How Hearst Eliminates DevOps Complexity — An Architecture Review

July 31, 2019

Hearst Eliminates DevOps Complexity with Automation
Jim Mortko is responsible for leading all Internet-based engineering and digital production efforts, along with ecommerce and marketing initiatives that support Hearst Magazines’ diverse units including 20 U.S. magazines, Hearst Digital Media, the Hearst App Lab and Hearst Magazines UK. He is credited with spearheading the launch of five internal systems, along with supporting

How Betterment Secures Server Access – Automate the Boring Stuff

July 30, 2019

Chris Becker, SRE, Betterment Chris Becker is an SRE at Betterment. Previously, he did similar work on Warby Parker's Infrastructure team. At Betterment, he earned the label APT (advanced persistent threat) thanks to consistently tripping alarms with his peculiar scripts and commands. In this talk, he discusses how Betterment's approach to server access controls evolved as the team grew exponentially.

Why Fair Eliminated Static Credentials — A Retrospective

July 26, 2019

Fair Eliminates Static Credentials with strongDM
Cat Cai is currently the Director of Platform Engineering at Fair. In this talk, alongside Jack Wink and Marshall Brekka, they discuss how Fair eliminated static credentials through automation and tooling decisions. Listen as they walk through how they make sure they enforce least privileged access, and rotate credentials without causing a huge headache

Contributor

Log management best practices: auditing production systems

July 25, 2019

Why would I need to audit my production systems? First reason: legal requirements. Some regulated environments require that access to and actions on a database be tracked. The image below is a capture of version 3.2.1 of the PCI DSS standard: For health data, the Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information is a bit less prescriptive, but the obligation

How Splunk Built A Practical Approach to DevSecOps At Scale

July 19, 2019

What Splunk Does
Joel Fulton is the Chief Information Security Officer for Splunk. At Splunk, they've put effort into transforming their organization from a waterfall approach to agile, to now a DevSecOps approach. In case you're not familiar, Splunk is a software development company focused on machine data aggregation. They collect your data onto your on-prem and they count

Contributor

How To Make Network Segmentation More Secure And Less Difficult For Everyone

July 16, 2019

Why Network Segmentation Is Hard
Very few things frustrate me more than administrative roadblocks that slow me down or make it more difficult to do work. I want to get from staging to production with as little interference as possible. The question every engineering team faces is how to allow that without compromising security. That’s the challenge of network segmentation.

Alternatives to Gravitational Teleport

July 10, 2019

Gravitational Teleport is a powerful tool allowing organizations to secure access to SSH servers and Kubernetes clusters via a centralized authentication method. However, if you need to secure access to databases, Windows servers or internal web applications in addition to Linux servers/Kubernetes, there are other options to consider. This blog post looks at a few alternatives and discusses the pros

Brian Johnson
Contributor

SOC 2 Terminology Glossary

July 3, 2019

SOC 2 compliance, like so many things related to IT and security, is chock full of terms and acronyms to learn. If you are just getting started with SOC 2, it’s helpful to get familiar with this alphabet soup ahead of time so you can move your compliance efforts forward with confidence. Below is a SOC 2 terminology glossary to

Brian Johnson
Contributor

Writing Your Security Incident Response Policy

June 27, 2019

This article will point you to the core concepts within the SIRP so that you understand the purpose of this policy before writing your own. The Security Incident Response Policy (SIRP) establishes that your organization has the necessary controls to detect security vulnerabilities and incidents, as well as the processes and procedures to resolve them. The tricky thing about this