Chris Castaldo - Start-Up Secure


Start-Up Secure: summary, description and annotation


Add cybersecurity to your value proposition and protect your company from cyberattacks.
Cybersecurity is now a requirement for every company in the world regardless of size or industry. Start-Up Secure covers everything a founder, entrepreneur and venture capitalist should know when building a secure company in today’s world. It takes you step-by-step through the cybersecurity moves you need to make at every stage, from landing your first round of funding through to a successful exit. The book describes how to include security and privacy from the start and build a cyber resilient company. You'll learn the basic cybersecurity concepts every founder needs to know, and you'll see how baking in security drives the value proposition for your startup’s target market. This book will also show you how to scale cybersecurity within your organization, even if you aren’t an expert!
Cybersecurity as a whole can be overwhelming for startup founders. Start-Up Secure breaks down the essentials so you can determine what is right for your start-up and your customers. You’ll learn techniques, tools, and strategies that will ensure data security for yourself, your customers, your funders, and your employees. Pick and choose the suggestions that make the most sense for your situation, based on the solid information in this book.
Get primed on the basic cybersecurity concepts every founder needs to know
Learn how to use cybersecurity know-how to add to your value proposition
Ensure that your company stays secure through all its phases, and scale cybersecurity wisely as your business grows
Make a clean and successful exit with the peace of mind that comes with knowing your company's data is fully secure
Start-Up Secure is the go-to source on cybersecurity for start-up entrepreneurs, leaders, and individual contributors who need to select the right frameworks and standards at every phase of the entrepreneurial journey.

Start-Up Secure: online preview excerpt

Chat programs like Slack [6] and Microsoft Teams [7] (included with Microsoft O365) have become hugely popular in large and small businesses alike. They provide an easy-to-use platform to collaborate across teams and physical distances. Like all services, there can be limitations to security based on cost. Some free versions may not allow the same amount of control over data within the platform that you would get if it was paid for.

It is critical to understand the difference between free and paid versions of the same product as well as to read through the terms of service. Most of these platforms encrypt data when it travels over the Internet but may not store it in an encrypted state. The ability to scroll back to the very first message is convenient but also comes at the risk of that data being stored somewhere, possibly encrypted. And if that service provider suffers a data breach, it could reveal your chat logs. If it is critical to have total confidentiality and integrity over the messages or data you need to share, then don't use chat platforms.

SECURE YOUR CREDENTIALS

Access to all of these great tools requires nearly the same things: a username and password, at a minimum. Unless you've been living a disconnected lifestyle in the wilderness of Montana, you'll most likely have heard about every major breach in the last 10 years. Of the vendors that respond to these data breaches, one in particular, Verizon, publishes a report [8] every year on the breaches they respond to.

Every year in those reports, the compromise of usernames and passwords is at the top of the list of initial causes of those data breaches. You should treat your usernames and passwords (i.e., credentials) as you would your new amazing start-up intellectual property. Protect them at all costs. Many of the services I discuss in this book provide extra layers of security you can enable called multi-factor authentication (MFA).

The use of MFA is a business requirement today and can drastically reduce, if not eliminate, the possibility of someone who has stolen or guessed your credentials logging into your account. There are various forms that MFA can come in; a text message is one of the most popular capabilities. However, as we have already discussed, text messages can be insecure.

Multi-factor authentication requires you to enter an additional piece of information when you log in with your credentials. You might even already use a feature like this with your bank where you receive a code via text message that you have to enter to complete the login process. While not all services you use will have this capability, you should enable it immediately, especially if you are like 80% of users that reuse passwords across many sites.

Some more advanced services like Google Workspace for Business allow users to use an app on their phone to conduct the MFA portion of their login. This app is called Google Authenticator and is free to use. Authy [9] and LastPass [10] are also popular free apps. For sites that support this type of MFA, you simply log in to your specific account, enable MFA, and the website provides a QR code that you then take a picture of with the authenticator app.

When using these apps, you will typically be presented with backup codes when you set up this type of multi-factor authentication. Print these codes out and put them in a secure place. If you lose your phone you lose your ability to authenticate into the services you've protected. I'm saying this twice because it is critical: print out and save your backup codes.


FIGURE 1.1 Yubikey Product Line

Source: https://www.yubico.com

This syncs your phone and the specific account. When you log in with your credentials again you simply open the app and enter the code displayed. There are alternative services to this app, such as Authy. Both of these apps work on iPhone and Android. Large organizations may even employ a physical token that displays a number that changes every 30 seconds. These physical tokens offer a higher degree of security but are more expensive to deploy and maintain.


FIGURE 1.2 Google Titan Security Keys

Source: https://cloud.google.com

SAAS CAN BE SECURE

Nearly gone are the days of setting up a physical server in your garage that runs the website, email, build, dev, staging, and production environments for your start-up. Software-as-a-service (SaaS) allows start-ups to both launch and scale quickly and take advantage of enterprise-level cybersecurity controls. Even in the shared security model adopted by most infrastructure-as-a-service (IaaS) providers like Amazon Web Services (AWS) [11] or Microsoft Azure [12], a start-up is starting ahead of the game with SaaS.

Starting a business requires a lot of data and documentation and collaboration on that data and documentation. Whether you are developing the next mobile app to disrupt the housing market or developing a new fireproof fabric, the information and intellectual property surrounding that must be secured. Hundreds of platforms exist for collaboration, which I can't discuss at length in this book.

However, I will discuss some of the more popular platforms for sharing data. Some of the most common are Dropbox, Box, Google Drive (part of Google Workspace) and Microsoft OneDrive (part of Microsoft O365). You've probably noticed by now that encryption and access are key components to protecting information. When storing that data you should encrypt it if possible. There are many solutions that have the ability to encrypt files you store in those file-sharing tools and share with your team in an even more secure manner. This doesn't always scale but can help protect your sensitive information early on. Additionally, this level of file-based encryption should be kept for only the most sensitive data to maintain efficiency of your start-up.

In the case of software development, care should be taken when considering access to services such as GitHub [13], which is a service that allows developers to store and retrieve software code they've written. Ensuring you've enabled all security settings in regard to user access is critical, as you are relying on the service to protect the data once it is on their system. Basics such as making sure you have a strong passphrase set and have enabled multi-factor authentication; making sure your repositories are set to private; and storing things like credentials and keys in a proper secrets manager and not hardcoded in your source code, are essential. Secure development will be discussed further in Chapter 9.
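One way to catch the hardcoded credentials mentioned above before code reaches a repository, as an added example that is not from the book. The sample source, the rule names and the scan function are constructed for illustration; the AWS key shown is the placeholder value used in AWS's own documentation.

```python
import re

# Constructed sample file: two hardcoded credentials, one value injected at runtime.
SAMPLE_SOURCE = '''\
import os
DB_PASSWORD = "hunter2-constructed-sample"
aws_key = "AKIAIOSFODNN7EXAMPLE"
api_token = os.environ["API_TOKEN"]  # supplied at runtime by the secrets manager
timeout = "30"
'''

RULES = [
    # AWS access key IDs have a fixed, recognisable shape.
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    # PEM private keys pasted into source or config.
    ("private-key-block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    # A credential-like name assigned a quoted literal of 8+ characters.
    ("credential-literal", re.compile(
        r"(?i)\b\w*(password|passwd|secret|token|api_key)\w*\s*[:=]\s*[\"'][^\"']{8,}[\"']")),
]

def scan(text):
    """Return (line_number, rule_name) for each line that embeds a credential."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((number, name))
                break  # one finding per line is enough to block the commit
    return findings

if __name__ == "__main__":
    for number, name in scan(SAMPLE_SOURCE):
        print(f"line {number}: {name}")
```

The line that reads the token from the environment is not flagged, which is the pattern to aim for: the value lives in the secrets manager and only its name appears in the code.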

Using SaaS products is not necessarily more secure, but it does reduce cost and enable start-ups to remain as lean as possible for as long as possible. Additionally, many of those SaaS platforms will scale with your business, and pricing models adjust accordingly. At some point though, you must use a computer to actually access those services, whether it is a desktop, laptop, or mobile device. For those services to be useful you need availability.

A benefit to using an SaaS platform is a far higher availability rate than if you tried to duplicate the services in your own data center. While the risk can be reduced, you cannot completely outsource risk. If you are negligent with sensitive customer data, like credit card data, you can still be held liable even if you don't host any part of your product in your own data center. This is also referred to as the shared security model.
