[r4vik]

It's all about good hygiene early.

- MDM for laptops/phones, don't let people use their own devices. The point of MDM isn't to stop people installing their favourite IDE, the point of it is to make sure the device is patched and running latest OS. If you have a VPN (even AWS Client VPN supports this...) tie MDM together with device attestation so only patched machines can connect to your VPN.

- Unified login, for a start up you can use Google workspace or even GitHub as your identity provider (this gets weird if you have non-devs but you can push it for a bit). Don't have more than one account/password for things, you just log into your google account then use OIDC/SAML to auth against internal apps. If you do this you probably don't need VPN. Use this to auth into AWS too.

- Don't share accounts on SaaS services (e.g domain registrar), this will make rotating stuff when someone leaves a nightmare. If a service doesn't support teams or you don't want to pay for the enterprise version then it's OK for the CTO and 1 other person to have their own login.

- Minimise/avoid static credentials for your infra (e.g. web server talking to postgres) prefer to use AWS Instance roles with short lived dynamic credentials.

- Make sure network isolation is set up correctly, your Mongo db shouldn't be listening on the internet

- Use 2fa but make sure it's WebAuthn/FIDO. Issue everyone with 2x security keys. People wipe / screw up their phones/TOTP authenticator apps far too much.

- Centralised logging, make sure your apps can output logs to opensearch/datadog/whatever. Whenever a user performs an action make sure this gets logged.

- Don't let people manage prod infrastructure without using Infrastructure as code tools (CDK/Pulumi/Terraform), best thing would be not to give people prod access and all changes have to go through CI

- Make sure you know your product is down before your users start calling/emailing. Set up healhchecks.io / pingdom whatever.

[PowerBar]

I would recommend only issuing a single MFA device. If you only issue 1, then the employee is forced to come to IT if/when they lose it to get a new one issued. IT will need to use their admin access to activate the new fob (and deactivate the old one), but at least you're assured that employees aren't losing them without telling anyone.

If you issue 2 you greatly increase the chances of MFA devices going missing without it being reported to IT since people will either A) use one of them and forget they even have the other and not keep track of it or B) lose one and just start using the other one and never bothering to report it to IT so they can invalidate the missing one.

Employees are VERY reluctant to report lost devices, even after being told there are no consequences or costs to them as long as they report it. I've seen employees get buddies to buzz them into the building for weeks before finally admitting to IT that they lost their access badge.

The main complication is if your company relies on outside software that doesn't have provisions for administrator oversight. For example, if you're using Google Apps, any admin can go in and replace a missing MFA device for an employee, but this isn't possible if you're using some other platforms (especially the free tiers).

[dissent]

MDM for laptops? No thanks. It's a world of security theatre - the main purpose of which seems to be to stop me doing my job. Also it invariably means Windows.

[eswat]

MDM doesn't have to be a heavy-handed thing and solutions exist for macOS at least. Even something that just makes sure the OS and critical apps always have the latest security patches - and ideally pushes those changes when it’s not disruptive to the host – can go a long way.

[dissent]

Doesn't have to be, invariably is in my experience. I prefer the approach of taking the phrase Zero Trust literally.

[r4vik]

From what I can remember when I set this up last all our MDM did was:

- Ensure full disk encryption

- Time limit on how long people can defer OS upgrades

- Report on software installed and versions

- Enforce somewhat complex password

- Enforce password after screen has become locked

- Allow us to remote wipe the machine if lost/stolen

It didn't stop you from installing / uninstalling anything - even itself. Although if your machine stopped phoning home for a certain amount of time we had some alerts set up for the IT support team to follow up.

[tptacek]

At startups, MDM almost invariably means Macs; it's usually some mixture of Jamf and osquery.

[r4vik]

unfortunately yes - I was in charge of this decision as a previous employer and I went with Macs+JAMF even though I'm a die hard Linux user. My work around was to run a fullscreen Linux VM but that does defeat the purpose somewhat.

I'm hoping things are better now - I think Canonical have some sort of MDM for Ubuntu but I couldn't figure out how to pay for it.

[senorsmile]

I'm trialing fleetdm atm. It works on all 3.

[bradwood]

I'm also in the market for some kinda MDM setup that will work on BYOD dev Linux hosts without annoying developers... How are you finding fleetdm?