20 Information Security questions to ask potential retouching vendors

Information security—or the lack thereof—will never stop being a hot topic. The extremely cavalier approach major corporations can take to privacy and infosec has been shocking to many, with wide-ranging impact.

The Cambridge Analytica scandal, for one, has not left anyone’s memory. It was enough to make the mighty Mark Zuckerberg face Congress in person, and might have swung the US presidential election. The implementation of the GDPR in Europe had international companies scrambling to comply with user data protections, or risk penalties of up to 4% of worldwide annual revenue or €20 million (whichever’s higher—ouch!).

And do I really want to message my wife through a service that might read and sell that message?

Of course, that’s not what really happened. Facebook didn’t intend to sell off as much info as they did—they just got careless.

But how exactly was Facebook exploited? What was the chink in the $500 billion tech giant’s armor?

A third party vendor.

There was no virus, no worm, no hackers breaking into their system. Facebook simply gave the wrong app developer too much access.

Vendor failures are your failures (So run a risk assessment!)

When you partner with a vendor, you can’t simply think of it as “us” and “them.” You’re taking on responsibility for that vendor’s handling of proprietary data. Their risks are your risks, and their failures—malicious or not—are your failures.

Breaches put corporate viability at risk in countless ways—exposing trade secrets, damaging brand credibility, violating contracts, breaking laws—and you should absolutely have an information security management system in place.

That means creating a vendor risk profile and giving it real weight in your vendor selection process, right alongside price, quality, and scalability. Set your bar high, and flunk out any vendor who can’t clear it.

No exceptions.

We’ve recognized the importance of infosec from the beginning, and have always invested in it. Your security is critical to our operations: that’s why we have always kept to the highest possible standard (jump to Pixelz security setup).

What are the risks?

Consider the following risks of an insecure outsourced retouching vendor:

Image Theft

Stolen images may be sold to knock-off factories before you even have product listings up on your own site. Depending on your licensing agreements, you may also be liable for paying photographers, models, brands, retailers, etc. for use of the image—whether authorized or not. Don’t lose control.

Trade Secret Theft

Your photography and workflow techniques are proprietary. The props you use, the camera and lighting settings found in metadata, your naming schemes, your local digital asset management, how your images are retouched—don’t let it be stolen.


Insecure vendors get hacked and infected. Those infections can spread to your systems. Even if they don’t, vendors with good intentions become vulnerable to the aforementioned thefts.


If an insecure vendor is connecting to your proprietary systems, you don’t know who’s gaining access. If your own system isn’t completely firewalled, you’re creating a vulnerability ripe for exploitation.


Insecure systems crash. They become infected, subject to DDOS attacks, or even fail because pirated software gets caught by legitimate antivirus. Insecure vendors are unreliable because their systems are unreliable.

Legal Liability

Due diligence requires you to perform a risk assessment, especially for publicly traded companies. If you’re working with an insecure vendor and it burns your company, you may be legally liable.

If you’re considering working with an outsourced photo editing service, be sure your risk assessment covers the following vulnerabilities.

Building a risk profile (20 questions to ask every vendor)

First, map out the process. Where are your images going? How are they secured at each stage? Who has access to them? How is that access controlled?

Ask each potential vendor the following 20 questions:

  • What hardware does your company use?
    1. Where is it hosted?
    2. Do you have redundancies for critical infrastructure? (multiple dispersed locations)
    3. What physical controls exist regarding access?
    4. What environmental controls are there? (in event of fire, natural disasters, etc.)
    5. Who owns the hardware involved?
  • What software does your company use?
    1. What is your server infrastructure?
    2. How do you keep it patched and up to date?
    3. How do you monitor integrity?
  • Who performs IT support?
    1. What are their qualifications?
    2. Is there background screening during your hiring process?
  • ....

Download complete 20 point questionnaire template

How Pixelz secures outsourced product image editing

We’ve developed extensive controls, policies, and plans so we can stay alert and respond rapidly to contingencies. For structure, we’re working towards ISO 27001:2013 certification, the globally recognized risk management framework addressing legal, physical, and technical controls.

In simplest terms, we rely on end-to-end encryption, tightly controlled access, and extensive network and event monitoring. The idea is that only individually authorized people have access to partitioned portions of our system, we know everything that’s done with that access, and in event of a worst-case scenario, all customer data is encrypted and therefore protected.

I’ll try to put our infosec management system into an acronym-lite format that doesn’t dissolve into alphabet soup on reading, but bear with me. It’s hard to get specific without also getting into technical jargon.

Pixelz scores A+ on SSL Labs security report.

Please note that while software and services listed are current at the time of writing, we update from time to time in order to provide the best possible service. That means, for example, that a firewall service named now may not be the one we’re using in six months.

End-to-End Encryption (AES-256 in the cloud)

We keep customer data securely encrypted during transport, storage, and caching.

Transport: All uploads, downloads, and management—like web account use—take place over a secure connection. That connection occurs via HTTPS (web), SFTP (secure file transfer protocol), or TLS (when using our proprietary API). Using state-of-the-art SSL/TLS encryption ensures that your connection to Pixelz is certified safe.

Storage & Caching: Okay, you’ve safely uploaded your images. What happens to them now? At Pixelz, they enter into one of our AWS (Amazon Web Services) layers. We have regional caches around the world, and move images between them depending on the editing steps they are going through. We encrypt all cloud data, regardless of location, with AES-256. That’s one of the most secure encryption standards, approved by the U.S. government for top-secret data. This is done using AWS KMS, so keys are protected with FIPS 140-2 validated hardware security modules. “FIPS” is another U.S. government cryptographic approval standard (the “F” stands for “Federal”).

Firewall (WAF rapid patching)

Web Application Firewall (WAF): On-site firewalls can quickly become outdated, so we use a more responsive WAF. CloudFlare is a PCI compliant continuously updating firewall we use across our web properties. You’re probably familiar with PCI compliance if you’ve operated an e-commerce site, as it’s the “Payment Card Industry” standard.

In addition to rapid patching and protection of www.pixelz.com, CloudFlare allows us to restrict access to internal systems (like our CRM) by IP, security level configuration (so insecure devices even within our office are blocked), and other relevant settings.

Controlled Access (Managed devices, unique users, IP restrictions, VPN, and 2-factor auth)

We tightly control access to our systems and to customer data.

Secure Local Computers & Managed Devices: All photo editing steps performed by humans are done on managed devices in our offices. USB drives are disabled, preventing exporting of files and installation of malware. The computers can only be accessed via Active Directory login, meaning all users are uniquely authenticated, permissions are strictly defined, activity is monitored, and PCs auto-lock after 5 minutes of inactivity.

Tablets and other devices used to perform QA, development, and related tasks have permissions controlled at the user level, are subject to the same network access restrictions as computers, and are forbidden to leave the office by company policy.

We use a host-based intrusion detection system to analyze the logs from all computers in our system and detect threats. It reads operating system and application logs, monitors the integrity of the file system, looks for malware and suspicious anomalies, and scans for compliance to company policy.

Remote Access via VPN and Multi-factor Authentication: Remote access is necessary for developers and administrators who need to be able to respond immediately, at any time, to crises—whether that’s from home, an airport, or the other side of the world.

Flaws in remote security have major repercussions; you’re opening up your system to the whole world, rather than a few bad actors on premises. At Pixelz, remote access requires multi-factor authentication with a VPN login, and we use a high-security VPN: OpenVPN and L2TP/IPsec. That ensures anyone who accesses our VPN is who they say they are, and all activity is happening in a monitored and controlled environment.

Network and Event Monitoring (Logs, logs, and more logs)

We go to a great deal of effort to make sure all activity happens within our systems, where it can be monitored and audited. We use a variety of systems and software to monitor the different layers of our service.

Cloud Monitoring: For our Amazon instances—like AWS, our cloud storage—we use CloudTrail. CloudTrail is an Amazon service specifically designed for logging and continuously monitoring activity across an AWS account. Whether actions are happening through the AWS web portal, command line, or software development kit, they’re tracked and analyzed. In this way we can detect suspicious events that could indicate a security threat—whether malicious activity or a technical vulnerability.

We combine CloudTrail with CloudWatch, another Amazon service, to set alarms and automatically react to specific actions.
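As an added illustration (not Pixelz's code or rules), the following Python shows the kind of check that can run over CloudTrail records for the controls this article describes: IP-restricted access, multi-factor authentication, and KMS-backed encryption. The network range, rule names, and sample records are constructed assumptions; the event and field names are CloudTrail's own.

```python
import ipaddress
import json

# Assumed values for illustration; not Pixelz's real networks or rules.
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # documentation range
TAMPER_EVENTS = {  # calls that weaken logging or encryption at rest
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail"},
    "kms.amazonaws.com": {"DisableKey", "ScheduleKeyDeletion"},
    "s3.amazonaws.com": {"DeleteBucketEncryption"},
}

def _rec(time, source, name, ip, extra=None, resp=None):
    """Build one constructed record using CloudTrail's field names."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "sourceIPAddress": ip, "additionalEventData": extra,
            "responseElements": resp}

SAMPLE_LOG = json.dumps({"Records": [  # constructed sample, not real logs
    _rec("2024-01-01T09:00:00Z", "signin.amazonaws.com", "ConsoleLogin",
         "203.0.113.10", {"MFAUsed": "Yes"}, {"ConsoleLogin": "Success"}),
    _rec("2024-01-01T09:05:00Z", "signin.amazonaws.com", "ConsoleLogin",
         "198.51.100.7", {"MFAUsed": "No"}, {"ConsoleLogin": "Success"}),
    _rec("2024-01-01T09:10:00Z", "s3.amazonaws.com", "GetObject", "203.0.113.25"),
    _rec("2024-01-01T09:15:00Z", "kms.amazonaws.com", "ScheduleKeyDeletion",
         "203.0.113.25"),
    _rec("2024-01-01T09:20:00Z", "cloudtrail.amazonaws.com", "StopLogging",
         "203.0.113.25"),
]})

def source_allowed(addr):
    """True if the caller address is inside an approved network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        # Service-initiated calls carry an AWS DNS name instead of an IP.
        return addr.endswith(".amazonaws.com")
    return any(ip in net for net in ALLOWED_NETS)

def findings(log_text):
    """Return (eventTime, rule, eventName) for each record needing review."""
    out = []
    for rec in json.loads(log_text).get("Records", []):
        name, when = rec.get("eventName", ""), rec.get("eventTime", "")
        if not source_allowed(rec.get("sourceIPAddress") or ""):
            out.append((when, "ip-outside-allow-list", name))
        login_ok = (rec.get("responseElements") or {}).get("ConsoleLogin") == "Success"
        mfa = (rec.get("additionalEventData") or {}).get("MFAUsed")
        if name == "ConsoleLogin" and login_ok and mfa != "Yes":
            out.append((when, "console-login-without-mfa", name))
        if name in TAMPER_EVENTS.get(rec.get("eventSource", ""), set()):
            out.append((when, "logging-or-encryption-tampering", name))
    return out
```

Federated sign-ins report `MFAUsed` as `No` because the second factor is checked at the identity provider, so the MFA rule needs an exception for those users.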

Local Monitoring: For monitoring of our local servers and computers—like the hundreds of PCs and servers in each of our photo editing offices—we use Wazuh. Wazuh combines OSSEC with the popular ELK stack (Elasticsearch, Logstash, and Kibana).

OSSEC is an open source project that has exceeded common open source limitations thanks to its acquisition by Japanese security multinational Trend Micro back in 2009. It is a top-of-the-line Host Intrusion Detection system.

The ELK stack is used to collect and analyze many different kinds of logs, like event logs, system logs, and photo editor client logs. It’s extremely useful for visualizing threat monitoring.

Rapid Response: The bigger and more successful you are, the more you become a target online. DDOS attacks and hacking attacks aren’t a probability, they’re an inevitability. The better your prep—software, hardware, training, and planning—the more easily you will handle the crisis when it happens.

We regularly weather spikes of 10x traffic to our website, and constantly see attempts to infect us with malware. Our preparation allows us to operate normally during such episodes.

We have alerts and rulesets for immediate threat response in the cloud, and have similar functionality in our offices. For example, we combine real-time monitoring of logs with Microsoft Group Policies linked to Active Directory, enabling us to update every computer in our production offices within minutes. Rapid threat response minimizes the extent of damages.

Contingency Planning (Be ready for things to go wrong)

When something does go wrong—and it will—having a detailed contingency plan in place will keep heads cool and the machine running as smoothly as possible.

Just as we advise you to perform a risk assessment of vendors, so do we perform our own risk assessments. We have extensive action plans to respond to natural risks like flooding and fire; technical risks like systems breakdowns, security threats, and internet disruption; and human resource risks like loss of key personnel.

One of the best parts of writing out 20 pages of step-by-step instructions for disaster response is discovering things you can do to mitigate risk right now. The ability to reduce or eliminate risk proactively is extremely beneficial. For that reason, Pixelz continuously updates our contingency plans, with strictly defined implementation owners, communication channels, and effective dates.

Next Steps (Assessment and mitigation)

After you’ve profiled your retouching vendor, the next step is to assess the risks. Determine the likelihood of occurrence, severity of impact, and mitigation possibilities. A quality vendor will work with you to mitigate risks—it’s in both their short-term and long-term interests.

Risk assessments and mitigation aren’t sexy (to most), and require a lot of detail-oriented communication and analysis. But if you value your company’s reputation, secrets, and performance, they’re a critical step in every RFP. If a vendor’s not able and willing to answer your questions, why would you trust them with your images?

If you’d like to learn more about our security standards, policies, and procedures, just ask! We love to spread infosec love.