With the vision of making global trade easy, compliant, and secure, Flexport enables businesses to manage supply chains seamlessly, handling a continuous stream of data tied to goods, containers, aircraft, trucks, and every logistical link in between. Their offices are located on multiple continents and include dozens of product engineering teams. With sensitive customer data and proprietary business information stored throughout their databases, finding a data security solution that could safely keep production data out of their developers’ staging environments without sacrificing that data’s utility was a critical and complex challenge. Their security team required guarantees around privacy not only to ensure that all sensitive data be protected but to certify compliance with privacy regulations the world over.
“It’s a very hard problem to solve,” says Flexport Chief Information Security Officer Kevin Paige. “I’ve tried other tools in the past, but they were hard to use, my engineering teams hated them, and in the end, they never quite met all our needs.”
At one point, a Flexport engineer built a solution in house to generate data he urgently needed. It worked great for his specific use case, but its applicability ended there, and all too soon its data became outdated.
“Until you’ve tried to synthesize data, you don’t realize how important it is to find someone who does it for a living,” continues Paige. “We needed more flexibility, a more dynamic solution—we're going to have use cases tomorrow that we don't know about today—and, ideally, we wanted something easy for our developers to use.”
In 2019, Flexport approached Tonic with the goal of equipping their engineers to generate safe, synthetic data, capturing the complexities of multiple relational databases, so that all of their teams—and security—had protected data they could depend on.
With its easy Docker deployment, Tonic soon won fans in IT and among Flexport engineers who were instantly able to connect the platform to the data they needed. Flexport’s databases amount to hundreds of tables peppered with sensitive information, and with anywhere from three to five schema migrations per day, the data is in constant flux. To generate a fully functional, but secure, version of their vast data ecosystem, a member on each of Flexport’s 30+ development teams accesses Tonic’s UI to ensure that the tables their team needs are appropriately protected.
Tonic runs multiple times a day in line with Flexport’s schema migrations to generate fresh slices of data representative of production databases but stripped clean of all sensitive information. Ultimately, each developer at Flexport is equipped with a personal version of a synthetic database that they can use however they need without stepping on anyone else’s work. By exclusively using Tonic’s secure data for testing and development, Flexport obviates the need for access to production data and achieves real data protection, meeting global privacy obligations, as well as requirements for SOC 2 compliance.
Tonic is providing the long-sought-after flexibility and controls required to successfully support Flexport’s complex organization across multiple teams. CISO Kevin Paige describes it as a triple threat for DevSecOps: “Our security team loves it because it solves a complex problem crucial to reducing risk for our company. Infrastructure loves it because it’s on-prem and easily deployed in a container. And our engineers love it because it’s easy to use and integrates seamlessly into our software development lifecycle without asking them to do any extra work. That’s a huge win for us, equipping us with the real security we need to meet compliance obligations and safeguard our customer's privacy.”
Beyond the benefits of the platform, Paige says a key component of Flexport’s relationship with Tonic has been the responsiveness of Tonic’s engineers. “They’ve been fully involved and super helpful to our team, answering all our questions as they come up. We’re very happy to have found them.”