How Coda keeps your data secure

An interview with Bala Neerumalla, Head of Information Security at Coda.

Building trust with customers is crucial for software companies to establish and maintain successful relationships. Building trust requires consistent efforts and a demonstrated commitment to security. Few know this better than Bala Neerumalla, who leads the security engineering team at Coda. Bala was one of the engineers who handled the SQL Slammer incident that brought down the internet back in 2003. The silver lining is that this prompted a sea change for Microsoft products: all development of the next version of SQL Server was paused, and everyone shifted their focus to improving the security of the product. This incident was hugely influential, and informs Bala’s approach to security protocols to this day. “As the saying goes, it takes a lifetime to build a reputation and five minutes to ruin it,” says Bala. Beth McGrath, our Head of Product Marketing, had a wide-ranging discussion with Bala: the security pillars that guide his team, his favorite accomplishments from 2023, what he loves about using Coda, and more.

Coda's approach to enterprise-grade security

What are Coda’s security pillars?

Security in cloud services is a shared responsibility between customers and cloud providers. For customers, we provide product security features to securely manage their Coda docs. Customers can leverage these features to protect their users and docs on Coda. Coda is responsible for securely building and operating our service. This consists of two pillars:
  • Application security contains internal processes, tooling, and practices to continuously design and develop secure software.
  • Service security refers to the internal controls and practices to securely operate the service.
Together, product security, application security, and service security form the three core pillars of Coda’s security.

What are the most interesting things Coda's security engineering team worked on in 2023?

1. Sharing Coda docs with SCIM groups or Google groups. IT teams are responsible for managing permissions of thousands of employees across many applications. Recognizing that IT teams often rely on SCIM groups or Google Groups for managing permissions, Coda has invested in enabling the sharing of Coda docs with these groups. With this feature, teams can easily share documents with the relevant SCIM groups or Google groups, eliminating the need to individually manage access for each user. When employees join a new team or transition within the organization, IT admins can simply modify their group membership in their existing Identity Provider tools such as Okta, Google, or Azure AD. As a result, based on their new responsibilities, these users will automatically gain access to the Coda docs that are accessible to their new team groups.

2. Pack controls. Coda is used as a single source of truth by many teams. This is made possible through the use of Coda Packs. Last year, we introduced Pack controls. These controls allow enterprise administrators to configure integrations based on their organization’s unique security requirements. With Pack controls, IT admins have granular control over data access. They can specify which data can be imported from other services, determine who has permission to import the data, and control who can view the imported data. By employing Pack controls, teams can ensure that only authorized individuals—those who have direct access to the data through the remote service—are allowed to access that data within Coda docs.

3. Security controls. Enterprises often have unique policies and security requirements. Coda has developed a comprehensive set of security controls to cater to the needs of enterprises, including highly regulated companies. One notable security feature offered by Coda is the ability to lock customers’ Coda configuration to closely mimic an on-premises deployment. This, along with many security controls, provides customers with a level of control and security that aligns with their specific requirements.

How does Coda's security engineering team use Coda?

We use Coda for a wide variety of purposes, including team hubs and wikis. One significant application of Coda within a security team is the creation of a CISO dashboard. Security teams typically have multiple sources of critical security information. We have security defects reported by external security researchers through the HackerOne Bug Bounty Program, internally found security defects and missing security patches stored in Coda docs, security alerts in OpsGenie, and others. We built a CISO dashboard by pulling in data from multiple sources. This dashboard provides a centralized view of the relevant security metrics and insights, helping the team effectively monitor and address security concerns.

Keeping your data secure with Coda.

Coda remains committed to prioritizing the security of its platform by continuously investing in application security and service security to ensure the highest level of protection at our service layer. The following resources will assist IT admins in securing their data in Coda and show how they can use Coda within their IT teams.
