<h1>A Security Checklist for Your Startup</h1>

<p>Published 2021-07-16 (last modified 2024-01-29) at https://jumpcloud.com/blog/security-checklist-startup</p>

<p>In today’s business environment, where workforces are mobile and the most important data is stored in the cloud, security is paramount. This is especially true for startups because they change quickly, are often working with fewer resources and less specialized personnel than their more established counterparts, and are operating with a relatively small budget.</p>

<p>Despite these challenges, however, startups’ newness can also play to their advantage: they’re generally less entrenched in legacy equipment and processes than large, established companies. This gives startups a fairly blank slate to build an IT infrastructure that’s <em>optimal</em> rather than <em>convenient</em>, and their size and modernity give them the nimbleness they need to pivot quickly and execute on initiatives effectively.</p>

<p>One critical part of building the optimal IT infrastructure is developing a comprehensive and strategic security plan. This checklist is not all-encompassing; individual processes, equipment, goals, and other factors will influence each company’s security needs. However, it does provide a solid foundation for building an effective startup security plan.</p>

<h2>Control User Access to IT Resources</h2>

<p>One of the most critical parts of any security strategy is to control user access to all the IT resources within your infrastructure. This includes devices and equipment, applications, files (in cloud storage or on a NAS), network(s), data and databases, reporting and analytics, and more.</p>

<p>The most effective way to control user access to the resources they need is with a robust IAM program. The ideal IAM program for a startup includes:</p>

<p>Your IAM solution should be able to manage users that are in the office, mobile, and remote. Even if your startup is fully office-based (or will go back to it after the pandemic subsides), having the flexibility to pivot to a hybrid model, or even enable fully remote work, only improves efficiency and builds agility into your organization’s core operating model.</p>

<h2>Securing Users</h2>

<p>In addition to choosing an IAM solution with the above capabilities, startups should follow user security best practices:</p>

<p><em>For a full list of recommended policies, read our in-depth blog on password security best practices.</em></p>

<p><em>Read our LDAP security blog to learn more.</em></p>

<h3>Making User Security Possible with Tooling</h3>

<p>All too often, organizations end up creating mini-directories rather than a central directory service that integrates with everything in the infrastructure. Such a piecemeal IAM approach makes provisioning, deprovisioning, modifying, and securing user access challenging and inconsistent.</p>

<p>Fortunately, startups aren’t bogged down by the legacy technology that keeps longer-standing companies tethered to inefficient solutions. Modern cloud directory services provide all of the user control needed to keep user identities secure; however, many large companies are too entrenched in older, on-prem solutions like Microsoft Active Directory (AD or MAD) to make the switch to a cloud-based platform. As a startup, take advantage of your minimal on-prem infrastructure and look into starting off on the right foot with a cloud directory platform.</p>

<h4>Securing Devices</h4>

<p><em>Consult our recent blog for a full run-down of recommended BYOD security policies.</em></p>

<p>Fortunately, some MDM tools can implement and manage essentially all of the security configurations on network-connected devices. Better yet, cloud directory platforms can combine IAM with MDM to create a cohesive ecosystem that unifies and manages users and their devices, regardless of operating system or location.</p>

<h4>Securing the Network</h4>

<p>Remote, mobile, and hybrid work have expanded traditional ideas of the network and perimeter, transitioning from brick-and-mortar boundaries to software-defined ones. This calls for tighter, software-driven (versus physical, location-based) security when it comes to network access and use. For WiFi, the SSID-and-passphrase approach is not enough; WiFi access needs to be connected to the core directory service via RADIUS to create unique, per-user access. For remote workers, secure connections to the network and resources are a must, and companies need to make sure they’re protecting their central network with modern, reliable safeguards that can block all foreseeable attack vectors.</p>

<h2>Securing Resources and Data</h2>

<p>Traditional directories like AD are restricted when it comes to providing resource access; they’re either bound to on-prem, Microsoft-centric models, or they require several add-ons and integrations to expand their reach (e.g. SSO, MDM, MFA, IGA, PAM, and more). JumpCloud, on the other hand, can facilitate and secure access to virtually all of your IT resources. JumpCloud is a cloud platform that uses secure protocols like SAML and LDAP, SSH and PKI keys, SSO, encryption, and more to facilitate users’ secure access to all the tools they need in a remote, hybrid, or on-prem environment.</p>

<h2>Train Your Staff</h2>

<p>Your organization’s staff is often the weakest link in your security strategy. Many of the common human-driven security risks — like shadow IT, credential sharing, poor responses to phishing attacks, and others — can be avoided with training.</p>

<p>When developing training, remember that not all end users have the same level of technical knowledge as your IT team. Eliminate any background information that isn’t necessary for users to understand what’s expected of them, and center training around what to do and what not to do. Use graphics and imagery where needed to help orient users — if you require MFA, for example, take screenshots of the steps in action so they know what to expect the first time they do it. Any configuration requirements you need users to implement themselves are always best communicated with instructions and UI screenshots.</p>

<p>Not sure where to start? Run through this checklist and consider which elements IT admins can configure and control, and which require actions or understanding from the user. Compile those that involve the user and use those items as a starting point for your training content.</p>

<p>At a minimum, your security training should include:</p>

<p><em>For more information on startup security training, read our blog, Security for Startups: Securing Employees and Devices in Remote and Hybrid Workspaces.</em></p>

<h2>Follow Zero Trust Security Principles</h2>

<p>Zero Trust Security is a security approach that addresses the new “perimeter-less” business environment by trusting nothing and verifying everything. With Zero Trust, security is software-driven and layered, and authorization is only granted once the identity, device, and network path have all been proven safe via multiple layers of security. Zero Trust is becoming more widely adopted as traditional security methods continue to fall short in the face of new and developing threats.</p>

<p>MFA is a critical component of Zero Trust Security; for this reason, we included MFA as a recommendation in every section of this checklist. One factor should never be enough for authentication to access IT resources.</p>

<p>Different tools can help reduce the friction MFA creates so that users stay fully productive. Conditional access can either heighten or relax security measures based on the conditions of an attempted login: if a user is confirmed to be logging in with their assigned device on a recognized network, those factors can act as verification and allow the user to skip the MFA step. Alternatively, if a user logs in from public WiFi, they may be required to complete additional security steps or be denied access until they log in through a different network or VPN.</p>

<p>Other tools, like push notifications, significantly reduce MFA friction by making the second step as easy as tapping a button on the user’s phone. Biometrics on a user’s device, like facial recognition and fingerprints, also make MFA steps fast and easy without reducing their security.</p>

<p><em>Read Get Zero Trust Ready with JumpCloud Conditional Access for more information about conditional access and Zero Trust.</em></p>

<h2>Start Off on the Right Foot</h2>

<p>The best way to keep all of the factors above — users, devices, networks, and resources — unified and secure is with a core directory. Microsoft Active Directory has been a popular directory choice for decades; however, it isn’t evolving as quickly as the world around it. New, modern companies (especially startups) are increasingly opting for a cloud directory platform instead of AD’s on-prem one and Microsoft’s AD extension solution, Azure AD, for a few reasons:</p>