
Working in Client Environments

Many engagements involve working directly within your infrastructure. Here’s how we adapt.

Environment Models

Fully Client-Hosted

In this model, all work happens within your infrastructure:

What You Provide:

  • Workstations (physical laptops or VDI)
  • Development environments
  • Repository access
  • Communication tools (email, chat)
  • All necessary software licenses

What We Do:

  • Follow your security policies and procedures
  • Complete your required security training
  • Use your authentication systems (SSO, MFA)
  • Adhere to your access management processes
  • Submit to your monitoring and audit systems

Best For: Maximum client control, highly regulated industries, engagements with sensitive data


Hybrid Model

Some systems are client-hosted and some are Soal-managed:

Common Split:

  • Client-hosted: Production systems, sensitive data, core business applications
  • Soal-managed: Development workstations, staging environments, collaboration tools

What We Coordinate:

  • Secure connectivity between environments (VPN, private endpoints)
  • Consistent identity management where possible
  • Clear boundaries on what lives where
  • Defined data flow policies

Best For: Balancing client control with operational efficiency


Soal-Hosted with Client Access

We host the environment with client visibility:

What We Provide:

  • Managed workstations or VMs
  • Development and staging infrastructure
  • Standard tooling and collaboration platforms

What You Get:

  • Audit access and logging visibility
  • Defined security controls and policies
  • Regular compliance reporting
  • Incident notification

Best For: Faster onboarding, engagements without highly sensitive data access


Adapting to Your Policies

When working in your environment, we comply with your requirements:

Authentication & Access

  • Enroll in your identity provider (Okta, Azure AD, etc.)
  • Use your MFA solution
  • Follow your password policies
  • Request access through your processes
  • Accept access reviews and recertification

Endpoint Requirements

We’ll meet your endpoint requirements, which may include:

  • Installing your MDM/endpoint agent
  • Using your approved EDR solution
  • Accepting device compliance checks
  • Using only approved software
  • Disabling specific features (USB, screen capture, etc.)

Network & Connectivity

  • Connect via your VPN solution
  • Accept network monitoring
  • Use only approved network paths
  • Follow your firewall and proxy requirements

Training & Compliance

  • Complete your security awareness training
  • Acknowledge your acceptable use policies
  • Sign any required attestations
  • Complete role-specific training (HIPAA, etc.)

What We Ask From You

To work effectively in your environment:

Access Provisioning

  • Clear process for requesting and approving access
  • Reasonable turnaround time for access requests
  • Point of contact for access issues
  • Documentation of what access is available

Tooling

  • Development tools adequate for the work (IDE, terminal, etc.)
  • Sufficient system resources (memory, CPU)
  • Ability to install or use necessary development dependencies
  • Network access to required resources (repositories, APIs, documentation)

Support

  • IT support contact for workstation/access issues
  • Clear escalation path for blockers
  • Reasonable response time for issues affecting productivity

Communication

  • Defined communication channels
  • Access to necessary team members
  • Clear project expectations and requirements

Security Alignment Meeting

Before starting work in your environment, we recommend a security alignment session:

Topics to Cover:

  • Your security policies and expectations
  • Required training and certifications
  • Access request and approval process
  • Acceptable use boundaries
  • Incident reporting procedures
  • Points of contact for security questions
  • Monitoring and audit expectations
  • Offboarding and access revocation process

Compliance Considerations

Your Regulatory Requirements

If you operate under specific regulations (SOC 2, HIPAA, PCI-DSS, etc.):

  • We’ll follow your compliance requirements
  • Complete any required training
  • Accept relevant audit scopes
  • Provide documentation as needed

Our Commitments

Regardless of environment model:

  • Squad-based isolation maintained (only assigned team accesses your systems)
  • Confidentiality obligations still apply
  • No data or code moves to other client contexts
  • Offboarding procedures executed at engagement end

Transitioning Between Models

Engagements sometimes shift between models:

Starting in Your Environment, Moving to Hybrid:

  • Common as projects scale or development needs change
  • Requires defining what moves and what stays
  • Requires establishing secure connectivity

Starting Soal-Hosted, Moving to Client Environment:

  • Typical as the project moves toward production
  • Code and documentation are transferred
  • Development practices are adapted to your environment