Why Tech Startups Need to Rethink Cloud Security

 

By Kumar Saurabh, CEO of LogicHub


Database setup costs for budding startups have plummeted in the past decade or so, thanks largely to the cloud. Twenty-five years ago, a significant portion of seed or A round funding went to hiring a system administrator who set up a server room with a raised floor and stacks of equipment. Today, founders have the opportunity to seamlessly sign up for Amazon Web Services with a credit card. Cloud infrastructure is available quickly, easily and affordably, enabling founders to focus on writing code and finding customers, instead of unboxing servers and running Cat5 cables.

Founders trust Amazon and other cloud providers to run all their services—and they trust them for security, too. After all, every SaaS, PaaS, or IaaS has some language on their site about security. Cloud security, in general, has improved. So why shouldn’t tech startups assume that their cloud services are secure?

Here are five reasons startups tend to get complacent around cloud security:

  1. Limited security coverage
    AWS and other PaaS and IaaS services provide infrastructure security, not application-level security. They do nothing to thwart security attacks against application vulnerabilities.
  2. Default or commonly used security settings that are inherently risky
    In the past few months, we’ve seen news stories about the Republican National Committee (RNC) leaking voting records for 198 million Americans and Verizon leaking 6 million customer records, among others. All these breaches resulted from faulty configurations of public-cloud security features. The problem is so widespread that Amazon is now warning S3 users to be more careful about the security settings for their S3 buckets. The fast, easy sign-up process for cloud services needs to be followed with a rigorous security assessment and possible investment in additional IT security tools.
  3. Lack of security expertise and dedicated personnel
    Along with the raised-floor computer room went the IT administrator who managed and kept an eye on data security. Founders and other team members may have a basic understanding of security best practices, but early stage startups tend to de-prioritize employing a full-time person dedicated to the availability and security of the company’s infrastructure.
  4. Cultural differences that lead to security being an afterthought
    Even if a startup has a security lead, that person’s priorities are liable to be a cultural and operational mismatch for the developer-centric priorities of the rest of the organization. Founders and investors are typically focused on developing products and gaining market share, not battening down the hatches of IT infrastructure. Security inevitably restricts choices and complicates workflows—practices that are anathema to the “move fast and break things” culture of startups today.
  5. Security attacks that can damage your company
    Startups would be wise to consider the cautionary tale of CodeSpaces.com, a code-hosting and project management service run by a New Jersey-based startup called Able Bots. The service promised fully redundant back-ups of the software it was hosting. Unfortunately, hackers broke into the company’s Amazon Elastic Compute Cloud (EC2) account, accessed its control panel, and deleted all its customer data—including code stored in Amazon S3, Amazon Elastic Block Store (EBS) snapshots, Amazon Machine Images (AMIs), EBS instances, and test machine images. Unable to restore the content entrusted to it by over 200 companies despite having advertised a business continuity plan, CodeSpaces.com was forced to close its doors. As PC World noted, “the incident overall is an unfortunate example of the challenges companies face when it comes to securing their cloud-based environments and assets.”

Addressing Cloud Security Challenges with Modern Automation

The cloud reduces costs and improves scalability, but it doesn’t change the fundamentals of IT security. Now as before, startups must put rigorous security controls in place, or hackers—who are increasingly determined and ingenious—will find a way to break in, steal or erase data, and wreak havoc.

Fortunately, the cloud does offer startups one powerful new advantage, even if it’s an advantage that—at least in the area of security—is often overlooked. That advantage is automation, including automation powered by machine learning.

In addition to reviewing all their security settings and ensuring that permissions are appropriately strict, startups should look for ways to automate threat detection and threat analysis.

Startups have a wealth of data already on hand for detecting and characterizing threats. For example, many have Amazon Virtual Private Cloud (VPC) Flow Logs or AWS CloudTrail logs. They might keep these files around for the sake of troubleshooting or compliance, but few analyze them routinely as part of an ongoing security practice.

We recently helped a startup client whose IT team had assumed their cloud logs would be devoid of value for security analysis. Examining the files, though, we discovered some of their servers were wide open to public scanning. More troubling, some of these servers were being accessed by IP addresses that IBM X-Force had identified as high risk. We also found signs of suspicious traffic.

Manual inspection of log files is not always practical or cost-effective for lean, fast-moving startups, but automating this analysis is. By automating threat detection and analysis, and leveraging deep data analysis and data correlation using machine learning, startups can enjoy the power and cost-savings of cloud services like AWS, while remaining confident their services are secure.
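As an added illustration of the kind of automated check described above (an example written for this page, not LogicHub's tooling), the following script parses VPC Flow Log records in the default version 2 format and reports internal services that accepted traffic from outside the VPC, external sources probing several ports, and accepted connections from watchlisted addresses. The VPC range, the watchlist, the thresholds and the sample records are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed assumptions: VPC range, watchlist, thresholds, sample records.
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
WATCHLIST = {"203.0.113.66"}   # stand-in for a threat-intelligence feed
EPHEMERAL_START = 32768        # heuristic: higher dst ports are reply traffic
SCAN_PORT_THRESHOLD = 3        # distinct ports probed by one external source
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

SAMPLE = """\
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 40001 22 6 1 40 1500000000 1500000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 40002 3306 6 1 40 1500000000 1500000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 40003 6379 6 1 40 1500000000 1500000060 REJECT OK
2 123456789012 eni-0e4f5a6b 203.0.113.66 10.0.1.9 51515 5432 6 12 900 1500000000 1500000060 ACCEPT OK
2 123456789012 eni-0e4f5a6b 10.0.1.5 10.0.1.9 43210 5432 6 8 640 1500000000 1500000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 192.0.2.10 10.0.1.5 443 51000 6 5 3000 1500000000 1500000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1500000000 1500000060 - NODATA
"""

def parse(line):
    """Return a dict for one default-format record, or None if unusable."""
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[-1] != "OK":
        return None            # skips NODATA / SKIPDATA and malformed lines
    return dict(zip(FIELDS, parts))

def analyze(text):
    ports_by_src = defaultdict(set)  # external source -> service ports it tried
    exposed = set()                  # (internal host, port) that accepted public traffic
    watch_hits = set()               # watchlisted sources whose traffic was accepted
    for rec in filter(None, map(parse, text.splitlines())):
        src = ipaddress.ip_address(rec["srcaddr"])
        dst = ipaddress.ip_address(rec["dstaddr"])
        port = int(rec["dstport"])
        if src in VPC_CIDR or dst not in VPC_CIDR or port >= EPHEMERAL_START:
            continue                 # keep only inbound traffic to service ports
        ports_by_src[str(src)].add(port)
        if rec["action"] == "ACCEPT":
            exposed.add((str(dst), port))
            if str(src) in WATCHLIST:
                watch_hits.add(str(src))
    scanners = {s for s, p in ports_by_src.items() if len(p) >= SCAN_PORT_THRESHOLD}
    return {"exposed": exposed, "scanners": scanners, "watchlist_hits": watch_hits}

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

Each `exposed` entry is a candidate for a tighter security group rule, and the ephemeral-port cutoff should be tuned to the operating systems in use.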