Start-Up Secure. Chris Castaldo
Читать онлайн книгу.the Internet. For example, if someone was able to intercept that email when it leaves your email provider's servers they could read the entire contents. For many start-ups, it is not feasible to build and maintain their own email server, so they rely on services like Google Workspace (formally G Suite)1 or Microsoft O365.
It is important to establish an enterprise-level email account once you register your company domain name. Operating from your personal Gmail, Live, Hotmail, or iCloud email limits the security controls you can place around your account, and does not lend to the credibility of your start-up.
Both Google Workspace and O3652 are referred to as software-as-a-service (SaaS), which means you don't own any software that you install on your desktop but pay a monthly or yearly service fee. However, there are services such as Virtru3 that are compatible with those services, both on your desktop and mobile devices, and that allow you to encrypt your emails and control if they can be forwarded and even set an expiration date. This does not prevent someone from copying and pasting the contents or taking a screenshot but would prevent a malicious person from eavesdropping.
For many entrepreneurs, email is not the only means of communication. Surprisingly, many companies operate by text message. Shorter messages that usually get a faster response than lengthy emails can keep start-ups agile but can also pose a risk. Short message system (SMS), also commonly known as text messaging, is insecure like email. You are completely reliant on your cell phone provider's network to provide security of your message. However, when it is transmitted it is unencrypted and you have no confirmation if it has been intercepted or even modified.
I recommend using programs like Signal4 or Wickr5 that provide end-to-end encryption, meaning the provider of the service cannot view or even decrypt your message. While too lengthy a topic for this book, this type of messaging is also referred to as zero knowledge encryption, where the service provider has no knowledge of encryption or decryption keys. Some of these providers also have the ability to set an expiration date on messages so they are automatically deleted from the recipient's phone after a specified amount of time. Sometimes, as a start-up, you can't follow every rule of the book to get things going; maybe it is more convenient to quickly share an administrator password to some system and then create a new user. Tools like Signal and Wickr can help you do that quickly and securely.
Chat programs like Slack6 and Microsoft Teams7 (included with Microsoft O365) have become hugely popular in large and small businesses alike. It provides an easy-to-use platform to collaborate across teams and physical distances. Like all services, there can be limitations to security based on cost. Some free versions may not allow the same amount of control over data within the platform that you would get if it was paid for.
It is critical to understand the difference between free and paid versions of the same product as well as to read through the terms of service. Most of these platforms encrypt data when it travels over the Internet but may not store it in an encrypted state. The ability to scroll back to the very first message is convenient but also comes at a risk cost of that data being stored somewhere, possibly encrypted. And if that service provider suffers a data breach, it could reveal your chat logs. If it is critical to have total confidentiality and integrity over the messages or data you need to share, then don't use chat platforms.
SECURE YOUR CREDENTIALS
Access to all of these great tools requires nearly the same things: a username and password, at a minimum. Unless you've been living a disconnected lifestyle in the wilderness of Montana, you'll most likely have heard about every major breach in the last 10 years. Of the vendors that respond to these data breaches, one in particular, Verizon, publishes a report8 every year on the breaches they respond to.
Every year in those reports, the compromise of usernames and passwords are at the top of the list of initial causes of those data breaches. You should treat your usernames and passwords (i.e., credentials) as you would your new amazing start-up intellectual property. Protect them at all costs. Many of the services I discuss in this book provide extra layers of security you can enable called multi-factor authentication (MFA).
The use of MFA is a business requirement today and can drastically reduce, if not eliminate, the possibility of someone that has stolen or guessed your credentials from logging into your account. There are various forms that MFA can come in; a text message is one of the most popular capabilities. However, as we have already discussed, text messages can be insecure.
Multi-factor authentication requires you to enter an additional piece of information when you log in with your credentials. You might even already use a feature like this with your bank where you receive a code via text message that you have to enter to complete the login process. While not all services you use will have this capability, you should enable it immediately, especially if you are like 80% of users that reuse passwords across many sites.
Some more advanced services like Google Workspace for Business allows users to use an app on their phone to conduct the MFA portion of their login. This app is called Google Authenticator and is free to use. Authy9 and LastPass10 are also popular free apps. For sites that support this type of MFA, you simply log in to your specific account, enable MFA, and the website provides a QR code that you then take a picture of with the authenticator app.
When using these apps, you will typically be presented with backup codes when you set up this type of multi-factor authentication. Print these codes out and put them in a secure place. If you lose your phone you lose your ability to authenticate into the services you've protected. I'm saying this twice because it is critical: print out and save your backup codes.
FIGURE 1.1 Yubikey Product Line
Source: https://www.yubico.com
This syncs your phone and the specific account. When you log in with your credentials again you simply open the app and enter the code displayed. There are alternative services to this app, such as Authy. Both of these apps work on iPhone and Android. Large organizations may even employ a physical token that displays a number that changes every 30 seconds. These physical tokens offer a higher degree of security but are more expensive to deploy and maintain.
FIGURE 1.2 Google Titan Security Keys
Source: https://cloud.google.com
SAAS CAN BE SECURE
Nearly gone are the days of setting up a physical server in your garage that runs the website, email, build, dev, staging, and production environments for your start-up. Software-as-a-service (SaaS) allows start-ups to both launch and scale quickly and take advantage of enterprise-level cybersecurity controls. Even in the shared security model adopted by most infrastructure-as-a-service (IaaS) providers like Amazon Web Services (AWS)11