The following is a transcript of an interview with Josh Evans, lead software developer at Trifoia. Due to scheduling conflicts and pandemicrelated restrictions, the interview was also conducted by Josh Evans.

First, let me start by saying thank you for agreeing to have this interview. I know you are busy, but it means a lot.

Thanks! It’s really no problem. I enjoy talking about this kind of stuff. I don’t think it’s possible to talk about data security enough, it’s such an important topic.

I agree. Before we get into the weeds, though, can you tell us a little bit about what you do here at Trifoia?

As it says in the header, I am Trifoia’s lead software developer, so I have a lot of responsibilities. Firstly, of course, I am a team lead, so it’s my job to manage the other software developers, though we are a small team, so I write a lot of code myself. I’m also responsible for designing the infrastructure that we use internally, as well as the systems we design for our clients.

What role does “security” play in all that?

A huge part of designing any digital system is making sure that it is secure, so it’s one of the things at the top of my mind whenever Im designing infrastructure. I also review all the code that is written by our developers to make sure it follows security best practices, among other things.

You mentioned that data security is important. Why is that so?

Data security is really important because whenever you hold a user’s PII (Personally Identifiable Information), you hold that user’s life in your hands. If that data is leaked it could have terrible consequences for that person. One of the most common uses for PII data is identity theft, but it can also be used to initiate harassment or blackmail campaigns. It can even be used for political espionage.

On top of that, there are many laws that regulate this data. Every country and state has their own regulations, and because of the global nature of the internet, it’s really easy to find yourself in control of data from many different places with many different data security laws. It’s important that you have an understanding of the data security laws that are most relevant to you, but in general the best way to not get into trouble is to not lose control of your data in the first place. Or even better, not collect it at all.

Can you tell us more about “PII” for those who might not know what that is?

PII stands for Personally Identifiable Information. It refers to any data that you could use to distinguish one person from another. This includes obvious data like names and addresses, but can also include less obvious data like race and gender, since this kind of demographic data can be combined with other data to determine a person’s identity. There’s no single list of all of the specific types of data that count as PII, and there never could be, since the definition can be quite broad.

Despite the consequences you mentioned, security seems like something a lot of companies overlook. It feels like every month there is a big story of a major data leak. Why is that?

I think there are a couple of reasons. First, the internet was just not originally built with security in mind. In the early days of the web, security wasn’t a concern because the networks were extremely small and all of the computers on the network could be physically accounted for. A lot of very good work has gone in to making these systems secure since then, but we are still dealing with the “original sin” of a culture of insecurity today. For example, many colleges offer degrees in cybersecurity, but these classes are often not part of the more traditional software engineering tracks. Computer scientists are a bunch of nerds, after allmyself includedand time spent learning about security compliance is time not spent learning about the more fun and interesting aspects of software development.

Second, security considerations can often “get in the way” of project goals. It’s not very fun to be a security specialist because a major part of your job is to shoot down the business and engineering teams’ ideas because they are inherently insecure. You’re basically a professional wet blanket. It can also be difficult to justify the cost of enhanced security because time spent making a system more secure is time that could be spent implementing or fixing features that users will actually care about on a daily basis. Very often, security is only thought of after there is a security breach, because improved security does not reap observable results. You can’t really demo security improvements to a client like you can new features that people can actually use.

I understand that you have been working on a specific project at Trifoia that has a large data security element. Can you tell us a little bit about this project?

Definitely, though I don’t want to go into too much detailcompany secrets and all that.

Of course.

The important part for this interview is that we have developed a “data portal” that will allow users to enter potentially sensitive data for use in a research study. We’re responsible for lots of PII here, including demographic and health data.

Based on your previous responses I think I know the answer to this question, but at what stage in this project was security considered?

Security has been a core consideration from the very first day of the project! We understand the importance of keeping this data secure, and so the systems were designed from the ground up with security in mind.

What percentage of the initial design and implementation time was spent on security considerations?

Somewhere between 25-50%. We put a lot of thought into it.

Image shows security layers. Connections are between user, the internet, the web layer and the app layer. These last 2 are secured. App layer includes the database and the app server.

At a high level, what are some of the specific ways you made these systems more secure?

One of the primary concepts used for this project is something called “Layered Security”. It’s important to understand that there is no such thing as perfect security. There is no single firewall or data access procedure that is completely immune to attack, so relying on a single point of failure is asking for trouble. The systems that we designed are built so that less critical systems could become completely compromised without giving access to the data itself, forcing hackers to find their way through many different layers of security to get access to the data being protected.

As a specific example, we use two different “layers” to manage user interactions with the data. The first layer is open to the internet and is responsible for distributing web pages and other content to users. This layer communicates to the second layer, which is isolated from the internet and is the only system capable of actually interacting with the primary database. This is just one thing we do to ensure the security of our data, but I don’t want to go into too much more detail.

 

That’s understandable. I just have a couple more questions before we’re finished. First, what are some tips that people can use to improve the security of their own systems?

The most important thing is to have security on your mind from the very beginning of a project. It can be very difficult to add proper security protocols later in development if they were not part of the original designs.

Also, understand that there is no such thing as a perfect defense. You should always second guess your designs because there is a good chance theres something you didn’t think of. It’s always good to have a diverse team of people who can apply different perspectives to the problem and to layer your systems so a single point of failure can’t compromise the entire thing.

Finally, what would you say to someone who thinks it is not worth the time or expense to implement these security measures?

Is it not worth the time or expense to secure your house? To secure your office? Your car?

That’s a good point. Thank you again for this interview. It’s been a pleasure.

Of course! Any time. It’s always great speaking with you.