Recently, Laneway Analytics earned its ISO 27001 certification, the international standard for managing sensitive information assets. Sanjaya Perera is the Head of DevOps and Infrastructure at Laneway Analytics, and led Laneway’s ISO certification program. In this interview, he shares his experience in taking a company through the ISO certification process, what’s involved, and what it means for Laneway’s customers. Recently, Sanjaya added to his long list of credentials by becoming an AWS Certified Security Specialist.
Sanjaya is the Head of DevOps and Infrastructure at Laneway Analytics. He has more than 16 years of experience in the IT infrastructure and telecommunications industry. His expertise is in infrastructure automation and network security.
Q: Hi Sanjaya, you are the head of DevOps and Infrastructure at Laneway Analytics. What sort of things have you done in your career to get into this sort of work?
Sanjaya: At university, I studied Engineering in Electronics & Telecommunications and earned a BSc. I followed this up with a Masters in Computer Science. From there, my work experience was in telecommunications where I focused on Network, Cloud & Information Security, Infrastructure Automation, and Systems Integration. Getting exposure to so many areas developed my passion for Infrastructure Automation and Open Source Technology.
I have worked for some really large, great, international companies, and through these experiences collected so many skills across multiple areas in IT. So now, working in a start-up technology business like Laneway Analytics, I get to put all of this to use across the many hats we all wear in a start-up. And I am continuously learning about new tech and bringing this to Laneway’s growing technology stack. As one example, I just became an AWS Certified Security Specialist. I am loving the freedom to research all this new technology and lead the ongoing DevOps and security capability at Laneway Analytics.
Q: Where did you grow up? How does your background influence your outlook on your work?
Sanjaya: I was born in Sri Lanka and completed my tertiary education at the University of Moratuwa, Sri Lanka. In 2003 I got the opportunity to join Sri Lanka Telecom, the largest telecommunications and ICT provider in Sri Lanka. I worked in many different areas during my tenure at Sri Lanka Telecom, from network security and system administration to implementing ISO 27001.
I came to Australia in 2013 for a change after serving in a single organisation for 10 years. I started with Intrepid Travel group as a Network Engineer. I got an opportunity to join their development team to help migrate their infrastructure into the AWS cloud. That was my first experience with a development team in an agile environment where infrastructure was also built with code.
Having worked in multiple infrastructure and security roles helped me to successfully guide Laneway Analytics to their ISO 27001 certification.
Q: Recently your company earned its ISO 27001 certificate. Can you tell us about what that process was like?
Sanjaya: As a data analytics company, we host our customers’ data. As an early stage company, with lots of competing demands, especially developing product for our first few customers, we took what is a large bet to go big on security.
Taking Bets is a core value for us. There is no right answer in deciding which parts of your start-up to focus on. We took the bet that managing compliance risk for our customers and proving we have the right systems and procedures in place to earn their trust is one of the most valuable things we can focus on for our company and customers.
And striving for ISO 27001 isn’t cheap. It takes a total company effort and focus. Fortunately, our CEO is a huge believer in security and creating trust and belief from our customers that we will diligently manage their sensitive data. So, we were given the resources to begin our journey to ISO certification.
We started by standardising our infrastructure, such as naming conventions and automated deployment scripts. Once we standardised our infrastructure it was much easier for us to introduce new changes, systems and missing modules in the security stack. We always had ISO 27001 compliance as one of the end goals. We had to introduce changes carefully to avoid disruption to live systems and other priorities.
Our next step was to identify what was in place and fully compliant, what was in place and needed improvements and what needed to be implemented fresh.
We prepared a plan with target dates and identified responsibilities and a proposal was submitted for management review and approval. Once our CEO was happy with the plan and budget we started with improving processes and policies in line with ISO 27001 controls. From there we were able to implement the identified gaps / improvements within a three-month period to get ourselves ready for stage 1 of the ISO 27001 audit.
Q: How long did it take to get your tech in place to feel ready for a 3rd party ISO auditor to look at your company?
Sanjaya: It took a lot of work and close to a year of effort from all of us in the organisation. We never had the idea of just acquiring the ISO 27001 certificate for the sake of compliance. We always wanted to follow and implement the proper guidelines and controls so that the company and our customers are well secured. We know compliance is a huge task, and we solve a big problem for our customers with our information asset management capability. And through this, our customers really trust us to provide this service.
Analytics is more than just deploying a SQL Server data warehouse and a BI reporting tool. We have more than 90 different pieces of technology in our analytics platform to deliver a comprehensive data management and analytics platform. And this isn’t just fancy kit for machine learning workloads; at the core, we need to protect our customers’ data, and also our intellectual property.
We need confidentiality, integrity and availability in all aspects of our information assets and processes. Certainly, technology will be used for that. But that itself doesn’t provide everything. We need to make sure that encryption keys are protected, data is not corrupted and insights are available on the portal when required. That requires technology, people and processes to work together to achieve a fully secure and compliant environment.
We provide the right kind of training for our team members, which is practical and based on actual incident response training. We often run war games where we simulate an incident to test our team’s response to a range of likely scenarios, from ransomware to core service outages, through to business continuity simulations. During the war game simulations, a large part of our testing focus is on teams working with each other under stress, root cause analysis, and perhaps most importantly, communications back to the customer.
ISO isn’t just about tech… it’s mostly about people, processes, and communication.
Q: What was the audit process like?
Sanjaya: Once we were comfortable with our infrastructure, policies and procedures, we booked in our audit three months in advance. We had enough time to carry out an internal audit and address any findings. Our Head of Analytics, Janice Tam, has significant experience in information security and running audits at Deloitte. She led the internal audit. We identified more areas for improvement and lapses in team members’ understanding during the internal audit process. The internal audit process was useful not only for fixing the technical and process issues, but also for getting the team ready for the audit process.
The audit process was in two stages. The first stage was a document review, where the auditor reviews our policies, procedures, documentation, scope and applicable controls.
The second stage is actual verification of implemented controls with evidence. Since we had gradually worked towards ISO 27001, we had the necessary evidence to show how the controls were implemented, evaluated and improved over the period.
Q: So does ISO mean you are hack proof now?
Sanjaya: No… ISO isn’t Valyrian steel, but it does mean we follow the best practices to safeguard information assets. When you follow the best practices, you expect to have fewer or no information security incidents. Even if an incident occurs, we have ways to detect, respond and normalise services within the specified recovery time objective.
Q: What does being ISO certified mean for your customers and business?
Sanjaya: One of our company’s core values is: ‘Create certainty’. For us, it is all about how we create confidence with our customers, and confidence within our teams. It’s about our work and communications. At all times, we are putting ourselves in our customers’ shoes and imagining what their fears are. It’s all about reducing stress and sleeping well at night.
For me, the ISO certification creates a necessary foundation to our analytics platform that enables us to scale our tech and innovation.
Plus, it’s a pretty great achievement to get. This is the second time for me. Previously I led the process for a large telco. It is hard work. The tech is fun for me, but the real challenge for any organisation is where the tech meets humans.
‘Our customers ask us, “I don’t care about some web API widget, tell me what a human will do when things go wrong.”’
And this is a core part of ISO. It is 144 controls across the whole company’s people, processes, and the IT systems.
For us, we make security a part of all product design aspects.
Just because we achieved our certification, we are not going to take our security lightly and rest. We will continue to evolve and improve our systems, procedures and, most importantly, our knowledge to meet the challenges we have to face tomorrow. We have already listed out our infrastructure plan for the next two years, where we have identified key dates for important activities such as penetration testing, disaster recovery drills, user awareness and internal audits. On top of this, we will have an annual external audit, and the scrutiny will only increase.
Laneway Analytics
Laneway Analytics is a visionary and leader in data and analytics solutions and services for superannuation funds. It partners with funds to analyse and rapidly transform data into better member and employer engagement outcomes. Laneway Analytics’ cutting-edge approach to business intelligence is evident in the industry awards and recognition its client base is accumulating.