Ashkaan Security Meeting - Recommendations

Date: September 29, 2025
Duration: ~3 hours
Participants: Quan, Charlie, Kris Neal, Steven Hanna, Ashkaan Hassan (EO, cybersecurity expert)

---

🎯 Core Security Principles

1. Principle of Least Privilege — Every user gets bare minimum access to perform their function, nothing more
2. Top-Level Permissions — Declare permissions at folder/share level, not ad-hoc per file
3. Single Source of Truth — All company files in Google Drive (no WorkDrive, Dropbox, local storage)
4. MFA Everything — Multi-factor authentication on every system, no exceptions
5. Climbing the Tree — 90% protected = extremely unlikely to be attacked (bad guys target low-hanging fruit)

---

🌐 DNS & Domain Security

Critical Actions

• Move DNS to Cloudflare (from InMotion)
  • Cloudflare supports DNSSEC + CAA certificate
  • One-click security solutions
  • No space issues in DKIM records
• Enable DNSSEC — Prevents domain spoofing attacks
• Enable CAA Certificate — Blocks DNS injection attacks (fake SSL certificates)
• Upgrade DMARC — Change policy from none to quarantine
  • ChatGPT can generate correct DMARC record
  • Test after deployment to avoid spam issues
• Verify DKIM — Test records (InMotion had spaces, but Google confirmed working)

Hosting

• Current: InMotion (website), GoDaddy (parking)
• Recommendation: Keep InMotion for now, or migrate to WP Engine or Flywheel (WordPress-optimized)
• GoDaddy hosting also acceptable

Marketing Domain

• Use goztag.com for mass email campaigns (separate from main domain to avoid blacklisting)

---

🔐 Google Workspace Security

Two-Factor Authentication (MFA)

• Enforce 2FA company-wide (Security → 2-step verification)
  • Give users 1 week to set up
  • Warning: May lock out users randomly (Google bug) — be prepared
• Disable SMS/phone call MFA (vulnerable to SIM jacking)
• Allow only:
  • Authenticator apps (Google Authenticator, 1Password)
  • Security keys (optional)
  • Backup codes
• Service accounts (noreply@ztag.com):
  • Option 1: Use Modern Auth (token-based, preferred)
  • Option 2: Create app-specific password (if Modern Auth not supported)

Admin Accounts

• Separate admin accounts — Quan should have:
  • quan@ztag.com (daily driver, standard user)
  • admin@ztag.com or quan-admin@ztag.com (MFA'd, admin-only)
• Limit super admins — Remove Clances from super admin, create custom role (e.g., user management only)

Gmail Protection

• Enable spoofing protection (Apps → Google Workspace → Gmail → Safety)
  • Turn on all protections
  • Set to "show warning" (not quarantine, to avoid breaking workflow)
• Enable malware sandbox (optional, adds 1+ minute delay)
  • Detects ransomware, crypto-hijacking
  • Google auto-detects and allows rollback
• Test DKIM authentication (already confirmed working)

Gmail Client

• Recommendation: Migrate from Superhuman back to native Gmail
  • Superhuman circumvents Gmail security protections
  • Gmail shortcuts equally powerful once learned
  • Fewer bugs (e.g., snooze/boomerang failures in Superhuman)
  • Build filter rules to automate inbox (replaces Superhuman's selling point)

---

📂 Google Drive Security

Team Shares (Shared Drives)

• Migrate all files from MyDrive to Team Shares
  • MyDrive = user-owned (bad for company continuity)
  • Team Shares = company-owned (proper)
• Design folder structure using EOS framework
  • Start with 4 top-level roles: Integrator, Sales, Operations, Finance
  • Fan out recursively: Finance → Legal, HR, Accounting → Legal Contracts (Sales), Legal Contracts (Vendors), Legal Disputes
  • Create new team share for each permission boundary (e.g., if not everyone in Sales needs closed deals, create separate "Sales - Closed Deals" share)
  • Criteria: Every person declared on a share must need 100% of files in that share
  • Result: Could have 40-50+ shares (normal, even for 6-person company)
• Naming convention:
  • External - Sales (for shares with outside access)
  • Finance - Legal - Vendors, Finance - Legal - Sales, etc.
• Set top-level permissions:
  • Use Google Groups (e.g., sales@ztag.com group) for permissions (not individual users)
  • Onboard/offboard users via groups (automatic access control)

Share Settings (Admin Console → Apps → Google Drive → Sharing)

• Prevent users from creating shared drives (enable after initial setup)
  • Admins must untick → create drive → re-tick (annoying but necessary)
• Default shared drive settings:
  • Disable "allow members/managers to override settings"
  • Disable "allow users outside ZTAG to access files" (default internal-only)
  • Disable "allow people who aren't shared drive members to be added to files" (⚠️ CRITICAL)
  • Disable "content managers can share folders"
  • Enable "download/print/copy" (opinion: doesn't add real security, prevents screenshots)

Sales Documents Exception

• Current: Operations manual + sales docs shared via "anyone with link"
• Recommendation:
  • Create External - Sales shared drive
  • Allow "anyone with link" on that share only
  • Company retains ownership even for public links
  • Alternative: Host truly public docs on website (not Drive)

Work-in-Progress Files

• No "private" files — everything in team shares
• Use file naming: [WIP] Document Name or WIP - Document Name
• Alternative: Create single-user team share (e.g., R&D - Quan for code scratch work)

Backup

• Deploy Google Drive backup (recommendation: DropSuite)
  • Alternatives: Synology (physical box), QtBackup (self-hosted)
  • Protects against: user mistakes, 30-day retention expiration, ransomware (rare but possible)
  • Classic 3-2-1 backup: 3 copies, 2 mediums, 1 offsite (DropSuite = 2-1-1, acceptable for modern cloud)
  • Alternative: Manual SSD backup via Google Drive sync app (loses metadata/permissions)

---

⚙️ Zoho Security

User Permissions Audit

• Review every user's access (Admin → Directory)
  • Check each module (CRM, Books, Desk, etc.)
  • Check permission level (User, Admin, Manager, Member)
  • Apply principle of least privilege
• Remove unnecessary admin access (especially for remote workers)

Multi-Factor Authentication

• Migrate from Zoho OneAuth to 1Password (once deployed)
  • Zoho OneAuth uses binary "Allow/Deny" prompts (dangerous — users click yes reflexively)
  • 1Password uses OTP codes (number game, safer)
• Disable SMS MFA (Security → Password Policy → MFA Settings)
• Disable YubiKey (optional, debated, but physical keys = lost key problem)
• Keep only OTP authentication

Password Policy

• Increase minimum password length to 12+ (currently 10)
  • Use "Good" or "Strong" preset
• Biometric 60-day re-auth (keep as-is)

Resolved Issues (Sep 29)

• ✅ Kris Neal's MFA reset (lost work phone)
• ✅ Password manager confusion (Google vs Keeper vs Zoho Vault)
• ✅ Zoho Vault = separate login from main Zoho account

---

🔑 Password Management

Deploy 1Password Business Edition

• Sign up for 1Password Business ($7-8/month per user)
  • Includes personal + business vaults per user
  • Desktop app + browser extension + mobile app
  • QR code scanning from extension (no need to pick up phone)
• Migrate passwords:
  • Quan: Keeper → 1Password
  • Kris/others: Google Password Manager → 1Password
  • Zoho Vault → 1Password (for MFA)
• Company policy: All business credentials must be in 1Password
  • No passwords in iCloud Keychain, Google, browser storage, notes, spreadsheets
  • Auto-generated passwords only (never memorized)
  • Master password = only password to remember

Why Not Google Password Manager?

• Cannot generate strong passwords reliably
• Cannot edit site URLs (causes confusion with multiple logins)
• No desktop app (extension-only)
• Missing enterprise features

---

👥 Contractor & Remote Worker Security

Current Setup ✅

• All contractors have @ztag.com emails (correct approach)
• Philippines team: Clances (super admin → downgrade), Kermi, Tin, Paula

Best Practice

• Contractors/freelancers must use company email for data access
• Email ≠ employment (document in contract)
• Alternative: Some companies allow external emails but declare them in team shares (less ideal)

---

🎓 Security Awareness Training

Deploy Breach Secure Now (or KnowBe4)

• Sign up for Breach Secure Now (preferred) or KnowBe4
  • Ashkaan is a reseller (can assist with setup)
• Annual training: 1-hour CSI-style video (entertaining, memorable)
• Weekly 1-minute videos + 4 quiz questions
  • Leaderboard creates psychological engagement (competitive)
  • Quan's company: least tech-savvy person became #1 (happens consistently)
• Phishing simulations: Fake emails to test weak links
• Dark web monitoring: Spider searches for @ztag.com passwords on dark web
• Connect to Google Workspace: Auto-pulls user list, auto-enrolls new hires

Benefits

• Cybersecurity insurance discount (proof of training)
• Real-time protection (video topic = actual attack 2 weeks later)
• Cultural shift (team starts caring about security)

---

🤖 AI Security Policy

Create Company AI Policy

• Approved AI tools only (ChatGPT, Claude, etc. — define list)
• Obfuscate client information:
  • Use "Company A, Company B, Person X, Person Y" (not real names)
  • Exception: ChatGPT sometimes remembers variables ("Company X last week" ≠ "Company X this week")
• Risk analysis before inputting data:
  • PII (Personally Identifiable Information) = strict no for cybersecurity/HIPAA/etc.
  • ZTAG exception: Public sector customers, no NDAs, product doesn't collect PII → less strict
  • Leadership decision: Quan puts company finances in AI (value > risk)
• LEM list enrichment okay (standard practice for sales AI agents)

---

🛠️ Miscellaneous Recommendations

Email Deliverability

• SPF record: ✅ Perfect (Google + Zoho authorized)
• DMARC: ⚠️ Set to p=none (should be p=quarantine)
• DKIM: ✅ Working (despite weird spaces in InMotion)
• MX records: ✅ Good

Legacy Systems

• Migrate WorkDrive files to Google Drive (minimal usage, mostly Quan's legacy docs)
• Audit Dropbox usage (personal accounts, not company-wide)

Website Hosting

• Current: InMotion (WordPress)
• Keep or migrate to WP Engine / Flywheel (WordPress-optimized, better security)

Media Assets Folder Cleanup

• Media Assets Official folder owner = Quan (should be company-owned)
• Migrate to team share during restructure

---

📊 Priority Matrix

Critical (Do First)

1. Enable 2FA on Google Workspace (all users)
2. Deploy 1Password Business Edition
3. Move DNS to Cloudflare + enable DNSSEC + CAA
4. Audit Zoho permissions (especially remote workers)
5. Migrate MFA to 1Password (away from SMS/Zoho OneAuth binary prompts)

High Priority (Next 30 Days)

6. Design team share folder structure (EOS framework exercise)
7. Migrate MyDrive files to team shares
8. Set default shared drive settings (disable overrides, external access, non-member adds)
9. Deploy Breach Secure Now training
10. Create AI usage policy

Medium Priority (Next 90 Days)

11. Backup solution (DropSuite)
12. Upgrade DMARC to quarantine
13. Migrate from Superhuman to Gmail (optional, team preference)
14. Separate admin accounts (Quan)
15. Create Google Groups for permission management

Low Priority (Ongoing)

16. Monitor dark web scans
17. Review phishing simulation results
18. Periodic permission audits
19. WP Engine/Flywheel migration (website hosting)
20. WorkDrive/Dropbox cleanup

---

🔗 Tools Mentioned

• Cloudflare — DNS, domain parking, DNSSEC, CDN
• 1Password Business — Password manager ($7-8/month)
• Breach Secure Now — Security training (Ashkaan is reseller)
• KnowBe4 — Security training (alternative, less funny)
• DropSuite — Google Drive backup (cloud-based, expensive but best)
• Synology — Google Drive backup (physical NAS box)
• QtBackup — Google Drive backup (self-hosted app)
• WP Engine / Flywheel — WordPress hosting (premium, optimized)
• N8N — Automation (Zapier alternative, more reliable)
• Mermaid — Coded flowcharts (GitHub renders natively)

---

🎯 Ashkaan's Analogies

• Locking a convertible — Security won't stop a determined attacker (they'll take photos), but adds social/technical friction
• Bear analogy — Don't need to be fastest, just can't be slowest
• Climbing a tree — Higher you go (more protections), less likely bad guys pursue you (looking for low-hanging fruit)
• 90% protected — Extremely unlikely to be attacked (bad guys move on to easier targets)

---

📝 Follow-Up Actions from Meeting

• Kris Neal MFA reset (completed during call)
• Kris password reset + Google Password Manager cleanup (completed during call)
• Quan: Sign up for 1Password Business
• Quan: Move DNS to Cloudflare
• Quan: Design team share structure (EOS exercise)
• Team: Participate in Breach Secure Now training once deployed
• Ashkaan: Available for follow-up questions, 1Password migration guidance (15-min call)

---

Meeting Sentiment: Overwhelmingly positive. Team engaged, Ashkaan patient and thorough. Kris felt it was "Chinese to me" but Steven translated well. Quan committed to implementation ("we'll rinse this and figure out optimal path forward"). Charlie concerned about organic folder permissions pitfalls (Ashkaan reassured: team will surface needs organically).

Next Steps: Transcript review → prioritize actions → phase implementation (not flip-of-switch).