Agile security in the cloud: Lessons from Xero

Our teams work as ‘security as a service’... We need to be able to continuously iterate and deploy.

Protecting the sensitive financial data of more than 700,000 global subscribers is one of the most important jobs at Xero. Just as the move to cloud technology has completely disrupted the way small business owners and accountants work, it’s transformed the way we protect them.

Migrating to the Amazon Web Services (AWS) environment will again lift the sheer pace of innovation at Xero.

In the past 12 months, we’ve released more than 1200 new product features and updates. With the plug-and-play machine learning and automation tools available in the AWS environment, we have the opportunity to step up the level of innovation and take full advantage of this new cloud world. Yet fundamental to the success of our platform is tight, agile security.


Accelerated innovation also means organisational governance and security teams need to lift their pace and quality of service, something the agile security ethos enables teams to do.

At Xero, our security teams work as “security as a service”. We operate as a supplier within Xero’s walls. We have rapid response teams running 24x7, product security teams, all of which need to be on the same trajectory as the rest of the organisation. We need to be able to continuously iterate and deploy.

To build an always-on, always-shipping culture in our security teams, we operate on three basic principles.

API-driven security

Traditionally, security systems were managed by people logging into a console. Taking the human element out of the process helps establish a continuous integration methodology: you define something once and repeat it over and over again. That gives you consistency of delivery, and if you need to adjust a security policy, you change it once, eliminating inconsistency in the system and unnecessary outages.
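As an added illustration of the "define it once, repeat it" idea (example code, not Xero's own), the desired ingress policy for an AWS security group lives in code and a reconciler computes only the changes needed, so re-running it is a no-op. The AWS API is replaced by an in-memory FakeSecurityGroup, an assumption made so the example runs offline; a real implementation would issue the equivalent boto3 authorize/revoke calls in the same places.

```python
"""Desired-state reconciliation of a security group's ingress rules.
Added example, not Xero's code. AWS calls are replaced by an in-memory
FakeSecurityGroup (an assumption) so it runs offline."""
from typing import Iterable, Set, Tuple

# A rule is normalised to a hashable tuple so set arithmetic works.
Rule = Tuple[str, int, int, str]  # (protocol, from_port, to_port, cidr)

def normalise(rule: dict) -> Rule:
    """Canonical form so 'TCP'/'22'/'10.0.0.0/8 ' equals 'tcp'/22/'10.0.0.0/8'."""
    return (rule["protocol"].lower(), int(rule["from_port"]),
            int(rule["to_port"]), rule["cidr"].strip())

class FakeSecurityGroup:
    """Stand-in for an AWS security group (constructed for this example)."""
    def __init__(self, rules: Iterable[dict]):
        self.rules: Set[Rule] = {normalise(r) for r in rules}

    def authorize(self, rule: Rule) -> None:  # would be an API call
        self.rules.add(rule)

    def revoke(self, rule: Rule) -> None:     # would be an API call
        self.rules.discard(rule)

def plan(desired: Iterable[dict], current: Set[Rule]) -> Tuple[Set[Rule], Set[Rule]]:
    """Return (to_add, to_remove): the minimal change set, nothing else."""
    want = {normalise(r) for r in desired}
    return want - current, current - want

def apply(sg: FakeSecurityGroup, desired: Iterable[dict]) -> Tuple[int, int]:
    """Drive the group to the desired state; returns (added, removed)."""
    to_add, to_remove = plan(desired, sg.rules)
    for r in to_remove:  # close drift first, then add what is missing
        sg.revoke(r)
    for r in to_add:
        sg.authorize(r)
    return len(to_add), len(to_remove)

# Constructed sample: the policy in code vs a group that has drifted.
DESIRED = [
    {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    {"protocol": "TCP", "from_port": "22", "to_port": "22", "cidr": "10.0.0.0/8 "},
]
DRIFTED = [
    {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},
]
```

Running `apply(FakeSecurityGroup(DRIFTED), DESIRED)` returns (1, 1) the first time and (0, 0) on every repeat, which is the consistency the paragraph describes.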

Security at speed

Security and speed are not mutually exclusive. If a security team isn’t agile, it can block the pace of the organisation. Previously, security was about having gates, but under the agile method we use guardrails so our developers stay on the road, rather than having to stop at a gate.

Fast response times are imperative to keep a tech company pushing ahead. We continuously measure, test and monitor everything. It helps us iterate on-the-fly.

Security on-demand

Being able to scale infrastructure up and down as you need it is critical for cloud organisations. In the past, security was a static part of a business. It was slow moving.

In the new tech world, we need security infrastructure to work at scale, adjusting to the peaks and troughs of customer usage across multiple timezones around the globe. Dynamic computing means the choice between being fast and being secure no longer exists: now you can be both.

By operating in an agile environment, security professionals are improving data protection, eliminating downtime, and transitioning what was once seen as a hurdle in a business to a function that runs alongside every other function.


Aaron McKeown is lead security architect at Xero.


Copyright © 2016 IDG Communications, Inc.
