Why your startup needs Zero Trust cyber security

Zero Trust means only authorised devices can access your systems. It's for the best, argues Alonso Bustamante of Cloudflare
Alonso Bustamante
A bouncer vets a queue of girls for entry into a nightclub
Zero Trust: if your name's not on the list, you're not coming in

If you want to see what business ingenuity looks like, just run a search for ‘startups’. From recruitment and media, to food, fintech and health, there is wave upon wave of exciting new businesses driven by people with real vigour ready to be the next big thing. Despite their differences, what links them all is technology, and the empowering benefits it brings to business and people.

But if technology is the common thread, then security must also be part of these innovative ventures. Not as some after-thought or bolt-on but sewn into the very fabric of a new venture from day one.

That’s why, of all the well-intended advice that is thrown at startup founders, this has to be top of mind. When it comes to security, Zero Trust is a must.

What is Zero Trust security?

Zero Trust security is an IT security model that requires strict identity verification for every person and device trying to access resources on a private network. It doesn’t matter whether it sits inside or outside the network perimeter, if the user can’t be verified, then access is denied.

In a way, it’s like a bouncer on the door of a glitzy event at a nightclub. You may be an instantly recognisable celebrity, but unless your name is on the list – and you come armed with your invite – you’re not coming in.

That may seem harsh or even obsessively security conscious. That’s the point. It’s meant to be.

A Zero Trust approach to security isn’t about plugging in more hardware and running more layers of code. It can’t be achieved simply by throwing more money at the problem to get added protection. Instead, it’s a much more holistic approach to network security that incorporates different principles and technologies. In other words, it’s a mindset – a belief system, if you like – that should be employed from day one to ensure security is hardwired into every aspect of the operation.

Castles and moats belong in the history books – not modern IT security

Zero Trust security differs from traditional approaches to network security which tended to be based on a sealed perimeter model often referred to as the ‘castle-and-moat’ concept. While these fortifications are designed to keep unwanted intruders out, the assumption is, if someone or something is within the castle walls, they must have been allowed entry. They must be ‘ok’. Which is fine…until an attacker imitates an employee. By then, the damage is done.

Put simply, traditional perimeter-based IT network security trusts anyone and anything inside the network. Zero Trust architecture trusts no one and nothing. Once this is accepted and taken on board, it opens the door to a much safer and structured way to approach security.

Security can’t be relegated to an afterthought during the excitement of building the next ‘must have’ app. Startups need to ensure security is a core product design principle from day one.

As part of security for your startup also consider:

  • Auditing your assets. While it’s important to keep tabs on who has access to what, it’s also essential to keep an inventory of all your Internet-facing assets, from your website, SaaS tools, to your social media accounts. Leave nothing out, and leave nothing, even redundant assets, behind.
  • Access controls. When it comes to system access, think about who has access to what. Startups can grow at such a pace staff turnover can be high. Make sure you have a tight rein on management access rights. While people need the right access to the right tools, giving everyone
    carte blanche is the opposite of ‘Zero Trust’.
  • Email security. Zero Trust also extends to email security. Email is the largest cloud application for any business and as such the largest security threat. US cyber security agency, CISA, found that more than 90% of successful cyber-attacks start with a phishing email. You should build in phishing, malware, business email compromise mitigation as part of your Zero Trust approach.

If all this sounds daunting – or even expensive - remember that there are plenty of free tools available for companies like yours (e.g., DDoS protection, VPNs, Password managers, etc). You can begin to secure your employees, your data, and your customers with entry-level product tiers.

Do remember, however, you won’t be a startup forever. At some point, you’ll be expanding, and you’ll need to make sure your tech grows with you. Building good relationships with vendors from the outset means suppliers can join you on your journey and flex – both in terms of scale and sophistication – as you do.

Enacting Zero Trust now saves costs for the future

At first glance, this may be a lot to take on board. But for anyone starting up a business now, it could be argued that they are better placed than those more established businesses who are only now realising the limits of traditional approaches to security.

What’s becoming clear is that businesses and organisations that have developed their own IT security systems based on traditional castle and moat architecture are increasingly turning to Zero Trust to help protect themselves. Businesses in the position to adopt such Zero Trust approach from the early days are best placed to do so and should take the lead.

Ultimately, security needs to be lived and breathed by the very top of the organisation so that it becomes embedded throughout the business. Ideally, it should become a core value of the organisation instilled from the very beginning. Not only will it pay dividends for the business, the adoption of Zero Trust – and the positive impact it has on the wider connected world – it’s a sign that the new wave of entrepreneurs has a stake in the future.

Written by
Alonso Bustamante