Minutes - otio-platform/security GitHub Wiki

November 22nd, 2023

Attendees included: Barnett, Kent Buss, Krishan, Woodward, Gleason

iValt

  • Baldev, some new features in 10-14 days. Working with Techslayers to resolve some encryption issues.

QuSecure

  • Garrison, worked with Barnett after the status update to continue troubleshooting. Garrison believes it is an easy fix but we will need to wait for LinGe or Jeff to assist on Monday.

TAS

  • Barnett, working on the final step of registering a client in the QuEverywhere UI. The client is not moving into the active state for some reason and we have not figured out exactly why yet. Barnett is working with Gaige, Jeff, and LinGe to resolve it. After this I will be able to test the system against a generic website and then proceed to test against a staging version of our application, TxPro.

November 15th, 2023

Attendees included: Barnett, Kent Buss, Debban, Knapp, Krishan, Lottman, Qui, Wentzel, Gleason

iValt

  • New features come next month, and pending feedback on embedded code.

QuSecure

  • The product does require Splunk and OpenShift administrators for existing documentation.
  • The existing documentation appears to require RHEL throughout every instance.
  • Script could be provided to help install/configure Splunk, but this works contrary to the initial business goals.
  • We will bring standups back to help bring day-to-day troubleshooting and resolution on board.
  • Meeting concluded with a parking lot conversation between Nathan and Jeff and a fly on the wall.

TAS

  • Barnett, on step 14/15. Issues from last week were resolved and allowed movement on to the next step. OpenShift and first QuSecure install completed 100%.
  • Splunk errors still blocking progress to the next step. Possible confusion regarding lack of details to install OpenShift and Splunk.
  • Splunk and OpenShift administrators are required for custom installation of QuProtect's documentation. We will help fill in any details documentation is missing, but this has added challenges to figuring out how this all comes together.

November 8th, 2023

Attendees included: Barnett, Lottman, Baldev, Brian, LinGui, Jeff, Garrison, Jeff.

iValt

QuSecure

TAS

  • Wentzel was unavailable for this meeting as he was meeting with Tommy, Amit, Ammo, and Shadow.
  • Barnett reviewed an existing game plan to destroy the old cluster, create a new cluster with a special config from Gaige, reconfigure missing load balancer ports, run the installer, run the Splunk integration installer, and run the QuEverywhere installer and registration.

November 1st, 2023

Attendees included: Barnett, Kent Buss, Debban, Knapp, Krishan, Lottman, Qui, Wentzel

iValt

  • New app update in app stores in mid-November with security fixes.

QuSecure

  • Brian reported on the status from QuProtect. We're on step 13 with 10 more to go in order to get up and running.
  • Jeff reports that we are on the first of three installer bundles. Any updates to the configuration file require a fresh reinstall because certificates were updated.

TAS

  • Nathan recently sent Jeff an email with the installer saving images to the registry server. The current issue may be related to the firewall port 5000 and configurations may be necessary for the registry services. Jeff and Nathan will work together to resolve this installer issue.
  • Aaron to reach out to Skip in regards to license terms and flexibility.
  • Nathan estimates remaining Splunk heavy forwarder section and QuEverywhere may take additional time. Estimate one more week. Status update on Friday afternoon. May implement daily standup syncs as needed to work through remaining items.
  • Aaron met with TechSlayer on iValt IoT solution.

October 18th, 2023

Attendees included: Barnett, Kent Buss, Knapp, Krishan, Lottman, Qui, Wentzel

iValt

  • Baldev reporting on some FIDO2 standards and how iValt integrates with this standard. May be available in the next week.
  • Baldev reports that the latest version is still in the app store. The next round of updates to be available at the end of the month.
  • Nate Brown gearing for user patterns on the front-end stack with documentation and is expected to publish at the end of the month.
  • Aaron to discuss AI / ML models to suggest progressively enhanced security which would tie into the user patterns under development by TAS. (parking lot)
  • Aaron to discuss with Brian/Baldev on Authenticator apps and implementations. (parking lot)

QuSecure

  • Brian Lottman to discuss the process per the schedule to have QuSecure start installing today.
  • Nathan Barnett's on a week delay for QuProtect to be installed. This puts the project at risk. Catchup work is required to regain traction on the schedule.

TAS

  • Quick status check around teams on TechSlayer.
  • At risk of 11/1 due to lost week of effort. Will try to recover lost traction.

October 11th, 2023

Attendees included: Barnett, Kent Buss, Knapp, Krishan, Lottman, Qui, Wentzel

iValt

  • An updated IoT package for Raspberry Pi was provided by Krishan to TAS.
  • Mobile app software was updated last week and another round of updates is soon to be available this week related to security improvements.

QuSecure

  • Lottman provided the workback schedule detail in Word to be used by TAS moving forward.
  • On schedule with QuProtect install by next Wednesday.

TAS

  • Server, Workers, and Controllers with Bootstrap installers are set up and configured. Ready for OpenShift installation to begin tomorrow (Thur).

October 4th, 2023

Attendees included: Krishan, Stout, Barnett, Sanzeri, Debban, Lottman, Kent Buss, Knapp, Wentzel

iValt

  • POC on mobile solution implementation on IoT solution from iValt.
  • Brown had a conflict today, so will perform a demo of PassKey implementation next week on iValt / Otio solution.
  • Brown provided Baldev with future feature requests.

QuSecure

  • Brian discussed the QuProtect target date on the work back schedule from November 1st, similar to what Skip had discussed last week. This timeline aligns to our internal timeline. Aaron absolutely needs completion with at least one month remaining on POC to project operational costs in production.
  • Skip to provide pricing on production with 250-500 users. Skip's visit in Tucson next Wed/Thu.
  • Garrison to provide a schedule, if possible, in markdown to be added in this Wiki.

TAS

  • Nathan has completed the OpenShift server configuration to move forward on the next step.

September 27th, 2023

Attendees included: Baldev, Bob, Nate, Nathan, Jeff, LinGe, Skip, and Garrison, Wentzel

iValt

  • Baldev discussed the new version of the mobile application and informed us that it is now available on Android and iOS.
  • Nate demonstrated Otio's login experience w/ iValt integration. Nate will provide documentation on further improvements that could be made.

QuSecure

  • Standing by for Nathan as needed during the installation procedure.
  • Skip requested documentation on deliverables and expectations.

TAS

  • Nathan Barnett completed the Splunk implementation and is mid-way through the OpenShift cluster install and will proceed to QuEverywhere installation.

September 20th, 2023

Attendees included: Aaron, Bob, Craig, Nate, Nathan, Jeff, LinGe, Brian, Skip, Wentzel

iValt

  • Update via email from Baldev, "we have our app in the app stores and ready for testing by your team and it has the features we had discussed in prior meetings."

QuSecure

  • We found some additional dependency requirements for a registry and Splunk non-cloud versions that may require additional resources and cost. We will provide feedback on this in an email. Otherwise, making good progress on the implementation of the initial POC infrastructure.
  • Craig mentioned the delineation in the tech stack in the context of compliance. Will add new feature request to provide any middle or backend details that may be required for compliance and that could potentially be included as part of the initial implementation. For example, we will have a Web Component that easily integrates to bring the UX for User Management. What if one step further we also provide the backend through a script to define the data model or any key points related to compliance? Seems like a great idea.

TAS

  • Continuing to work on Scoping for SOC2
  • Evaluating YubiKey infrastructure
  • To engage with Forrester on PQS

September 13th, 2023

Attendees included: Aaron, Baldev, Nathan, Jeff, LinGe, Brian, Wentzel

iValt

Updates provided by Baldev.

  • Issues where the provider needs every SMS user to be approved by the carrier. Having T-Mobile approve part of the registration process.
  • User authentication is required before biometrics can be used.

QuSecure

Updates provided by Jeff, Nathan Barnett, and Aaron Wentzel.

  • The architecture of the new baseline infrastructure has been reviewed by all parties and is approved.
  • Significant progress was made in the past week to script major parts of the system: VPC, subnets, gateway, routing tables, security groups, and installer and proxy machines.
  • Next steps to finish scripting in Terraform and test installation, test configuration, etc.
  • Nathan to schedule a meeting to review QuEverywhere Dashboard
  • Nathan to implement without white glove services to give better insight back to QuSecure on our experience installing, configuring, and updating.

TechSlayer

Updates provided by Aaron Wentzel and Baldev.

  • iValt has completed its scan and is working to mitigate all issues.
  • TAS has completed its scan and is working through the full SOC2 compliance process.

August 30th, 2023

  1. Introductions: Nathan, Petrus, LinGe, Brian L, Jeff, Craig, Garrison, Brian, Baldev, Skip in attendance.
  2. Introductions for those new to the meeting.
  3. Nathan Barnett to ask technical questions and tentatively schedule future technical meetings outside the Team vSync.
  4. Updates on iValt from Baldev regarding iOS/Android rollouts of Geofencing.
  5. Updates on QuSecure from Craig on TechSlayer PenTesting and process. We've all now had initial scans and are working to remediate them.
  6. Updates on QuSecure from Garrison on team structure and general guidance.
  7. Updates on TAS from Aaron, that SOW is now pending DocuSign completion. Also, received information on obtaining a Splunk Ent Dev license.
  8. Nate / Jeff / LinGe to schedule a new meeting to review QuProtect management plane for context on how Splunk is integrated and for awareness on management of Qu Products.