Endpoint Security

Statement

The team that operates ClaimGuard works from a small set of laptops authenticated through Google Workspace. Today our endpoint posture relies on platform defaults (full-disk encryption, OS-vendor patching, browser sandboxing) plus the Workspace identity perimeter (mandatory MFA, no password reuse for production access). We do not yet run a managed-endpoint (MDM) program or a third-party EDR agent — that is a planned investment for the SOC 2 prep cycle.

This control sits at partial because the platform-default posture is real but the documented policy + central enforcement layer (MDM / EDR) are not yet in place.

Implementation

Identity and access

  • Google Workspace (dtectvision.ai) is the identity perimeter for production access. See Identity provider.
  • MFA is mandatory at the Workspace policy level for every account. See MFA.
  • GCP CLI access uses short-lived OAuth tokens issued by gcloud auth login — no long-lived JSON service-account keys on operator laptops. See Privileged access.

Disk encryption

  • macOS: FileVault is enabled by default on operator laptops. Verified by manual attestation rather than central reporting (no MDM today).
  • Windows / Linux: same expectation; same gap on central reporting.

OS patching

  • Each operator's OS receives vendor patches via the platform's built-in update channel (Software Update on macOS, Windows Update on Windows, the distro's package manager on Linux). We do not centrally enforce a maximum patch lag today.
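Because there is no MDM, the disk-encryption and patch-level facts above are collected by operator self-attestation. The script below is an added example of what such an attestation could produce; it is not ClaimGuard's tooling. It reads FileVault state on macOS via the real `fdesetup status` command (other platforms report "unknown"), compares the installed OS version against a minimum that is an assumed policy value, and walks the home directory for downloaded GCP service-account key files (the `"type": "service_account"` field of the JSON format), which the identity section says should not exist on operator laptops. The function and file names are hypothetical, and the sample directory tree it scans in the test helper is constructed.

```python
#!/usr/bin/env python3
"""Operator endpoint self-attestation (added example, hypothetical tooling).

Builds a small JSON record an operator can attach to a manual attestation:
  - full-disk encryption state (macOS FileVault via `fdesetup status`),
  - installed OS version checked against an assumed minimum,
  - any long-lived GCP service-account key files found under the home dir.
FDE detection on Windows/Linux is deliberately left as None ("unknown").
"""
import json
import os
import platform
import shutil
import subprocess
import tempfile
from datetime import datetime, timezone


def parse_fdesetup(output: str):
    """Map the text printed by `fdesetup status` to True / False / None."""
    text = output.strip().lower()
    if text.startswith("filevault is on"):
        return True
    if text.startswith("filevault is off"):
        return False
    return None  # unrecognised output: report unknown rather than guess


def parse_version(s: str):
    """'14.4.1' -> (14, 4, 1); missing components are padded with zeros."""
    parts = [int(p) for p in s.strip().split(".") if p.isdigit()]
    return tuple((parts + [0, 0, 0])[:3])


def patch_lag_ok(installed: str, minimum: str) -> bool:
    """True when the installed OS version is at or above the required minimum."""
    return parse_version(installed) >= parse_version(minimum)


def find_service_account_keys(root: str, max_bytes: int = 64 * 1024):
    """Return paths of JSON files that look like GCP service-account keys.

    A downloaded key is a JSON object whose "type" field is "service_account".
    Only that field is inspected, so key material is never copied or printed.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".json"):
                continue
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, "r", encoding="utf-8") as fh:
                    doc = json.load(fh)
            except (OSError, ValueError):
                continue  # unreadable or not JSON: not a key file
            if isinstance(doc, dict) and doc.get("type") == "service_account":
                hits.append(path)
    return sorted(hits)


def fde_state():
    """Query FileVault on macOS; any other platform reports None (unknown)."""
    if platform.system() == "Darwin" and shutil.which("fdesetup"):
        out = subprocess.run(["fdesetup", "status"], capture_output=True, text=True)
        return parse_fdesetup(out.stdout)
    return None


def collect(home: str = os.path.expanduser("~"), minimum_os: str = "0.0.0"):
    """Build the attestation record. `minimum_os` is an assumed policy value."""
    if platform.system() == "Darwin":
        installed = platform.mac_ver()[0]
    else:
        installed = platform.release()  # kernel / build string; prefix parses
    return {
        "generated_at": datetime.now(timezone.utc).isoformat(),
        "platform": platform.system(),
        "os_version": installed,
        "patch_lag_ok": patch_lag_ok(installed, minimum_os),
        "full_disk_encryption": fde_state(),
        "service_account_keys": find_service_account_keys(home),
    }


def scan_constructed_sample():
    """Run the key scan over a constructed directory tree (test fixture only)."""
    root = tempfile.mkdtemp(prefix="attest-sample-")
    os.makedirs(os.path.join(root, ".config", "gcloud"))
    # Constructed stand-in for a downloaded key; no real key material.
    with open(os.path.join(root, ".config", "gcloud", "sample-sa-key.json"), "w") as fh:
        json.dump({"type": "service_account", "project_id": "example-project",
                   "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n"}, fh)
    with open(os.path.join(root, "settings.json"), "w") as fh:
        json.dump({"type": "user_settings", "theme": "dark"}, fh)  # not a key
    with open(os.path.join(root, "notes.json"), "w") as fh:
        fh.write("not json at all")  # malformed file must be skipped
    return [os.path.basename(p) for p in find_service_account_keys(root)]


if __name__ == "__main__":
    print(json.dumps(collect(minimum_os="0.0.0"), indent=2))
```

Run on an operator laptop it prints the record to attach to the attestation; a non-empty `service_account_keys` list or `full_disk_encryption: false` is what the reviewer looks for. The version comparison pads to three components so "14.4" and "14.4.0" compare equal, which avoids spurious failures when the policy minimum is written with fewer digits than the installed version string.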

Browser and software baseline

  • Production access is exclusively via the Cloud Console + the GitHub web UI in a current browser (Chrome / Edge / Firefox / Safari). Browser sandboxing + per-site isolation is effectively the first line of defence against drive-by compromise.
  • Operators are expected to use a password manager (1Password, Bitwarden, or platform keychain). Choice is individual.

What an endpoint compromise would expose

  • The operator's GCP OAuth token (short-lived, refreshable), scoped to whatever IAM roles they hold. See Privileged access for the role inventory.
  • Their GitHub session (read access to the private repo; write access if they're in the maintainers group).
  • Their Workspace session (mail, drive, etc.).

The blast radius of a single laptop compromise is bounded by those three sessions plus whatever is locally cached on the laptop. There is no production data persistently on operator laptops by design — claim data and customer documents live in the GCP project, not on workstations.

Status

partial — verified 2026-05-03.

What's in place:

  • Workspace identity perimeter with mandatory MFA.
  • Short-lived OAuth tokens for cloud access.
  • Platform-default full-disk encryption + browser sandboxing.
  • No persistent production data on operator endpoints.

Known gaps

  • No MDM (Mobile Device Management). Operator laptops are not centrally enrolled. Cannot enforce screen-lock timeout, password policy, FDE check, or remote-wipe centrally; relies on operator self-attestation.
  • No EDR / endpoint protection. No CrowdStrike / SentinelOne / equivalent agent. Detection of laptop-side compromise depends on the OS-vendor signals (XProtect, Defender) only.
  • No central patch-lag reporting. We can't currently say "every operator endpoint is on N-1 OS patch level."
  • No on-/off-boarding endpoint checklist beyond IAM/Workspace account lifecycle. Adding a documented list is queued.
  • No bring-your-own-device policy — we currently assume the laptop is the operator's primary work device. Formalising a BYOD-versus-company-laptop policy is a SOC 2 prep item.

Roadmap

  • MDM enrollment for all operator laptops (likely Google's endpoint management for Workspace accounts; evaluate Kandji / JumpCloud as alternatives). Closes the central enforcement + reporting gap.
  • Endpoint policy document — screen-lock, FDE, OS patch cadence, allowed software, password manager requirement, reporting a lost device. Becomes the SOC 2 evidence artefact.
  • EDR evaluation at SOC 2 Type II preparation time. Below the bar for Type I.