Project Xero: Agile Security in the Cloud

Additional Info

Job title of nominated professional (or team name): Lead Security Architect & Cloud Security Product Owner at Xero
Company (where nominated professional or team is working): Xero
Website: https://www.xero.com/us/
Company size (employees): 1,000 to 4,999
Country: New Zealand

Overview

Xero, a cloud accounting platform for accountants and small businesses, recently completed a successful transition to a full DevSecOps environment through Project Xero: Agile Security in the Cloud. The team had to create a security mindset among developers while providing security tools that matched the pace of agile development.
Xero’s security team was the last stop before deploying new product innovations, often slowing deployment in order to secure new releases. As part of this project, the team used new technologies, best practices and a DevSecOps approach to replace the gates and gauntlets with guardrails and guidelines to accelerate innovation while maintaining security. Now, Xero developers are able to securely leverage cloud infrastructure and agile development without slowing innovation. Xero developers released more than 1400 new product features and updates in the last 12 months and will exceed this number in the next year.
Becoming agile and secure in the cloud was critical to Xero, largely because its cloud-based software protects the sensitive financial data of more than 700,000 global subscribers. In order to move on the project and continuously iterate and deploy new products and solutions, Xero enlisted its security teams, calling them “security as a service,” whereby they would operate as a supplier within Xero’s walls.
To achieve “security on-demand,” Xero deployed cloud-based technology, including CloudPassage Halo, to ensure its security posture did not remain static. Xero also worked closely with other leading enterprise security vendors to build scalable commercial and technical models to allow for on-demand security systems.
By deploying CloudPassage Halo, Xero was able to quickly allow its security teams to focus more effort on proactive defenses and innovation to protect its customers. CloudPassage Halo has given Xero cloud server visibility within seconds of deployment, speed via automated processes baked in from day one, and compliance via automation.

Accomplishments

The deployment of a code-driven security infrastructure to allow for the repeatable and automated build and management of security systems.
The Xero migration to the public cloud has presented new security scenarios, and in turn has presented the opportunity for the Xero product team to operate at an even more accelerated pace. Our “Security as a Service” model makes us responsible for the security of the core Xero platform, but also allows us to enable the business to do what it needs to in a timely manner. Our goal is to help the product teams at Xero improve their security posture, deliver faster and reduce cost.
The Xero product teams want to pay for what they use rather than their peak usage. This aligns with our goal to support the next wave of growth by building a more agile, responsive infrastructure, an infrastructure where we can scale up and scale down depending on market demands. To do this we worked closely with Amazon Web Services and other enterprise security vendors to build a partnering model that allowed