Insights from our Director of Security, Jan Kubíček
I joined Kiwi.com in January 2020 as the Director of Security. Although “anticipating the unexpected” has been a major part of my job for a long time, I really did not foresee what the year had in store for us all. More than a year later, we’re still in pandemic mode, but a little wiser and seasoned. Let me take a look back and share some insights about what we had to struggle with.
The business turned upside down
When Covid-19 hit the world, our whole business got turned upside down. Instead of selling travel services, we had to switch to handling cancellations, refunds, and assistance to passengers stranded at airports. This shift was palpable across the whole company, and also influenced our security operations.
Work from home only
The first thing to handle was enabling ongoing operations under lockdown conditions. Kiwi.com was already quite well prepared for this: we try to enable our people to work from anywhere, and our infrastructure and security controls reflect that. However, we also use outsourced services that are very “office-centric” and located in countries where broadband connectivity from home is not standard, and where lockdowns or curfews were enforced very strictly and swiftly. In Tunisia, the curfew was announced with one hour’s notice. In India, the police were arresting people who were not staying at home. Conditions like these left us with a lot of people unable to reach their workstations in the office. Because we rely on cloud-based applications and very little on-premise infrastructure, we could flexibly reassign access rights to the people who were available, without compromising security. The problem was reduced largely to a logistics issue – getting equipment to people’s homes and setting them up with a VPN and the proper access rights.
We use Okta as our identity provider, and we have built our own access management on top of the Okta Groups API. Changing the access rights was really fast and easy. There were a few operational challenges (time zone differences do not help, I have to say), but I was happy that we did not have to deal with a more traditional design that relies on on-premise network security and on access set up in multiple places. The lesson: prepare for a remote workforce. The scenario where everyone works from one site does not hold. There should be very few additional obstacles between the user and the asset they need to access.
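To make the group-based approach concrete, here is an added example of reassigning access by reconciling Okta group memberships against a desired-state table. It is illustrative code written for this page, not Kiwi.com’s access-management system. The org URL, all group and user IDs, the membership tables and the “protected group” rule are constructed assumptions; the only Okta-specific parts are the Groups API calls it builds (PUT and DELETE on `/api/v1/groups/{groupId}/users/{userId}`, authenticated with an `SSWS` API token), which are the documented endpoints for adding and removing a group member.

```python
"""Reconcile Okta group memberships against a desired-state table.

Added, illustrative code; it is not Kiwi.com's access-management system.
Assumptions (not from the post): the org URL, every group and user ID, and
the constructed membership tables below are made up for the example.
"""
import urllib.request
from typing import Dict, List, Set, Tuple

Membership = Dict[str, Set[str]]   # group_id -> set of user_ids
Change = Tuple[str, str, str]      # ("add" | "remove", group_id, user_id)

# Constructed sample snapshot: a refunds-handling group and a break-glass admin group.
CURRENT: Membership = {
    "00gREFUNDS": {"00uALICE", "00uBOB", "00uCAROL"},
    "00gBREAKGLASS": {"00uALICE"},
}
# Carol cannot reach her workstation and Dave is available. The desired-state
# file also (by mistake) drops the only break-glass admin; the guardrail must catch that.
DESIRED: Membership = {
    "00gREFUNDS": {"00uALICE", "00uBOB", "00uDAVE"},
    "00gBREAKGLASS": set(),
}
PROTECTED_GROUPS = {"00gBREAKGLASS"}   # groups that must never end up empty


def plan_changes(current: Membership, desired: Membership) -> List[Change]:
    """Diff current against desired. A desired group missing from the snapshot is an error,
    not a silent creation, so a typo in the table cannot grant access to the wrong group."""
    changes: List[Change] = []
    for group_id, wanted in desired.items():
        if group_id not in current:
            raise KeyError(f"group {group_id} is not in the current snapshot")
        have = current[group_id]
        changes += [("add", group_id, u) for u in sorted(wanted - have)]
        changes += [("remove", group_id, u) for u in sorted(have - wanted)]
    return changes


def check_guardrails(changes: List[Change], current: Membership,
                     protected: Set[str]) -> List[Change]:
    """Return the removals that would leave a protected group empty; those must not be applied."""
    projected = {g: set(members) for g, members in current.items()}
    for op, g, u in changes:
        if op == "add":
            projected[g].add(u)
        else:
            projected[g].discard(u)
    return [c for c in changes
            if c[0] == "remove" and c[1] in protected and not projected[c[1]]]


def to_requests(changes: List[Change], org_url: str) -> List[Tuple[str, str]]:
    """Map each change to the Okta Groups API call that performs it."""
    calls = []
    for op, g, u in changes:
        method = "PUT" if op == "add" else "DELETE"
        calls.append((method, f"{org_url}/api/v1/groups/{g}/users/{u}"))
    return calls


def apply_changes(changes: List[Change], org_url: str, api_token: str,
                  dry_run: bool = True) -> List[Tuple[str, str, object]]:
    """Execute (or, by default, only print) the calls. Dry run is the default so the
    plan is reviewed before anything touches production. Returns (method, url, status)."""
    results = []
    for method, url in to_requests(changes, org_url):
        if dry_run:
            print(f"[dry-run] {method} {url}")
            results.append((method, url, None))
            continue
        req = urllib.request.Request(
            url, method=method,
            headers={"Authorization": f"SSWS {api_token}", "Accept": "application/json"},
        )
        with urllib.request.urlopen(req) as resp:   # Okta answers 204 on success
            results.append((method, url, resp.status))
    return results


if __name__ == "__main__":
    planned = plan_changes(CURRENT, DESIRED)
    blocked = check_guardrails(planned, CURRENT, PROTECTED_GROUPS)
    for c in blocked:
        print(f"[blocked] {c}: would empty a protected group")
    safe = [c for c in planned if c not in blocked]
    apply_changes(safe, "https://example.okta.com", "REDACTED_TOKEN", dry_run=True)
```

The point of the reconciliation shape is that the desired state, not a list of ad-hoc commands, is what gets reviewed and versioned: the same table that moves a refunds agent out and a replacement in also shows, in the diff, the “temporary exception” that would have stripped the last break-glass admin.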
The silver lining
So, thanks to Kiwi.com being built primarily on cloud technologies and with a remote workforce, there were in the end only a few security concerns, and we quickly overcame them. There is also an upside. The Covid-19 times have brought us an opportunity to clean house, as many of you probably did in a literal sense during lockdowns. Unlike normal times, when everything follows the imperative “quickly, there’s no time, make it work yesterday”, the dip in the travel industry allowed us to assign resources to some overdue systematic tasks in sometimes overlooked security areas, especially where cooperation outside of the team was needed.
Of course, this is not a time to spend big bucks on new security solutions. But you would be surprised what you can do with internal resources only. Want some suggestions?
Review your endpoint security – you were probably forced to anyway, to accommodate remote work on an ongoing basis; use the momentum to introduce mandatory multi-factor authentication across the workforce. We did a phishing exercise as well.
Clean up your access rights – the changes that Covid-19 brought highlighted a lot of “temporary exceptions” that were overdue for realignment. You may get better control of your licensing as a bonus.
Reschedule your penetration tests, if they can be done remotely. You will have more time to evaluate and address the results before the business returns to 2019 levels.
Take a look at your business continuity plan – I can say that “global pandemic” was one of the often neglected scenarios until now, and you now have a lot of real-life data at hand.
Review the security posture of your suppliers and partners – they probably had to make some changes too; make sure there are no future surprises.
And stay safe. And sane.