As a cloud-first software vendor, you trust us to manage your critical data. Protecting it is job zero. How do we do it? Attend this session to learn the details of Resolver’s Information Security Program and learn some practices you can apply to your organization.
5. Principle of Least Privilege
• Every module (process, user, program, environment) must be able to access only the information and resources that are necessary for its legitimate purpose
• Start from nothing, only add what is needed
6. Defense in Depth
Use of all available security mechanisms in the different aspects of the application deployment infrastructure to minimise potential attack vectors by creating multiple layers of protection in case one mechanism fails.
7. Layer Cake
• BCP & DR
• Monitoring
• Procedures
• Automation
• Policies
• Penetration Testing
• Third Party Validation
• Corporate Environment
• People
• Technical Controls
  • Network
  • OS
  • Application
  • Data Storage and Access
• Physical Security
8. Corporate Environment
• Security Culture
• Tone at the Top
• Trusted Guardian of Your Data
• Transparency
• Risk Assessment
• Documentation
• Investment
10. Security Architecture Principles
▪ Segmented Environments
▪ Server Isolation
▪ Least Privilege
▪ Private Network for Server Management
▪ Minimal public surface area
▪ AWS Managed Services Wherever Possible
▪ MFA and Credential Complexity
11. Technical Controls - Network
▪ ALB (Application Load Balancer) or Nginx secure reverse proxy
▪ CloudFront for content distribution and absorbing DDoS traffic
▪ AWS Shield (DDoS protection) and AWS WAF
▪ EC2 Security Groups (AWS stateful instance-level firewall)
▪ IAM Users and Roles
▪ Transport Encryption
▪ Private management subnet reachable only through an MFA-enabled VPN
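The least-privilege principle from slide 5, the "minimal public surface area" item from slide 10 and the security-group and IAM items above all reduce to configuration that can be audited. The following is an added example, not Resolver's own tooling: it walks constructed data shaped like the output of `aws ec2 describe-security-groups` and IAM policy documents, and flags two classic violations, management ports (SSH/RDP) reachable from the whole internet instead of only the VPN subnet, and Allow statements that grant wildcard actions on wildcard resources. Group ids, policy names and the sample CIDRs are invented for the example.

```python
"""Offline least-privilege audit of constructed AWS security-group and IAM data.

Added example; the sample groups, policies, ids and CIDRs below are made up.
"""
from __future__ import annotations

from ipaddress import ip_network

# Management ports that should only be reachable from the private management subnet.
MANAGEMENT_PORTS = {22, 3389}  # SSH, RDP


def open_management_ports(security_group: dict) -> list[str]:
    """Return findings for ingress rules exposing a management port to 0.0.0.0/0 or ::/0."""
    findings = []
    for perm in security_group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto == "-1":                       # "all traffic" rule
            lo, hi = 0, 65535
        elif proto in ("tcp", "udp"):
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        else:
            continue
        exposed = sorted(p for p in MANAGEMENT_PORTS if lo <= p <= hi)
        if not exposed:
            continue
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if ip_network(cidr).prefixlen == 0:  # /0 means "anyone"
                findings.append(f"{security_group['GroupId']}: ports {exposed} open to {cidr}")
    return findings


def overly_broad_statements(policy: dict) -> list[str]:
    """Return Allow statements whose Action and Resource are both wildcards."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):             # a single statement may be a bare object
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if any(a == "*" or a.endswith(":*") for a in actions) and "*" in resources:
            findings.append(f"statement {i} ({stmt.get('Sid', 'no Sid')}): {actions} on *")
    return findings


# Constructed sample input shaped like `aws ec2 describe-security-groups` output.
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-bastion", "IpPermissions": [          # the violation
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-mgmt", "IpPermissions": [             # SSH only from the VPN subnet
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.20.0.0/24"}], "Ipv6Ranges": []}]},
]

# Constructed sample IAM policy documents.
SAMPLE_POLICIES = {
    "deploy-role": {"Version": "2012-10-17", "Statement": [
        {"Sid": "ReadArtifacts", "Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-artifacts/*"}]},
    "admin-shortcut": {"Version": "2012-10-17", "Statement": [   # the violation
        {"Sid": "Everything", "Effect": "Allow", "Action": "*", "Resource": "*"}]},
}


def audit(security_groups: list[dict], policies: dict[str, dict]) -> list[str]:
    """Run both checks and return one finding per violation."""
    findings = []
    for sg in security_groups:
        findings.extend(open_management_ports(sg))
    for name, policy in policies.items():
        findings.extend(f"{name}: {f}" for f in overly_broad_statements(policy))
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_SECURITY_GROUPS, SAMPLE_POLICIES):
        print("FINDING", line)
```

In a real account the same two functions would be fed the JSON from `describe-security-groups` and `get-policy-version`; a clean run returns an empty list, which is the "start from nothing" baseline the slides describe.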
12. Technical Controls - Operating System
▪ Server Hardening
▪ Anti-virus
▪ Anti-malware
▪ Intrusion detection systems – AlienVault and AWS GuardDuty
▪ Monthly Patch Management
▪ Critical patches analyzed for applicability within 48 hours
13. Technical Controls - Application
▪ Security by Design
▪ Access and Authorization checked at every level
▪ Resolver Application Level Authentication control
▪ Resolver as identity provider
▪ Single Sign On
▪ Role and Data Based Authorization Control
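"Access and authorization checked at every level" and "role and data based authorization control" describe two distinct checks: whether the caller's role permits the action, and whether the specific record is one the caller is allowed to touch. The example below is added here and is not Resolver's code; it uses an invented multi-tenant incident store, an assumed role-to-permission map, and shows a role-only check beside the hardened role-plus-data check, which is also what the data-segregation testing on slide 21 exercises.

```python
"""Role-based vs role-plus-data-based authorization in a multi-tenant app.

Added example; the records, users, roles and permission map are assumptions.
"""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when a request fails an authorization check."""


@dataclass(frozen=True)
class User:
    user_id: str
    org_id: str   # tenant the user belongs to
    role: str     # "admin", "analyst" or "viewer"


@dataclass(frozen=True)
class Incident:
    incident_id: str
    org_id: str   # tenant that owns the record
    owner_id: str


# Assumed role -> permitted actions map.
ROLE_PERMISSIONS = {
    "admin": {"read", "update", "delete"},
    "analyst": {"read", "update"},
    "viewer": {"read"},
}

# Constructed sample store: two tenants (org-a, org-b), records keyed by id.
INCIDENTS = {
    "inc-1": Incident("inc-1", "org-a", "alice"),
    "inc-2": Incident("inc-2", "org-b", "bob"),
}

# Constructed sample users.
SAMPLE_USERS = {
    "alice": User("alice", "org-a", "analyst"),
    "bob": User("bob", "org-b", "analyst"),
    "carol": User("carol", "org-a", "viewer"),
    "dave": User("dave", "org-a", "admin"),
}


def role_only_authorize(user: User, action: str, incident_id: str) -> Incident:
    """Vulnerable: the role is checked, but not which tenant owns the record.

    Any analyst can read any tenant's incident by guessing its id.
    """
    if action not in ROLE_PERMISSIONS.get(user.role, set()):
        raise Forbidden(f"{user.role} may not {action}")
    return INCIDENTS[incident_id]


def authorize(user: User, action: str, incident_id: str) -> Incident:
    """Hardened: role check, then data check against the record itself."""
    if action not in ROLE_PERMISSIONS.get(user.role, set()):
        raise Forbidden(f"{user.role} may not {action}")
    incident = INCIDENTS.get(incident_id)
    # Records outside the caller's tenant are answered exactly like missing
    # records, so enumerating ids reveals nothing about other customers' data.
    if incident is None or incident.org_id != user.org_id:
        raise Forbidden("no such record")
    # Data-based rule: non-admins may only modify records they own.
    if action != "read" and user.role != "admin" and incident.owner_id != user.user_id:
        raise Forbidden("not the owner")
    return incident


def can(user: User, action: str, incident_id: str, check=authorize) -> bool:
    """True if `check` allows the request, False if it raises Forbidden."""
    try:
        check(user, action, incident_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    bob = SAMPLE_USERS["bob"]
    print("role-only lets bob (org-b) read org-a's inc-1:", can(bob, "read", "inc-1", role_only_authorize))
    print("role+data lets bob read inc-1:", can(bob, "read", "inc-1"))
```

The point is that the role check alone passes every test on slide 21's "OWASP Top 10" list that concerns authentication, yet fails the data-segregation test; the second check is the one that has to be present at every level, including background jobs and export endpoints, not only the UI.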
15. Physical Security - AWS
▪ Site selection
▪ AWS employee access only
▪ Access logs
▪ Access review
▪ CCTV and MFA access
16. Business Continuity Planning & Disaster Recovery
• AWS Regions and Availability Zones
• Regular Backups with Validation
• Monthly Testing
• Auto Scale and Self Healing
18. Standard Operating Procedures
▪ Disaster Recovery
▪ Change Management
▪ Incident Management
▪ Monthly Maintenance
▪ Vulnerability Management
▪ Other SOPs
  ▪ Common operations (onboard & offboard customers)
19. Automation
▪ Faster
▪ Removes human error
▪ Scripting for common tasks
  ▪ New customer
  ▪ Resolver Core environment deploy
▪ Cattle, not pets
  ▪ Replace servers with secure versions
  ▪ No need to remote into containers
20. Policies
▪ InfoSec Policy
▪ Change Control
▪ Hiring Process
▪ Termination Process
▪ Security Assessment Process
▪ Incident Management Policy
▪ Security Awareness Training Policy
▪ Server Capacity Policy
▪ Server Hardening Policy
▪ Data Classification
▪ Password Policy
▪ Cryptography Policy
▪ Patch Management Policy
▪ Remote Access Policy
21. Penetration Testing
▪ Annual
▪ Third Party
▪ Black box, authenticated, comprehensive
▪ OWASP
  ▪ Top 10
  ▪ Application Security Verification Standard
▪ Data segregation
▪ Application logic