Building a Fort: The OutSystems Sentry Security Compliance Process
Back in mid-2016, information security and cybersecurity were becoming one of the major concerns for companies looking to adopt cloud services. This mattered even more as companies turned to cloud services to remove traditional software development constraints, which made security much more than a nice-to-have for application development.
Being a market leader, OutSystems took this requirement seriously and acted, creating Sentry, our “unbreakable fort.” However, building a fort wasn’t an easy task, especially because Sentry is more than a product; it’s a service.
The thing is, nowadays, there is no one-size-fits-all solution for security. Threats change over time, so a single design-and-build effort is not enough. A continuous management mindset is needed throughout the entire software development lifecycle, and it has to extend into operations, where monitoring and incident handling feed improvements back into the product.
The OutSystems approach to the Sentry product offering took all of those aspects into consideration and built a product and service with security, and the certification to prove it, as a foundation.
The Needed Foundation
Based on our technological and process requirements for Sentry, certification was key from the very beginning. The reference we chose for product and service security requirements was the SOC 2 report, an attestation framework for service organizations with worldwide, cross-industry recognition. This was clearly where we wanted to be, so we started working toward SOC 2 compliance with an external audit in 2016 as the first target.
To meet the requirements of the SOC 2 trust service principle (TSP) for availability, OutSystems used the ISO 22301 standard as the reference for its business continuity management system. To complement the OutSystems organizational structures and processes that promote a security mindset, OutSystems also used the ISO 27001 standard as the reference for the continuous improvement of its information security management system.
Our first priority was meeting the requirements of the security TSP in a SOC 2 Type I audit in November 2016, and we were found compliant. A Type I report evaluates whether controls are suitably designed at a point in time; a Type II report also evaluates whether they operated effectively over a review period. Six months later, we had a SOC 2 Type II audit and were found compliant for confidentiality, processing integrity, and availability.
Our first compliance process for Sentry concluded with the SOC 2 privacy TSP, which was evaluated during our yearly renewal of the SOC 2 Type II report and addressed the GDPR requirements that became enforceable in May 2018.
We now have a fully SOC 2-compliant strategy. This meaningful milestone puts OutSystems at the forefront of security in cloud-based app development.
Building a Security Operations Center
A good strategy for security is much more than certifications and tools. Therefore, while OutSystems was developing Sentry, we were also building a new Security Operations Center.
In this facility, the Computer Security Incident Response Team (CSIRT) continuously monitors and manages Sentry. It is here that Sentry comes to life. Thanks to our Security Operations Center, we have 24x7 monitoring of our platform and customer applications, along with ongoing analysis of security information and suspicious events.
Moreover, advanced threat detection gives our security team immediate intelligence about potential malicious activity or vulnerabilities, so we are able to anticipate threats that could impact our customers. We can analyze attack trends, stay up to date on regional threats through our connections with the global threat intelligence community, and keep an eye on abnormal uses of the OutSystems platform.
This facility was launched on March 1, 2018, to be ready for the Sentry Early Adoption Program and has been working at full capacity since then.
Choosing the Right Allies
Now that we had a service and a product, we needed to go even further to protect those who trust us. So, as part of our security strategy, OutSystems partnered with external cloud and security organizations.
OutSystems became a member of the Cloud Security Alliance (CSA) and published its self-assessment questionnaire on the CSA website. Because the questionnaire maps each answer to the controls of the CSA Cloud Controls Matrix, our customers can see how the controls are implemented and their maturity level. Also, as members of the alliance, we can share our experience and learn from that of others, and we have the opportunity to participate in different working groups that develop guidance on adopting best practices.
The OutSystems CSIRT is also a member of the global organization FIRST.ORG (Forum of Incident Response and Security Teams). As part of this organization, OutSystems can share information about security incidents with other CSIRTs, increasing the speed of incident response and the reliability of the services to customers.
When One Door Closes, Another One Opens
Building a solution like Sentry is just the start of a continuous process aimed at providing the safest environment for our customers: an environment where they can develop mission-critical applications on a foundation whose security is continuously monitored and independently audited.
This is what Sentry really is. It’s a combination of product, service, and compliance that underscores our commitment to security and building trust with our customers.