The Bento Cyber Security Framework & Guides soft-launch started the weekend of July 4th. The timing is surprisingly appropriate, as Kaseya suffered a massive ransomware infiltration that has affected hundreds of businesses. Kaseya is a critical vendor for IT companies, and as such a major factor in the risk analysis of your supply chain. Among the 107 topics covered at launch, BCSF covers supply chain risks in extensive detail.
Where are we at launch?
There are three parts to our strategy: the framework, the guides, and professional services. The framework is the skeleton on which all of our security practices are based, and it is ready to be adopted by small companies. The guides publication platform, BENTO:GUIDES, brings the framework and all materially relevant publications into a single content source. Finally, professional services extend the knowledge into practical application. All three are ready at launch.
- The framework is complete and has no pending revisions.
- Guides is launching with 249 guides covering 108 topic categories.
- Professional services are primarily focused on assessments/implementation of BCSF & NIST 800-53 Revision 5 compliance.
The maturity of each of the three components varies. For instance, we aimed to have Bronze content feature-complete while holding off on premium paid plans.
What we are most proud of is the backbone that operates BENTO:GUIDES. While our primary website is WordPress hosted on best-in-class infrastructure, BENTO:GUIDES is hosted entirely in our production Amazon Web Services environment and benefits from our home-grown technologies. Not only did we develop the process and tooling to meet the launch objectives, we have integrated a number of market-leading technologies into our platform. They include GitHub and Amazon S3 for storage, with the capability to extend to Azure Blob Storage, Dropbox, and Google Drive. We enabled multi-cloud authentication with Google Workspace and Auth0. We developed a monitoring and logging subsystem that exceeds the highest standards in BCSF. None of these things are extraordinary; instead, they are an investment in the strategy set forth in our own framework and are meant to be a living example of confidentiality, integrity, and availability.
Did we meet all our launch goals?
Simple answer: no, but we set the bar high. We had to make a last-minute compromise on Azure Active Directory authentication and decided to leave it off until the next big upgrade (3.x). We had scuttled (late Spring 2021) our own Security Awareness Training modules, as we opted to invest in existing options and put our spin on them. The user interface experience had no technical lead and no dedicated team, which we know will be a concern as the framework is adopted. Finally, we opted to leave out automation for two major components: user provisioning and site provisioning. After completing a risk assessment, we decided both pieces were best left to a future project when we are not busy with initial launch tasks.
There are a few things already in active development which will address some of our lapses.
- Generation 3.x content platform is due in Fall of 2021. It’s hard to believe we have a new codebase for 3.x when 1.x was never public and 2.x is just opening up. That’s how agile software development works; we focused on critical functionality in 2.x and we will focus on user experience in 3.x.
- The subscription and signup system will be architected under the cloud model.
- We have partnerships with key vendors for training materials which will be incorporated into our subscriptions.
- We are repositioning some of our methodologies as 2021 has created many ripples in cyber security management and some ideas need to change.