CISO Focus: How Centreon secures its SaaS solutions
Centreon offers, among other products, user experience monitoring delivered as SaaS. Operating a product that way brings its own security requirements.

“At Centreon, the cybersecurity activity is organized around three main pillars. First of all, there is the security of the company itself, which is thought of in a fairly traditional way, with a CISO who is responsible for the security of the information system, but also for the physical security of our premises, for example,” explains Vincent Untz, who recently joined Centreon as technical director.

The second pillar, also a classic concern for a software company, is the security of its products, and therefore by extension of the code produced by its developers. “The CISO is also involved in this aspect, but this notably involves training developers and making them aware of the most common flaws and errors,” continues the CTO.

Among the risks the teams fear: the use of a dependency containing a flaw or malicious code. To protect against this, Centreon can count on a team entirely dedicated to security monitoring: “We have several developers responsible for these subjects. They will indeed keep themselves informed, but also use code or dependency analysis tools in order to identify potentially malicious or vulnerable modules,” summarizes Vincent Untz, who acknowledges that this approach is easier given the small number of products Centreon has to maintain.
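The dependency analysis the CTO describes is, at its core, a match of each pinned dependency against a list of advisories that carry affected version ranges. The script below is an added example written for this article, not Centreon's tooling: it parses a pinned requirements file, compares each version against an OSV-style advisory list, and also flags unpinned dependencies, since a dependency whose version is not fixed cannot be audited reproducibly. All package names, versions and advisories are constructed for the example and correspond to no real project.

```python
"""Added example (not Centreon's own tooling): a minimal dependency audit.

It parses 'name==version' pins, matches them against advisories with
[introduced, fixed) version ranges, and flags unpinned dependencies.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: tuple  # first affected version (inclusive)
    fixed: tuple       # first fixed version (exclusive)
    summary: str


def parse_version(text):
    """Turn '1.4.2' into (1, 4, 2); a suffix like '2rc1' keeps only the digits."""
    parts = []
    for seg in text.strip().split("."):
        digits = ""
        for ch in seg:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def parse_requirements(text):
    """Map package name -> version tuple, or None when the line is unpinned."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "==" not in line:
            pins[line.lower()] = None  # unpinned: flagged later by audit()
            continue
        name, version = line.split("==", 1)
        pins[name.strip().lower()] = parse_version(version)
    return pins


def is_affected(version, adv):
    """Tuples compare lexicographically, so (1, 4, 2) < (1, 4, 3) works as expected."""
    return adv.introduced <= version < adv.fixed


def audit(requirements_text, advisories):
    """Return (package, version-or-'unpinned', summary) for every finding."""
    findings = []
    for name, version in parse_requirements(requirements_text).items():
        if version is None:
            findings.append((name, "unpinned", "no pinned version; audit impossible"))
            continue
        for adv in advisories:
            if adv.package == name and is_affected(version, adv):
                findings.append((name, ".".join(map(str, version)), adv.summary))
    return findings


# Constructed advisory feed; the packages and flaws are fictitious.
ADVISORIES = [
    Advisory("netparse", (1, 0, 0), (1, 4, 3), "header parsing flaw (constructed)"),
    Advisory("tmplengine", (2, 0, 0), (2, 1, 0), "malicious release (constructed)"),
]

# Constructed requirements file: one vulnerable pin, one fixed pin, one unpinned line.
REQUIREMENTS = """
netparse==1.4.2       # affected: 1.0.0 <= 1.4.2 < 1.4.3
tmplengine==2.1.0     # not affected: 2.1.0 is the first fixed release
yamlish==0.9.1        # no advisory
colourlog             # unpinned, cannot be audited
"""

if __name__ == "__main__":
    for finding in audit(REQUIREMENTS, ADVISORIES):
        print("%s %s: %s" % finding)
```

In practice the advisory list would come from a real feed (OSV, GitHub Advisory Database, the ecosystem's own audit tool) and the requirements from a lock file with hashes, but the matching logic stays the same; the point of flagging unpinned lines is that a floating version can silently pull in the malicious release the CTO worries about.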

New activities, new responsibilities

There remains a third pillar to take into account, and this one is relatively new for the company: the security of the customers of its SaaS solution, launched two years ago.

“There we become responsible for an infrastructure used by third parties, and which hosts their data. So it is not personal data, but it is data which can still be strategic for our clients.” To avoid having to manage data centers and physical servers itself, Centreon chose to host its solution on AWS, a provider it considers “sufficiently solid” on these subjects.

“But we are responsible for securing what we do on this infrastructure.” The CISO is also involved in securing this perimeter: “He needs to be involved in this area anyway, but we also rely on a team specialized in operating the solution and which has the skills to secure it. It’s a different job from development, but in the end, the developers, the CISO and this team must work together.”

The race for certifications

Another new element that came with the SaaS offer is the race for certifications. It is a major project for the company, which says it has already obtained a first certification of its cloud architecture from AWS. “But the big project in progress for us is obtaining ISO 27001 certification, which we have been working on since we launched our SaaS solution.”

ISO/IEC 27001 is the well-known international standard that specifies the requirements for an information security management system (ISMS); the accompanying ISO/IEC 27002 describes the controls. Certification requires both technical and organizational effort, “but these are things that our customers come to ask us, and that’s normal, it also reassures them. We’re working to get it.”

In terms of cybersecurity, Centreon made headlines in 2021 following a publication by ANSSI, the French national cybersecurity agency, which reported the use of vulnerable Centreon servers by a well-known malicious group. It is hard to blame the company here: the servers in question were running unsupported open source versions of the software it publishes. Vincent Untz was not yet at Centreon at the time of the incident, but he believes the warning shot did not go unnoticed. “It went well overall, but it left its mark. It was an example for the management at the time of the importance of security and the need to invest in these subjects.”