"Anything out there is vulnerable to attack given enough time and resources." - Kevin Mitnick
Kevin's quote neatly summarises the value proposition for implementing security. It is a constant cat-and-mouse game, always trying to gain the upper hand against the bad guys. Attempting this in a Startup can be a real ordeal whilst also juggling building a product and forming a sturdy team. The principle to follow, therefore, is to implement enough security that targeting our infrastructure costs an attacker so much time and so many resources that they find it unfruitful.
Following our recent Bird.i Roundtable session on Cyber Security, we discussed what we believe to be the top five tips for a startup to follow. Your mileage may vary: depending on the security knowhow in your team, you may be able to bite off more or less than this list.
Top 5 Cyber-Security Tips for Startups
1. Follow Security Best Practices recommended for your Cloud Provider.
In this day and age, it is difficult to imagine building a product using bare-metal resources. The ease and financial benefits will always pull a company towards a Cloud Services provider. While Cloud services simplify a lot of work, security is still the responsibility of the company (the provider secures the underlying platform; what you deploy on it is yours to secure). But there is no need for panic, as the Cloud Services provider invariably publishes best practices for security. Amazon Web Services, for example, publishes a whitepaper on best practices for security in AWS. Other articles, papers and blog posts exist too. Invariably, these are written by people with sufficient expertise, and following them avoids re-inventing the wheel.
2. Implement 'low hanging fruit'
These could be anything from password rules and 2 Factor Authentication to a password manager for the company. At a minimum, the following resources will be used in a Startup:
a) A Mail service.
b) A communication service, typically Slack.
c) A workflow tool such as JIRA.
d) A Documentation tool such as Confluence.
e) Repository Management such as Github. Could be AWS CodeCommit too.
f) Cloud Service Provider such as AWS, Google Cloud or Microsoft Azure.
g) Social Networking tools such as Twitter, Facebook, LinkedIn, etc.
Depending on the company there could be more.
With time and company growth, enforcing password safety and rules will get difficult. Implementing established protocols and practices such as password complexity and lifetime, Multi Factor Authentication and a Password Manager for all employees will in the long run prove beneficial. Furthermore, implementing these does not take much effort or time, but their advantages are enormous.
3. Use the Secrets Manager that your Cloud provider offers.
Many Cloud Service providers offer a service that safely stores passwords and secrets, which can then be securely retrieved from code over TLS/SSL. This obviates the problem of storing secrets such as database passwords, connection strings and resource identifiers in configuration files or repositories. AWS, for example, offers a service called AWS Secrets Manager in which passwords can be stored and then retrieved from code over TLS. Further, these secrets can be rotated at a regular frequency, offering an added layer of security.
4. Design your architecture around the data
Do so after duly classifying the data into public, private and restricted. A corollary of the postulate "Algorithms + Data Structures = Programs" (courtesy of Niklaus Wirth) is the concept that Programs + Data = Product. Data forms the foundation of a company's existence, especially one that offers services. Security of data, particularly sensitive data, is not only critical, but loss of such data can harm a company's survival, reputation and finances. The best approach to mitigate such situations is to identify the classification of data even before creating it and then to make sure that it resides behind the appropriate safeguards.
5. Use your Cloud Provider’s Audit / Trail Tools.
One of the biggest advantages any Cloud Service Provider offers is scalability. Provisioning compute and storage resources is just a few button clicks. Rapid prototyping and development on the cloud means that very often security takes a back seat. It helps if regular audits are done to ensure that resources are safe and secure. One easy way to achieve this is to use your Cloud Provider's Audit / Trail tools. For example, AWS offers a service called Trusted Advisor that generates a report on possible security violations in the resources. These include very liberal firewall rules, open policies for data stores, absence of MFA for users, etc.
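As an added illustration (not code from the post or from AWS), the three checks named above written as a small offline audit: ingress rules open to 0.0.0.0/0 on non-web ports, bucket policies that allow any principal, and users with no MFA device. The input dicts are constructed here and only mirror the shape of the relevant AWS API responses; no account is queried.

```python
import json

# Constructed sample data modelled on the shape of EC2 describe_security_groups,
# S3 get_bucket_policy and IAM list_mfa_devices output (no real account or resource).
SECURITY_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443,
        "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-db", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432,
        "ToPort": 5432, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-admin", "IpPermissions": [{"IpProtocol": "-1",
        "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
]
BUCKET_POLICIES = {
    "public-assets": json.dumps({"Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject"}]}),
    "customer-data": json.dumps({"Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": "s3:GetObject"}]}),
}
USER_MFA_DEVICES = {"alice": ["arn:aws:iam::123456789012:mfa/alice"], "bob": []}

# Ports a startup usually expects to expose to the Internet; anything else
# reachable from 0.0.0.0/0 is treated as a "very liberal firewall rule".
PUBLIC_OK_PORTS = {80, 443}

def open_firewall_rules(groups):
    """Return (group id, port) for ingress rules open to the whole Internet."""
    findings = []
    for g in groups:
        for p in g["IpPermissions"]:
            world = any(r["CidrIp"] == "0.0.0.0/0" for r in p.get("IpRanges", []))
            port = p.get("FromPort", "all")  # protocol "-1" carries no port range
            if world and port not in PUBLIC_OK_PORTS:
                findings.append((g["GroupId"], port))
    return findings

def open_bucket_policies(policies):
    """Return buckets whose policy grants access to any principal."""
    findings = []
    for name, doc in policies.items():
        for st in json.loads(doc).get("Statement", []):
            pr = st.get("Principal")
            if st.get("Effect") == "Allow" and pr in ("*", {"AWS": "*"}):
                findings.append(name)
    return findings

def users_without_mfa(devices_by_user):
    """Return users that have no MFA device registered."""
    return sorted(u for u, devs in devices_by_user.items() if not devs)
```

On the constructed data this flags the database group open to the world on 5432, the public-assets bucket, and the user bob; in practice the same functions would be fed the real API responses.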
This list is by no means exhaustive; it has been arrived at after weighing the challenge a startup faces in balancing product development against security. The list encompasses security measures that can be implemented easily. No doubt, more tips could be added to this list!
If you’re a start-up and interested in finding out more about our roundtable discussions or would like to join our next one, contact us here!