Security and Compliance at Datadog

Jul 15, 2024

Series Context

  • Series Name: Datadog On
  • Topics: Challenges faced by engineers at Datadog
  • URL: Provided to sign up for notifications

Introduction

  • Speakers:
    • Kirk Kaiser, Technical Evangelist at Datadog
    • Andrew Spengler, Governance, Risk, and Compliance Team at Datadog

Datadog Overview

  • Core Function: Monitoring and analytics platform
  • Scale:
    • 12,000+ customers
    • Millions of hosts
    • Trillions of data points/day
  • Infrastructure: Primarily runs on Kubernetes
  • Multi-cloud: Over 400 integrations

Importance of Security and Compliance

  • Customer Trust: Critical to Datadog's operation
  • Compliance Challenges: Dealing with the complexity, risk assessment, and trust building
  • Agent Binary: Datadog's agent is installed on customer systems to collect data, so customers must be able to trust the integrity of that binary

Information Security & Compliance Team Structure

  • Growth:
    • 2017: Datadog had about 500 employees
    • 2021+: Over 2000 employees
  • Departments: Corporate IT, Security Engineering, Infrastructure InfoSec, Compliance
  • Key Teams:
    • Customer Trust team
    • Privacy function
    • GRC (Governance, Risk, and Compliance)
    • Federal Programs team
    • Compliance Operations team

Guiding Principles in Security & Compliance

  • Minimizing Risk: Context and residual risk management
  • Preserving Velocity: Maintain quick innovation while ensuring security
  • Practicing Empathy: For colleagues and customers, balancing goals, and technology limitations

Implementation Strategies

Security by Design

  • Security shift left: Integrating security in design, implementation, and operations
  • Compliance Standards: FedRAMP, ISO 27001

Customer Trust

  • Primary Functions: Responding to customer audits, educating customers, collaborating with legal/product teams
  • Enabling Business: Facilitating contracts, entering regulated markets (e.g., healthcare customers subject to HIPAA)

Automation

  • Self-service Compliance: Deployment guides for products/data centers
  • Engineering Workflow Integration: Automating compliance processes to keep pace with scaling

Corporate Laptops and BeyondCorp

  • Transition: From a single device type (MacBooks) to multiple OSes (Windows, Linux)
  • Security Management: Configuration baselines, addressing local admin rights
  • Jamf & CIS Benchmarks: Device configuration enforced against a published baseline, so the expected state is transparent to employees

Additional Tools and Processes

BeyondCorp

  • Endpoint Management: Host monitoring, configuration management
  • Security Notifications: Slack alerts for updates/configurations

Automated Enforcement

  • Example: AWS security group configurations are monitored; an unauthorized change raises an alert and is automatically reverted to the approved baseline
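The reconciliation loop behind that example, as an added illustration (not Datadog's code): observed security group rules are normalised and diffed against an approved baseline, and the result is both the alert text and the payloads that would revert the drift. Field names follow the EC2 IpPermissions structure so the output could be handed to boto3's `revoke_security_group_ingress` / `authorize_security_group_ingress`; the baseline, the "observed" rules and the group id are constructed sample data, and nothing is sent to AWS here.

```python
"""Detect and revert drift in an AWS security group against an approved baseline.

Added illustration, not Datadog's code. In a real loop the observed rules come
from ec2.describe_security_groups and the trigger is a CloudTrail/EventBridge
event; here both inputs are constructed sample data.
"""
import ipaddress
from typing import NamedTuple


class Rule(NamedTuple):
    protocol: str   # "tcp", "udp", "icmp" or "-1" (all protocols)
    from_port: int  # -1 when the protocol carries no ports
    to_port: int
    cidr: str       # canonical CIDR, e.g. "10.0.0.0/8"


def normalize(raw: dict) -> Rule:
    """Canonicalise one EC2-style IpPermissions entry so equal rules compare equal.

    Case differences, missing ports (protocol "-1") and non-canonical CIDRs
    would otherwise produce false drift alerts or, worse, a revert storm."""
    proto = str(raw["IpProtocol"]).lower()
    from_port = int(raw.get("FromPort", -1))
    to_port = int(raw.get("ToPort", -1))
    cidr = str(ipaddress.ip_network(raw["CidrIp"], strict=False))
    return Rule(proto, from_port, to_port, cidr)


def diff_rules(baseline: list, observed: list) -> tuple:
    """Return (unauthorized_additions, missing_baseline_rules) as sets of Rule."""
    want = {normalize(r) for r in baseline}
    have = {normalize(r) for r in observed}
    return have - want, want - have


def to_ip_permissions(rules: set) -> list:
    """Render rules as the IpPermissions list boto3 expects for
    revoke_security_group_ingress / authorize_security_group_ingress."""
    perms = []
    for r in sorted(rules):
        perm = {"IpProtocol": r.protocol, "IpRanges": [{"CidrIp": r.cidr}]}
        if r.protocol != "-1":
            perm["FromPort"] = r.from_port
            perm["ToPort"] = r.to_port
        perms.append(perm)
    return perms


def reconcile(group_id: str, baseline: list, observed: list) -> dict:
    """Produce alert lines plus the API payloads needed to revert the drift.

    Nothing is sent from here; a caller would pass 'revoke' and 'authorize'
    to the corresponding boto3 calls and post 'alerts' to its alerting channel."""
    added, removed = diff_rules(baseline, observed)
    alerts = [f"{group_id}: unauthorized rule {r.protocol} {r.from_port}-{r.to_port} from {r.cidr}"
              for r in sorted(added)]
    alerts += [f"{group_id}: baseline rule missing {r.protocol} {r.from_port}-{r.to_port} from {r.cidr}"
               for r in sorted(removed)]
    return {"alerts": alerts, "revoke": to_ip_permissions(added), "authorize": to_ip_permissions(removed)}


# Constructed baseline: HTTPS from the corporate range only.
BASELINE = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "10.0.0.0/8"},
]
# Constructed observed state: SSH was opened to the world, and the HTTPS rule was
# re-written with upper-case protocol and a non-canonical CIDR (must NOT be flagged).
OBSERVED = [
    {"IpProtocol": "TCP", "FromPort": 443, "ToPort": 443, "CidrIp": "10.1.2.3/8"},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
]

if __name__ == "__main__":
    result = reconcile("sg-example", BASELINE, OBSERVED)  # placeholder group id
    print("\n".join(result["alerts"]))
    print("revoke:", result["revoke"])
    print("authorize:", result["authorize"])
```

The normalisation step is the part worth copying: a naive string comparison of rules would flag the rewritten HTTPS rule as drift and revoke a legitimate rule, which is exactly the kind of automated action that erodes engineers' trust in the control.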

Container Security

  • Trivy Integration: Just-in-time vulnerability scanning of container images
  • Policy as Code: Using tools such as Open Policy Agent (OPA) to express and enforce deployment policy
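One way the two bullets above combine, as an added example that is not Datadog's tooling: a policy-as-code gate evaluated over a Trivy scan report. In an OPA deployment the policy would be written in Rego; this Python expresses the same decision so it can run stand-alone. The report is a constructed sample shaped like Trivy's JSON output (`Results[].Target`, `Results[].Vulnerabilities[]` with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`); the thresholds, the exception list and the `SAMPLE-*` identifiers are assumptions made for the illustration.

```python
"""Policy-as-code gate over a Trivy JSON report.

Added illustration, not Datadog's code. Policy: block any CRITICAL finding, and
any HIGH finding that already has a fixed version; allow time-boxed exceptions
so an accepted risk does not block shipping until its review date passes.
"""
import json
from datetime import date
from typing import Optional

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed policy; thresholds and exception ids are assumptions for the example.
POLICY = {
    "block_at_or_above": "CRITICAL",
    "block_fixable_at_or_above": "HIGH",
    "exceptions": {"SAMPLE-0001": "2099-01-01"},  # vuln id -> ISO expiry date
}


def is_blocked(vuln: dict, policy: dict, today: date) -> Optional[str]:
    """Return the reason this finding blocks the deploy, or None if it passes."""
    vid = vuln["VulnerabilityID"]
    expiry = policy["exceptions"].get(vid)
    if expiry and date.fromisoformat(expiry) >= today:
        return None  # accepted risk, still inside its review window
    severity = vuln.get("Severity", "UNKNOWN").upper()
    rank = SEVERITY_RANK.get(severity, 0)
    if rank >= SEVERITY_RANK[policy["block_at_or_above"]]:
        return f"{vid}: severity {severity}"
    if vuln.get("FixedVersion") and rank >= SEVERITY_RANK[policy["block_fixable_at_or_above"]]:
        return f"{vid}: {severity} with fix available ({vuln['PkgName']} -> {vuln['FixedVersion']})"
    return None


def evaluate(report: dict, policy: dict, today: date) -> dict:
    """Apply the policy to every finding; Trivy emits null for a target with none."""
    violations = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            reason = is_blocked(vuln, policy, today)
            if reason:
                violations.append(f"{result['Target']}: {reason}")
    return {"allow": not violations, "violations": violations}


# Constructed sample report in the shape of Trivy's JSON output.
SAMPLE_REPORT = json.loads("""
{"Results": [
  {"Target": "app:latest (alpine)",
   "Vulnerabilities": [
     {"VulnerabilityID": "SAMPLE-0001", "PkgName": "liba", "InstalledVersion": "1.0", "FixedVersion": "1.1", "Severity": "CRITICAL"},
     {"VulnerabilityID": "SAMPLE-0002", "PkgName": "libb", "InstalledVersion": "2.0", "FixedVersion": "2.1", "Severity": "HIGH"},
     {"VulnerabilityID": "SAMPLE-0003", "PkgName": "libc-x", "InstalledVersion": "3.0", "FixedVersion": "", "Severity": "HIGH"},
     {"VulnerabilityID": "SAMPLE-0004", "PkgName": "libd", "InstalledVersion": "4.0", "FixedVersion": "4.1", "Severity": "MEDIUM"}
   ]},
  {"Target": "app/requirements.txt", "Vulnerabilities": null}
]}
""")

if __name__ == "__main__":
    decision = evaluate(SAMPLE_REPORT, POLICY, date.today())
    print("allow" if decision["allow"] else "deny")
    for line in decision["violations"]:
        print(" -", line)
```

With the sample data the gate denies: SAMPLE-0001 is covered by an unexpired exception, SAMPLE-0003 is HIGH but unfixable and so only alerts, SAMPLE-0004 is below threshold, and SAMPLE-0002 (HIGH with a fix) is the single violation. Running the same report with a date past the exception's expiry makes SAMPLE-0001 block again, which is the point of dating exceptions rather than granting them permanently.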

Code Ownership

  • Sarbanes-Oxley (SOX) Compliance: Code ownership records ensure that only authorized changes reach financial systems

Supply Chain Security

  • TUF (The Update Framework) and in-toto: Ensuring the authenticity and integrity of software packages from build through distribution

Vendor Risk Management

  • Assessment and Automation: Proactive risk assessment, annual reviews, integration with procurement

Questions & Answers

  • Changes for U.S. Gov: Access management, monitoring/logging adjustments
  • International Employees: Use of Appgate for granular, secured access
  • Preventing Security Silos: Transparency, embedding security in teams
  • Employee-Led Compliance vs Forced Compliance: Balancing regulatory requirements with cultural values

Closing

  • Career Opportunities: Datadog is hiring
  • Recording available: Session will be on YouTube
  • Contact: Support for additional questions