How Virgin Hyperloop One protects its most precious data

VHO's high profile means its intellectual property is coveted by competitors, nation-states and curious hackers. Tightly controlled access is the key to protecting that data.

The concept of high-speed trains in low-pressure tubes has been around since 1799 when English inventor George Medhurst patented his “wind pump.” It’s only since Elon Musk took interest in the last ten years that the vision looks like it might become a reality.

Musk released his Hyperloop Alpha white paper in 2013. In it, the Tesla and SpaceX founder envisioned a new form of high-speed magnetic levitation (maglev) rail system in near-vacuum tubes that could travel at speeds of over 700 mph. Rather than pursue the idea himself, Musk released the initial concept to the world and has let others take the initiative.

Since then a number of companies have sprung up looking to develop the concept into a real-world form of transportation. One of the most well-established of these is Virgin Hyperloop One (VHO), a company looking to enable its engineers to work as securely and quickly as possible without increasing risk.

Security is mission-critical at VHO

Founded in 2014 as Hyperloop Technologies, the company took on the Virgin name in 2017 after investment from Richard Branson and his UK-based conglomerate. Having raised more than $400 million, today VHO has testing facilities in the US, UAE and India, and is looking to be ready for human passengers by 2022 with commercial lines opening a few years later.

“We've certainly iterated well beyond the original conceptual white paper,” says Dawn Armstrong, IT director at Virgin Hyperloop One. “We're continuing to iterate. There's lots to learn. We do a lot of simulations and some of them take days to come in and that generate an enormous amount of data that needs to be protected.”

Armstrong leads a team of around a dozen IT staff. The team is “broadly experienced” and all are security-focused as part of their jobs. With the valuable intellectual property (IP) and human safety aspect of public transport to think about, security is always high on the agenda at the company. “The nature of our business demands that we make security a mission-critical priority,” she says. “I've never really worked for a company before that I needed to concern myself with foreign actors. This company, I do, and it definitely keeps me up some nights.”

The publicity anything Hyperloop-related garners can also draw unwanted attention, especially for a company with facilities located near one of the biggest hacking conferences in the world. “We did have this incident at our test track. Last year during Black Hat, there was a van driving back and forth on the road just in front of our test facility,” says Armstrong. “Our security alerted us and it was your typical Black Hat hacker guys with their Pringles cans sticking out the window trying to pick up our Wi-Fi.”

Such events, while not common, highlight the downside that comes with having a high profile. “I get concerned that we have so much attention on us,” says Armstrong. “That just really raises the bar for somebody interested in disrupting your progress, whether that's a competitor, nation-state, somebody that doesn't want to see it happen, or somebody that wants to make a name for themselves.”

Collaborating with engineering

While VHO uses various software-as-a-service (SaaS) providers, the company is unlike many startups in that it stores most of its data on-premises so that the IT department has broader control than they would using developer instances on Azure or Amazon Web Services (AWS). The cloud providers the company does employ must be on the same page when it comes to security and authentication, and whether internal or SaaS, all applications within the company have strict access controls.

“We actually don't onboard any SaaS provider that doesn't provide single sign-on (SSO) support anymore,” says Armstrong. “Everybody has to be able to provide SSO and multi-factor authentication (MFA).”

Given the nature of VHO’s business, Armstrong is aware that security must be a business enabler, not a blocker, and can’t stand in the way of innovation. “I always like to say that the IT department has to move at Hyperloop speed,” she says. “Security is always a balance. If you lock it down so much, you completely kill productivity, and we have a really open, collaborative culture here.”

As part of that collaborative culture, the IT team often helps the engineers on-site, which allows them to ensure best practices around security are being followed. “One of the main reasons I love working here is that the IT department has a really close relationship with engineering. I just love working with the engineers and talking through some of the challenges with wireless on the pod and all that kind of stuff. We assist the engineering teams with our test facilities helping the engineers out and providing technical consulting to them.”

“That also affords us the ability and the transparency to kind of see what they're doing and to make sure that we're following best practices,” Armstrong adds. “It's important that every single step of the way we're all communicating internally to make sure that we're making all the right decisions to keep everything secure.”

IAM simplifies authentication

As part of its goal to ensure agility across the company, VHO adopted OneLogin’s identity and access management (IAM) platform across all applications and its entire IT estate to speed provisioning of security controls for applications and increase monitoring. “When I joined, the company was a lot smaller and we had an older legacy platform,” says Armstrong. “It was not scalable, and certainly not redundant and not really conducive to SaaS applications. I looked at beefing up the ADFS [Active Directory Federation Services] infrastructure, but it was just going to be way too time intensive and complicated and way too many servers to maintain.”

Going with an IAM vendor like OneLogin allowed VHO to deploy SSO applications quickly. “When we were using ADFS originally, it would take two weeks to spin up to get SSO working with one application, and now ... we've got it down to about an hour.”

The company also uses OneLogin Adaptive Authentication to help monitor executives and senior engineers who travel internationally and help prevent unauthorized access through unexpected behavior. “When we were smaller, I was able to keep a much better handle on who was where, but now, it's just, I have no idea,” says Armstrong. “This just makes life so much easier. It analyzes what IP you're logging in from, and then it will notify us and do slightly different behaviors if, for example, you're logging in from LA and then two hours later, you're logging in from Russia.”


Copyright © 2019 IDG Communications, Inc.

Subscribe today! Get the best in cybersecurity, delivered to your inbox.