asked on
Cybersecurity Measures for Offshore Development
Hi Folks,
Our company is working on an outsourcing software development to 3rd party and wants to ensure that robust security measures are in place to protect our sensitive data and code.
So, I turn to this knowledgeable community to seek your expertise and advice.
What are the most effective security measures for remote access to our servers, code, data & infrastructure? Any recommended strategies or solutions that have worked well for you or your organization?
Thank you in advance for your valuable insights and contributions.
For vendor management, we have done the following, if there is anything else needs to be done:
Your efforts in assessing and mitigating potential risks related to outsourcing software development are satisfactory. In addition to what you've done, what has also been mentioned in my previous input, here are some additional measures that could help increase the security of your outsourcing endeavors:
- Define Exit Strategies: Include clear terms within the contract about how data will be handled once the contract is over. Ensure all sensitive data is returned or destroyed securely as per agreement.
- Vendor's Vendor Management: Make sure your contract also covers how your vendor should handle their third-party interactions. Your vendor might also outsource specific tasks, which could create further vulnerabilities.
- Security Testing: Regular security testing, including penetration testing and vulnerability assessments, should be a part of your agreement with the vendor. This will help identify and rectify potential weaknesses before they can be exploited.
Yes the Azure Desktop is useful. That is mostly on the endpoint security. To enhance the security, you should consider the development pipeline and versioning as well as segregation on the codes checked in by offshore developer from the production. It is about the layer of defence even for development.
i believe the cut and copy is part of remote access policy. in any case, to you can further explore on the MS Dev Box if you are into Windows. Azure Virtual Desktop only has device-based and user configuration management capabilities, while MS Dev Box provides comprehensive, centralized management capabilities in Microsoft Endpoint Manager and Intune. You can still use remote client to connect to Dev Box and have user policies with role based group created to enforce policies.
https://learn.microsoft.com/en-gb/azure/dev-box/concept-common-components
https://learn.microsoft.com/en-us/mem/intune/protect/mde-security-integration?pivots=mdssc-ga
ASKER
Hi Madunix
For vendor management, we have done the following, if there is anything else needs to be done:
Hi Btan
We are precisely interested in implementing Azure Virtual Desktop. By doing so, we can enforce security measures such as prohibiting file copying or clipboard access to prevent any potential data leaks. All data will remain within the virtual machine (VM), ensuring that there is no direct network access apart from the VDI portal. Additionally, we can implement conditional access and IP filtering, as well as utilize multi-factor authentication (MFA) and privileged access management (PAM) for any privileged access. Furthermore, session recording can be enabled. VPNs are still relevant, I am not particularly fond of solely relying on VPNs for network access, as it grants direct access to RDP or applications.