mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-14 03:15:16 +03:00
Initial commit - 611 cybersecurity skills across all subdomains
This commit is contained in:
@@ -0,0 +1,106 @@
|
||||
# BeyondCorp Zero Trust Access - Migration Checklist
|
||||
|
||||
## Project Information
|
||||
| Field | Value |
|
||||
|-------|-------|
|
||||
| Organization | Acme Corporation |
|
||||
| Project ID | acme-prod-beyondcorp |
|
||||
| Lead Engineer | J. Smith, Security Architecture |
|
||||
| Start Date | 2026-01-15 |
|
||||
| Target Completion | 2026-04-15 |
|
||||
|
||||
## Pre-Migration Checklist
|
||||
|
||||
### Identity Provider Configuration
|
||||
- [x] Google Workspace or Cloud Identity configured as primary IdP
|
||||
- [x] MFA enforced for all users (FIDO2 security keys for privileged accounts)
|
||||
- [x] User groups defined and synchronized (engineering, finance, contractors, executives)
|
||||
- [x] Service accounts inventoried and mapped to applications
|
||||
- [ ] Break-glass accounts created with documented access procedures
|
||||
|
||||
### Google Cloud Infrastructure
|
||||
- [x] IAP API enabled on all production projects
|
||||
- [x] Access Context Manager API enabled at organization level
|
||||
- [x] BeyondCorp Enterprise API enabled
|
||||
- [x] Cloud Audit Logs enabled for IAP data access
|
||||
- [x] OAuth consent screen configured
|
||||
- [ ] IAP OAuth clients created per application tier
|
||||
|
||||
### Endpoint Verification
|
||||
- [x] Endpoint Verification extension deployed to Chrome managed browsers
|
||||
- [x] Device inventory populated (2,847 devices enrolled)
|
||||
- [ ] Device compliance baseline established (target: 95%)
|
||||
- [ ] Non-compliant device remediation plan documented
|
||||
- [ ] BYOD enrollment policy defined
|
||||
|
||||
## Access Level Design
|
||||
|
||||
| Access Level | Device Policy | Encryption | Screen Lock | Geo Restriction | Applications |
|
||||
|-------------|---------------|------------|-------------|-----------------|-------------|
|
||||
| basic-access | Any enrolled | Not required | Not required | None | Public wiki, cafeteria menu |
|
||||
| standard-access | Enrolled + managed | Required | Required | US, GB, DE | Email, calendar, chat |
|
||||
| enhanced-access | Managed + EDR | Required | Required | US, GB | Internal tools, CI/CD |
|
||||
| high-trust | Managed + EDR + patched | Required | Required | US only | Finance, HR, admin panels |
|
||||
|
||||
## Application Migration Tracker
|
||||
|
||||
| Application | Hosting | Protocol | Current Access | IAP Status | Access Level | Migration Date |
|
||||
|-------------|---------|----------|---------------|------------|-------------|---------------|
|
||||
| Internal Wiki | App Engine | HTTPS | VPN | Enabled | basic-access | 2026-02-01 |
|
||||
| CI/CD Dashboard | GKE | HTTPS | VPN | Enabled | enhanced-access | 2026-02-08 |
|
||||
| HR Portal | On-prem | HTTPS | VPN | Connector deployed | high-trust | 2026-02-15 |
|
||||
| Finance System | Compute Engine | HTTPS | VPN | Enabled | high-trust | 2026-02-22 |
|
||||
| Git Repository | GKE | SSH+HTTPS | VPN | Enabled | enhanced-access | 2026-02-08 |
|
||||
| Monitoring | Cloud Run | HTTPS | VPN | Enabled | standard-access | 2026-02-01 |
|
||||
| Admin Console | On-prem | HTTPS | VPN | Connector pending | high-trust | 2026-03-01 |
|
||||
|
||||
## Session Policy Configuration
|
||||
|
||||
| Application Tier | Session Duration | Re-auth Method | Re-auth Trigger |
|
||||
|-----------------|-----------------|----------------|-----------------|
|
||||
| General (Tier 1) | 8 hours | LOGIN | Session expiry |
|
||||
| Sensitive (Tier 2) | 4 hours | LOGIN | Session expiry, device change |
|
||||
| Critical (Tier 3) | 1 hour | SECURE_KEY (FIDO2) | Session expiry, IP change |
|
||||
| Admin (Tier 4) | 30 minutes | SECURE_KEY (FIDO2) | Any context change |
|
||||
|
||||
## Post-Migration Validation
|
||||
|
||||
### Functional Testing
|
||||
- [ ] All migrated applications accessible through IAP without VPN
|
||||
- [ ] Access denied for users not in authorized groups
|
||||
- [ ] Access denied for non-compliant devices
|
||||
- [ ] Re-authentication triggers working per policy
|
||||
- [ ] Break-glass access procedure tested successfully
|
||||
- [ ] On-premises connector failover tested
|
||||
|
||||
### Security Testing
|
||||
- [ ] Direct application access blocked (only through IAP)
|
||||
- [ ] IAP bypass attempts detected and logged
|
||||
- [ ] Session hijacking mitigations verified
|
||||
- [ ] Cross-tenant access properly denied
|
||||
- [ ] Audit logs capturing all access decisions
|
||||
|
||||
### Monitoring
|
||||
- [ ] BigQuery audit pipeline operational
|
||||
- [ ] Alert policies configured for repeated denials
|
||||
- [ ] Dashboard showing real-time access metrics
|
||||
- [ ] Monthly access review process documented
|
||||
|
||||
## VPN Decommission Timeline
|
||||
|
||||
| Phase | Date | Action | Status |
|
||||
|-------|------|--------|--------|
|
||||
| Parallel Start | 2026-03-01 | VPN and BeyondCorp running side by side | Pending |
|
||||
| VPN Monitoring | 2026-03-01 to 2026-03-15 | Track remaining VPN usage | Pending |
|
||||
| VPN Block New | 2026-03-15 | Block new VPN connections | Pending |
|
||||
| VPN Shutdown | 2026-04-01 | Decommission VPN infrastructure | Pending |
|
||||
| Post-Mortem | 2026-04-15 | Migration lessons learned review | Pending |
|
||||
|
||||
## Sign-Off
|
||||
|
||||
| Role | Name | Date | Signature |
|
||||
|------|------|------|-----------|
|
||||
| CISO | _________________ | __________ | __________ |
|
||||
| Security Architect | _________________ | __________ | __________ |
|
||||
| IT Operations Lead | _________________ | __________ | __________ |
|
||||
| Application Owner | _________________ | __________ | __________ |
|
||||
Reference in New Issue
Block a user