Start-Up Secure - Chris Castaldo - Page 17
SAAS CAN BE SECURE
Nearly gone are the days of setting up a physical server in your garage that runs the website, email, build, dev, staging, and production environments for your start-up. Software-as-a-service (SaaS) allows start-ups to both launch and scale quickly and take advantage of enterprise-level cybersecurity controls. Even in the shared security model adopted by most infrastructure-as-a-service (IaaS) providers like Amazon Web Services (AWS)11 or Microsoft Azure,12 a start-up is starting ahead of the game with SaaS.
Starting a business requires a lot of data and documentation and collaboration on that data and documentation. Whether you are developing the next mobile app to disrupt the housing market or developing a new fireproof fabric, the information and intellectual property surrounding that must be secured. Hundreds of platforms exist for collaboration, which I can't discuss at length in this book.
However, I will discuss some of the more popular platforms for sharing data. Some of the most common are Dropbox, Box, Google Drive (part of Google Workspace) and Microsoft OneDrive (part of Microsoft O365). You've probably noticed by now that encryption and access are key components to protecting information. When storing that data you should encrypt it if possible. There are many solutions that can encrypt files you store in those file-sharing tools and share them with your team in an even more secure manner. This doesn't always scale but can help protect your sensitive information early on. Additionally, this level of file-based encryption should be reserved for only the most sensitive data to maintain the efficiency of your start-up.
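The file-level encryption described above, as an added example that is not code from the book or from any of the named file-sharing products: a small Go program that seals a file with AES-256-GCM before it is dropped into a shared folder, binding the file name into the authentication tag so a sealed file cannot be renamed or swapped, and refusing to open anything that has been tampered with. The environment variable name FILESHARE_KEY_HEX and the sample file contents are assumptions made for this example; the key would come from a secrets manager or OS keychain, never from the shared folder itself.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
)

// newAEAD builds an AES-256-GCM cipher from a 32-byte key.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be exactly 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealFile encrypts a file's contents before it is placed in a shared folder.
// Layout of the result: 12-byte random nonce || ciphertext || 16-byte GCM tag.
// label (for example the file name) is authenticated but not encrypted, so a
// sealed file cannot be silently renamed or swapped for a different sealed file.
func sealFile(key, plaintext, label []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag after the nonce, giving the layout above.
	return aead.Seal(nonce, nonce, plaintext, label), nil
}

// openFile reverses sealFile; any change to the blob, the key or the label
// makes the GCM tag check fail and returns an error instead of garbage.
func openFile(key, sealed, label []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns+aead.Overhead() {
		return nil, errors.New("sealed blob too short to contain nonce and tag")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], label)
}

// loadKey reads the key from an environment variable that a secrets manager or
// OS keychain populates at login. FILESHARE_KEY_HEX is a hypothetical name
// chosen for this example.
func loadKey() ([]byte, error) {
	key, err := hex.DecodeString(os.Getenv("FILESHARE_KEY_HEX"))
	if err != nil || len(key) != 32 {
		return nil, errors.New("FILESHARE_KEY_HEX must hold 64 hex characters")
	}
	return key, nil
}

func main() {
	key, err := loadKey()
	if err != nil {
		// No key configured: generate a throwaway one so the demo still runs.
		key = make([]byte, 32)
		if _, err := rand.Read(key); err != nil {
			panic(err)
		}
		fmt.Println("no FILESHARE_KEY_HEX set, using a random demo key")
	}
	// Constructed sample content standing in for a real file read from disk.
	label := []byte("cap-table.xlsx")
	plaintext := []byte("constructed spreadsheet bytes")
	sealed, err := sealFile(key, plaintext, label)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d bytes into %d bytes\n", len(plaintext), len(sealed))
	if _, err := openFile(key, sealed, []byte("renamed.xlsx")); err != nil {
		fmt.Println("opening under a different name fails:", err)
	}
	back, err := openFile(key, sealed, label)
	if err != nil {
		panic(err)
	}
	fmt.Println("round trip:", string(back))
}
```

The design choice worth noting is that the key lives apart from the data: the sealed blob can sit in Dropbox, Box, Drive or OneDrive, but decrypting it requires a key that the sharing platform never sees, so a leaked share link or a compromised account exposes only ciphertext.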
In the case of software development, care should be taken when considering access to services such as GitHub,13 which is a service that allows developers to store and retrieve software code they've written. Ensuring you've enabled all security settings in regard to user access is critical, as you are relying on the service to protect the data once it is on their system. Basics such as setting a strong passphrase and enabling multi-factor authentication, setting your repositories to private, and storing things like credentials and keys in a proper secrets manager rather than hardcoding them in your source code are essential. Secure development will be discussed further in Chapter 9.
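The "no credentials in source" rule above is easiest to keep when something checks for it before code reaches GitHub. The following is an added example, not code from the book or from GitHub: a Go scanner that runs a few patterns over a source file and reports each line that assigns a credential-looking literal, contains an AWS access key ID, or embeds a private key block, with the matched value masked in the report so the scanner itself never echoes a secret. The two embedded source snippets are constructed for this example (the AKIA value is filler, not a real key); the hardened version shows the same settings read from the environment, which a secrets manager populates at deploy time, and produces no findings.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// rule pairs a name with a pattern for one common way credentials end up in source.
type rule struct {
	name string
	re   *regexp.Regexp
}

// Ordered so the most specific rule reports first; one finding per line.
var rules = []rule{
	// AWS access key IDs are 20 characters starting with AKIA (documented format).
	{"aws-access-key-id", regexp.MustCompile(`AKIA[0-9A-Z]{16}`)},
	{"private-key-block", regexp.MustCompile(`-----BEGIN [A-Z ]*PRIVATE KEY-----`)},
	// A credential-looking identifier assigned a quoted literal of 8+ characters.
	// The last capture group isolates the literal so only it is masked.
	{"hardcoded-credential", regexp.MustCompile(
		`(?i)(password|passwd|secret|api[_-]?key|access[_-]?key|token)[a-z0-9_]*\s*[:=]\s*["']([^"']{8,})["']`)},
}

type finding struct {
	File string
	Line int
	Rule string
	Text string // the offending line with the sensitive value masked
}

// scanSource runs every rule over each line of src and returns the findings.
// Values read from the environment or a secrets client leave no quoted literal
// after the '=', so the hardened form below triggers nothing.
func scanSource(file, src string) []finding {
	var out []finding
	for i, line := range strings.Split(src, "\n") {
		for _, r := range rules {
			m := r.re.FindStringSubmatchIndex(line)
			if m == nil {
				continue
			}
			// Mask the last capture group if the rule has one, else the whole match.
			start, end := m[0], m[1]
			if len(m) > 2 {
				start, end = m[len(m)-2], m[len(m)-1]
			}
			masked := line[:start] + strings.Repeat("*", end-start) + line[end:]
			out = append(out, finding{file, i + 1, r.name, masked})
			break
		}
	}
	return out
}

// Constructed sample of a leaky settings module; the values are filler.
const leakySource = `import boto3
AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE00"
db_password = "hunter2hunter2"
deploy_key = """-----BEGIN RSA PRIVATE KEY-----
client = boto3.client("s3")`

// Same module hardened: secrets arrive through the environment, which the
// deploy pipeline fills from the secrets manager; nothing sensitive is committed.
const hardenedSource = `import os
AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
db_password = os.environ["DB_PASSWORD"]
client = boto3.client("s3")`

func main() {
	for _, f := range scanSource("settings.py", leakySource) {
		fmt.Printf("%s:%d [%s] %s\n", f.File, f.Line, f.Rule, f.Text)
	}
	fmt.Printf("hardened module: %d findings\n", len(scanSource("settings.py", hardenedSource)))
}
```

Wired into a pre-commit hook or a CI step that fails the build on any finding, a check like this catches the mistake at the point where it is cheapest to fix; a secret that has already been pushed to a shared repository has to be treated as exposed and rotated, because history is copied to every clone.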
Using SaaS products is not necessarily more secure, but it does reduce cost and enable start-ups to remain as lean as possible for as long as possible. Additionally, many of those SaaS platforms will scale with your business, and pricing models adjust accordingly. At some point though, you must use a computer to actually access those services, whether it is a desktop, laptop, or mobile device. For those services to be useful you need availability.
A benefit to using a SaaS platform is a far higher availability rate than if you tried to duplicate the services in your own data center. While the risk can be reduced, you cannot completely outsource risk. If you are negligent with sensitive customer data, like credit card data, you can still be held liable even if you don't host any part of your product in your own data center. This is also referred to as the shared security model.
I've talked about services you might use and the security surrounding them, but you must also consider the security of the devices you use to access them. Desktops, laptops, and mobile devices will continue to be the most likely initial access vector in a data breach along with your credentials. To get your credentials, an attacker must either dupe you into giving your credentials to them, referred to as social engineering, or take advantage of a vulnerability in the computer you are using, referred to as an exploit. Or if you are a high-value target, they may go as far as to gain physical access to your device.