Enterprise-Level Security: The Next Big Thing at Threads
Our approach and lessons learned in the world of security and compliance
Here at Threads, our customers trust us with their most important business discussions. We feel it’s our responsibility as a platform to go above and beyond to keep these important conversations secure.
Throughout the past two years, we’ve bolstered our data protection measures to enterprise-level requirements. With these updates, businesses of all sizes can rest easy knowing their communication data is safe with Threads.
Key updates to our enterprise-level security program
Let’s dive into a few of the certifications and baseline security features we put in place (don’t worry, we won’t get too technical). With these key updates, we’re exceeding today’s security expectations and giving users more control over who can access their personal data.
SOC 2 certification
Threads is now SOC 2 certified. In short, it’s a stamp of approval that means we’re protecting customer data—and it’s a big deal for Threads.
There are two “flavors” of SOC 2—Type 1 and Type 2. Type 1 looks at what we’re doing at an operational level to keep your data safe—from our platform design to the internal processes we have in place. Type 2 looks at actually implementing and following those processes and whether or not they’re effective over time. Each requires a separate audit and Type 2 specifically requires at least six months of evidence.
This certification stretched us as a company and pushed us to operate more responsibly and effectively internally. Better yet, it opens the door for us to meet the security needs of companies of all sizes.
Threads also meets the requirements set by the General Data Protection Regulation (GDPR). GDPR is a set of security guidelines surrounding the use and storage of personal information for users based in Europe. In a nutshell, GDPR focuses on making sure companies are transparent about what data they’re collecting and how they’re using it.
GDPR compliance is key for Threads users, especially those who partner with vendors that have ties to Europe (or plan to). It gives users more control over their data by increasing transparency and accountability.
We added single sign-on (SSO), a base-level security feature that allows you to access multiple applications from a single source in a secure way (we support Google, Okta, and OneLogin).
SSO is key for enterprise-level security because users only have to login once through one set of credentials rather than multiple. This reduces the number of entry points where security might be at risk when accessing Threads and other apps. Plus, users don’t have to remember or waste time entering multiple passwords (which, let’s be honest, aren’t always strong and secure).
SCIM provisioning and deprovisioning
System for Cross-domain Identity Management (SCIM) is another standard we added to make it easy for administrators to automatically add or remove people from your applications. This security update is especially helpful for large companies where people are joining or leaving regularly.
When you’re dealing with hundreds or thousands of employees, it’s difficult to keep up with adding or removing access manually. This poses potential security threats, particularly in the deprovisioning or offboarding process when people are leaving your company and still have access to data.
Threads partnered with Okta, an identity, and access management company, to centralize the process and enable SCIM on our platform. It takes some of the load off your team, and it’s easy to make sure only the right people can access your sensitive information in Threads.
eDiscovery and data retention
Threads now has eDiscovery and data retention features to help you securely store, find, and delete your data as needed. These features allow an administrator to search all content owned by that organization quickly and easily.
This is key when companies need to place legal holds as needed on sensitive data and/or automatically delete information after a certain amount of time. These features make handling and storing information in Threads more secure and compliant with corporate policies, especially at larger companies.
Our journey to enterprise-level security (and what we learned)
Our security journey began as our customer base was growing. Our team suddenly had more enterprise companies interested in what we offer in the communication space. However, as discussions turned to security and compliance features, we realized we had some work to do. We dove in headfirst.
These discussions quickly snowballed into a two-year journey into security and compliance. Throughout the process, we learned some key lessons that are valuable to businesses of all sizes looking into their own security.
Learn everything you can from experts
Throughout the process, we partnered with security and compliance experts both internally and externally to really make Threads the best (and most secure) it can be.
We started by collaborating with multiple compliance teams from large companies to really understand what they needed and how we could improve on the security processes we already had in place.
Every industry and company is a little different—for example, the healthcare industry has HIPAA privacy rules—so it’s important to learn specifics for your business or industry. These experts and potential customers gave a lot of valuable tips and insights about what specifically mattered to them.
Make security upgrades a team sport
As we pushed forward, these compliance and security upgrades became a full team effort.
From IT to HR to engineering, we collectively put in thousands of hours of work internally to make Threads the best (and safest) it could be. We even hired a security engineer at the beginning of this year—a position that isn’t all that common at businesses of our size.
We also partnered with Laika, an outside consulting firm specializing in security and compliance. We met with them multiple times per month—sometimes weekly—throughout 2020 as we worked toward SOC 2 compliance. They became a trusted partner throughout our journey.
Security upgrades are an ongoing process
We originally thought improving security and privacy would take a few months or maybe a year. It took almost two years—and it’s only the beginning for us.
We quickly realized that privacy and security aren’t just something you “do” to appease customers. In reality, it needs to be a core part of your operations and who you are as a company. As such, it’s an ongoing journey that requires continuous learning and dedication.
A lot of our initial discussions were about GDPR compliance. As we worked toward that, things naturally progressed toward implementing SSO, SCIM, and pushing forward on SOC 2 certification. The security upgrade process just kept building and building until we had the solid, secure foundation that’s now in place.
While we’ve come a long way, there’s still more to do. The security landscape is continuously evolving and will always be in flux. This means that security isn’t something that we can ever consider “done,” but is an evolving and ever-growing part of a business that we will need to constantly be improving and working on. The minimum bar for security and compliance is increasing every year—whether you’re an enterprise business or a startup.
How we’ll continue to move forward
These enterprise-level security upgrades put Threads and our partners (of all sizes) in the best spot moving forward. Not only are we ready to meet the security and privacy needs of businesses of all sizes, but this foundation will also make ongoing compliance a lot smoother. As policies and best practices change and new threats emerge, the processes we have in place will allow us to easily pivot and expand into other markets as needed. We are excited to continue keeping security a priority at Threads and encourage you to keep a lookout for new improvements and to learn more at security.threads.com.