3 Comments
Krishna:

We're strictly a "model first" approach team, and everything goes through the data model first. Right from the stage to the raw vault to the IM layer, all the fields, including PII, are vetted in the first layer itself by the manager, lead and modelers. If we have to bring in PII elements, they go through the legal team first; once approved, each layer table with PII data is suffixed with L2, and everyone knows that PII data is in that object, which is always masked.

Neural Foundry:

The infrastructure-as-code review section really resonated with me. I've seen too many Terraform configs get pushed without security input, and it's always the IAM roles that end up being way too permissive. Do you find that most teams actually integrate security checks into their CI/CD, or is it still mostly an afterthought in practice?

Karan Dwivedi:

Having automatic checks as well as manual reviews is a good balancing act to catch misconfigurations.

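The two comments above talk about over-permissive IAM roles in Terraform and about pairing automatic checks with manual review. As an added illustration of what such an automatic CI check can look like (this is example code written for this page, not code from the post's author or from any of the commenters), the script below walks the JSON that `terraform show -json plan.out` produces and flags IAM policy statements that allow wildcard actions, non-read actions on `Resource: "*"`, or a role that any AWS principal may assume. The plan structure (`resource_changes[].change.after`, with `policy` and `assume_role_policy` stored as JSON strings), the read-only verb prefixes, and the embedded sample plan are all assumptions made for the example; the sample plan is constructed, not taken from a real deployment.

```python
"""Flag over-permissive IAM statements in a Terraform plan (terraform show -json output).

Example code for this page; assumes the plan JSON layout described in the lead-in.
"""
import json
import sys

# Verb prefixes treated as read-only when combined with Resource "*" (assumption).
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "Head", "Lookup", "Search")

# Constructed sample in the shape of 'terraform show -json' output (assumption).
SAMPLE_PLAN = {"resource_changes": [
    {"address": "aws_iam_policy.ci_deploy", "type": "aws_iam_policy",
     "change": {"actions": ["create"], "after": {"name": "ci-deploy", "policy": json.dumps(
         {"Version": "2012-10-17",
          "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]})}}},
    {"address": "aws_iam_role_policy.reader", "type": "aws_iam_role_policy",
     "change": {"actions": ["update"], "after": {"policy": json.dumps(
         {"Version": "2012-10-17",
          "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
                         "Resource": ["arn:aws:s3:::example-bucket",
                                      "arn:aws:s3:::example-bucket/*"]}]})}}},
    {"address": "aws_iam_role.lambda_exec", "type": "aws_iam_role",
     "change": {"actions": ["create"], "after": {"assume_role_policy": json.dumps(
         {"Version": "2012-10-17",
          "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                         "Action": "sts:AssumeRole"}]})}}},
    # A destroyed resource has no "after" document and is skipped.
    {"address": "aws_iam_policy.removed", "type": "aws_iam_policy",
     "change": {"actions": ["delete"], "after": None}},
]}


def _as_list(value):
    """IAM allows a scalar or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _wildcard_action(action: str) -> bool:
    return action == "*" or action.endswith(":*")


def _read_only(action: str) -> bool:
    verb = action.split(":", 1)[-1]
    return verb.startswith(READ_ONLY_PREFIXES)


def _principal_is_anyone(principal) -> bool:
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _check_statement(key: str, idx: int, stmt: dict) -> list:
    """Return human-readable reasons this Allow statement is over-permissive."""
    reasons = []
    if stmt.get("Effect") != "Allow":
        return reasons
    if key == "assume_role_policy":
        if _principal_is_anyone(stmt.get("Principal")):
            reasons.append(f"statement {idx}: any AWS principal may assume this role")
        return reasons
    actions = _as_list(stmt.get("Action"))
    resources = _as_list(stmt.get("Resource"))
    for action in actions:
        if _wildcard_action(action):
            reasons.append(f"statement {idx}: wildcard action {action!r}")
    if "*" in resources and any(not _read_only(a) for a in actions):
        reasons.append(f"statement {idx}: non-read action on Resource '*'")
    return reasons


def scan_plan(plan: dict) -> list:
    """Scan every planned resource's policy documents; return a list of findings."""
    findings = []
    for rc in plan.get("resource_changes", []):
        after = (rc.get("change") or {}).get("after")
        if not after:  # destroyed resource, or nothing known before apply
            continue
        for key in ("policy", "assume_role_policy"):
            raw = after.get(key)
            if not isinstance(raw, str):  # absent, or "known after apply"
                continue
            try:
                doc = json.loads(raw)
            except json.JSONDecodeError:
                findings.append({"address": rc["address"], "key": key,
                                 "reason": "policy is not valid JSON"})
                continue
            for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
                for reason in _check_statement(key, idx, stmt):
                    findings.append({"address": rc["address"], "key": key, "reason": reason})
    return findings


def main(argv) -> int:
    """CI entry point: non-zero exit blocks the pipeline when findings exist."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    findings = scan_plan(plan)
    for f in findings:
        print(f"{f['address']} [{f['key']}]: {f['reason']}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `terraform show -json plan.out > plan.json && python iam_check.py plan.json` in the pipeline step that runs after `terraform plan`; a non-zero exit fails the job, which is the automatic half of the check, while the printed findings give the human reviewer something concrete to look at. The heuristics are deliberately simple and only look at the plan's rendered JSON, so policies assembled from unknown values at apply time are skipped rather than guessed at.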