As we progress to an integrated digital world where data is the red blood cells of our economic, institutional and lifestyle circulatory systems, the impact of cyberattacks is magnified. The risk ranges from very capable teenagers demonstrating their cleverness to advanced nation states using almost unlimited resources to “acquire” intellectual property. Leading cybersecurity threat research firms continue to report that critical attacks are increasing every year, as is the number of successful breaches. Even large tech companies are among those notably breached. The research also reveals that there are millions of records of personal data on the Dark Web. Those records, containing names, phone numbers, Social Security and National Insurance numbers, credit card numbers, and addresses, can be purchased for less than a McDonald's Big Mac.

If “millions” of records on the Dark Web sounds like marketing hyperbole, data from the 2022 Cyber Threat Report published by SonicWall provides sobering news, highlighting the growing breadth of techniques being used to capture all of those records:

[Image: Cyberattacks_blog_chart.png]

It is a good illustration that the potential for risk only grows from here.

Given this increasing potential for risk, business assurance is needed more than ever. Protecting customers’ data and intellectual property is a fundamental part of how 8x8 develops and delivers its cloud-based communications services. As a way to introduce the scope of the challenge and the rigour 8x8 applies to security and privacy, this post provides an overview of nine key components of its security and compliance program:

  1. Dedicated Team
  2. Third-Party Validation
  3. 24x7x365 Scanning and Monitoring
  4. Data Encryption
  5. Pen Testing
  6. Shifting Left in the Attack Chain
  7. Empowered Organisational Design
  8. Proactive Participation in Policy Development
  9. Global Reach from Global Development

1. Dedicated Team

It starts with a dedicated team that includes experts with 100+ years of combined security and compliance experience from WhiteHat Security, Apple, and Facebook, who are focused on security management, technical investigation, guiding industry policy, and securing third-party certification and validation to provide the highest level of protection for your data.

2. Third-Party Validation

One way 8x8 works to continuously earn your trust is by conforming to the leading security frameworks and standards, verified through third-party validation and certification rather than just 8x8 Marketing making claims on datasheets. 8x8 focuses on ten certifications and standards, starting with NIST 800-53, the gold standard for security controls.

[Image: Security_Logos_for_Blog.png]

This broad set of certifications and third-party validations demonstrates the investments 8x8 continues to make in ensuring the highest levels of industry security and privacy are met.

Additionally, to remain compliant, 8x8 conducts annual audits, including of its SOC 2 compliant data centres, to ensure continued adherence to the latest standards.

3. 24x7x365 Scanning and Monitoring

Given the increasing frequency and sophistication of cyberattacks, the 8x8 network and security operations centre actively scans and monitors for potential threats 24x7x365 to maintain 8x8’s world-class resiliency posture. If anomalous behaviour or an incident is detected, it is investigated using precise and practised procedures. If the investigation reveals a critical or material issue, 8x8’s closed-loop security management system is designed to protect customer data. The approach and framework 8x8 uses also line up with the requirements of many of the industry certifications that 8x8 has received.

4. Data Encryption

For data in transit and at rest, 8x8 uses the strongest commercial encryption capabilities available, including AES-256 and encryption types that are compatible with the Federal Information Processing Standards (FIPS).

5. Pen Testing

To identify new vulnerabilities in the 8x8 environment, we are constantly tested from the outside through continuous pen testing conducted by leading pen testers. For example, 8x8 works with Bishop Fox, who are renowned not just for their testing but also for their incident response and detection capabilities and skills, to conduct both static and dynamic code testing.

Additionally, 8x8 works with HackerOne, a leading threat research firm whose researchers try to break into and penetrate the system 24 hours a day, 365 days a year. When one of those researchers identifies a potential vulnerability, they use an established procedure to notify 8x8. After confirming the vulnerability and assessing its severity level, 8x8 pays a bounty.

6. Shifting Left in the Attack Chain

Securing 8x8 products begins at the point of initial design. 8x8 starts development by architecting for security, data regulation, and privacy. This approach is based on a philosophy in the security realm that recommends practitioners “shift left” (not politically, but earlier in the process) and get closer to the developers and to legal as a way to move from reactive to proactive. As 8x8 develops products, source code scanning and testing are done in conjunction with our developers to ensure the platform is as secure as possible. The entire platform is scanned for known vulnerabilities, and should one be found, the security team sets target remediation expectations for engineering and operations to mitigate it. If a critical vulnerability is detected, its remediation is prioritised ahead of other work and response times are closely monitored. If remediation times exceed the target, the issue is reviewed by a steering committee for corrective action.

7. Empowered Organisational Design

The goal is to keep the product aligned with the direction of the regulatory environment at every step of the planning and development cycle. By incorporating this insight from the start, security becomes a standard chromosome in the organisation's DNA. The right organisational design makes it possible to include security at each step of the development process. For example, at 8x8 the Chief Information Security Officer (CISO) reports to the Chief Legal Officer. This structure is very intentional and ensures a clear separation of duties, so that security decisions and investments are not constrained by product priorities but incorporated into them. In this structure, conflicts are raised to the C-suite rather than swept aside by a single functional area leader making the final decision without peer review. Government cybersecurity requirements are thus effectively integrated into corporate governance, enhancing both compliance and security.

Another major program focus area empowered by organisational design is security and privacy training. The 8x8 Data Privacy Officer is part of the legal team, and from that position they can ensure a constant emphasis on privacy topics. As none of us humans are infallible, the 8x8 DSO is able to deploy a rigorous education program that includes ongoing cybersecurity best practice training and quarterly phishing training, to ensure everyone in the organisation is both cautious and vigilant about security.

8. Proactive Participation in Policy Development

The final important area is active participation in committees and advisory boards that shape regulatory policy, to ensure there is never a gap between 8x8 practices and regulatory requirements.

9. Global Reach from Global Development

8x8’s global reach uses 35 geographic locations/regions to enhance reliability and quality of service, while also supporting local data residency requirements. Crucially, as 8x8 continues to expand its global footprint, security is designed into each new location to maintain our security posture.

This mindset is core to our developers, who are located in R&D centres in Romania, India, Singapore, the UK, and the US.

In terms of data residency, there are exceptions driven by technical practicalities. For example, when talking to your daughter at school in Australia, your voice data must go to Australia; there is no way around that technical requirement. Additionally, in the case of a major network disruption, data may be routed through Amsterdam or the US in order to deliver a seamless experience for our customers. But no matter where the data is travelling through or residing, it is always encrypted using TLS 1.2.

Security is an endless journey

As “software eats the world”, more devices are connected to the internet, and everything becomes a service, the complexity of maintaining a secure environment continues to grow. 8x8’s security programme provides a strong foundation for keeping your data safe today, while also ensuring our team, business processes, and security monitoring are on a journey of continuous improvement.