Security is a never-ending journey. What works today may not work tomorrow. It's an ever-evolving process and at no point can we say, “Job done. Security project finished.” We must continuously observe and act both proactively and reactively, while balancing risk versus probability.
Refining Security FrameworksSilverchair is a technology-first company. Many companies and institutions see the technical operations team or the security team as a cost sink. Leadership at Silverchair, however, is fully aware of how vital security and operations work is to the continued success of the company.
Despite already having a well-established security program, we feel that adapting to more formal security standards gives us better insight and understanding into the landscape, enabling us to further strengthen our security posture.
Those standards include:
- HECVAT - Higher Education Community Vendor Assessment Toolkit. Many of our clients work within or very close to academia and interact with higher education institutions or are higher education institutions themselves. HECVATs gives those in those higher education institutions and their security teams a standard against which to measure cloud service providers. It also allows universities’ and institutions’ security teams to have an assurance that Silverchair is taking steps to ensure that their information and their privacy is safe and secure.
- PCI DSS - Payment Card Industry Data Security Standard. At Silverchair, we do not process, store, or transmit credit card information. We act as a gateway switch, meaning that we will wholly redirect payment traffic to approved third-party vendors such as PayPal, Stripe, or whatever secure payment gateway solution our clients use. Then, the credit card transactions happen with those approved third parties, and we get a token back that says, “X user has successfully purchased X content. Please serve it to them.” But since security is a very important part of this transaction, we do hold a third-party certified attestation of compliance within PCI DSS.
- ISO 27001 Security Framework Standard. ISO is the International Organization of Standardization. The 27001 framework involves an Information Security Management System or ISMS. This is a holistic security management system designed to provide guidance for implementing, maintaining, and continuously improving that system. We've not only invested capital into this project, we’ve onboarded additional security personnel to tackle this major project. Currently, we're in the middle of an internal self-audit against this standard, we aim to begin a third-party audit by the end of the year in order to obtain our certification. This is going to touch every aspect of the business, from developers to our people ops program and everything in between. It’s a big effort, but we're excited to get there.
Automated Traffic ControlsRobots (or “bots”) is an industry term for an automated computer system that requests and stores what is publicly available on the internet. Most research suggests that 40%-47% of all internet traffic in the world are bots. Some are good: Google-bot, Bing-bot, and Apple-bot consume publicly available website information in order to index it to feed their search engines, so that when an end user searches for something, your website is brought up and these engines direct that user to your content.
Some bots are not so good, and they scrape this publicly available data for their own ends. The problem has always been keeping that balance between letting all the humans and good bots in and keeping those unwanted bots out. For that, we have a multilayered approach on how we combat unwanted bots. The first one is our anti-bot solution which first looks at the behavior of traffic coming into our systems.
For example, did you go to the home page first or did you go directly to an article? And if you went directly to an article first, do you have a referrer header? Did you come from Google or did you just go straight to our site? If you are suspected of being an unwanted bot, we'll send the requesting system a computational operation that must be solved before serving content. Another aspect of our bot protection system is analysis of the source of the request. We maintain lists of known anonymous proxies and data centers and give extra scrutiny to requests from those sources.
Finally, we are utilizing machine learning to combat abuse and perform anomaly monitoring. We have machine learning that's looking at our traffic at both the client level and as a whole that will detect and alert the on call team to statistically significant changes in traffic levels as compared to past norms.
Device and Network SecurityAnother aspect of security is device and network security. We have engaged an industry-leading End Point Detection and Response (EDR) provider to deliver a highly adaptable security solution that gives us peace of mind because it is monitored 24/7 by some of the best security engineers in the business. Their combination of a large market share and AI-driven threat hunting means that if some of their clients are getting attacked by a new bad actor or malware that they've not seen before, they can take that learning and apply it to the rest of their client base. This helps them proactively look for and prevent new attack vectors.
Privacy ComplianceFinally, privacy compliance, which refers to the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other comparable policies. GDPR is a set of personal data protection and privacy laws enacted by the European Union and is one of the best (read most stringent) in the world. Silverchair has baked in this standard into our platform so that both our EU and non-EU clients benefit from this peace of mind.
When people think about a platform, they often first conjure pictures of a front-end site with flashy widgets and sleek branding. But the behind-the-scenes efforts like security, privacy, performance, and other aspects are absolutely critical to delivering value for our clients. Our goal is to protect your users' privacy and security both proactively and effectively, so you don’t have to.
Read more about the Silverchair Platform's features & functionality here.