In today’s business environment where workforces are mobile and the most important data is stored in the cloud, security is paramount. This is especially true for startups because they change quickly, are often working with fewer resources and less specialized personnel than their more established counterparts, and are operating with a relatively small budget.
Despite these challenges, however, startups’ newness can also play to their advantage: they’re generally less entrenched in legacy equipment and processes than large, established companies. This gives startups a fairly blank slate to build an IT infrastructure that’s optimal rather than convenient, and their size and modernity give them the nimbleness they need to pivot quickly and execute on initiatives effectively.
One critical part of building the optimal IT infrastructure is developing a comprehensive and strategic security plan. This checklist is not all-encompassing; individual processes, equipment, goals, and other factors will influence each company’s security needs. However, it does provide a solid foundation for building an effective startup security plan.
Control User Access to IT Resources
One of the most critical parts of any security strategy is to control user access to all the IT resources within your infrastructure. This includes devices and equipment, applications, files (in cloud storage or a NAS), network(s), data and databases, reporting and analytics, and more.
The most effective way to control user access to the resources they need is with a robust IAM program. The ideal IAM program for a startup includes:
- User data stored in a central directory that extends to all cloud and on-prem resources.
- Secure user authentication and authorization that supports multi-factor authentication (MFA).
- Automated provisioning and de-provisioning of resources based on user groups and policies.
- Customizable security policies that can be implemented remotely.
- Policy-driven user groups.
- Single sign on (SSO) and user provisioning/deprovisioning to IT resources via SAML, SCIM, LDAP, and other secure protocols.
- Audit logging, insights and reporting.
Your IAM solution should be able to manage users that are in the office, mobile, and remote. Even if your startup is fully office-based (or will go back to it after the pandemic subsides), having the flexibility to pivot to a hybrid model, or even enable fully remote work, only improves efficiency and builds agility into your organization’s core operating model.
In addition to choosing an IAM solution with the above capabilities, startups should follow user security best practices:
- Assign users the lowest privilege necessary.
- Create role redundancy so that privileged access doesn’t rely on one sole person in case of an emergency.
- Make sure personally identifiable information (PII) is only accessible by privileged users.
- Disable guest accounts if you don’t need them (most startups don’t).
- Make sure all users and their information and activity are tracked and visible.
- Ideally, your IAM program should be able to flag issues like lockouts, suspicious login attempts, expired passwords, and other data that needs an admin’s attention.
- Follow password security best practices.
- Include a minimum length (we recommend 12-16 characters at least).
- Create complexity requirements, if required.
- Require password rotation periodically (try once every 90 days), again, if required.
- Don’t allow name or username to be used in the password.
- Encourage password uniqueness — ideally with a password manager.
- Prohibit password sharing.
For a full list of recommended policies, read our in-depth blog on password security best practices.
- For LDAP directories, follow LDAP security best practices:
Making User Security Possible with Tooling
All too often, organizations end up creating mini-directories rather than creating a central directory service that integrates with everything in the infrastructure. However, a piece-meal IAM approach makes provisioning, deprovisioning, modifying, and securing user access challenging and inconsistent.
Fortunately, startups aren’t bogged down by the legacy technology that keeps longer-standing companies tethered to inefficient solutions. Modern cloud directory services provide all of the user control needed to keep user identities secure; however, many large companies are too entrenched in older, on-prem solutions like Microsoft Active Directory (AD or MAD) to make the switch to a cloud-based platform. As a startup, take advantage of your minimal on-prem infrastructure and look into starting off on the right foot with a cloud directory platform.
- Choose an MDM tool that can manage devices in your environment (including user-owned devices and different operating systems).
- Assign devices to users — installing a PKI certificate on the device for authentication is ideal.
- Assign devices to policy-governed device groups.
- Turn on disk encryption for all machines.
- Require MFA login for all devices (conditional access may bypass this if the device can be verified via PKI certificate).
- Enforce a screen lock after inactivity (we recommend short sessions — try a minute, if possible).
- Update and patch devices regularly.
- Use a patch management tool to track patching and avoid creating vulnerabilities by missing an update.
- Make sure all network-connected devices are visible and trackable. Similar to an ideal IAM solution, your MDM solution should be able to alert IT admins to items that need their attention, like lockouts, computers with disks that aren’t encrypted, and devices without MFA enabled.
- Restrict device sharing, especially for remote workers. Employees shouldn’t allow others to use their work devices, and they shouldn’t use their work devices for non-work activity.
- Develop and enforce a BYOD policy. This is especially important for remote and hybrid environments.
Fortunately, some MDM tools can implement and manage essentially all of the security configurations on network-connected devices. Better yet, cloud directory platforms can combine IAM with MDM to create a cohesive ecosystem that unifies and manages users and their devices, regardless of operating system or location.
Securing the Network
- Establish a means for secure remote connections. Many organizations accomplish this with a VPN, but startups are increasingly opting for cloud directories to facilitate secure access to resources with SAML, LDAP, RADIUS, and other secure authentication/authorization protocols.
- Use RADIUS to avoid shared credentials for network access and VPNs.
- Implement MFA.
- Use conditional access policies to increase or relax MFA based on the conditions of the login attempt. For example, try creating a policy that requires users to complete MFA when logging onto the network with an unrecognized device or when accessing a highly sensitive application.
- Use VLANs to segment the network, only allowing access to sensitive information on the VLAN designated for users with the permissions to access it. Dynamic VLAN assignment is ideal — it allows you to automatically assign users to their appropriate VLAN based on their directory-issued permissions using RADIUS.
- Implement a next-generation firewall that includes application-level inspection and intrusion prevention.
- Prohibit network and resource access from unprotected WiFi.
Remote, mobile, and hybrid work have expanded traditional ideas of the network and perimeter, transitioning from brick-and-mortar boundaries to software-defined ones. This calls for tighter, software-driven (versus physical, location-based) security when it comes to network access and use. For WiFi, the SSID and passphrase approach is not enough; WiFi access needs to be connected to the core directory service via RADIUS to create unique access. For remote workers, secure connections to the network and resources are a must, and companies need to make sure they’re protecting their central network with modern, reliable safeguards that can block all foreseeable attack vectors.
Securing Resources and Data
- Encrypt data in transit. This means opting for secure protocols like HTTPS, SSL, TLS, SSH, and others when transmitting data from one location to another. Organizations should develop standards of acceptable protocols for different data transmission types.
- Encrypt data at rest. Full disk encryption is a great start; for data stored in the cloud, check the encryption policies of the company or application storing the data.
- Store passwords with a cryptographic hash and salt the hash.
- Use MFA where possible.
- Avoid account or password sharing. This is common in startups looking to save money on licensing; however, it drastically increases the risk of account compromise. These risks far outweigh the cost benefits.
- Don’t re-use login information.
- Use a password manager to help users create strong, unique passwords without having to remember them all.
- Use SSO to allow users to sign into everything with one secure set of credentials. It also simplifies and secures onboarding and off-boarding as well as logging of all access.
- Keep track of vendors, and only work with those who demonstrate security and compliance practices that meet your company’s standards.
- Update software, applications, and equipment regularly.
Traditional directories like AD are restricted when it comes to providing resource access; they’re either bound to on-prem, Microsoft-centric models, or they require several add-ons and integrations to expand their reach (e.g. SSO, MDM, MFA, IGA, PAM, and more). JumpCloud, on the other hand, can facilitate and secure access to virtually all of your IT resources. JumpCloud is a cloud platform that uses secure protocols like SAML and LDAP, SSH and PKI keys, SSO, encryption, and more to facilitate users’ secure access to all the tools they need in a remote, hybrid, or on-prem environment.
Train Your Staff
Your organization’s staff is often the weakest link in your security strategy. Many of the common human-driven security risks — like shadow IT, credential sharing, poor responses to phishing attacks, and others — can be avoided with training.
When developing training, remember that not all end users have the same level of technical knowledge as your IT team. Eliminate any background information that isn’t necessary for users to understand what’s expected of them, and center training around what to do and what not to do. Use graphics and imagery where needed to help orient users — if you require MFA, for example, take a screenshot of the steps in action so they know what to expect the first time they do it. Any configuration requirements you need users to implement themselves are always best communicated with instructions and UI screenshots.
Not sure where to start? Run through this checklist and consider which elements IT admins can configure and control, and which require actions or understanding from the user. Compile those that involve the user and use those items as a starting point for your training content.
At a minimum, your security training should include:
- Personal data security best practices.
- Password best practices.
- Device best practices.
- Using MFA and other security initiatives.
- Recognizing and reporting phishing or other suspected security vulnerabilities.
For more information on startup security training, read our blog, Security for Startups: Securing Employees and Devices in Remote and Hybrid Workspaces.
Follow Zero Trust Security Principles
Zero Trust Security is a security approach that addresses the new “perimeter-less” business environment by trusting nothing and verifying everything. With Zero Trust, security is software-driven and layered, and authorization is only granted once an identity, device, and network path is proven safe via multiple layers of security. Zero Trust is becoming more widely adopted as traditional security methods continue to fall short in the face of new and developing threats.
MFA is a critical component of Zero Trust Security; for this reason, we included MFA as a recommendation for every section of this checklist. One factor should never be enough for authentication to access IT resources.
Different tools can help reduce the friction MFA creates to empower full productivity. Conditional access can either heighten or relax security measures based on the conditions of an attempted login; if a user is confirmed to be logging in with their assigned device on a recognized network, those factors can act as verification and allow the user to skip the MFA step. Alternatively, if a user logged in from public WiFi, they may be required to complete additional security steps or denied access until they logged in through a different network or VPN.
Other tools, like push notifications, significantly reduce MFA friction by making the second step as easy as tapping a button on the user’s phone. Biometrics on a user’s device, like facial recognition and fingerprints, also make MFA steps fast and easy without reducing their security.
Read Get Zero Trust Ready with JumpCloud Conditional Access for more information about conditional access and Zero Trust.
Start Off on the Right Foot
The best way to keep all of the factors above — users, devices, networks, and resources — unified and secure is with a core directory. Microsoft Active Directory has been a popular directory choice for decades; however, it isn’t evolving as quickly as the world around it. New, modern companies (especially startups) are increasingly opting for a cloud directory platform instead of AD’s on-prem one and Microsoft’s AD extension solution, Azure AD, for a few reasons:
- The cloud directory doesn’t require anything to be on-prem (but it can still connect you to on-prem resources if you have them).
- Cloud directories securely connect and manage all the resources listed above (users, devices, resources, and networks). This includes cloud applications, devices on different operating systems, network access via RADIUS, and more.
- Cloud directories require fewer (if any) additional tools to accomplish the same goal. Cloud directory platforms offer features like MFA, Single Sign-on (SSO), and Mac and Linux management. With AD or AAD, many of these would all be separate add ons, with separate recurring payments for each.
- Inertia is one of the top reasons companies continue using AD, and often expand to use Azure AD. Startups are new to the scene and unencumbered by legacy technology; they can use this to their advantage to build an IT infrastructure that’s modern, cloud-based, and adaptable to change.
- Cloud platforms are cost-friendly for small and growing startups. Cloud directory platforms don’t require a hefty up-front investment for on-prem equipment. In fact, JumpCloud offers its cloud directory services free for the first 10 users and devices you add. If you need support, JumpCloud extends its 24×7 Premium in-app chat support for 10 days. Further, licensing costs allow you to scale smoothly and only pay for what you need, keeping your business powerful, nimble, and ready to grow.
JumpCloud is the market-leading cloud directory platform that can unify user, cross-OS device, network, and resource management. Based in Zero-Trust Security, it allows for granular configuration of security policies for users and devices, and it doubles down on security with offerings like MFA, SSO, conditional access, and more.
Startups Take Aim At Security
As a startup, not having enough time or money to secure your business is not an excuse to skip critical security measures — and hackers will be able to spot (and exploit) the vulnerabilities you create when you take a lightweight approach to security. Following a few of the steps outlined in our security checklist will drastically reduce your chances of a breach, and simply having these elements in place will deter most bad actors from even trying to hack your organization.
To learn more about securing your startup, download the Security Playbook for SaaS Startups written by the CISO of JumpCloud.