An interview with Award Force Technical Director Kirk Bushell
Read the interview below with Award Force’s Technical Director Kirk Bushell to learn about how to add security to your program, and what Award Force is doing to ensure your program’s security and integrity. Want to learn more about security for your application management system? Watch the Award Force Academy webinar.
Carl (Award Force Academy): We all know security is important and have an idea of what it is, but, if I'm being honest, it's kind of a big grey area for many of us. We hear things like data encryption, SSL, ISO, GDPR, PCI DSS, and a lot more; but what does it all mean?
I'm delighted to introduce you to my good friend and colleague, Kirk Bushell, Award Force Technical Director. Hi Kirk!
Kirk: Hi Carl, how are you doing?
Carl: Great, thanks. Thank you for joining us today and taking the time to discuss a few things about how and what Award Force is doing in terms of security. If I can jump straight in, I have a few questions.
Kirk: Not a problem.
Carl: Fantastic. In regards to encrypted data, award programs using Award Force are also using SSL by default. How does this help users of Award Force? And what type of confidence can they walk away with because of this?
Kirk: That's a really good question, Carl. SSL is there by default, as you mentioned, and what this does for our clients and users is to ensure a better security implementation across all requests on the platform. What this means is that, with SSL enabled, there are certain attacks that are impossible to achieve. For example, a man-in-the-middle attack. The platform actually enables this protection by default. What this means is that you can't actually create any sort of connection with our services without SSL. If you try to connect to our platform without SSL enabled, it simply blocks the request, which is really great for security.
Carl: Fantastic. The General Data Protection Regulation, also known as GDPR, was introduced to protect European citizens back in May 2018, but how does this affect people outside of the EU?
Kirk: Another really great question. The first thing is that, although GDPR was developed inside the EU for EU citizens, it does actually have wider implications for anyone operating outside the EU that services EU customers. For example, if an EU citizen is accessing the Award Force stack from outside of the EU, we still need to apply the same feature set and protection as they would if they were inside the EU. Because the GDPR is really quite a good piece of legislation in helping to ensure user privacy and security at a fundamental level, we have championed that cause even though we are an Australian company. We've ensured that all of those regulations are met with a number of features we have implemented in the platform today.
Carl: Excellent. What has Award Force done to provide our clients with the options they need to safeguard themselves and their user-base?
Kirk: Another really good question. So, Award Force is a data processor, and this means that what we need to do according to regulation is to ensure that we have all the features in place to make sure our clients and program managers have the relevant features and requirements to facilitate things such as user deletion requests.
All of the resources within Award Force now have some sort of permanent deletion feature, namely users and entries, and, as an example, if you need to remove your season or even your full account at some point, we can do that and provide a certificate for you to be sure it has actually been done. The reason for this is because the GDPR legislation stipulates that we shouldn't maintain or hold on to any data beyond its use-by date.
So if you're running a season and you have data there that is no longer relevant, you can delete that information. Secondly, and probably the most important feature, is the way we deal with data encryption to ensure that we respect users' privacy, especially for sensitive data.
When you're setting up custom fields, for example, we have three levels of encryption. The standard level is what we apply to all data regardless of the option you select, and that's our data-at-rest feature, so all the information and data that we collect on users and what they upload as part of their entry or as part of their user profile, is all encrypted at rest. What that means is that the data exists on a file server’s disk space and is encrypted at that level. So if someone were to gain access to the server, for example, they’d actually need the key that we’ve used to encrypt that data before they can actually view it. That's a great standard level of encryption.
The next one above that is the elevated encryption option for custom fields. What this means is that we actually hash the values in our database so even if you're looking at the data, you can't see what the value is. You might be able to guess it if you sort of know what's in there, but obviously with the amount of data there is and the diverse data values, that is quite difficult to do. You can't actually see it; you have to decrypt it using our key as well.
And then, finally, we have maximized encryption, which means that the only value we store is a fully-encrypted value. Unless you have a key, again, you can't see it. The interesting thing with the maximum encryption option is that you can't actually search for the data; we're unable to write queries to search for the data that you're looking for. It provides you that extreme level of encryption and security for really private information for end-users. So, if you're collecting information on users that is particularly sensitive, then it might be a good idea to use maximum encryption.
Carl: Fantastic. I'll be touching on that a little bit more later today. Thanks for that. The next question I have for you is: What are the responsibilities of programs collecting personal information, especially if there's any chance of collecting data about European citizens? And what does it mean to be in breach of the GDPR?
Kirk: If you're an EU program, it is really important that you are up to speed with the GDPR regulation and just understand what is required from you as a data controller and what your responsibilities are.
First, for example, if the user requires that information be deleted, you need to see through that request. I can't remember the exact time frame, but I think it is within 30 days. It's really important that clients are aware of their responsibilities and what they need to do for their end-users as well as knowing the last cycle of data that you're collecting. Do you need it forever, do you need it just for that year, do you need it for that season or just a month? Ensuring that you know how long you're maintaining data is really important.
The second question concerns what a data breach is. What that means is that, for example, if Award Force, heaven forbid, were hacked by someone who was able to gain access to our data servers, that is essentially a data breach. So, as soon as Award Force is aware of such a data breach, there are two things we need to do. The first is to investigate and understand the problem in regards to how it happened, and the second is to report that data breach to both the client and also to the regulatory body in the EU, to say "hey, we've been breached, these are all the details, this is what we're doing to combat it in the future."
Carl: Award Force is ISO27001 certified. What did Award Force do to ensure the International Standards Organization's requirements were met for this certification and, if I can be so naive, what is it?
Kirk: Great question. This standard is effectively a bunch of guidelines that control how an organization should conduct itself in regards to managing all sorts of data throughout the organization: the information we collect, how we store it, how we audit it, how we make sure the users have access to that information and so forth. That's a very broad overview and a quite simplistic one, but it has wide-reaching implications for an organization that may not have that in place to begin with.
The good thing is, at Award Force, we've always been quite sensitive to data privacy and data security and so we had a lot of that stuff already in place, but it still ended up taking about twelve months to implement all of the controls, the various audits and things to make sure that we are actually compliant with that certification. In fact, we are coming up to our next year's certification. So we've been certified for roughly a year now to get that in place, but it's been a really interesting and exciting time because it shows our clients that we take security very seriously.
Carl: Absolutely. In terms of security, what has Award Force done, and continues to do to ensure we're the industry leader, the benchmark, if you will, with keeping data and users safe?
Kirk: Another really great question. We've mentioned a number of things that we've done to facilitate that, but simply, from a certification perspective, we chased ISO27001 certification, we also went after PCI DSS certification. That latter one is really important because, although we don't store credit card data for any of the payments, for example, for entry submissions, we do still have to collect that data to pass onto payment gateways that we utilize; and so, part of that certification is showing that we're not storing it, we're not doing anything else with it other than passing it along. In some cases, we're not even collecting that; we're not even asking for that data from the user if you're using, for example, some sort of redirect-gateway in that matter. Finally, we have the GDPR regulation, which I think is probably the strongest of all of them simply because it puts user privacy and data security front and center. So, essentially, if you want to operate in the EU at all, you have to follow that regulation and its legislation.
Carl: Thank you, Kirk, so much for joining us today and giving us your time. I really do appreciate that.
Kirk: No problem at all.
Learn more about Award Force security.