Note: This is the third installment in a blog series on startup security in a DevOps world (read the first here and the second here). This series is an adaptation of an e-book published in 2017, which was originally contributed to by JumpCloud CEO Rajat Bhargava and guest contributors Alan Shimel and Ben Tomhave. See their bios below.
Startups are no stranger to being lean. In fact, as a startup, you may be intently focused on building and selling that MVP (minimum viable product). However, don’t forget about other key tenets of the lean movement, such as fostering a cooperative environment that creates a generative culture of which security is an inherent, emergent property. Putting value on respectfulness, mindfulness, and cooperation means that everyone has a shared responsibility for your startup’s success, which includes ensuring the security of your systems, networks, applications, data, and people (both personnel and customers).
Beyond technical practices, there are a handful of soft-skill practices that are universally important and applicable, especially for startups operating under the DevOps model. This blog focuses on some of these non-technical practice areas.
Security Awareness Programs
Many people associate security awareness programs with anti-phishing testing, new hire training, and poster programs. While there isn’t anything inherently wrong with using these practices, they often have limited tangible value because they aren’t incorporated into standard business culture and practices, and they often lack reasonable measurements and objectives for modifying human behavior.
Startups should absolutely invest in awareness programs, but consider focusing yours on changing behaviors and measuring results to determine positive impact. Awareness programs may focus on improving decisions overall or promulgating specific practices or tool usage (like supporting a password manager deployment or improving cross-team collaboration and cooperation). Use your awareness program to help grow the culture you want within your organization.
Security Training Programs
Security training programs are distinctly separate from awareness programs. There may be some overlap, but understand that training is about the delivery of specific information through a variety of formats.
As noted in the previous section, training programs should have a specific, measurable objective being addressed. That objective may be to improve code quality, reduce security incidents, or teach how to get the most value from new or existing tools. Don’t forget to evaluate a variety of training delivery methods and to measure not just the efficacy of a training program but also people’s attitudes and perceptions about it. Lastly, ensure that you’re not punishing people (such as by not accommodating deadlines) for attending the training you’ve required them to take.
Training for Physical Security
For startups with an office space, employees’ awareness of their surroundings is critical. While the office may be small or shared, knowing who should be in the office is important. If a stranger is in the office, employees should know to ask them why they are there. Hackers will often try the old technique of masquerading as an employee or a visitor.
Many offices have some sort of physical access control, either through a key, fob, or card access system. Consider investing in a digital solution that logs who enters and exits, so that unsolicited visitors (such as the in-person social engineers described above) can be traced. Video cameras are also advisable for monitoring your equipment and materials; some cameras are intelligent and network-connected, so they can alert you to after-hours activity and save footage in the cloud.
Just as you would only assign administrative privileges to a select few people, you should keep any on-prem server room tightly restricted and monitored. If your organization still has on-prem servers, keep them locked up, only grant access to people who need it, and keep track of who has that access.
(As a note, organizations that have the flexibility to move off of on-prem servers might consider doing so. A cloud-based environment allows for more flexibility, both for your workforce and network architecture. Even directory services can be moved to the cloud for a unified IAM approach despite a decentralized workforce.)
Lastly, WiFi security should not just be an SSID and passphrase; a single shared passphrase is simply too easy to compromise. Each user should authenticate to the WiFi network individually through an authentication system like RADIUS. RADIUS eliminates the problems that shared network credentials pose (like writing the WiFi password on the office whiteboard), because one person’s access can be granted or revoked without affecting anyone else. Ideally, RADIUS should integrate with the user directory to streamline user data and maintain one central repository system.
For an additional layer of protection, create a separate guest VLAN with restricted access to ensure security while providing a positive user experience.
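As an added illustration (not part of the original post, and not JumpCloud’s own configuration), here is the shared-passphrase hostapd setting the post warns against beside a WPA2-Enterprise setup that hands every association to a RADIUS server and lets that server place guests on a restricted VLAN. The interface names, SSID, IP addresses, file path and secrets are placeholder assumptions.

```ini
# ===== Weak: one passphrase shared by everyone (the whiteboard problem) =====
# Revoking a single departed employee means rotating the secret for all users.
interface=wlan0
driver=nl80211
ssid=startup-office
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
# placeholder value
wpa_passphrase=CHANGE-ME-shared-passphrase

# ===== Per-user: WPA2-Enterprise, each client authenticated by RADIUS =====
interface=wlan0
driver=nl80211
ssid=startup-office
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
# hostapd relays EAP to the external RADIUS server; it runs no EAP server itself
eap_server=0
# placeholder addresses: the AP and a RADIUS server backed by the user directory
own_ip_addr=192.0.2.10
auth_server_addr=192.0.2.20
auth_server_port=1812
auth_server_shared_secret=CHANGE-ME-radius-secret
# Accounting gives a per-user join/leave record for the network
acct_server_addr=192.0.2.20
acct_server_port=1813
acct_server_shared_secret=CHANGE-ME-radius-secret
# Allow the RADIUS server to assign a VLAN per user (e.g. a restricted guest VLAN)
dynamic_vlan=1
vlan_tagged_interface=eth0
vlan_file=/etc/hostapd/hostapd.vlan
```

For the VLAN assignment to take effect, the RADIUS server must return the standard Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes for the user, and the referenced hostapd.vlan file must map VLAN IDs to interfaces.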
Measuring for Success
As a lean startup, everything you do should be for a purpose. That purpose should be reasonably well defined and understood, and you should have a means of determining whether or not that purpose has been achieved and is delivering value as hoped.
The same is true for security. For all the discussion here about security practices for startups in a DevOps world, the bottom line is that there is tremendous opportunity to boost efficiency and effectiveness while also improving security practices. Instilling a core value around measurement within your organizational culture will help set the bar high for further decisions and investments.
Cooperation and Generative Culture
Another key cultural value that will greatly benefit your startup is establishing, fostering, and growing a sense of cooperation that transcends roles and responsibilities. The only way security initiatives will persist and be successful within your company is if you make it everyone’s duty to ensure endpoints, networks, applications, data, and people are reasonably secure. Orienting around this shared value of cooperation will lead to what is termed a generative culture, meaning that these values will not only exist today when you’re lean and hungry, but they will promulgate with your organization as you grow from 10 to 100 to 1000 people and beyond.
Next Steps: Getting Security Policies Right
We know these are just the foundational elements of a robust startup security plan. As you build out your security program, you’ll need to dig into the specifics of your security policies to strike a balance between security and usability. As a security company with a high-growth DevOps mindset ourselves, JumpCloud recently sat down with DoorDash’s system administrator to learn how they implemented their security program. Watch the free webinar for more security insights you can apply to your startup.
About the Authors
Note: Bios are as of the original e-book’s publication in 2017 and may not reflect current positions or work.
Rajat Bhargava, Co-Founder and CEO of JumpCloud
Rajat Bhargava is co-founder and CEO of JumpCloud, the first cloud directory platform. JumpCloud securely manages and connects employees’ identities to their systems, applications, files, and networks. An MIT graduate with over two decades of experience in industries including cloud, security, networking and IT, Rajat is an eight-time entrepreneur with five exits including two IPOs, three trade sales and three companies still private.
Ben Tomhave, Security Architect with New Context
Ben Tomhave is a Security Architect with New Context, a Lean Security company that automates the orchestration, governance, and protection of critical infrastructure and the industrial internet. He holds a MS in Engineering Management from The George Washington University and is a CISSP. He’s previously held positions with Gartner, AOL, Wells Fargo, ICSA Labs, LockPath, and Ernst & Young. He is former co-chair of the American Bar Association Information Security Committee, a senior member of ISSA, former board member for the Society of Information Risk Analysts, and former board member for the OWASP NoVA chapter. He is a published author and experienced public speaker, including engagements with the RSA Conference, MISTI, ISSA, Secure360, RVAsec, RMISC, DevOps Connect, as well as Gartner events.
Alan Shimel, Founder and Editor-In-Chief of DevOps.com
An often-cited personality in the security and technology community and a sought-after speaker at industry and government events, Alan has helped build several successful technology companies by combining a strong business background with a deep knowledge of technology.