True or false: Companies born in the cloud naturally understand security.
Young and tech-savvy companies running in the cloud often deal with the same cloud security issues as larger organizations that are moving to the cloud from legacy or on-prem solutions. In fact, the unique requirements of tech companies — like continuous development cycles and cutting-edge, rapidly evolving processes — can sometimes add even more complexity to security. If you fall into this camp, you may find this post useful. In it, we’ve rounded up some of our best advice so you can learn how to strengthen your cloud security posture and begin building out a cloud security strategy right away, without a big drain on your budget and resources.
1. Start Where You Are
Tech companies (especially startups) have a lot going on at any given moment. On a day-to-day basis, security is not likely to be the number-one priority. We can tackle it later, you might think. Except with security, the best time to act is always now.
Here’s the deal. Even if you’re not ready to invest in security monitoring or build a full-on security operations center, there’s a lot you can do to make sure you are moving in the right direction. Here are five security recommendations to get you going:
- Start by making sure you understand what your security objectives are, where you are in your security journey, where you’re covered, and where you’re not. This will give you a framework to use when planning security measures. (Take a look at the “Your Company” section of this post for questions that will help you define your situation and objectives.)
- Recognize that all companies, big or small, tech-focused or not, are subject to risk. Fortunately, there are security solutions that can help every type of company, so no matter your budget or goals, there’s something that will reduce risk and strengthen your security. (Also keep in mind that no one solution will address all your requirements.)
- Prioritize visibility above all else. If you can see what’s going on throughout your environment, you can make good decisions about how to keep it secure.
- Pick solution providers that embrace security, educate their customers, and have products that integrate with your current stack. The best tools will help you achieve security, not give you one more thing that will add to your administrative burden.
- Build a security roadmap. It’s okay if you can’t check everything off the list today, because security is an ongoing process. But a roadmap will help you keep track of priorities and take meaningful steps to achieve continuous improvement, and that’s the name of the game.
2. Kick Off a Security Awareness Program
Along with the five steps outlined above, it’s important that you get buy-in and appropriate involvement from your whole team. If your employees and stakeholders understand how they are a key part of the security equation, it’s more likely they will avoid risky behavior, report suspicious emails or websites, and ask questions when something doesn’t seem quite right.
What does it take to build a successful security awareness program? First, we recommend drafting up a handbook. This doesn’t have to be long or super-involved — in fact, the simpler and more straightforward the better. Giving employees an easily accessible guide that answers the most common questions will relieve your IT or security team’s burden and reduce many preventable snafus. Don’t worry about making it perfect, and consider formatting it as a wiki or other regularly updated document so it can evolve alongside your business.
We also recommend that you set up a real-time communication channel focused on security (such as a #security channel in Slack), host lunch-and-learn sessions, and consider holding a “security day” or “security week” to increase overall awareness and knowledge of relevant issues within your company.
3. Be Smart at Conferences
Conferences are an excellent way to build your network, sell your products and services, and offer continuing education opportunities to your employees. It’s no wonder that many tech companies attend them regularly. That said, conferences can actually be a hotspot for security incidents, so don’t let your defenses slip the moment you walk outside your office. Learn how to stay secure at conferences, and communicate this information to all employees who attend these events.
In a nutshell, you want to practice good Opsec (which we define as actions you take to ensure that information leaks don’t haunt you). It may sound like something out of spycraft, but good Opsec often boils down to simple awareness of your surroundings and context. For example, conference-goers should be aware of what devices they have with them (e.g., laptops, iPads, and smartphones). They should always use auto-lock features and never leave devices unlocked and unattended in a public place. They should also be required to use two-factor authentication (2FA) when available and use strong passwords, and they should avoid connecting to unsecured Wi-Fi.
Most importantly, when it comes to company secrets and intellectual property, they should be careful what they say (and post online), when, and where. A simple conversation about a customer issue could easily turn into an Opsec nightmare if overheard by the wrong person. (For more detailed information on this subject, take a look at our post, How to Stay Secure at Conferences.)
4. Rely on Automation
Manual security processes tend not to scale very well, and they’re also prone to error. Automation eliminates or reduces the need to manually process tasks (like alert response), and also helps you increase accuracy, slash time, and optimize the use of resources. This frees you to focus more resources on security priorities and critical business goals.
One of the most important metrics that automation can impact is Mean Time To Know (MTTK). Mean Time To Know measures how fast someone can sort signal from noise when an alert comes through. Now, you can probably see why this number is hard to make an impact on. Getting alerts in real time is one thing, but knowing what they really mean and whether they actually require a response is much more complex. With automation, however, tech companies can make a serious impact on MTTK, reducing time from hours or days to minutes or seconds. The bottom line is that tech companies need to be focused on catching real threats quickly, and implementing automation can help them do this very effectively. (For more information, take a look at How to Use Automation to Reduce Mean Time to Know. For a post that provides interesting data on reducing Mean Time To Resolution (MTTR), have a look at Shifting to High-Velocity Cloud Security Operations.)
5. Prioritize Security Tasks
Does the very mention of security overwhelm you and your team? If so, you’re not alone. It can be difficult to look at all your applications and environments and figure out where to begin. Many tech companies have limited resources to devote to security, so it’s a good idea to prioritize security tasks so you can really focus on the ones that will have the most impact on your overall posture.
We recommend taking these three steps to help prioritize security tasks:
- Audit Your Current Environment: Do your infrastructure configurations follow best practices? Keeping in mind the fact that 73% of organizations have at least one critical misconfiguration, it’s a good idea to audit your current configurations to learn precisely where the problems are. With a tool like Threat Stack’s Configuration Auditing, you can quickly survey and automatically prioritize steps you need to take.
- Ensure End-to-End Visibility: Continuous monitoring centered on the workload (not logs) is the key to gaining visibility in the cloud. Using host-based intrusion detection for continuous monitoring, you will know in real time what’s happening across your modern infrastructure.
- Automate Analysis: You should be able to analyze security events and determine the root cause without having to dig through logs. Automated, continuous monitoring will streamline and speed the process of investigating an incident, analyzing root causes, and getting systems back to normal as quickly as possible.
With knowledge, visibility, and automation on your side, it will be much easier to prioritize security tasks and focus on the measures that will drive results for your organization. Don’t wait until you have time to do it all (because that time will never come). Start where you are and make incremental progress over time. (Following this approach is like tapping into the power of compound interest: Invest a little at regular intervals. Your investment has immediate value, starts producing ROI right away, and increases in value over time as you continue to build out your security strategy.)
Final Words: Jumpstart Your Journey
If you’re just getting started with cloud security, the scope and number of issues can seem overwhelming. But it doesn’t have to be. If your organization is high on security requirements and low on time and resources, make security an ongoing and integral part of your operations starting now. Work with a strategic plan, and take incremental steps. As you continue to reduce risk, you’ll increase security while adding to the velocity of your business, even as it scales. To get started with your security program, feel free to download a copy of our eBook Jump Starting Cloud Security.