Model Behaviour at Pearson
Global education company PEARSON is shifting from a publishing company to a media company. As it goes through a digital transformation to achieve this, we speak to its security team to find out how they mitigate risk to help improve the lives of students.
The learning ecosystem has shifted.
Even before the pandemic, the trend for digital-first learning was climbing. Now it has escalated. This has dovetailed with a change in how people want to be educated. Workplace and non-academic learning is booming as organisations – and schools and colleges – increasingly see the value in providing access to acquiring new skills across a lifetime of education.
Simply, education is no longer the linear experience it once was, and Pearson is catering for this change.
Pearson creates digital learning products and tools. It brands itself the world’s leading learning company, and it very much backs up that claim: the company has around 20,000 global employees, and its reach is enormous, providing rich digital content, online resources, qualifications, courses, assessments, and data to learners in schools and organisations throughout 200 countries.
Education comes with great responsibility, and with that responsibility comes huge security implications across all of Pearson’s business areas.
Muthu Meyyappan, Global VP of Security Engineering, joined Pearson in 2017. His role now covers identifying industry trends, engineering tools, and helping development and product teams to implement security within Pearson. The landscape five years ago was significantly different from today's.
“When I joined Pearson, we were looking at changing two different areas,” he says. “One was moving from a fragmented view to an overall centralised view of security and looking at it from a risk perspective, as well as providing tools and services that will improve the security rather than keeping that as a checkbox for compliance reasons. What are the right technologies we need to bring in? What are the right processes we need to bring in? What are the right people we need to bring in?
“The second piece was how do we work with the different teams to understand their needs within Pearson and make sure that they see security as an enabler, not as a cost item. We have done a lot of work in those two areas to look at the risk in an overall manner, rather than in a very specific area.
“In 2020 we appointed Andy Bird, who came across from Disney, as our new CEO. His direction is to take us from a publishing company to a media company, and technology is at the forefront of that transition. And we are going through that transition now.”
The security threats Pearson faces are twofold. One is familiar to any software organisation: a vulnerability or architectural flaw in its systems. The other is specific to Pearson's core business of content creation and delivery. Securing that content against piracy is a major piece of work, and crucial to Meyyappan's team.
“The threats we face at Pearson range from curious students trying to test the limitations of our learning tools, through to nation state-sponsored criminal enterprises, and everything in between,” says Nick Vinson, Director of DevSecOps.
Vinson joined in early 2018 as part of Meyyappan's drive to set up a security engineering team staffed with security engineers who have domain-specific knowledge.
The thinking behind this? People who have knowledge and experience in building and managing technologies are simply better placed to secure them. However, Meyyappan and Vinson recognised that recruits can't be experts in all areas. Therefore, they built a team of subject matter experts across a variety of different fields and got them working together.
This, however, did create some initial challenges. “We started the team from scratch. And the first initial few months were very challenging because we had to move from that legacy enrollment to ‘how do we operate in a DevSecOps fashion’,” says Meyyappan. “The challenge is, you need to find the right person and the right skills and the right attitude to be part of that DevOps movement to make sure that we can implement those jobs.
“Within the DevOps area, there are specific domains that are more challenging than others,” says Meyyappan. “The way that we approach this is to identify the very specific needs for the different projects, and make sure that the team is integrated as a single collective, rather than ‘here is a security team, here is a development team, and here is the operations team.’”
Because central security teams in large organisations struggle to keep up with the sheer volume of security engineering needs of product teams, Pearson has found a logical and efficient way of implementing effective security: teaching the product teams to be self-sufficient in security.
For Vinson, it was also important that the security engineering team was seen as a crucial piece of the cross-functional jigsaw. “It was very important to be part of cross-functional teams in order to actually introduce the required security controls to improve the security posture of those products,” he says. “The way we achieved this was by building trust with the teams with the quality of technical input. We weren’t providing the teams with security requirements which weren’t relevant, and we were providing tools which fit their workflows.”
Identifying the threats
A major part of Pearson's approach to security is threat modelling: a systematic process that allows security teams to identify product-specific threats and the countermeasures that mitigate them.
Traditional threat modelling has significant limitations at scale, because the process is manual. Given the size of Pearson's operations, the company knew that manual threat modelling couldn't keep up with the pace of technological change, and therefore with the pace at which security threats evolve. So it took the decision to automate its threat modelling.
“The problem we wanted to solve was getting a holistic view of security risks across our products, and quantifying those risks in a consistent and accurate way,” says Vinson. “We want to identify security requirements as early on as possible in the software development lifecycle with a view that remediating them early on is much easier and much less expensive.”
This was easier said than done. To create consistency in identifying threats and security controls, a framework was needed. The time burden of manually reviewing security control implementations also had to be overcome. So Vinson started looking for products with the flexibility to define a threat modelling framework and an API that would allow Pearson to integrate its own testing.
Owen John is a Platform Security Lead at Pearson. His primary role is to improve the security posture of the cloud platforms being utilised by Pearson’s product teams. Specifically, that involves identifying a set of security requirements for cloud infrastructure and working with the product teams to get those implemented correctly.
“With the high number of development teams we have in Pearson, doing threat modelling manually just won’t scale and wouldn’t work for us,” John says. “The last thing we want to be doing is bombarding product teams with hundreds of tickets, a lot of which might be irrelevant as they are already implemented.
“So what we do want to do is analyse each security countermeasure in advance and make sure it’s relevant. So to help us reach our scalability goals, we’ve developed an automation framework which allows us to validate these countermeasures and security controls automatically by integrating Irius with our third-party tooling.”
Automating threat modelling
The ‘Irius’ John talks about is IriusRisk, the automated threat modelling platform. Pearson chose IriusRisk as its platform of choice in early 2020 when it was looking to automate the threat modelling process to add consistency, reduce man-hours, and scale. It was an ideal partnership from the start.
“We were evaluating other tools in the space,” says Vinson. “And based on our criteria and requirements, IriusRisk came out on top. That was predominantly because it had the flexibility for us to define our own custom risk libraries and an API where we could integrate our existing security testing.
“The SaaS nature of the platform was attractive as we didn’t need to self-host it. And, with us being a globally distributed team, it fits really well.”
The relationship is ongoing, and IriusRisk's platform has allowed Pearson to build a framework tailored to its products and tech stacks. This has given Pearson the ability to generate threat models rapidly and accurately. The security requirements are more relevant and effective because they're project-specific, giving Pearson a more comprehensive view of the risks it faces.
Introducing risk libraries allows Pearson to consistently measure risks and deliver quality countermeasures across all of the products that it is threat modelling.
“We maintain our own in-house threat libraries that are based on the public standards,” says John. “That’s beneficial because we work very closely with the product teams. We know their tech stack, and we know their working practices, so we can add relevant context to the security countermeasures to aid with implementation.”
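The approach John and Vinson describe above (an in-house risk library whose countermeasures carry tech-stack context, and an automation framework that validates countermeasures against existing security testing before any ticket is raised) can be sketched as a small pipeline. The code below is an added illustration written for this article, not Pearson's framework or IriusRisk's API; the library entries, component model, scanner output and check names are all constructed for the example. It shows the two filters that keep teams from being bombarded with irrelevant tickets: a countermeasure is only attached to components whose technology it applies to, and a countermeasure with passing evidence from an existing test is marked implemented rather than raised as work.

```python
"""Hypothetical countermeasure-validation pipeline (added example; not Pearson's or IriusRisk's code)."""
from dataclasses import dataclass

# Constructed in-house risk library. Each countermeasure names the component technologies
# it applies to and, where one exists, the automated check that can prove it is in place.
RISK_LIBRARY = [
    {"id": "CM-TLS", "title": "Enforce TLS 1.2+ on public endpoints",
     "applies_to": {"alb", "api-gateway"}, "check": "tls_min_version"},
    {"id": "CM-S3-PUB", "title": "Block public access on object storage",
     "applies_to": {"s3"}, "check": "s3_public_access_block"},
    {"id": "CM-RDS-ENC", "title": "Encrypt database storage at rest",
     "applies_to": {"rds"}, "check": "rds_storage_encrypted"},
    {"id": "CM-SQLI", "title": "Use parameterised queries",
     "applies_to": {"web-app"}, "check": None},  # no automated check: needs manual review
]

# Constructed threat model of one product: components tagged with their technology.
PRODUCT_MODEL = [
    {"name": "edge-lb", "tech": "alb"},
    {"name": "content-bucket", "tech": "s3"},
    {"name": "grades-db", "tech": "rds"},
    {"name": "portal", "tech": "web-app"},
    {"name": "payments-api", "tech": "api-gateway"},  # never scanned: exercises the "not run" path
]

# Constructed output of a third-party scanner, keyed by (component, check) -> "pass" | "fail".
SCAN_RESULTS = {
    ("edge-lb", "tls_min_version"): "pass",
    ("content-bucket", "s3_public_access_block"): "fail",
    ("grades-db", "rds_storage_encrypted"): "pass",
}


@dataclass(frozen=True)
class Finding:
    component: str
    countermeasure: str
    status: str    # "implemented", "required" or "unverified"
    evidence: str  # why the status was assigned


def applicable_countermeasures(component, library):
    """Filter the library to countermeasures relevant to this component's technology."""
    return [cm for cm in library if component["tech"] in cm["applies_to"]]


def evaluate(model, library, results):
    """Attach each applicable countermeasure to each component and validate it against scan evidence."""
    findings = []
    for comp in model:
        for cm in applicable_countermeasures(comp, library):
            check = cm["check"]
            if check is None:
                findings.append(Finding(comp["name"], cm["id"], "unverified",
                                        "no automated check; manual review"))
                continue
            outcome = results.get((comp["name"], check))
            if outcome == "pass":
                status, evidence = "implemented", f"{check}=pass"
            elif outcome == "fail":
                status, evidence = "required", f"{check}=fail"
            else:
                # Absence of evidence is not evidence of implementation: flag, don't assume.
                status, evidence = "unverified", f"{check} not run"
            findings.append(Finding(comp["name"], cm["id"], status, evidence))
    return findings


def tickets_to_raise(findings):
    """Only countermeasures with failing evidence become tickets for the product team."""
    return [f for f in findings if f.status == "required"]


def needs_manual_review(findings):
    """Countermeasures with no usable evidence are routed to a security engineer, not the backlog."""
    return [f for f in findings if f.status == "unverified"]


def summary(findings):
    counts = {"implemented": 0, "required": 0, "unverified": 0}
    for f in findings:
        counts[f.status] += 1
    return counts


if __name__ == "__main__":
    all_findings = evaluate(PRODUCT_MODEL, RISK_LIBRARY, SCAN_RESULTS)
    print("summary:", summary(all_findings))
    for t in tickets_to_raise(all_findings):
        print("TICKET", t.component, t.countermeasure, t.evidence)
    for r in needs_manual_review(all_findings):
        print("REVIEW", r.component, r.countermeasure, r.evidence)
```

In a real deployment the library and model would come from the threat modelling platform and the scan results from the team's existing tooling; the point of the example is the reconciliation step in between, which decides what is already done, what is genuinely outstanding, and what cannot be decided automatically.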
“Pearson is a global company,” says Meyyappan. “And we use pretty much any technology you can think of under the sun. So the way that we are using IriusRisk really helps us in the sense that we can go to IriusRisk and say, ‘here are the new technologies, we may need a new control library for this’.
“We are going through this digital transformation, and looking at more cutting-edge technologies because we want to be a front-runner with these technologies. Partnering with tools and platforms like IriusRisk means we can be innovative in design, and bring that into the wider security community.”
Looking to the future
As Meyyappan noted, Pearson's future lies in moving from a publishing company to a media company. A big part of that is the shift to direct-to-consumer products, in particular Pearson+. The eText subscription service allows students to download digital learning materials on multiple devices, study to their own schedule, and access materials created by over 3,000 experts, including 1,500 eTexts written by Pearson-approved authors.
Pearson+ Channels, the company’s newest study tool, will allow students to interact with thousands of videos across a range of subjects.
This means that, for the DevSecOps team, the model has changed from building tools for a captive audience of educational institutions, to selling products to the general public – who only pay for those products if they like them.
“We have a number of different products that are very well received in the market,” says Meyyappan. “Now the goal is making it more direct-to-consumer-centric. Pearson+ is the first major D2C product we’ve delivered – we have done D2C in specific applications before, but not as a global strategy.
“The approach here is making sure that we can create an ecosystem that can go directly to the consumer. That creates challenges from a technology perspective and a security perspective, because you are doing that last-mile delivery now, and you know your customer pretty intimately.”
These developments go hand in hand with the future of threat modelling at Pearson, the aim being to scale the model out across all business divisions and product groups.
“The principle that security is a shared responsibility is something we’re fostering and spreading,” says Vinson. “The future of security in the culture of Pearson is that security is a fundamental aspect of all new products that are developed.”