Ted Schneider, ARCOS chief technology officer, knows a thing or two about cyber security. In addition to being interviewed by Forbes and contributing articles to Energy Central, Ted manages the technology team responsible for ARCOS cloud operations, software development and product management. Schneider also oversees development of the product strategy plan, software road map, and user experience. During his career, he has managed teams that have developed software for the manufacturing, industrial automation, biomedical, healthcare, and HR industries, all with a keen eye on keeping data secure. He has been a technology leader, executive, or product owner for leading companies such as Taleo (now Oracle), Eaton, Rockwell Automation and GE Healthcare. He holds a bachelor’s degree from the Milwaukee School of Engineering, where he also completed graduate studies.
We thought we would pick his brain about cyber security, ARCOS’ recent SOC 2 audit (which it passed), and AWS.
Cyber security is an unending theme that is in the foreground of our digital age. Ted, ARCOS takes the security of utilities, airlines, and critical infrastructure industries very seriously and recently completed a SOC 2 audit. What is SOC 2? Did ARCOS pass certification? You have to be compliant. What does that mean?
Security is an evolving practice. There used to be perimeter-based security, which meant you built fences within your fences and moved them around. Now the idea is that the security practices are where you are. So, what SOC 2 ensures is that the people who are accessing server areas in the moment have a need to be in those environments, and there isn’t just a simple fence gate letting people in or out or letting them wander about. It’s more discrete in each piece of functionality that is served. The audit guarantees that only the people who need access to a small, concise piece of information are allowed to obtain only that.
So, to be compliant, kind of going backwards with your question there, we need to go through a third-party audit. We have a major firm that comes in and audits all of our different controls. SOC is “service organization controls” – and we are type two, which is a deeper audit than just the basics. And we did pass, and we have no qualifications on our passing the audit. What it does for the organizations that we serve is ensure them that we are consistently following all of our organization’s standard operating procedures, our processes, and all the security practices that go with that as well. And that is confirmed each year: that we have documented, and we continually meet, those practices every day.
Why is compliance so important?
It’s important in a couple of ways. Generally, our customers will give us an RFI or an RFQ around what we do for security or what we do for our controls. You know, back in the day, a client would send in their own audit team that would come in and interview ARCOS and check all of our standard operating procedures manually. Now, through SOC 2, a company can fast-track that whole process and be assured during the procurement process that ARCOS is compliant and exceeds their security needs. We have roughly a 67-page report that shows them SOC compliance by all the different controls that are measured. They no longer have to spread their resources thin by sending anyone to interview dozens of ARCOS team members. They can confidently check off their own criteria by reviewing a single document.
In many cases, simply having the SOC 2 type compliance almost puts the question to rest immediately and allows the customer to move on to: is the solution a good fit, and can we serve them best with that solution?
The product itself that we sell and offer to our customers as a solution must also be compliant, in that it has all the access controls, it has all the parameters and all the configuration points, and it does all the password management, single sign-on, et cetera, that comply with our customers’ standard operating procedures as well.
Are there other ways that ARCOS protects customer data?
There are many other ways. Some of the things that may or may not be part of the SOC compliance, but are more so concerns of the customer, is encryption. We definitely encrypt at rest. We encrypt in transit. Do we limit the access by our employees? Our employees do not access any of the customer’s data, and only during support instances do the customer support people use the application to try to take care of any customer configurations that may be needed. So there are other things outside of that. In addition to buying some of the best-of-breed products, as Oracle is our database, we use Oracle’s security operations to ensure that a company like Oracle is also behind us with security.
We have thousands of monitoring points. They measure in real time. We measure up-time every 30 seconds from around the world. And we do have at least four major touch-points from different products that we use for monitoring our own application. In addition, we’ve built our own alerts and monitoring system into the product to ensure we have a hardened system that can self-detect. We even have the capability to do some self-healing within the product as well. On top of that, we have regular patch management and updates that are monitored on our servers, and for any situations that could occur on them.
Security is an everyday practice at ARCOS, and with the team that we have here serving all the technology out to the customers, it’s more than just putting things in place, such as technology and products, to ensure that, or being audited. It’s in our thoughts every day. Security has to be in every step you take along the way of serving the customer with the solution. And it needs to be thought through. Is it a secure practice? Am I doing the right thing that protects the people and the people’s data, to ensure that it is very, very secure, and at the same time not losing any speed or performance while doing it, because the security can affect that as well?
Can you explain how ARCOS works in the cloud with AWS (Amazon Web Services)?
AWS is a very strong partner with ARCOS, and our platform is housed within the AWS infrastructure in multiple regions and locations. We not only have redundancy within the tiers, but redundancy within the regions and locales. ARCOS uses approximately ten different products within AWS that help us, but the security in and of itself is above and beyond what a normal in-house, on-premise IT organization would be adhering to, because it serves a worldwide network. All the different AWS security features and functions are available to us, in addition to our SOC compliance.
Have you ever personally helped a Nigerian Prince or bought $2,000 worth of gift cards for your CEO when you received his email asking for them?
(laughing) I have not responded to any rogue emails that appear to be from our CEO or any other person in the company requesting gift cards. And in addition to that, while I’ve helped a lot of people, I may have helped a Nigerian Prince somewhere along the way in my life, but I’m not sure exactly how I did that, whether it was opening a door or helping them carry a bag. I have no idea. (laughing)