Following a report by the Wall Street Journal that the security vendor Tanium used a hospital’s live network as a demonstration platform on sales calls and even revealed private hospital data in a publicly posted demonstration video, Tanium CEO Orion Hindawi has admitted that mistakes were made in handling data from El Camino Hospital’s network. Hindawi was vague about whether the company had live access to the network, but in a blog post late yesterday, he said that the data was from “this particular customer’s demo environment” and that Tanium did not—and should not—have remote access to customers’ security data except in a very few cases where customers had granted access. But this appears to have been a change made after Tanium lost access to the El Camino Hospital network in 2015.
“We do have a few customers who have agreed for us to use their environments for external demos and have provided that access to us,” Hindawi wrote. “Since 2015, we’ve insisted that before a customer is willing to let us demo from their environment, regardless of the access they offer us, we document that in writing and agree on what data we can show to ensure there isn’t any confusion. Other than the few customers who have signed those documents and provided us remote access to their Tanium platforms, we do not—and in fact cannot—demonstrate customer environments with Tanium.”
Hindawi called the El Camino systems accessed a “demo environment,” indicating that it was a proof-of-concept testbed set up by the hospital and not an actual live network. “That said, we take responsibility for mistakes in the use of this particular customer’s demo environment,” he wrote. “We should have done better anonymizing that customer’s data… Looking at those demos, we see there are easy things we should have done to obscure and anonymize further.”
Still, Hindawi insisted that there was no damage done by using the hospital’s data. “Viewers didn’t connect the demo environment to that customer for years,” he wrote. “We do not believe we ever put our customer at risk with the data we showed.”
The post was also an effort by Hindawi to respond to allegations of a “toxic” culture at the company (which has lost a number of high-level executives over the past year). While he did not address claims that Tanium had routinely terminated employees just before their stock options vested, he defended the company’s culture. “It is absolutely true that we’ve built a culture that is highly demanding and mission oriented and that we expect our employees to drive themselves hard with that same commitment to the mission that we have,” the CEO acknowledged. “When taken to an extreme, that drive can make for a stressful environment, which we are working to balance and prevent. It is true that I personally can be hard-edged, and that I’ve had to apologize to people at Tanium when I’ve gotten too sharp at times.”
Hindawi added that Tanium “fire[s] people when they don’t meet our ethical or performance standards, and we understand that from the outside that may raise questions about the number of people leaving. And it is true that as we’ve grown, we haven’t matured processes in some areas as quickly as we’ve added people, which is something we’re working hard to build faster.” But he asserted, “what is not true is that we have a toxic culture. Mission-oriented, hard-charging, disciplined, even intense, but not toxic.”
Source: https://arstechnica.com