Client story DroneDeploy goes the extra mile for enterprise-grade security with Google Cloud and SADA

Business challenge

One primary business driver for DroneDeploy was the need for third-party security benchmarks. In the security world, it’s crucial to show tangible evidence of strong practices. Internal assessments, while valuable, can lack the objectivity and external validation that third-party evaluations provide. 

These benchmarks enable DroneDeploy to identify areas of strength, compare itself to industry peers, and gain insights into potential areas for improvement. This external validation helps secure executive buy-in and resources for security initiatives.

Moving beyond qualitative assessments

DroneDeploy wanted to obtain more granular information about their attack surface. They also wanted to identify areas for technical improvement and validate the procedures and protocols they already follow.

“We wanted to move beyond qualitative assessments and obtain quantitative insights,” says Ashutosh Agrawal, Senior Director of Risk & Compliance at DroneDeploy. “DroneDeploy needs to drill down on our cloud security posture, especially within the Google Cloud environment.”

They sought validation that their existing security measures were not only robust but also aligned with industry best practices. DroneDeploy aimed to ensure they were meeting internal standards and exceeding customer expectations for protecting their data.

Staying ahead of emerging threats

DroneDeploy already had a strong sense of their security operations maturity level, always using the latest technology provided by Google Cloud. They understood the importance of continuous improvement and staying ahead of emerging threats in the ever-evolving security landscape.

“We punch well above our weight, but there’s a security maturity journey that all companies are on,” says Joseph Mente, Senior Director of DevOps, Security, and IT Ops at DroneDeploy. “Our maturity is quite strong. It’s all about right-sizing our security investments based on customer needs and expectations, so we aim to have enterprise-grade security. We’re always on the cutting edge of how to secure our customers’ data and our internal data.”

DroneDeploy had existing visibility into its Google Cloud security posture through various tools, including Google Cloud’s Security Command Center and third-party solutions. They addressed key risk areas such as data exfiltration, data loss prevention, misconfigurations, email phishing protection, and vulnerability exploitation. 

Self-assessing security and compliance requirements

DroneDeploy consistently prioritizes robust security, regularly self-assessing their posture. 

Driven by a sophisticated understanding of the digital threat landscape, DroneDeploy cultivates their security posture within Google Cloud by diligently integrating insights from leading industry reports by organizations like Google Cloud and Verizon. Their objective is to continuously refine their security strategy and enhance their control settings against the most pressing threats. 

They also have compliance requirements, including SOC 2, GDPR, and ISO 27001. While they were already meeting these obligations, they needed supplementary evidence for their customers. “Some larger customers require finer details about cloud security controls,” says Ashutosh Agrawal. “We could do this by sharing the opinion of external auditors.”

Solution

To underscore their commitment to elevating their already strong defenses, DroneDeploy engaged SADA, An Insight company, for an independent, deep-dive Cloud Security Confidence Assessment. Driven by a dedication to the defense-in-depth principle and a layered security approach, DroneDeploy sought SADA’s expertise to validate their internal assessments and identify opportunities for further technical refinement. This positive approach highlights their pursuit of the highest possible security standards.

“Even with our rigorous internal self-assessments, seeking an independent review from SADA was a strategic decision to gain external validation and identify avenues for advanced security optimization,” says Mente. “Our working relationship with SADA symbolizes DroneDeploy’s proactive commitment to maintaining a world-class security framework.”

The threat-hunting process used by SADA involved analyzing data sources within DroneDeploy’s domain, including direct access to their cloud environments, audit logs, regular logging of services, and responses to questions. This white-box approach differs from a pen test but provides more valuable insights.

Long-standing, multi-year relationship with SADA

As their trusted Google Cloud solution provider, SADA had a long-standing, multi-year relationship with DroneDeploy. This established collaboration and SADA’s expertise in Google Cloud made them an ideal choice to conduct a 10-point security assessment.  

What appealed most to DroneDeploy about the security assessment was its completeness. A thorough review of all aspects of their environment was highly valuable. 

“The comprehensiveness of the SADA security assessment ensured that no stone was left unturned and that all potential vulnerabilities were identified,” says Ashutosh Agrawal. “SADA’s alignment with industry benchmarks and best practices, such as the Cloud Security Alliance and the Center for Internet Security Benchmarks, was critical. This alignment also helps educate executives and build confidence in DroneDeploy’s security posture compared to our peers.”

Focusing on critical security areas

During the assessment, SADA focused on critical areas, including Identity and Access Management (IAM), incident response, continuity management, observability, and detective controls. DroneDeploy showed SADA all their policies and procedures for access management, logging and monitoring, incident management, vulnerability management, and infrastructure security. 

IAM stood out as a particular area of focus, with detailed reviews of configurations. “Based on the latest reports, misconfiguration is one of the top three attack vectors now with cloud-native solutions,” says Mente. “Having SADA especially focused on that and leveraging their specific expertise with Google Cloud was incredibly helpful.”

DroneDeploy reported no major roadblocks during the assessment, indicating a smooth and systematized process. This positive experience was largely due to SADA’s expertise and established methodologies.

Impact

As a result of the SADA Cloud Security Confidence Assessment, DroneDeploy achieved the highest security score among all companies assessed by SADA up to that time – a testament to their robust security posture. SADA’s comprehensive assessment utilized a rigorous scoring methodology, provided a unique point-in-time metric, and a nuanced understanding of how DroneDeploy’s security measures effectively protected customer data and positioned them against their peers.

To provide more context, SADA’s assessment approach, utilizing a bronze, silver, gold, and platinum rating scale, proved insightful. This detailed scoring system effectively positioned DroneDeploy’s robust security position relative to their industry peers.

Providing actionable security recommendations

Beyond the overall scoring, SADA provided specific, actionable recommendations, including opportunities for low-hanging fruit. “While some of these quick wins had already been identified internally by the DroneDeploy security team, SADA’s independent confirmation provided significant validation and reinforced our strategic priorities,” says Mente. “For example, SADA’s recommendation to clarify ‘break glass’ procedures for exceptional circumstances strengthened an already well-defined process.” 

Other areas identified for improvement presented unexpected, valuable avenues for continuous enhancement, further solidifying DroneDeploy’s commitment to cutting-edge security.

Providing granular insights, SADA’s assessment helped DroneDeploy identify opportunities to further optimize their cloud security posture, including enhancements to service account permissions, storage bucket access controls, and firewall configurations. “These security refinements were all swiftly addressed, underscoring DroneDeploy’s commitment to keep a clean house and reduce unnecessary noise in assessments,” says Mente.

Strengthening internal security documentation

SADA’s engagement also facilitated valuable knowledge transfer, significantly enhancing DroneDeploy’s internal security capabilities. The independent validation from the detailed report also serves as a critical asset, strengthening their internal documentation and providing clear justification for resource allocation and strategic security prioritization.

The report categorized findings by severity and effort to remediate, which helped DroneDeploy prioritize follow-up actions. The categorization largely confirmed their understanding of their biggest opportunities and helped validate their internal product priorities for security. 

Achieving key benefits

Overall, the security assessment significantly strengthened DroneDeploy’s enterprise-grade security posture. The engagement with SADA provided critical insights and validation, empowering DroneDeploy to continually enhance their robust security framework. Key outcomes and benefits include:

• Strategic security optimization: The assessment led to prioritized initiatives, swift house cleaning, and refined cloud security.
• Enhanced customer assurance and compliance validation: DroneDeploy gained supplementary evidence for compliance, boosting customer trust and validating existing adherence to industry standards and best practices.
• Accelerated security maturity: SADA’s knowledge transfer empowered DroneDeploy’s team, fostering continuous adaptation to threats.
• Objective benchmarking and executive alignment: The security assessment provided crucial metrics for measuring effectiveness and securing executive buy-in for future security investments.