Dropbox Layers AWS Security Services to Scale Its Signature Service Protection
Cloud-based file storage and smart workspaces company Dropbox acquired the electronic signature and storage solution HelloSign in 2019. HelloSign grew quickly to more than 80,000 customers in 2021 and recognized the importance of protecting its customers’ personally identifiable information (PII) and payment card information. The company wanted to make its service both secure and highly available, which required protecting its services from distributed denial of service (DDoS) and other security events.
Already using Amazon Web Services (AWS) for many of its infrastructure needs, the company decided to expand its use of AWS to enhance its security posture. In just 6 months, HelloSign upgraded its security by using a suite of scalable, customized security tools from AWS, implementing best practices, saving developer time, improving security response time, and averting security events.
“Using AWS, we were able to mature our security model and automate manual processes. We saved about a million dollars per year in triage time for security operations, staffing, and licensing costs.”
Director of Security, HelloSign
Implementing a Suite of AWS Services
Dropbox is a smart workspace that offers file synchronization and sharing features to optimize workflows. When it acquired HelloSign, Dropbox provided customers the ability to send, sign, and store documents online without leaving Dropbox. HelloSign decided to boost its security posture, including gaining visibility into its web application security and proactively identifying stored PII data so that it could identify where to place additional controls.
HelloSign wanted a scalable, robust option that wouldn’t require data to be off-loaded to a third-party solution—potentially giving outside companies access to PII and therefore requiring a time-consuming security review process. HelloSign already trusted AWS for its infrastructure, storing encrypted data using Amazon Simple Storage Service (Amazon S3), object storage built to retrieve any amount of data from anywhere. Rather than adopting security services piecemeal, HelloSign quickly implemented a suite of AWS security services into its internal workflow.
Strengthening Security Posture on AWS
At the first layer of HelloSign’s security solution is Amazon Macie, a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect sensitive data in Amazon S3 buckets. Amazon Macie functions at scale and without off-loading data to a third party. For vulnerability management, HelloSign uses Amazon Inspector, which helps improve the security and compliance of applications deployed on AWS by assessing them for vulnerabilities and checking for unintended network accessibility. “We use the Amazon Inspector findings as part of our patch management automation process, saving a lot of time and resources in updating our software and systems,” says Kirtika Dommeti, senior security engineer at HelloSign. To further security visibility, HelloSign uses Amazon GuardDuty, a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect AWS accounts, workloads, and data stored in Amazon S3. To better understand the root cause of security findings from Amazon GuardDuty, the company is evaluating Amazon Detective, which uses machine learning, statistical analysis, and graph theory to build a linked set of data that lets users easily conduct faster and more efficient security investigations.
To monitor and report on HelloSign’s AWS security posture, the company uses AWS Security Hub, which aggregates all its security findings and performs security best-practice checks across its AWS deployment. This comprehensive view of security alerts and security posture helps support compliance. For example, HelloSign uses the ability of Amazon Macie to assist in detecting PII and payment card information alongside the comprehensive security posture checks of AWS Security Hub to meet Center for Internet Security benchmarks and the Payment Card Industry Data Security Standard.
HelloSign manages the findings using proprietary processing logic alongside services such as AWS Lambda, a serverless compute service that lets users run code without provisioning or managing servers, and Amazon DynamoDB, a key-value and document database that delivers single-digit millisecond performance at any scale. HelloSign’s internal teams then address any issues through the company’s ticketing and incident response workflow.
Addressing Security Concerns for Web Applications
The company combats web application security events using AWS Web Application Firewall (AWS WAF), which helps protect web applications or APIs against common web exploits and bots that might affect availability, compromise security, or consume excessive resources. Using AWS WAF, HelloSign can filter traffic before it hits the company’s web servers—mitigating incidents in just 15–30 minutes, customizing rules that proactively block common security event patterns, and applying geographic or country-specific blocks to areas under US sanctions. Using AWS WAF helped HelloSign avert 12 DDoS security events and other security threats that might otherwise have brought down its system. HelloSign also uses AWS Shield Advanced, a managed DDoS protection service that helps safeguard applications running on AWS. For resources protected using AWS Shield Advanced, customers get AWS WAF and AWS Firewall Manager, a security management service, at no additional cost. “Now we can make intelligent decisions and gain visibility into which customers are coming from where,” Dommeti says.
HelloSign upgraded its authentication process using AWS Single Sign-On (AWS SSO), which makes it simple to centrally manage access to multiple AWS accounts and business applications and provides users with single sign-on access to all their assigned accounts and applications from one place. Automating security features within 3 months has streamlined workflow and reduced time-consuming tasks. In total, these moves have increased efficiency, saving HelloSign roughly 120 hours of work a week. “Because the services are intuitive, we were able to get them going and train new personnel to manage them with ease,” says Dommeti.
Continuing to Drive Efficiency
Benefits of AWS
- Averted 12 DDoS security events
- Saved roughly 120 hours of work time a week through automation
- Gained visibility into security posture
- Implemented security best practices
- Customized security tools
- Automated security features within 3 months
AWS Services Used
Amazon Macie
Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS.
AWS Shield Advanced
AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection.
Amazon GuardDuty
Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation.
AWS Security Hub
AWS Security Hub is a cloud security posture management service that performs security best practice checks, aggregates alerts, and enables automated remediation.