BioTrackTHC Case Study

How BioTrackTHC is Building Security Into the Cannabis Industry

Home > Resources > Case Studies > BioTrackTHC Case Study

There are few industries garnering more attention than the cannabis industry – recently transforming from a taboo subject into a significant money maker for a number of progressive states. As the benefits become crystal clear to anyone with an open mind, more states are continuing to pass laws to legalize marijuana use in some form or fashion, leading to the rapid growth of a nearly $7 billion industry in the US alone, with expected growth to $24 billion by 2025. New industries come with new challenges, which create opportunities for forward-thinking companies to solve.

Recognizing the need for a consistent, legal method of tracking cannabis across the entire supply chain, BioTrackTHC opened its doors in 2010 to provide business management and government oversight software to the industry. Its Seed-to-Sale track and trace technology monitors key data points during cultivation, harvesting, extraction, packaging, transporting/distributing, and dispensing by assigning a globally unique identifier to a marijuana seed before it is planted, tracking the plant and all of its derivatives through the product life cycle. The company implemented the Washington State Traceability System in 2013 - the first of its kind – and have since won contracts in New York, Illinois, Puerto Rico, New Mexico, Arkansas, North Dakota, Hawaii, and Delaware, as well as the local municipality of Arcata, California.

"We're glad that through ScaleFT we’re now able to offer our customers a product that puts us on par with Google’s own internal processes and policies. Having the same type of infrastructure and security controls is important to us."

- David Terrell, CTO of BioTrackTHC

Meeting Industry Challenges Head-on

The nascent industry is also one of the most scrutinized, with regulators and hackers alike continually knocking at the door, looking for compliance gaps to penalize and vulnerabilities to exploit. Since its founding, BioTrackTHC has demonstrated a strong commitment to software security and remains on a mission to bring standards to the entire cannabis industry; raising the bar with regards to security of the data and processes involved. The company isn’t shy to take the lead and hold everyone accountable, as evidenced by an open letter to the state of Washington. They are also the first company to be endorsed by a number of former state Attorney Generals as the "gold standard of marijuana traceability systems".

Meeting compliance standards is important to the maturity of the industry, however BioTrackTHC is looking even further. The industry carries a number of unique characteristics that require a personal touch to ensure the security controls in practice adhere to the policies in place.

For example, Personal Health Information (PHI) is protected by HIPAA regulations, forcing vendors to comply with a strict set of guidelines for data storage, data access, and data in transit. The PHI associated with the cannabis industry is even more sensitive, however. It’s one thing to leak data about your doctor visits, but it would be another to leak your cannabis use. Some employers may look down on that activity, leading to potential personal consequences. Although the industry is not currently protected by HIPAA as it is a federal program, BioTrackTHC has long focused on ensuring HIPAA compliance for when the day inevitably comes that the industry becomes federally regulated, at whatever level that may be. Passing the latest audit isn’t enough assurance on its own that customer data is safe and secure, however. At what point do the traditional compliance standards line up with real security in practice?

Another unique example with the cannabis industry lies in the mismatch of state and federal laws. This makes it difficult to leverage common business services most of us take for granted, such as banks and insurance companies. The challenge only compounds with the sensitivity of the inventory, and protection of the supply chain. Route data thus becomes a high target for a physical attack, but data that needs to be shared. How can the cannabis industry stay ahead of hackers, while staying ahead of industry demands?

BioTrackTHC is making a real difference across the industry by building security that gives customers and stakeholders better assurances that the data is protected – both personal and procedural. While other companies in the space place a lot of effort into clever marketing tactics, BioTrackTHC has kept its focus on strengthening its core engineering and security practices – and it shows in the quality of their product and care for the data they handle.

Adopting Zero Trust Principles

There is a movement making waves within the cyber-security industry – Zero Trust. At its core, it’s a security model with the mantra "Verify, then trust". In practice, this means ensuring that all access to protected resources are fully authenticated, authorized, and encrypted. This is in contrast to traditional perimeter-based security measures which grant trust just by "being in the network".

As a point of reference for the movement, Google went through a security transformation in the wake of a 2009 nation-state attack that targeted them and a number of large enterprises. As a result, Google began an internal initiative named BeyondCorp, which resulted in a Zero Trust security architecture that only grants access to company resources once a request is fully authenticated and authorized based on dynamic user and device conditions.

ScaleFT as a BeyondCorp Partner

BeyondCorp isn’t limited to Google alone, and companies of all kinds are looking to achieve similar security and productivity outcomes, but without having to go through such a significant transformation. Looking to find bleeding edge best practices and apply them to the nascent cannabis industry, BioTrackTHC turned to ScaleFT as the leading provider of BeyondCorp-inspired access management solutions delivered as an easy to adopt service.

Centralized Access Controls

Securing privileged access across all infrastructure environments is critical to mitigate the risk of an insider attack. As veteran security professionals, the team at BioTrackTHC understands the dangers of shared credentials and shared developer environments, where an insider with privileged access is able to move around laterally, undetected. Traditional methods, such as storing SSH keys in a vault, or maintaining a key rotation policy, may pass compliance checks, but they don’t hold up well in fast-paced, automated cloud environments.

With ScaleFT, every login attempt from every developer is individually managed and independently tracked. ScaleFT authenticates, authorizes, and centrally logs every SSH session, issuing an ephemeral client-certificate through its built-in Certificate Authority. Each certificate is limited in scope and time so it’s only valid for one-time use. There are no shared keys, nor shared developer environments, which significantly limits the attack surface.

With ScaleFT natively integrated with the company’s Identity Provider, BioTrackTHC enforces multi-factor auth as a policy requirement on server administration – something that would require custom development to hook up with alternative solutions. This workflow doesn’t impact the end user experience, and in fact, the team of nearly 20 engineers greatly enjoy how seamless ScaleFT operates.

Hybrid Infrastructure Environments

BioTrackTHC has two core lines of business – a commercial seed-to-sale tracking and business management product and the SaaS government traceability systems. The company operates a handful of data-centers local to its state customers, as well as multiple deployments in AWS GovCloud. BioTrackTHC is the first company in the cannabis industry to launch a live traceability system in a FedRAMP Authorized environment, Hawaii Department of Health's Traceability System. Since then, they've successfully transitioned nearly all of their government systems to this highly secure environment, and are able to offer the same for its future state Traceability Systems.

In order to comply with the requirements of FedRAMP, ScaleFT deployed a dedicated instance of its platform within the BioTrackTHC GovCloud account, ensuring a secure network along with the secure access controls provided by the platform. By leveraging secure cloud environments, BioTrackTHC can focus its efforts on meeting the challenges of the industry head-on without being distracted by IT operations.

The Path to BeyondCorp Starts With ScaleFT

BioTrackTHC is a believer in the BeyondCorp product, and recognizes that Zero Trust is the right security architecture for a modern organization operating in such a fast-paced industry. We’re happy to see the company continue to make strong moves across the entire cannabis industry, and are honored to play a key role in their top-notch security posture.

Sick of VPNs?

All of our plans start with a 30 day free trial. No credit card required. See our flexible Pricing Plans.

Start a Free Trial Request a Demo