How To Make Network Segmentation More Secure And Less Difficult For Everyone

By Blog, Security

Why Network Segmentation Is Hard: Very few things frustrate me more than administrative roadblocks that slow me down or make it more difficult to do work. I want to get from staging to production with as little interference as possible. The question every engineering team faces is how to allow that without compromising security. That’s the challenge of network segmentation. The goal is a segmentation strategy that creates enough segmentation between systems that you can…

Alternatives to Gravitational Teleport

By Blog

Gravitational Teleport is a powerful tool allowing organizations to secure access to SSH servers and Kubernetes clusters via a centralized authentication method. However, if you need to secure access to databases, Windows servers or internal web applications in addition to Linux servers/Kubernetes, there are other options to consider. This blog post looks at a few alternatives and discusses the pros and cons of each. For the impatient, I’ve put together a quick feature matrix that…

SOC 2 Terminology Glossary

By Blog, SOC 2

SOC 2 compliance, like so many things related to IT and security, is chock-full of terms and acronyms to learn. If you are just getting started with SOC 2, it’s helpful to get familiar with this alphabet soup ahead of time so you can move your compliance efforts forward with confidence. Below is a SOC 2 terminology glossary to get you started: AICPA: The American Institute of CPAs, formed in 1887, set…

Writing Your Security Incident Response Policy

By Blog, Security, SOC 2

The Security Incident Response Policy (SIRP) establishes that your organization has the necessary controls to detect security vulnerabilities and incidents, as well as the processes and procedures to resolve them. The tricky thing about this policy is that it needs to be both concise and comprehensive, and finding that balance can be a delicate dance. This article will point you to the core concepts within the SIRP so that you understand…

PostgreSQL logging best practices

By Blog

There are several reasons why you might want an audit trail of users’ activity on a PostgreSQL database: when things go wrong, you need to know what happened and who is responsible; you store sensitive data, maybe even PII or PHI; you are subject to compliance standards like SOC 2 or PCI DSS. Both application and human access are in scope. Since application activity can be logged directly within the app, I’ll focus on human access:…

Alternatives to Hashicorp Vault

By Blog

HashiCorp Vault is a powerful secrets management tool that is well suited to automating the creation, distribution, and destruction of secrets. However, if your goal is to secure access to sensitive systems, a secrets store is not the only approach. In this blog post we’ll look at a few alternatives, with my take on the strengths and weaknesses of each approach. First, however, a quick matrix comparison of features may give you the…

Identity Federation on AWS and Azure Instances

By Blog, Uncategorized

Why? That’s a good question to start with: what’s the goal? Here we’re talking about managing access to instances on AWS and Azure in a unified way, and there are a number of possibilities, including (not exhaustive): local users from a CSV list with a script; local users using a configuration management tool; a central directory (NIS, AD, LDAP); strongDM. While the first two options are legitimate for local service accounts, they really…

Scaling Your SSH Strategy

By Blog

In our last post, we discussed some of the challenges inherent in managing SSH keys across your infrastructure as you scale the number of team members and servers. In this post, we will dig into some of your options and the trade-offs that they involve. Review: Before we get going, let's recap the main criteria that we are concerned with for any solution that we implement. Briefly, we want to ensure that…

How To Prepare For Your First SOC 2 Audit | A 30-90-120 Day Plan

By Blog, SOC 2, SOC 2 Type 1

Despite thousands of articles, there’s shockingly little actionable advice to help startups complete SOC 2. For teams without dedicated compliance staff or six-figure budgets, we set out to answer: when to pull the trigger on SOC 2; who needs to be involved in prep work and which tasks can and cannot be delegated; how to narrow the scope and save as much time as possible; and what achievable best practices look like for each…

The Key To Your SSH Strategy

By Blog

If you work with systems that run any variety of Linux or BSD, then the probability is high that you have dealt with SSH. Invented in 1995 and established as an internet standard by the IETF in 2006, Secure SHell has become the default mechanism for remote access to servers by individuals and teams everywhere. SSH Authentication: Authenticating yourself to *nix servers can take a variety of forms, but the most common among…

How to create a Linux bastion host and log SSH commands Part 2 | A step-by-step tutorial

By Blog

Want to secure remote access to a private network? In this series of technical posts, we will share step-by-step instructions to create a Linux bastion host and create an audit trail by logging SSH commands. This article is split into three parts. Part 1: Creating your bastion hosts. This post shows you how to create Linux virtual machines in Amazon Web Services, set up virtual networking, and create initial firewall rules to access the…

How to create a Linux bastion host and log SSH commands Part One | A step-by-step tutorial

By Blog

Want to secure remote access to a private network? In this series of technical posts, we will share step-by-step instructions to create a Linux bastion host and create an audit trail by logging SSH commands. This article is split into three parts. Part 1: Creating your bastion hosts. This post shows you how to create Linux virtual machines in Amazon Web Services, set up virtual networking, and create initial firewall rules to access the…

Practical Tips to Improve Data Center Security and Compliance

By Blog, SOC 2

In this post, we’ll answer the following questions: How do I know what rules and regulations I need to follow when protecting my data and data center? Where should I host my secure data center infrastructure (on-prem vs. colocation facilities vs. cloud vs. hybrid solution)? How do I plan for - and recover from - a physical data center failure?

How to Write Your Software Development Lifecycle Policy

By Blog, SOC 2

With headline-grabbing software vulnerabilities becoming more and more prevalent, now is the time to tighten up your development practices into a well-written SDLC policy. This particular information security policy will help your development teams standardize on coding tools and practices, as well as get everybody on the same page from a security standpoint. And when you do have an incident, you will be able to demonstrate to your customers that you do…

System Changes Policy 101

By Blog, SOC 2

In the world of SOC 2, the general rule is to write a policy, procedure or log entry for just about everything that happens in your environment. This is especially important when it comes to system changes, as auditors want to see that you have detailed logs of what’s happening in your environment, that the changes are properly documented and communicated across your organization, and that you can effectively debug problems after a change is…

How to Write a Disaster Recovery Policy

By Blog, SOC 2

As you prepare your company to endure and recover from a disaster, two primary information technology policies should be in place: business continuity and disaster recovery. These two policies help you plan for – and recover from – adverse events, but the difference lies in the goals of each policy: business continuity focuses on returning your business to normalcy, while disaster recovery details the minimum necessary functions for your business to survive.

Log Management and Review Best Practices

By Blog, SOC 2

When an information security incident occurs, you need to be able to gather as much information about it as quickly as possible. There’s also a very real possibility that you will have to involve outside parties - such as an incident response team - to help you as well. That means you can’t approach log management and retention as a simple checkbox. Instead, you need to have rich data that captures audit logs from all…

Defining Your IT Vendor Management Policy

By Blog, SOC 2, SOC 2 Cost

Here are four practices to consider when creating your IT vendor management policy. 1. Evaluate vendors: IT services vendors are generally very good at assuring you their product or service is like oxygen - you can’t live without it! They will throw around a lot of acronyms and buzzwords like “next-gen” in hopes of dazzling you into signing on the dotted line. Resist that temptation for now, and instead create a template with questions to…

Password Policy Best Practices

By Blog, SOC 2, Uncategorized

Passwords are one of the most common targets for hackers, so it’s imperative that your company enforce a strong password policy. This policy will not only define the requirements of the password itself but the procedure your organization will use to select and securely manage passwords.

SOC 1 vs SOC 2 | When Is The Right Time To Pursue SOC 2?

By Blog, SOC 2, SOC 2 Type 1

Confusing SOC 1 and SOC 2 is easy. While both compliance frameworks attest to the controls used within your organization, the frameworks differ in focus. SOC 1 looks at your organization’s financial reporting, while SOC 2 focuses on how you secure and protect customer data. This blog post will focus on exploring the differences between SOC 1 and SOC 2.

Remote Access Policy Best Practices | A Practical Guide to SOC 2 Compliance

By Blog, SOC 2

Our world has changed. Gone are the days of an 8-to-5 workday at a physical office and leaving all your responsibilities behind at the end of the day. We now live in a 24x7 global economy and are perpetually connected to our corporate networks with cell phones, laptops, and tablets. The convenience of “work from anywhere” introduces some exciting challenges for your information security and information technology teams, and that’s where the…

Workstation Security Policy Best Practices | A Practical Guide to SOC 2 Compliance

By Blog, SOC 2

Some might say that workstations are a necessary evil. Users with varying degrees of technical and security aptitude are using them 24/7, communicating with the world and taking care of business. With workstations being an indispensable part of business comes a substantial security burden, especially for your information technology staff. In the workstation security policy, you will define rules intended to reduce the risk of data loss/exposure through workstations. Often, information security best practices are…

Encryption Policy Best Practices | A Practical Guide to SOC 2 Compliance

By Blog, SOC 2

You wouldn’t leave the house without making sure your doors and windows were locked, and that any valuables were hidden or secured in a safe. That way, if you were robbed, the burglar would have a difficult time accessing your most precious assets. In the same way, you need to make sure your organization’s critical data is well protected. While layers of defense such as firewalls and IDS/IPS are essential, they are not…

Access Onboarding and Termination Policy | A Practical Guide to SOC 2 Compliance

By Blog, SOC 2

It's easy to focus on cybersecurity threats like social engineering and phishing. However, internal threats, such as human error and disgruntled employees, can be just as dangerous - and are often overlooked. A mature onboarding and termination policy is essential to preventing a data breach. Employees and other internal users were the cause of 60% of data breaches - both intentional and accidental - in 2016. In the world of SOC 2, these types of…

Business Continuity Policy Best Practices | A Practical Guide to SOC 2 Compliance

By Blog, SOC 2

A business continuity policy is a critical part of your SOC 2 preparation. An estimated 25% of businesses never fully recover from a major disaster. For small businesses, in particular, it can be difficult to return to normalcy after a significant disruption. Most companies have insurance and emergency funds, but those won’t protect you from failure to provide business functions at an acceptable level to your customers. A business continuity policy is critical to your…

How SOC 2 Saves Time On Security RFI | A Practical Guide To Answer Any RFI

By Blog, SOC 2

You’ve gone through the rigorous process of completing your SOC 2 attestation. Your policies are thorough, you have airtight procedures, your staff is sufficiently trained, and if anybody so much as sneezes around your datacenter you’ll know about it before someone says, “Gesundheit!” It’s time to kick back in your chair, throw your feet up on the desk and relax, right? But what if a customer sent over an RFI (Request For Information) this afternoon?…

Data Center Security Policy Best Practices | A Practical Guide for SOC 2 Compliance

By Blog, SOC 2

There are many things to consider and questions to ask yourself when setting up your data center. Should you host your data on-premises or in the cloud? If the data is cloud-hosted, who is responsible for security? Is it the company who owns the data, the cloud provider, or both? The data center security policy outlines procedures and information security measures to prevent unauthorized physical access to your…

What’s Included in a SOC 2 Report: A Breakdown

By Blog, SOC 2, SOC 2 Type 1

A SOC 2 report (System and Organization Controls report 2) focuses on the controls a company uses to protect customer data, as well as the operating effectiveness of those controls. A SOC 2 report should not be confused with a SOC 1 report, which focuses on controls relevant to a company’s financial reporting, nor with a SOC 3 report, which covers the same ground as a SOC 2 report but as a general-use summary written in plainer language without the detailed test results.…

How Long Does It Take To Complete a SOC Audit | A Timeline To Plan for SOC 2

By Blog, SOC 2, SOC 2 Type 1

You scheduled your on-site SOC 2 testing. While the initial step is complete, there is still a lot of process and time before you’re past the finish line. This post will help you plan and manage time expectations and establish a timeline of deliverables, working backward from your SOC audit start date. The Purpose of SOC 2 Audits: SOC stands for “System and Organization Controls,” and controls…

Which Compliance is Right for Me?

By Blog, SOC 2, SOC 2 Cost

HIPAA. NIST. ISO. FedRAMP. FISMA. SOC 2. These are just a few of the acronyms for compliance frameworks that your customers may be asking you about. The big question your organization needs to answer is, “Which compliance is right for me?” This blog post will focus on helping you understand some of the popular compliance frameworks, and specifically how they relate to SOC 2. HIPAA vs SOC 2 HIPAA (Health Insurance Portability and Accountability Act)…