, he protected digital assets for the British government and has experience safeguarding data across all types of organizations — from small startups to large enterprises.
Now Prisidio’s security team is reaching back in time for inspiration as they defend against modern-day raiders: Hackers looking to steal personal data.
“Before we even started building the platform, I was thinking about security-first concepts and how to structure everything 100 percent around security,” said Dean.
And given the nature of Prisidio’s product, security had to be the primary focus.
What They Do:
“We’re asking customers to put very sensitive information into a vault in the cloud,” said co-founder and CMO Paul Koziarz. “The first thing people will ask is how secure it is.”
“From the moment we decided to create Prisidio, the company and the product, we understood that security would play an essential role in everything we do,” said Koziarz.
While there may be some challenges and roadblocks around the philosophy, Prisidio has remained steadfast in its dedication to security since its inception. It affects every aspect of their design, engineering and relationships with their partners and customers.
Inside and Out
“The majority of security incidents involve some kind of human element,” said Dean. “You can have all these great security measures in place, but as soon as someone is tricked into giving all their information to an attacker, there’s an easy way to bypass those.”
This means that not only does Prisidio have to build security into its application, but it also needs it to be a priority in every part of its network — technical and human. Dean’s security team, which includes leading industry security and privacy experts, meets frequently to address the many different threads of Prisidio’s web that require protection.
“It’s checks we do with our suppliers to ensure that they are secure,” said Dean. “It’s the internal tools we use — our laptops, our cloud environments, our source code — and how we secure them.”
Another important consideration is how Prisidio trains its employees. All employees go through a detailed background check before they join and are then provided with training so that they’re aware of the latest emerging threats. Security training is different depending on the job role with engineering teams being given access to training on secure code practices for example. Prisidio has developed a set of security policies based on industry standards and these provide employees with a framework to ensure that they’re always following best-practice principles.
“Security is a whole suite of tools — it’s the thing we built our entire company on.”
“We have secure code training, where the developers are given code which contains a security vulnerability and are asked to fix it,” Dean explained. “It puts people in the mindset of writing code from a security-first perspective. It’s constantly at the forefront of people’s minds.”
Of course, along with addressing the human element, Prisidio’s product has no shortage of features that boost its protective might. These features include mandatory multi-factor authentication, biometric authentication, advanced encryption and complete control over who has access to a user’s vault — including the ability to instantly block anyone engaging in suspicious activity. And they’re willing to test the strength of those features through third-party penetration, where Prisidio has an outside organization attempt to break their systems and detect vulnerabilities.
On top of this, Prisidio has third-party organizations carry out independent security architecture reviews, and works with both the Cybersecurity and Infrastructure Agency and the Department of Homeland Security to ensure that the company’s security standards are in line with U.S. government best practices.
“There’s no one thing we do,” said Dean. “Security is a whole suite of tools — it’s the thing we built our entire company on.”
Balancing Usability
Security is the number-one concern at Prisidio. But deeply intertwined with that security is usability — and if the team isn’t careful, those two priorities can come into conflict. As important as it is for Prisidio to keep a user’s sensitive information and documents safe, if there is no way to access them — or the method of access is so difficult as to feel impossible — then it won’t matter, because no one will use the product.
“If Andrew’s team gives us new security requirements, they’re happening,” said design head Josh Hehn. “Then my job is to try to reduce the learning curve without sacrificing any of the security. I have to ask if we can reduce any steps or weave in existing patterns to make things easier for the user.”
It sounds simple, but it means that even a basic action like uploading a file requires complex behind-the-scenes work to make it feel easy while meeting the bar of security set by the company.
“There’s a lot of conversations between pretty smart people,” said Hehn. “It’s rare we hit it on our first try, but that’s product design — we figure out as a team what we’re trying to accomplish and explore different ways of doing it. After two or three cycles, we’ve made it as good as we can, then we keep an eye on it as it goes out to the user. Even with that added focus on security, it’s still a design that might benefit the user.”
“There’s that point every user passes where they say, ‘we can stop talking about security now.’”
It’s significantly easier to iterate on usability based on customer feedback than to fix security after the feature is already in place. The castle needs to be constructed with security in mind, but the interior details can always be changed.
“The majority of the things we do on the security side are hidden,” said Dean. “We expose some of them, but many of them are behind the scenes. Yet our security posture is at the same level that a bank or financial institution would provide.”
No More Security Talk
Even the most secure product in the world is useless if it doesn’t get into the hands of people who need it. As such, it’s just as important that Prisidio’s customers know that their app will keep their files safe.
“Familiarity breeds trust,” said Koziarz. “We have to be out there and promote the message that we have a vault that’s secure. We can’t give all of our secrets away, but we can be consistent in that messaging.”
Koziarz and his team also make sure to listen to customers’ concerns about security through interviews and feedback. Being able to address direct issues users have quickly is a good sign that the product deserves trust.
A company can boast about the security of their platform, but it might not hold up to scrutiny. So how does Prisidio walk the walk? By the fact that employees put their most essential documents on the app, too.
“That’s what I do,” said Koziarz. “I pull it up and say, ‘I helped build this and here’s my vault.’ That helps us talk about security — we can show we’re comfortable with it.”
Andrew Dean recently attended the Black Hat conference, where hackers and security researchers from across the world come to share techniques they’ve been using to crack cybersecurity measures — and tech companies show off what they’re doing to stop them.
“You don’t ever want to connect to the Wi-Fi there,” said Dean.
In the end, Dean was able to convince some of the cleverest hackers and cybersecurity professionals that the product was worth using simply by opening it up on his own phone.
“My name is Andrew, and I use Prisidio, and that was enough?” Hehn joked — but according to Dean, that’s about how it went.
“We expose some of the things we do on the security side, but a lot of them are behind the scenes.”
But the biggest indicator that customers trust Prisidio is the moment when they don’t need to talk about it anymore.
“There’s that point every user passes where they say, ‘we can stop talking about security now,’” said Hehn. “That point is different for everybody, but eventually they hit a threshold of confidence where they’re secure and they know it. After that, they want to get to the fun stuff.”
When a user steps inside Prisidio’s castle walls, they want to be confident that they’re protected. Prisidio has taken massive strides to make those assurances verbally, technologically and through practice. After that, users can enjoy what the defenses protect — a vault for the most important documents, stored digitally for easy access.