
Realities of security at a smaller company

Sep 26, 2019

Leading the early infrastructure efforts at Quid, security always loomed top of mind during the work of the team. However, as Quid’s client base grew and we started handling increasingly sensitive data, I took on the lead of our security efforts in a more official capacity. This meant working with an external security advisor, writing our security policies, and evangelizing our security practices throughout the company. Oh, and filling out a never-ending stream of wonky Excel-based security surveys from potential clients. A true welcome to the world of corporate security!

Fresh off a migration to AWS in early 2018, I participated in a fireside chat with ScaleFT (now Okta) to share our experience with their zero trust security tooling we introduced in our workflow during the migration. While the chat starts out pretty specific to ScaleFT, we end up covering many of my general experiences concerning and approaches to security at a smaller company.

You can watch the full chat embedded just below or read a few selected highlights in bullets at the bottom of this post.

  • When we moved from Rackspace to AWS, we decided to start embracing a zero-trust security model. We chose tooling from ScaleFT based on the BeyondCorp implementation from Google. The crux of the idea is to shift access controls from the network to individual devices. By taking such an approach, we were able to eliminate our VPN and maintain much finer controls on developer access to servers and thus customer data.

  • When we turned off our VPN, nobody noticed. Thanks to ScaleFT, we were able to introduce better security controls with minimal friction. This is something the security industry should pay more attention to. Security wins when it’s the easier path. I was most successful at my job when I made things easier and less so when I dumped policies on people or introduced inconvenience for the sake of security.

  • While most employees would like to handle things securely, they ultimately (and fairly) care about getting their job done more. If an employee has to choose between getting their job done and your security practices, they are going to choose their job. This is not a surprise and should significantly inform your security practices.

  • Ultimately, security comes down to the choices of the humans with access to systems and data which means much of security is best effort. And if security is not ingrained in the culture in a positive way, you have people resisting instead of participating.

  • Least access is probably the smartest de facto policy for security. If somebody does accidentally leak a document or take a peek at sensitive customer data, at least have controls to ensure this person was supposed to even have access in the first place. Better a stakeholder make a mistake than a fly-by contractor accidentally stumble into trouble.

  • Any startup handling any kind of money will immediately hire an accountant to take care of their finances. You (should) never find a company asking an employee “Hey Ryan, you’ve played with Excel before, how about you take care of our taxes this year?”. This is not a thing and you would significantly jeopardize the future of the company by doing so. Yet, startups with similar responsibility by handling sensitive data on day one will not hesitate to either completely skirt or under-resource security. This is extremely problematic, and I hope this starts to change as tooling improves or regulations pass.

  • There’s still a huge opportunity in the security space addressing the realities of a modern technology company’s reliance on flexible tooling and workflows. As a small company, we had to use external tools and vendors for addressing security. We had no choice. There’s no way we could build everything ourselves. Google spent multiple years and many very smart people to bring something like BeyondCorp to life. We did not have those resources.

  • Much like how codifying infrastructure really accelerated operations, I am very excited to see the same softwarization happening in security. While a lot of the emerging tooling is still quite frustrating as none of the pieces interpolate the gaps very well, the future is bright!
