Next Phase
Purpose
This page defines the short- to mid-term evolution priorities for Scheol Security Lab.
The objective is to:
- focus efforts on the most impactful improvements
- maintain alignment with identified risks and security debt
- avoid unrealistic or uncontrolled expansion of the environment
Guiding Principle
Prioritisation is driven by risk exposure and structural weaknesses, not by feature expansion.
The next phase focuses on reducing critical risks and improving control effectiveness, rather than adding new components.
Priority Areas
1. Administrative Access Control
Objective:
Establish a controlled and auditable administrative access model.
Key actions:
- deploy and harden bastion host
- restrict direct SSH access to infrastructure
- enforce key-based authentication
- progressively introduce MFA
- reduce dependency on the personal workstation for administrative access
Related items:
- Risk: R-003
- ADR: ADR-003
- Security Debt: SD-003, SD-008
2. Centralized Logging & Detection
Objective:
Improve visibility and detection capabilities across the environment.
Key actions:
- deploy SOC platform (Wazuh)
- onboard VPS and internal systems
- enforce secure log forwarding (TLS)
- define initial detection rules
- review detection coverage
Related items:
- Risk: R-002
- ADR: ADR-002
- Security Debt: SD-002, SD-007
3. Service Segmentation (Heaven)
Objective:
Reduce lateral movement risks by separating exposed and sensitive services.
Key actions:
- move Gitea to a dedicated VPS
- isolate public services from internal components
- review network exposure and access paths
Related items:
- Risk: R-001
- ADR: ADR-001
- Security Debt: SD-001
4. Backup Strategy Reinforcement
Objective:
Ensure resilience against data loss and compromise.
Key actions:
- implement external backup storage
- introduce encryption and immutability
- validate restoration procedures
Related items:
- Risk: R-001
- Security Debt: SD-004
5. Web Application Exposure Hardening
Objective:
Reduce risks associated with publicly exposed applications.
Key actions:
- implement WAF capabilities or equivalent protections
- review reverse proxy configuration
- improve application-level security (Dolibarr)
Related items:
- Risk: R-001
- Security Debt: SD-005
6. Identity & Authentication Maturity
Objective:
Strengthen authentication mechanisms and identity management.
Key actions:
- extend MFA coverage to all sensitive services
- improve credential management practices
- prepare integration with centralized identity services (LDAP)
Related items:
- Risk: R-003
- Security Debt: SD-006
Deprioritised Areas
The following areas are intentionally not prioritised at this stage:
- deployment of additional services not required for current objectives
- advanced automation beyond current operational needs
- complex architecture extensions without direct risk reduction impact
Success Criteria
The next phase will be considered successful if:
- administrative access is fully controlled and centralized
- logs are consistently collected and usable for detection
- critical service co-location risks are removed
- the backup strategy is reliable and its restoration procedures are testable
- major exposure risks are reduced
Current Maturity
At the current stage, planning is considered structured and risk-driven.
Established
- identification of key priorities aligned with risks
- linkage between roadmap, security debt and architecture
In Progress
- execution of critical improvements
- refinement of prioritisation based on constraints
Planned / Next Phase
- iterative reassessment of priorities
- integration with continuous improvement workflow
- measurable tracking of progress and outcomes
This roadmap reflects a deliberate focus on security fundamentals before expansion.