Gradual Perimeter Permissions
With all of the current learning and planning strategies, my goal is to start from a position where each server begins in a state of complete lockdown. This essentially means that the only way to access the server is locally, and nothing can run on the server which needs to communicate with the external environment locally or online. Easily achieved and quickly.
From this starting point, my aim is to then begin adding specific permissions that are highly customised to the particular role of the server (there will be multiple types) and expected users. And this means understanding the nature of the particular services that need to run on each type of server, the kinds of processes and permissions they need to run, whether these processes require permissions that are static or these can be made dynamic and time-based, and how the planned maintenance and monitoring processes will work.
As I go through each of the current progressive steps, and learn about and/or develop new processes and services, my focus in terms of the defensive perimeter is to only grant access for the required tasks, for the briefest time possible, and immediately return the perimeter to the highest level lockdown possible while maintaining ongoing processes. The same approach will be used when structuring the security approach to containers and their internal images.
So I have a plan. It's just insane. Kinda the way it should be 🙂
Stay awesome,
EMH
HOW MOOVPAD IS BEING BUILT
For the overview of how MOOVPAD apps are being developed, the reasoning behind particular decisions during development, policies, and more in relation to all the technical things, please see the link to the left.
This will be an ongoing work in progress, and will always be linked to the bottom of each upcoming Blog post.