Secure information, secure work, secure value
In this remote-first world, it’s impossible to separate information security from information value. At the UpTeam Accelerator, speed and trust are built into our processes, policies, and tools from the ground up. Everyone who works with our customers, their software, and infrastructure works within strict, clear security protocols.
Making the best of location-independent talent means mitigating risks for people and devices no matter where they are. There are many best practices derived directly from the world of cloud computing which we inhabit. Controls and processes derived from central office environments can also apply successfully to distributed work. Our goal is to secure and protect all the work on all the data at all times. It requires corrective avoidance of risky situations, rapid mitigation of incidents, and continuous improvement in the face of the evolving threat landscape.
Our belief is that this discipline and mindset apply not only to our team but also to our work with you and your team. We work to continuously raise the security and operations standards across all of the work UpTeam does with your organization.
Security Operations Objectives
Security is a core element of our operating model, both for individual customer teams as well as the UpTeam Accelerator as a whole. The following objectives drive security operations:
- Maintain and update company-wide security policies
- Train all employees on security norms and protocols and keep them up-to-date
- Operate a toolset that regularly executes security audits for all teams and products
- Manage, triage, and root cause all security incidents
- Operate and maintain a database of attack vectors and remediations
- Maintain an active backlog of security improvement opportunities based on continuous monitoring of global security threats
Security Foundations: Policies & Procedures
Securing Cloud Services
As a cloud-first software development company, many of the operating assumptions of our development and deployment processes derive directly from cloud services. From this we inherit critical security benefits:
- Distributed platforms with no single point of failure
- Multiple levels of redundancy within and across platforms and data services
- Security management using managed services and online tools
- Managed services for end-user mobile devices, laptops and smartphones
- Avoid using network access control lists or network firewalls.
These assumptions also extend to how end-users work with these resources.
- Multi-factor authentication, also known as 2FA, is a critical verification step offered by cloud service providers. It’s a very effective barrier against intrusion and unauthorized access.
- Google Authenticator provides a validated separation between the end-user and the service they use, based on the classic security tactic of “something you have and something you know.”
- All confidential information is shared on channels that use 2FA to prevent spoofing, including and especially password recovery codes.
- All password management is cryptographically controlled using LastPass. This streamlines logins, stores access credentials securely, and manages safe sharing for password recovery.
- Our IT operations team can control usage policies and user management using LastPass as a secure centralized resource, streamlining global application of policies and procedures wherever members and end-users work.
- Google Meet and Zoom are our default live communications tools (whichever a client prefers). Session access is managed centrally using Google authentication mechanisms.
Secure document sharing and access
Fine-grained access control is critical. There’s no merit in making it easy with shortcuts that expose critical information, just as there is no point in making information secure by making it inaccessible. Document distribution and collaboration must be both secure and frictionless.
Our default identity and document access platform is Google G-Suite. It’s a unique combination of integrated cloud identity and easily manageable document sharing and management. It builds in clear standards for data ownership, data use, security, transparency, and accountability. That gives us control over compliance, reporting, as well as day-to-day identity and collaboration needs.
G-Suite as the backbone of our collaboration and identity management confers several important advantages:
- Google Authenticator significantly reduces the risk of unauthorized access. Admins can also manage these keys at scale, and readily separate access based on organizational rules.
- Context-aware access ensures that employees have access only to assigned documents and resources. By default, members of each client team in the UpTeam Accelerator are denied access to any clients they are not assigned to.
- Structured privileged roles add another layer of confidence and authorization. Compliance and oversight are managed with complete transparency within the scope of our contracted client relationship. For example, your team leads have access credentials that individual line staff members do not. Similarly, our global infrastructure specialists have clear policies and guidelines separating who can access what.
- Email security can be bolstered with customized rules such as using Secure/Multipurpose Internet Mail Extensions (S/MIME), as and when specific content is detected in email messages.
- Two-factor authentication can be added to any access within Google G-Suite document collaboration.
- Single sign-on and 2FA together control access for AWS, Azure, Microsoft 365, and the like.
Access Control policies and procedures
All processes for account creation and termination are automated and centrally controlled. These are audited regularly. VPN is the default access mode for all distributed resources. Exceptions are granted only by joint approval of the CTO and a VP-level executive.
Provisioning and revocation are formally managed for all services and systems. Using mechanisms such as SSO, password management, 2FA and more, we can verify and monitor user legitimacy, and remove credentials or change access in a seamless and secure fashion.
All accounts and resources are by default set to zero trust. This means that all access grants at any level must be explicitly approved by privileged users in the management chain of command. We perform frequent audits to validate the relationship between user and role, as well as which roles are granted to which users. This keeps us up-to-date and ensures all users are accounted for with appropriate permission levels. We also use a user’s email and G Suite credentials to control access to third-party systems that contain company or client data.
Privileged access rights and responsibilities
Management of Privileged Access Rights
Resource administrators at the UpTeam Accelerator have significant access to systems and resources. As such, they have added responsibilities tied directly to security.
- Ensure any user has received appropriate credentials and security training before gaining access to any system
- Advise and approve security plans, documentation, processes, and risk assessments for resources and team leads, on a need-to-know basis.
- Consult with team leads and resource owners on any changes to DR or contingency planning, such as when client systems are deployed into new geography or availability zones.
- Implement a system for appropriate system auditing, log review, and applicable access procedures and mechanisms
- Document, report, or investigate violations or incidents, whether confirmed or suspected, and work with both client and security specialists from discovery to remediation
Confidential Authentication Credential Management
Anonymity is not compatible with rigorous security. Complete, comprehensive access and identity management means that all interactions must be associated with unique user identification information.
As it turns out, a complete understanding of who does what also has meaningful benefit outside of security, by providing transparent observability throughout the development process.
These dual benefits mean that ID and auth for systems and users are deliberately controlled. Usernames and service accounts are unique. Only authorized users receive user IDs for the systems. Written authorization, at a minimum through a Slack chat, is required for access.
Audit and Compliance
Successful ongoing security operations require ongoing review and audit to ensure compliance is maintained and improved as necessary. We perform global reviews and audits of all centralized control policies every six months to ensure they interoperate seamlessly with all other security policies. As a result of these audits, any improvements must be implemented within no more than 30 days.
When we introduce new technologies or services, we evaluate them against our existing policies. To be accepted, they must integrate with auditing, monitoring, reporting, event notification, and management.
The global infrastructure professionals at the UpTeam Accelerator have three discrete areas of responsibility:
- Security operations: regular monitoring of accounts and access control, incident reporting, and remediation of non-compliance
- IT operations: provisions and revokes account access across all UpTeam staff for common services, such as G Suite, JIRA, Slack, GitHub, etc.
- Compliance: works with third-party service providers to create and review audit-ready compliance reports and recommend actions to close compliance gaps.
The Compliance group can also work with specific UpTeam Accelerator clients in support of customer-specific compliance requirements, such as HIPAA, PCI-DSS, and FedRAMP.
At UpTeam, our security operations principles are derived from international standards for security controls, security management, risk assessment and mitigation. These include International Standardization Organization (ISO) 27005:2011, 27001:2013, and 27002:2013.
In addition, we apply security practices on data storage platforms, addressing data in transit and data at rest, as follows:
- G-Suite, our default cloud storage and document management platform, provides 256-bit SSL/TLS encryption in transit and at least AES-128 for data at rest.
- GitHub is our default for code versioning and storage. GitHub hosts have encrypted disks and transfer data using SSH and HTTPS.
- Amazon is our preferred data storage service. BLOBs and database backups are stored in S3, transferred via S3 encrypted connection, and encrypted (AES-256) by default.
- Each application has its own separate databases. In case of a security breach, this contains or at least minimizes any potential exposure. Databases are backed up to S3 with these same protocols.
- Device provisioning & endpoint management is implemented for Apple devices using Apple Business Manager and Microsoft devices using Microsoft Intune.
As is the case in all modern cloud services, encryption is the default for any access or service. HTTPS requires TLS (we do not use standalone SSL). All resources must be served via HTTPS, and all requests received via HTTP must be redirected to the HTTPS counterpart, or be denied. Here is a list of the key cryptographic hash functions, systems, and algorithms we use:
|Purpose|Example|Cryptographic system|Minimum key length|
|---|---|---|---|
|Asymmetric encryption|SSH|RSA|2048 bits|
|Symmetric encryption|IPsec|AES|256 bits|
|Key exchange||Diffie-Hellman (DH) / ECDH / IKE|2048 bits|
|Password hashing||PBKDF2 / Bcrypt / Scrypt||
|Message hash||SHA2|256 bits|
Threat Prevention and Mitigation
No security discipline is complete without recognizing the need for continuous vigilance in defending the attack surface. Global service level, incident mitigation and penetration testing work hand-in-hand to expose vulnerabilities and close them before they can cause harm.
Malware and scams worldwide are continuously growing as a threat in sophistication and pernicious effect. We engage our employees actively on the front lines, to make it as easy as possible for them to avoid and defend against such intrusions. Collaboration is critical. Team members avoid scams and exploits by maintaining open interaction with their colleagues across customers in company-wide Slack channels. Any staffer can raise a question about an inbound inquiry for information, so we can confirm the legitimacy of the message.
Slack also provides a rapid and seamless channel for alerts about phishing or scams targeting a company or a marketplace. The same is true for devices. We make it easy for any staffer who suspects he or she has come across something questionable to report this to our IT security operations group. They follow well-documented protocols, including disconnecting the system from all resources until it can be cleaned, validated, and restored.
As part of end-user device management, we run malware protection solutions for all users. They are set up to perform regular in-depth inspections, including automated removal of suspect code, and disconnecting suspect devices. Malware detection runs in active protection mode. It concurrently notifies the user and quarantines any threats.
Global Developer Tech support
Making every developer successful starts with ensuring he or she has the knowledge and support to find and fix problems on their own – and making it easy to get expert help when they can’t. Our IT operations and security group provides up-to-date guidelines and policies in our employee handbook, provided to all new staff and regularly updated for veteran employees.
Part of the handbook includes FAQs. We regularly update them with inquiries from both new and experienced employees through the IT Operations Slack channel. Slack also provides consistent opportunities for improvement of our processes and procedures.
Remote-first software development and delivery extends to active troubleshooting and corrective action. Our IT operations group can provide remote support through Google Meet and Slack Video Conferencing. Slack also supports remote takeover of the end user’s device, so that the IT and security operations expert can intervene directly and speed time to restoration on behalf of our developers.