Skip to main content

Death to Security Audits and Long Live Compliance

My idea security situation is one that never needs an audit.  It should be proactive and not let you hurt your self or require you follow a "Policy".  The future, especially in cloud environment, should be solutions like Chef Compliance and Dome 9 Security.  I am not saying these solutions are the ones you should pick but they are the ones that in body the principles you should have.  Your environment should be one that never gets audited.   It only tests your security controls.  Even the test could be automated, so that you can prove your compliance is in place and your new admin can't open port 3389 on your firewall or grant god permissions to accounts in your environments.

"This will never be us!!"  I hope you don't think this.  As I have said many times, this is a journey of continuous improvement.  Find ways to meet compliance through automation and prevention.

Comments

Post a Comment

Popular posts from this blog

2020 State of DevSecOps by Accurics

 This is an excellent report for all IT Pros and Engineers.   Highlights: Storage is most impacted solution Open security groups or network configuration Secrets are not so secret Unused resources are not secure. Take a look at these.  Look again.  These are not highly skilled problems.  They just need guidelines and proactive management.  The article uses policy as code as a solution for many of the problems.  I will drill into each of these more in the future.  I wanted to get the awareness out first and then, come back to solutions.  
Post a Comment
Read more

Learn Anti-Leadership from Basecamp

 There are many different articles out there and Twitter comments about the Basecamp drama.  I am not going to post any here because it might seem biased depending on the article.  Google them yourself.  In short, Basecamp made a policy to not allow political discussions at work.  Coinbase did this previously too and applauded Basecamp for it.   Apparently, for years there has been a list of funny customer names at floating around Basecamp.  This list or even the knowledge that Basecamp had a list, was disturbing to some employees.  Also, some employees tried to start a Diversity and Inclusion practice.  Despite how much the founders of Basecamp promoted DI, they didn't feel they were being taken serious.  They felt the company was only about the founders and not about employees.    If this isn't enough, the founders debated and even called out employees for their comments regarding the topics, publicly.  This is my s...
Post a Comment
Read more

Cloud Ops: The New IT for the Cloud Era

Over the past few months of interviewing and researching dozens of companies—particularly small to mid-sized SaaS businesses—one pattern keeps emerging: the desire to stand up a Cloud Operations (Cloud Ops) organization. It makes sense on the surface. Cloud is now the infrastructure of choice, so naturally, someone needs to “own” it. But what’s unfolding in practice often misses the mark. Many companies are attempting to solve growing cloud complexity by taking all their DevOps, SRE, and platform engineering talent and consolidating them into a Cloud Ops team. The idea? Share them across product teams so no one gets overwhelmed. If that sounds familiar, it should. It’s the same centralization tactic used by traditional IT for decades. And it's creating the same problems. When Cloud Ops Becomes Old IT in Disguise Here’s the playbook we’re seeing: Move DevOps, SRE, and Ops into a central Cloud Ops team. Let them handle infrastructure, CI/CD, monitoring, and cloud securit...
Post a Comment
Read more