
Exploring the technical security of our platform

Posted 2 years ago in Platform by Beeny Atherton

At Xero, the security of our data, our customers' data and our platform is the highest priority. This is what was showcased earlier in the year at the CPX360 Cyber Security Summit and Expo as I walked the crowd through the technical security of the Xero platform.

Migration to AWS

With Xero growing at such a rapid pace, we completed our migration to the Amazon Web Services (AWS) public cloud in November 2016. This was done in part to cut platform build times from weeks and days to minutes, then seconds, and now milliseconds, in order to support the needs of our product teams.

Amazon EC2, containerisation and Lambda (serverless computing) are not only technologies we use, but paradigms of the journey that Xero has gone through with the AWS migration. They ensure that we are utilising best-of-breed platforms, tools and techniques so that we can deliver the final product faster for small businesses around the world.

In terms of our systems and protecting our customers' data, Xero takes a “defence in depth” approach. Multiple layers of security controls protect access to, and within, our environment. These include firewalls, intrusion protection systems and network segregation. But safe security practice isn’t just about systems. It starts from within teams, so it’s essential that we instil a culture of shared responsibility first.

Security culture starts from within the security team

As a security team, we have many points of contact and many stakeholders within the company. These include our product and platform teams, who are responsible for the delivery and operation of the Xero platform. They work dynamically and in agile environments where things can change very quickly. Our goal is to be automated, continuous and visible in the way we engage with our product teams. If we aren’t agile, we can block the pace of the organisation.

Our product and platform teams are at the core of our business so we needed to change our mindset from being gatekeepers of our data and systems, to giving them access to security tooling. This ultimately empowers them to make the right choices based on safe security practice. This culture shift within Xero started with the transformation of how the security team was operating.

The security team was initially formed as two separate teams, triggered by our migration to the public cloud. We adopted agile processes in order to think and act like product teams so that we could better integrate with them. Ultimately, we merged our security teams, building a new security portfolio: Engineering, Architecture, Identity, Risk, Operations and Advisory.

By using practical examples such as PACMAN (see below), our internal Slack channel #help-security and our Architecture Knowledgebase (AKB), we promote the importance of security within our organisation.

A new paradigm of shared responsibility

Education is a major driver for security enablement amongst our teams across the business. At Xero we took the popular “Top 10” model, changed it to a “Top 9” and used it for cloud-based security issues we regularly see. We have internal Top 9 lists for Xero Infrastructure Security as well as Xero Application Security. These lists are the go-to areas for new starters at Xero, as well as a first port of call for our product teams when they are spinning up a new project.

In addition to sharing responsibility with other Xero teams, the “Amazon Web Services Shared Responsibility model” lies at the centre of how we operate with AWS. It clearly defines the responsibilities of each party when operating in the public cloud, and in our case it defines the shared responsibility between Xero and AWS. We use this to guide our design, operational process and compliance.

What is PACMAN?

PACMAN stands for Platform Access Control Manager. It is a self-service system developed by Xero to allow our product teams to take control of their identity and access management. Because our product teams work dynamically, we needed to create an approach to security that aligns with this fast-paced nature.

Originally, identity and access requests would come through as tickets to the security team, leaving a manual and time-consuming task of processing them. Our teams wanted a faster response, fewer tickets and ultimately, more enablement. Now, our teams can self-serve their identity and access needs.

Using this system, our product teams can query the status of their identities within the Xero ecosystem, reset their passwords, and request access to additional systems such as AWS accounts. Access is provided as and when it is needed, and administered by those who own the resources rather than by standalone gatekeepers. PACMAN also integrates with other internal systems to record our team members' actions and requests, leaving a clear audit trail.

We have been presented with some interesting challenges working within an agile and high growth environment, but ultimately the goal has always been to build a culture of security being everyone’s responsibility. This is reflected not only internally and with tools like PACMAN but also in the shared investment in security and responsibility between Xero and our technology partners such as AWS.


February 27, 2019 at 1.23 pm

Great insight Aaron. Thanks for sharing.

Yulei Liu
February 28, 2019 at 10.35 pm

