I can be a perfectionist at times, it’s true. I want to spend days making everything perfect, work perfect, no errors, no bugs, fully documented, etc. Doing a tech install for me isn’t just about rack-n-stack, it’s about handing over something to my customer that works, works well, and is Operationally Ready. What I want isn’t always what the customer wants to pay for though and most of the time we are targeting the 80/20 rule. Focusing on getting the most bang for their buck and being satisfied with “good enough” so we can get on to the next project.
Particularly for non-customer facing infrastructure, security is always the first thing to get scratched off the list. Policy, Procedure, Hardening, Vulnerability Testing, Access Control, SSL Certs. These things are usually set aside because they take too much time. Either the team I’m working with doesn’t have time to invest in the project, they don’t want day to day operations and maintenance to take longer, or they don’t want to pay for the Professional Service hours to get these things accomplished.
My advice is not to skip these things. Pay for somebody to do them if you have to or just take the time to get it done early. There are countless reasons why. Everything from avoiding Technical Debt to simply covering your rear. I promise that the time and cost of handling a breach or even a routine remediation exercise are significantly higher than doing the work up-front. I will elaborate on the “why” in each relevant section.
So what to do? When I google Security or Cyber Hygiene, what do I find? I find loads of useless academic criteria, loads of poorly mapped product marketing, and very little in the way of practical advice. In fact, the most useful thing I was able to find is a NIST white paper that is 100% abstract. That’s not very helpful at all. In the interest of helping out people who might actually be looking for the WHAT and HOW, rather than the WHO and WHY, I decided to put some of my experience down here where anyone can make use of it.
So by way of compromise, rather than pedantically ranting about Best Practice, I will offer up my advice for getting “close enough” with minimal effort. For anyone who isn’t putting much effort into security, these 80/20 approaches should drastically improve your security posture and your audit results. Set security as an MBO for next quarter and let’s knock it out of the park together!
For those of you who are doing it perfectly, please share why and let us know how important it is. Please do not offer boatloads of criticism about why my approach is wrong or irresponsible. I will justify each exercise in its own section.