You’re online, looking for the best deal on that Pokemon collectible that your girlfriend is so fond of. You find it, at last, at one of the usual retailers that have everything. You hurriedly click on the Buy button, fill in your address details and your credit card number, before it’s out of stock or the site stops responding — which is what takes place. Nothing happens after clicking the button.
You hit refresh, hoping it was just a slight page load error, but no. Now the whole page refuses to load. Almost desperately, you copy the URL and paste it in the address bar of another browser, the one you don’t like but know works in some cases where your main one doesn’t. To no avail. The site is truly down.
As you wallow in your disappointment at having missed the opportunity to get your hands on the coveted Pink Pikachu plush, you aren’t completely surprised. Afterall, it seems today that nearly a third of the websites you generally use are down, evidenced by sites failing to load and reports in traditional media. Also forefront in your mind is that your address and credit card information seem to be lost in the digital ether. The site did look legit and secure, but…
Of course, this isn’t a situation you’d ever want your customers to find themselves in. Not that you’d know — our annual Website Relevance Report found that 55% of respondents don’t complain, they just make a beeline for competitors. As businesses today rely either partially or completely on the cloud for their software needs, the importance of a sound and secure cloud infrastructure is clearer than ever. Cloud computing offers numerous benefits, including increased flexibility, scalability, and cost savings. So it’s not a question of if you should move to the cloud — but it does give pause as to who you should choose when selecting a cloud provider.
Coveo abides by the traditional CIA triad when it comes to securing your digital experience for your customers: Confidentiality, Integrity, and Availability. Despite the name of this security model, we don’t want to make a secret of how we’re safeguarding your business’s and customer’s information. So let’s dive in.
Confidentiality: Expanding Our Testudo
Security by design is how we innovate. Taking security to heart is something we prefer to do before incidents happen. (Especially with the release of our new Coveo Relevance Generative Answering.)
In the wake of some news about API Keys exposure by a Saas provider, Coveo proactively restricted how certain privileges could be associated within any given key used with our platform. For instance, if a key could be used to perform searches, it could not perform admin tasks, and vice versa. We also did a very intense campaign with our customers to make sure they followed best practices regarding API Keys’ management.
We also made it easier for our users to create sources with simpler permission sets. Let’s say you have an internal website where you list all of the social activities happening at an office within your company. That site is freely accessible to all your employees, but it’s an internal site. Though it was still possible to configure it as such before, since last November we have full UI support for setting up custom permissions for such a source, with something as simple as an email filter, e.g., *@acme.com.
And we’re not stopping there!
I’m happy to announce that, on top of having been a SOC II-certified company since 2015, as of May 10th, 2023 we are now ISO-27001 certified! This is a major milestone for us for many reasons.
First and foremost, it crowns a company-wide project with the objective of formalizing existing processes, creating new ones, and molding them into a cohesive whole called an “Information Security Management System”. This isn’t software, but a whole way of working. Of which Coveo had many pieces already, but haven’t until now been made to fit tightly together, as was vetted by a third party auditor.
Second, this shows our commitment to security, for our customers and for ourselves, in a whole new light. It shows our adherence to an international standard, whereas SOC was solely recognized by US companies and government agencies.
Integrity: Iterating Toward Perfection
We see building our infrastructure’s security and resilience as a constant self-improvement journey. On our short-term roadmap, we plan to give customers who wish it better control over temporary access to their organizations. With this new functionality, customers who wish to vet every access to their Coveo environments will be able to review and approve access requests.
Also, in order to make sure customers do not misplace API keys we will be partnering with GitHub as part of their Secret Scanning Partnership program. Once in place, GitHub will scan all its public repositories, as well as those of its GitHub Advanced Security customers who wish it, looking for Coveo API Keys, flag potential keys that might be part of an attempted push and will thus be able to prevent these keys from being committed in GitHub in the first place.
We are always mindful of the trust imparted in Coveo, given the data customers give us stewardship over. Therefore, adding security layers to prevent wrongful access and making sure that it is always available for authorized users remains at the heart of everything we do.
Availability: Even in the Cloud, Always Plan for a Rainy Day
Moving to cloud computing decreased many risks. Back then, companies had rows of poorly ventilated servers in their storage shed, often on the brink of catching fire. Or, if you’re in Canada, short-circuiting due to condensation caused by hot CPUs running in sub-zero temperatures. (Fahrenheit or Celsius, doesn’t matter — zeroes everywhere!) The point is, with servers now managed in orderly data centers accessible to any company tier, hardware reliability issues are a thing of the past.
That’s not to say accidents don’t happen. When they do, there’s usually redundancy built into the system. But as most companies have learned, cloud computing involves complex software/hardware systems that aren’t impervious to outages. Over the last five years, several big cloud providers experienced outages — if you’re thinking of a name, chances are it’s a good guess. Most outages are caused by unforeseen consequences in configuration changes or new software deployments.
To prevent this and uphold our security by design philosophy, Coveo expanded its footprint into multiple locations around the world so that no portion of its search infrastructure is running in solely one AWS region. Like any company looking for redundancy, we multiplied the bases on which our business could rely, spreading the load, replicating data in points separated from hundreds or even thousands of miles.
This setup is called Active-Active. Coveo’s U.S. customers can benefit from having their index duplicated across two geographically separate AWS regions in continental U.S., as well as full replication of all the services necessary to support the query path, including machine learning model hosting capabilities. Subsequent phases of Active-Active will see other services included in this redundant architecture and spreading of this architecture in more and more points across the globe. For the more technically curious, this technical blog post goes into more implementation details!
For customers keen in preserving uptime no matter what, a 99.999% uptime package will be available as an add-on to our Enterprise plan. We’re very proud to release that collective team effort for our customers’ benefit. This is a huge undertaking in strengthening our infrastructure that spans across multiple teams within R&D.
Where Safety Meets Innovation
So if your company is planning to launch a pink Pikachu plush, your marketing plans are safe from the prying eyes of the competition — or the die-hard fans — while your online shop is ready to handle incoming traffic, even if large chunks of the internet suddenly disappears for an afternoon at the beach…
Dig Deeper
Learn more about how Coveo brings search and personalization securely and consistently to the cloud: