Security: Identity, SIEM, Vault & Certificates
Identity and Access Management, OSS SIEM with Wazuh, automated certificate management, and HashiCorp Vault as the secrets platform.
What this means for your organisation
- Demonstrable compliance with GDPR, NIS2 and ISO 27001 without last-minute panic projects.
- No more password spreadsheets, no more expired certificates on a Friday evening.
- A SIEM that only pages your SOC for things that actually matter.
Overview
Security comes down to fundamentals: who your users are, which secrets are in circulation, how you know when something goes wrong, and how you keep TLS sharp everywhere. We deploy the building blocks that answer those questions, integrated into your existing infrastructure and without vendor lock-in.
Our Approach
- Identity and Access Management: One identity layer across your entire stack via Active Directory, OpenLDAP, Kerberos and Keycloak. Single sign-on for users, federation to SaaS, and MFA and RBAC where they belong.
- OSS SIEM with Wazuh: End-to-end Wazuh deployment with agents on your servers and endpoints, log collection, compliance reporting (CIS, PCI, GDPR), and alerting that only wakes your SOC or on-call for what actually matters.
- Automated certificate management: cert-manager and step-ca for internal CAs, ACME (Let’s Encrypt) for public certificates, and automated rotation so an expired TLS cert never wakes you up again.
- HashiCorp Vault: Vault as the central secrets platform with dynamic secrets, database credential rotation, a PKI engine, transit encryption, and integrations with Kubernetes, CI/CD and applications.
- System Hardening: CIS and STIG baselines rolled out via Ansible, kernel parameters, sshd hardening, sudo policy, AppArmor or SELinux. Reproducible baselines that ship with every new machine.
- System Auditing: auditd configuration for Linux, periodic CIS audits with Lynis and OpenSCAP, file integrity monitoring (AIDE), and compliance reporting for management or auditors.
- Supply Chain & Compliance: Cosign-signed builds, SBOM generation, SLSA attestations, and compliance evidence for ISO 27001, NIS2, or equivalent programmes.
Technologies
- Identity: Active Directory, OpenLDAP, Kerberos, Keycloak, FreeIPA
- SIEM & Monitoring: Wazuh, OSSEC, Falco, Loki audit logs
- Hardening: Ansible CIS / STIG roles, AppArmor, SELinux, sshd, kernel tuning
- Auditing: auditd, Lynis, OpenSCAP, AIDE, ossec-rootcheck
- Certificates & PKI: cert-manager, step-ca, ACME / Let’s Encrypt, Vault PKI
- Secrets: HashiCorp Vault, External Secrets Operator
- Supply Chain: Cosign, Syft, in-toto, SLSA attestations