The Chan Zuckerberg Initiative (CZI) is committed to leveraging our core principles of collaboration, open science and diversity, equity, and inclusion to realize our mission of a better future for all. In doing so, we build tools with dedicated technology teams and fund technology development to accelerate progress in science and education. From software development to our Central Technology Security Engineering team, CZI’s “Tech Talks” series features members of our technology teams who are working to develop and support tools that drive innovation and create impact.
In this edition, we meet Annie Ku, a software engineer on the CZI security engineering team. The team supports the infrastructure for all of the CZI program teams building tools in education and science, as well as the infrastructure that teams across the entire organization need to do their work securely and efficiently. Annie joined CZI shortly after graduating from Olin College with a major in electrical and computer engineering. Her interest in computer security grew after a few small security projects and internships that led her to join the CZI Central Technology team.
I consider my role on the Central Technology team as one of the necessary layers to building our initiatives’ technology and tools.
What does it mean to work as an engineer on the Security Engineering team at CZI?
The Security Engineering team’s main goal is to make the “secure thing” easy to do for all teams at CZI. The Education and Science Initiatives might have different challenges but they both have assets and data that require security and protection. I work with both the Science and Education Initiatives and the larger Central Technology team to roll out better security processes to protect our systems and users from attack.
Tell us how your role in central tech at CZI supports the various initiatives and programs.
I consider my role on the Central Technology team as one of the high-leverage layers to building our science and education technology and tools. The first layer is level one, in which technology teams within science or education build specific products for scientists, educators, and students. My role is the next layer, and I support those level one teams by identifying common security issues and developing ways to avoid introducing insecure code.
Are you working on challenges that are unique to CZI?
I find CZI’s challenges really interesting. Multiple communities rely on CZI’s products — from educators, researchers, scientists, community leaders, and more. It’s challenging because we’re tasked with balancing security and usability for different tech stacks and audiences.
Do you have any examples or stories that really highlight these challenges?
One of the biggest challenges I face in my role at CZI is defining adequate access controls. It’d be easy to give everybody more permissions than needed, but that would mean someone might see or change something they shouldn’t. To help further improve our access control with increased efficiency, I migrated more than 100 apps and services from our legacy Identity Provider (IdP) to a new one. Our new production-ready IdP dynamically utilizes employees’ HR profile data, like their job family or product team, to auto-assign the apps they need. The work was rewarding because we could make onboarding more efficient with security guarantees, no matter what tech stacks they use or what team they are on.
When you joined the team, where was CZI’s infrastructure and security? And how have you been involved in advancing the technology?
When I first joined CZI, the security engineering team consisted of only two people. The team has continued to grow with the commitment to build the security infrastructure for CZI engineers to continue to develop secure science and education products.
Our team’s intention is to make it easier to do the “secure thing” based on security industry best practices. For example, when we were managing static Amazon Web Services’ (AWS) credentials a little more than two years ago, I developed aws-oidc, which allows us to tie ephemeral AWS credentials to a corporate “identity” defined by our identity provider. This is important because leaked credentials won’t be effective for long as you’ll have to verify your identity again before requesting new credentials.
Can you tell us a little bit about the technologies used in your role?
In my role, if I build something from a blank slate, like an authentication flow or a microservice that hasn’t been built before, I usually opt to go with Golang. Golang is relatively easy to iterate, easy to distribute, and easy to update dependencies. In other instances, I have to understand and design what infrastructure components are needed — from data storage to defining how the service runs in the first place. Through my work, I’ve also become an avid proponent of managing all of our assets in code. That way we can continue to iterate the code based on our needs.
When available, we build upon existing vendor technologies by using Okta as our identity platform and AWS as our cloud infrastructure provider.
I also want to highlight some of the awesome open source work by the security engineering team at CZI: blessclient, cztack and fogg. I’m constantly in awe of my teammates because they simplify really complex technologies into usable units available to benefit our entire technology team.
How does work on infrastructure and security make a difference across the organization?
Our Central Technology team is helping CZI be good stewards of its resources, from sensitive user data to product credentials. The security engineering team focuses on the developers’ perspective, trying to address questions such as what does it take to secure our cloud infrastructure? Or how can we do this in a way that makes it frictionless for engineers? We’re consistently figuring out problems like this to make the secure thing easy to do.
How does your work support CZI’s larger mission to help solve some of society’s toughest challenges and to build a more inclusive, just and healthy future for everyone?
CZI is pretty unique in that building technology is an integral part of how we do our work. Co-Founder and Co-CEO Dr. Priscilla Chan says, “Luck is not a national strategy. We need to build strategies that take luck out of the equation for every person.” For my job, we have to convey why Information Security is an important component of any technology today. Our challenge is making it accessible for everyone, not just a select few.