Blog

Avatar
Contributor

PostgreSQL logging best practices

June 3, 2019

There are several reasons why you might want an audit trail of users’ activity on a PostgreSQL database: When things go wrong you need to know what happened and who is responsible You store sensitive data, maybe even PII or PHI You are subject to compliance standards like SOC 2 or PCI DSS Both application and human access are in-scope. Since application

Read more

Alternatives to Hashicorp Vault

May 21, 2019

HashiCorp Vault is a powerful secrets management tool that is well suited to automating the creation, distribution, and destruction of secrets. However, if your goal is to secure access to sensitive systems, a secrets store is not the only approach. In this blog post we’ll look at a few alternatives, with my take on the strengths and weaknesses of each

Read more
Avatar
Contributor

Identity Federation on AWS and Azure Instances

May 15, 2019

Why? That’s a good starting question to start with, what’s the goal? Here we’re talking about managing access to instances on AWS and Azure in a unified way and there’s a bunch of possibilities, including (not exhaustive): Local users from a csv list with a script Local users using a configuration management tool Using a central directory (NIS, AD, LDAP)

Read more
Tobias Macey
Host, Data Engineering Podcast

Scaling Your SSH Strategy

April 17, 2019

In our last post, we discussed some of the challenges that are inherent to management of SSH keys across your infrastructure as you scale the number of team members and servers. In this post, we will dig into some of your options and the trade-offs that they provide. Review Before we get going, let’s recap the main criteria that we

Read more

How To Prepare For Your First SOC 2 Audit A 30-90-120 Day Plan

April 17, 2019

Despite thousands of articles, there's shockingly little actionable advice to help startups complete SOC 2. When you don't have dedicated compliance teams or six figure budgets, we set out to answer: When to pull the trigger on SOC 2. Who needs to be involved in prep work & what tasks can/can not be delegated. How to narrow the scope and

Read more
Tobias Macey
Host, Data Engineering Podcast

The Key To Your SSH Strategy

April 16, 2019

If you work with systems that run any variety of Linux or BSD then the probability is high that you have dealt with SSH. Invented in 1995 and established as an internet standard by the IETF in 2006, Secure SHell has become the default mechanism for remote access to servers by individuals and teams everywhere. SSH Authentication Authenticating yourself to

Read more
Brian Johnson
Contributor

Practical Tips to Improve Data Center Security and Compliance

March 26, 2019

In this post, we’ll answer the following questions:How do I know what rules and regulations I need to follow when protecting my data and data center? Where should I host my secure data center infrastructure (on-prem vs. colocation facilities vs. cloud vs. hybrid solution)? How do I plan for - and recover from - a physical data center failure?

Read more
Brian Johnson
Contributor

How to Write Your Software Development Lifecycle Policy

March 19, 2019

With headline-grabbing software vulnerabilities becoming more and more prevalent, now is the time to tighten up your development practices into a well-written SDLC policy. This particular information security policy will help your development teams standardize on coding tools and practices, as well as get everybody on the same page from a security standpoint. And come the time when you do have a incident, you will be able to demonstrate to your customers that you do indeed take their security seriously - it’s not just lip service.

Read more