Securing Your Contingent Workers With Zero Trust

Business Process Outsourcing (BPO) is when you hire a group of contractors from a single company to complete long-term work for you. This is typically something like customer support, where you want to outsource first-line tech support to a cheaper region or get more coverage in a timezone where you don’t have an existing presence. The problem is that zero trust architecture requires every employee accessing your critical SaaS applications to come from a managed device....

September 24, 2024 · 11 min · 2200 words · Kane Narraway

Threat Modelling Enterprise AI Search

Enterprise AI search tools are a simple concept. They take in all of the data from all of your productivity tools and give you a single pane of glass to search across your company’s entire corpus. This lets you search across all of the documents, email and chat regardless of what tool they are stored in. The productivity benefits are apparent here because who hasn’t spent half an hour searching for that doc you made three years ago?...

August 13, 2024 · 11 min · 2262 words · Kane Narraway

Building A Security Platform Engineering Team

I’m a big fan of building security into existing processes, a term coined as “secure paved roads” by Jason Chan, Ex-Netflix CISO. The idea behind this is that security should mostly be invisible. The average employee should simply not have to think about high-consequence security domains. They’ll use tools that make their life easier, and that tooling has security built in by default. Yes, they can divert from that paved path, but they’ll generally have a worse experience....

January 16, 2024 · 9 min · 1845 words · 

Improving Your Third-Party Risk Management Program

Background Third-party risk management (TPRM) has its challenges. It is a relatively new area that has been developing rapidly, but many programs face significant issues as their companies grow. TPRM rarely scales linearly with the business or the number of applications in use. There are no easy fixes, but you can make steady improvements. I will share some practices I have used to improve programs over time, which you can take away and adapt to your situation....

February 23, 2023 · 11 min · 2284 words · 

A Beginners Guide to Third-Party Risk Management

Summary In this blog post, I’ll go into the basics of third-party risk management, what the challenges are, and give you an overview of what an average Third-Party Risk Management (TPRM) program looks like. This is designed primarily for people new to the industry up to the mid-level, but there might be a few points valid for seniors with mature programs too. Background In recent years TPRM has become a growing chunk of work for cyber security teams....

February 14, 2023 · 11 min · 2245 words · 

8 Common Zero Trust Misconfigurations

I’ve seen a lot of zero trust setups, from off-the-shelf vendor tools to complex custom-built solutions. I’ve found that many of them share the same problems and below I’ve listed the most common 8 I see. These usually stem from the design phase so the earlier you catch them the better! Admittedly some are those gnarly enterprise security problems which require a culture change and effort shift, especially number 8 as increasing manual workloads is not usually the top priority....

December 6, 2022 · 4 min · 819 words · 

Building a Corporate Security Program From The Ground Up

Introduction I’ve seen a few blog posts lately about building corporate security but they are always… well.. so corporate. They are always viewed through the lens of extreme risk but the reality is that most places are not banks or government agencies. The examples given often lock things down to the point where manual work is required for every request which is unrealistic in most public companies. You can (and should) try to achieve your security goals while impacting your employee experience as little as possible in the process....

November 10, 2022 · 12 min · 2477 words · 

Phishing 2077: Zero Trust Edition

You wake up, alarm blaring. Your AI assistant notifies you there’s been another netrunner attack on the company. You chug down your synthesized meal replacement drink and hurriedly rush out the door, “hopefully the maglev isn’t delayed again” you think to yourself. You scan yourself into the office with facial recognition and check your metrics for security incidents, you realize you’ve gone below your allowed security KPIs this month and hope they don’t dock your pay again....

June 10, 2022 · 9 min · 1884 words · 

What Is Client Platform Engineering?

What is Client Platform Engineering? One of the growing ideas in tech is the idea of a “Client Platform Engineering” (CPE) team. I looked around and to my surprise I couldn’t find much in the way of content for what these teams do. I managed the Client Platform Engineering team at Shopify and worked closely with our team in Atlassian when I was leading the enterprise security team there so I figured I would attempt to demystify the team and what they do....

May 23, 2022 · 8 min · 1529 words · 

How Atlassian Built Zero Trust - Part 1

Background Update: This blog was posted back in 2021 on my previous blog and was based on a 2020 talk I did. In migrating to a new platform I’ve gone through and applied a few updates for 2022 mostly focusing on new features available on the market and upcoming changes such as WebAuthN improvements with passwordless. I spent the last few years building out a Zero Trust architecture as the Head of Corporate Security in Atlassian and I figured it’s time to write a blog going into some of the design decisions we made and how we implemented the changes at enterprise scale....

February 10, 2022 · 16 min · 3305 words ·