When Daniel Chait started his first company in New York nearly 30 years ago, cloud infrastructure didn’t exist. His team had to build a server room full of computer racks and air conditioners to keep the technology from overheating. And buying new software meant having it delivered and set up in person. At times, it felt like a full-time job.
Now, everything runs on the cloud, including the entirety of his current HR recruiting company, Greenhouse, which certainly makes it easier to scale and centralize data, he says. But keeping up with customer expectations with all the risks that have arisen managing business in the cloud, he says, it feels like once again a full-time job and then some.
“We have a huge security infrastructure, as you can imagine, because we’re under constant attacks 24/7,” says Chait.
Recent data from Crowdstrike backs up his claims. New cloud intrusions increased 25% last year, meaning more nefarious individuals are looking to take advantage of the technology for their own gains. This often involves manipulating people through various means to get them to give up login info, for example, that will allow these bad actors to access the cloud to steal confidential company info then or deploy malware, says Adam Meyers, senior vice president of counter-adversary operations at CrowdStrike.
“From a financial and logistical standpoint, it makes sense to do things in the cloud, but there are risks, and any company that uses it needs to have compensating controls and mitigation strategies they can put in place to try to minimize it,” he says.
And as Greenhouse has grown larger, and brought on more customers, Chait says it’s also opened the company up to more cloud-based threats.
“Because our product is one that’s often listed on a company’s website, [hackers] have started targeting us more often,” he says. “We’ve done a good job of keeping the bad guys out, but it’s a huge, huge investment.”
Greenhouse’s cloud security playbook
To ensure data remains safe, the company encrypts all passwords, and all cookies are transmitted over secure channels. Individual candidate records and files can be hard‑deleted on demand and are retained for 30 days before a complete purge. Third‑party services of the company also undergo annual security and privacy reviews. They also must sign a Data Processing Agreement (DPA), a legally binding contract that outlines how personal data can be handled.
Greenhouse also implemented annual SOC (Service Organization Controls) compliance, a certification that companies can get that ensures they follow rules and practices to protect client and worker data. Having these kinds of verifications certainly helps, Chait says, as clients will send in their chief information officers (CIOs) to go over these protections before signing on.
This is typical, as most businesses prefer to see this kind of verification before signing on to use a service, says Rob Geist, senior vice president of Growth at SimpleVMS, a cloud-based vendor management system.
“Everybody these days wants companies to have this kind of compliance to do business because they understand the risk, they’ve seen the lawsuits that arise when data isn’t protected.”
But managing risks involves more than having the latest tech and security practices, Chait says. He believes that it’s crucial that he himself understands what new threats that have arisen in the landscape and what can be done to mitigate them. Being able to answer this question, he says, could meanlanding a major deal with a potential customer, or not.
“Our customers frequently put us through the ringer,” he said.