Niki on 22 March 2017

An interview with CTO and co-founder of Plek: David Clarisse

We would like to give you another peek into the world behind Plek. Earlier we explained that it's very important for us to keep Plek simple but still incorporate a lot of complex functions. Equally important is the safety of the platform. Users share lots of information on Plek. All this information should be easy to find for the right people, but should not fall into the wrong hands. Today we will focus on an important task: the security of Plek. We're interviewing David Clarisse, Technical Director and co-founder of Plek, about keeping Plek safe and secure.

Let's get to know David a little bit. Who is David?

“I studied computer science with a specialization in encryption. After that, I worked as a freelancer for a few years. I got to do all sorts of fun projects, and I met Stefan (co-founder of Plek) at one of them. Together we started Safeberg, a secure online backup application. We were working on other projects simultaneously, and that's how ILUMY began. We developed Plek a few years later. I'm CTO at ILUMY and Plek, and I work together with nine other developers to make Plek smarter, simpler, more beautiful and safer. We research new technologies and think about Plek's future to make sure we can offer the best, safest and most beautiful platform. Now and in the future.”

Can you tell us more about your role within Plek?

“As CTO I supervise the developers, but I'm also often visiting clients to provide them with technical advice. Furthermore, I am Plek's Product Owner. Different clients have different needs, and I have to decide what's best for Plek as a product. We would like to further develop Plek and add new features, but we also need to look carefully at what's best for the quality of the product as a whole. Safety is very important to us, so I pay a lot of attention to that.

When we launched Plek in 2013, speed and user friendliness were our main targets. But we got more and more clients who greatly valued security. Plek was already hosted on supersafe servers with a redundant set-up (two data centers, so Plek keeps going if one of them is down) at True. But if you are serious about security, you also have to ensure that hackers can't get in. We underwent our first penetration test two years ago, in which ethical hackers tried to get into Plek. After that test we adapted Plek's architecture and rebuilt a large part of it to make it extra safe. We recently underwent another penetration test and passed with flying colors!”

How safe is Plek? And how do you know it really is safe?

“A penetration test is merely a way to check if a hacker can enter within a specific amount of time (usually 2 weeks). Successfully passing the test doesn't mean your product doesn't have any problems. That's why it is important to go for the safest option in every development within Plek. The framework in which we develop Plek doesn't allow hackers to insert malicious code. For example, a user can't place JavaScript in a message. Everything a user does on Plek passes several checks, for example to prevent cross-site scripting. Furthermore, our chat is end-to-end encrypted by default. At the start of a chat a key is generated by person A and by person B. Each message they send is encrypted using the key of the other person.

We always opt for the highest standards when it comes to security. And should there be a security leak despite all our efforts, it's important to act quickly. In such a case we have the capacity to quickly update Plek and immediately inform users.”


Why is it so important to have a secure chat?

“I noticed there are usually two kinds of people sitting at our clients' tables: users and IT professionals. Users first and foremost want a simple social platform where they can quickly post messages with images and videos, like and comment on colleagues' posts, and upload and search documents. Privately they often use WhatsApp, and they're looking for something similar to use for work. The security and IT departments are really only concerned with their high safety standards. One of their main concerns is to keep people from outside the office from gaining access to confidential company information. That's why they want the chat to be encrypted, and why they don't want the servers to be on American soil (to keep them from being subjected to the Patriot Act). The tricky part is to find a solution that works for both kinds of people.

The most convenient option is not always the safest one, and vice versa. Using an application like WhatsApp, which is outside the control of the organization, can easily cause leaks. And an application such as SharePoint may be very safe, but is not easy to use. Ultimately the most important thing for organizations is to get a communication tool that is friendly and preferably as easy to use as WhatsApp, but that simultaneously meets the high security standards of the IT professionals in the organization. That's Plek!”

What makes Plek better and safer than its competition?

“As for the Dutch competitors: their platforms are often not primarily focused on security. Usability is their main objective, and end-to-end encryption is generally not supported. Besides, many competitors only have a timeline, and no personalized homepage with blocks - which is actually very useful if you're in multiple groups - and they often don't have a chat. Conversely, our major foreign competitor Slack mainly focuses on chat and fleeting communication. But they don't have a timeline at all. And besides, their servers are in the U.S.A., which means they are subject to the Patriot Act. For Plek we chose to combine a social intranet (with posts on a timeline plus a personalized homepage) with chat. This makes Plek suitable for short and fleeting communication as well as for more substantial long-term content.”

What are you most proud of?

“I'm most proud of our deployment of Plek at KPMG. They really wanted to work with Plek but it quickly became clear that their security standards were much higher than those of our other clients. We had to answer an extensive questionnaire regarding security and underwent another penetration test. We also had to host Plek on Microsoft Azure servers for the first time. It was a long road but when we finally launched Plek at KPMG it really took off! On the first day, the app was downloaded 900 times and we had over 1,000 active users. Our commitment was truly rewarded. It makes me proud that a large organization like KPMG, with such high security standards, put its trust in a young organization like Plek.”

And what would you like to improve?

“I would like to work on some integrations. We now have an integration with Salesforce (when a sale is made, the sales team is notified in Plek chat). We are working hard to fully integrate SharePoint and Google Drive. Users don't need one single platform that does everything, because that would be too complex. But they do need different platforms to work well together. Plek's main goal is communication; it's not a DMS (document management system). An integration with SharePoint or Google Drive would allow you to use documents in your communication, or to communicate about your documents. We determine which features should not be a part of Plek, and we create integrations for these so the user can still easily use these features within Plek.”

What is your vision for a supersafe Plek in the future?

“Ideally I would want to fully encrypt Plek. Of course the Internet connection is encrypted and the servers are secure. But only the chat is currently end-to-end encrypted. If we fully encrypt Plek, the information users share with each other is completely inaccessible to outsiders. The challenge is to make sure the search feature continues to work, and increase security at the same time. If you immediately encrypt all data entered by a user and only decrypt it when another user is accessing that data, all the data on the server has to be encrypted. But the search feature runs on the server, and it's not possible to search within encrypted data. So the challenge is to find a middle ground, such as a temporary decryption of data on the server so it can be searched.

We are also working on something entirely different: speeding up the rollout of new versions and security fixes of Plek. We currently work with a four-week release cycle, but we want to be able to do daily fixes and update as quickly as possible.”
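The trade-off David describes in this answer (and the principle behind the earlier answer that the server should hold only ciphertext) can be made concrete. The following is an added illustration, not Plek's code and not the design Plek uses: it stores posts encrypted client-side, shows that a naive server-side word search over ciphertext finds nothing, and then shows one alternative to temporarily decrypting on the server, a "blind index" in which the client also uploads keyed hashes (HMAC) of each searchable term so the server can answer exact-term queries without ever holding a key. The cipher is a demonstration construction (HMAC-SHA256 keystream with an encrypt-then-MAC tag) so the script runs with the Python standard library only; a real deployment would use an authenticated cipher such as AES-GCM. Key distribution among group members is assumed to be solved elsewhere and is out of scope here. All posts and keys below are constructed for the example.

```python
import hashlib
import hmac
import os
import re

# Demo construction (not Plek's code): HMAC-SHA256 keystream in counter mode plus
# an encrypt-then-MAC tag, standing in for a real AEAD such as AES-GCM.
NONCE_LEN = 16
TAG_LEN = 32


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Client-side encryption: the server only ever receives this blob."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Client-side decryption; rejects any blob whose tag does not verify."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: blob was modified")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


def terms(text: str) -> set:
    """Normalise a post into the set of words the client wants to be searchable."""
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def blind_tokens(index_key: bytes, text: str) -> set:
    """Keyed hashes of each term; the server stores these instead of the words."""
    return {hmac.new(index_key, t.encode(), hashlib.sha256).hexdigest() for t in terms(text)}


class Server:
    """Holds ciphertext and blind-index tokens, never the keys."""

    def __init__(self):
        self.records = []  # (post_id, blob, tokens)

    def store(self, post_id: str, blob: bytes, tokens: set) -> None:
        self.records.append((post_id, blob, tokens))

    def search_plaintext(self, word: str) -> list:
        """What a naive server-side search does on encrypted data: nothing useful."""
        return [pid for pid, blob, _ in self.records if word.encode() in blob]

    def search_blind(self, token: str) -> list:
        """Exact-term search on the blind index, with no decryption on the server."""
        return [pid for pid, _, tokens in self.records if token in tokens]


def demo() -> dict:
    # Keys live on the clients (assumed shared among group members); the server never sees them.
    enc_key, mac_key, index_key = os.urandom(32), os.urandom(32), os.urandom(32)
    server = Server()
    posts = {  # constructed sample posts
        "p1": "Q3 budget draft attached, please review before Friday",
        "p2": "Lunch on Friday? The new place near the office",
        "p3": "Reminder: budget sign-off is next week",
    }
    for pid, text in posts.items():
        server.store(pid, encrypt(enc_key, mac_key, text.encode()), blind_tokens(index_key, text))

    # The client turns its query into the same keyed token before asking the server.
    query_token = next(iter(blind_tokens(index_key, "budget")))
    hits = sorted(server.search_blind(query_token))
    naive_hits = server.search_plaintext("budget")

    # A reader holding the keys (another group member) decrypts a hit; the server cannot.
    blob = next(b for pid, b, _ in server.records if pid == hits[0])
    recovered = decrypt(enc_key, mac_key, blob).decode()

    tampered = bytearray(blob)
    tampered[NONCE_LEN] ^= 0x01  # flip one ciphertext bit; the tag check must catch it
    try:
        decrypt(enc_key, mac_key, bytes(tampered))
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    return {"blind_hits": hits, "naive_hits": naive_hits,
            "recovered": recovered, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(demo())
```

The blind index answers exactly the question the answer raises (can the server search data it cannot read?) but only for whole-term equality, not substrings or relevance ranking, and the server still learns which posts share a term and how often each token is queried. Those leaks are the price of not decrypting on the server; the temporary-decryption middle ground David mentions trades them for a window in which plaintext exists server-side.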


Would you entrust your own secrets to Plek?

“That depends: which secret, and in which group?! As a company you should always carefully handle sensitive information. So within Plek you have to carefully think about who has access to what. We try to make it very clear in the interface who is going to see what you're about to post, so you won't accidentally share information intended for management with the intern.”