Skip to main content

Death to Security Audits and Long Live Compliance

My idea security situation is one that never needs an audit.  It should be proactive and not let you hurt your self or require you follow a "Policy".  The future, especially in cloud environment, should be solutions like Chef Compliance and Dome 9 Security.  I am not saying these solutions are the ones you should pick but they are the ones that in body the principles you should have.  Your environment should be one that never gets audited.   It only tests your security controls.  Even the test could be automated, so that you can prove your compliance is in place and your new admin can't open port 3389 on your firewall or grant god permissions to accounts in your environments.

"This will never be us!!"  I hope you don't think this.  As I have said many times, this is a journey of continuous improvement.  Find ways to meet compliance through automation and prevention.

Comments

Post a Comment

Popular posts from this blog

2020 State of DevSecOps by Accurics

 This is an excellent report for all IT Pros and Engineers.   Highlights: Storage is most impacted solution Open security groups or network configuration Secrets are not so secret Unused resources are not secure. Take a look at these.  Look again.  These are not highly skilled problems.  They just need guidelines and proactive management.  The article uses policy as code as a solution for many of the problems.  I will drill into each of these more in the future.  I wanted to get the awareness out first and then, come back to solutions.  
Post a Comment
Read more

Manage IT by Johanna Rothman

I just completed this book. I think it is a really good book which covers a whole lot of software development. This book could possibly be the best book for first time project managers. I believe many of the PMs understand PMM but do not understand software development. This book gives a view of each project role. The only one that it does not cover is Business Analyst or requirements documentation. It does cover QC, development and of course PMs. It gives a PM a view into development processes like TDD, CI and estimation. Many PMs that are new to SD can read this book and get a great start to manager an SD project. If you are a PM or know some, read this book. http://www.jrothman.com/
3 comments
Read more

Learn Anti-Leadership from Basecamp

 There are many different articles out there and Twitter comments about the Basecamp drama.  I am not going to post any here because it might seem biased depending on the article.  Google them yourself.  In short, Basecamp made a policy to not allow political discussions at work.  Coinbase did this previously too and applauded Basecamp for it.   Apparently, for years there has been a list of funny customer names at floating around Basecamp.  This list or even the knowledge that Basecamp had a list, was disturbing to some employees.  Also, some employees tried to start a Diversity and Inclusion practice.  Despite how much the founders of Basecamp promoted DI, they didn't feel they were being taken serious.  They felt the company was only about the founders and not about employees.    If this isn't enough, the founders debated and even called out employees for their comments regarding the topics, publicly.  This is my s...
Post a Comment
Read more