Our Security Posture
We are committed to meeting our visitors' and customers' data protection and security needs. Below is a summary of the practices and policies that help us keep your personal information safe and secure. We work hard to ensure our systems and infrastructure are protected against unauthorized or accidental access, loss, alteration, disclosure, or destruction.
If you have further questions or require more information, please contact us at: security@grendel-consulting.com.
Frameworks
Our security posture is strongly informed by the following frameworks: the Cloud Security Alliance Cloud Controls Matrix (CSA CCM); the NIST Risk Management Framework (RMF), Cybersecurity Framework (CSF), and SP 800-53; and MITRE ATT&CK and D3FEND.
We have on-the-ground experience implementing and operating ISO/IEC 27001:2022 (and the 2013 revision) and SOC 2 Type II in other organisations. Our policies and controls draw upon that experience, applied in the context of the services we provide and their associated risks.
Cloud Infrastructure
All of our systems, including this website, are deployed to Amazon Web Services (AWS), a highly secure, modern cloud provider. You can read about their Security and Compliance posture.
Our systems are serverless, meaning we typically use AWS in a Platform-as-a-Service (PaaS) capacity and delegate responsibility for several concerns and functions to AWS under their Shared Responsibility Model.
We have specifically hardened our infrastructure, which is deployed and managed as infrastructure-as-application (IaA, more commonly known as infrastructure-as-code, IaC). At the heart of this is a strong separation between systems and between environments, limiting the potential blast radius of any threat or compromise.
We use Static Application Security Testing (SAST) and Software Composition Analysis (SCA) tools within our Continuous Integration and Continuous Deployment (CICD) pipelines to enforce these practices on every change.
We use Cloud Security Posture Management (CSPM) tools to reconcile the deployed state of our production systems against our intended configuration and to verify their compliance.
Access and Authentication
We use strong, complex, unique passwords, typically forty random characters or more, with high-privilege and system access separated and scoped down to each role. Access by systems and processes uses role assumption with short-lived sessions rather than long-lived credentials.
We use multi-factor authentication wherever we can, and hardware keys on critical systems and assets.
Data Encryption and Communications
We enforce HTTPS on our website and require TLS 1.2 or higher on all communication channels.
We use strong encryption for any data held at rest, conforming to AES-256 or higher; this is enforced at the infrastructure layer rather than left to individual applications.
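As an added illustration of what "enforced at the infrastructure" and CSPM-style verification look like in practice, here is a small policy-as-code check written for this page (it is example code, not Grendel Consulting's own tooling). It inspects an S3 bucket policy for Deny statements on plaintext transport and on TLS below 1.2, and a default-encryption configuration for a server-side encryption algorithm. It runs offline on constructed documents shaped like the GetBucketPolicy response and the ServerSideEncryptionConfiguration element of GetBucketEncryption; the bucket name and KMS key alias are placeholders.

```python
"""Policy-as-code check for an S3 bucket: is plaintext HTTP denied, is TLS
below 1.2 denied, and is server-side encryption applied by default?

Added example for this page, not Grendel Consulting's tooling.  Runs offline
on constructed documents shaped like the GetBucketPolicy response and the
ServerSideEncryptionConfiguration element of GetBucketEncryption.
"""
import json


def _as_list(value):
    """IAM accepts a bare string wherever a list is allowed; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _denies_everyone_all_s3(stmt):
    """True for a Deny covering every principal and every S3 action."""
    principal = stmt.get("Principal")
    if isinstance(principal, dict):
        principal = principal.get("AWS")
    return (stmt.get("Effect") == "Deny"
            and "*" in _as_list(principal)
            and "s3:*" in _as_list(stmt.get("Action")))


def transport_controls(policy):
    """Which transport controls does the bucket policy enforce?

    deny_plaintext: Deny when aws:SecureTransport is false (no plain HTTP)
    min_tls_1_2:    Deny when s3:TlsVersion < 1.2 (no TLS 1.0 or 1.1)
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    found = {"deny_plaintext": False, "min_tls_1_2": False}
    for stmt in _as_list(policy.get("Statement")):
        if not _denies_everyone_all_s3(stmt):
            continue
        cond = stmt.get("Condition", {})
        secure = cond.get("Bool", {}).get("aws:SecureTransport")
        if str(secure).lower() == "false":
            found["deny_plaintext"] = True
        tls = cond.get("NumericLessThan", {}).get("s3:TlsVersion")
        if tls is not None and float(tls) >= 1.2:
            found["min_tls_1_2"] = True
    return found


def at_rest_algorithm(sse_config):
    """Default SSE algorithm ('AES256', 'aws:kms', ...), or None if unset."""
    for rule in sse_config.get("Rules", []):
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo:
            return algo
    return None


def bucket_compliant(policy, sse_config):
    """Overall verdict: both transport denies present and SSE on by default."""
    t = transport_controls(policy)
    return (t["deny_plaintext"] and t["min_tls_1_2"]
            and at_rest_algorithm(sse_config) in ("AES256", "aws:kms", "aws:kms:dsse"))


# Constructed inputs; 'example-bucket' and 'alias/example' are placeholders.
ARNS = ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]

HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyPlaintext", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": ARNS,
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Sid": "DenyOldTls", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": ARNS,
     "Condition": {"NumericLessThan": {"s3:TlsVersion": "1.2"}}},
]}
HARDENED_POLICY_JSON = json.dumps(HARDENED_POLICY)

# Weak: blocks plain HTTP but still accepts TLS 1.0 and 1.1.
WEAK_POLICY = {"Version": "2012-10-17",
               "Statement": [HARDENED_POLICY["Statement"][0]]}

KMS_DEFAULT = {"Rules": [{"ApplyServerSideEncryptionByDefault":
                          {"SSEAlgorithm": "aws:kms",
                           "KMSMasterKeyID": "alias/example"}}]}
NO_DEFAULT = {"Rules": []}

if __name__ == "__main__":
    for name, pol in (("hardened", HARDENED_POLICY), ("weak", WEAK_POLICY)):
        print(name, transport_controls(pol), bucket_compliant(pol, KMS_DEFAULT))
```

The check only credits a Deny that applies to every principal and every S3 action; a narrower statement would leave a gap a reviewer could miss. In a real CSPM run the two documents would come from the AWS API for every bucket in the account, and a `False` verdict would be raised as a finding.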
We use DMARC policies (supported by DKIM and SPF) to prevent spoofing of our email domains.
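For readers who want to verify such a claim, here is an added example (written for this page, not Grendel Consulting's own tooling) that grades DMARC and SPF records for anti-spoofing strength: the DMARC policy and its coverage, and whether the SPF record hard-fails unlisted senders within the ten-lookup limit. It parses record text only and does not query DNS; a real check would first fetch the TXT records for `_dmarc.<domain>` and `<domain>`. The records and the domain example.com are constructed placeholders.

```python
"""Grade DMARC and SPF records for anti-spoofing strength.

Added example for this page, not Grendel Consulting's tooling.  Works on
record text only; a real check fetches the TXT records from DNS first.
All records below are constructed and example.com is a placeholder.
"""
import re

# SPF terms that cost a DNS lookup; RFC 7208 limits a record to 10 of them.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; rua=...' into a lower-cased tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(record):
    """Return (severity, message) findings; severity is ok, warn or fail."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return [("fail", "not a DMARC record (missing v=DMARC1)")]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "reject":
        findings.append(("ok", "p=reject: receivers reject mail failing DMARC"))
    elif policy == "quarantine":
        findings.append(("warn", "p=quarantine: failing mail is only quarantined"))
    else:
        findings.append(("fail", f"p={policy or '(missing)'}: spoofing is not prevented"))
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
    if pct < 100:
        findings.append(("warn", f"pct={pct}: policy applied to only {pct}% of mail"))
    if "sp" in tags and tags["sp"].lower() != policy:
        findings.append(("warn", f"sp={tags['sp']}: subdomains get a different policy"))
    if "rua" not in tags:
        findings.append(("warn", "no rua= address: aggregate reports are not collected"))
    return findings


def evaluate_spf(record):
    """Return (severity, message) findings for an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [("fail", "not an SPF record (missing v=spf1)")]
    findings, lookups, all_term = [], 0, None
    for term in terms[1:]:
        # strip the qualifier, then cut at ':', '/' or '=' to get the name
        name = re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            all_term = term
    if lookups > 10:
        findings.append(("fail", f"{lookups} DNS lookups: over the limit of 10, evaluates to permerror"))
    if all_term is None:
        if not any(t.lower().startswith("redirect=") for t in terms):
            findings.append(("warn", "no 'all' term: unlisted senders get a neutral result"))
    else:
        qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
        if qualifier == "-":
            findings.append(("ok", "-all: unlisted senders hard-fail"))
        elif qualifier == "~":
            findings.append(("warn", "~all: unlisted senders only soft-fail"))
        else:
            findings.append(("fail", f"{all_term}: unlisted senders are permitted"))
    return findings


def worst(findings):
    """Collapse a findings list to its most severe level."""
    order = {"ok": 0, "warn": 1, "fail": 2}
    return max((sev for sev, _ in findings), key=order.get, default="ok")


# Constructed records for the placeholder domain example.com.
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"
STRONG_SPF = "v=spf1 include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none"
WEAK_SPF = "v=spf1 a mx ~all"

if __name__ == "__main__":
    for label, rec, grade in (("DMARC", STRONG_DMARC, evaluate_dmarc),
                              ("DMARC", WEAK_DMARC, evaluate_dmarc),
                              ("SPF", STRONG_SPF, evaluate_spf),
                              ("SPF", WEAK_SPF, evaluate_spf)):
        print(label, worst(grade(rec)), grade(rec))
```

`p=none` is the monitoring-only stage of a DMARC rollout and prevents nothing, which is why it is graded as a failure here; `~all` in SPF is downgraded to a warning because receivers treat a soft-fail inconsistently. The lookup count matters because a record over the limit evaluates to permerror and the protection silently disappears.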
Logging and Monitoring
We retain product, application and system logs to provide visibility and forensics. These logs are structured, auditable, searchable, and are retained for at least 30 days.
We use several external monitoring tools to provide an independent, non-privileged, view similar to what an external actor might see.
Patching and Maintenance
Dependencies, operating systems and other software are proactively managed to stay evergreen, either through auto-updates or similar mechanisms. Security patches are applied within five to seven days of release, and usually sooner.
Supply Chain
All software, including dependencies within our systems and toolchain, is carefully selected prior to use. This includes Software Bill of Materials (SBOM) monitoring for emerging risks; recurring review as part of third-party risk management; hardened configuration of critical Software-as-a-Service (SaaS) platforms; and cautious integration between such services.
We have hardened our CICD pipelines to detect anomalous connections, and we pin dependencies so that every change to them is explicit, verified and reviewed.
Endpoints
Laptops are hardened, including disk encryption and an active firewall, and are monitored using our fleet visibility tool.
Disclosures
We welcome investigative work and responsible disclosure carried out by well-intentioned, ethical security researchers. We are committed to thoroughly investigating and resolving security issues in our platform and services in collaboration with the security community, but are not currently operating a bug bounty programme.
Disclosures can be made through the contact mechanisms outlined in our security.txt, or at security@grendel-consulting.com.