Interview

Robust security with 99.99 percent uptime – LogMeIn CISO tells us how it’s done

From taming the DevOps beast to building a highly resilient architecture, Gerald Beuchelt, CISO at LogMeIn, shares his strategy to thrive in the rapidly changing threat landscape.

Clocking over 6 billion annual interactions and catering to over 4 million daily active users, LogMeIn ranks second in the increasingly competitive remote access market. 

Remote access management is a sticky wicket to bat on. The propensity for being exposed to emerging threats coupled with the absolute necessity to maintain uptime makes the space one of the toughest fields for a CISO to operate in.

In an exclusive interaction with CSO Online, Gerald Beuchelt, CISO at LogMeIn, talks about exploring AI, recent acquisitions and what they mean for the business, and why secure DevOps is the key to achieving security and agility.

Edited excerpts: 

How does LogMeIn manage to maintain a 99.99 percent uptime, and ensure that security is not compromised?

The key to this lies in a highly resilient architecture, so investing in technology is very important to us. We have a very large network operations and security operations center working hand in hand.

The constant coordination between technical operations, the NOC and the security team is critical in terms of understanding how we can address vulnerability issues. My team continually monitors our entire fleet, both internally and externally. 

We work closely with our partners in technical operations in order to be able to schedule vulnerability patches classified as low or medium. Can this affect availability? Absolutely, in some instances it does.

However, by having a highly service-oriented architecture, we have the ability to fail over certain nodes, take the other systems offline, patch them and then bring them back online.

So thinking about microservice architectures and how you can integrate the benefit of DevOps into a truly secure DevOps or DevSecOps kind of model is critically important.

Do you think secure DevOps is going to gain more traction? Are we going to see more companies adopt a DevSecOps model?

DevOps is an interesting beast. There are teams in some organizations that have implemented a very mature DevOps program. Fitting the appropriate security in mature programs is actually quite easy. 

This is because at the end of the day, you automate deployment pipelines, testing across the board, and have quick feedback loops reaching developers through the use of canary or other standard DevOps techniques.

These techniques enable you to maintain a very high level of security, and also patch quickly and effectively across the board.

We feel that if we have product security included at the beginning of DevOps discussions, it becomes a lot easier to build secure systems from the start.

What's really important here is to have very close collaboration between your DevOps team and product security team, because this will enable you to use this technology like it was intended.

Could you share some use cases where LogMeIn deployed AI and machine learning?

We have a communication and collaboration business unit where we focus on meetings, interactions and reach out to customers. We recently bought a company called Jive that delivers UCaaS (Unified Communications as a Service).

We have another business unit called Identity and Access Management - we're focusing on Logging as a Service (LaaS) and Platform as a Service (PaaS). 

LogMeIn LastPass provides secure password management, and is an important cornerstone in the security space, especially for smaller organizations as they are much more exposed to password leakage. 

We have the customer engagement business unit, and within that we have various tools like Rescue that serves a helpdesk kind of functionality. We also recently bought a chatbot and AI startup called Nanorep. 

Nanorep focuses on bot automation, and we're using this in a number of ways. We've integrated Nanorep with Bold, which is a customer engagement tool.

You had stated earlier that you're deeply distrustful of most PaaS and SaaS providers. Could you explain the reason for your initial skepticism and has that changed now?

Yes, absolutely. When we started early on, the whole notion of cloud across the board was not particularly well understood. We were also in a situation where the maturity of security and compliance programs was not at a point where we could fully rely on them.

A couple of years back, we were using SAS 70 as a reporting standard on security organizations' controls, and we all know the shortcomings of that standard. With the advent of various highly cloud-focused security reports over the last 5-7 years, the picture has changed quite dramatically.

The tables have turned with significant investments by cloud providers into security and compliance and also with the ability to leverage very specialized resources for running their own platform in a secure way.

For example, if you want to roll out an e-commerce application, you would have onboard application engineers, application security engineers, network engineers, system administrators, database administrators, your own security team and backup sites. Buying all of this for a single application was very expensive.

Tell us about the LogMeIn India story. You are in direct competition with Google, Cisco, AWS and Adobe; what does LogMeIn bring to the table and what is that differentiator?

We have a very interesting portfolio of SaaS offerings that we can bring to the market. We have a broad coverage in the communication collaboration space, a lot of capabilities around secure password management, and products which are forward-looking in the customer engagement space.

Bringing all of this together, we have a portfolio of services that can enable small companies and startups to really get up to speed in terms of a whole variety of business needs. 

Everyone is going to need some form of a meeting tool. If you want to reach a larger audience, you'll also need a webinar kind of ability to roll it out, and perhaps make those webinars available later with a product like GoToStage.

You need password management, and integrating services like LaaS and PaaS can really help companies to move forward. In the customer engagement space, if you have a marketing website or you really want to reach out to your customers, you need a product like Bold with associated AI capabilities to help you scale quickly.

This value proposition is very relevant for a startup-driven country like India. In this context, I feel we're very strongly positioned to help local companies excel.