

Ask HN: How to benefit from big corporate policies? - gbog

For five years we have been building an increasingly complex IT system for internal use in the start-up I work for. A very big corporation entered the game recently, and at the same time one of our clients required us to get certifications. So we got this big corp's kind help and received a huge set of policies we should comply with.

The problem is that all these policies imply a traditional IT set-up, with a local network having servers serving files, database, accounts, group policies, etc., all behind an expensive hardware firewall, and with a DMZ for the web-apps (if any). Our architecture is the exact opposite: we have nothing, no sensitive data of any sort locally, everything is in a web-app, in the cloud. We have no real "local servers", just a few single-tasked Linux boxes for router, NVR, etc.

The very concept of a DMZ doesn't apply to us, but still they tell us we should "move the database machine outside the DMZ, into the local network, for increased security". Our PostgreSQL rack is far away in the cloud, behind its own firewall and hardened config like any other of our web-app machines.

These big corp security policies not only tell us which format is to be used for our visitor badges, they also require us to use some MS stuff we really would prefer to avoid, both because we expect MS blobs to spread virally due to their closed formats and protocols, and also just for obvious security reasons I don't even have to mention.

Not everything is negative though: we have a lot to learn from a more formal security process in many respects, and anyway we have to get this fabulous certification, but we fear that if we are not careful enough we could lose a great part of our agility, which helped us build something better and faster than our competitors, with a much smaller team.

Did anyone here get into the fabulous process of integration into a big corp, or security certification, and have some advice on how to keep the daily job enjoyable for both the tech team and the tool's users?

By the way, does someone have guidelines on how to install MS servers in a Linux environment in a sane way?
======
brudgers
Assuming certification is not viable, adopt those policies you can implement,
and create policies which address the issues behind the policies you cannot
meet.

Then sit down with your client and sell them security.

Certification is CYA on paper. Security protects value.

The advantage you have is trust.

_Edit:_ Is there a security certification that you can obtain more readily?

_Edit:_ Is the client's request for certification based on a change in their
business?

~~~
gbog
Our client required ISO 27001 certification; we have to give them that one.

------
brudgers
You might get more bite with a title about ISO27000 compliance.

