Provisioning Your People to be Productive

You just hired a new employee, great news! Luckily you have an easy onboarding process to get them access to all of the systems that they will need to access… right? If you just had a moment of panic, then keep reading because you're not alone.

Standardize Roles

Granting access to your databases and servers for a new user can be a painful process if you have to do it

Read more

Physical Facility Access Policy Best Practices | A SOC 2 Primer

Physical security is not just a concern for large companies. A small business also needs an established physical security policy to protect its physical assets and provide its employees with a sense of protection and safety. In this policy, you will define the controls, monitoring, and removal of physical access to your company’s facilities. Here are five practices for writing your office physical security policy:

Create an access control system

Read more

Implement a BYOD Policy | Best Practices for SOC 2 Compliance

Writing Your BYOD Policy

This article will point you to the core concepts of BYOD, removable device, and cloud storage policies so that you understand best practices before writing your own. Removable media, cloud storage, and personal (BYOD) devices can be a quick and convenient way for employees to handle data. But with this convenience come some serious security concerns. Unprotected removable storage is an easy entry point for end users to

Read more

Automating Access For On-Call

If you manage any system that requires consistent availability then you are probably already familiar with services like PagerDuty. For those of you who are unfamiliar with on-call management, it is a class of services that integrates with your monitoring and alerting systems to ensure that someone gets notified of issues in a timely manner. Typically there is a team who shares the responsibility of being on call on a

Read more
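The post above only introduces on-call management; the security-relevant step it leads toward is deriving access from the rotation itself, so that the engineer on shift gets what they need and loses it at handoff. The following is an added example, not code from the original post or from any on-call vendor's SDK. The schedule is a constructed stand-in for what a schedule API returns, and the resource names, `Grant` type and `reconcile` function are hypothetical.

```python
"""Reconcile on-call shifts to time-bounded access grants (added example).

Assumptions: SCHEDULE is a constructed stand-in for an on-call service's
schedule API response; resource names are made up; Grant/reconcile are
hypothetical helpers rather than any vendor's API.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed schedule for one rotation (UTC). Shift end is exclusive, so a
# handoff at 20:00 belongs to the incoming engineer only.
SCHEDULE = [
    {"user": "alice", "start": "2019-08-01T08:00:00+00:00", "end": "2019-08-01T20:00:00+00:00"},
    {"user": "bob",   "start": "2019-08-01T20:00:00+00:00", "end": "2019-08-02T08:00:00+00:00"},
]

# Hypothetical resources the on-call engineer needs during a shift.
ON_CALL_RESOURCES = ["prod-db-primary", "prod-bastion"]


@dataclass(frozen=True)
class Grant:
    user: str
    resource: str
    expires_at: datetime  # the shift end; never an open-ended grant


def parse_ts(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp with offset into an aware datetime."""
    return datetime.fromisoformat(ts)


def current_on_call(schedule, now: datetime) -> list:
    """Users whose shift covers `now` (start inclusive, end exclusive)."""
    return [s["user"] for s in schedule
            if parse_ts(s["start"]) <= now < parse_ts(s["end"])]


def desired_grants(schedule, now: datetime, resources) -> set:
    """The exact set of grants that should exist at `now`: one per
    on-call user and resource, each expiring at that user's shift end."""
    grants = set()
    for s in schedule:
        start, end = parse_ts(s["start"]), parse_ts(s["end"])
        if start <= now < end:
            for r in resources:
                grants.add(Grant(s["user"], r, end))
    return grants


def reconcile(existing: set, desired: set, now: datetime):
    """Return (to_add, to_revoke).

    A grant is revoked if it is no longer desired (shift handed off) or
    has passed its expiry even if a schedule change still lists the user;
    a grant is added only if desired and not already present.
    """
    to_revoke = {g for g in existing if g not in desired or g.expires_at <= now}
    to_add = {g for g in desired if g not in existing}
    return to_add, to_revoke


if __name__ == "__main__":
    # Walk the constructed schedule across the 20:00 handoff.
    before = parse_ts("2019-08-01T12:00:00+00:00")
    handoff = parse_ts("2019-08-01T20:00:00+00:00")
    existing = desired_grants(SCHEDULE, before, ON_CALL_RESOURCES)
    add, revoke = reconcile(existing, desired_grants(SCHEDULE, handoff, ON_CALL_RESOURCES), handoff)
    for g in sorted(add, key=lambda g: (g.user, g.resource)):
        print("grant ", g.user, g.resource, "until", g.expires_at.isoformat())
    for g in sorted(revoke, key=lambda g: (g.user, g.resource)):
        print("revoke", g.user, g.resource)
```

Run the reconciliation on a timer or from the on-call service's schedule-change webhook; because every grant carries the shift end as its expiry, a missed run fails safe (the grant expires on its own) rather than leaving the previous engineer with standing access.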

Why ASICS Digital Builds 12-Factor Apps with a Focus on Infrastructure

How ASICS Digital Created a Culture of You Build it, You Run it

John Noss is a Senior Site Reliability Engineer at ASICS Digital, formerly Run Keeper. In this talk, he shares how ASICS Digital builds 12-Factor apps with an emphasis on infrastructure. Listen as he walks through how and why they made a dev culture of 'You Build It, You Run It', and download the slides now.

Read more

How Hearst Eliminates DevOps Complexity — An Architecture Review

Hearst Eliminates DevOps Complexity with Automation

Jim Mortko is responsible for leading all Internet-based engineering and digital production efforts, along with ecommerce and marketing initiatives that support Hearst Magazines’ diverse units including 20 U.S. magazines, Hearst Digital Media, the Hearst App Lab and Hearst Magazines UK. He is credited with spearheading the launch of five internal systems, along with supporting the launch of more than 10 websites. In this talk,

Read more

How Betterment Secures Server Access – Automate the Boring Stuff

Chris Becker, SRE, Betterment

Chris Becker is an SRE at Betterment. Previously, he did similar work on Warby Parker's Infrastructure team. At Betterment, he earned the label APT (advanced persistent threat) thanks to consistently tripping alarms with his peculiar scripts and commands. In this talk, he discusses how Betterment's approach to server access controls evolved as the team grew exponentially. With more people and keys to manage, the SRE team

Read more

Why Fair Eliminated Static Credentials — A Retrospective

Fair Eliminates Static Credentials with strongDM

Cat Cai is currently the Director of Platform Engineering at Fair. In this talk, alongside Jack Wink and Marshall Brekka, they discuss how Fair eliminated static credentials through automation and tooling decisions. Listen as they walk through how they enforce least-privilege access and rotate credentials without causing a huge headache in the organization.

Read more

Log management best practices: auditing production systems

Log Management Best Practices

Why would I need to audit my production systems?

First reason: Legal Requirements

Some regulated environments require that access to, and actions on, a database be tracked. The image below is a capture of version 3.2.1 of the PCI DSS standard:

For health data, the Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information is a bit less prescriptive, but the obligation still amounts to having a good audit system in place: “Persons and entities

Read more

DevSecOps Conference Highlights | Speakers from Splunk, Betterment, Fair, ASICS

See What You Missed

Watch highlights from all the speakers.

DevSecOps: The Core Curriculum, Opening Remarks
By Laura Franzese, August 25, 2019. Blog, Conference
DevSecOps: The Core Curriculum -- opening remarks. My brother like 15 years ago asked me what song I would come up to if… Read more

Why ASICS Digital Builds 12-Factor Apps with a Focus on Infrastructure
By Laura Franzese, August 1, 2019. Blog, Conference, Uncategorized
How ASICS

Read more