The Challenge
Good security isn’t just about not getting hacked (though that certainly is extremely important!). Threats can be internal as well as external. It’s important to ensure that every employee and application has only the permissions they require to do their job. Are all of your systems patched and up-to-date with the latest security fixes? Is your business ready to handle sensitive information like personal health information and credit card transactions? Do you have a tested disaster recovery plan in place?
At stack.io we can:
- Set up automated, zero-downtime security updates for your systems.
- Help configure and set up defences against attacks on your SaaS web applications, including DDoS protection, Web Application Firewalls, and more.
- Help you standardize employee access to sensitive systems against a trusted identity provider such as Identity and Access Management (IAM), Active Directory, LDAP, or anything else you might be using.
- Help you achieve the compliance goals your business may need to meet (e.g. PCI DSS).
- Audit your existing systems to confirm that they are set up and secured the way you think they are, in order to meet requirements such as SOC and ISO 27001.
- Help build a private infrastructure on AWS, GCP, Azure, Oracle, Digital Ocean, and IBM Cloud services.
- Improve your key and secret management controls so that no credentials are stored in code.
- Set up environment segmentation.
- Ensure that a natural disaster or cyberattack is only a setback, not a company-ending event.
DevOps Maturity
Where does your setup fit on our DevOps maturity scale?
+ Poor
- We are not sure when our systems were last patched.
- The operating system or application stack we’re using is no longer supported by the vendor.
- We are unsure if systems are backed up, or we know for a fact that key data is not backed up.
- We know that our business is not in compliance with regulations or our customers’ requirements.
- We’re not sure who has access to what and the process of adding a new user is entirely undocumented.
+ Fair
- We patch our systems after each major vulnerability is announced.
- It’s difficult to keep track of all of our credentials to different systems, and sometimes login credentials slip through the cracks when employees are being onboarded and offboarded.
- Our data is backed up but we haven’t tested our backups.
+ Good
- We regularly patch our systems. Some systems are extremely difficult to patch due to uptime requirements but we try to update those when we can.
- We know how to scan for vulnerabilities in our stack if required.
- We are in compliance with all necessary regulations and security requirements.
- We have an effective onboarding and offboarding process for our employees, and we know who has access to what.
- Our data is backed up and we regularly conduct tests to ensure that restoring from backups will succeed.
+ Great
- Software patching of all systems is automated safely and does not incur downtime. Updates are tested before reaching production.
- We regularly scan for vulnerabilities in our application stack and mitigate or patch issues as they are detected.
- We have been certified by a third party that we meet all required regulations and security requirements.
- All of our logins and credentials use a trusted identity provider and single sign-on wherever possible. We know who can log in to each system, and onboarding and offboarding are a breeze.
- Our data is backed up to at least two different storage types (disk, tape, cloud storage, etc.) in at least 3 locations (with one of these storage types being offline), and we periodically test our restore procedures.