When I’m building business platforms, security is a considerable issue.  Security is definitely one of the technology issues that can get extremely expensive, timing consuming and complicated.  Like so many business decisions, security solution are investments that need to be within the maturity context of the information that you are securing and the resources that you have available.  Two years ago, I started a new business, Linkable Networks, and our technology platform, MyLinkables, integrates into several points along the financial transaction rails as we are providing users with the ability to link purchase discounts to the credit cards that they already have in the wallet today.  Our initial integration strategy was to avoid collecting any credit card information, instead we used a fairly common technique called “tokenization”; simply put, our partner collects authentication details from the users and issues randomly generated, unique identifiers to us that we use to anonymously exchange details without ever collecting, transmitting or storing actual credit card information on our infrastructure.  It worked surprisingly well, given the messy data issues and numerous edge cases in this complicated scenario.  Wearing our favorite start-up hats, we were up and running within 3 months of writing our first lines of real code.

We deployed using some of the typical secure practices that you would expect in a 3 month start-up – we used Amazon Web Service’s security groups, we changed a few default passwords, we closed down ports, we password protected our interfaces and services.  We definitely took protecting user information seriously and we definitely wanted to avoid security problems; we also didn’t have very interesting information and we were favoring speed in our new business.  As our business matured, we grew our platform and eventually made an important decision to build out a more mature security program for a few reasons.  We wanted to more securely protect information, we wanted to signal that we really did take security seriously and we wanted to accelerate the security portion of our business discussions with partners and customers by providing audited third-party reports of compliance.  It was a big decision and a serious investment – lots of money, tons of time to get into place and ongoing drag.

I called it a security “program” because it is in no way a project that you complete – unfortunately for the nibble minded start-up inclined.  There are many standards and best practices available – there are entire industries formed around writing standards, providing services, auditing and issuing certifications.  We decided to pursue PCI Level-1 certification since many of our partners are familiar with these standards and our business is centered around credit cards.  We learned quite a bit about securing a cloud based platform that is PCI compliant, including a number of gotchas that tripped up security experts, consultant and auditors.  In the next few posts, I’ll describe some of the things that we learned and some of the challenges of this security program, as it relates to certifying a cloud based architecture.