Every young company discovers that installing security in place can be expensive. So they need to manage the priorities. In the presentation we discuss the various phases in start-up life cycle and which security controls should be placed on each phase.

1. Moshe Ferber, CCSK
Onlinecloudsec.com
Cloud Security
For Startups
Aligning Risk with Growth

2. About:
 Moshe Ferber, 39, lives in Modiin (+2).
 Information security professional for over 20 years.
 Popular industry speaker and lecturer.
 Founded Cloud7, Managed Security Services provider (currently owned
by Matrix).
 Shareholder at Clarisite – Your customer’s eye view
 Shareholder at FortyCloud – Make your public cloud private
 Member of the board at MacshavaTova – Narrowing societal gaps
 Co-Chairman of the Board, Cloud Security Alliance, Israeli Chapter.
2

3. The benefits of cloud computing are
clear, What are the risks?

4. Cloud
attack
vectors
Provider
Administration
Wide
Dashboard
Multi tenancy
&
Virtualization
Automation &
API
Chain of supply
Side Channel
attack
Insecure
Instances

5. Cyber attacks trends for
cloud computingCloud services
ransom malwares
Bitcoin
API
Attacks
Supply chain
Attacks

6. So, how to build your security?
Infrastructure security
Application Security
Operational security

7. Good Security is based on controls…
Preventive
• Firewall
(Security
Groups)
• Authentication
• AntiVirus
• Guards
Detective
• IDS
• System
monitoring
• Motion
detector
Corrective
• Upgrades &
Patches
• Vulnerability
scanning
Compensatory
• DRP & Backup
• Firewall logs
• Reviews
• Audit &
reconciliation
Based on http://www.sans.edu/research/security-
laboratory/article/security-controls

8. The security phases of startup
Phase 1 –
Building blocks
• From Seed to
the first
customers
Phase 2 –
Maturing
• Growing and
adding
customers.
Phase 3 – Build
trust
• Maturing your
services.

9. Phase 1 – Make sure you got the right
building blocks
 Plan your architecture: logical and physical segmentation.
 Understand your data lifecycle.
 Laws and regulations to consider.
 Choose your partners: software, IT, backend.
 Start your SSDLC building block – threat modeling.
Architecture.
 Implement IaaS best practices:
• Identity & Access.
• Compensating controls

10. Build your dashboard with permissions
Users &
resources
RolesGroups

11. Best practices for IAM
Don’t use master
account
Delete root access key
Enable MFA for critical
users
Apply good password
policy
Rotate credential
periodically
Safeguard your host &
access keys
Create individual users with
specific roles

12. Compensating controls
Activate billing
alerts
API & Dashboards
logs
Cold
Backup
Active
Secondary
site
External & Multi Cloud
Backups:
Encrypt data in
transit

13. Phase 2
 Production environment is now maturing. Its time for roles
separation at production.
 Authentication mechanism should be mature by now.
 Security in Software Development life cycle (SSDLC) should
take more focus.
vulnerability scan &
penetration tests
Identity Federation
Services
Encryption of data at
rest
Security training for
R&D

14. Phase 3
 operational security begins to matter.
 More detective controls should be placed.
 Incident management procedures should mature.
 Transparency will be an advantage.
DR, BC and active
secondary location
Log management &
Event correlation.
Patch & change
management
Automation of
configuration
Ongoing security
awareness program

15. Questions?

16.  Cloud security is maturing fast (it took us over 20 years to
secure the PC…)
 Security is expensive, but with the right building blocks you
can integrate with the grow of business.
 Make sure you do the basics from the first day, it will be hard
to add them later.
To wrap things up…
Don’t be the next CodeSpaces

17. Keep in Touch
 Moshe Ferber
 moshe@onlinecloudsec.com
 www.onlinecloudsec.com
 http://il.linkedin.com/in/MosheFerber
Cloud Security Course Schedule can be find at:
http://www.onlinecloudsec.com/course-schedule