Running tech at a startup is a hard job. You’re on a shoestring budget, if you even have one. You’re constantly understaffed. Everyone needs that new feature or server set up. They need it yesterday. While you were reading the intro to this blog post, someone from sales promised three new features to a customer that aren’t on your road map yet. In short, you’re swamped.
If you’re like a lot of startup CTOs, you’re not spending as much time thinking about security as you could. You know that you should do more, but you’re so busy. So, you ignore it, then you feel bad about it.
You don’t have to fall into this cycle. It’s possible, even when you’re swamped, to practice proactive behavior around security. In this post, we’re going to walk through some high-leverage actions you can take today to ensure the security of your infrastructure. This is not a complete list, but are all items you should pursue to uplevel your security.
Encrypt your APIs and sites
One of the simplest and most effective ways to increase your organization’s security is to encrypt the content you put out into the world. For most sites, this is very simple: use SSL. SSL encrypts the data that your users send to your servers while it’s in transit. Every major web server handles SSL by default. So does every major browser. You might think that you can get by only encrypting part of your site. Maybe you use SSL on your login form, but everything else travels over plain-text HTTP.
In reality, you should consider SSL your default way to talk to the world. That means both your website sections that seem sensitive (like a login form) and website sections that aren’t sensitive at all, like your company landing page. You should also encrypt all access to any networked data APIs your company publishes.
Why is site encryption important?
Site encryption serves a number of purposes. For starters, it ensures that nobody can read in on the conversation between you and your customers. If you handle any kind of sensitive data, that’s valuable all by itself. However, even if you don’t handle sensitive data, there’s value in encrypting your communication.
Another valuable part of SSL encryption is the ability to make sure that what you send the customer is what they actually receive. When your communications are not encrypted, malicious actors can intercept those communications and modify them. That means that what you think you’re sending your customer might not be what they’re actually reading.
Finally, SSL serves another crucial purpose. When you publish a certificate on your website, and use it for SSL encryption, your customers are sure that it’s your company they’re talking to. Good SSL certificates establish not only secure communication, but also your identity in the browser.
As a bonus, it’s easier than ever to set up effective encryption. Like we said, budgets are tight. The good news is, Let’s Encrypt serves as a public certificate authority. Their certificates are free to set up and use. It takes a few minutes to get a certificate, and they’re trusted in just about every browser.
Protect yourself against DDoS attacks
A distributed denial of service (DDoS) attack is where someone attempts to overflow your network connections in order to take your website or services offline. The biggest problem with protecting against Denial of Service (DoS) attacks is that they’re just about the simplest attacks anyone might execute. They involve flooding your network connections with junk data to slow down or stop access by legitimate customers.
A DDoS attack is only slightly more complicated. Instead of originating from a single point, the DDoS is, as its name implies, distributed. The goal is for the attacker to use hundreds or thousands of computers from all over to flood your network.
If someone targets you for a DDoS attack, it’s a real challenge to overcome. Because they’re so cheap, attackers might keep them up for hours or days. Often times, the best way around a DDoS is to move your service to an entirely new network to avoid the flooding.
If you suspect that your organization might be at risk for DDoS attacks, contracting someone like CloudFlare is a good decision. By setting up this protection now, you ensure that you’ll avoid issues with DDoS attacks down the road.
Understand your security posture
In addition to encrypting your content, there are many other high-leverage steps you can take to upgrade your security. The better news is that most of these changes are one-off changes. You can set them, and they’ll protect you for years to come, with just a few minutes’ investment.
The best place to get started is with Sqreen’s security grader. Answering the questions on this quiz will give you a sense of how your security stacks up against industry benchmarks, and can point you in the right direction for where to start improving it.
Isolate your network assets
This is a recommendation that hits home the most for distributed startups. If your entire tech team isn’t collocated into a single office, it’s likely that you have some resources sitting on the open internet that are accessible by anyone who knows where they are. While it’s important to make those resources available to the people who work with them, it’s also critical that you ensure that only those people can access those servers. If your database server is publicly available on the internet, attackers have a basically unlimited number of attempts to compromise it.
Instead, look into segregating your network assets behind firewalls. If you have your servers collocated in a physical location, you probably already do this, at least a little. When that’s the case, the key is simply to treat all your servers the way that you treat the ones located in your data center. If you’re using a cloud hosting provider, things can seem more complicated. It’s not immediately obvious how to achieve the same benefits of physical collocation when you’re working in the cloud.
The good news is, it’s entirely possible to set up your cloud service provider to enforce the same levels of access restriction. AWS, for instance, provides VPC Subnets that restrict access based on the origin point of the request contacting the server. When correctly configured, your database server will only talk to your application server. Attackers won’t have unlimited attempts to try to guess your database administrator password. They won’t even have one.
Focus on the effective
I get it. You’re still really busy. Your time is very precious, and so is your organization’s money. So you want to focus your efforts on high-leverage actions that will significantly improve organizational security with minimal time investment. The items on this list were specifically chosen to do that. Some of them are a little harder than others, but each represents significant bang for your buck.
If you’d like to explore more ways to improve organizational security, I recommend a checklist that Sqreen put together. It categorizes security actions you should take and outlines at what startup stage you should focus on those security measures. It’s an invaluable resource for the busy but security-conscious CTO.
This post was written by Eric Boersma. Eric is a software developer and development manager who’s done everything from IT security in pharmaceuticals to writing intelligence software for the US government to building international development teams for non-profits. He loves to talk about the things he’s learned along the way, and he enjoys listening to and learning from others as well.