Security is paramount for Human API because their platform places a consumer at the center of managing their healthcare data and sharing their health data with doctors, labs, pharmacies, and other health care businesses.
Traditional assessments are point-in-time and, as a software company using Agile and DevOps methodologies, Human API understands very well that “security has to be a continuous process,” adds Bell.
The business challenge for Human API is how to deliver the highest levels of security with their limited security resources, while meeting customer expectations around legacy testing approaches.
Why CyCognito?
“We chose CyCognito because it delivers a continuous approach and focuses us on the critical security issues most likely to take place,” says Bell.
CyCognito not only helps Human API understand where they are potentially exposed, but also provides them with an attack surface map showing which assets and critical attack vectors are exposed. The clear prioritization and identification of risks by the CyCognito platform helps the security operations team be more efficient and get a greater return on investment from their security efforts.
“The CyCognito platform helps us efficiently monitor security. There are thousands of threats out there; even an army of security staff can’t address them all. CyCognito helps us focus our efforts on what’s critical,” says Bell.
Results
CyCognito platform benefits for Human API to date include:
- Continuous security assessment
- Visibility to previously unknown threats
- Helping the team quickly identify, prioritize and remediate critical risks
- Prioritization of critical risks to be addressed
- Validation that security controls are operating as expected
- Information to help focus penetration testing
- Data to support the business case for additional resources
One of the ways that Human API uses CyCognito is to validate security controls, configurations and third-party partners. The Human API IT ecosystem is cloud-based, and one of the benefits of today’s virtualized infrastructure is that a lot of security is built-in by default. But the model is also one of shared security responsibilities, and the enterprise owns proper configuration. “In these environments, dealing with a mountain of configurations is challenging, and misconfigurations can be a primary source of vulnerability,” says Bell.
The CyCognito platform provides Human API with new insights, identifying risks not previously known or examined, including risks with third-party partners. Those findings have helped facilitate conversations with third-party providers about the security of their interactions.
“The CyCognito platform helps my team be more efficient because we are working from our threats to the specific assets,” says Bell. “It delivers a first line of understanding of what needs to be considered and evaluated and possibly mitigated and/or remediated. Otherwise, we could be chasing corner cases all day.”
“The CyCognito platform helps me figure out how to distill an overwhelming amount of information and determine what is a risk for our business.”
Megan Bell
Chief Privacy and Security Officer
Another use case for CyCognito at Human API is to set the context for penetration testing, which improves the benefit and quality of penetration testing. Bell notes, “There are thousands of risks and threat vectors for any organization small or large, and the challenge is to know what’s most likely to be targeted.” Penetration tests don’t give you that. And they don’t provide the continuous view needed for security operations; they provide a point-in-time snapshot. According to Bell, the question becomes, “How does one tailor a pen test? You cannot reasonably cover everything. Using CyCognito to understand the risks that are present informs how to scope a pen test and even select the methodologies.”
And Bell says that the clear identification of risks and priorities helps her justify requests for additional resources. “The information CyCognito provides helps us prioritize our investments,” Bell says, “and that’s always a good thing.”