Putting a bounty on bugs: Instructure's Wade Billings on securing data
With more colleges and universities taking services to the cloud, keeping student data secure is an increasingly complex issue. And it's one cloud-based learning management system provider Instructure is all too familiar with.
Knowing the elevated risks associated with offering services in the cloud, the company — which serves the likes of Harvard Business School, Auburn, the University of Southern Florida, and UC-Berkeley, to name a few — has long taken an offensive approach to security, offering awards to anyone reporting security flaws. This year, however, it stepped up its game even more, crowdsourcing dozens of "good" hackers and paying them from a "bug bounty" pool of $10,000 to find security flaws — $1,500 for top tier issues to $100 or $200 for low-level problems.
When all was said and done, the pool was exhausted, says Wade Billings, Instructure's senior director of global IT shared services.
"When I’m speaking with people who are understandably concerned about the security of this data, I’m struck by how much fear, uncertainty, and doubt is out there around cloud services," says Billings. "As a cloud service provider, I am acutely aware that I have a responsibility to protect their student data as much or even more so than they do."
Education Dive recently caught up with Billings to find out more about Instructure's approach to security, the bug bounty, and why others in the space can't afford to make protecting data an afterthought.
EDUCATION DIVE: Before we talk about the bug bounty, can you tell me a little bit about the security measures Instructure had in place to begin with?
WADE BILLINGS: Sure. So, as you are very aware, the landscape of security — IT security, in particular — has changed dramatically over the number of years. It’s gone from a hacker mindset of, “Hey, I’m gonna try to break into a system for credibility’s sake” to more of “for fun and profit and/or cause.”
With Instructure and Canvas, in particular, being the only cloud-native LMS service out there, we knew right away, basically at launch, that our security profile was going to be much different than, say, a self-hosted LMS. So from the get-go, we tried to get a security mindset in place — organizationally as well as operationally. I think that shows in that, every year since launch, we have performed a third-party security assessment, and made publicly available the results of that assessment, while none of our competition has. The security processes and procedures that we had to put in place in order to ensure that we were able to have a final report every year that was public display-worthy meant that we had to do a lot of homework, as well as a lot of hard work, internally to ensure that we were highly secured.
What led to the idea of offering hackers a cash bounty to find flaws in the system?
BILLINGS: It’s kind of a change of mindset, right? Most of your self-hosted systems have a defensive type of mindset: Put up firewalls and IDSes and perimeter type of hardening in order to keep the bad guys out. We decided to take more of an offensive stance on this, which means that not only do I want to keep the bad guys out, but I want to know what the bad guys are thinking. And I want to know how they approach the exploit.
So, we started our bug bounty program way back in 2011, but it was more of a “see something, say something” type of program. In other words, we put on our security page that if you happened to come across an issue, here’s an email, open a ticket with us, and if we’re able to validate the vulnerability, we’ll provide you with a t-shirt and give you credit on the security advisory once we publish. And that actually was successful for us. It caused us to be very attentive to what we were deploying because we knew that we had people out there who would poke at us.
This year, when it came time to do the security analysis and evaluate where we were going to take our bounty program — because at that time, it was kind of a passive type of program — I came across Bugcrowd. Their approach to how they source their security researchers resonated with me. It allowed me to fulfill all of the goals Instructure wanted to fulfill. We were not hiring a legacy security firm to do an assessment that had three or four security researchers following a well-defined internal playbook and would produce consistent and predictable results. I wanted to do something a little bit crazy. I wanted to go out and find a group of hackers that I could point at our system and say, “Go for it. Approach this as if you were trying to break into us.” And Bugcrowd came to the table with that.
They have thousands of security researchers who they crowdsource, and we happened to go into what’s called a “Flex Program” with them. They handpicked 75 of their researchers, of which I believe 63 agreed to participate. Past results show that we had five or six vulnerabilities — that’s what the legacy security analyst type of engagement would find. This engagement, we netted a multiplier of that. I think, actually, now that it’s public, there were 59 issues that were found.
What’s the biggest takeaway you have for other cloud-based companies?
BILLINGS: If I was able to give advice to other cloud providers — again, we’re sort of unique as opposed to our competition. Most of our competition is self-hosted. So again, the rules of the game change, and the rules of engagement with those who wish to do us harm change, by us being a cloud service provider.
As a cloud service provider, I may not necessarily have direct control over some of the infrastructure that my service is running on. We’re hosted with Amazon, and they do a great job as far as knowing how to operate and secure their platform as a service. But that presents some unique challenges to us as a cloud service provider. That’s why we’ve switched from a defensive mode to an offensive mode, because we’re being hammered each and every day.
If [your service is] self-hosted, you kind of have to know where you’re going. You kind of have to be on the campus, or on the network, to gain access to the system. With a cloud service provider, our URL is public, and our IPs are public. You don’t have to be on a campus. You can be in a Starbucks in Parsippany, NJ, and try to attack us, so we have to take a much more holistic and offensive approach to security.
We continuously attack ourselves, and that’s what the bug bounty program actually plays into — that strategy of constant, adaptive vigilance around security. It’s not just, “Hey, what are the logs saying, or what is the IDS saying?” It’s, “What are people saying? What are they finding, and how are they finding this stuff?” It tells you much more about the health and security of your system than any log file or security appliance ever could. So my advice to other providers of either LMS or cloud-based services is that you need to go on the offense. You can no longer be sitting and having confidence in your defensive measures.
Follow Roger Riddell on Twitter