The following post is by Ran Levitzky, General Partner at Magenta Venture Partners, and formerly a Principal at Viola Ventures from 2015-2018.
Many startups today rely heavily on cloud services to run their operations, from email and productivity through Office 365 or Google apps, storing files on DropBox or Box, collaborating on Slack, taking notes on Evernote, using Salesforce, and so on – and for good reason: These services are easy to use, they don’t require heavy upfront costs, and you can rely on them to be there 24/7 without having to worry about high availability or patching servers. But it also means that instead of storing your most important data on on-premise servers that you fully own and control, it sits on multiple globally distributed data centers, and is accessible to anyone with a valid username and password.
And beyond your emails, files, and internal data, you’re probably running your product and your customers’ data on a cloud platform as well, like Amazon AWS, Microsoft Azure, or on the Google Cloud Platform. So basically, if you’re not taking the necessary steps to protect all the data you’re storing in the cloud, you could be setting yourself up for a major “datastrophy”.
Security is a state of mind, and if you don’t “think secure” early on, then you’re essentially putting your hot new company at risk not just in terms of data but also your brand’s reputation. Just last month, for example, LastPass had a security incident that got a lot of attention which certainly didn’t help in the way of PR. Think about it: a company whose primary purpose is to hold and protect your access credentials to every digital asset you hold dear – was hacked! Would you trust this brand again with your passwords in the future? And there were other examples too, like the Sony and Target breaches last year, and going back a few years there were also the Adobe and LivingSocial incidents.
Getting security right from day one will help you reduce the risk of security breaches that might damage not only your brand but also your employees who can get hurt as well. So what can you do to protect your data? Happily, there are actually lots of options, from cloud access security brokers and virtual private clouds, to secure coding, and many more, but in this post I’d like to get back to basics and talk about protecting access to your cloud services’ accounts.
How to protect access to your cloud services accounts:
1) Make sure that the passwords to your cloud services are secured. This requires three things:
First, create strong passwords, using a combination of at least eight characters and a mix of numbers, lowercase and uppercase letters, and symbols.
Secondly, never use the same password for more than one account login otherwise if a service is hacked, someone now has your credentials to multiple services you use and you are far more exposed.
And third, use Two-Factor Authentication (2FA), where a code sent via SMS, or a code generated by a designated app is used to complete the login process. This adds “something you have” (your phone), to the “something you know” (your password) thus making your authentication far more secure (if someone steals your username and password they still can’t log in).
These days Two Factor Authentication is offered as an out-of-the-box feature on many of the leading cloud services or you can use a third party solution such as Duo Security. I personally enabled 2FA for most of the services I use for personal use as well, such as Facebook, LinkedIn, and Google. And remember, your inbox is usually the place where you get password-reset emails, and where you hold your most sensitive communications, so start from there and make it harder for someone to hack your email.
2) Start using a password manager to manage unique strong passwords. This way you don’t even have to try to remember multiple passwords; the only two passwords you need to know are your computer login password and the master password to your password manager. Using a password manager will ensure your passwords are saved in an encrypted file and help you make using long and strong passwords easy.
I personally use KeePass which is an open source password manager that has been around for years, and MiniKeePass on my iPhone while syncing the password database file via DropBox. KeePass has useful features such as strong password generator and auto password fill-in functionalities. Changing your passwords will become much easier using this method, it might even turn into a fun pastime! (Nothing beats a glass of good wine, music, and updating a hundred online passwords on a Friday night every once in a while. Right??).
3) Get your entire team to use iPhones. Android’s global popularity and openness has resulted in far more malware targeting Android. Also (as Apple reminds us each and every year), nearly all Android devices out there run versions of Android that aren’t the latest (Android Lollipop which has been out for more than 8 months now, is used by just 12 percent of Android users), which means that security vulnerabilities are not patched on most Android devices.
iPhones on the other hand, update to the latest iOS with just a few clicks and most users run the latest iOS version. Also, apps are more carefully controlled and reviewed in the App Store pipeline and are more limited in their ability to integrate with the underlying OS. I’m not trying to sell you iPhones, but the reality is that if you want better security in your startup and to avoid your credentials being stolen by an app, you’d do well to get your team to use iPhones exclusively.
Don’t get me wrong, cloud platforms and services are in many ways a blessing, enabling agility, fast innovation, and setting up new companies with little IT investment and employees. When Instagram was acquired by Facebook for a billion dollars, for example, they were a team of just 13 employees. But in a world where every service has a front door on the web, the reality is that you need to prioritize protecting the access to those services, otherwise you may be vulnerable to breaches you might have avoided if you’d only “thought secure”.
More posts by Ran Levitzky:
5 Key Security Takeaways from RSA Conference 2016
AWS re:Invent 2016: Key takeaways and what they mean for early stage startups
Viola Ventures invests in Cloudyn, the startup empowering Enterprises to embrace the hybrid cloud