How to Start Up Your Cloud Security
Startups may think they can postpone implementing a cloud security program but should in fact take early action - here’s why, and easy steps for doing so.
Until recently, cloud security was not a top priority for startups. With so many balls in the air -- from urgent focus on product, engineering, financing, legal and more -- company founders tended to push security to a later stage. They aimed to get to it after the next round of funding or, upon realizing they needed to be compliant, before an IPO.
But the technology landscape has changed. The growing incidence of cyberattacks and increasing customer awareness of security and privacy are driving startups to take action sooner. Doing so is a play for both the long-term and short-term. In the long-term, investing in security early saves time and resources later -- not to mention protecting the organization and its unique resources. In the short-term, proving compliance or the ability to secure data can make or break a deal. In the early stages of a new company, such deals can have a huge impact on the business and its ability to thrive.
In this article, we take you - founders, leadership and advisors to startups - through the main security issues that we recommend you act on to ensure your business scales with success.
This blog post is based on a recent cloud security webinar with Chris Castaldo, CISO at Crossbeam and author of the book Start-Up Secure: Baking Cybersecurity into Your Company from Founding to Exit.
Getting Started: Adding a Security Expert to Your Founding Team
A startup founding team often finds itself doing everything, including sales, contract management and partner discussions. Security isn’t on the list because, until today, it wasn’t considered a basic requirement. As a result, founding teams typically do not deal with security, let alone bring in a security expert. However, certain startups probably should.
Startups that operate in sensitive industries or have customers with high security demands should indeed add a security expert to the founding team. This expert can help plan and create a strong security by design framework for the business and product from the get-go. The security expert will also help find solutions for needs like “where to store contracts” or “how to prevent phishing.”
Create a Business-Focused Security Roadmap
Cybersecurity is a massive domain that has multiple, bifurcated domains within it, such as red teaming, penetration testing, product security, compliance and more. Founders are faced with the challenge of finding the right security domains to invest in, at minimal risk and maximum ROI. Lack of funds and resources makes this a crucial decision, as not implementing the security coverage you need can have a detrimental impact on the startup.
Therefore, when deciding where to start building security into your roadmap, we recommend creating a plan of bite-sized actions that can be worked on individually, based on the realities of your business and customers. Take into account the nature of your product, your customers’ needs, the problems you solve, where you store your data, your architecture, compliance regulations for your industry and how you are building your business.
For example, let’s look at data storage. Let’s say your data lives in the public cloud, probably one of the large cloud service providers (CSPs), such as Amazon Web Services (AWS), Microsoft Azure or Google Cloud Platform (GCP). These CSPs provide certain security controls but don’t secure everything in the cloud. For such companies, we recommend putting guardrails around your data in the cloud to prevent attackers from gaining access to it. You will want to lock down workloads, manage access and more.
It’s important to build a security plan you can actually carry out -- so seek to build in modular implementation. Be sure that you can make decisions, including how basic the education will need to be, based on the maturity level of your organization and the capabilities of relevant teams. Keep it agile: your team resources are probably not likely able to spin up and deploy a year’s worth of work in one go. Also, even the most advanced cloud security platforms may not be a good fit for what your organization can actually handle. Look for platforms that are built for your needs today.
Finally, don’t copy-paste security processes from other organizations. While you can let yourself be inspired and informed by them, no two security processes -- that of another organization’s and that of yours -- are completely alike. Make sure you answer your own business’s needs, not someone else's, and take into account the specific threats your own organization might be exposed to.
Ensure a Security Framework Designed for the Cloud
One very important aspect of your product is your infrastructure, since it will determine and shape the delivery of your product to your customers. We therefore recommend dedicating time to thinking about and understanding what your infrastructure choice means security-wise.
Most organizations today are building SaaS solutions in the cloud, leveraging AWS, Azure or GCP. In addition, more and more they are migrating legacy systems from their existing solutions on their own servers to cloud infrastructure. This transition requires a different approach to security compared to how we’ve been securing our organizations for decades.
The public cloud infrastructure is different from on-premises infrastructure, with a completely different technology and stack in place. New security challenges have emerged, alongside new potential threats that you will want to be aware of and protect against. The cloud computing reality includes reckoning with a new security perimeter (identities) and new paradigms for securing login, data (S3 buckets and more) and your web server. It requires a security mindset when configuring compute, encrypting migrating instances and controlling IAM. The inability to properly manage cloud infrastructure security can have severe consequences.
Therefore, it’s important to have actions and solutions in your security plan that help in detecting, managing and reducing risk to your cloud entities. These could include hiring the right DevSecOps talent or cloud security expert, or finding the right security management platforms. Which brings us to the next topic...
Use Tools - Not Spreadsheets
If you have to scroll down a spreadsheet to manage your assets, it’s probably time to buy a tool. This goes for managing your cloud assets, as well, such as cloud servers, AWS accounts, data stores, etc.
With so many cloud and associated security tools out there, it can be confusing trying to find the right one. If you’re not sure which tool to buy, try to identify which tool can help alleviate multiple problems. Specifically, make sure it can alleviate multiple problems that you have. Read more in this guide on how to evaluate a security vendor.
Stay Updated and Engaged
Technology is constantly evolving and so are the security solutions (and challenges). We recommend that you stay in the know about new cloud security products and threats. Some of our favorite sources are:
- Google Search - Seems silly to mention but can be quite revealing as well as highlighting trends you will want to be aware of. Look up cloud security keywords and latest news at least twice a month.
- Industry reports - Follow analysts like Gartner and Forrester to learn about emerging categories and where the market is heading
- Network - Connect with influencers and experts on Linkedin and at events, talk to them and follow their postings
- Seek out demos and PoCs - Be open to viewing demos and engaging in PoCs of different security tools. It’s the only way to find the golden needle in the haystack that is right for your organization.
- Online journals - Follow leading security publications for thought leadership insights and to better understand the latest attacks
The complex nature of the public cloud makes it impossible for a new business to ignore security. Your plate is full, so it’s essential that you build a modular security game plan for your cloud growth platform, early on. Cloud security tools are proliferating like mushrooms on a rainy day but serve an important role in protecting your data, keeping you compliant, helping you automate to save time and incorporating security expertise your team may lack. Choose well: learn what tools bring differentiating value and will be stepping stones in sync with your cloud maturity model. And don’t take anyone else’s word for it -- try them out to see for yourself if they address your organization’s own needs.
To listen in and learn more, catch the full webinar on-demand.