How startups can stay on top of their security game

Serious about scaling your startup but not 100% sure you’re doing cloud governance the right way? We feel you! But at this point in the game it’s a must-have, not a nice-to-have.

Thankfully, it doesn’t have to be painful, confusing, or expensive. We’ve put together a sanity checklist to help you stay proactive, avoid major costs, and have peace of mind knowing your cloud setup is secure.

Not sure where to start?
Just focus on these 7 areas and you’ll already have your bases covered. You can implement all these recommendations quickly without breaking the bank (or keeping your CFO up at night).

1. Keep the “shared responsibility model” in mind

Remember that cloud providers (e.g. Google Cloud, AWS, etc.) are responsible for the security of the cloud itself. But you are responsible for everything you set up on your side, i.e. the security of your own applications that you deploy in the cloud. Keeping this in mind will ensure that you avoid nasty surprises down the road.

2. Make sure only authorized people can access your services

You don’t want to end up in a situation where you lose access, as restoring it will take a significant amount of time (that you need for countless other things!). Thankfully, there’s a variety of ways to limit access to only the “right” people:

  • Keep user identities and permissions to the bare minimum (a.k.a. the principle of least privilege)
  • Use single sign-on (SSO)
  • Make two-factor or multi-factor authentication mandatory
  • Store all your passwords in a password manager (e.g. Bitwarden, LastPass or KeePass)
  • Duplicate critical responsibilities (i.e. 2-3 admins in smaller startups and 3-5 admins in larger companies are considered best practice)
  • Log all access so you have a constantly updated overview
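One way to turn the least-privilege, public-access and "2-3 admins" points above into a repeatable check on Google Cloud, as an added example that is not part of the original post: the function below reads a project IAM policy in the JSON shape that `gcloud projects get-iam-policy --format=json` returns and flags broad basic roles, public principals and an owner count outside the range the checklist recommends. The sample policy and the `example.com` accounts are constructed.

```python
import json

# Basic roles (editor/viewer) grant broad access to every resource in a
# project; least privilege means replacing them with narrower predefined roles.
BROAD_ROLES = {"roles/editor", "roles/viewer"}
# Special principals that expose a resource to everyone on the internet.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def audit_iam_policy(policy, min_owners=2, max_owners=3):
    """Return (severity, message) findings for a GCP project IAM policy."""
    findings = []
    owners = set()
    for binding in policy.get("bindings", []):
        role = binding["role"]
        members = binding.get("members", [])
        if role in BROAD_ROLES:
            findings.append(("medium", f"broad role {role} granted to {', '.join(members)}"))
        for member in members:
            if member in PUBLIC_MEMBERS:
                findings.append(("high", f"{role} granted to {member} (public access)"))
        if role == "roles/owner":
            owners.update(members)
    # Duplicate critical responsibilities: too few owners risks a lockout,
    # too many widens the blast radius of a single compromised account.
    if len(owners) < min_owners:
        findings.append(("low", f"only {len(owners)} owner(s); keep at least {min_owners}"))
    elif len(owners) > max_owners:
        findings.append(("low", f"{len(owners)} owners; keep at most {max_owners}"))
    return findings


# Constructed sample policy in the shape of `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/owner", "members": ["user:founder@example.com"]},
  {"role": "roles/editor", "members": ["group:everyone@example.com"]},
  {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
  {"role": "roles/logging.viewer", "members": ["user:dev@example.com"]}
]}
""")

if __name__ == "__main__":
    for severity, message in audit_iam_policy(SAMPLE_POLICY):
        print(f"[{severity}] {message}")
```

Run it against the live policy by piping the `gcloud` output into `json.load` instead of the constructed sample; Security Command Center (section 6) raises equivalent findings, so this is mainly useful as a pre-commit or CI gate.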

3. Know and protect your intellectual property (whatever form it has)

The primary way to keep your IP safe is to avoid losing access and ensure you employ the principle of least privilege. That way, you can be reasonably sure you’ve done what you can to avoid your IP getting snatched up.

4. Know what other kind of data (including customers’ data) you have

Are you storing Personally Identifiable Information (PII) that falls under GDPR rules, and do you need to be able to demonstrate compliance with data protection principles? If yes, you need to take a stand on how you protect this data. Whether it’s through bucket tagging/labeling, versioning, deletion protection, access logs, or something else entirely: your solution has to be able to strengthen the security of sensitive data.

5. Isolate production workloads from other workloads and general assets

Don’t wait until the last minute to get into a scale-up mindset! You’ll want to isolate your production workloads from your other workloads (e.g. development and testing) from the get-go. That way, you’ll avoid production issues that may lead to data loss and extended downtime (never a good time for anyone involved!). Sooner or later, you’ll have to give external parties access for development and/or testing purposes as your business scales. The best way is to separate your deployments into production, testing, development, etc. environments by using separate projects (GCP) or accounts (AWS) for each.

6. Use the security tools of your cloud provider

Google Cloud has the Security Command Center, AWS has its Security Hub. Both tools continuously evaluate your environment according to security best practices. They will also give you suggestions on how you can improve the security of your cloud setup. You can immediately reap the benefits of these suggestions, but by starting to use them from day 1, they are also a great way to avoid large-scale reengineering down the road (saving you a lot of time and money!).

7. Be conscious about costs

Keep a close eye on what you’re paying and why. Budgets are tight in startup land, and investors want to know that funding is being spent in the most optimal way. Thankfully, you can set up budgets and alerts for your cloud setup, so you can react quickly if your costs escalate. Credits given to you by cloud providers can be tempting, but they’re really good as a temporary solution at best (and at worst, cost a pretty penny down the line anyway). Try to adopt a more long-term solution that is both secure and cost-efficient, from startup to scaleup, to enterprise. Your CFO will thank you for it.


Mooncascade is an official Google Cloud, Google Workspace, and Amazon Web Services partner! Feel free to reach out to us if you’d like to find out even more about setting up governance practices that scale with your business at contact@mooncascade.com


Join us for a sTARTUp Day side-event on the 24th of August at 4 PM, when technical knowledge meets legal knowledge at the Mooncascade Tartu office (Narva mnt 9). Certified Google Cloud and AWS partner Mooncascade along with the top-tier commercial law firm TGS Baltic invite you to join us for a discussion on how to operate in the modern cloud environment while being compliant and diligent from day one. Read more about the event from here.

Published by Asko Seeba. Asko is the Co-Founder of Mooncascade, a leading Product Development and AI Consultancy Company. He’s been working in the tech industry for the last 20+ years. Currently, Asko’s focus is on data science (big data, machine learning, AI, data analytics) and business impact driven product development.