“We shape our buildings; thereafter they shape us,” – Winston Churchill.
At Relativity, we believe in shaping our security posture in layers so it will continue to grow and better adapt to the needs of the market, the threat landscape, and our customers around the world.
In the APAC market specifically, our Calder7 threat intel team believes the region will continue to be a hotbed for attacks from a variety of Ransomware-as-a-Service and nation-state threat actors, not to mention recent customer-facing breaches. One other persistent threat facing organizations across the globe, and particularly in APAC, is zero-day vulnerabilities like the Log4Shell vulnerability. These types of threats are concerning due to their growing scope and usage by threat actors. In April 2022, Google’s Project Zero reported that last year, the number of zero-day vulnerabilities detected and disclosed had more than doubled to 58 “in-the-wild 0-days”; 2022 is closely tracking a similar trajectory.
The constant influx of current and future threats makes the need to use secure, public cloud software much more important for businesses looking to do their work with the peace of mind that their most confidential data is secure.
One new validation of our security posture that we’re particularly proud of at Relativity is the announcement that Relativity has achieved the Infosec Registered Assessors Program (IRAP) assessment against ‘PROTECTED’ controls for our Australian cloud offering, RelativityOne. This means that RelativityOne now meets the high standard needed for security postures in technology systems used by a variety of Australian governmental agencies. For us, taking on this assessment was about building a high standard of assurances throughout our part in the legal supply chain so Australia’s public sector and anyone else dealing with high value and protected data can feel confident in where their data resides, despite an evolving threat landscape.
Building a skyscraper, or even a single-family home, requires a strong foundation. There are many paths to creating strong security foundations. Certifications are one of the most visible foundations for our customers. The certification foundation of Relativity’s security posture includes many pillars: Relativity is ISO/IEC 27001:2013 certified, SOC 2 Type II, and IRAP assessed, among many others. Achieving these pillars and keeping them up to date can be taxing, but it means that our foundation is strong and resilient against bad actors; additionally, it means that we can be adaptable and able to meet the needs of a variety of global customers and industries.
To achieve a new certification or assessment – in IRAP’s case – you need close collaboration between a variety of teams along with a significant commitment of time and resources. For IRAP, this meant close collaboration with over 12 teams across a variety of time zones over a period of several months, along with numerous evidence submissions, documentation updates, and walkthrough assistance with our 3rd party auditors.
The goal of all of this is to show that RelativityOne adheres to IRAP’s more than 700 security controls through an extensive review conducted by a 3rd party auditor. During the formal assessment, the auditors looked to find any security weaknesses in our SaaS product as listed by the controls and ensured that we adhere to their specific list of rules and regulations that allow us to handle sensitive data in the region.
In many ways, the assessment was like a house inspection. The inspector looked to ensure all of the doors in RelativityOne were properly locked, the windows were working, the furnace was functional, the piping and electrical ran correctly, and everything in between. Basically, they assessed: is your product a fortress that is highly protected from even the greatest threats, or is it a standard house with a few security gaps that could allow a bad actor unwanted access? The gap in controls between a standard house and a fortress is large and hard to close, but closing it is what it takes to meet the standards of the IRAP assessment.
After the assessment, we can confidently say that RelativityOne securely supports Australian government data in a cloud environment classified up to the PROTECTED threshold, which is a vital security threshold for many of these agencies.
Providing best-in-class security is an ongoing process that requires a particular combination of the right people, processes, and technology to be successful. While IRAP shows RelativityOne has now completed its latest ‘home inspection,’ there’s always more to be done to establish resilience against cyber threats. Having people on the ground locally can be critical for intimately understanding the environments you’re operating in. This led us to add our first cybersecurity analyst in Australia to further bolster our home’s protective forcefield, adding to the highly skilled Calder7 global security crew of over 50 engineers, analysts, and subject matter experts tasked with protecting customer data from getting into the hands of bad actors.
Another important element is having partners you can rely on to add to your layers. Perhaps the most important partner for us is Microsoft. Relativity built RelativityOne on the shoulders of Microsoft’s Azure infrastructure and security experience and continues to work in close partnership with the tech leader. Relativity has also been a member of Microsoft’s Intelligent Security Association (MISA) since 2020, an ecosystem of independent software vendors and services that have integrated their security products and services with Microsoft’s, and recently received the award for Security Independent Software Vendor of the Year at Microsoft’s 2022 Security Excellence Awards. Once we’ve established deep relationships with our security partners, we can exponentially increase the layers of protection of both our company and our product, and in turn provide the benefit of an increased level of security and intelligence for anyone who chooses to partner with us.
Finally, and not to be overlooked, are the innovations we can create in the product itself to help our customers keep their teams more secure. One additional way we’re expanding our global approach to security is through the rollout of the RelativityOne Security Center, a homegrown, free-to-use application built by Calder7 and aimed at increasing the security posture of our customers by giving them the ability to drive security actions and monitor alerts directly from the app. Alongside the ability to force two-factor authentication en masse, one of the other cool features of the tool is the automated map of sign-in geographies it provides, giving customers direct lines of sight into who is accessing their application, where they’re coming from, and when they accessed it, along with the ability to disable or delete inactive users when needed. Security Center is just another tool that empowers our customers to get the most out of their security in RelativityOne.
Moving forward, we will continue to look for new ways and opportunities to ensure Relativity’s security fortress remains secure, no matter the region or circumstance. Successful security postures need maintenance – you need to do annual assessments, home improvements, and daily maintenance to ensure your windows are locked, your doors aren’t broken, and there are no gaps for intruders to infiltrate and exploit. Much like Churchill’s famous quote, the building that we’ve created in RelativityOne’s security posture shapes our path as a company at large moving forward.
Amanda Fennell, Chief Security Officer and Chief Information Officer – Relativity