Developing security-by-design across the Zoho application suite

Zoho Security by Design

An Intellyx BrainBlog by Jason English

Delivering secure application services free from exposed vulnerabilities—without imposing overbearing authentication controls that frustrate users, or draconian code review requirements that inhibit developer innovation—is a challenge as old as the internet itself. 

Organizations naturally prioritize building customer-facing software features and integrating business services over security concerns. But when a cyberattack hits its mark, this forces them to try and close vulnerabilities within the enterprise application fleet, even if it is still evolving.

Zoho’s recent announcement of an Integrated Security-Solutions Stack at their annual Zoholics customer summit signaled a novel approach to securing their own fleet of more than fifty discrete but integrated applications with a common security-by-design approach, spanning from access controls and threat detection all the way down to data protection and code.

Zoho’s stack includes a privacy-first browser (Ulaa), an identity and access management (IAM) platform (Directory), multi-factor authentication (OneAuth), as well as secure password management (Vault).

Unfortunately, most long-running businesses aren’t in a position to build such a stack, much less suddenly shift DevOps teams to a security-by-design practice, because of the need to manage ongoing digital services while securing software architectures that were designed elsewhere. Still, there are some interesting ideals which any development shop can take away from Zoho’s approach.

Eliminating access barriers

Passwords and two-factor authentication are still par for the course in most online applications today, but they can only go so far when users must constantly change and write down passwords to remember them, and when phone numbers and email accounts can be spoofed.

Millions of active daily users within the Zoho One platform already notice a common single sign-on (SSO) for apps such as Zoho CRM and Creator, with the option to apply enhanced multi-factor authentication (MFA) through OneAuth.

For other commonly entrenched authentication and authorization regimes in use today, such as Microsoft Active Directory or Okta, Zoho can overlay this SSO with their Zoho Directory IAM management platform. This reduces login hassles for users of other SaaS suites such as Salesforce or Microsoft Office while allowing the end customer enterprise to mix and match their teams’ productivity tools.

Ingraining data privacy as corporate policy

As an end user of several CRM and social marketing tools as a marketer over the last 25 years or so, I always assumed my lead and contact data was generally secure. Then, I started realizing just how often I was a target of remarketing advertising campaigns myself, as well as being offered huge email lists of users from virtually everyone else’s event registration databases.

Unauthorized contact sharing should never happen in today’s post-GDPR world, where data privacy and sovereignty are paramount. But all too often, assurances are much easier said than done, as major network and application aggregators hide the means to commercialize their user data within lengthy terms of service agreements.

In every interaction with Zoho I’ve experienced over the last few years, data privacy has been a consistent theme, and thanks to their business model, they can demonstrate they have no interest in sharing an enterprise’s data.

“Starting from our day one, even in our free plan, we don’t have an ad-based revenue model. So as a company, we want our customers’ data to be their own data,” said Mouli Dorai, Zoho’s evangelist for security and digital signature services in our recent interview at the Zoholics’24 conference. “We don’t touch their data. We don’t have any monetization aspects on top of it.”

Beyond such privacy assurances, all Zoho services run and store data in Zoho’s own private datacenters, which they own and maintain. This is not something most vendors could afford to do, but it enables them to control their own tightly integrated security stack.

Detecting anomalous browsing

A secure-by-design approach should rethink user security and data privacy both before and after the login. While most companies wouldn’t consider trying to revisit the long-lost browser war era, Zoho has done just that by introducing its own free Ulaa browser.

Have you ever noticed how sometimes your browser will start consuming an inordinate amount of CPU and memory resources—even when you aren’t actively downloading or watching anything? In addition to obfuscating user sessions with tracking controls and ad blockers, Ulaa allows users to enter ‘work mode’ to prevent distracting alerts and plugin notifications.

More significantly, though, since Zoho owns Ulaa, they can train their own AI assistant, Zia, to look for anomalous usage patterns such as cryptojacking without needing to know every detail of a user’s identity or session specifics. 

This sort of pattern recognition becomes even more compelling when combining IAM and browser usage of Zoho apps themselves. Say an India-based sales manager account suddenly logs into the company’s Zoho CRM account from an unknown location in Moldova, less than an hour after its last session from India. The Zia assistant can alert the admin to terminate the suspicious session before customer data is exfiltrated, and challenge the user with multi-factor authentication or a block.
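The India-to-Moldova scenario is commonly called an "impossible travel" check. The sketch below is an added example, not Zoho's or Zia's code: the `Login` fields, the 900 km/h threshold and the sample events are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0  # assumed threshold: roughly airliner cruise speed

@dataclass(frozen=True)
class Login:
    account: str
    when: datetime
    lat: float  # latitude of the geolocated source IP (assumed to be available)
    lon: float

def haversine_km(a, b):
    """Great-circle distance between two logins, in kilometres."""
    dphi = radians(b.lat - a.lat)
    dlam = radians(b.lon - a.lon)
    h = sin(dphi / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (previous, current, implied_kmh) for each consecutive login pair
    on one account that would require travelling faster than max_kmh."""
    last, alerts = {}, []
    for ev in sorted(events, key=lambda e: e.when):
        prev = last.get(ev.account)
        last[ev.account] = ev
        if prev is None:
            continue
        km = haversine_km(prev, ev)
        hours = (ev.when - prev.when).total_seconds() / 3600
        # Same-instant logins from different places imply unbounded speed.
        kmh = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
        if kmh > max_kmh:
            alerts.append((prev, ev, kmh))
    return alerts

# Constructed sample events (not real logs); coordinates approximate
# Chennai, Chisinau and Bengaluru.
EVENTS = [
    Login("sales.manager", datetime(2024, 6, 3, 9, 0), 13.08, 80.27),
    Login("sales.manager", datetime(2024, 6, 3, 9, 45), 47.01, 28.86),
    Login("support.agent", datetime(2024, 6, 3, 8, 0), 13.08, 80.27),
    Login("support.agent", datetime(2024, 6, 3, 20, 0), 12.97, 77.59),
]

if __name__ == "__main__":
    for prev, cur, kmh in impossible_travel(EVENTS):
        print(f"ALERT {cur.account}: {kmh:,.0f} km/h implied between logins")
```

IP geolocation is coarse, and VPN or corporate proxy exits will trip this check, so an alert is better used to trigger an MFA challenge or analyst review than an automatic block.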

Building a zero-trust software supply chain

Every security operations center is striving to associate their application estates with zero-trust architecture (or ZTA), where every login, every active user session, any system request, and any upload should be assumed to be a potential threat, unless explicitly declared and proven otherwise.

Zero-Trust is meaningful as a best practice, but it also doesn’t mean much when every security vendor is already claiming to offer it. All too often, there are code artifacts and components left behind that must be supported from previous generations of software that won’t support ZTA policies.

In a sense, Zoho has some of the natural advantages of an air gapped, walled garden, even as they need to integrate their SaaS app suite with external services. They build and maintain everything in their own software supply chain, starting from private infrastructure and code, all the way up to their own observability, threat detection and IAM platform.

“How do you build security into the core language, the compiler, and the entire tool chain as much as possible, so that there is less flexibility for the developer to make a mistake?” said Zoho co-founder Tony Thomas.

The Intellyx Take

Most of us are in no position to start over from scratch and reinvent all of our applications from a secure-by-design perspective the way Zoho has.

Still, security is not a binary on/off toggle switch—it’s actually a continuous journey toward maturity, and delivering safer and more resilient applications over time.

By looking at the way Zoho has approached its integrated security stack, we can take away lessons, and identify achievable improvements along this journey toward a secure-by-design architecture.

 

©2024 Intellyx B.V. Intellyx is editorially responsible for this document. At the time of writing, Zoho is an Intellyx subscriber, and Microsoft and Okta are former Intellyx customers. No AI bots were used to write this content. Image source: Adobe Express AI. 


Principal Analyst & CMO, Intellyx. Twitter: @bluefug