Spring Security Cleanup

So, we are done. Finished the work to enable the employees to work from home. Implemented a video conferencing solution. Enabled access to the company data for the home workers. And the CEO is happy too. He can now work from the tablet of his oldest daughter. Time to grab a beer and relax.

And after that well-deserved beer it's time to clean up: have a look at the security rules and check that we are still up to date. Let's see my checklist.

1. Check the remote access

Well, we opened our network to the outside world. Gave VPN access to all of our employees. Broadened the attack surface. Maybe the good old LDAP directory is not that secure anymore. Could this be the right moment to enhance our login with multi-factor authentication? And maybe assess the security status of all these now-remote devices?

2. Secure the new endpoints

Oops, all those devices are out there now. We told our people to take their company devices home. But hey – there was that guy who said the video on his laptop was broken. We gave him VPN access for his private computer. And the tablet of the CEO's daughter. He said it is well managed because his daughter's friend knows IT and has made a million in Bitcoin. Maybe we should try to secure all those devices with an overall solution?

3. Create visibility in the network

Yeah, all that has been running for more than 3 weeks now. What if somebody has already entered our network? There is enough stuff where he can hide. We should start to create some visibility. Maybe we can find these guys by looking for anomalies?
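One way to start looking for anomalies is to take the VPN login log you already have and compare each login against what was "normal" for that user during the first days. The script below is an added example, not code from the original post; the log format, the field names, the three-day baseline and the thresholds are all assumptions made for this example, and the log lines are constructed sample data.

```python
"""Flag anomalous VPN logins in constructed sample log lines.

Added example, not code from the original post. The log format, the
field names and the thresholds are assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real data). Assumed format:
# <ISO-8601 UTC timestamp> user=<id> src=<ip> country=<ISO code> result=success|fail
SAMPLE_LOG = """\
2020-04-06T08:02:11Z user=alice src=198.51.100.7 country=DE result=success
2020-04-06T08:15:40Z user=bob src=198.51.100.9 country=DE result=success
2020-04-07T07:58:03Z user=alice src=198.51.100.7 country=DE result=success
2020-04-07T09:10:22Z user=bob src=198.51.100.9 country=DE result=success
2020-04-08T08:01:55Z user=alice src=198.51.100.7 country=DE result=success
2020-04-08T08:30:10Z user=bob src=198.51.100.9 country=DE result=success
2020-04-09T03:12:01Z user=bob src=203.0.113.50 country=RO result=fail
2020-04-09T03:12:09Z user=bob src=203.0.113.50 country=RO result=fail
2020-04-09T03:12:17Z user=bob src=203.0.113.50 country=RO result=fail
2020-04-09T03:12:26Z user=bob src=203.0.113.50 country=RO result=fail
2020-04-09T03:12:33Z user=bob src=203.0.113.50 country=RO result=fail
2020-04-09T03:12:41Z user=bob src=203.0.113.50 country=RO result=success
2020-04-09T08:04:19Z user=alice src=198.51.100.7 country=DE result=success
"""

BASELINE_DAYS = 3          # the first days of the log define "normal" per user
WORK_HOURS = range(6, 22)  # successful logins outside 06:00-21:59 UTC are unusual here
FAIL_BURST = 5             # this many failures right before a success looks like guessing


def parse_line(line):
    """Split one log line into a dict of fields with a parsed timestamp."""
    ts, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def find_anomalies(log_text):
    """Return (user, kind, detail) tuples for logins that break the baseline."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])
    cutoff = events[0]["ts"].date().toordinal() + BASELINE_DAYS
    known_countries = defaultdict(set)   # user -> countries seen in the baseline
    recent_fails = defaultdict(int)      # user -> failures since the last success
    findings = []
    for e in events:
        user, ok = e["user"], e["result"] == "success"
        if e["ts"].date().toordinal() < cutoff:
            # Baseline window: only learn, never alert.
            if ok:
                known_countries[user].add(e["country"])
            continue
        if ok and e["country"] not in known_countries[user]:
            findings.append((user, "new-country", e["country"]))
        if ok and e["ts"].hour not in WORK_HOURS:
            findings.append((user, "off-hours", e["ts"].isoformat()))
        if ok and recent_fails[user] >= FAIL_BURST:
            findings.append((user, "success-after-fail-burst", recent_fails[user]))
        recent_fails[user] = 0 if ok else recent_fails[user] + 1
    return findings


if __name__ == "__main__":
    for user, kind, detail in find_anomalies(SAMPLE_LOG):
        print(f"{user}: {kind} ({detail})")
```

On the sample data every finding points at the same login for bob: a new country, at three in the morning, right after five failed attempts. Each rule on its own produces noise in a real network (people travel, people work late); it is the combination on one account that is worth a phone call, so keep the rules simple and look at what they agree on.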

4. Reorganise Security Zones

And yes, we put all of our data on that network drive to make access as simple as possible. Hotline calls could have killed us. But, right: now our financial data is visible to the engineering team. I think we should rethink what is visible to whom before these weird guys find out where to look.
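Rethinking what is visible to whom is easier with a written-down zone policy and a script that checks the actual share permissions against it. The example below is added here and is not from the original post; the share names, group names, classifications and the policy itself are constructed assumptions, and the inventory stands in for whatever your file server exports.

```python
"""Review file-share permissions against a data-zone policy.

Added example, not code from the original post. The policy, the share
inventory and the group names are constructed assumptions.
"""

# Constructed zone policy: which groups may read each data classification.
ZONE_POLICY = {
    "public": {"Domain Users", "Finance", "Engineering", "Executive"},
    "engineering": {"Engineering"},
    "finance": {"Finance", "Executive"},
    "executive": {"Executive"},
}

# Groups that should never appear on anything but public data.
BROAD_GROUPS = {"Everyone", "Authenticated Users", "Domain Users"}

# Constructed share inventory, as it might be exported from the file server.
SHARE_INVENTORY = [
    {"share": "\\\\fs01\\company", "classification": "public",
     "acl": ["Domain Users"]},
    {"share": "\\\\fs01\\company\\finance", "classification": "finance",
     "acl": ["Domain Users", "Finance"]},      # inherited from the parent
    {"share": "\\\\fs01\\company\\engineering", "classification": "engineering",
     "acl": ["Engineering"]},
    {"share": "\\\\fs01\\homeoffice-dump", "classification": "executive",
     "acl": ["Everyone", "Engineering", "Executive"]},
]


def review_share(entry):
    """Return (share, kind, group) for every ACL entry the policy does not allow."""
    allowed = ZONE_POLICY[entry["classification"]]
    violations = []
    for group in entry["acl"]:
        if group in allowed:
            continue
        kind = "broad-group" if group in BROAD_GROUPS else "wrong-zone"
        violations.append((entry["share"], kind, group))
    return violations


def review_inventory(inventory):
    """Run review_share over the whole inventory."""
    findings = []
    for entry in inventory:
        findings.extend(review_share(entry))
    return findings


def visible_to(inventory):
    """Invert the ACLs: which data classifications can each group reach?"""
    reach = {}
    for entry in inventory:
        for group in entry["acl"]:
            reach.setdefault(group, set()).add(entry["classification"])
    return reach


if __name__ == "__main__":
    for share, kind, group in review_inventory(SHARE_INVENTORY):
        print(f"{share}: {kind}: {group}")
    for group, zones in sorted(visible_to(SHARE_INVENTORY).items()):
        print(f"{group} can read: {', '.join(sorted(zones))}")
```

The inverted view from `visible_to` is the one to show management: "Engineering can read executive data" is a sentence everybody understands, while a list of ACL entries is not. The broad groups are flagged separately because an inherited "Domain Users" entry is exactly how the finance folder ends up readable by everyone after a quick "put it all on the drive" migration.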

5. Verify your cloud solutions

Ok, for god's sake, we started to use this cloud-based messaging platform. I would not have slept for a week if we had had to build that up on prem. But wait, yesterday I saw that the Executive Team shared their year-end results there? Hmm, it could make sense to have a closer look at how we protect our cloud services.

This text first appeared on LinkedIn.