Today’s startups increasingly rely on the cloud for their tech infrastructure and thus operate in an IT and cloud security environment that differs significantly from traditional managed servers and network firewalls. Public cloud adoption will grow 18 percent this year alone, increasing from a global value of $209.2 billion last year to $246.8 billion by the end of 2017, Gartner projects.(1) Companies now run a majority of their workloads in the cloud, with 41 percent of workloads running in private cloud environments and 38 percent running in the public cloud, RightScale’s latest survey shows.(2) $7.6 billion has been invested in cloud-based startups over the past half-decade, North Bridge Growth Equity and Venture Partners estimates.(3)
With this startup shift to the cloud come unique cybersecurity challenges. If you’re running your company in the cloud, here are four steps you should take to ensure your sensitive data stays protected from cyber attacks.
Commit to Using Larger Established Platforms
One of the best ways startups can beef up their network security is by relying on established platforms from major companies such as Microsoft Azure, Amazon Web Services, Google Cloud, IBM Bluemix, and Rackspace.
Large cloud providers such as these have big budgets to invest in professional, full-time in-house security teams equipped with the latest tools and techniques to conduct penetration testing and make sure no vulnerability goes unnoticed.
In contrast, as Telegraph Hill founder David Brian Ward(4) points out, startups are often too cash-strapped to invest in security on this scale. Consequently, startups tend to defer comprehensive security investments until their product has found its market, pursuing a Minimal Information Security strategy in the meantime.
During this transitional phase, the most cost-efficient way to ensure you remain protected from cyber threats is to rely on the resources of large cloud providers after carefully selecting foundational software stack components.
Maximize Use of Native Cloud Security Tools
To get the maximum benefit from your cloud security provider, make sure you make full use of the native security tools built into your platform. For instance, Microsoft’s Azure is supported by Azure Security Center,(5) which provides a central interface for viewing all your Azure resources, verifying that your configurations are correct, and identifying any resources that require your security team’s attention.
Additionally, Azure’s Security Center interfaces with Azure Marketplace, where you can find and deploy security applications from Microsoft’s trusted partners. AWS provides Amazon Inspector,(6) which automatically assesses the security of applications you deploy on the platform and helps you correct deviations from best practices. Making the most out of these types of tools will greatly increase the efficiency of your security.
In our blog post on Lean Startups and Business Data Quality, we reviewed how growing companies can competently navigate data management platforms as they grow.
Assign Team Members to Conduct Code Reviews and Key Security Duties
Teamwork is another essential element of effective cloud security. Several aspects of InfoSec best practices are too large for any single individual and require effective teamwork. For instance, implementing a code review is the single most effective method for identifying security flaws, according to the Open Web Application Security Project.(7)
While this process can be assisted by automated tools, it requires human verification, which is a huge task best distributed among multiple team members. Other key security duties should likewise be delegated to ease the burden on individual team members and make full use of your staff’s collective capabilities. Organizations without dedicated InfoSec staff may wish to assign a functional SecOps role to a senior staff member to ensure specific practices are being carried out and automated when possible.
Make Effective Password Security Easy
Making password management easy is another key to successful cloud security. The latest National Institute of Standards and Technology digital identity guidelines(8) recommend allowing users to choose passwords up to at least 64 characters in length, with no arbitrary expiration date, supported by two-factor authentication. While allowing such long passwords can enhance security, it also makes it difficult for human users to remember authentication information without resorting to unsafe practices such as writing passwords on notes posted near computers.
The best way to avoid issues in this area is to make password management easy by employing password management software that automatically generates and enters long, secure passwords. PCMag(9) provides reviews of today’s leading password manager apps.