CyberSecurity SEE

Breach Postmortems Prompt Fintech to Enhance Zero Trust

Financial tech firm Mercury has been refining its zero-trust security practices in response to recent high-profile breach disclosures. As a remote-first company, Mercury places a strong emphasis on securing remote access, particularly for its software engineers. The company has made several changes to its security protocols, including switching from an open source VPN to a software-as-a-service (SaaS) option, implementing device security software, and reworking its incident response plan.

Branden Wagner, Mercury’s senior information security manager, joined the company in early 2022, bringing with him experience from the Naval Sea Systems Command and Naval Nuclear Laboratory. He set out to bring the zero-trust practices used in the military closer to the corporate world. Wagner conducted “thought exercises” with engineers and executives based on security incident reviews from other companies, in order to identify vulnerabilities and improve Mercury’s security measures.

One major breach that influenced Mercury’s security protocols was the LastPass data breach in late 2022. At the time, Mercury was using open source Pritunl as its VPN tool, which allowed for the use of physical security keys to access the company’s networks. However, the user experience with Pritunl was not optimal, especially for remote engineers. As a solution, Mercury switched to Tailscale, a SaaS offering that provided easier setup and a more distributed architecture that aligned with the principles of zero trust.

Another breach that prompted changes at Mercury was the CircleCI data breach, which involved a compromised security token. After examining their existing security measures, Mercury implemented an inventory of tokens and developed procedures for replacing compromised tokens. The breach also highlighted the importance of maintaining strong partnerships with other companies, as Mercury realized they lacked specific points of contact in the event of a breach. This prompted the company to update their information and reevaluate their security relationships.

Because Mercury was founded only in 2019, it has been easier for the company to implement changes and update its security practices. It has been able to adopt SaaS solutions without the burden of legacy equipment. However, it remains cautious about relying too heavily on SaaS and is implementing extra monitoring and logging to mitigate potential risks.

Overall, Mercury’s proactive approach to security and willingness to learn from other companies’ breaches have allowed them to continuously improve their zero-trust practices. By prioritizing remote access security and making necessary changes to their VPN, device security, and incident response plans, Mercury aims to stay one step ahead of attackers and protect their valuable financial technology infrastructure.
