Upvest enables businesses to build investment experiences for their end users – seamless, secure, and across international borders.
Upvest’s Chief Security Officer (CSO) Sebastien Jeanquier believes in having the proper data handling controls at Upvest. He and his team work in the highly regulated environment of financial services and are committed to safeguarding their customer data and the personally identifiable information (PII) of their customers’ users.
Upvest needed a solution to stay in line with German financial regulator BaFin and its IT and Security regulations, which emphasize access controls, access reviews, and recertifications. The company also wanted to remain compliant with GDPR and industry standards.
Part of Upvest’s data classification handling standard deals with access controls and securing internal company data and customer information. The company also protects the PII of the end users of its customers: the people using the various banking applications it supports.
To protect access to documents, Upvest tried using other tools and solutions. However, some of these methods were difficult to scale and did not work well for securing documents that were shared externally.
“Google Groups becomes hard to manage with an information classification approach where you might say, ‘restricted documents should never be publicly accessible through a link,’” Jeanquier explained.
Other open-source and commercial tools gave some visibility but were less tailored to the specific use case of auditing and automating access control to Google Drive data. Identifying overshared files was done on a more reactive basis and not as a periodic review.
“That method didn’t scale well, which is where more automated tools fit better,” explained Jeanquier.
This led Upvest to find Nira. Nira gave the company visibility that was instantly easy to understand.
“With Nira, we have access to the information, but it’s presented in a way that is immediately consumable by a human,” Jeanquier said.
The data is readily available to the people who need it. Users can log in, view their documents, and see what files they own that are shared with external parties, like vendors. Then, using Nira, the Upvest team can review, investigate, and fix any access issues with ease.
“With Nira, I can do spot-checks and help out in internal investigations using a more powerful tool.” Sebastien Jeanquier, Chief Security Officer
Automating security is the only way forward
Upvest uses Nira to automate access based on security policies
For Jeanquier, automation is the best path forward. Upvest’s largest use case for Nira is the automated pruning of access based on security policies.
Automation is vital because employees can be strapped for time, explained Jeanquier. Manual reviews are tedious, and the sheer volume of documents, at times numbering in the thousands, or even tens of thousands, for a single employee, increases the difficulty of making sure each one is appropriately shared. This is where automation saves the day, drastically reducing the burden on individuals and ensuring a baseline of adherence to sharing policies.
According to Jeanquier, it only takes a month for a document to be compromised. For example, an email will get forwarded with a file that has a link that’s accessible by anyone on the internet, and the person later forgets the link was in the email, or assumes it was protected. Access needs to be restricted, swiftly and securely.
“Automation is the only way you can protect access to files in a time-efficient manner.” Sebastien Jeanquier, Chief Security Officer
Upvest has implemented several automation and security policies in Nira, Jeanquier says. If a document meets certain criteria, then the tool will take actions like restricting a link that is accessible to the public or changing permissions for a file that has been overshared externally.
Jeanquier compares this automated process to pruning a tree. Over time, the build-up of overly permissive document sharing in the company’s Google Drive must be remediated. This involves assessing access to documents—especially older ones untouched for two or three years—and restricting those no longer relevant. This automated and gradual pruning helps maintain a secure Drive, which aligns with the company’s security policies and sensitivity rules regarding what can be publicly shared.
“We have a strong security-first culture at Upvest, but with the help of the automation and security policies we have implemented in Nira, we can have further peace of mind that any manual mistakes can be avoided.” Sebastien Jeanquier, Chief Security Officer
For these types of sharing issues, automation is the only effective remedy, he maintains.
Nira allows Upvest to configure policies to control document access and ownership based on the company’s needs. Files are protected in an automated way that does not burden the Security team and other Upvest employees, saving them time and resources.
Protecting crucial data from unauthorized access
Nira allows Upvest to secure public links and restrict personal account sharing
According to Jeanquier, Nira is a potent tool for managing external access to crucial data. He can easily secure documents that have been shared publicly or with outside domains, or even accidentally shared with personal email accounts.
For example, Upvest has a policy that doesn’t permit the sharing of company data with personal accounts. Personal account access is particularly risky for organizations. Most companies review document access limited to employees’ corporate accounts but have no way to fully analyze personal accounts.
As a result, personal email accounts can have access to company data for years, increasing the risk of data theft. Using Nira, Upvest can find and restrict documents with personal email account access in mere minutes, and secure hundreds of thousands of files at once.
The company’s overarching goal is to use Nira to keep customer and client PII safe. Upvest safeguards company information, making sure all its partnerships are protected. Pricing, financial data, and confidential company information must be secured.
“It comes down to fundamental data protection around personal information, company secrets, and commercial sensitivity. Nira helps us secure our data, quickly and efficiently.” Sebastien Jeanquier, Chief Security Officer
Democratizing security by empowering employees
Nira’s Employee Security Portal lets Upvest employees secure their data
Upvest has a security-first company culture. The organization believes in giving employees visibility into unauthorized access and sharing issues.
“We’re very much of the mindset that we want to democratize security,” Jeanquier said.
While the Security team comprises subject matter experts, they push responsibility and messaging around security out to “the nodes or the leaves” of the business, according to Jeanquier.
“Everyone is an extension of the Security team. We can push really good initiatives based on our expertise, but everyone else is the eyes and ears of the organization,” he explained.
This means having proactive discussions. For example, engineers may fix security issues without expecting the Security team to get involved and solve them.
“We expect people to be thinking about data hygiene as proactively as possible, removing access to data where people shouldn't have it, both internally and externally. Nira is an essential tool for managing that Google Workspace data.” Sebastien Jeanquier, Chief Security Officer
Upvest has sent out communication about Nira, given employees access to Nira’s Employee Security Portal, and even has a page about the tool in its knowledge base.
“When someone says, ‘I’d like to know what information I’m sharing with so and so, how do I figure this out?’ It’s nice to point them to that knowledge base page,” Jeanquier said. “They can solve their own security issues using Nira.”
Strengthening security policies through automation
For Upvest, Nira gives immediate access to the state of data sharing across the company and the ability to act on it swiftly. Most importantly, Nira lets the Security team automate policies they’ve established for data handling within the organization. Automation optimizes security protocols, ensuring a proactive approach to vulnerabilities.
Nira’s role in securing access to company data helps Upvest protect against unauthorized access, fostering a safe and controlled environment. The democratization of the security process allows employees to be active participants in safeguarding company data.
“Nira actively prunes access for you over time, so you don't have to do anything, and it lets users participate by notifying them when something should be reviewed and changed. Having your user base join in that security process is powerful.” Sebastien Jeanquier, Chief Security Officer