PostgreSQL logging best practices

There are several reasons why you might want an audit trail of users’ activity on a PostgreSQL database: When things go wrong you need to know what happened and who is responsible You store sensitive data, maybe even PII or PHI You are subject to compliance standards like SOC 2 or PCI DSS Both application and human access are in-scope. Since application activity can be logged directly within the app, I’ll focus

Read more

Alternatives to Hashicorp Vault

HashiCorp Vault is a powerful secrets management tool that is well suited to automating the creation, distribution, and destruction of secrets. However, if your goal is to secure access to sensitive systems, a secrets store is not the only approach. In this blog post we’ll look at a few alternatives, with my take on the strengths and weaknesses of each approach. First, however, a quick matrix comparison of features may

Read more

Identity Federation on AWS and Azure Instances

Why? That’s a good starting question to start with, what’s the goal? Here we’re talking about managing access to instances on AWS and Azure in a unified way and there’s a bunch of possibilities, including (not exhaustive): Local users from a csv list with a script Local users using a configuration management tool Using a central directory (NIS, AD, LDAP) Using strongDM While the two first options are legit for

Read more

Scaling Your SSH Strategy

In our last post, we discussed some of the challenges that are inherent to management of SSH keys across your infrastructure as you scale the number of team members and servers. In this post, we will dig into some of your options and the trade-offs that they provide. Review Before we get going, let’s recap the main criteria that we are concerned with for any solution that we implement. Briefly,

Read more

How To Prepare For Your First SOC 2 Audit A 30-90-120 Day Plan

Despite thousands of articles, there's shockingly little actionable advice to help startups complete SOC 2. When you don't have dedicated compliance teams or six figure budgets, we set out to answer: When to pull the trigger on SOC 2. Who needs to be involved in prep work & what tasks can/can not be delegated. How to narrow the scope and save as much time as possible. What are achievable best

Read more

The Key To Your SSH Strategy

If you work with systems that run any variety of Linux or BSD then the probability is high that you have dealt with SSH. Invented in 1995 and established as an internet standard by the IETF in 2006, Secure SHell has become the default mechanism for remote access to servers by individuals and teams everywhere. SSH Authentication Authenticating yourself to *nix servers can take a variety of forms, but the

Read more

How to create a Linux bastion host and log SSH commands Part 2 | A step-by-step tutorial

Want to secure remote access to a private network? In this series of technical posts, we will share step-by-step instructions to create a Linux bastion host and create an audit trail by logging SSH commands.   This article is split into three parts: Part 1: Creating your bastion hosts This post shows you how to create Linux virtual machines in Amazon Web Services, setup virtual networking, and create initial firewall rules

Read more

How to create a Linux bastion host and log SSH commands Part One | A step-by-step tutorial

Want to secure remote access to a private network? In this series of technical posts, we will share step-by-step instructions to create a Linux bastion host and create an audit trail by logging SSH commands.   This article is split into three parts: Part 1: Creating your bastion hosts This post shows you how to create Linux virtual machines in Amazon Web Services, setup virtual networking, and create initial firewall rules

Read more

How to Write Your Software Development Lifecycle Policy

With headline-grabbing software vulnerabilities becoming more and more prevalent, now is the time to tighten up your development practices into a well-written SDLC policy. This particular information security policy will help your development teams standardize on coding tools and practices, as well as get everybody on the same page from a security standpoint. And come the time when you do have a incident, you will be able to demonstrate to your customers that you do indeed take their security seriously - it’s not just lip service.

Read more