a recent discussion has taken place about how best to address enterprise customer concerns on policies relating to holding of customer data.
While this issue isn't going to target a full solution to this problem, there are some key points that I feel most projects should adhere to.
I fully expect this to turn into a sliding scale, where basic requirements are:
- per user access to services
- every developer has most rights for ease of use
- bastion service for accessing service ports on infrastructure
to super hardened, where requirements are:
- per user access to services, with enforced MFA (maybe all of "what you know", "what you have", "what you are")
- follow principle of least privilege
- auditable access to sensitive material
a recent discussion has taken place about how best to address enterprise customer concerns on policies relating to holding of customer data.
While this issue isn't going to target a full solution to this problem, there are some key points that I feel most projects should adhere to.
I fully expect this to turn into a sliding scale, where basic requirements are:
to super hardened, where requirements are: