Security is paramount for Human API because their platform places consumers at the center of managing their own healthcare data and sharing it with doctors, labs, pharmacies, and other healthcare businesses.
Traditional assessments are point-in-time and, as a software company using Agile and DevOps methodologies, Human API understands very well that “security has to be a continuous process,” adds Bell. The business challenge for Human API is how to deliver the highest levels of security with their limited security resources, while still meeting customer expectations around legacy testing approaches.
“We chose CyCognito because it delivers a continuous approach and focuses us on the critical security issues most likely to take place,” says Bell.
CyCognito helps Human API understand not just where they are potentially exposed, but also what specific assets and critical attack vectors are exposed, presented as an attack surface map. The clear prioritization and identification of risks by the CyCognito platform helps the security operations team be more efficient and get a greater return on investment from their security efforts.
“The CyCognito platform helps us efficiently monitor security. There are thousands of threats out there; even an army of security staff can’t address them all. CyCognito helps us focus our efforts on what’s critical,” says Bell.
One of the ways that Human API uses CyCognito is to validate security controls, configurations and third-party partners. The Human API IT ecosystem is cloud-based, and one of the benefits of today’s virtualized infrastructure is that a lot of security is built-in by default. But the model is also one of shared security responsibilities, and the enterprise owns proper configuration. “In these environments, dealing with a mountain of configurations is challenging, and misconfigurations can be a primary source of vulnerability,” says Bell.
The CyCognito platform provides attack surface visibility and new insights, identifying risks that were not previously known or examined, including risks involving third-party partners. Those findings have helped facilitate conversations with third-party providers about the security of their interactions.
“The CyCognito platform helps my team be more efficient because we are working from our threats to the specific assets,” says Bell. “It delivers a first line of understanding of what needs to be considered and evaluated and possibly mitigated and/or remediated. Otherwise, we could be chasing corner cases all day.”
Another use case for CyCognito at Human API is to set the context for penetration testing, which improves the benefit and quality of penetration testing. Bell notes, “There are thousands of risks and threat vectors for any organization small or large, and the challenge is to know what’s most likely to be targeted.” Penetration tests don’t give you that. And, they don’t provide the continuous view needed for security operations; they provide a point-in-time snapshot. According to Bell, the question becomes, “How does one tailor a pen test? You cannot reasonably cover everything. Using CyCognito to understand the risks that are present informs how to scope a pen test and even select the methodologies.”
And Bell says that the clear identification of risks and priorities helps her justify requests for additional resources. “The information CyCognito provides helps us prioritize our investments,” Bell says, “and that’s always a good thing.”
Validation that security controls are operating as expected
Information to help focus penetration testing
Data to support the business case for additional resources
Continuous security assessment & visibility to previously unknown threats
Prioritization of critical risks to be addressed