
Death to Security Audits and Long Live Compliance

My ideal security situation is one that never needs an audit. It should be proactive, not let you hurt yourself, and not require you to follow a "policy". The future, especially in cloud environments, belongs to solutions like Chef Compliance and Dome9 Security. I am not saying these are the solutions you should pick, but they embody the principles you should have. Your environment should be one that never gets audited; it only has its security controls tested. Even the tests can be automated, so that you can prove your compliance is in place and your new admin can't open port 3389 on your firewall or grant god permissions to accounts in your environments.
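To make the idea concrete, here is an added example of what such an automated compliance test can look like. It is illustration code written for this post, not code from Chef Compliance, Dome9, or the original article; the environment snapshot, the rule and policy field names, and the control identifiers (FW-1, IAM-1) are all constructed assumptions. The two controls encode exactly the two failures named above: RDP (TCP 3389) reachable from the whole internet, and an identity policy that grants unrestricted permissions.

```python
"""Policy-as-code compliance checks (added example, not vendor code).

The snapshot format and control names below are constructed for this
illustration. Run as a script it exits non-zero on any finding, so it can
gate a deployment pipeline instead of waiting for a periodic audit.
"""
import ipaddress
import sys
from dataclasses import dataclass

RDP_PORT = 3389
ALL_PROTOCOLS = "-1"  # convention for "any protocol" in the constructed data


@dataclass(frozen=True)
class Finding:
    control: str
    resource: str
    detail: str


def _as_list(value):
    """IAM-style documents allow a string or a list in Action/Resource."""
    return value if isinstance(value, list) else [value]


def _covers_port(rule, port):
    """True when the rule's port range (None = all ports) includes `port`."""
    lo, hi = rule.get("from_port"), rule.get("to_port")
    return lo is None or hi is None or lo <= port <= hi


def _is_internet(cidr):
    """Only 0.0.0.0/0 and ::/0 are treated as 'the internet' here."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def check_firewall_rules(rules):
    """Control FW-1: no ingress rule may expose TCP/3389 to 0.0.0.0/0 or ::/0."""
    findings = []
    for rule in rules:
        if rule.get("direction") != "ingress":
            continue
        if rule.get("protocol") not in ("tcp", ALL_PROTOCOLS):
            continue
        if _covers_port(rule, RDP_PORT) and any(_is_internet(c) for c in rule["sources"]):
            findings.append(Finding(
                control="FW-1 rdp-not-internet-exposed",
                resource=rule["id"],
                detail=f"TCP/{RDP_PORT} allowed from {rule['sources']}",
            ))
    return findings


def check_iam_policies(policies):
    """Control IAM-1: no Allow statement may grant Action '*' on Resource '*'."""
    findings = []
    for name, doc in policies.items():
        for stmt in doc.get("Statement", []):
            if stmt.get("Effect") != "Allow":
                continue
            if "*" in _as_list(stmt.get("Action", [])) and "*" in _as_list(stmt.get("Resource", [])):
                findings.append(Finding(
                    control="IAM-1 no-wildcard-admin",
                    resource=name,
                    detail="Allow * on * (unrestricted access)",
                ))
    return findings


def run_compliance(snapshot):
    """Evaluate every control against an environment snapshot."""
    return check_firewall_rules(snapshot["firewall_rules"]) + check_iam_policies(snapshot["iam_policies"])


# Constructed sample: one compliant and one non-compliant item per control.
SAMPLE_ENVIRONMENT = {
    "firewall_rules": [
        {"id": "sg-bastion/rdp-from-vpn", "direction": "ingress", "protocol": "tcp",
         "from_port": 3389, "to_port": 3389, "sources": ["10.20.0.0/16"]},
        {"id": "sg-web/rdp-from-anywhere", "direction": "ingress", "protocol": "tcp",
         "from_port": 3389, "to_port": 3389, "sources": ["0.0.0.0/0"]},
        {"id": "sg-web/https", "direction": "ingress", "protocol": "tcp",
         "from_port": 443, "to_port": 443, "sources": ["0.0.0.0/0"]},
    ],
    "iam_policies": {
        "ReadOnlyBuckets": {"Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::logs/*"}]},
        "NewAdminShortcut": {"Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    },
}

if __name__ == "__main__":
    results = run_compliance(SAMPLE_ENVIRONMENT)
    for f in results:
        print(f"FAIL {f.control}: {f.resource} ({f.detail})")
    print("compliant" if not results else f"{len(results)} control(s) failed")
    sys.exit(1 if results else 0)
```

Run against the constructed snapshot it reports two failures (the RDP rule open to 0.0.0.0/0 and the wildcard admin policy) and exits 1; the same functions can be pointed at a real export of your firewall rules and policies, and the non-zero exit is what lets a pipeline refuse the change before it reaches production.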

"This will never be us!!"  I hope you don't think this.  As I have said many times, this is a journey of continuous improvement.  Find ways to meet compliance through automation and prevention.
