Making the right moves for security

Published May 22, 2013
Last modified May 22, 2013

Security is like chess: both demand adaptation and the methodical use of multiple pieces. A good security program follows a similar, multi-layered strategy, built on a continuous and methodical cycle of risk assessment, mitigation, and re-evaluation. It evolves to address new risks and iterates to incorporate necessary changes.

A few months ago, Zendesk took an “across the board” look at our security capabilities, including the features in our product, the effectiveness of our key processes, the depth and breadth of our security organization, and the design of our security architecture. This effort, combining insights from senior management, engineering, product management, IT, and contracted third-party consulting and audit organizations, created a security to-do list. Here are some of the many security improvements we’ve made as a result.

Security governance and leadership is important to Zendesk's management team. As such, I recently joined Zendesk to lead the security function. My primary focus is to further enhance our security program to ensure that we are being absolutely diligent in protecting customers and data.

Our team, a dedicated group of security engineers, is deeply experienced in such areas as penetration testing, security architecture, application and network security, and security monitoring. Additionally, we are augmented by qualified third parties who assist in security audits and discrete projects.

While security vulnerabilities can and will be exploited, people are often targeted first. According to the most recent Verizon Data Breach Investigations Report, "95% of all state-affiliated espionage attacks relied on phishing in some way—even the most targeted and malicious attacks often rely on relatively simple techniques." To address this threat, we've created several programs to enhance security awareness across various levels of the company, from training new employees in security fundamentals to a bi-monthly meeting of the Security Steering Committee to discuss the security roadmap, drive improvements, and address concerns.

Over the past few months, we've continued to develop our new data centers. At the same time, we've invested heavily in our security architecture, including enhanced intrusion detection capabilities, enhanced layer 7 firewalls (providing deeper stateful inspection), and enhanced traffic scrubbing capabilities, allowing us to more quickly mitigate DDoS attacks.

Process is the glue enabling the repeatable and expected use of technology by people. Security processes allow for more consistent and reliable controls, ultimately providing a greater level of data protection. In March, we performed a full security audit of our product and infrastructure. Over the last few months we've developed and enhanced our many security processes, such as quarterly third-party security audits and a Responsible Disclosure Policy, giving researchers an avenue to safely test and notify us of vulnerabilities.

We've dedicated the past few months to a product “security timeout” to bolster the security features in our product. While we have already launched a number of features to help you better secure your Zendesk environment, in the coming months, you will see many more. Stay tuned for more details this summer.

Like in chess, where it is important to not rely on one approach to be successful, an effective security program employs multiple layers. At Zendesk we take security seriously and will continue to grow, develop, and adapt our program to identify and address the latest threats. Likewise, we will continue to listen to your feedback to ensure that our product’s features are meeting your business and security needs.

Ryan joined Zendesk in April as vice president of security. He's spent more than a decade working in the security field, most recently as the information security officer and head of IT at Engine Yard and previously at eBay and PwC.

Read more about Zendesk security