Pearson Brochure - September 2022

IN PARTNERSHIP WITH behaviourModel

VIDEOGRAPHY: Joe Clarke-Blomfield and Wendy MacKinnon

AUTHOR: Dan Brigham PROJECT DIRECTOR: Richard Durrant

Education company Pearson is shifting from a publishing business to an on-demand education provider to the world. As it goes through a digital transformation to achieve this, we speak to its security team to find out how they mitigate risk to help improve the lives of students.

Secure education

The learning ecosystem has shifted. Even before the pandemic, the trend for digital-first learning was climbing. Now it has escalated. This has dovetailed with a change in how people want to be educated. Workplace and non-academic learning is booming as organisations – and schools and colleges – increasingly see the value in providing access to acquiring new skills across a lifetime of education.

Simply, education is no longer the linear experience it once was, and Pearson is catering for this change.

Pearson creates digital learning products and tools. It brands itself the world’s leading learning company, and it very much backs up that claim: the company has around 20,000 global employees, and its reach is enormous, providing rich digital content, online resources, qualifications, courses, assessments, and data to learners in schools and organisations throughout 200 countries.

Education comes with great responsibility, and with that responsibility comes huge security implications across all of Pearson’s business areas.

Muthu Meyyappan, Global VP of Security Engineering, joined Pearson in 2017. His role now covers identifying industry trends, engineering tools, and helping development teams and product teams to implement security within Pearson. The landscape five years ago was significantly different to today.

“When I joined Pearson, we were looking at changing two different areas,” he says. “One was moving from a fragmented view to an overall centralised view of security and looking at it from a risk perspective, as well as providing tools and services that will improve the security rather than keeping that as a checkbox for compliance reasons. What are the right technologies we need to bring in? What are the right processes we need to bring in? What are the right people we need to bring in?

“The second piece was how do we work with the different teams to understand their needs within Pearson and make sure that they see security as an enabler, not as a cost item. We have done a lot of work in those two areas to look at the risk in an overall manner, rather than in a very specific area.

“In 2020 we appointed Andy Bird, who came across from Disney, as our new CEO. His direction is to take us from a publishing company to a direct-to-consumer learning company, and technology is at the forefront of that transition. And we are going through that transition now.”

The security threats Pearson faces are twofold. One is familiar to any software organisation: a vulnerability or architectural flaw in its system. The other is very specific to Pearson’s core area of content creation and delivery. Securing the content to avoid pirating is a major piece of work, and crucial to Meyyappan’s team.

“The threats we face at Pearson range from curious students trying to test the limitations of our learning tools, through to nation-state-sponsored criminal enterprises, and everything in between,” says Nick Vinson, Director of DevSecOps.

Vinson joined in early 2018 as part of Meyyappan’s drive to set up a security engineering team, full of security engineers with domain-specific knowledge.

The thinking behind this? People who have knowledge and experience in building and managing technologies are simply better placed to secure them. However, Meyyappan and Vinson recognised that recruits can’t be experts in all areas.

Therefore, they built a team of subject matter experts across a variety of different fields and got them working together. This, however, did create some initial challenges. “We started the team from scratch. And the first few months were very challenging because we had to move from that legacy enrollment to ‘how do we operate in a DevSecOps fashion’,” says Meyyappan. “The challenge is, you need to find the right person and the right skills and the right attitude to be part of that DevOps movement to make sure that we can implement those jobs.

“Within the DevOps area, there are specific domains that are more challenging than others,” says Meyyappan. “The way that we approach this is to identify the very specific needs for the different projects, and make sure that the team is integrated as a single collective, rather than ‘here is a security team, here is a development team, and here is the operations team.’”

Because central security teams in large organisations struggle to keep up with the sheer volume of security engineering needs of product teams, Pearson has found a logical and efficient way of implementing effective security: teaching the product teams to be self-sufficient in security. For Vinson, it was also important that the security engineering team was seen as a crucial piece of the cross-functional jigsaw. “It was very important to be part of cross-functional teams in order to actually introduce the required security controls to improve the security posture of those products,” he says. “The way we achieved this was by building trust with the teams with the quality of technical input. We weren’t providing the teams with security requirements which weren’t relevant, and we were providing tools which fit their workflows.”

Identifying the threats

A major part of Pearson’s approach to security is threat modelling: a systematic process that allows security teams to identify product-specific threats and mitigating countermeasures. Traditional threat modelling can have significant limitations when used at scale, because the process is manual. Due to the size of Pearson’s operations, it knew that traditional threat modelling couldn’t keep up with the pace of technological advancements – and therefore the advancements in security threats. So the company took the decision to embrace automation in its threat modelling.

“The problem we wanted to solve was getting a holistic view of security risks across our products, and quantifying those risks in a consistent and accurate way,” says Vinson. “We want to identify security requirements as early on as possible in the software development lifecycle with a view that remediating them early on is much easier and much less expensive.”

This was easier said than done. In order to create consistency in identifying threats and security controls, a framework was needed. The time burden of manually reviewing security control implementations also needed to be overcome. So Vinson started looking for products with the flexibility to define a threat modelling framework and an API that would allow Pearson to integrate their own testing.

Start Left: Threat Modeling for Secure Application Design

Helps enterprises to remain secure while demonstrating ROI

IriusRisk is the industry’s leading threat modeling and secure design solution in Application Security. With enterprise clients including Fortune 500 banks, payments, and technology providers, it empowers security and development teams to ensure applications have security built-in from the start - using its powerful open and automated threat modeling platform.

Whether teams are implementing threat modeling from scratch, or scaling up their existing operations, the IriusRisk approach results in improved speed-to-market, collaboration across security and development teams, and the avoidance of costly security flaws.

Benefits of Threat Modeling

Ensures collaboration between systems architects, developers and security teams

Enables regulatory compliance and full auditing trails and reports

Threat modeling improves time to market for new products and services

www.iriusrisk.com

Automating threat modelling

Owen John is a Platform Security Lead at Pearson. His primary role is to improve the security posture of the cloud platforms being utilised by Pearson’s product teams. Specifically, that involves identifying a set of security requirements for cloud infrastructure and working with the product teams to get those implemented correctly.

“With the high number of development teams we have in Pearson, doing threat modelling manually just won’t scale and wouldn’t work for us,” John says. “The last thing we want to be doing is bombarding product teams with hundreds of tickets, a lot of which might be irrelevant as they are already implemented.

“So what we do want to do is analyse each security countermeasure in advance and make sure it’s relevant. So to help us reach our scalability goals, we’ve developed an automation framework which allows us to validate these countermeasures and security controls automatically by integrating Irius with our third-party tooling.”

The ‘Irius’ John talks about is IriusRisk, the automated threat modelling platform. Pearson chose IriusRisk as its platform of choice in early 2020 when it was looking to automate the threat modelling process to add consistency, reduce man-hours, and scale. It was an ideal partnership from the start. “We were evaluating other tools in the space,” says Vinson. “And based on our criteria and requirements, IriusRisk came out on top. That was predominantly because it had the flexibility for us to define our own custom risk libraries and an API where we could integrate our existing security testing.

“The SaaS nature of the platform was attractive as we didn’t need to self-host it. And, with us being a globally distributed team, it fits really well.”

In an ongoing relationship, IriusRisk’s platform has allowed Pearson to build a framework tailored to its products and tech stacks. This has given Pearson the ability to generate threat models rapidly and accurately. The security requirements are more relevant and effective because they’re project-specific, giving Pearson a more comprehensive view of the risks it is facing.

Introducing risk libraries allows Pearson to consistently measure risks and deliver quality countermeasures across all of the products that it is threat modelling.

“We maintain our own in-house threat libraries that are based on the public standards,” says John. “That’s beneficial because we work very closely with the product teams. We know their tech stack, and we know their working practices, so we can add relevant context to the security countermeasures to aid with implementation.”

“Pearson is a global company,” says Meyyappan. “And we use pretty much any technology you can think of under the sun. So the way that we are using IriusRisk really helps us in the sense that we can go to IriusRisk and say, ‘here are the new technologies, we may need a new control library for this’.”

Looking to the future

As Meyyappan touched on, the future of Pearson is a pathway that leads to it moving from being a publishing company to a direct-to-consumer education service provider, in particular via its Pearson+ offering. The eText subscription service allows students to download digital learning materials on multiple devices, study to their own schedule, have access to materials created by over 3,000 experts, and to 1,500 eTexts created and taught by Pearson-approved authors.

Pearson+ Channels, the company’s newest study tool, will allow students to interact with thousands of videos across a range of subjects.

This means that, for the DevSecOps team, the model has changed from building tools for a captive audience of educational institutions, to selling products to the general public – who only pay for those products if they like them.

“We have a number of different products that are very well received in the market,” says Meyyappan. “Now the goal is making it more direct-to-consumer-centric. Pearson+ is the first major D2C product delivered – we have done D2C in specific applications before, but not as a global strategy.

“The approach here is making sure that we can create an ecosystem that can go directly to the consumer. That creates challenges from a technology perspective and a security perspective, because you are doing that last-mile delivery now, and you know your customer pretty intimately.”

These developments go hand in hand with the future of threat modelling at Pearson, with the aim to scale the model out across all business divisions and product groups.

“The principle that security is a shared responsibility is something we’re fostering and spreading,” says Vinson. “The future of security in the culture of Pearson is that security is a fundamental aspect of all new products that are developed.”

“We are going through this digital transformation, and looking at more cutting-edge technologies because we want to be a front-runner with these technologies. Partnering with tools and platforms like IriusRisk means we can be innovative in design, and bring that into the wider security community.”
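As an added illustration of the countermeasure validation Owen John describes earlier in this piece, the sketch below decides from scanner evidence which threat-model countermeasures are already implemented, which are demonstrably missing and should become tickets, and which still need a manual look. This is example code written for this page, not Pearson’s framework or IriusRisk’s API; the countermeasures, check identifiers and scanner output are all constructed.

```python
# Constructed example (not IriusRisk's API or Pearson's framework): derive each
# threat-model countermeasure's status from the automated checks linked to it, so
# only controls that are demonstrably missing turn into tickets for product teams.
from dataclasses import dataclass
from enum import Enum

class Status(Enum):
    IMPLEMENTED = "implemented"    # every linked check passed: no ticket
    REQUIRED = "required"          # a linked check failed: raise a ticket
    NEEDS_REVIEW = "needs-review"  # no conclusive automated evidence: manual review

@dataclass(frozen=True)
class Countermeasure:
    cm_id: str
    title: str
    check_ids: tuple  # ids of automated checks that evidence this control

# Constructed countermeasures, as a threat model of a cloud-hosted product might list them.
COUNTERMEASURES = [
    Countermeasure("CM-01", "Encrypt object storage at rest", ("storage.encryption",)),
    Countermeasure("CM-02", "Enforce TLS 1.2+ on public endpoints", ("lb.tls_min_version",)),
    Countermeasure("CM-03", "Restrict admin API to corp network", ("fw.admin_ingress", "fw.default_deny")),
    Countermeasure("CM-04", "Review IAM roles quarterly", ()),  # process control, no automated check
]

# Constructed scanner output: check id -> True (pass) / False (fail). Checks the
# scanner did not run are absent and must not be read as a pass.
SCAN_RESULTS = {"storage.encryption": True, "lb.tls_min_version": False, "fw.admin_ingress": True}

def evaluate(cm: Countermeasure, results: dict) -> Status:
    """A known failure dominates; only a complete set of passes counts as
    implemented; anything else (no checks, or a check not run) needs review."""
    outcomes = [results.get(c) for c in cm.check_ids]
    if any(o is False for o in outcomes):
        return Status.REQUIRED
    if outcomes and all(o is True for o in outcomes):
        return Status.IMPLEMENTED
    return Status.NEEDS_REVIEW

def triage(cms: list, results: dict) -> dict:
    """Group countermeasure ids by status; the REQUIRED group is the ticket list."""
    grouped = {s: [] for s in Status}
    for cm in cms:
        grouped[evaluate(cm, results)].append(cm.cm_id)
    return grouped

if __name__ == "__main__":
    for status, ids in triage(COUNTERMEASURES, SCAN_RESULTS).items():
        print(f"{status.value:>13}: {', '.join(ids) or '-'}")
```

With the constructed data only CM-02 would become a ticket; CM-03 is held back because one of its two checks was never run, which is exactly the case a naive "absent means fine" rule would get wrong.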

Cutting-edge media services for business. info@digitalbulletin.com www.digitalbulletin.com
