Security 🔐 in an HR Tech Company - When and how to start?

In the fast-paced world of tech companies, we often face big challenges with limited resources. Our sales and business teams always want more features to attract customers and stand out from the crowd.

But there's an important question we need to think about: When should we focus on security? It's a big deal these days, but it might not be the first thing developers think about when building a new app.

Follow along as we share the journey of our HR tech company and how we tackled this crucial issue.


Extract external penetration test report

The context

To get the big picture: let me first explain what Epix is about.

Multi-country companies across the globe use lots of apps and tools to handle their payroll. Each country has its own software for this process, which usually does the job of managing local employees and calculating their pay each month.

But when we look at the bigger picture, we notice a problem: it's hard to manage and see the entire workforce in a consistent way (input, output and integrations).

That's where Epix comes in. Epix is an integration platform that handles the entire international payroll process, from start to finish using the local payroll codes. You can input monthly data directly into Epix, including both core HR info and time-related data, and it takes care of the rest.

All the input goes through checks to make sure it's accurate and complete. Then, it gets sent to local payroll providers who calculate the final pay. Once that's done, the results come back to Epix, where you can easily access all the HR analytics you need.

But here's the thing: because Epix deals with a lot of personal HR data, security is a top priority!

When did Paybix start with security?

In a previous blog post about automated testing, I emphasized the importance of starting early with automated tests. Once you fall behind, catching up gets harder as the company grows. There are always reasons to delay, but the gap only widens.

The same principle applies to security. Drawing from my experience as a CTO in larger companies, I understand the expectations of security officers. This can encompass a wide range of things, from IT and data policies to risk registers and certifications like ISO or SOC2.

However, I believe it's crucial to focus on the fundamentals first. Startups don't have established policies or risk registers from the beginning because there's not much to document initially. So, where do you begin?

I followed a few key guidelines that I knew would be difficult to change once the development process advanced:

IT tooling

At Paybix, everyone uses a PC, but we don't have a traditional network. Instead, we store everything in the cloud using Microsoft services like SharePoint and Office365.

I previously mentioned in a LinkedIn post that we're part of the Microsoft Founders Hub, which gives us free Office accounts and Azure credits. That's why we stick with this environment.

As an admin, I made some changes to enhance security, like enabling 2FA for Office365 and SharePoint. Our main SharePoint site can't be shared externally to prevent accidental sharing outside our company. Instead, I set up another SharePoint site called 'External Share' for external sharing.

Is this foolproof? No, but it makes people think twice before sharing because they have to move the file to the right place first. They often come to me for help with sharing, which helps prevent mistakes.

These are just a few simple things you can do to improve security without spending a lot of time.

Recently, we started using Microsoft Intune more, and we plan to use it even more extensively in the coming months.

Azure and DevOps security

Our Azure hosting environment was set up with clear guidelines from the beginning. We organized users into groups based on their roles and purposes, managing their access through Microsoft Entra. This allowed us to easily track who has access to what.

All our infrastructure is configured using Bicep, which eliminates manual changes to Azure. Everything is scripted, ensuring consistency and reliability.

We have strict rules in place: Developers are only granted access to development databases, never to acceptance or production databases. Additionally, developers can push code to acceptance and staging environments, but they can't make the final swap to production. These are just a few of our key guidelines.

The software: Epix

Of course, we prioritize security in our software development process. That's why we built strict rules into our framework to enforce multi-tenancy (different customers using the same app, each with their own data). Each table includes a tenant column, and the framework automatically adds a where clause on that column to every query. This means developers don't need to worry about multi-tenancy: it's all handled automatically for them, including creates and updates.
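As an added illustration of that pattern (not Epix's or Paybix's own code), the Python wrapper below over SQLite appends the tenant predicate to every select and update and sets the tenant column on insert itself, so a developer cannot forget it or override it; the table, columns and rows are constructed for the example.

```python
import sqlite3


class TenantScopedDb:
    """Hypothetical data-access layer: every statement is scoped to one tenant."""

    def __init__(self, conn: sqlite3.Connection, tenant_id: str):
        self.conn = conn
        self.tenant_id = tenant_id

    # Table and column names are interpolated as identifiers; in a real framework
    # they come from the model definitions, never from user input.
    def select(self, table, columns=("*",), where="", params=()):
        # The tenant predicate is always present and ANDed with any caller filter.
        sql = f"SELECT {', '.join(columns)} FROM {table} WHERE tenant_id = ?"
        if where:
            sql += f" AND ({where})"
        return self.conn.execute(sql, (self.tenant_id, *params)).fetchall()

    def insert(self, table, row: dict):
        # The framework assigns the tenant; callers may not supply it themselves.
        if "tenant_id" in row:
            raise ValueError("tenant_id is assigned by the framework")
        row = {**row, "tenant_id": self.tenant_id}
        cols, marks = ", ".join(row), ", ".join("?" for _ in row)
        self.conn.execute(f"INSERT INTO {table} ({cols}) VALUES ({marks})",
                          tuple(row.values()))

    def update(self, table, values: dict, where, params=()):
        # Updates are scoped too, so a row id from another tenant is a no-op.
        if "tenant_id" in values:
            raise ValueError("tenant_id cannot be changed")
        sets = ", ".join(f"{c} = ?" for c in values)
        sql = f"UPDATE {table} SET {sets} WHERE tenant_id = ? AND ({where})"
        return self.conn.execute(sql, (*values.values(), self.tenant_id, *params)).rowcount


def demo():
    """Constructed scenario: two tenants share one table, isolation is enforced."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (id INTEGER PRIMARY KEY, "
                 "tenant_id TEXT NOT NULL, name TEXT, salary INTEGER)")
    acme, globex = TenantScopedDb(conn, "acme"), TenantScopedDb(conn, "globex")
    acme.insert("employees", {"name": "Ann", "salary": 4000})
    globex.insert("employees", {"name": "Bob", "salary": 5000})   # gets id 2
    visible = [r[0] for r in acme.select("employees", ("name",), "salary > ?", (0,))]
    changed = acme.update("employees", {"salary": 9999}, "id = ?", (2,))
    bob_salary = globex.select("employees", ("salary",), "name = ?", ("Bob",))[0][0]
    return visible, changed, bob_salary   # (['Ann'], 0, 5000)
```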

We also implemented functional roles in the tool, which required careful programming and thorough checks in both the frontend and the API. This was perhaps the most critical aspect on our list, and we took great care to do it right.

Going into production

Before launching with real customers, we had a review with Azure architects through our Microsoft Founders Hub program. They gave kudos to our main architect because we didn't need to make any extra changes at the infrastructure level - just some minor suggestions.

We also began using Aikido.dev, a tool that scans our code and flags any vulnerabilities. It's been incredibly helpful for keeping track of the code our developers produce.

With all these measures in place, we felt confident about going into production.

External penetration test

Towards the end of last year, especially after launching our self-service module, which brought in many new users with different roles, we realized it was time to conduct a penetration test by an external party. We scheduled this for Q1 of this year.

We chose Aikido.dev to perform the external penetration test. We provided them with two tenants, each with several users assigned different roles, including self-service users and tenant full admins.

During the test, they attempted to break into our system through various methods, including exploiting infrastructure vulnerabilities, manipulating HTTP headers, and altering file names to gain unauthorized access. They also tried to access data from one tenant and retrieve data from other users.

It was a nerve-wracking week for us because we were confident but knew this test was crucial for our security. After a week, we received the reassuring news that we had passed with flying colours. We were even commended for the small number of issues detected.

They found only five items, which we promptly addressed within a week. This resulted in the final report, a snippet of which you can see below.

Receiving such an exceptionally good score for security makes me very proud!

Final report of the test

Conclusion

In conclusion, we began with long-term guidelines early on, investing a bit more time upfront. This approach proved beneficial when we launched into production, bringing peace of mind for me as a CTO. It's also important for a CTO to get some sleep 😊!

So, remember: maintenance and security should always be considerations when choosing items for your roadmap. I have a specific approach to this, envisioning a bulldozer that pushes maintenance and security items forward. I'll delve deeper into this concept in one of my upcoming blog posts.


About Paybix

Paybix offers integrated payroll solutions to multi-country employers, based on its global payroll platform Epix. The Paybix platform unifies and digitizes global payroll operations, leveraging digitized and localized payroll data exchange with ICPs. The beauty of the platform is its plug-and-play nature, allowing seamless integration with any ICP and minimizing the implementation effort required from payroll administrators. The platform significantly reduces the time spent on monthly payroll processing, both for the employer and its ICPs, and offers detailed insights into the composition and labor cost of an international workforce. Paybix has partner agreements with numerous ICPs, covering in total more than 100 countries.

Do you want to discover how Epix can radically streamline your international payroll operations? Then make sure to register for this 45-minute live demo (30 minutes of demo + 15 minutes of Q&A). During the demo we will showcase our platform Epix and share our roadmap of future releases.

If you have any questions up front, don't hesitate to contact us. If you want more insights in our unified processing offer using Epix you can check this out.

About the author Bart Slaets

Bart is CTO at Paybix and already has a long career in the development and product management world of payroll and time and attendance applications. He is used to creating and managing products with an international orientation in a SaaS environment.
