Caveat emptor. It’s a Latin phrase that translates to “Let the buyer beware” in English. While that may be a time-honored principle of commerce for purchasers of tangible goods, cloud computing users deserve a better bargain as to the security of the virtual services they buy.
Revionics, a provider of science-based solutions for pricing, promotions, markdowns, and advanced analytics for lifecycle pricing optimization, wants their retail organization customers to enjoy the peace of mind that the AI-powered solutions they deliver via the cloud are secure. Not all retailers are the same regarding their cloud experience level, however.
“Some clients are very well versed around cloud security and what practices to expect,” says Patrick Lea, Senior Vice President of Enterprise Infrastructure and Operations at Revionics. “Other clients aren’t as mature or they’re just not as familiar, so we need to be able to speak to all of them, whatever their maturity level relative to the cloud. Every client has a different perspective on security.”
Revionics’ customer list ranges from large retailers to small and medium-sized ones and spans various categories, including grocery, home improvement, pharmacy, convenience, and more. All these retailers share the need to keep their customers’ data secure. After recently completing a migration to the cloud from on-prem, Revionics wanted to get a baseline of their security posture to provide that information to their retailer clients for a big picture view and peace of mind.
“Companies are more or less comfortable with the concept of the cloud and cloud security,” says Lea. “We have to make sure we’re always focused on providing good security and best practices around the cloud to properly deliver our services. We need to educate our clients and prospects about what steps we take to ensure that our services and their data are secure.”
Revionics determined that a security assessment of their cloud infrastructure would be the best way to baseline their security and obtain documentation to educate their customers. They wanted an outsider with expertise in assessing cloud security to offer an independent perspective across their entire cloud footprint, thoroughly evaluate their security, and help guide them on their cloud security journey.
Because Revionics had recently collaborated with SADA to complete the full migration of all their production assets to Google Cloud, they naturally considered SADA’s Cloud Security Confidence Assessment. As a multiple-time Google Cloud Partner of the Year, SADA has the resources and experience to help the company gain clarity about their cloud security and define the next steps on their cloud security journey.
“We decided to engage with SADA and leverage the SADA Cloud Security Confidence Assessment to provide an external, independent view of 10 different security-related domains to understand where we are relative to our security plans, footprint, and profile. We also want to understand how we compare to industry benchmarks for overall security and best practices.”
Patrick Lea | Senior Vice President of Enterprise Infrastructure and Operations at Revionics
Over five weeks, SADA executed the cloud security assessment to determine the security status of Revionics’ Google Cloud infrastructure. SADA conducted the security assessment by evaluating Revionics’ cloud infrastructure across the following ten domains:
- Identity and Authentication/Authorization
- Secrets and Key Management
- Resource Governance & Organization Policy
- Secure Software Supply Chain
- Network Segmentation and Security
- Logging & Monitoring
- Asset and Data Management
- Virtual Machine Security
- Google Kubernetes Engine and Container Security
- Incident Response and Recovery
SADA also performed threat hunting in three Revionics projects. This exercise led to the generation of detailed findings.
“Based on SADA’s outside, independent review, we were able to assess the results and determine actions that make sense to ensure we’re pursuing the best practices around security,” says Lea. “Security is a journey, not a destination. It’s always changing, and we have to make sure that we continually evaluate what we do well and where we can do better. That’s why we brought in SADA to look at our security and see how that’s progressing.”
As a result of working with SADA on their Cloud Security Confidence Assessment, Revionics was provided:
- Information about areas of security strength
- Pinpointed opportunities for quick-win improvements
- Observations about longer-term security policy changes
- Aggregated results distilled into a single numerical score
- Detailed findings and recommendations in a sixty-page report
- Documented action items in a checklist format
These results enabled Revionics to analyze their security by comparing what they intended with reality. “We were pleasantly surprised at the results for parts of the security assessment,” says Rob Gallo, Director of Information Security at Revionics. “In others, the SADA Cloud Security Confidence Assessment really highlighted areas where we already knew we could make improvements.”
With the Cloud Security Confidence Assessment in hand, the Revionics IT team now has what they need to persuade decision-makers within the organization to prioritize security over competing objectives.
“Seeing the security results spelled out in the context of SADA’s third-party, independent set of recommendations gave us the ammunition to move forward. It helps us prioritize that work and get more buy-in to get the job done and defer other projects.”
Rob Gallo | Director of Information Security at Revionics
Additionally, Revionics feels very confident about the input they received from SADA as to what security areas to work on and in what order. “SADA made specific recommendations for which security priorities would most benefit Revionics,” says Lea. “They didn’t just tell us to go figure it out ourselves. They actually listened and made specific recommendations around which priorities take precedence, based upon what we do and how we operate our business. SADA brought their expertise to bear in that regard.”