3 Free Ways to Improve your Startup’s Internal Security Posture
By Gabi Leibovich, Senior Software Engineer responsible for DevOps and Security at Donut.
Let’s be honest, no one really likes to talk about internal security at an early-stage startup. Everyone is too busy moving fast, breaking things and onboarding new team members to care about shared passwords and API keys littered across your GitHub repos. But whatever your size, users have entrusted you with their sensitive data, funds, documents and more. It is our responsibility as builders to keep them safe, whether you have one user or one million.
While we might do our best to enforce solid security on our public-facing products and APIs, it is often internal accounts, over-privileged team members and the internal tools they log into, that give an attacker the easiest way in. Unfortunately, many advanced internal security tools and practices are out of reach for small teams, so I’ve put together three free ways to improve your internal security posture that you can implement right away!
1. Ditch the VPN and go Zero Trust 🥷
Self-hosted applications like Metabase, Kibana and Grafana are often the go-to for young startups. They are cheap and easy to set up, especially with Helm charts on Kubernetes. But add customer support applications and other internal services, with investors, devs and less-technical team members all requiring different levels of access, and they quickly become a pain to manage.
Exposing these apps on public IPs hands attackers a set of new targets, so it should only be done with the utmost care. Many teams reach for a VPN to keep everything on a private network. While this solves the public-exposure problem, VPNs are annoying to manage, need setup on both the user and the dev side, and often carry real operating costs. On top of that, a VPN rarely gives you easy network segmentation: every VPN user lands on the whole internal network, so one stolen VPN credential or one compromised laptop gives an attacker a foothold from which to pivot to your most sensitive resources.
All these issues are why the industry is moving away from the VPN towards Zero Trust networking. The TLDR of Zero Trust: instead of one network-wide entry point, every request to every service is authenticated and authorised on its own, each service with its own rules and restrictions. Cloudflare Access makes implementing these controls quick, painless and cheap. It is free for up to 50 users, plugs into identity providers (IdPs) like Google Workspace, and comes with robust features such as device posture checks and context-aware access rules.
If you run your apps on Kubernetes, the cloudflared container image can be used to spin up a Deployment that opens an outbound tunnel to Cloudflare, so the services on your cluster need no public ingress at all. You then set up and manage rules and user groups from the Access dashboard. If you build your own internal services, such as a customer support application, you can also use Access as the auth layer: every request that passes Access reaches your origin with a Cf-Access-Jwt-Assertion header carrying a signed JWT (and a convenience Cf-Access-Authenticated-User-Email header). Two caveats. First, your app must verify that JWT, checking the signature against your team’s public keys (published at https://<team>.cloudflareaccess.com/cdn-cgi/access/certs), the audience tag of the application and the expiry, rather than trusting the email header on its own. Second, the origin must be reachable only through the tunnel, because anyone who can hit it directly can set those headers themselves.
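Here is what that verification step looks like, as an added example that is not code from the original post or from Cloudflare. It uses only the Python standard library so it runs offline: the RS256 check is written out by hand, the JWKS is passed in as a dict (in production you would fetch and cache the certs URL above), and the signing key at the bottom is a hypothetical demo key for the self-test, not a Cloudflare key. The audience tag and team domain are placeholders you replace with your own.

```python
import base64
import hashlib
import hmac
import json
import time

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _emsa_pkcs1_v15(message: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message), padded to k bytes."""
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    if k < len(t) + 11:
        raise ValueError("RSA modulus too small for SHA-256 signatures")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def rs256_verify(message: bytes, sig: bytes, n: int, e: int) -> bool:
    """RSASSA-PKCS1-v1_5 verification with a constant-time comparison."""
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v15(message, k))


def verify_access_jwt(token: str, jwks: dict, audience: str, issuer: str, now=None) -> dict:
    """Return the claims of a valid Access assertion, else raise ValueError.

    audience: the application's Access AUD tag; issuer: https://<team>.cloudflareaccess.com
    """
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        claims = json.loads(b64url_decode(p64))
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm ourselves; never let the token choose (rejects alg=none and key-confusion tricks).
    if header.get("alg") != "RS256":
        raise ValueError("unexpected alg")
    key = next((k for k in jwks.get("keys", [])
                if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if key is None:
        raise ValueError("unknown kid")
    n = int.from_bytes(b64url_decode(key["n"]), "big")
    e = int.from_bytes(b64url_decode(key["e"]), "big")
    if not rs256_verify(f"{h64}.{p64}".encode(), b64url_decode(s64), n, e):
        raise ValueError("bad signature")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud", [])
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    now = time.time() if now is None else now
    if now >= float(claims.get("exp", 0)) or now < float(claims.get("nbf", 0)):
        raise ValueError("token expired or not yet valid")
    return claims


def access_jwt_is_valid(token, jwks, audience, issuer, now=None) -> bool:
    """Allow/deny wrapper for middleware that does not need the claims themselves."""
    try:
        verify_access_jwt(token, jwks, audience, issuer, now)
        return True
    except ValueError:
        return False


# ---- Demo signer, test support only (hypothetical key, NOT Cloudflare's) ----
# Built from two published Mersenne primes so the block is deterministic and runs
# offline. That also makes it trivially factorable: never use a key like this.
_P, _Q = 2**521 - 1, 2**607 - 1
DEMO_N, DEMO_E = _P * _Q, 65537          # 1128-bit modulus, 141 bytes
_DEMO_D = pow(DEMO_E, -1, (_P - 1) * (_Q - 1))
DEMO_KID = "demo-kid"
DEMO_JWKS = {"keys": [{"kty": "RSA", "alg": "RS256", "kid": DEMO_KID,
                       "n": b64url_encode(DEMO_N.to_bytes(141, "big")),
                       "e": b64url_encode(DEMO_E.to_bytes(3, "big"))}]}


def demo_sign(claims: dict, alg: str = "RS256") -> str:
    """Mint a token with the demo key; `alg` only changes the header (for negative tests)."""
    header = {"alg": alg, "kid": DEMO_KID, "typ": "JWT"}
    parts = [b64url_encode(json.dumps(x, separators=(",", ":")).encode()) for x in (header, claims)]
    m = int.from_bytes(_emsa_pkcs1_v15(".".join(parts).encode(), 141), "big")
    return ".".join(parts + [b64url_encode(pow(m, _DEMO_D, DEMO_N).to_bytes(141, "big"))])
```

In a real service the JWKS fetch, the audience tag and the issuer come from your Access application settings, and the check runs in middleware before any handler reads Cf-Access-Authenticated-User-Email. Using a maintained JWT library in place of the hand-rolled RS256 above is fine, as long as it is configured to pin the algorithm and validate aud, iss and exp the same way.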
2. Use a Secret Manager 🔐
Secure secret management is a huge pain in the a** for both humans and servers. We have all turned to password managers like 1Password or Keeper for our day-to-day needs, yet our server secrets are left scattered through git repositories or sitting unencrypted somewhere with no audit logging and no access restrictions. BUT there’s a better way.
Both AWS and GCP offer secret management with free tiers or low monthly costs, and there are plenty of other options like 1Password Developer Tools or HashiCorp Vault. Things to look for in a secret manager are audit logging, strong encryption at rest, and IAM rules that can be scoped per secret and per identity. That way developers can create and rotate secrets, but only the service that needs a given secret can read it at run time, with a clear log of who read what. If you run on GKE, Workload Identity is a quick way to give pods access to GCP Secret Manager without any long-lived key files: run each workload with its own Kubernetes service account, bind it to a dedicated GCP service account, grant that account the Secret Manager Secret Accessor role on just the secrets it needs, and use the Secret Manager client from the pod to fetch them.
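As an added example (not code from the original post or from Google), here is the in-pod side of that setup: a small read-only secret loader that only fetches secrets on an explicit allow-list, verifies the CRC32C checksum Secret Manager returns with every payload, and caches values for a short TTL so rotation is picked up without hammering the API. The project id, secret names and versions are placeholders; the IAM binding described above is assumed to be in place, so the official client needs no key file. The real client call is isolated in one function and imported lazily, and the self-test injects a constructed fake in its place.

```python
import time
from typing import Callable, Dict, Tuple


def crc32c(data: bytes) -> int:
    """CRC-32C (Castagnoli), the checksum Secret Manager sends with each payload."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (0x82F63B78 if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF


def secret_version_name(project: str, secret: str, version: str = "latest") -> str:
    return f"projects/{project}/secrets/{secret}/versions/{version}"


def gcp_fetch(name: str) -> Tuple[bytes, int]:
    """Fetch through the official client (assumed installed in the pod; imported lazily so the
    rest of this file runs offline). With Workload Identity the client picks up the pod's bound
    GCP service account automatically; there is no JSON key to mount or leak."""
    from google.cloud import secretmanager  # pip install google-cloud-secret-manager
    client = secretmanager.SecretManagerServiceClient()
    resp = client.access_secret_version(request={"name": name})
    return resp.payload.data, resp.payload.data_crc32c


class SecretStore:
    """Read-only, checksum-verified, TTL-cached access to the secrets one service may use."""

    def __init__(self, project: str, allowed: Dict[str, str],
                 fetch: Callable[[str], Tuple[bytes, int]] = gcp_fetch, ttl_seconds: int = 300):
        self._project = project
        self._allowed = dict(allowed)   # secret name -> version; pin a number to make rotation deliberate
        self._fetch = fetch
        self._ttl = ttl_seconds
        self._cache: Dict[str, Tuple[float, bytes]] = {}

    def get(self, secret: str, now=None) -> bytes:
        if secret not in self._allowed:
            raise PermissionError(f"{secret} is not on this service's allow-list")
        now = time.time() if now is None else now
        hit = self._cache.get(secret)
        if hit and now - hit[0] < self._ttl:
            return hit[1]
        name = secret_version_name(self._project, secret, self._allowed[secret])
        data, expected = self._fetch(name)
        if crc32c(data) != expected:
            # Refuse a corrupted value; log the resource name only, never the payload.
            raise RuntimeError(f"checksum mismatch fetching {name}")
        self._cache[secret] = (now, data)
        return data
```

The allow-list in the constructor should mirror the IAM grant on the GCP side: if the service account can only read two secrets, the code should only ever ask for those two, so a bug or an injected secret name fails closed in both places.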
3. Keep your Users’ Private Data (PID) Locked Down 🤫
Not too long ago Robinhood reported a leak of millions of customers’ personal data points after an attacker socially engineered a customer support employee and got into their customer support systems. Cases like this show that every internal user with PID access is an additional attack vector for bad actors. Young startups far too often give all team members unrestricted access to PID, especially through tools like Metabase or Google Data Studio that may not have solid access controls on their free tiers.
Your users have trusted you with personal information that, if leaked, can harm their privacy or lead to identity theft. That is not something any team should take lightly.
With PID you should always ask yourself:
- What’s the minimum amount of access that a tool or team member needs to do their job?
- If we do give someone access to sensitive data, what common-sense restrictions can we impose? Maybe team members can only reach the data from their work laptops (device posture)? Maybe all your team members sit in a handful of locations (context awareness)? Maybe a customer support (CX) user needs to look up 100 user profiles a day, but never one million (rate limits)? Maybe you can enforce MFA across all your tools?
- Lastly, how do we keep a record of access, so that if there is a breach the compromised services and accounts can be quickly identified, quarantined and fixed?
Easy and free ways to start: separate database roles whose grants are limited to the tables and columns each tool or team actually needs (most databases support column-level grants), audit logging on all tools and databases, having your applications encrypt PID fields at rest with keys held in a KMS, and/or free tools like Cloudflare Access so that team members connect with MFA, context awareness and strict device posture checks.
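The three questions above, turned into code: an added example (not from the original post) of a data-access layer for an internal support tool that gives each role only the columns its job needs, caps how many profiles one account can pull per day, and writes every attempt, allowed or denied, to an audit table. SQLite keeps it self-contained and the roles, limits and user rows are constructed for the example; in Postgres you would add real database roles with column-level grants (GRANT SELECT (id, email) ON users TO support_ro) underneath this so the application cannot read more than it is meant to even if this code is bypassed.

```python
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY, email TEXT NOT NULL, full_name TEXT NOT NULL,
    ssn TEXT NOT NULL, balance_cents INTEGER NOT NULL
);
CREATE TABLE pid_access_log (
    ts TEXT NOT NULL, actor TEXT NOT NULL, role TEXT NOT NULL,
    user_id INTEGER NOT NULL, columns TEXT NOT NULL, allowed INTEGER NOT NULL
);
"""

# Least privilege per role (hypothetical roles): support never sees SSNs,
# finance never sees names, only admin sees everything.
ROLE_COLUMNS = {
    "support": ("id", "email", "full_name"),
    "finance": ("id", "email", "balance_cents"),
    "admin": ("id", "email", "full_name", "ssn", "balance_cents"),
}
# "100 profiles a day, not one million": per-role daily lookup caps.
DAILY_LIMIT = {"support": 100, "finance": 50, "admin": 1000}


class QuotaExceeded(PermissionError):
    pass


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def seed_demo_users(conn: sqlite3.Connection, count: int = 5) -> None:
    """Constructed sample rows; nothing here is real personal data."""
    rows = [(i, f"user{i}@example.com", f"Demo User {i}", f"000-00-{i:04d}", 1000 * i)
            for i in range(1, count + 1)]
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()


def lookups_today(conn: sqlite3.Connection, actor: str, now: datetime) -> int:
    """Allowed lookups by this actor on the calendar day of `now` (UTC)."""
    return conn.execute(
        "SELECT COUNT(*) FROM pid_access_log WHERE actor = ? AND allowed = 1 AND substr(ts, 1, 10) = ?",
        (actor, now.strftime("%Y-%m-%d"))).fetchone()[0]


def get_profile(conn: sqlite3.Connection, actor: str, role: str, user_id: int, now=None):
    """Return only the columns `role` may see for one user, enforcing the daily cap
    and recording the attempt (allowed or denied) in the audit table first."""
    if role not in ROLE_COLUMNS:
        raise PermissionError(f"unknown role {role!r}")
    now = now or datetime.now(timezone.utc)
    cols = ROLE_COLUMNS[role]
    allowed = lookups_today(conn, actor, now) < DAILY_LIMIT[role]
    conn.execute("INSERT INTO pid_access_log VALUES (?, ?, ?, ?, ?, ?)",
                 (now.strftime("%Y-%m-%dT%H:%M:%SZ"), actor, role, user_id, ",".join(cols), int(allowed)))
    conn.commit()
    if not allowed:
        raise QuotaExceeded(f"{actor} hit the {role} daily limit of {DAILY_LIMIT[role]} lookups")
    # The projection is built from the fixed allow-list above, never from caller input;
    # the user id stays a bound parameter.
    row = conn.execute(f"SELECT {', '.join(cols)} FROM users WHERE id = ?", (user_id,)).fetchone()
    return dict(zip(cols, row)) if row else None


def audit_trail(conn: sqlite3.Connection, actor: str):
    """What an incident responder pulls first: everything one account touched, in order."""
    return conn.execute(
        "SELECT ts, role, user_id, columns, allowed FROM pid_access_log WHERE actor = ? ORDER BY ts, rowid",
        (actor,)).fetchall()
```

Two design points worth copying even if the rest is replaced by a real framework: the audit row is written before the data is returned, so a crash or a denied request still leaves a trace, and denied attempts are logged too, because an account suddenly hitting its quota is exactly the signal that credentials have been stolen.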
Say Hi 👋
I hope you enjoyed this little overview of some easy and free ways to jumpstart a security mindset for internal applications at your startup. If you have any feedback, leave a comment or if there’s any concept or tool you think I should go more in-depth on or make a tutorial about, please let me know!
If you think you might fit in with our hacky vibes then come and join us!