A couple of weeks ago, we started talking about a new initiative at GraceRock: the building of GraceBlocks. We shared that GraceBlocks will be a system for building amazing software, block by block. Last week, we introduced the 10 pillars for a good system of record. In this week’s post, we explore pillar #1, Security: users can store their data and trust that it is safe. Here’s what that means for GraceBlocks.
First, let’s talk about the data that needs to be securely stored. If the data does not matter, then there’s nothing to secure in the first place. Ensuring that users can easily prescribe and then store the data they want is core to this pillar. It’s also part of our secret sauce, so further elaboration on that topic is for another day. Right now we’ll unpack what it means to securely store data, a requirement that evolves as the audience scales:
Single user: Increasingly, users are becoming skeptical of technology and data privacy. Kara Swisher, a well-known technology reporter, has been at the forefront of putting this into our collective conscience. Her recent New York Times article Be Paranoid about Privacy is a good summary of where we are on this topic. If users are to adopt GraceBlocks, we need to ensure that folks can trust that their data is safe and that they retain ownership and control of it. In addition, conventional secure methods for access need to be supported, such as strong passwords, sign-on through existing validated accounts, and/or two-factor authentication. We also need to confirm that the user is, well, an actual user and not a bot, which means connecting them with a validated device that can be tracked.
Small and midsize business: If the customer is a business, they will also want assurance that their employees, who use the software on the business’s behalf, are working in a secure environment that still leaves the business in ownership of its data. Personally identifying information also needs the right data masking and encryption at rest, so the business doesn’t have to worry about accidentally compromising the data it stores.
Large enterprise: Any company that has sold enterprise systems to large organizations has to pass information security audits proving that it has core policies and standards in place to ensure proper data security across the company, both in terms of data storage and in the procedures employees must follow to confirm that data is managed securely. These processes have evolved and only gotten more stringent over the two decades we have spent selling HR systems to large enterprises. They can involve regularly passing penetration tests performed by third parties. They can also involve video surveillance, background checks, and possibly security clearance requirements for the personnel managing the data on the company’s behalf. While the emergence of the public cloud may have eliminated the need for a “visit to the data center” by the prospective client, it has not eliminated the potential for a multi-day visit by a company auditor and a book of requirements the business might need to support to pass a large employer’s or government entity’s security audit. This stuff is no small order, and the larger the enterprise, the more stringent the hurdles become. But information security controls and procedures are a core threshold one must pass to sell software to large organizations, which might range from 5K to 100K or even 1MM employees.
Finally, when it comes to personal information data storage and ownership, mechanisms for record deletion on request are required given the rise in regulations such as GDPR and California’s new Consumer Privacy Act, which begins being enforced in July this year. These laws give new meaning to what is involved in capturing someone’s information, disclosing access, and giving a person the right to request removal of their personal information.
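The two requirements named above, encryption at rest with masking for personally identifying information (the small and midsize business case) and record deletion on request (the GDPR and CCPA case), can be satisfied by one design: encrypt each record under its own data key, show only a masked form on screen, and honour a deletion request by destroying that key, so the ciphertext becomes unrecoverable even where backups still hold the bytes. The following is an added illustration written for this post, not GraceBlocks’ own code or architecture; the in-memory store, the per-record 256-bit AES-GCM keys, and the sample value are all assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Store keeps encrypted records separately from their per-record data keys.
// Ciphertext layout: nonce || AES-GCM ciphertext || tag.
// Destroying a record's key ("crypto-shredding") makes the ciphertext
// unrecoverable, which is how deletion on request is honoured.
type Store struct {
	records map[string][]byte // id -> ciphertext (hypothetical in-memory store)
	keys    map[string][]byte // id -> 256-bit data key
}

func NewStore() *Store {
	return &Store{records: map[string][]byte{}, keys: map[string][]byte{}}
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Put encrypts pii under a fresh key dedicated to this record.
func (s *Store) Put(id, pii string) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	// The record id is authenticated as additional data, so a ciphertext
	// cannot be silently moved from one record to another.
	s.records[id] = gcm.Seal(nonce, nonce, []byte(pii), []byte(id))
	s.keys[id] = key
	return nil
}

// Get decrypts a record; it fails once the record's key has been destroyed.
func (s *Store) Get(id string) (string, error) {
	ct, ok := s.records[id]
	if !ok {
		return "", errors.New("no such record")
	}
	key, ok := s.keys[id]
	if !ok {
		return "", errors.New("record key destroyed: data is unrecoverable")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	n := gcm.NonceSize()
	if len(ct) < n {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, ct[:n], ct[n:], []byte(id))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Forget honours a deletion request: zero and drop the key, then drop the record.
func (s *Store) Forget(id string) {
	if key, ok := s.keys[id]; ok {
		for i := range key {
			key[i] = 0
		}
		delete(s.keys, id)
	}
	delete(s.records, id)
}

// Mask returns a display form that reveals only the last four characters.
func Mask(value string) string {
	if len(value) <= 4 {
		return strings.Repeat("*", len(value))
	}
	return strings.Repeat("*", len(value)-4) + value[len(value)-4:]
}

func main() {
	s := NewStore()
	_ = s.Put("user-42", "123-45-6789") // constructed sample value, not real data
	pt, _ := s.Get("user-42")
	fmt.Println("on screen:", Mask(pt))
	s.Forget("user-42")
	_, err := s.Get("user-42")
	fmt.Println("after deletion request:", err)
}
```

In a real deployment the data keys would themselves be wrapped by a key in a managed key service rather than held beside the records, and the audit log would record the deletion request and the key destruction, which is the evidence an auditor in the large-enterprise case will ask for.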
All of these elements come into play as we identify requirements for security at GraceBlocks. Again, the process will be iterative and one step at a time. We will focus on the user’s needs first and grow from there. Next week, we’ll move past security and begin the discussion on the next pillar: ease. In the meantime, if there’s something core to security you think we’ve missed, please let us know; we’re all ears!