Security is the most important part of any technology and often does not get enough attention, causing catastrophic damage to your business, platform or client data. With the availability of public cloud platforms and free or discounted products in recent years, the problem has exploded. As a business, it requires a deeper commitment to actively understand, monitor and address the related concerns, from legal aspects to delivery goals.
Building a scalable, secure and optimal technology platform requires working on security concerns at different levels of the solution ecosystem. Depending on the choice of your implementation, the responsibilities vary and should be addressed accordingly.
Source: Microsoft – Digital Transformation in the Cloud (page 46)
Botsplash is a “Software as a Service” provider for multi-channel chat engagement. We manage, monitor and maintain most of these responsibilities as part of our platform ecosystem, so as to minimize the security risk, overhead and concerns of our clients.
Our approach to actively mitigate the security concerns
As we worked through building Botsplash, we implemented numerous security measures, but the following 4 security audits are crucial to attend to and address.
By no means are these 4 audit items comprehensive, but they are a great start and reduce your attack surface significantly:
Incorrectly configured data storage solutions are the primary reason for large-scale personally identifiable information leaks in recent years. This includes:
From the onset, AWS S3 and other cloud storage options may appear easy to use and configure. In reality, they are complex, with hundreds of operations, functions and permissions. This results in many accidentally misconfigured S3 buckets that inadvertently expose sensitive documents to the public.
Fortunately, AWS has now rolled out a security feature that restricts accidental exposure of documents at the S3 bucket and account level.
Source: AWS Public account settings
We strongly recommend that every AWS account set this restriction at the account level. This is sometimes not possible because some documents need to be publicly accessible; in that case, use a separate account or a different form of storage for them, and add long-term security to your main account.
The free AWS Trusted Advisor is one reliable way to measure the S3 exposure of your AWS accounts.
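To make the S3 audit concrete, the following added example (not Botsplash's code) evaluates a bucket policy and ACL offline, the way Trusted Advisor or a bucket inventory script would, and shows how the account-level restriction (the S3 Block Public Access settings, whose four keys are the ones the S3 API uses) neutralises public grants. The policy and ACL documents are constructed samples in the shape returned by GetBucketPolicy and GetBucketAcl; the exposure rule in `bucket_is_exposed` is a simplification of the Block Public Access semantics, not an AWS reference implementation.

```python
"""Offline audit of S3 bucket policy and ACL documents for public exposure.

Added example, not Botsplash code. All documents below are constructed samples.
"""
import json

# Pre-defined group URIs that mean "anyone" (AllUsers) or "any AWS account"
# (AuthenticatedUsers) when they appear as an ACL grantee.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# The account-level restriction recommended in the post, expressed with the
# four Block Public Access keys. All four True means public ACLs are ignored
# and public bucket policies are blocked/restricted.
BLOCK_ALL_PUBLIC_ACCESS = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}

# Constructed sample: one world-readable statement and one scoped to a role.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "OwnerWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/uploader"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

# Constructed sample ACL: owner has full control, but AllUsers was granted READ.
SAMPLE_ACL = {
    "Owner": {"ID": "example-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}


def _principal_is_public(principal):
    """True if a statement's Principal matches anyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_statements(policy_json):
    """Return the Sid (or index) of every Allow statement open to the world.

    Statements with a Condition are reported too: a condition such as
    aws:SourceVpc may narrow them, but that needs human review, so the audit
    errs on the side of flagging.
    """
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written bare
        statements = [statements]
    flagged = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") == "Allow" and _principal_is_public(stmt.get("Principal")):
            flagged.append(stmt.get("Sid", f"statement[{i}]"))
    return flagged


def public_acl_grants(acl):
    """Return (group name, permission) for every grant to a public group."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            found.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return found


def bucket_is_exposed(policy_json, acl, public_access_block):
    """Simplified exposure rule (assumption, not the exact AWS evaluation):
    a public policy counts unless RestrictPublicBuckets is on, and a public
    ACL counts unless IgnorePublicAcls is on."""
    pab = public_access_block or {}
    policy_open = bool(public_statements(policy_json)) and not pab.get("RestrictPublicBuckets", False)
    acl_open = bool(public_acl_grants(acl)) and not pab.get("IgnorePublicAcls", False)
    return policy_open or acl_open


if __name__ == "__main__":
    print("public statements:", public_statements(SAMPLE_POLICY))
    print("public ACL grants:", public_acl_grants(SAMPLE_ACL))
    print("exposed without block:", bucket_is_exposed(SAMPLE_POLICY, SAMPLE_ACL, {}))
    print("exposed with block:", bucket_is_exposed(SAMPLE_POLICY, SAMPLE_ACL, BLOCK_ALL_PUBLIC_ACCESS))
```

Run it as-is to see the sample bucket flagged on both its policy and its ACL, and then cleared once the account-level block is applied; to audit real buckets, feed it the JSON returned by the GetBucketPolicy and GetBucketAcl calls of your AWS SDK.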
You might have heard the now famous quote,
If you are not paying for it, then you are the product.
And some “Software as a Service” and “Data” companies take it a step further: “You pay for the product, and we will sell (or collaborate on) your data and your customers’ data with resellers to make better profits”.
Read the fine print of the terms and conditions for every chat app, analytics pixel or 3rd-party app to learn how the data will be used or shared with their partners and resellers.
When in doubt, escalate it to the chat app or pixel account manager and get it in writing that your data and your customers’ data are secure and not sold. Failing to do so can cause great damage to your business, as your website traffic and/or customer data could be shared with your competition.
In addition, 3rd-party applications such as chat apps, calendars and forms should run in their own container (IFRAME) so that their vulnerabilities are not accidentally exposed to your site.
At Botsplash, we provide a simple and transparent contract with data usage and purge policies. We do not share or resell data to 3rd parties. Our chat application runs in a separate IFRAME with restricted network access for security reasons. Very few software providers can claim such practices!
Also, we recommend hosting your own websites to maintain full control of your application and metrics across cloud providers. It is much easier to do now than ever; here are a few places to get started: Docker containers, Jekyll themes (used by Botsplash), WordPress and a large number of other choices. Exposing your business to 3rd-party platforms could result in being “Amazoned” by the platform itself or becoming unsustainable.
The public website and its supporting web applications, APIs and mobile applications are the face of an organization and its technology solutions. They should be well secured, as they are the easiest for an attacker to access and investigate.
Start with these steps:
Source: Keycdn HTTP Headers snapshot
At Botsplash, we regularly measure and monitor our web exposure. We are also strong proponents of Web Application Firewalls such as Cloudflare, for securing our applications and for being a great partner.
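The following added example (my code, not Botsplash's and not the Keycdn tool's) shows the kind of check a security-header scanner performs on a web application's responses, so the measurement above can be scripted and repeated. The weak and hardened header sets are constructed samples; the one-year HSTS threshold and the list of checks are my choices, and the `frame-src` directive in the hardened policy is how the page's earlier advice to confine 3rd-party widgets to an IFRAME is enforced on the browser side.

```python
"""Audit an HTTP response's security headers (added example, not Botsplash code)."""
import re

ONE_YEAR = 31536000  # seconds; threshold for Strict-Transport-Security max-age

# Constructed sample: headers from a weakly configured origin.
WEAK_HEADERS = {
    "Server": "nginx/1.14.0",
    "X-Powered-By": "Express",
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
}

# Constructed sample: the same origin after hardening. frame-src limits which
# 3rd-party widgets may be embedded; frame-ancestors stops the site being framed.
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": ("default-src 'self'; script-src 'self'; "
                                "frame-src https://chat.example.invalid; "
                                "frame-ancestors 'none'"),
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}


def _get(headers, name):
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_csp(csp):
    """'default-src a; script-src b c' -> {'default-src': ['a'], 'script-src': ['b', 'c']}"""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    hsts = _get(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        match = re.search(r"max-age=(\d+)", hsts)
        if match is None or int(match.group(1)) < ONE_YEAR:
            findings.append("Strict-Transport-Security max-age below one year")

    csp = _get(headers, "Content-Security-Policy")
    directives = parse_csp(csp) if csp else {}
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        # script-src falls back to default-src when absent
        scripts = directives.get("script-src", directives.get("default-src", []))
        if "'unsafe-inline'" in scripts or "*" in scripts:
            findings.append("Content-Security-Policy permits inline or wildcard scripts")

    xfo = (_get(headers, "X-Frame-Options") or "").upper()
    if "frame-ancestors" not in directives and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("no clickjacking protection (frame-ancestors or X-Frame-Options)")

    if (_get(headers, "X-Content-Type-Options") or "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")

    if _get(headers, "Referrer-Policy") is None:
        findings.append("missing Referrer-Policy")

    # Version banners help an attacker pick exploits; they have no business value.
    for name in ("Server", "X-Powered-By"):
        if _get(headers, name) is not None:
            findings.append(f"{name} header discloses software version or stack")

    return findings


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_headers(hdrs) or "OK")
```

In practice you would fill the dictionary from the response of an HTTP client (for example `dict(response.headers)` with the `requests` library) and fail the deployment pipeline when `audit_headers` returns anything.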
In a targeted attack, where an attacker knows about you or your organization or has illegitimately gained access to the secrets, the potential hazard is attackers stealing customer or business data and, in some cases, your losing access to your infrastructure.
Security vulnerabilities come in many shapes and forms. Due to the rapid delivery of applications and 3rd-party solutions, applications are more vulnerable than ever. Cultivating security best practices in your teams and organization is important, and we recommend the approach of “Production Infrastructure” monitoring and “Release Process methodology” code reviews as part of the sprint process.
We have also laid out 4 audits you must do today to secure your application and business interests. For businesses that need extra protection, there are many security companies (one next door to us, Gotham Digital Science) that can help with auditing and process.
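One release-process control that directly addresses the secrets risk above is a secret scan run in code review or as a pre-commit hook. The following added example (my code, not Botsplash's) flags AWS access key IDs by their fixed prefix and catches other credentials assigned in source by their entropy. The sample lines are constructed; the key and secret values are the placeholder examples from the AWS documentation, and the 3.5-bit entropy threshold is my choice.

```python
"""Scan source lines for hard-coded credentials (added example, not Botsplash code)."""
import math
import re

# AWS access key IDs have a fixed prefix (AKIA long-term, ASIA temporary) and
# 16 upper-case alphanumerics, so they can be matched exactly.
KEY_ID_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")

# Assignments like  secret = "..."  /  API_KEY: '...'  whose value is 16+ chars.
ASSIGN_RE = re.compile(
    r"(?i)(secret|password|passwd|token|key)\w*\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
)

ENTROPY_THRESHOLD = 3.5  # bits per character; random keys score well above this

# Constructed sample file. Lines 1-2 use the AWS documentation example values.
SAMPLE_LINES = [
    "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'",
    "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'",
    "DEBUG = True",
    "API_KEY = 'REPLACE_ME_REPLACE_ME'",  # low-entropy placeholder, not flagged
]


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for a single repeated char)."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    length = len(text)
    return -sum((n / length) * math.log2(n / length) for n in counts.values())


def scan_lines(lines, threshold=ENTROPY_THRESHOLD):
    """Return (line number, finding kind) for each suspicious line.

    A line gets at most one finding, the most specific one.
    """
    findings = []
    for number, line in enumerate(lines, start=1):
        if KEY_ID_RE.search(line):
            findings.append((number, "aws-access-key-id"))
            continue
        match = ASSIGN_RE.search(line)
        if match and shannon_entropy(match.group(2)) >= threshold:
            findings.append((number, "high-entropy-secret"))
    return findings


if __name__ == "__main__":
    for number, kind in scan_lines(SAMPLE_LINES):
        print(f"line {number}: {kind}")
```

Wire `scan_lines` to the changed files of a commit and reject the commit when it returns anything; the entropy heuristic intentionally misses dictionary-word placeholders, so pair it with a deny-list of known weak defaults if those matter to you.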
If you have feedback or suggestions for alternate approaches, leave a comment below.
Do you want to read more of Botsplash team contributions? Check out articles here.
For more articles on Live Chat, Automated Bots, SMS Messaging and Conversational Voice solutions, explore our blog.
Botsplash is innovative digital messaging software with the ability to connect agents and customers across any digital platform. In order to win and keep a customer’s business, businesses must be able to connect with customers in a meaningful way using websites, social media, text and email. Botsplash helps businesses adopt a digital strategy with the right balance of live chat and automation.