1. Embrace Single Sign-On (SSO)
SSO simplifies access and enhances security. Decide on an IdP (Identity Provider) early on and use that provider with every vendor your business integrates with. Some examples of IdPs are Google Workspace, Auth0 and Microsoft just to name a few.
2. Insist on Multi-Factor Authentication (MFA)
Implement MFA wherever possible, avoiding SMS-based methods due to their vulnerability to SIM swapping attacks. For enhanced security, consider hardware factor authentication options such as biometric scanners, including Touch ID or fingerprint recognition, and physical security keys like YubiKey.
- Add Multi-Factor Auth to Google Workspace
- Add Multi-Factor Auth to AWS
- Add Multi-Factor Auth to Microsoft Azure
3. Infrastructure as Code
Build your cloud infrastructure with tools like Terraform or OpenTofu as early as possible. Managing your cloud infrastructure as code will allow for peer review and easier spotting of insecure configurations. Remember, the more eyes on your code the better.
Most major cloud providers have officially supported providers:
⚛️ Extra Credit: Bonus points if you can automate your Infrastructure as Code pipeline with a tool such as Spacelift, Atlantis, Env0 or Terraform Cloud. Double bonus points if you use a plan policy to block insecure configurations from being applied.
4. Manage Your Secrets
Employee Secrets
A team-based password manager is essential. Instruct all employees to put credentials to any business related account into the password manager. It is imperative that all employees follow this practice, even the founders. This prevents situations where the business can be bottlenecked due to an employees exit or sudden unavailability.
Password managers we like:
Application Secrets
Sooner or later you will find yourself with the need to store a secret for your application to function. Figuring out a pattern that works for your team at the right stage is the key to making your life easier down the line. The below list is not comprehensive but will get you started in the right direction on any major cloud provider.
A few ways to store secrets:
💡 Operational Tip:
You will want to practice rotating these secrets. It is a matter of when not if you will have to perform this in response to an incident. Think of it like a fire ladder. You do not want to test a fire ladder for the first time when there is a real fire.
5. Know Your Vendors
Keep vendor management straightforward by categorizing them based on the level of risk and conducting basic due diligence. This step doesn’t need to be complicated, a spreadsheet of all known vendors and what kind of data they handle for the business will suffice to start.
- Remember: For high-risk vendors such as HR or Payroll, verify their security posture through documentation like SOC 2 and ISO 27001. They expect you to ask for this. Review it and flag any concerns before sharing any sensitive data.
6. Prioritize Software Updates
Keep browsers, operating systems, and servers updated, especially concerning known vulnerabilities. Most of the endpoint software will update itself or tell you when its ready. Maintain good hygiene around local updates and you can reduce a lot of risk here.
However, most of your cloud infrastructure won’t tell you when it needs an update. For this reason, it is important to keep the Shared Responsibility Model (GCP/AWS) in mind. Simply put, the Shared Responsibility model is how much security responsibility you have on your shoulders as the customer. How you design your infrastructure and the choices you make here directly influence how much responsibility you end up with.
🏛️ Architecture Example 1: Lets say we have a new product proof of concept. If we choose a Cloud Function (FaaS); it may have some technical limitations but it has the benefit of minimal maintenance overhead. You won’t have to worry about updating the Operating System for the Cloud Function. You can focus most of your time refining the proof of concept to deliver maximum value to your customers.
🏛️ Architecture Example 2: Now lets take that same example and deploy the same proof of concept to a Google Compute Engine instance (IaaS). We’ll have to spin up the instance, install the programming language interpreter, libraries, etc. We’ll be on the hook for the operating system and kernel updates as well. In this architecture, we’ll spend more time maintaining the system than refining product features and finding new customers. This may be an OK tradeoff to make but it entirely depends on your businesses stage.
💡 Operational Tip:
If you store your source code on Github, you can enable dependabot which will notify you if a vulnerable library is detected in your application.
7. Regular Security Training and Awareness
For resource-strapped startups, fostering a culture of security is crucial. Begin by focusing on the most impactful training that doesn’t strain your budget.
Key Focus Areas
- Phishing Defense: Start with training to recognize and avoid phishing attempts, as these are common and potentially devastating attacks.
- Password Hygiene: Emphasize creating strong passwords and using password management tools, since compromised credentials are a frequent attack vector.
Actionable Training Suggestions
- Lunch and Learn Sessions: Conduct informal training sessions over lunch, led by team members who can share their knowledge.
- Online Resources: Utilize free online courses and materials from reputable sources for structured learning.
- Real-world Examples: Discuss recent security breaches relevant to your industry to illustrate the importance of vigilance.
- Regular Reminders: Send out monthly email tips on security best practices to keep the team engaged and informed.
By prioritizing the most critical training areas and using cost-effective methods, even bootstrapped startups can significantly improve their security posture.
8. Proactively Hunt for Security Bugs
Schedule annual penetration tests and create channels for responsible disclosure, such as a dedicated email, to welcome reports from ethical hackers. Be prepared to respond to researchers and triage their reports.
Keep in mind, some researchers are just starting out so they may think something is an issue but it’s not. Conversely, you may find yourself handling a report from a seasoned researcher who can teach you things in just a few hours by reproducing their report.
- Caution: Be alert to extortion attempts disguised as bug reports.
9. Stay Informed with Security Alerts
Use tools like AWS GuardDuty or Google’s Security Command Center for security alerts without overwhelming yourself. Focus on actionable alerts to avoid fatigue.
By embedding these steps into your businesses engineering culture, you’ll not only bolster your security but also prepare your business for scalable and safe growth.
Ready to Secure Your Business?
Implementing a comprehensive security program may seem daunting, especially when resources are tight. But you don’t have to do it alone.
Lean on Our Expertise
Our team is ready to help you build a security program that not only protects your business but also supports your growth. Here’s what we offer:
- Customized Security Strategies: Tailored to fit the unique needs and constraints of your startup or small business.
- Hands-On Assistance: From policy creation to implementation, we guide you every step of the way.
- Ongoing Support: As your business evolves, so will your security needs. We’re here to provide the support you need to stay safe.
Get Started Today
Don’t wait for a security breach to realize the value of a solid security program. Contact us now and let’s secure your business together.