Reltio, the first cloud-native master data management (MDM) SaaS platform, reached out to Bishop Fox to test their cloud security environments with a cloud security review engagement. Their customer base consists of highly engaged, mature, and security conscious organizations representing nine of the top 10 global life sciences companies and leaders from industries like financial services, hospitality, healthcare, and retail. Reltio seeks to go beyond simple compliance requirements and ensure their platform and environment are secure.

Terence Runge, Reltio’s Chief Information Security Officer (CISO), explains, “Reltio is a complex platform. We have a policy requirement for third-party testing, and we try to use the best. I've worked with Bishop Fox long enough to know that they’re going to send me the best.”

Validate and Expand on Internal Security Findings

“Earlier assessments that we did in-house led to the external assessment that was completed by Bishop Fox,” Terrence said. “At a certain point I thought, I really need to get outside help from some experts to take a look at this.”

Reltio relies on Bishop Fox to review security findings and remediation efforts originally found internally or by customer-driven testing in addition to finding new areas of risk. Reltio has strong internal security validation, but trusts that Bishop Fox can illustrate what a skilled, creative adversary could accomplish. Would an attacker be able to circumvent the remediations? Are there other avenues of attack to consider based on the latest tools and tactics available?

Digging Deeper into Cloud Security Issues

To assess the security of their Kubernetes deployment, Reltio and Bishop Fox collaborated to develop a testing methodology based on Reltio’s internal threat modeling. Bishop Fox approached the test from the position of a compromised developer or DevOps engineer, which required additional access but yielded high-impact results.

Through close cooperation between internal teams and pen testers, Reltio and Bishop Fox were able to go beyond the low hanging fruit during a cloud security assessment and illustrate how real-world attackers might compromise the deployment. Identity and access management was a key component of this test that often isn’t included in standard pen tests. Terrence explained:

"Pen testing identity and access management for Kubernetes is a pretty novel approach. Many pen testing companies are still just doing traditional web app pen testing and calling it done for Kubernetes, not considering other avenues of attack. We'd rather do advanced testing in a more controlled manner with people we trust than be on the defensive. "

— Terence Runge, Chief Information Security Officer (CISO) at Reltio

Pen Testers Are Trusted Partners

Terence has extensive experience working with pen testers and knows that you get more out of engagements when you partner closely with the testers and trust them. As he puts it, “we try to let the testers just test.” Bishop Fox and Reltio have built a strong partnership over multiple engagements. During earlier tests, internal security team members shadowed Bishop Fox testers and over time, Bishop Fox was able to develop strong contextual knowledge of Reltio’s environment, threat models, and unique security concerns; allowing us to deliver specific, effective findings and recommendations. Testers can dig into what has changed since the prior test, rather than starting from nothing.

With Bishop Fox, Reltio knows they’re getting results beyond low-level crowdsourced “fluff.” That comes from engaging with highly skilled, experienced testers and giving them ample time to do their work.

"Security leaders get hung up on this notion that a pen test has to be the classic two by two: give me two people for two weeks, and we'll call it done. And that's good. But what I've learned by working with Bishop Fox is that I can rotate the pen testers in over three to four months at a time and, in the first two days, they would find all the fluffy, obvious stuff. In about two months, they would say, ‘Oh, that looks interesting.’ Then in about three months, they'd say, ‘look what I did.’ It was really impressive, but it takes a long time to get there. It helps me understand how long it could take a motivated adversary with that same skill set to get to that point."

— Terence Runge, Chief Information Security Officer (CISO) at Reltio

Successful Tests Have Broad Impact

An effective pen test doesn’t just provide a list of vulnerabilities and misconfigurations without context; it challenges your assumptions and helps you improve security posture long term. Based on the results of these tests, Reltio has support for their plans to expand their DevSecOps efforts. They’re expanding how they leverage threat models and where security occurs in the software development life cycle.

"The findings also emphasized the importance of shifting security left, getting into the design phase as much as possible, and giving as much input as we can earlier in the process so we don't have to go back and fix issues later."

— Leslie Devlin, Senior Security Manager at Reltio

By continuing to partner with Bishop Fox, Reltio can rely on trusted testers to validate that they’re making good security decisions based on contextual knowledge of their environment and the use of novel approaches. Reltio’s clients should feel confident that their data and privacy are in good hands.

About Reltio

Reltio disrupted the master data management (MDM) software market when it launched the first cloud-native MDM software-as-a-service (SaaS) platform nearly a decade ago. The Reltio Connected Data Platform is a proven multi-tenant, multi-domain MDM platform that masters all data types in real-time and at-scale. Customers benefit from agility, scale, simplicity, security, and performance unmatched by Reltio’s competitors.

Reltio Connected Data Platform uniquely features big data architecture to manage massive data volumes in real-time for operational, analytical, and data science use cases, an API-first SaaS business model for rapid configuration and responsive data management, and Connected Graph technology to discover relationships.