Note: This is the first installment in a blog series on startup security in a DevOps world. This series is an adaptation of an e-book published in 2017, which was originally contributed to by JumpCloud CEO Rajat Bhargava and guest contributors Alan Shimel and Ben Tomhave. The information has been updated to include new IT developments and reflect the current business climate, particularly for startups. Read the authors’ bios below.
Most startups have so much promise and potential, even though they begin under conditions of extreme uncertainty. Unfortunately, given this uncertainty and the often frenetic pace in a startup, it’s not uncommon to see corners being cut, especially with security. Security is often viewed as a cost of doing business, not as added value; however, if startups can take the proper and critical steps to secure themselves, the benefits of doing so are significant.
Another factor in the accelerated development of startups is the DevOps way of software development, deployment, and operations. The convergence of new technologies with new ways of leveraging them has changed the way business is done. For startups, specifically, the changes have been seismic. A well-built DevOps program oriented around a CI/CD (continuous integration/continuous deployment) pipeline can further bolster agile execution that easily supports pivoting quickly when necessary.
In this blog, we’ll explore some of the basics of startup infrastructure – particularly, identity infrastructure – and security and how to approach them with a DevOps mindset to help enable agility, execution, and quality.
Base Infrastructure Decisions
One of your first major decisions in a startup will be where to build and host your offering. The Infrastructure-as-a-Service (IaaS) phenomenon has transformed the startup ecosystem. Companies can be started for far less money than ever before, and that’s creating a new wave of innovation. But, with this technology also comes great responsibility. Securing your cloud infrastructure is more important than ever. It’s important to realize that using a cloud service does not necessarily change or reduce the need for security practices. In fact, many of those same security practices and requirements persist in the cloud, but present in a different manner. As such, it’s important to remember that being in the cloud does not exonerate you from your security responsibilities.
Another key decision that affects infrastructure, as well as core business processes and functions, is your approach to development and deployment. For a lean startup, agile development is generally the go-to solution, and that will often lead to a DevOps approach. Be careful, however, to ensure that you don’t just stop at DevOps, and that you take the time to invest in your CI/CD pipeline so that it provides a suitable basis for automation of key tasks, like builds, testing, and deployment. Be mindful to build in flexibility and resilience from the outset so that you can adapt to changing requirements and challenges down the road.
A key takeaway here is to spend a little extra time thinking about infrastructure engineering up front so that you’ll be less encumbered in later stages. It’s understandable to want to rapidly build your MVP and get it out the door, but don’t harm or hinder yourself in the process. Even if you aren’t able to plug-in key security practices like application security testing or vulnerability scanning, design with those practices (and more) in mind, plan for automated builds, testing, and deployments so that patch management is a much easier problem to solve.
Key Security Considerations
There are many things to consider when it comes to security, and much of it can be overwhelming, distracting, or outright limiting for a startup. We think the following topics are important to address up front because they will save you pain and suffering down the road as your venture grows and succeeds.
Identity and Access Management (IAM): The First Line of Defense
Despite all the different areas of concern facing organizations today, there is one topic that is universally important, difficult, and distressing: managing user accounts and access. We could write an entire book on this topic, but for the sake of brevity we’ve reduced this to a few simple takeaways, which are:
- At a minimum, set up a central identity system of record. There are several ways to accomplish this. One is to use a federated identity provider (identity-as-a-service, or IDaaS). Another is to use a central directory service as the means of integrating your existing directory with cloud services.
- Invest in a flexible multi-factor authentication (MFA) capability. MFA is becoming increasingly critical to fend off many types of common attacks.
- Don’t forget the supporting practices. All access must be authorized and reviewed on a regular basis. Maintain an audit trail of access grants and reauthorizations; it also gives you the data you will need for compliance. If you don’t use a directory service that is already integrated into your cloud infrastructure, make sure your IDaaS or alternative can also map into cloud infrastructure environments, for example by using federated identities instead of creating separate users. Strike a balance between over-restricting permissions (which limits productivity) and granting people too much access. Routinely review access and, as your company grows, establish mechanisms to ensure that personnel have their access reviewed when they change roles. Also, once you reach a suitable size (likely as small as a dozen people), don’t forget to formalize your termination process.
As a side note, there is much conflicting information today about passwords and password management. Much of this information is outdated and no longer applicable. When it comes to passwords, there are three things you should know:
- Length is the most important attribute. Discussions and guidance about “complexity” and “strength” are now outdated. The purpose of those requirements was to make a password harder to guess, and that is achieved more simply by requiring a length of at least 14, if not 16, characters. Along the same lines, encourage users to choose passphrases or word sets instead of passwords.
- Besides IDaaS, invest in a commercial password vault/manager solution. Something relatively inexpensive can provide a viable mechanism for protecting passwords. These tools also often allow password information to be shared securely (NOTE: password sharing is strongly discouraged, but we realize there are some cases where it must be done, such as securely archiving the AWS root credential in a place accessible to all authorized systems administrators). More expensive password vault solutions for servers, applications, and networks (often called privileged access management, or PAM, solutions) may also be useful as you grow.
- Ensure you have a human fail-safe for the most important systems. For example, ensure a two-key system of sorts for large financial transactions. There continue to be significant attacks on smaller organizations across multiple industries that attempt to trick personnel into making fraudulent wire transfers to criminals. Determine an appropriate threshold and then set up an out-of-band mechanism where suspicious attempts are independently verified.
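To make the first point above concrete, here is an added example (not code from the original post or from JumpCloud) that puts the outdated complexity rule next to a length-first rule and shows why generated passphrases get their strength from the word count and the size of the word list. The word list, the 8-character/three-class “legacy” rule and the 14/16-character thresholds are assumptions chosen for the example; the thresholds match the numbers in the text.

```python
import math
import re
import secrets

MIN_LENGTH = 14          # floor recommended in the text
PREFERRED_LENGTH = 16    # stronger target recommended in the text

# Constructed word list for the example only. A real deployment needs a large
# published dictionary (thousands of words); see words_needed() for why.
WORDLIST = ["anchor", "basil", "canyon", "delta", "ember", "falcon", "garnet",
            "harbor", "iris", "juniper", "kelp", "lantern", "maple", "nectar",
            "orbit", "pepper"]

CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def legacy_complexity_ok(password: str) -> bool:
    """The outdated rule (assumed form): 8+ characters from three of four classes."""
    classes = sum(bool(re.search(p, password)) for p in CLASS_PATTERNS)
    return len(password) >= 8 and classes >= 3


def length_policy_ok(password: str, min_length: int = MIN_LENGTH) -> bool:
    """Length-first rule: no character-class requirements, just a long secret."""
    return len(password) >= min_length


def meets_preferred_length(password: str) -> bool:
    return len(password) >= PREFERRED_LENGTH


def passphrase_entropy_bits(word_count: int, wordlist_size: int) -> float:
    """Guessing entropy of a passphrase whose words are chosen uniformly at random."""
    return word_count * math.log2(wordlist_size)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest word count that reaches target_bits for a list of the given size."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(words=WORDLIST, count: int = 4, sep: str = "-") -> str:
    """Random passphrase from the CSPRNG; strength depends only on len(words) and count."""
    return sep.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "correct horse battery staple"):
        print(f"{candidate!r}: complexity rule={legacy_complexity_ok(candidate)}, "
              f"length rule={length_policy_ok(candidate)}")
    print("words for 64 bits from a 7776-word list:", words_needed(64, 7776))
    print("words for 64 bits from this 16-word list:", words_needed(64, len(WORDLIST)))
    print("sample passphrase:", generate_passphrase())
```

The two sample candidates show the policies disagreeing in both directions: the short, symbol-heavy password satisfies the complexity rule and fails the length rule, while the long all-lowercase passphrase does the opposite. The `words_needed` call is the practical check before adopting a passphrase generator: a small list forces an unusably long phrase, so the list size matters as much as the word count.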
Security Architecture in Remote and Hybrid Environments
The traditional approach to security architecture is to look at protection, detection, and correction balanced against the business’s priorities around confidentiality, integrity, and availability. However, in this modern IT environment where almost everything is in the cloud, we often find that availability trumps everything, followed by confidentiality as needed, and then maybe integrity. Protection solutions are prevalent and easily deployed, but they reach a point of diminishing returns quickly.
Additionally, the ability to manage remote work is becoming integral to a business’s IT setup. Startups should prioritize the following when designing their IT architecture to accommodate remote work:
Facilitate Secure Network and Resource Access
Traditionally, VPNs have been the vehicle for remote access to a private network and its resources. They still work for many companies; however, the shift to cloud hosting is bringing cloud-based solutions to the forefront. Cloud directory platforms can secure direct resource access, over encrypted connections, using protocols like LDAP, RADIUS, SCIM, SAML, and OAuth, giving users access to all the resources they need.
Restrict and Regulate User Networks
Even when using a VPN or other encryption method, the user’s network still matters. For example, an unprotected network could grant bad actors visibility into a user’s activity, including confidential work and data. Create policies around remote WiFi use and use conditional access to heighten restrictions or deny access to resources from unprotected networks.
Automate Onboarding and Offboarding
Startups tend to experience rapid growth and frequent personnel changes, which call for a streamlined onboarding and offboarding process. Single sign-on (SSO) and just-in-time (JIT) provisioning accomplish this by automating onboarding and offboarding; users can be automatically provisioned access to the resources they need based on their assigned user group and then de-provisioned from everything at once with the click of a button. This helps speed up provisioning and prevent any loose ends after offboarding, which create serious security risks.
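The group-driven provisioning described above, together with the periodic access review and role-change review called for under the IAM takeaways earlier, can be modelled in a few lines. The following is an added example and not code from the original post or from JumpCloud: the group-to-resource mapping, the resource names and the 90-day review interval are constructed for illustration, and a real deployment would drive the same reconcile step through the directory’s or IdP’s provisioning API.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed mapping of user groups to the resources they entitle (hypothetical names).
GROUP_RESOURCES = {
    "everyone": {"email", "wiki", "chat"},
    "engineering": {"source-control", "ci", "cloud-dev-account"},
    "finance": {"erp", "bank-portal"},
}

REVIEW_INTERVAL_DAYS = 90   # assumed review cadence for this example


@dataclass
class User:
    name: str
    groups: set
    active: bool = True
    # resource -> date it was last granted or reauthorized
    entitlements: dict = field(default_factory=dict)


def desired_resources(groups) -> set:
    """Union of what every group entitles; an unknown group entitles nothing."""
    wanted = set()
    for group in groups:
        wanted |= GROUP_RESOURCES.get(group, set())
    return wanted


def reconcile(user: User, today: date, log: list) -> User:
    """Grant what the groups justify and revoke what they no longer justify.
    A deactivated user justifies nothing, so offboarding is a reconcile with active=False."""
    wanted = desired_resources(user.groups) if user.active else set()
    current = set(user.entitlements)
    for resource in sorted(wanted - current):
        user.entitlements[resource] = today
        log.append(f"{today} GRANT  {user.name} {resource}")
    for resource in sorted(current - wanted):
        del user.entitlements[resource]
        log.append(f"{today} REVOKE {user.name} {resource}")
    return user


def onboard(name: str, groups, today: date, log: list) -> User:
    return reconcile(User(name, set(groups)), today, log)


def change_role(user: User, new_groups, today: date, log: list) -> User:
    """Role change = new group set + reconcile, so old entitlements do not linger."""
    user.groups = set(new_groups)
    log.append(f"{today} ROLE   {user.name} {sorted(user.groups)}")
    return reconcile(user, today, log)


def offboard(user: User, today: date, log: list) -> User:
    user.active = False
    return reconcile(user, today, log)


def stale_entitlements(user: User, today: date, max_age_days: int = REVIEW_INTERVAL_DAYS) -> list:
    """Resources whose last (re)authorization is older than the review interval."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted(r for r, granted in user.entitlements.items() if granted < cutoff)


def reauthorize(user: User, resources, today: date, log: list) -> User:
    """Record a review outcome: the approver re-confirmed these entitlements today."""
    for resource in resources:
        if resource in user.entitlements:
            user.entitlements[resource] = today
            log.append(f"{today} REAUTH {user.name} {resource}")
    return user


if __name__ == "__main__":
    audit = []
    alice = onboard("alice", {"engineering", "everyone"}, date(2024, 1, 10), audit)
    change_role(alice, {"finance", "everyone"}, date(2024, 3, 1), audit)
    print("stale on 2024-05-01:", stale_entitlements(alice, date(2024, 5, 1)))
    offboard(alice, date(2024, 5, 2), audit)
    print("\n".join(audit))
```

The `log` list stands in for the audit trail the text asks for: every grant, revoke, role change and reauthorization is a line with a date, which is exactly the evidence an access review or a compliance audit asks for later.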
Implement Zero Trust Security
Enforce robust security regardless of an employee’s location with a layered, Zero Trust approach. Zero Trust Security acknowledges that the perimeter is now software-defined rather than bound by a physical office space, and calls for layers of software-driven security to protect resources from all attack vectors, regardless of their source location. Startups should implement Zero Trust Security with secure authentication/authorization protocols and layered security tools like multi-factor authentication (MFA) to trust nothing until its identity is verified.
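The conditional-access rule from the “Restrict and Regulate User Networks” section and the identity-first ordering of Zero Trust come together in a single policy decision. Below is an added example of such a decision function; it is not code from the original post or from JumpCloud. The trusted-network allowlist, the resource sensitivity tiers and the field names on the request are assumptions for the example (the IdP or conditional-access product would supply the real signals), and unlisted resources deliberately fail closed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed allowlist of networks the company treats as protected (office ranges,
# VPN address pool). Any other source is treated as an unprotected network.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("203.0.113.0/24")]

# Constructed resource classification. Anything not listed is handled as
# "critical" so that a forgotten entry cannot silently weaken the policy.
RESOURCE_SENSITIVITY = {
    "wiki": "low",
    "source-control": "high",
    "prod-console": "critical",
}


@dataclass
class AccessRequest:
    user: str
    source_ip: str
    resource: str
    mfa_verified: bool     # did the IdP complete a second factor for this session?
    device_managed: bool   # is the device enrolled and reporting compliant?


def on_trusted_network(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def evaluate(req: AccessRequest) -> tuple:
    """Return (decision, reason). Identity is verified before anything else;
    network and device posture then bound what the verified identity may reach."""
    if not req.mfa_verified:
        return "deny", "second factor not completed"
    sensitivity = RESOURCE_SENSITIVITY.get(req.resource, "critical")
    trusted = on_trusted_network(req.source_ip)
    if sensitivity == "low":
        return "allow", "low-sensitivity resource; identity verified"
    if sensitivity == "high":
        if req.device_managed or trusted:
            return "allow", "high-sensitivity resource from managed device or trusted network"
        return "deny", "high-sensitivity resource from unmanaged device on unprotected network"
    # critical, and anything unclassified
    if req.device_managed and trusted:
        return "allow", "critical resource from managed device on trusted network"
    return "deny", "critical resource requires managed device and trusted network"


if __name__ == "__main__":
    samples = [  # constructed requests
        AccessRequest("bob", "198.51.100.7", "wiki", True, False),
        AccessRequest("bob", "198.51.100.7", "source-control", True, False),
        AccessRequest("bob", "10.4.2.9", "source-control", True, False),
        AccessRequest("bob", "198.51.100.7", "prod-console", True, True),
        AccessRequest("bob", "10.4.2.9", "prod-console", False, True),
    ]
    for req in samples:
        decision, reason = evaluate(req)
        print(f"{req.user} {req.source_ip:>14} {req.resource:<15} -> {decision:<5} ({reason})")
```

Every outcome carries a reason string so the decision can be logged and explained to the user who was denied; an opaque deny is what drives people to work around the control.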
An alternative approach is to think about visibility (what can I see?), control (what control can I assert?), remediation (how do I fix things?), and response (how quickly can I intervene?). Applying these four principles across endpoints (comprised of servers, user devices, and mobile/IoT devices), networks, applications, and data, we can achieve a fairly interesting view into security architecture strategy, planning, and decision-making. Where this approach becomes particularly interesting is when we start finding tools and techniques that give us benefit in multiple areas (see table 1), such as endpoint security solutions that not only give us insight into endpoint activity, but also allow us to assert control over those devices, and further facilitate remediation and response (such as automated patching and collection of forensics data for investigations).
Optimize Your Security
Basic security hygiene is incredibly important, regardless of whether you’re in a traditional or cloud architecture, or whether in the office or remote. Seek solutions that will give you wins in multiple boxes and that will provide measurable value both today and in the future.
Startups can afford to be light on process, policy, and documentation, but don’t forget them completely. It’s especially important to ensure a reasonable level of formal process and control around access management. Leverage tools like directory services and federated identity (cloud IdP and IDaaS) to ease the burden of user and access management.
To learn more about securely enabling your workforce, watch our recent webinar with DoorDash’s system administrator, The Fine Art of Making Security Policies Palatable.
About the Authors
Note: Bios are as of the original e-book’s publication in 2017 and may not reflect current positions or work.
Alan Shimel, Founder and Editor-In-Chief of DevOps.com
An often-cited personality in the security and technology community and a sought-after speaker at industry and government events, Alan has helped build several successful technology companies by combining a strong business background with a deep knowledge of technology.
Rajat Bhargava, Co-Founder and CEO of JumpCloud
Rajat Bhargava is co-founder and CEO of JumpCloud, the first cloud directory platform. JumpCloud securely manages and connects employees’ identities to their systems, applications, files, and networks. An MIT graduate with over two decades of experience in industries including cloud, security, networking and IT, Rajat is an eight-time entrepreneur with five exits including two IPOs, three trade sales and three companies still private.
Ben Tomhave, Security Architect with New Context
Ben Tomhave is a Security Architect with New Context, a Lean Security company that automates the orchestration, governance, and protection of critical infrastructure and the industrial internet. He holds a MS in Engineering Management from The George Washington University and is a CISSP. He’s previously held positions with Gartner, AOL, Wells Fargo, ICSA Labs, LockPath, and Ernst & Young. He is former co-chair of the American Bar Association Information Security Committee, a senior member of ISSA, former board member for the Society of Information Risk Analysts, and former board member for the OWASP NoVA chapter. He is a published author and experienced public speaker, including engagements with the RSA Conference, MISTI, ISSA, Secure360, RVAsec, RMISC, DevOps Connect, as well as Gartner events.