By definition, startups are entrepreneurial ventures in the form of a company, partnership, or temporary organization designed to search for a repeatable and scalable business model. Most startups have tons of promise and potential, even though they begin under conditions of extreme uncertainty. However, lean resources and aggressive goals can create challenging environments that, without the right precautions, policies, and solutions in place, could cultivate significant security risk. Further, as the business standard moves from on-prem to the cloud and from the office to a work-from-anywhere model, startups need to pay special attention to their cloud infrastructure and application security.
In this blog, we’ll cover the critical components of securing a startup with a focus on application and cloud infrastructure (think AWS, GCP, Azure) security. We’ll start by exploring the challenges startups face today, then dive into the practices and solutions that can prepare startups to tackle them head-on.
(For a deeper look into securing users, devices, and remote workspaces for startups, check out our companion startup security blog).
Startup Security Challenges
Startups have to execute and work fast to create product/market fit, which means building, measuring, and iterating on the value that their products and services offer without the resources of a fully fledged enterprise to accomplish that learning. For startups, that means tighter budgets, a smaller workforce, and less specialized roles, since there is so much to do. And because startups haven’t been around a long time, they usually haven’t established well-worn processes that help them execute on critical tasks. Therein lies the conundrum for startups: they must secure their organization while managing everything else. Of course, the attitude is often, “If we don’t succeed there won’t be much to secure,” which is typically why security takes a back seat. But in today’s market environment, security and privacy are as core to a startup’s success as its product or service.
Security for Startups Leveraging the Cloud
The IT industry’s shift toward cloud-based services and low-cost solutions is empowering many entrepreneurs to establish their own startups. Amazon Web Services (AWS), for example, let emerging companies stretch their resources further by renting computing infrastructure and paying only for what they needed, which usually amounts to a fraction of the comparable on-prem cost. Now, with cloud infrastructure and web applications becoming the new business standard, the cost of starting a business is lower than it has ever been.
However, just because starting a company has become more accessible doesn’t mean it carries less risk: with the power of cloud computing, storage, and services comes the responsibility of security. Cloud infrastructure providers only go so far with their security measures; customers should do their due diligence to check cloud providers’ security policies and either customize or supplement them to meet their organization’s security standards. Virtually every cloud infrastructure provider and SaaS platform conducts business under a shared security model: some aspects are covered by the provider and many others are the customer’s responsibility. Every startup should know and execute on its side of those security requirements.
The Keys to Getting Cloud Infrastructure Security on Lockdown
Configure Security Groups
An important first step in protecting your cloud infrastructure is configuring the firewall and network appropriately. AWS calls this function Security Groups, but just about every IaaS provider has equivalent functionality. Make sure that you lock down inbound and outbound access to the most restrictive policy that works for your application and organization. You’ll want to make sure that every server that you spin up is behind the firewall and appropriately networked. It is easy to forget a server, leaving it unprotected on the public internet. Ideally, you’ll also have VPN access to the cloud infrastructure with restrictions such as certificate-based access or even IP/geolocation requirements to continue to level up security.
Trust us — even the most recent operating system images can need patches. Make sure that all of your servers and applications are up to date. Out-of-date servers (especially internet-connected ones) are highly susceptible to attack; they can be targeted by automated techniques that scan for (and exploit) known vulnerabilities, or fall to a zero-day exploit previously unknown to the manufacturer or public. Some cloud providers offer patching services, and we recommend supplementing with SaaS-based patching services like those from JumpCloud, which offers patching for virtual servers, virtual machines (VMs), and third-party solutions.
Tightly Control User Access
Cloud infrastructure security depends heavily on precise and tightly controlled user access. A central user management system, such as the JumpCloud Directory Platform, can solve this problem by managing who can access your Windows, Linux, or Mac systems (although Macs are less likely to be cloud servers). Users can be required to use complex passwords, SSH keys, or multi-factor authentication (MFA) to gain entry to the server infrastructure.
No matter how you manage credentialed access, the principles of least privilege should always apply. This can be challenging in a startup environment, where a small set of engineers, developers, or contractors may share accounts or be given full sudo (or admin) to maintain speed. However, the extra time spent determining who should have access to what and at what level could mean the difference between a security incident and a full-blown breach. With AWS SSO and AWS IAM solutions often being leveraged for access to various cloud infrastructure components, make sure that your users are designated with the right roles and permissions. Integrating a cloud directory with AWS SSO or AWS IAM is critical to having full control over user access to IT resources. Detailed logging of all user access is also a must in today’s compliance-heavy environments.
Encrypt Data at Rest
If possible, it’s best to secure data at rest with encryption. Different providers offer different levels and types of encryption, and the highest security encryption isn’t always enabled by default. Check your provider’s encryption policies and offerings; if they don’t meet your organization’s needs, there is a wide variety of tools and systems that can help you encrypt your data stored in the cloud.
Establish Secure Communication
In addition to at-rest encryption, you’ll need to protect your data in transit. For example, if your servers communicate with each other from behind different firewalls, you’ll want to make sure that there is secure communication between all of your components. This may be accomplished through VPNs or other mechanisms for encrypting data in transit. Whichever solution you choose, make sure it reliably secures traffic on the public internet.
Securing Your Applications
Many of the applications organizations use house critical data, and with startups increasingly building their infrastructure in the cloud, both cloud-hosted and on-prem applications need to be heavily secured and tightly provisioned. Perhaps the number one area to look at with applications is user access, which is discussed in more detail below: ensure that the right people have the right levels of access and then force them to use MFA to ensure that user access isn’t hijacked.
For robust and reliable application security that addresses both on-prem and cloud-hosted applications, consider the following key security elements.
Critical Elements of Application Security Protocols
Controlling user access to applications and effective user lifecycle management are some of the most important aspects of security in a growing startup. The modern organization now stores its critical data in several different locations: For example, a startup might store its source code in GitHub, customer data in Salesforce, and financials in Xero. In an environment where the crown jewels are stored in disparate locations, organizations need to be extremely restrictive and diligent about who they grant application access to.
Connecting user access to your core directory service can make the user lifecycle management process much simpler and more secure. Look for a directory service that can attribute roles to each user and intelligently provision application access and security policies based on that user data. Context also matters, and innovative organizations are leveraging conditional access techniques to ensure that access to critical web applications is verified and secure based on identity, device, network, and least privilege access.
The JumpCloud Directory Platform, for example, combines identity and access management (IAM) with customizable security policies, application integrations, single sign-on (SSO), and OS-agnostic device management. This allows companies to specify each user’s permission levels, automatically provision applications based on those permission levels, and enforce security policies — all while offering a seamless user experience. With JumpCloud’s conditional access policies, IT organizations can enforce access from corporate devices, on networks they know and trust, and require MFA among other policies.
No Shared Access
Shared access is a common issue in startups. Often, this occurs in an attempt to save on licensing costs or as the result of shadow IT; to move quickly and efficiently, employees at startups sometimes leverage solutions without involving IT (or they may not have a designated IT department to regulate application use). However, the cost or time-saving benefits don’t outweigh the risk of sharing credentials.
The reason passwords have served as the reigning access factor for decades is that they are presumed to be a secret known only to the user; thus, sharing a password by nature compromises the account’s security. Additionally, as soon as this happens, tracking with certainty who has access to the credentials becomes nearly impossible. Organizations should never cut corners by skimping on licensing or allowing users to share accounts with one another, especially when it comes to access to cloud infrastructure such as AWS or web applications.
However, despite a widespread understanding of the importance of password best practices, many users still do not follow them. This, coupled with hackers’ increasing sophistication in password cracking, drives a need for a more sophisticated login solution than a password alone. Many businesses are turning to a multi-factor approach.
Whenever possible, MFA should be turned on. This is a huge improvement in securing data as it requires a hacker (or anyone trying to infiltrate the system) to not only compromise a user’s password, but also have timely access to a second factor that’s proprietary to the user (often their personal smartphone or tablet). Many systems and applications have the option to enable MFA; for those that don’t, SSO solutions can apply MFA to all of a user’s applications with one secure login. Many MFA solutions are getting easier and easier for end users to leverage, with often just a button to click on a mobile phone as the second factor.
Eliminate Old Accounts
Retaining unused and unattended accounts is one of the top ways organizations are compromised. In fact, a recent study showed that 48% of former employees had continued access to at least some of their former organization’s IT resources. Not only are old credentials a security risk, but they are also a major compliance issue.
Applications today are a core part of every organization, and controlling access to them is one of the most important components of security for any startup. Cloud directory platforms drastically reduce the risk of leaving accounts open and unattended through fast, integrated offboarding. When one overarching directory platform manages all of a user’s applications, you can deprovision them all at once for swift and secure offboarding. Reporting and analytics solutions can also highlight old accounts that remain on systems and need to be removed.
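The MFA and old-account checks described above can be run against AWS IAM directly. The following added example (not from the original post or any vendor's product) reads a CSV using a subset of the columns in the AWS IAM credential report and flags console users without MFA and credentials that have gone unused; the user names, dates, and the 90-day threshold are constructed assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample using a subset of the AWS IAM credential report columns.
REPORT = """user,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date
alice,true,2024-05-28T09:12:00+00:00,true,false,N/A
bob,true,2023-11-02T17:40:00+00:00,false,true,2023-10-30T08:00:00+00:00
ci-deploy,false,N/A,false,true,2024-05-30T23:59:00+00:00
carol,true,no_information,false,false,N/A
"""

def parse_ts(value):
    """Timestamps are ISO 8601; 'N/A' and 'no_information' mean never used."""
    if value in ("N/A", "no_information", ""):
        return None
    return datetime.fromisoformat(value)

def review(report_csv, now, max_idle_days=90):
    """Return {user: [issues]} for stale credentials and console users without MFA."""
    cutoff = now - timedelta(days=max_idle_days)
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        issues = []
        has_password = row["password_enabled"] == "true"
        has_key = row["access_key_1_active"] == "true"
        if has_password and row["mfa_active"] != "true":
            issues.append("console password without MFA")
        # Only credentials that are still enabled count as possible activity.
        used = [parse_ts(row["password_last_used"]) if has_password else None,
                parse_ts(row["access_key_1_last_used_date"]) if has_key else None]
        used = [t for t in used if t is not None]
        # Stale: an enabled credential exists, but none was used since the cutoff.
        if (has_password or has_key) and (not used or max(used) < cutoff):
            issues.append(f"no credential use in {max_idle_days} days")
        if issues:
            findings[row["user"]] = issues
    return findings

if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed date for the sample
    for user, issues in review(REPORT, now).items():
        print(user, issues)
```

A never-used account is reported as stale regardless of age, so compare against the report's `user_creation_time` column before deprovisioning a recent hire.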
Successful Startups: Core Security Steps Deliver a Net Positive
Nowadays, customers see security as a differentiator; it’s not uncommon for prospects to ask startups how they secure themselves and their customers’ data as well as what compliance standards they follow. Strong security can be a net positive for the business rather than the perceived net negative cost of maintaining security.
As a high-growth security-focused startup shifting into a late stage growth business, we’ve experienced the challenges that come with building a business firsthand, which is why we’re constantly analyzing processes and best practices. To further explore startup security, we’ve broken down the essentials of user, endpoint, and remote or hybrid office security for startups in a companion blog – read Security for Startups: Securing Employees and Devices in Remote and Hybrid Workplaces for a deeper look into the human side of startup security as you continue growing your venture.