With the mounting threat and liability of security breaches in today’s tech landscape, no startup can afford to launch without a security plan. And with privacy, usability and regulations to consider, there’s no such thing as a one-size-fits-all approach.
With Cyber Monday looming, it's more important than ever to have your affairs in order.
We asked the experts at three Austin tech companies focused on security and identity management what matters most when you draw up your company’s plan. The Q&As below should help you find the right questions to ask, the constraints to consider and the new trends you should know about.
Co-CTO Philip Molter
What security standards matter the most when building an online community?
When building an online community today, the most important standard is simply to encrypt all communication and data. This allows for protection of user privacy and security from eavesdropping. That makes the TLS (Transport Layer Security) protocol the most important standard for network communication, and the AES (Advanced Encryption Standard) encryption ciphers the most important standard for data encryption. Encryption doesn't solve all of the security problems, but if you don't start with it, all your other efforts are compromised.
What are the most important questions a company should ask when making decisions about security features and safeguards to implement? How do you evaluate risk?
Companies really need to ask how they can be compromised and what information can be obtained. Companies tend to focus on external threats, whether they're active like malicious hackers or passive like government eavesdropping. Companies can just as easily be compromised through internal channels as well. Target, for example, was compromised through an internal vendor. We call these the attack vectors, and asking what they are and working to minimize them is key to security.
What are some ways to balance security with convenience for users?
The misconception is that security and convenience are mutually exclusive. In fact, improving convenience for users can actually enhance security, because it makes it easier for them to protect themselves. Tools like Golden Frog’s VyprVPN make security more ubiquitous because they make it more convenient. The best way to balance security with convenience is to make security more convenient, not to sacrifice some security for convenience.
Tell us about some emerging technologies in this area. How will they impact security?
Zero-knowledge protocols, which allow service providers to provide data transfer services without any access to the data itself, are really coming to the forefront of the privacy and security debate. Messaging apps like Golden Frog's Cyphr are making use of it to provide secure and private individual and group conversations. Even Apple is pushing this technology to protect their newer iPhones and iPads. This technology and the mindset behind it is pushing security and privacy control to the end-users. People no longer have to trust an intermediary to treat their data securely.
Founder Mary Haskett
What security standards matter the most when building an online community?
You really need to start by analyzing what you are doing and thinking about the risks if you have a security breach. The less sensitive data you have, the less there is to protect. Things like SSL are important for sensitive financial data, and less important for, say, a discussion board.
There aren’t a lot of formal security standards tied to online activity but there are a lot of best practices around managing security, keeping unnecessary ports closed, and implementing “white list” access for databases.
What are the most important questions a company should ask when making decisions about which security features and safeguards to implement? How do you evaluate the risk?
It’s always tricky to balance increased security with its total cost. Sometimes it’s hard to even calculate the total cost – there is the purchase price and implementation effort but also user friction. You have to ask “How many users will I lose if I implement this feature?” How effective is it – what is the false positive/false negative rate? What can happen if I don’t implement it – what is my risk exposure? And then once you implement it you have to be rigorous about tracking metrics to measure user abandonment rates and how well it is working.
What are some ways to balance security with convenience for users?
Before BeehiveID, I worked in the defense industry and nobody cared about the end users’ convenience. In the commercial world, you have to balance security with friction, because the perfectly secure solution that has zero customers doesn’t work. Almost every security measure you take will make you lose some customers and money, but not having security will invite fraud and you will also lose money. Most companies have to balance the risk and are constantly adjusting to balance fraud and friction. That involves a lot of A/B testing and tracking of metrics. It depends a lot on what kind of industry/community you are building – some will tolerate more invasive security because there is a lot of fraud.
Tell us about some emerging technologies in this area. How will they impact security?
We’re really excited about the emergence of biometrics as a quick way to authenticate users. Consumers are much more open to it now, and if strong identity is implemented correctly, it actually preserves privacy. It prevents the most common type of online fraud—a person creating multiple accounts as an impostor and performing a successful scam over and over again. We are seeing some clever things around second-factor authentication—not just with phones, but also with GPS, tokens and social verification—asking a friend if a particular action sounds like it would be OK for you. There is a lot of innovation going on in this space, but it’s barely keeping up with the ingenuity of the fraudsters.
CEO Steve Shoaff
What security standards matter the most when building an online community?
A key aspect of building an online community is converting anonymous users to registered, known customers. Social login is not only becoming an increasingly popular and convenient way to authenticate customers by using an existing social media account like Facebook, but also can be implemented very securely.
What are some ways to balance security with convenience for users?
Adaptive authentication allows you to balance ease of use with security based on the situation or type of transaction. For example, for high-value transactions or those that expose very sensitive data, you can implement additional security measures such as re-entering a password, sending a passcode to the user's mobile device, or other multi-factor authentication techniques to prevent fraud.
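The step-up logic described in this answer, written out as an added example (not code from the interviewee's company or this article). The thresholds, field names and factor labels are constructed assumptions; the point is that the base login stays frictionless and extra factors are demanded only when the transaction value, the data exposed, or an unfamiliar device raises the risk.

```python
from dataclasses import dataclass, field

# Constructed policy thresholds (assumptions, not values from the article).
HIGH_VALUE_AMOUNT = 1000.00          # transfers at/above this need a one-time code
SENSITIVE_FIELDS = {"ssn", "bank_account", "medical_record"}
MAX_PASSWORD_AGE_S = 5 * 60          # sensitive reads need a recently entered password

@dataclass
class Request:
    user_id: str
    action: str                        # "view", "transfer", ...
    amount: float = 0.0                # monetary value of the transaction, if any
    fields: set = field(default_factory=set)   # data fields the response would expose
    new_device: bool = False           # device not seen before for this user
    password_age_s: int = 0            # seconds since the password was last entered
    factors_completed: set = field(default_factory=set)  # e.g. {"mobile_otp"} done

def required_factors(req: Request) -> set:
    """Decide which extra factors the situation demands beyond the base login."""
    needed = set()
    # Exposure of very sensitive data: prove presence by re-entering the password,
    # unless it was typed within the last few minutes.
    if req.fields & SENSITIVE_FIELDS and req.password_age_s > MAX_PASSWORD_AGE_S:
        needed.add("reauth_password")
    # High-value transactions and unfamiliar devices: send a code to the mobile device.
    if req.action == "transfer" and req.amount >= HIGH_VALUE_AMOUNT:
        needed.add("mobile_otp")
    if req.new_device:
        needed.add("mobile_otp")
    return needed

def decide(req: Request) -> tuple:
    """Return ("allow", set()) or ("step_up", factors still missing)."""
    missing = required_factors(req) - req.factors_completed
    return ("step_up", missing) if missing else ("allow", set())

if __name__ == "__main__":
    # Constructed sample requests for one user, from low to high risk.
    print(decide(Request("u1", "view", fields={"display_name"})))
    print(decide(Request("u1", "view", fields={"ssn"}, password_age_s=3600)))
    print(decide(Request("u1", "transfer", amount=2500.0)))
    print(decide(Request("u1", "transfer", amount=2500.0, factors_completed={"mobile_otp"})))
```

A real deployment would also log every step-up decision so the abandonment and false-positive rates mentioned elsewhere in this piece can be measured per rule.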
Tell us about some emerging trends in this area. How will they impact security?
Another data security best practice is the use of centralized policy controls to govern access to customer data. Having a centralized way to specify who can access the data, precisely what data can be accessed, what data can be shared and what regulatory policies should be applied will prevent misuse of data and keep you in compliance in an increasingly complex regulatory environment.