Securing a SaaS
The environment: a small 50-person company with a software-as-a-service product that is gaining traction with the Fortune 100. Everyone and everything is moving very quickly to add in the rapid-fire feature requests coming from the giant customers. Security has been taking a back seat, with basic firewalling, PCI and SAS 70 compliance brought in through the hosting environment. Currently the stack is Windows-based, but there is talk of moving everything to Linux for scalability. This is a very open-ended question. No wrong answer. :-) If you were in such a situation where you were network security manager (and network manager generally) with no direct reports and things were going a million miles an hour, what would be the five most important aspects of security you would focus on? When I go and look at the IT governance books and other models, they look like they were written for an environment that is nothing like a startup. I appreciate your opinion!
This may be a good opportunity to get some managed services in to help.
Here is my quick, from-the-gut answer:
- Secure public-facing junction points: from locking down at the OS level, to access control, to web app black-box scans and remediation
- Secure private data in transit (encrypt) and at rest (encrypt, access control)
- Limit access to sensitive systems inside the firewall; segregate them from the external access layer
- Lock down endpoints that have access to sensitive data, and limit the use of browsers to less privileged users to help mitigate
- Back up data; secure who has access
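One way to turn the second and third points of that list into something you can check against a firewall rule export, added here as an example and not part of the original answer. It assumes a four-zone model (EXTERNAL, DMZ as the external access layer, INTERNAL for sensitive systems, MGMT for admin hosts) and an assumed list of services counted as encrypted in transit; the flows are constructed.

```python
from dataclasses import dataclass

# Zone model from the answer above (zone names are this example's assumption):
# EXTERNAL = public internet, DMZ = the external access layer (web/API front
# ends), INTERNAL = app servers and sensitive data stores, MGMT = admin hosts.
ALLOWED_PAIRS = {
    ("EXTERNAL", "DMZ"),       # customers only ever reach the public junction points
    ("DMZ", "INTERNAL"),       # front ends call the app/data tier, never the reverse
    ("INTERNAL", "INTERNAL"),  # east-west traffic inside the sensitive segment
    ("MGMT", "DMZ"),
    ("MGMT", "INTERNAL"),
}
# Services treated as encrypted for this check (assumption: RDP and MSSQL only
# count when TLS is enforced, which the service label here makes explicit).
ENCRYPTED_SERVICES = {"https", "ssh", "sftp", "rdp-tls", "mssql-tls"}


@dataclass(frozen=True)
class Flow:
    name: str       # rule/flow identifier from the firewall export
    src_zone: str
    dst_zone: str
    service: str


def check_flow(flow: Flow) -> list[str]:
    """Return finding tags for one flow; an empty list means the flow is fine."""
    findings = []
    if (flow.src_zone, flow.dst_zone) not in ALLOWED_PAIRS:
        # Segregation broken, e.g. the internet reaching a data store directly.
        findings.append("ZONE_VIOLATION")
    crosses_boundary = flow.src_zone != flow.dst_zone
    if crosses_boundary and flow.service not in ENCRYPTED_SERVICES:
        # Private data leaves its segment unencrypted.
        findings.append("CLEARTEXT_CROSS_ZONE")
    return findings


def audit(flows: list[Flow]) -> dict[str, list[str]]:
    """Map every flow name to its findings so the output is easy to ticket."""
    return {f.name: check_flow(f) for f in flows}


# Constructed sample export, not taken from any real environment.
SAMPLE_FLOWS = [
    Flow("web-in", "EXTERNAL", "DMZ", "https"),
    Flow("db-direct", "EXTERNAL", "INTERNAL", "mssql"),  # legacy rule nobody removed
    Flow("app-call", "DMZ", "INTERNAL", "http"),
    Flow("file-share", "INTERNAL", "INTERNAL", "smb"),
    Flow("admin-rdp", "MGMT", "INTERNAL", "rdp-tls"),
]

if __name__ == "__main__":
    for name, tags in audit(SAMPLE_FLOWS).items():
        print(f"{name:12} {'OK' if not tags else ', '.join(tags)}")
```

Same-zone cleartext (the SMB flow) passes on purpose: that is the at-rest encryption and access-control part of the same bullet, which a flow table cannot show.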