Moloco provides machine learning-powered performance solutions to help companies around the world strengthen their digital strategies to increase growth and return on investment.
With a founding team from Google, Twitter, and Amazon, Moloco is highly tech-driven. The advertising services company uses machine learning to help customers unlock the value of their first-party data.
Moloco wanted to ensure its valuable customer and employee data stayed secure. Especially as the company grew and hired more employees around the world.
“We have employees across the globe – in Europe, Asia, and the United States. Different countries and states like California have laws, rules, and regulations around protecting your employee data,” explained Moloco’s VP and Chief Information Security Officer Rudy Rouhana.
As the company expanded, Rouhana and the team needed to keep Moloco’s valuable intellectual property, company, and fiscal data safe.
We wanted to prioritize securing information like our financial information, future strategies, and employee data.Rudy Rouhana,VP and Chief Information Security Officer
Rouhana and Moloco’s Senior Director of IT Chris Davis joined forces to strengthen the environment around sharing data in solutions like Google Drive. According to Rouhana, IT and Security leaders are not typically day-one hires for companies, and before he and Davis joined, the amount of company information shared externally had built up.
“You can imagine there was an extensive amount of file sharing and utilization that had never had a policy applied to it,” Rouhana said.
As Moloco grew in employee count, it was apparent that sharing documents with everyone could not be the default. Rouhana and Davis knew they wanted to address the risks that came with file sharing, but they didn’t have the resources to tackle it immediately.
“Chris and I put it on our risk register, and we began addressing it as we implemented our ISO 27001 security program to start creating policies around file sharing,” Rouhana explained.
But Rouhana, Davis, and their teams ran into roadblocks with tools on the market.
It was difficult to take care of half a million files that were incorrectly shared with the default tools we had. I would have had to hire several people to do that.Chris Davis,Senior Director of IT
Davis also wanted to kick off a knowledge management initiative to provide employees with an enterprise search solution.
“I wanted to get everybody’s information in front of them, making sure they knew exactly what they had for their job and our different information stores,” Davis said.
Davis identified solutions to execute this initiative, but it soon became clear that those enterprise search tools gave employees unnecessary access to sensitive information, creating even greater risk.
So Davis and Moloco’s Enterprise Applications Leader Eric Lee turned to Nira for help.
With Nira, Davis and the team could strengthen the company’s overall security framework and create initiatives around knowledge management. Without Nira, Moloco would have had to accept potential risks around file sharing.
If we didn’t have Nira, it would create an untenable situation where we would have to risk accept. Or we’d have to hire more people and trade off on other initiatives and support.Chris Davis,Senior Director of IT
Complete visibility and control
Moloco uses Nira to gain visibility, take bulk actions, and reduce risk
Before Nira, Rouhana and Davis needed greater insight into who was sharing what information, especially as employees joined or left Moloco. It was especially vital to understand which outside parties had access to company documents, according to Rouhana.
“New people join, and eventually they leave. No one has any visibility or insight into what kind of access they had. Or access they may still have after they’re gone, Rouhana explained. “And then, more egregious from a security and risk perspective is, who did they share documents with externally?”
Nira allows the Moloco team to effortlessly view and understand their access risks in Google Drive. With Nira, they have targeted visibility as well as a broad, complete overview of their Google Drive environment. What’s more, Nira lets them act on the risks they have identified, providing the ability to make bulk permission changes. Using Nira, they can view and remove external collaborators from Moloco files in just a few clicks.
We are able to easily identify our security posture, get a good picture of it, and then take bulk actions, which is extremely valuable.Chris Davis,Senior Director of IT
With the full visibility Moloco receives from Nira, departments have also begun to reorganize information in a way that reduces risk.
“We’re setting up our folders in Drive to be more secure. Various groups including Legal have done this after Nira made the issue visible,” Rouhana said.
According to Rouhana, Nira enables IT and Security initiatives – such as the folder reorganization – by providing more visibility and control over Moloco’s security environment.
I think security initiatives happen because of things like Nira. You've raised awareness around sharing and how it can quickly be overly permissive.Rudy Rouhana,VP and Chief Information Security Officer
Shrink the attack surface
Nira helps Moloco secure private data from public access
Nira lets Molocco rectify one common risk when it comes to data sharing: reducing public access to documents.
Public links – links that allow anyone on the internet to access a document – are commonly used by most companies; organizations may have tens of thousands, even hundreds of thousands of them. Any employee, vendor, or customer can access these documents. But so can anyone else on the internet. And there’s no access trail of who saw the files.
But there are cases when public links do need to be used for a certain amount of time.
Some files may need to be shared publicly but not in perpetuity. Nira allows us to restrict access as needed.Chris Davis,Senior Director of IT
The idea is to use Nira to reduce Moloco’s attack surface. Being security-focused, Davis and Rouhana wanted to move from a “default allow” to a “default deny” mindset, where they limit sharing if there is no reason for a document to be public.
Using Nira, they were able to swiftly reduce the number of files with public links that had not been modified in two years or longer. They could easily do the same with those that had not been changed in one year.
“I was nervous we would see tons of support tickets from employees when changing 100,000 files at once. But we really didn’t,” Davis said. “Nira’s system worked as it was supposed to.”
For Moloco, taking care of public access is a building block for greater security initiatives down the road.
When we think about our journey for security, Nira has helped us take a huge risk off the table and reduce it.Rudy Rouhana,VP and Chief Information Security Officer
Ensure security is everyone’s responsibility
Moloco empowers employees through Nira’s security portal
For the Moloco team, using Nira is not only about reducing potential risk but “pushing out security responsibility,” according to Rouhana.
Rouhana and Davis say they do not implement security measures “out of thin air.” They want to inform employees about why certain policies should exist.
“Everything can be pointed back toward a risk. In this case, it’s data exfiltration of some of the most confidential data potentially in the company – be it financial documentation, customer information, things related to our product or strategy,” Rouhana explained.
Davis and Rouahana are developing and disseminating policies so end users understand how to safely share documents. Employees also receive access to Nira’s Employee Security Portal.
We put Nira in front of our users and gave them visibility. We wanted to empower our users to have knowledge of their own data.Rudy Rouhana,VP and Chief Information Security Officer
Through the security portal, employees have visibility and control over their documents. This way, they can view who has access to every document they have created. And, then they can remediate any access that is no longer needed.
Davis was also able to work with employees who had higher levels of external sharing, to help educate them about how they share company data. He provided these employees with an access audit using Nira, to allow them to review and change sharing permissions as needed.
“With highly exposed people, I’ve said, ‘You personally have these kinds of files at risk. I’m going to send you an access review, and I want you to review these files. I educate them on changing how they think about sharing data,” Davis said.
Employees do not need technical expertise or advanced training to utilize Nira. Instead, they can easily assist the Moloco IT and Security teams with access control, without wasting valuable time or needing administrative help.
We’ve even received thanks from employees who’ve told us, ‘I really wanted to understand how my data is shared and had no idea, so thank you’.Chris Davis,Senior Director of IT
Strengthen data protection, step by step
The adoption of Nira has helped Moloco enhance the company’s security posture, safeguarding sensitive data. Through Nira, Moloco has successfully reduced external access to documents, effectively shrinking the organization’s attack surface. And Nira’s security portal has empowered employees to actively participate in the security process.
Moloco has established a robust security framework that fosters a culture of data protection and prevents data exfiltration. The company is well-equipped to combat evolving threats and secure its valuable customer, company, and employee information.
There’s never a situation that you would call perfect security, but Nira is moving us forward step by step.Rudy Rouhana,VP and Chief Information Security Officer