October 18, 2018

Engineering for trust, privacy and security

By Mike Sheward

Cybersecurity. A topic that has now fully relocated from the sidelines of information technology, and found a new home in our daily connected lives. It's a topic that many of us have been focused on for a number of years, but also one that others are coming face-to-face with for the very first time, often under less than desirable circumstances.

Typically, the first time a person becomes aware of the scope of information a service provider holds about them is when something bad happens to it: it is compromised, whether accidentally or maliciously. Either way, the end result is the same, and equally concerning. Perhaps the information is used in ways the subject of that information didn't fully expect, or understand. The truth is, in this day and age, personal information is more than just information. It's representative of a person's life and livelihood, and as a service provider it's a privilege to handle that information.

Understanding the privilege to serve

At Accolade we take this privilege very seriously, and that's why the Accolade security team is focused on building tools that help us work to ensure not just data security, but also privacy and trust.

While it's true that we spend a great deal of time on our technical security infrastructure, to detect, deflect and understand the constant barrage of internet-based threats, we're also very aware that security isn't just something that can be bought off the shelf and dropped into place. Good security comes from instilling a culture that understands and respects what is at stake if things go wrong. After all, when it comes to highly sensitive healthcare information, there is little room for error.

Our internal security toolset includes bespoke utilities that allow us to answer questions like:

• Who accessed this information?

• Where did they access the information from?

• How did they access the information?

• For what reason was this information accessed?

Perhaps most importantly, our tools also allow us to answer these questions quickly.

Reducing the number of clicks to resolution

At the center of our world, is a tool known internally as FortifyHQ. This custom-built Security Incident and Event Management (SIEM) tool gives Accolade's security engineers a single resource for correlating input from a variety of different sources. Data from our logging platforms, signals from our network monitoring tools, events triggered from our infrastructure management APIs, and threat intelligence from our partners may each tell part of the story when viewed in isolation, but when combined shine a light on an occurrence from beginning to end. Breaking down walls between disparate tools is an incredibly powerful way to add value to those tools, at no extra cost.

The custom nature of our SIEM platform means that we're not only the users of the tool, but also the product managers and developers. It means we can be agile, and adapt to customer and business needs without having to wait on another vendor's roadmap to materialize. This is a great way to be, as it allows us to be enablers for other teams, rather than nay-sayers, and that in turn builds trust. Trust is contagious, and when trust flows within an organization, everyone benefits. This becomes even more apparent when the trust flows outside of the organization, to its customers, clients and partners.

Controlling access to information

FortifyHQ isn't the only custom tool Accolade Security has developed to help accomplish the team's mission of becoming the most trusted brand in healthcare. A custom-built Access Manager tool is used by all employees to request access to various systems within the organization. Using this tool allows us to know exactly who has access to what, and ensures that appropriate levels of access are provisioned to that person. Access management has become a much more important topic in recent years, and having a handle on it allows us to hold ourselves to the standard we've set internally: that our people should only have access to the systems they truly need. This is another important tenet for respecting the privacy of our clients.
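The correlation the SIEM paragraph describes, and the way an access-request record supplies the "for what reason" answer from the four questions above, as an added illustration (not FortifyHQ or Access Manager code, and all field names, sample records and the threat-intel indicator are constructed assumptions):

```python
# Added illustration (not Accolade's code): correlate constructed events from an
# application log, a VPN log, an access-request store and a threat-intel list
# into one finding per access that answers who / where / how / why.
from collections import defaultdict

# Constructed sample data; every field name here is an assumption.
APP_LOG = [
    {"ts": "2018-10-18T14:02:11Z", "user": "jdoe", "system": "member-records",
     "action": "read", "record": "member/4471", "src_ip": "10.1.7.23"},
    {"ts": "2018-10-18T14:05:02Z", "user": "svc-batch", "system": "member-records",
     "action": "read", "record": "member/4472", "src_ip": "203.0.113.9"},
]
VPN_LOG = [
    {"ts": "2018-10-18T13:58:40Z", "user": "jdoe", "assigned_ip": "10.1.7.23",
     "client": "corp-laptop-0142", "geo": "Seattle, WA"},
]
ACCESS_REQUESTS = [  # approved grants exported from an access-manager tool
    {"user": "jdoe", "system": "member-records", "reason": "Case review #8813",
     "valid_until": "2018-12-31"},
]
THREAT_INTEL = {"203.0.113.9"}  # constructed indicator set

def correlate(app_log, vpn_log, access_requests, intel):
    """Join each data-access event with its session origin and its approved
    access grant; anything that fails to join becomes a flag for triage."""
    vpn_by_ip = {e["assigned_ip"]: e for e in vpn_log}
    grants = defaultdict(list)
    for req in access_requests:
        grants[req["user"]].append(req)
    findings = []
    for ev in app_log:
        vpn = vpn_by_ip.get(ev["src_ip"])
        grant = next((g for g in grants[ev["user"]] if g["system"] == ev["system"]
                      and ev["ts"][:10] <= g["valid_until"]), None)
        flags = []
        if vpn is None:
            flags.append("no-session-origin")   # "where" cannot be answered
        if grant is None:
            flags.append("no-approved-access")  # "why" cannot be answered
        if ev["src_ip"] in intel:
            flags.append("source-ip-on-intel-list")
        findings.append({
            "who": ev["user"],
            "where": f'{vpn["geo"]} via {vpn["client"]}' if vpn else ev["src_ip"],
            "how": f'VPN session from {vpn["ts"]}' if vpn else "no VPN session",
            "why": grant["reason"] if grant else None,
            "flags": flags,
        })
    return findings
```

The first event joins cleanly on all sources; the second fails every join and is surfaced with its flags, which is the "single resource" view an analyst would triage from.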

Engineering for visibility

Both of these internally developed tools have a common theme. They provide visibility. Visibility into the environment, and visibility into who can access what portion of that environment. Really, visibility is a big part of what it takes to run an effective security program. If you can see everything, nothing can surprise you.

You might think that cybersecurity is a wide-ranging, overly complex topic that sees teams of hoodie-clad engineers huddled over laptops in a darkened room working to defend against a never-ending stream of state-sponsored attacks, armed with the latest and greatest tools and techniques needed to enable the defenders of the realm. The truth is that good cybersecurity is rooted in a few basic principles, of which visibility is one. Knowing exactly what you have to defend before you can defend it seems like a no-brainer, but sadly, it's a task that many organizations struggle with. To be fair, many aren't helped by the constant noise and distraction brought about by vendors offering magical tools and solutions to address security problems that are actually less pressing.

Security engineering at Accolade is about blocking out this noise, focusing on the basics of security, privacy and trust, and building tools to appropriately support this objective. That's why the Accolade security team loves what they do, and revels in engineering trust, just as much as the underlying code that provides it.
