Do You Know Where Your Stuff Is?
If your developer left today and you hired their replacement, could you tell them where all of your source code and other digital assets are? You know, all those things you’re paying thousands of dollars for? Furthermore, would you know how to disable access for the newly departed and grant it for your new hire?
I am amazed at how many times I work with companies, and when I ask them this question, they give me the blank stare. Fortunately for you, the next time someone asks you this question, you’re going to have a great answer.
There are three key disciplines to tracking your digital assets:
- Creating an initial inventory
- Regularly validating access
- Revoking access when there is a departure
Create Your Inventory
Here’s the minimum list of the things you need to be tracking as the owner of a technology business:
- Where is your source code repository being hosted?
- Where is your application running?
- Where are your domains registered?
- Where is your DNS hosted?
- Where is your email hosted?
- Who is your payments processor (if applicable)?
- What are the third-party services you’re using and their logins? (e.g. HubSpot, Google Analytics, Optimizely, etc.)
How are you doing so far? Do you have them all? If not, stop what you’re doin’ (cuz I’m about to ruin… yes, I did just do that) and at least make a spreadsheet and start writing this stuff down. Need a template? Use mine.
Once you’ve got everything written down, make sure you can get in and add new users, remove users, and generally control access. If you don’t understand how something works, ask your developers to give you a tour of the particular system and write down all of the details for getting access.
In case you’re thinking about tracking credentials in the spreadsheet I’ve provided, don’t. It may be obvious, but in the event that it’s not, you never ever store credentials in clear text in a document.
Periodically Validate
OK. Phew… you made the list and you’ve got everything documented. Feeling pretty good, right? Unfortunately, you’ve only just begun. Your environment is constantly changing. Your developers are adding new services, you’re adding additional capacity, and new projects are being created. The only thing constant is change, as the saying goes. How do you keep up?
- Add an item to your development backlog called “Credentials Check-In”
- Every month or so, add this item to a current sprint
- Repeat the initial inventory process with your dev team
This process will take you an hour or so every month, but will save your bacon. If you don’t have a product backlog, put a recurring reminder on your calendar for the beginning or end of every month.
Revoke Access
People are going to leave your team, and when they do, one of the things you must ensure happens is that access is revoked for all of the key systems. If, for some reason, the newly departed still needs access (for example, to help the person taking their place with code questions), grant them the least amount of access required.
For each system and service on your inventory, here are your steps:
- Does the person leaving have access to this system? If yes, revoke it or reduce it to the lowest possible permission level for the transition period
- Does the person leaving have access to shared credentials for a given service? If yes, change the credentials for that service immediately
Leaving back doors open to former employees is one of the greatest security risks to your company. Even if they’re not going to use them, bad actors can gain access to their system and find old credentials lying around. Eternal vigilance is required.
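If your inventory lives in a structured form, your developers can script the per-system checks above. The sketch below is an added example, not part of my template: the inventory layout, the names in it, and the 31-day staleness threshold are all assumptions made for illustration, and it deliberately records who holds access, never the credentials themselves.

```python
from datetime import date

# Constructed sample inventory (illustrative systems, people and dates).
# It lists WHO has access; passwords and keys are never stored here.
INVENTORY = [
    {"system": "Source code hosting", "users": {"dana": "admin", "lee": "write"},
     "shared_credential_holders": [], "last_validated": date(2024, 5, 1)},
    {"system": "Domain registrar", "users": {"owner": "admin"},
     "shared_credential_holders": ["owner", "dana"],
     "last_validated": date(2024, 1, 10)},
    {"system": "Analytics", "users": {"lee": "viewer"},
     "shared_credential_holders": [], "last_validated": date(2024, 5, 1)},
]

def offboarding_plan(inventory, person, transition_systems=(),
                     today=None, max_age_days=31):
    """Return (actions, stale): the per-system steps for a departure, plus
    systems whose entry has not been validated within max_age_days."""
    today = today or date.today()
    actions, stale = [], []
    for entry in inventory:
        name = entry["system"]
        if (today - entry["last_validated"]).days > max_age_days:
            stale.append(name)  # access list may be wrong; re-check by hand
        if person in entry["users"]:
            if name in transition_systems:
                role = entry["users"][person]
                actions.append((name, "REDUCE",
                                f"lower {person} from {role} to the minimum role needed"))
            else:
                actions.append((name, "REVOKE", f"remove {person}'s account"))
        if person in entry["shared_credential_holders"]:
            actions.append((name, "ROTATE",
                            "change the shared credentials immediately"))
    return actions, stale

if __name__ == "__main__":
    plan, stale = offboarding_plan(INVENTORY, "dana",
                                   transition_systems={"Source code hosting"},
                                   today=date(2024, 5, 20))
    for system, action, detail in plan:
        print(f"{action:7} {system}: {detail}")
    for system in stale:
        print(f"STALE   {system}: validate this entry before trusting it")
```

A stale entry means the plan for that system is only as good as the last check-in, so confirm its access list directly in the system before you consider the departure handled.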
Just Remember
Your digital assets are among the most valuable assets of your company. Just as you manage physical control, so it must be with digital.
- Create your initial inventory
- Periodically validate and update
- Remember to revoke access when people leave
By following these three simple steps, you’ll help to ensure business continuity during the inevitable transitions with your team.
Your Assignment
- By the end of this week, have your initial inventory completely done. No exceptions. Use my template or make one up, but don’t let this lag another week.
- Work with your development team to have a recurring item put in the product backlog to update your digital inventory
- Take your three most important systems and walk through, in detail, how to revoke access for each of them with your development team. Don’t know where to start? I’d start with source control, your production app environment, and your domain registry.