Building a secure IT infrastructure for a startup

Joining a startup as an IT apprentice can be an exciting but challenging experience. Startups are known for their fast-paced, dynamic environments, where every day is different, and there's always something new to learn.

Cybersecurity, a concern at every level

Cybersecurity has become a crucial topic for all companies. When we think we have seen it all, phishing e-mails, social network account take-overs, large companies or hospitals being hacked, there’s always something new around the corner.

I joined Epsidy in the middle of 2022 as an IT professional, in charge of. I was seduced by the vision and mission of Epsidy, and by the prospect of joining at an early phase to build everything from scratch. It also matched my ambition of bringing innovation and best practices in IT security to a new business.

Some say that securing an IT infrastructure is expensive. Yes and no. First, your IT network can’t be 100% bulletproof: if someone really wants to break in, has the skills and resources to do so, they will find a way to break in. Cybersecurity is all about slowing down hackers and making the benefit ratio of a hack unfavorable. Second, you must be realistic: the level of security is linked to the company's resources and the potential loss from the exploitation of a breach. If your company’s servers and computers have not been updated in the last 5 years, the investment in an antivirus or an EDR (Endpoint Detection and Response system) will be steep and inefficient. In the context of Epsidy, it was unnecessary and unrealistic to reach the level of security of GAFAM (Google, Apple, Facebook, …) data centers.

Cybersecurity is well summarized by the concept of CIA: Confidentiality, Integrity and Availability. Company’s data shall not be modified by, shall not be intercepted by, nor made available for unauthorized people or services. Some classic attacks which break the CIA triad include:

-          DoS/DDos (Denial or Distributed Denial of Services) -> Availability

-          Man In The Middle -> Confidentiality

-          Ransomware -> Integrity

The best way to protect Epsidy’s IT infrastructure, in my experience, was to invest wisely and to follow the basics before going further and acquiring specialized solutions.

Setting up the IT infrastructure

In a startup, the first step in putting an IT infrastructure in place is to understand the needs of the business. This involves working closely with other team members to identify software and hardware requirements. I had to conduct research and explore different options to identify the best tools needed for the job.

Next, I had to create a plan. This involved setting up servers, configuring the network, installing software, and ensuring that everything was secure and worked correctly.

During implementation, I had to test and troubleshoot any issues that arose. This involved working closely with the team to identify problems and come up with solutions.

Maintaining and keeping services up to date

An updated system protects Epsidy from most (but not all) known vulnerabilities. When services are directly accessible from the internet, they are more sensitive and must be placed behind a firewall. Is a startup a target for attackers? Of course! Bots (automated programs) scan the internet relentlessly in search of easy-to-exploit vulnerabilities.

Default passwords

Often, companies are content with default passwords. This is easily spotted by bots and facilitates the process for attackers, as default passwords are sometimes publicly accessible. For instance, some websites reference all hacked webcams, and many of them still use their default passwords, available in plain text from their product manuals.

Network security solutions

A physical firewall provides an indispensable protection against unwanted connections. It can be quite sophisticated, compatible with SD-WAN (Software Defined WAN), VPN (Virtual Private Network), and/or NIDS/NIPS (Network Intrusion Detection/Prevention System).

Secured protocols

Everyone should learn the differences between HTTP and HTTPS: not only the lock icon in the search bar, but the way data is being transmitted. HTTPS ensures the authenticity of a correspondent and encrypts connections using certificates and cryptographic algorithms. In web-based applications, HTTPS protects the confidentiality of the data and ensures that no one impersonates the service you wish to contact.

Client-to-Site VPN also protects the confidentiality of the data by cryptographic algorithms, a must for remote work.

Beyond HTTP/HTTPS, some other protocols have secure variants: DNS/DNSSEC; LDAP/LDAPS…

Security policy

An IT security policy provides guidelines, expectations, user training, and a general strategy to safeguard the CIA triad of the company data. For instance, minimum password requirements can be set in the security policy. At Epsidy, every newcomer must be trained on and sign the IT security policy.

Users are often pointed out as being the weakest part of a company’s IT security, but they can be taught the risks and common attacks they could face. This is a crucial point as attacks often exploit social engineering tactics.

Following the principle of the least privilege

The principle of least privilege (PoLP) is about giving users or services just the needed privileges to perform a task at hand they have to perform. There is an interesting parallel between PoPL, and the concept of delegating decisions. Epsidy’s core values of Trust and Ownership means that decisions should be made at the lowest possible level in the organization. However, limiting access privileges for users, accounts, and computer processes to the bare minimum, reduces the risk that illegitimate functions are performed. For instance, never ask the CEO to take a day-to-day decision, and never use admin accounts to perform day-to-day tasks.

Security at Epsidy

Throughout the process of deploying a secure IT infrastructure at Epsidy, I need to regularly communicate with other team members and to keep them informed of progress. I also work closely with top management to ensure a good alignment with Epsidy's vision and mission.

Our goal at Epsidy is to provide our partners and customers with the best experience possible, building on our core value of Trust. To secure our operations, we continuously strive to protect the CIA triad of our data and IT infrastructure.

Previous
Previous

5 reasons you need a 3 Tesla for cardiac MRI, and 10 reasons you do not 

Next
Next

Artificial intelligence for detecting heartbeats