Automic Group is taking a multi-pronged approach to its information security, using a mix of tooling, testing and weekly security improvements to its ecosystem to address key risks.
Marcelo Dantas
Chief information officer Marcelo Dantas told the iTnews Podcast that “if one week goes by and I don’t make a security improvement in our ecosystem, I start to get itchy.”
“Even if it’s a small change every week, you need to consider what you can do to make your ecosystem more secure,” Dantas said.
Information security and compliance is a key pillar of the Australian share registry and professional services provider’s technology strategy and operational approach.
The company’s cloud-native registry software is used by 750 of the 2300 trading companies on the ASX. This grew by 180 companies in March, which migrated to Automic over a single weekend.
“As a registry provider, we host a very large volume of personally identifiable data,” Dantas said.
“We host millions of records of investors and tens of millions of transactions related to those investors.”
The broad attack surface meant Automic faced threats from “a range of different angles”.
“We’ve got people trying to attack our infrastructure. We also see different types of vulnerability scanning and brute force attempts through our logs, and quite regularly get the standard phishing campaigns with people trying to trick our employees into doing the wrong things,” Dantas said.
The company has so far deployed a range of security tooling into its ecosystem, from endpoint protection, vulnerability scanning and antivirus, to cloud access security broker (CASB) tools.
Dantas sees information security remaining “a very large challenge for years to come”.
“The battle against the bad actors just keeps getting harder and harder,” he said.
“The tools they have at their disposal are becoming smarter, so it’s always important to be at the forefront in trying to anticipate what the adversaries are trying to do.”
He is maintaining a close watch on how threat actors may be able to avail themselves of AI software as part of their activities.
“An area which excites and frightens me at the same time is the impact of AI on information security,” Dantas said.
“As a tool, AI is very powerful to us, but it’s also very powerful to our adversaries as well. So they would be using those tools for evil and we’ll have to use [AI-enabled] tools to help defend our customers and ourselves.”
IT strategy
At a high level, Automic Group’s IT strategy is aligned with two of the group’s core values: customer success and team value.
“It’s important that everything we continue building with our platform or any security control that we implement is done with the best intentions to service our customers, giving them a better user experience, better insights, and a system that will be available when they need it, that is reliable, and that can scale when it needs to,” Dantas said.
“On the team value aspect, it’s about continuously focusing on automation and operation efficiency. It’s important for the [Automic] team to be happy so that they are efficient and they spend their time doing tasks that are valuable and exciting for them.
“The more that we can reduce the manual work and give them a more efficient way to do their day-to-day challenges, the happier the team is, and that will make our customers happy, so it’s a nice little cycle.”
Dantas sees AI as a potential way to facilitate greater operational efficiency for teams. As one example, the company is trialling Amazon CodeWhisperer, one of several so-called ‘pair programming’ tools that have emerged this year targeting software development efficiency.
He also said that continuous improvement is a feature of the technology strategy but also the mindset at Automic.
“Technology moves at a very fast pace,” he said.
“Over the last 22 years, I’ve worked on maybe 35 different types of architecture, and since I started my journey at Automic [nine years ago], we’ve changed the application architecture multiple times.
“We’re just about to undergo another massive change to completely shift into 100 percent infrastructure-as-code, changing the way that we deploy our application.”
Aside from efficiency, one of the drivers for continuous improvement is a desire by Dantas to be able to look back favourably on past architectural decisions.
“Ten years from now, when you look back, are you proud of the architecture that you have? The only way to continuously say yes to that question is to continue innovating. When a new service emerges that you need to be aware of, finding when the appropriate time is to incorporate that in your ecosystem.”
Another intended outcome of the strategy is to “shorten the gap” between software development and the release of new features and functionality for customers.
“We do monthly production] releases, which is a quite fast pace,” Dantas said, adding the company’s ability to do so meant “always working with all the stakeholders so that they’ve got visibility of what the change is, so that they’re ready to start leveraging it.”
Mass migration
In March this year, Dantas’ team performed what it said is “one of the largest-ever registry services transitions in Australia”.
Automic acquired Advanced Share Registry late last year and migrated the latter’s 180 companies onto its own share registry platform “in a single weekend”.
The migration was possible due to a range of factors, from the scalability of the company’s cloud-native platform, to a large-scale and detailed planning effort, and effectively two ‘dry-runs’ to ensure that the entire migration would go smoothly.
Dantas said Automic had built up experience in migrating company share registries over the past nine years, including data preparation, cleaning and reconciliation such that it could be ported across.
“This is a process that we’re very familiar with,” he said. “We have done that almost every weekend for as long as I can remember over the past nine years.”
The challenge was doing that process for 180 companies over the one weekend.
Dantas said that “tens of thousands of inconsistencies” in the data from Advanced Share Registry had to be corrected before it could be migrated across.
“It was a pretty large effort,” he said.
Once prepared, the data was loaded into a test system to build confidence that it would work in production. Considerable planning also went into resource utilisation and ensuring that the work could be completed with available staff and automation scripts within the time window.
“After we had all that place, we had a pretty good chance to succeed, but that’s still not enough in my opinion. You have to be certain, so we’ve done all of that one more time,” Dantas said.
“This meant that, once we walked in on Saturday, we were pretty comfortable that we knew how long it was going to take. We knew that the data was under control and we knew that we had enough people to make the transition successful.
“We started the process around half past midnight and by five o’clock in the afternoon [on the Sunday], everything was signed off. We had over tens of millions of transactions imported, and more than 1.5 million investors’ data in our system.
“There was a lot of planning, a lot of testing, a lot of preparation, but it was a pretty good outcome in the end.”