Deploying Managed, Secure, Compliant Infrastructure without a Central Office Location

Last year I was busy implementing policies and procedures to achieve HITRUST CSF certification. At the same time, nation-state hacking tools and vulnerabilities were being released on a monthly basis. I felt like I was caught in an IT security riptide: the goal of security and compliance seemed to be getting further away no matter how fast we tried to swim towards it. Then I happened onto Alfred Lansing’s book Endurance: Shackleton’s Incredible Voyage.

Endurance is the true story of explorer Sir Ernest Shackleton’s voyage to Antarctica in 1914 in the ship named Endurance. Shackleton’s ocean voyage ended one day from its goal, when the Endurance became trapped in the ice. The ordeal then began: surviving in the Antarctic with no radio and no hope of rescue. All 28 of the crew survived from January 2015 to final rescue in August 2016. Imagine surviving 19 months in Antarctica in 1915 with only the equipment available at that time.

I was inspired by this incredible story. Certainly, if Ernest Shackleton and his crew could survive 19 months in Antarctica in 1915, we can survive the onslaught of threats to our infrastructure and achieve security and compliance in 2018.

Many of the 12 rules that Shackleton followed before and during the adventure are what kept the men alive and morale as high as possible. These rules also apply to IT/DevOps teams in these challenging times for achieving security and compliance in the face of ubiquitous, sophisticated, nation-state sponsored hacking tools. Rule number 12 is especially relevant to this IT/DevOps

Shackleton’s Way of Selecting and Organizing a Crew:

  1. Start with a solid crew of workers you know from past jobs or who come recommended by trusted colleagues.
  2. Your Number Two is your most important hire. Pick one who complements your management style, shows loyalty without being a yes-man, and has a talent for working with others.
  3. Hire those who share your vision. Someone who clashes with your personality or the corporate culture will hinder your work.
  4. Fire quickly when it is clear you made a wrong recruiting decision even if it means legal action.
  5. Weed out potential slackers or people who are not prepared to do mundane or unpopular jobs.
  6. Be a creative, unconventional interviewer if you seek creative, unconventional people. Go deeper than job experience and expertise. Ask questions that reveal a candidate’s personality, values, and perspective on work and life.
  7. Don’t stick doggedly to your list of questions; rely on your intuition as well.
  8. Surround yourself with cheerful, optimistic people. They will reward you with the loyalty and camaraderie vital for success. Also, they will stick by you when times get tough.
  9. Applicants hungriest for the job are apt to work hardest to keep it.
  10. Hire those with the talents and expertise you lack. Don’t feel threatened by them. They will help you stay on the cutting edge and bring distinction to your organization.
  11. Spell out clearly to new employees the exact duties and requirements of their jobs, and how they will be compensated. Many failed work relationships start with a lack of communication.
  12. To help your staff do top-notch work, give them the best equipment you can afford. Working with outdated, unreliable tools creates an unnecessary burden.


This coming series of articles will focus on companies that are just starting to deploy infrastructure. It is important to understand the new tools available today that allow new companies to start out with a solid foundation for supporting security and compliance. Existing companies wanting to remediate an existing infrastructure, or mature companies that did not deploy managed infrastructure, can also apply these tools, but their tasks are complicated by change management and by replacing or integrating existing infrastructure.

All companies today need to address security and compliance to be in a position to prove that their customers’ data is safe. Customers are rightfully getting concerned about the security of where their data is being stored and accessed. The requirements for security, and the need to prove security, will only increase over time. It is far easier to start off with a modern secure foundation than it is to pause in a later stage of growth to implement security and compliance.

Traditionally, companies have started with an on-premises directory service like Microsoft Active Directory and then built up from there. Active Directory is complicated to make accessible to road warriors and a distributed workforce. Many times, new enterprises start using SaaS vendors like G-Suite, Box.com and Amazon Web Services without a centralized directory service. Deploying SaaS services without a centralized directory server will inevitably become chaotic as the number of employees and the number of SaaS applications grow. Users do not enjoy having different credentials for each of their SaaS applications.

These articles will focus on how to deploy a centralized “Directory as a Service (DaaS)” in the cloud using JumpCloud. JumpCloud eliminates the need, complexity and cost of an on-premises directory server and provides better management of users and systems through cloud-based LDAP, SAML Single Sign-On, RADIUS as a Service, SSH key management, and user management for Apple Macs, Windows PCs and Linux systems (physical and cloud-based).

Companies are recognizing that a major weakness of SaaS applications is that users have too many logins and credentials, and that access rights spread across many SaaS systems are harder to audit. Cloud-based directory-as-a-service providers are rapidly adding new features monthly, and cloud-based SaaS vendors are improving their LDAP and SSO integration capabilities every month as well. This makes it a good time to be looking at cloud-based directory services.

For example, JumpCloud can auto-provision users in G-Suite. Auto-provisioning means that users are created, modified and deleted in G-Suite by using the JumpCloud portal; JumpCloud uses the G-Suite APIs to sync the users between JumpCloud and G-Suite. JumpCloud also provides on-demand provisioning for AWS IAM users, so that users do not need to be manually provisioned in IAM. JumpCloud provides SAML Single Sign-On for SaaS vendors like Box.com, where you would still need to manually create the users in the SaaS vendor’s portal, but their login credentials are managed through JumpCloud Single Sign-On. JumpCloud also provides “RADIUS as a Service” for office WiFi authentication from a directory, instead of the typical small-office practice of static WPA keys handed out on post-it notes.
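The two points above, a directory-driven auto-provisioning sync and the difficulty of auditing access rights across SaaS applications, come down to the same reconciliation: treat the directory as the source of truth, compare it with the SaaS application's user list, and derive the create/update/deprovision actions plus a list of SaaS accounts that no directory user owns. The following is an added illustration, not JumpCloud's or G-Suite's code, and it calls no real API; the user records, the `saas-users` entitlement group and the suspend-rather-than-delete policy are all constructed assumptions.

```python
"""Directory-to-SaaS user reconciliation (constructed example).

The central directory is the source of truth. A SaaS application's
user list is compared against it to produce the actions an
auto-provisioning sync would apply, plus an audit finding for
orphaned SaaS accounts that have no directory owner. All data below
is made up; nothing here talks to a real directory or SaaS API.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class DirectoryUser:
    email: str
    display_name: str
    active: bool                      # False once the person is terminated
    groups: frozenset = frozenset()   # entitlement groups, e.g. "saas-users"


@dataclass(frozen=True)
class SaasAccount:
    email: str
    display_name: str
    suspended: bool


@dataclass
class SyncPlan:
    create: list = field(default_factory=list)    # entitled, missing in SaaS
    update: list = field(default_factory=list)    # entitled, attributes drifted
    suspend: list = field(default_factory=list)   # no longer entitled, still active
    orphaned: list = field(default_factory=list)  # active in SaaS, unknown to directory


def reconcile(directory, saas, provisioned_group="saas-users"):
    """Derive the provisioning plan for one SaaS application.

    Deprovisioning suspends rather than deletes, so the account's data
    stays available for audit; orphaned accounts are reported, not
    touched, because the sync has no directory record to act on.
    """
    directory_by_email = {u.email.lower(): u for u in directory}
    saas_by_email = {a.email.lower(): a for a in saas}
    plan = SyncPlan()

    for email, user in directory_by_email.items():
        entitled = user.active and provisioned_group in user.groups
        account = saas_by_email.get(email)
        if entitled and account is None:
            plan.create.append(email)
        elif entitled and (account.suspended
                           or account.display_name != user.display_name):
            plan.update.append(email)      # reactivate or push the new name
        elif not entitled and account is not None and not account.suspended:
            plan.suspend.append(email)     # terminated or entitlement removed

    # Audit finding: live SaaS accounts with no owner in the directory.
    for email, account in saas_by_email.items():
        if email not in directory_by_email and not account.suspended:
            plan.orphaned.append(email)

    for bucket in (plan.create, plan.update, plan.suspend, plan.orphaned):
        bucket.sort()
    return plan


# Constructed sample data: one case per branch of the reconciliation.
DIRECTORY = [
    DirectoryUser("alice@example.com", "Alice Ng", True, frozenset({"saas-users"})),
    DirectoryUser("bob@example.com", "Bob Ortiz", True, frozenset({"saas-users"})),
    DirectoryUser("carol@example.com", "Carol Diaz", False, frozenset({"saas-users"})),
    DirectoryUser("dan@example.com", "Dan Roy", True, frozenset()),
]
SAAS = [
    SaasAccount("Bob@example.com", "Robert Ortiz", False),   # name drift, mixed case
    SaasAccount("carol@example.com", "Carol Diaz", False),   # terminated, still live
    SaasAccount("dan@example.com", "Dan Roy", False),        # entitlement removed
    SaasAccount("eve@example.com", "Eve Contractor", False), # nobody in the directory
    SaasAccount("frank@example.com", "Frank Old", True),     # orphan, already suspended
]


def summarize(plan):
    """Flat dict view of the plan, convenient for logging or a ticket."""
    return {"create": plan.create, "update": plan.update,
            "suspend": plan.suspend, "orphaned": plan.orphaned}


if __name__ == "__main__":
    for action, emails in summarize(reconcile(DIRECTORY, SAAS)).items():
        print(f"{action:9s} {', '.join(emails) or '-'}")
```

Run on the sample data, the plan creates Alice, renames Bob, suspends Carol (terminated) and Dan (entitlement removed), and reports Eve as an orphaned live account for a human to investigate. The orphaned list is the audit value of a central directory: once every SaaS account is expected to map to a directory user, anything that does not is visible in one place instead of being hunted for in each vendor's portal.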
