Information security encompasses a variety of different working groups. These security best practices support the functions of business operations, infrastructure, and product development, to name a few. Everybody is responsible for maintaining a level of security to support compliance [TODO], while raising the bar of our security posture.
Reference: Inspired by GitLab’s Security Practices.
As part of raising that bar, Lovia is implementing Zero Trust, or the practice of shifting access control from the perimeter of the org to the individuals, the assets and the endpoints. You can learn more about this strategy from the Google BeyondCorp whitepaper: A New Approach to Enterprise Security.
In our case, Zero Trust means that all devices trying to access an endpoint or asset within our Lovia environment will need to authenticate and be authorized. Because Zero Trust relies on dynamic, risk-based decisions, this also means that users must be authorized and validated: what department are they in, what role do they have, how sensitive is the data and the host that they are trying to access? We’re at the beginning stages in our Zero Trust roadmap, but as we move along in the journey, we’ll document our lessons learned, process and progress in our Security blog [TODO].
To learn more about the concept of Zero Trust, see this GitLab presentation from GoogleNext19.
Identity is a critical element of the implementation of a ZTN framework. Lovia is in the process of standardizing authentication for Cloud Application access and implementing user-friendly SSO [TODO: in the meantime, see Collaboration Tools by Technology department].
Why We Don’t Have a Corporate VPN
In many enterprise environments, virtual private networks (VPN) are used to allow access to less secured resources, typically also protected by an enterprise firewall. At Lovia, as an all-remote company, we do most of our work using other Software-as-a-Service (SaaS) providers that we rely on to maintain confidentiality of communication and data. Additionally, adding VPN connectivity only marginally improves the security of using those systems. For the use case of laptop usage in untrusted environments, such as coffee shops and co-working spaces, a baseline of always-on host protections, such as up-to-date security patching, host firewalls, and antivirus, should be prioritized.
Team members should follow the system configuration guidelines [TODO] at a minimum to secure their workstations.
In relation to Zero Trust, a corporate VPN is a perimeter, which ZTN architecture de-emphasizes as a basis for making authorization decisions. Current access to critical systems is managed through alternative controls.
While a corporate VPN is not implemented at this time, there are other valid use cases for which individual team members may still wish to use a personal VPN, such as privacy or preventing traffic aggregation.
CEO & Executive Fraud
The CEO will not send you an email to wire cash, the CFO won’t send you a text message to ask for gift cards, or anything else that feels like CEO fraud or CEO scam. These types of spear phishing events will be more common as we grow. Feel free to verify any unusual requests with a video call.
What should you do if you receive a potential phishing email or text from Lovia’s CEO/CxO?
- If you are unsure whether the text or email is legitimate, confirm the request via Video Call or contact Security to review.
- If the email is determined to be fake, follow the instructions for phishing attacks below.
- If the text is determined to be fake: block the number, notify Security, and delete the text.
Security Process and Procedures for Team Members
Quick Overview of Tools Used
| Purpose | Tool | Notes |
|---|---|---|
| Password Manager | Bitwarden | Using a good password manager (not just with Lovia, but for your own purposes) is strongly recommended. If you have never used a password manager before, we recommend Bitwarden (you can sign up for a free personal account and use it in all of your devices). |
| Single Sign-on | Now: Firebase Authentication / Google Cloud Identity Platform | You use your Gluu username and password to sign in to About Lovia and other resources. You may store your Gluu password in Bitwarden or your chosen password manager. |
| Shared accounts | Vault | We use Vault to manage shared account credentials for work purposes (e.g. Facebook, Instagram, API keys, access tokens, etc.). |
Accounts and Passwords
- Read and follow the requirements for handling passwords and other credentials in the Lovia Password Policy Guidelines below for all accounts used to conduct Lovia related work. Using Bitwarden to generate and store the passwords is strongly recommended.
- Set up your Lovia Gluu account [TODO], and use this as your primary means for accessing Applications supported by Gluu. As part of setting up Gluu, you’ll need to establish a strong password and set up at least one additional form of authentication.
- For your Gluu password and other passwords that you won’t store in Gluu, set up Bitwarden as your password manager and set a strong and unique master password.
- Keep your Master Password a secret. No other team members should know it, including admins. If the Master Password is known or disclosed to someone else, it should be changed immediately.
- Post a message in #it-ops if you forget your Master Password.
- Consider using a generated Master Password. Most human-created passwords are easy to guess. Let Bitwarden create a strong Master Password. But: you will need to memorize this Master Password.
- Do not let your password manager store the master password. It is okay to store the username.
- For more information, review Bitwarden: Setup and How To For Beginners by Password Bits (includes video) that guides you through the sign-up process.
- Enable two-factor authentication (2FA) with an authenticator, such as Authy or Super Gluu, on every account that supports it. This is required for Google, Lovia Chat, GitLab.com, and GitHub accounts.
Users without 2FA enabled that are stale for over 30 days will be blocked/suspended until resolved. This improves the security posture for both the user and Lovia.
- If you do not have a YubiKey, you may consider purchasing one. A YubiKey or other hardware token can be used as a convenient second-factor authentication method once a first factor has been added to Gluu, G Suite, About Lovia, Chat, and many other sites. Purchasing a YubiKey is not mandatory, but it adds an extra layer of authentication for better security.
- When signing up for a new service on behalf of Lovia:
  - Request a Security Review [TODO] by opening an issue in the Compliance project.
  - If shared access is required by multiple team members to a single account, for example, a social media account, an Access Request [TODO] should be opened. The credentials will be stored and shared via Vault.
  - If you find an existing shared account in Bitwarden, create an issue [TODO] to get it migrated to Vault.
Security for Customer Apps
- Firebase Authentication / Google Cloud Identity Platform: this is currently the default for both customer and intranet apps. Use Firebase whenever possible, but OpenID Connect and SAML are also available.
- ORY Hydra (OAuth 2.0, OpenID Connect).
Since using Firebase Auth/GCIP is relatively easy and cost-effective, using an application's built-in authentication mechanism is discouraged.
- Firebase Authentication
- Passport.js: OpenID Connect, SAML
Alternatives for role-based access control (RBAC) and fine-grained ACL permissions:
- Gluu UMA 2.
- For NestJS, nestjsx/nest-access-control.
- For general Node.js, OptimalBits/node_acl.
- For WordPress: User Role Editor plugin.
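As an added example (not Lovia's code and not taken from any of the libraries listed above), the following Express-style Node.js guard enforces role-based access using roles carried as custom claims on a verified Firebase Authentication ID token. The token verifier is injected so the logic runs offline; the permission matrix, the role names and the `roles` claim key are constructed assumptions.

```javascript
// Added example (not Lovia's own code): RBAC on top of Firebase Authentication
// ID tokens for an Express-style Node.js API. Roles come from custom claims on
// the *verified* token, never from the request body or query string, and
// anything not explicitly granted is denied.

// Permission matrix: role -> resource -> allowed actions (constructed sample).
const PERMISSIONS = {
  admin: { orders: ['read', 'write', 'delete'], users: ['read', 'write'] },
  staff: { orders: ['read', 'write'] },
  customer: { orders: ['read'] },
};

// Pure authorization decision: allow only if some role of the caller grants
// the action on the resource. Unknown roles, resources or actions all deny.
function isAllowed(claims, resource, action) {
  const roles = claims && Array.isArray(claims.roles) ? claims.roles : [];
  return roles.some((role) => {
    const grants = PERMISSIONS[role] && PERMISSIONS[role][resource];
    return Array.isArray(grants) && grants.includes(action);
  });
}

// Middleware factory. `verifyIdToken` is injected so the logic can be tested
// offline; in production pass `(t) => admin.auth().verifyIdToken(t)` from
// firebase-admin, which checks signature, expiry, issuer and audience.
function requireAccess(verifyIdToken, resource, action) {
  return async function guard(req, res, next) {
    const [scheme, token] = (req.headers.authorization || '').split(' ');
    if (scheme !== 'Bearer' || !token) {
      return res.status(401).json({ error: 'missing bearer token' });
    }
    let claims;
    try {
      claims = await verifyIdToken(token);
    } catch (err) {
      return res.status(401).json({ error: 'invalid token' });
    }
    if (!isAllowed(claims, resource, action)) {
      // Authenticated but not authorized: 403, without explaining why.
      return res.status(403).json({ error: 'forbidden' });
    }
    req.user = { uid: claims.uid, roles: claims.roles || [] };
    return next();
  };
}
```

Mount it per route, e.g. `app.delete('/orders/:id', requireAccess(verify, 'orders', 'delete'), handler)`, so every handler is deny-by-default unless a role explicitly grants the action.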