Security Checklist for your technology

Posted by in Devops, Engineering Management, Startup, Technology

I was recently interacting with one of the startups at 91springboard here in Mumbai, who are going to work closely with the governments of different countries. One of the important things which came to my mind is: how are you ensuring that what you are building is compliant? Based on my past experience at HackerRank, where enterprise clients from the fin-tech sector used to ask us to fill in their security audit sheets, I think that if you are covering the following things you are in a better place to be compliant, and you are also ensuring that your IT infra is safe. I will break the checklist down into 4 major groups:

  1. Infrastructure
  2. Data
  3. Product (Your technology)
  4. Others

Infrastructure

  1. Private Cloud – This is very important. Your entire infrastructure should sit in a private cloud. The only way in from the public internet should be through your load balancers.
  2. VPN – Connections to your machines should go over a VPN of some sort, so that not just anyone can reach the machines in your infrastructure.
  3. Access to your production setup – Anything that holds or connects to production data should be accessible only to a limited set of people.
  4. Auditing/Tracking – You should track the activity of everyone who accesses your production environment: when they logged in and what they executed.
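As an added illustration of items 2 and 4 (not code from the original post), here is a small Python script that turns sshd and sudo lines from an auth log into a per-user trail of logins and executed commands, and flags any login attempt whose source address is outside the VPN range. The log lines, host names, addresses and the VPN range 10.8.0.0/24 are all constructed for this example; only the standard library is used.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample auth log lines in the syslog layout that sshd and sudo
# write; host names, addresses and key fingerprints are made up.
SAMPLE_AUTH_LOG = """\
Mar  3 09:12:01 prod-web-1 sshd[2101]: Accepted publickey for alice from 10.8.0.5 port 51022 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT1
Mar  3 09:12:40 prod-web-1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart app
Mar  3 09:15:02 prod-web-1 sshd[2188]: Failed password for invalid user admin from 203.0.113.9 port 40010 ssh2
Mar  3 09:20:11 prod-web-1 sshd[2201]: Accepted publickey for bob from 10.8.0.7 port 51100 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT2
Mar  3 09:21:00 prod-web-1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/tail -n 200 /var/log/app.log
Mar  3 09:25:33 prod-web-1 sshd[2201]: Disconnected from user bob 10.8.0.7 port 51100
"""

# The fixed-width syslog prefix "Mon DD HH:MM:SS host ".
TS = r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
ACCEPTED = re.compile(TS + r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+")
FAILED = re.compile(TS + r"sshd\[\d+\]: Failed (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")
SUDO = re.compile(TS + r"sudo:\s+(?P<user>\S+) : TTY=\S+ ; PWD=\S+ ; USER=(?P<as_user>\S+) ; COMMAND=(?P<cmd>.*)$")


def parse_auth_log(text):
    """Turn raw log lines into event dicts; lines we do not recognise are skipped."""
    events = []
    for line in text.splitlines():
        for kind, pattern in (("login", ACCEPTED), ("failed_login", FAILED), ("command", SUDO)):
            m = pattern.match(line)
            if m:
                events.append({"kind": kind, **m.groupdict()})
                break
    return events


def activity_by_user(events):
    """Per-user trail: when they logged in (and from where) and what they ran."""
    report = defaultdict(lambda: {"logins": [], "failed_logins": [], "commands": []})
    for ev in events:
        entry = report[ev["user"]]
        if ev["kind"] == "login":
            entry["logins"].append((ev["ts"], ev["host"], ev["src"]))
        elif ev["kind"] == "failed_login":
            entry["failed_logins"].append((ev["ts"], ev["host"], ev["src"]))
        else:
            entry["commands"].append((ev["ts"], ev["host"], ev["as_user"], ev["cmd"]))
    return dict(report)


def off_vpn_events(events, vpn_network):
    """Login attempts whose source is outside the VPN range (assumed 10.8.0.0/24
    here). Under a VPN-only rule any hit, successful or not, means the box is
    reachable from somewhere it should not be."""
    net = ipaddress.ip_network(vpn_network)
    return [ev for ev in events
            if ev["kind"] in ("login", "failed_login")
            and ipaddress.ip_address(ev["src"]) not in net]


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    for user, entry in activity_by_user(evs).items():
        print(user, entry)
    for ev in off_vpn_events(evs, "10.8.0.0/24"):
        print("outside VPN:", ev["ts"], ev["user"], ev["src"])
```

On the sample input the report shows alice and bob each logging in from the VPN range and running one command as root, while the failed attempt for the non-existent user "admin" from 203.0.113.9 is the one event reported as coming from outside the VPN. In practice the log lines would be shipped off the box to a central store first, so that the trail survives if the machine itself is compromised.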

If you are using a cloud solution, then you have to be more careful with your setup, as cloud solutions are more prone to attacks.

Data

  1. User personal information encryption – Any personal information of the user, such as passwords, email addresses and phone numbers, should be stored encrypted.
  2. Data Auditing – You should have a trail of who changed what on any data in your database; I mean the actual application user, not the database user.
  3. Accessibility – Your production data should be accessible only to a limited number of people.
  4. Backup / Recoverability – How robust are your data stores? Can they recover on their own, and can you restore when something goes wrong?
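An added example for items 1 and 2 above (my code, not the post's): a minimal user table where passwords are stored as salted scrypt hashes (the standard form of protected storage for a credential, since it only ever needs to be verified, never read back) and every change to a row writes an audit entry carrying the application user who made it, in the same transaction as the change. It uses only the Python standard library with an in-memory SQLite database; the scrypt work factors, table layout, sample emails and phone numbers are all assumptions of the example. Reversible fields such as email and phone would additionally be encrypted with an authenticated cipher, which the standard library does not provide, so that part is left out.

```python
import hashlib
import hmac
import json
import os
import sqlite3
from datetime import datetime, timezone

# scrypt work factors (assumed for this example; tune them for your hardware)
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    email TEXT NOT NULL UNIQUE,
    phone TEXT,
    password_hash TEXT NOT NULL
);
-- actor_user_id is the *application* user, not the database login.
CREATE TABLE audit_log (
    id INTEGER PRIMARY KEY,
    at TEXT NOT NULL,
    actor_user_id INTEGER NOT NULL,
    action TEXT NOT NULL,
    target_table TEXT NOT NULL,
    target_id INTEGER NOT NULL,
    old_value TEXT,
    new_value TEXT
);
"""


def hash_password(password, salt=None):
    """Salted scrypt hash, encoded as scrypt$<salt hex>$<digest hex>."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "scrypt$%s$%s" % (salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    _, salt_hex, _ = stored.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def record_audit(conn, actor_user_id, action, table, target_id, old, new):
    # Runs inside the caller's transaction, so the audit row and the data
    # change commit or roll back together.
    conn.execute(
        "INSERT INTO audit_log (at, actor_user_id, action, target_table, target_id, old_value, new_value)"
        " VALUES (?, ?, ?, ?, ?, ?, ?)",
        (datetime.now(timezone.utc).isoformat(), actor_user_id, action, table,
         target_id, json.dumps(old), json.dumps(new)))


def create_user(conn, actor_user_id, email, phone, password):
    with conn:  # one transaction for the row and its audit entry
        cur = conn.execute("INSERT INTO users (email, phone, password_hash) VALUES (?, ?, ?)",
                           (email, phone, hash_password(password)))
        # The credential itself never goes into the audit log.
        record_audit(conn, actor_user_id, "users.create", "users", cur.lastrowid,
                     None, {"email": email, "phone": phone})
        return cur.lastrowid


def update_phone(conn, actor_user_id, user_id, new_phone):
    with conn:
        row = conn.execute("SELECT phone FROM users WHERE id = ?", (user_id,)).fetchone()
        if row is None:
            raise LookupError("no such user: %d" % user_id)
        conn.execute("UPDATE users SET phone = ? WHERE id = ?", (new_phone, user_id))
        record_audit(conn, actor_user_id, "users.update_phone", "users", user_id,
                     {"phone": row[0]}, {"phone": new_phone})


def check_login(conn, email, password):
    """Return the user id on a correct password, else None."""
    row = conn.execute("SELECT id, password_hash FROM users WHERE email = ?", (email,)).fetchone()
    if row is None or not verify_password(password, row[1]):
        return None
    return row[0]


def audit_trail(conn, table, target_id):
    """Who changed what on one row, oldest first: (actor, action, old, new)."""
    rows = conn.execute(
        "SELECT actor_user_id, action, old_value, new_value FROM audit_log"
        " WHERE target_table = ? AND target_id = ? ORDER BY id", (table, target_id)).fetchall()
    return [(a, act, json.loads(o), json.loads(n)) for a, act, o, n in rows]
```

A typical run creates a user as actor 1, changes the phone number as actor 2, and then `audit_trail(conn, "users", uid)` returns two entries naming those two application users with the old and new values, while the password hash appears nowhere in the log. Keeping the audit insert inside the same `with conn:` block as the data change is the point of the design: a change that commits without its audit row, or an audit row without its change, is exactly the gap an auditor will ask about.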

Product

  1. Policy on code base access – Who can access your codebase? Do you ensure that the code is removed from a person's machine when they leave?
  2. Company laptops – People should be using laptops issued by the organization.
  3. Encryption – The devices which hold your code base should be encrypted.

Others

  1. Are your premises secured? Do you keep track of who is entering and exiting your office space?
  2. Is your network encrypted? People should not be able to break into your network and access information.

If you have any questions on how to achieve these, or any suggestions for items that should be added, just drop a comment below 🙂