Security Foundations — Quickstart
March 2026 // V1.0
Classification
CLASSIFIED // FOR AUTHORIZED EYES ONLY
CASE STUDY
MFG-2026-001
January 2026 — March 2026
Client & Engagement Scope
Client Profile
Engagement Parameters
- Google Workspace Identity (18 accounts)
- Cloudflare DNS Infrastructure
- Managed macOS Endpoints (18 devices)
- AWS IAM Console Access
- Production AWS Workload Architecture
- Physical Security
Security Challenges
Meridian was 14 months post-launch, processing $4M in monthly loan volume through an 18-person team. Their cyber insurance renewal required documented MFA enforcement and email authentication controls to qualify for coverage. Simultaneously, a Series A term sheet included a pre-close security review clause. The team had no dedicated security person and no existing controls. They had 6 weeks.
“Eighteen Google Workspace accounts with no MFA enforcement, no DMARC policy, and no DNS filtering. Four accounts had never set passwords beyond the default. Browser extensions installed by engineers included two with known data exfiltration histories. A single phishing email reaching any employee could compromise the Google Workspace admin console, AWS, and the core lending platform simultaneously.”
Technical Controls
MFA Enforcement
Google Workspace 2-Step Verification enforced across all 18 accounts. Phishing-resistant security keys deployed for the 3 admin accounts. Legacy authentication protocols disabled. Break-glass account created, credentials vaulted, alert-on-use configured. MFA coverage reached 100% within 4 days. Deployed via the Google Admin Console and the Terraform googleworkspace provider.
Email Security & DMARC
SPF, DKIM, and DMARC DNS records published via Cloudflare. DMARC policy advanced from none to reject within 11 days following aggregate report analysis — one unauthorised sending source (an old Mailchimp account) identified and remediated. Material Security enrolled across all 18 mailboxes, sandboxing attachments and rewriting URLs on delivery. External forwarding rules blocked at the admin level.
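The aggregate-report analysis that gates the move from none to reject, as an added example (not the engagement's own tooling): it parses a constructed RUA report in the RFC 7489 XML shape, totals messages per sending IP, and flags sources that fail both aligned DKIM and aligned SPF. The IPs and the domain "bulk-mailer.invalid" are placeholders standing in for a third-party sender like the unauthorised Mailchimp account described above.

```python
# Added example (not from the case study): summarise a DMARC aggregate (RUA)
# report to find senders failing alignment before moving p=none -> p=reject.
# SAMPLE_REPORT is constructed in the RFC 7489 XML shape; IPs and the domain
# "bulk-mailer.invalid" are placeholders, not real data from the engagement.
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>420</count>
      <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>37</count>
      <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>bulk-mailer.invalid</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>"""


def summarise(report_xml: str) -> dict:
    """Per-source counts plus the sources failing DMARC alignment.

    policy_evaluated/dkim and /spf are the *aligned* results: a source failing
    both is unauthorised for the From: domain even if raw SPF passed for some
    other domain (a third-party mailer sending as itself).
    """
    root = ET.fromstring(report_xml)
    totals, unaligned = defaultdict(int), {}
    for rec in root.findall("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        totals[ip] += count
        if (rec.findtext("row/policy_evaluated/dkim") != "pass"
                and rec.findtext("row/policy_evaluated/spf") != "pass"):
            # The domain raw SPF passed for names the third-party sender.
            unaligned[ip] = {"count": count,
                             "spf_domain": rec.findtext("auth_results/spf/domain")}
    return {"policy": root.findtext("policy_published/p"),
            "totals": dict(totals), "unaligned": unaligned}


def ready_for_reject(summary: dict, max_unaligned_share: float = 0.0) -> bool:
    """True once unaligned mail is within the share the domain owner accepts."""
    total = sum(summary["totals"].values())
    bad = sum(v["count"] for v in summary["unaligned"].values())
    return total > 0 and bad / total <= max_unaligned_share
```

Run it over each day's reports while at none; once every flagged source is either authorised (SPF include / DKIM signing) or retired and ready_for_reject holds at your chosen tolerance, advance the policy.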
Password & Auth Policies
Google Workspace password policy hardened: minimum 12 characters, complexity enforced, reuse prevention enabled. Account lockout configured at 10 failed attempts. Session idle timeout set to 8 hours for standard accounts, 4 hours for admins. Four accounts with default or weak passwords force-reset at policy rollout.
Account Inventory & Hygiene
Full account inventory run via Google Admin SDK. Found: 2 accounts from departed contractors still active (both with AWS console access), 1 shared ops@ account with no documented owner, and 3 service accounts tagged to employees who had changed roles. All remediated within 48 hours with client approval. Automated monthly cleanup script deployed — runs 1st of each month, flags any account inactive for 45+ days.
DNS & Web Filtering
Cloudflare Gateway deployed as the DNS resolver for all 18 endpoints via a Jamf-managed DoH profile. Zero cost — Cloudflare Gateway is free under 50 users. Ten threat categories blocked: malware, phishing, C2, cryptomining, ransomware, spyware, DNS tunnelling, botnets, DGA domains, and newly registered domains. 214 malicious DNS queries blocked in the first 30 days. All filtering enforced on and off the corporate network.
Browser Hardening
Chrome managed policy deployed to all 18 macOS endpoints via Google Admin Console. Extension installation blocked — only 1Password allowlisted by policy. Safe Browsing set to Enhanced Protection. Password saving to browser disabled. Chrome auto-updates enforced. Two previously installed extensions with known data collection histories removed. All 18 devices confirmed compliant via Chrome Browser Cloud Management.