Information Security Best Practices: Keeping Your Company's Data Safe

  1. Information Security Best Practices: Keeping Your Company's Data Safe
  2. Hello! I am James Patterson, COO & CISO, Resolver (james@resolver.com)
  3. Information Security
     • Confidentiality
     • Integrity
     • Availability
  4. Principle of Least Privilege
     • Every module (process, user, program, environment) must be able to access only the information and resources that are necessary for its legitimate purpose
     • Start from nothing; only add what is needed
  5. Defense in Depth
     • Use of all available security mechanisms in the different aspects of the application deployment infrastructure to minimise potential attack vectors by creating multiple layers of protection in case one mechanism fails
  6. Layer Cake
     • BCP & DR
     • Monitoring
     • Procedures
     • Automation
     • Policies
     • Penetration Testing
     • Third Party Validation
     • Corporate Environment
     • People
     • Technical Controls
       ▪ Network
       ▪ OS
       ▪ Application
       ▪ Data Storage and Access
       ▪ Physical Security
  7. Corporate Environment
     • Security Culture
     • Tone at the Top
     • Trusted Guardian of Your Data
     • Transparency
     • Risk Assessment
     • Documentation
     • Investment
  8. People
     • Security Roles
     • Job Descriptions
     • Hiring Decisions (background checks)
     • Onboarding / Offboarding (least privilege)
     • Ongoing security training
  9. Security Architecture Principles
     • Segmented Environments
     • Server Isolation
     • Least Privilege
     • Private Network for Server Management
     • Minimal public surface area
     • AWS Managed Services Wherever Possible
     • MFA and Credential Complexity
  10. Technical Controls - Network
     • ALB (Application Load Balancer) or Nginx secure reverse proxy
     • CloudFront for Content Distribution and DDoS attacks
     • AWS Shield (WAF)
     • EC2 Security Groups (AWS Firewall)
     • IAM Users and Roles
     • Transport Encryption
     • Private Management Subnet through MFA Enabled VPN
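The "minimal public surface area" principle and the security-group firewall above are easy to state and easy to drift away from. The following is an added example, not Resolver's code: a small audit that walks security-group ingress rules and flags anything open to the whole internet (0.0.0.0/0 or ::/0) except the ports a public entry point such as the ALB or reverse proxy is expected to expose. The rule dictionaries follow the shape of boto3's describe_security_groups output but are constructed inline here; the group ids and the per-group allow-list are assumptions for the example.

```python
"""Audit EC2 security-group ingress rules for a minimal public surface area.

Constructed example (not Resolver's code). The input dicts mimic the
IpPermissions structure returned by boto3 describe_security_groups so the
same function could be pointed at real output; group ids and the allowed
public ports below are assumptions.
"""

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

# Assumed allow-list: only the public load balancer / reverse proxy may
# expose anything to the world, and only HTTP/HTTPS. Every other group
# starts with an empty set (least privilege: nothing is public by default).
PUBLIC_ALLOWED_PORTS = {"sg-alb": {80, 443}}


def rule_ports(rule):
    """Expand a rule's port range. IpProtocol '-1' means all protocols/ports."""
    if rule.get("IpProtocol") == "-1":
        return range(0, 65536)
    lo = rule.get("FromPort", 0)
    hi = rule.get("ToPort", 65535)
    return range(lo, hi + 1)


def world_open_cidrs(rule):
    """Return the CIDRs in this rule that mean 'anyone on the internet'."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD_CIDRS]


def summarize_ports(ports):
    """Compact 'lo-hi' text for a sorted list of ports (single port -> 'p')."""
    return f"{ports[0]}-{ports[-1]}" if len(ports) > 1 else str(ports[0])


def audit_security_groups(groups, allowed=PUBLIC_ALLOWED_PORTS):
    """Return one finding per rule that exposes a non-allowed port to the world.

    Rules restricted to private ranges (e.g. the management subnet) are
    never findings; only world-open rules are compared against the allow-list.
    """
    findings = []
    for sg in groups:
        sg_id = sg["GroupId"]
        ok_ports = allowed.get(sg_id, set())
        for rule in sg.get("IpPermissions", []):
            open_cidrs = world_open_cidrs(rule)
            if not open_cidrs:
                continue
            bad = sorted(p for p in rule_ports(rule) if p not in ok_ports)
            if bad:
                findings.append({
                    "group": sg_id,
                    "cidrs": open_cidrs,
                    "ports": summarize_ports(bad),
                })
    return findings


# Constructed sample groups in boto3's IpPermissions shape.
SAMPLE_GROUPS = [
    {"GroupId": "sg-alb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-app", "IpPermissions": [
        # SSH open to the world on an application server: a finding.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-mgmt", "IpPermissions": [
        # SSH only from the private management range: fine.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-db", "IpPermissions": [
        # Everything open over IPv6: a finding.
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]

if __name__ == "__main__":
    for finding in audit_security_groups(SAMPLE_GROUPS):
        print(f"{finding['group']}: ports {finding['ports']} open to {finding['cidrs']}")
```

Running the block against the constructed groups reports sg-app (port 22) and sg-db (all ports) and stays silent on the ALB and the management group, which is the property the audit is meant to enforce: public exposure is an explicit exception, not the default.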
  11. Technical Controls - Operating System
     • Server Hardening
     • Anti-virus
     • Anti-malware
     • Intrusion detection systems – AlienVault and AWS GuardDuty
     • Monthly Patch Management
     • Critical patches analyzed for applicability within 48 hours
  12. Technical Controls - Application
     • Security by Design
     • Access and Authorization checked at every level
     • Resolver Application Level Authentication control
     • Resolver as identity provider
     • Single Sign On
     • Role and Data Based Authorization Control
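Slide 4's "start from nothing, only add what is needed" and slide 12's "access and authorization checked at every level" with "role and data based authorization control" describe one pattern: a deny-by-default check that combines what a role is explicitly granted with which data a user may touch, re-evaluated by each layer rather than trusted from the layer above. The following is an added illustration, not Resolver's code; the roles, actions, User/Record types and the tenant-scoping rule are all assumptions made for the example.

```python
"""Deny-by-default authorization combining role-based and data-based checks.

Constructed example (not Resolver's code). Role names, actions, the
User/Record types and the rule that data is scoped per organisation are
assumptions for illustration only.
"""
from dataclasses import dataclass, field

# Role -> actions that role is explicitly granted. There is deliberately no
# wildcard and no "default" role: a role that is not listed grants nothing,
# which is the 'start from nothing' half of least privilege.
ROLE_PERMISSIONS = {
    "viewer": {"read"},
    "editor": {"read", "update"},
    "admin": {"read", "update", "delete"},
}


@dataclass(frozen=True)
class User:
    name: str
    org_id: str                      # tenant the user belongs to
    roles: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class Record:
    record_id: str
    org_id: str                      # tenant that owns the record


def role_allows(roles, action):
    """Role-based check: some granted role must explicitly list the action."""
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in roles)


def data_allows(user, record):
    """Data-based check: a user may only act on records owned by their own org
    (the data-segregation assumption of this example)."""
    return user.org_id == record.org_id


def authorize(user, action, record):
    """Both checks must independently pass; any miss is a denial.

    Returns (allowed, reason) so the caller can write the decision to the
    application audit trail, including why a request was refused.
    """
    if not role_allows(user.roles, action):
        return False, f"role check failed: {sorted(user.roles)} lacks '{action}'"
    if not data_allows(user, record):
        return False, f"data check failed: org {user.org_id} != {record.org_id}"
    return True, "allowed"


def delete_record(user, record, store):
    """Service-layer operation that re-checks authorization itself instead of
    assuming the web layer already did ('checked at every level')."""
    allowed, reason = authorize(user, "delete", record)
    if not allowed:
        raise PermissionError(reason)
    store.pop(record.record_id, None)
    return reason


# Constructed sample users and records.
alice = User("alice", org_id="org-A", roles=frozenset({"admin"}))
bob = User("bob", org_id="org-B", roles=frozenset({"viewer"}))
carol = User("carol", org_id="org-A", roles=frozenset({"auditor"}))  # unknown role
rec_a = Record("r1", org_id="org-A")
rec_b = Record("r2", org_id="org-B")

if __name__ == "__main__":
    print(authorize(alice, "delete", rec_a))   # admin in own org: allowed
    print(authorize(alice, "read", rec_b))     # right role, wrong org: denied
    print(authorize(bob, "read", rec_b))       # viewer reading own org: allowed
    print(authorize(bob, "update", rec_b))     # viewer lacks update: denied
    print(authorize(carol, "read", rec_a))     # role nobody defined: denied
```

Note that carol is denied even for a read: an unrecognised role is treated as no privileges at all rather than as some implicit baseline, and the separate reasons make the audit trail useful for an access review.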
  13. Data Storage and Access
     • Encryption at Rest
     • Data Segregation
     • Access Review
     • High Availability and Durability
     • Access Controls
       ▪ Least privilege
       ▪ Encrypted credentials
  14. Physical Security - AWS
     • Site selection
     • AWS employee access only
     • Access logs
     • Access review
     • CCTV and MFA access
  15. Business Continuity Planning & Disaster Recovery
     • AWS Regions and Availability Zones
     • Regular Backups with Validation
     • Monthly Testing
     • Auto Scale and Self Healing
  16. Monitoring
     • AWS CloudWatch – Log aggregation and preservation
     • CloudTrail – AWS account config changes
     • Application Audit Trail
     • AlienVault – SIEM, HIDS
     • Site24x7 – External availability
     • PagerDuty – Notification
     • Nessus – Vulnerability Scanning
     • GuardDuty – Machine Learning SIEM
  17. Standard Operating Procedures
     • Disaster Recovery
     • Change Management
     • Incident Management
     • Monthly Maintenance
     • Vulnerability Management
     • Other SOPs
     • Common operations (onboard & offboard customers)
  18. Automation
     • Faster
     • Removes human error
     • Scripting for common tasks
       ▪ New customer
       ▪ Resolver Core environment deploy
     • Cattle, not pets
       ▪ Replace servers with secure versions
       ▪ No need to remote into containers
  19. Policies
     • InfoSec Policy
     • Change Control
     • Hiring Process
     • Termination Process
     • Security Assessment Process
     • Incident Management Policy
     • Security Awareness Training Policy
     • Server Capacity Policy
     • Server Hardening Policy
     • Data Classification
     • Password Policy
     • Cryptography Policy
     • Patch Management Policy
     • Remote Access Policy
  20. Penetration Testing
     • Annual
     • Third Party
     • Black box, authenticated, comprehensive
     • OWASP
       ▪ Top 10
       ▪ Application Security Verification Standard
     • Data segregation
     • Application logic
  21. Third Party Validation
  22. Thanks! Any questions? james@resolver.com