How to stay on top of your security game as a startup?
This article was written by Harles Paesüld, Head of Cloud at Mooncascade.
Serious about scaling your startup but not 100% sure you’re doing cloud governance the right way? We feel you! But at this point in the game, it’s a must-have, not a nice-to-have.
Thankfully, it doesn’t have to be painful, confusing, or expensive. We’ve put together a sanity checklist to help you stay proactive, avoid major costs, and have peace of mind knowing your cloud setup is secure.
Not sure where to start? Just focus on these 7 areas and you’ll already have your bases covered. You can implement all these recommendations quickly without breaking the bank (or keeping your CFO up at night).
1. Keep the “shared responsibility model” in mind
Remember that cloud providers (e.g. Google Cloud, AWS, etc.) are responsible for the security of the cloud itself. But you are responsible for everything you set up on your side, i.e. the security of your own applications that you deploy in the cloud. Keeping this in mind will ensure that you avoid nasty surprises down the road.
2. Make sure only authorized people can access your services
You don’t want to end up in a situation where you lose access, as restoring it will take a significant amount of time (that you need for countless other things!). Thankfully, there’s a variety of ways to limit access to only the “right” people:
Keep user identities and permissions to the bare minimum (a.k.a. the principle of least privilege: each user is given only the access or permissions needed to do their job)
Use single sign-on (SSO)
Make two-factor or multi-factor authentication mandatory
Store all your passwords in a password manager (e.g. Bitlocker, LastPass, or KeePass)
Duplicate critical responsibilities (i.e. 2-3 admins in smaller startups and 3-5 admins in larger companies are considered a best practice)
Log all access so you have a constantly updated overview
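As an added example that is not part of the original article, here is a small Python audit that applies two of the checks above (MFA must be mandatory, and unused access keys violate least privilege) to a constructed sample in the shape of an AWS IAM credential report. The column subset, account id and dates are assumptions made up for the example.

```python
import csv
import io
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed sample shaped like an AWS IAM credential report (only a subset
# of the real report's columns; the account id and dates are made up).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2021-03-01T09:00:00+00:00,true,2024-05-01T08:00:00+00:00,false,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2022-01-10T09:00:00+00:00,true,2024-06-01T08:00:00+00:00,true,true,2024-06-02T08:00:00+00:00
bob,arn:aws:iam::123456789012:user/bob,2022-02-10T09:00:00+00:00,true,2024-06-01T08:00:00+00:00,false,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2022-03-10T09:00:00+00:00,false,N/A,false,true,2023-01-05T08:00:00+00:00
"""

STALE_AFTER = timedelta(days=90)


def _parse_time(value: str) -> Optional[datetime]:
    """Return a datetime for an ISO 8601 report value; None for N/A-style markers."""
    if value in ("N/A", "not_supported", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv: str, now: datetime) -> List[str]:
    """Apply the checklist: console users without MFA, stale keys, recent root logins."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # Console login enabled but no MFA enrolled: MFA is supposed to be mandatory.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append(f"{user}: console password enabled without MFA")
        # Active access key unused for a long time: least privilege says remove it.
        if row["access_key_1_active"] == "true":
            last_used = _parse_time(row["access_key_1_last_used_date"])
            if last_used is None or now - last_used > STALE_AFTER:
                findings.append(f"{user}: access key 1 active but unused for >{STALE_AFTER.days} days")
        # Root should not be used for daily work; flag any recent console login.
        if user == "<root_account>":
            last_login = _parse_time(row["password_last_used"])
            if last_login is not None and now - last_login < STALE_AFTER:
                findings.append("<root_account>: root console login within the last 90 days")
    return findings


def audit_sample() -> List[str]:
    """Run the audit over the constructed sample with a fixed 'now' for reproducibility."""
    return audit_credential_report(SAMPLE_REPORT, datetime(2024, 6, 10, tzinfo=timezone.utc))


if __name__ == "__main__":
    for finding in audit_sample():
        print(finding)
```

Against a real account you would feed in the output of the IAM credential report instead of the constructed sample, and extend the checks to the second access key and certificate columns.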
3. Know and protect your intellectual property (whatever form it has)
The main way to keep your IP safe is to avoid losing access and ensure you employ the principle of least privilege. That way, you can be reasonably sure you’ve done what you can to avoid your IP getting snatched up.
4. Know what other kind of data (including customers’ data) you have
Are you storing Personally Identifiable Information (PII) that falls under GDPR rules, and do you need to be able to demonstrate compliance with data protection principles? If yes, you need to decide how you protect this data. Whether it’s through bucket tagging/labeling, versioning, deletion protection, access logs, or something else entirely: your solution has to demonstrably strengthen the protection of that sensitive data.
5. Isolate production workloads from other workloads and general assets
Don’t wait until the last minute to get into a scale-up mindset! You’ll want to isolate your production workloads from everything else (e.g. development and testing) from the get-go. That way, you’ll avoid production issues that may lead to data loss and extended downtime (never a good time for anyone involved!). And some beautiful day in the future, you’ll likely have to give access to external parties as your business scales. The best way to approach this is by creating several projects and accounts. How this is done will depend on the cloud provider you’re using.
6. Use the security tools of your cloud provider
Google Cloud has the Security Command Center, AWS has its Security Hub. Both tools continuously evaluate your environment according to security best practices. They’ll also give you suggestions on how you can improve the security of your cloud setup. You can immediately reap the benefits of these suggestions, but they’re also a great way to avoid large-scale reengineering down the road (saving you a lot of time and money!).
7. Be conscious of costs
Keep a close eye on what you’re paying and why. Budgets are tight in startup land as it is, and investors want to know that funding is being spent in the most optimal way. Thankfully, you can set up budgets and alerts for your cloud setup, so you can react quickly if your costs escalate. Credits given to you by cloud providers can be tempting, but they’re really good as a temporary solution at best (and at worst, cost a pretty penny down the line anyway). Try to adopt a more long-term solution that is both secure and cost-efficient, from startup to scaleup, to enterprise. Your CFO will thank you for it.
As luck would have it, Mooncascade is an official Google Cloud, Google Workspace and Amazon Web Services partner! Feel free to reach out to us if you’d like to find out even more about setting up governance practices that scale with your business at firstname.lastname@example.org