Young tech companies running in the cloud often deal with the same cloud security issues as larger organizations that are moving to the cloud from legacy or on-prem solutions. In fact, the unique requirements of tech companies (like continuous development cycles and cutting-edge, rapidly evolving processes) can sometimes add even more complexity to security. If you fall into this camp, this post should be helpful. In it, we’ve rounded up some of our best advice on how you can strengthen your cloud security posture and begin building out a proactive cloud security strategy now, without putting a strain on your budget and resources.
1. Start Where You Are
Tech companies (especially startups) have a lot going on at any given time. On a day-to-day basis, security is not likely to be the number-one priority. Often, the approach is “We can tackle it later.” Except with security, the best time to act is always now.
That doesn’t mean you need a full-blown security program on Day 1. Even if you’re not ready to invest in security monitoring or build a full-on security operations center, there is a lot you can do to make sure you’re moving in the right direction. Here are five security recommendations to get you going:
- Start with an understanding of what your security objectives are, where you currently are in terms of security maturity, where you’re covered, and where you’re not. This will help you create a prioritized framework to use when planning security measures. It will also allow you to establish a phased approach to security that will enable you to continually and proactively add strength to your security posture without putting excessive demands on your resources, personnel, and budget. For a great job aid that will help you define your security objectives and priorities, download our Cloud Security Requirements Analysis Worksheet.
- Recognize that all companies (big, small, tech-focused or not) are subject to risk. Fortunately, security solutions are available to help every type of company. No matter your budget or goals, there’s something that will reduce risk and strengthen your security. (Also keep in mind that no single solution will address all your requirements.) For guidance on how to assess whether a solution suits your needs, look at: Cut Time & Costs: 7 Best Practices to Follow When Choosing a Cloud Security Solution.
- Prioritize security visibility above all else. If you can see what’s going on throughout your build-time and runtime environments, you can make effective decisions about how to keep them secure. We’ve written quite a bit about full stack security observability and recommend the following posts on how to achieve it: Defining the “Full Stack” in Full Stack Security Observability and Cloud Security Observability: How to Reduce Risk in Your Cloud-Native Infrastructure.
- Pick solution providers that embrace security, educate their customers, and offer products that will integrate with your current stack. The best tools will help you achieve security and improve operations — without giving you one more thing that will add to your administrative overhead. For more, take a look at 14 Questions to Ask Yourself Before Committing to a Cybersecurity Vendor.
- Build a security roadmap. You can’t check everything off the list today because security is an ongoing process. But a roadmap will help you keep track of priorities and take meaningful steps to achieve continuous improvement, and that’s the key to building and maintaining a security program that evolves and scales as your organization does. For a detailed look at how to develop a comprehensive cloud security strategy, download Jump Start Cloud Security: A Guide to Starting Your Cloud Security Journey. (Since compliance will likely be part of your concerns at some point, you should also know how to build a compliance strategy that’s suited to your organization. For details on key compliance issues and frameworks, read How SaaS Companies Can Build a Compliance Roadmap.)
2. Prioritize Security Tasks
It can be difficult to look at all your applications and environments and figure out where to begin. On top of this, many tech companies have limited resources to devote to security, so it’s essential to prioritize security tasks so you can focus on the ones that will have the greatest impact on your overall posture.
We recommend taking these three steps to help you prioritize security tasks:
- Create a snapshot of your organization’s cloud security as a starting point for implementing a continuous plan for strengthening your security posture. Feel free to take our Cloud SecOps Maturity Assessment. You can also download a copy of Cloud Security Observability: A Guide to Reducing Your Cloud Native Infrastructure Risk along with Security That Keeps Up With Your Evolving Infrastructure.
- Ensure end-to-end visibility throughout your build- and runtime environments. Continuous monitoring centered on the workload (not just logs) is the key to gaining visibility in the cloud. Using host-based intrusion detection for continuous monitoring, you can know in real time what’s happening across your infrastructure. For specific information on what we mean by full stack security observability as well as guidelines on how to achieve it in your environment, consider these four posts: Defining the “Full Stack” in Full Stack Security Observability; Cloud Security Observability: How to Reduce Risk in Your Cloud-Native Infrastructure; Stretch Right With Application Security Monitoring; and Stretching Left With Threat Stack Application Security Monitoring.
- Automate analysis. You should be able to analyze security events and determine the root cause without having to dig through logs. Automated, continuous monitoring will streamline and speed up the process of investigating an incident, analyzing root causes, and getting systems back to normal as quickly as possible.
With an understanding of your organization’s security maturity combined with security observability and automated analysis, it will be much easier to prioritize security tasks and focus on measures that will drive results. Don’t wait until issues pile up. Start where you are and make incremental progress over time. Following this approach is like tapping into the power of compound interest: Invest a little at regular intervals. Your investment will start producing ROI right away and will increase in value over time as you continue to build out your security strategy.
3. Leverage Automation
Manual security processes don’t scale well, they demand a lot of time and resources, and they’re also prone to error. Automation eliminates or reduces the need to manually process tasks (like alert response), freeing you to focus more of your resources on security priorities and critical business goals.
One of the most important metrics that automation can impact is Mean Time To Know (MTTK), which measures how fast someone can sort signal from noise when an alert comes through. You can probably see why this number is hard to move. Getting alerts in real time is one thing, but knowing what they really mean and whether they actually require a response is much more complex. Manually sifting through the noise to find a signal that indicates a real cause is massively time-consuming. With automation, however, tech companies can make a serious impact on MTTK. The bottom line is that tech companies need to be focused on catching and responding to real threats quickly, and implementing automation can help them do this effectively. For more, read How to Use Threat Stack to Reduce Mean Time To Know and How to Transform Alert Fatigue Into Proactive Security Management — 5 Must-Read Blog Posts.
4. Establish a Security Awareness Program
Security strategies are not totally rooted in technical solutions. Human factors also play a large part, so along with the steps outlined above, it’s important to get buy-in and appropriate involvement from your whole team. If your employees and stakeholders understand how they are a key part of the security equation, it’s more likely they will avoid risky behavior, report suspicious emails or websites, and ask questions when something doesn’t seem quite right.
What does it take to build a successful security awareness program? First, we recommend drafting a handbook. This doesn’t have to be long or detailed. Giving employees an easily accessible guide that answers the most common questions will lessen your IT or security team’s burden and reduce many preventable incidents. Consider formatting it as a wiki: that keeps it readily accessible and easy to update, so it can evolve along with your business.
We also recommend that you set up a real-time communication channel focused on security (such as a #security channel in Slack), host lunch-and-learn sessions, and consider holding a “security day” or “security week” to increase overall awareness and knowledge of relevant issues within your company.
Final Words . . .
If you’re just getting started with cloud security, the scope and number of issues can seem overwhelming. But it doesn’t have to be. If your organization is high on security requirements and low on time and resources, make security an integral and ongoing part of your operations starting now. Work with a strategic plan, and take incremental steps. As you continue to reduce risk, you’ll increase security while adding to the velocity of your business, even as it scales.