Come learn about how Netlify is protecting the worlds biggest brands one composable architecture at a time. In this talk, we will cover:
Mark Dorsi
Thank you all very much for coming today. This has been fantastic all the way through. I'm really excited to come forward and talk to you all about giving a damn about your brand reputation. It really is the most important thing to us. So when I take a look at this, the whole reason for this is so that you all can focus on your customers. That's what today has been about — shrinking down the time between your creatives and the customer. That's what we do here at Netlify, and that's the reason I joined Netlify. It's so powerful in that one way. So I want to dive into that a little bit and explain how you can just focus on your customers because we're here to protect your brand's reputation, which is the most important part for us.
Of course, we've talked about this all day — the move to composable is undeniable. This is where the world is headed, and this is what we're here to do. Netlify is all about that. From a security perspective, before composable, you have multiple teams managing everything, which eventually allows you to get to your customers. There's a lot of complexity involved in that, and it's a big distraction. Having all these teams involved the entire time creates a lot of distractions. You have to coordinate various events just to get content to your customers, which is a big distraction. So many things to manage and so little time. Our security team really thinks about this when we work internally with our engineering teams.
We want you all to be able to "set it and forget it." That's a big term for us. Netlify’s goal is to get your creatives as close to your customers with that content as possible. We bring this organization to you from a security perspective, from a development perspective — everything we bring together emphasizes simplicity.
So, what is composable security? Typically, in the past, when you talk about security, it's about being careful with your internal users, employees, laptops, and such. But composable security in this new world gets back to you, and it's crucial that you understand that. When we talk about security, especially from a Netlify perspective, we look at the entire picture. We not only consider what it means for our internal employees, but also what it looks like for you. Composable security is designed to protect composable businesses. In healthcare, the gold standard is securing PHI and HIPAA compliance. That's what my team thinks about, keeping your data safe and secure.
We want to talk about what it means to be secure by design. That's what my team likes to do. We want to ensure that everything we put out there is secure by design, whether for our employees, your architectures, or the things you want to include. We want it to be secure by design so you can set it and forget it and focus on getting your content to your customers as quickly as possible.
I'd like to bring this slide forward because I want to talk about how you're going to find the time and the people to take care of all the things. I see this from every single one of our customers; they're coming from some sort of monolithic architecture. They have to figure out how to build the source and where it's going to live. There are a lot of applications to bring together, and you need to secure them. Then you have to worry about deploying that pipeline and the security controls in place. You need a CDN, and you're also looking at third-party services. Then there's your customer, but now you have to worry about attackers, not only against your CDN but against your customers. How are you all going to protect against that? We talk about bot networks and Bitcoin mining; it's a crazy set of things. Then we have this whole world of AI that shows up. We don't even know what's coming next, but we know that people can copy and paste in an idea and all of a sudden they're hacking against you in a brand new way and an easier way than you never thought of before. That's really where Netlify comes in to say those things are all distractions, and they're keeping you from getting your content to your customer. With Netlify, you don't have to worry about those things. We put in guardrails, not gates; many things go on behind the scenes, and we take care of it automatically for you.
What does that mean, secure by design? Right out of the gate, when you think about your GitHub instance and what goes on there, we have read-only access to that. We have well-scoped GitHub access as well, so we're only getting the tiniest bit of what you provide to us. We don't need all the access in the world. We have fantastic control points and integrations. From a build process perspective, we're the ones there; we put in all the sandboxing required so you don't have to worry about somebody breaking into your environment or doing something to that effect. We keep your keys secure by default as well. When we deploy, we ensure the cache, so there's no cache poisoning. The integrity of the thing you want to get out there is what goes out there and makes it to our CDN. We have all the protections in place to ensure that the CDN is secure. Your customers are going to access your content, and it's available. From an attacker's perspective, we see attacks all the time and proactively knock them down using things like IP hammers and IP firewalls. Bitcoin mining is something we make sure doesn't happen, and you don't see the cost of that. For all those next-generation attacks, we manage the infrastructure. You've offloaded all of those responsibilities to us in the composable world so you can focus on your customer.
Let's talk about compliance by design. We are in NIST 853, we've got SOC 2 Type 2, ISO 27001, PCI DSS, GDPR compliance, and more. Rachel Tobin, our Head of Legal, spent a ton of time to ensure that not only are all these things in place, but also that all of these things are compliant by design. Each one of the different services that we bring together has all of this built in for you already, that is security and compliance in a composable world.
Alluding back to Ryan at RVO Health and getting the sneak peek going into 2024, a lot of these things that you saw up there, all those badges ISO and SOC 2 things, are years in the making In order to make them happen. The next couple of things that I'm going to bring up here have been a year in the making since I've been here, which is a little over a year and a half, this has sort of been the charge forward. Coming up in 2024,we have been working on ISO 27018 and will be HIPAA compliant in Q2. So you will not only be safe, secure, but private as well. This dovetails right into RVO Health. These are things that take time to acquire, these are things that take practice, these are things that take all of us in order to make them happen from a wide team perspective.
I've been talking a lot about guardrails, not gates, but I want to mention our latest security features. We've introduced things as of late like Firewall Traffic Rules, Secrets Controller, and Content Security Policy. Many of you might not even know that we have a Content Security Policy available, but it's there to protect you against a class of attacks. Traffic rules are straightforward with geographic location type restrictions, making it easy for you to leverage and use.
Our Netlify Secrets Controller is revolutionary. Now this is something where it is truly like an easy button. You can literally click a button that says this thing is a secret, and your teams would never see it again which is fantastic from a security person perspective. You can now have real strong confidence that the keys to the kingdom are protected, and they're protected from day one. and gives you strong confidence that your keys are protected from day one. When I look at products and teams, I would love for other products to have this but I'll tell you what, they don't. Most of the time you plug in a key, I can go back and see it again. There's the key to the kingdom. We don't necessarily want that to be the case. And at Netlify we've addressed that issue with this fantastic solution.
Content Security Policy is a protection against the theft of personal data and credentials. Not only is it available to you and your administrators on Netlify with a simple plugin, but it's also extensible all the way out into your application. This is what we mean when it's guardrails, not gates secure by design. We want you all to be able to leverage these things out of the box with high confidence that they're going to be very successful. This is another revolutionary step. This is a very dynamic type of content control. In a world of static and composable, this was really legendary that we were able to get this pulled off in a very short period of time.
Above and beyond that, just on Monday we released Security Scorecard. If you go into your account now, you can go through and take a look and see which of our security controls that you're actually using and then you can take that and tout it to your security team. Rest assured, if you're not using all these sort of controls, we're happy to help you all get in there and figure out how to use them. That sort of concierge service we really like to get out there for our Enterprise customers and for all customers for that matter. The Security Scorecard gives you that map to where you need to be.
In each of these aspects, we've aimed for a "fix it for me" button approach, providing guardrails to allow you to focus on your customers. We want to be that, “No, no, we're using Netlify, it's fine. Just focus on the customer, it's totally good. They've got it, they've got us.” So, please focus on your customers, and we'll protect your brand reputation. Thanks all.