In this installment of the Web Setup, we spoke with Brian Masson, Information Security Officer at Wave Apps. Wave provides awesome cloud-based integrated software and tools for small businesses including invoicing, accounting, payroll, and more. Here’s a look into their setup and how they are scaling their business, and keeping their data secure, as technology continues to evolve.
What kind of office setup do you have?
We are a very open office, with a BYOD setup; everyone has their own laptops. We have a few remote workers, but no remote offices. Our Director of Operations Engineering lives in Panama, and our VP of Payments lives in British Columbia. With BYOD it’s really easy, and we also do a lot of working from home.
Before we had the formal protocols we have now, each person kept passwords in their own way; in some cases, that could even mean Post-Its and notebooks. That soon grew into password-protected shared documents, but keeping that safe and up to date was a no-go.
We looked at many different options and Meldium just seemed to really align with what we were looking for in functionality. Now we have over 150 apps in Meldium across many departments – Sales, Marketing, Customer Support, Product Development, Design, and we use it to log in to mail providers, support tools, and much more.
How do you onboard new employees?
When someone starts, we have a change ticket. Our technical administrator goes into Meldium and clicks a button. We make sure they are in the right group, and they automatically have access to all of the things they need to get started. Plus, we make heavy use of Google Apps for Business, and we love that Meldium supports a forced Google login. Once we've created a new employee’s Gmail account, they are in. It really helps us smooth out the onboarding process, so instead of spending a day setting up accounts and recording passwords, we spend that time introducing our culture, our tools, and the team.
How do you choose new applications or tools?
Our process for choosing new technology is constantly evolving. As a company where everyone is so passionate about technology, somebody will always find the latest, hottest, whatever – and we generally do a proof of concept to see if teams will buy into the new tool.
What are some of the pain points of a growing number of tools?
There was a period where we were quite siloed and it was difficult to get a clear picture on who was using what applications, who had the credentials, who owned them, etc. We’d have scenarios where employees would spend half a day trying to find who owned the account to reset the credentials. It was a nightmare. With Meldium, we have a single portal where we can see who owns it, and we don’t even need the credentials, so it reduces response time.
How do you stay ahead from a security perspective?
It's very important to trust the people you work with, but trust isn't a valid security control. The idea of least privilege is important - it helps protect everyone from both malicious actions and mistakes.
I don’t want to wake up in the morning and see that Wave’s Twitter account was taken over. We know some passwords could be brute forced, so we look for single sign-on integrations and integrations with multi-factor authentication – those are critical.
Even though you don’t have remote offices, how do you manage remote work?
Identity and access management is the most critical thing to working remotely. If I need to reset a password, I can’t just walk over and ensure a person is who they say they are.
We use Jira and HipChat heavily for communication, and Meldium is our portal to share access securely. Together they facilitate remote working for us. Meldium requires that our users are able to access their primary account, and allows us to grant/revoke access to services without ever sharing actual credentials.
For me, I’ve been with Wave since we were at 10 employees; we’re constantly evaluating new technology and strategy to stay ahead. At Wave, we value the trust of our customers and are committed to privacy and security. Passwords are one small, but important, piece in the security puzzle, but for growing businesses looking to scale, continuing to stay on the forefront of identity and access management is critical.
Brian Masson, Information Security Officer, Wave Apps: Brian formerly led the QA team at Wave and now leads the Information Security team. To keep his technical skills sharp, he also helps with Wave’s OpsEng/DevOps team. Motorcycles, wine (making AND drinking), books and cooking fill his spare time.