Compliance can be a slog. Many of the controls are not super useful, especially at smaller organizations. But there are some security fundamentals that everyone should implement. They'll make your life easier for SOC2 when you get there, and you'll benefit from the increased security in the meantime.
Here is a top ten list of things you can do today that will make you more secure and get you on the right path to security compliance when the time comes.
- Make a password policy
  Prohibit password reuse and require the use of a password manager. Simple enough, right? Just write it down and socialize it to your employees. Use 1Password or a local encrypted password manager that supports YubiKey and/or biometric unlock; KeePassXC is nice.

- Implement SSO
  You'll thank me. It reduces your account management overhead and prevents onboarding and off-boarding errors, the latter of which can be dangerous and costly (an ex-employee whose access was never revoked is a breach waiting to happen). Okta or similar.

- Enroll in your hardware vendor's asset management program
  For people on Mac this means enrolling in Apple Business Manager (ABM) so all your machines get automatically associated with the company. This lets you bootstrap MDM when you get there, manage inventory, etc.

- Encrypt your disks and lock your screens
  While we're talking about employee computers: if someone steals a laptop, the last thing you want to worry about is what was on the disk. With full-disk encryption a stolen laptop is a hardware loss, not a data breach. On Mac it's FileVault, on Windows BitLocker. Pair it with a short screen-lock timeout so an unattended machine isn't an unlocked one.

- Branching policy
  Make a policy/plan about how to handle branches. For example: everyone develops on a feature branch, code review is required to merge into master, a merge into master auto-deploys to stage, and a manual merge into release deploys to prod. Tune as you see fit, but at least have something.

- Infrastructure as code
  This will make your life a lot easier if you go multi-region or don't yet have a separation between stage and prod. I recommend Terraform. Feel free to override that if you can make a compelling argument. If you think CloudFormation is better, come at me. If you like Pulumi better we can be friends. (But how? The old infra guy built this all with clickops? Terraformer can import existing infrastructure into Terraform.)

- Cloud IAM restrictions
  Create roles and policies based on the principle of least privilege. If everyone is Admin you did it wrong. If your CEO has admin in your cloud account but all he does is look at the bill, GOTO line 1. Make a read-only account and grant it billing access.

- Secrets management
  If you check secrets into code you're going to have a bad time. AWS Secrets Manager is a good compromise between secure and easy. Your solution must include a way to rotate secrets. If it doesn't rotate, it isn't a solution. Again, AWS Secrets Manager is quick and solves the problem.

- Log aggregation
  You want your forensic logs off the box, but your app logs should probably go somewhere easily accessed by developers too. Your prod access will be wildly simplified if you do this (nobody needs a shell on a prod box just to read logs). An ELK stack is one solution. Simple is fast. "Fast and done" is way smarter than "optimal, but not completed yet". If you want to talk to me about HashiCorp Vault, get ready to buy the next couple of rounds.

- Someone needs to "wear the security hat"
  It can be a role that a person assumes when needed, but someone needs to own it. Whether you've got 3 people or 30, there needs to be someone in charge of security. If the person you choose feels like they need help, give us a call. That's what we do.

- Enable 2FA for sensitive accounts
  I know I only promised ten but I'm going to turn it up to eleven. Get dat 2FA. I'm in love with Okta Verify with push and Face ID. (Honestly this makes it 3FA, but love lets me forgive the misnomer.) It might be infinitely better than SMS 2FA (which we should probably call 1.5FA).
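To make the infrastructure-as-code, IAM least-privilege and secrets-rotation items concrete, here is an added Terraform example (mine, not code from the original post). It assumes AWS with the `hashicorp/aws` provider, an IAM user named `ceo` who only needs to see the bill, and an already-deployed rotation Lambda whose ARN is passed in as the variable `rotation_lambda_arn`; the group, secret and policy names are placeholders.

```hcl
# Added example, not from the original post. Assumptions: AWS, hashicorp/aws
# provider, a placeholder IAM user "ceo", and an existing rotation Lambda whose
# ARN comes in via var.rotation_lambda_arn. All resource names are placeholders.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

variable "rotation_lambda_arn" {
  description = "ARN of the Lambda that knows how to rotate the DB credential (assumed to already exist)."
  type        = string
}

# --- Cloud IAM restrictions: the CEO gets a billing-only group, not AdministratorAccess.
resource "aws_iam_group" "billing_viewers" {
  name = "billing-viewers"
}

# AWS-managed job-function policy: Billing console, Cost Explorer, budgets. Nothing else.
resource "aws_iam_group_policy_attachment" "billing" {
  group      = aws_iam_group.billing_viewers.name
  policy_arn = "arn:aws:iam::aws:policy/job-function/Billing"
}

resource "aws_iam_user" "ceo" {
  name = "ceo" # placeholder user
}

resource "aws_iam_user_group_membership" "ceo_billing" {
  user   = aws_iam_user.ceo.name
  groups = [aws_iam_group.billing_viewers.name]
}

# --- Secrets management: the secret lives in Secrets Manager, not in the repo, and it rotates.
resource "aws_secretsmanager_secret" "db_password" {
  name = "prod/app/db-password" # placeholder name
}

# Only the secret's metadata is managed here. Its value is written out of band
# (or by the rotation Lambda) so it never lands in git or in Terraform state.

resource "aws_secretsmanager_secret_rotation" "db_password" {
  secret_id           = aws_secretsmanager_secret.db_password.id
  rotation_lambda_arn = var.rotation_lambda_arn
  rotation_rules {
    automatically_after_days = 30
  }
}

# The application may read that one secret and nothing else in Secrets Manager.
data "aws_iam_policy_document" "read_db_password" {
  statement {
    actions   = ["secretsmanager:GetSecretValue"]
    resources = [aws_secretsmanager_secret.db_password.arn]
  }
}

resource "aws_iam_policy" "read_db_password" {
  name   = "read-db-password"
  policy = data.aws_iam_policy_document.read_db_password.json
}
```

Run `terraform init && terraform validate && terraform plan` to check it before applying. Two caveats a reviewer would raise: the rotation Lambda must grant Secrets Manager permission to invoke it (an `aws_lambda_permission` with principal `secretsmanager.amazonaws.com`), or the rotation resource will fail to create; and the `job-function/Billing` policy is deliberately used instead of the broader `ReadOnlyAccess` managed policy, because "read-only" in AWS still includes reading S3 objects and DynamoDB tables, which is a lot more than looking at the bill. If you ever do set a secret's value through an `aws_secretsmanager_secret_version`, that value ends up in Terraform state, so treat the state backend as a secret store too.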