Lessons that founders must learn from the CloudPets breach
As a founder and innovator, you can't help but love the cloud. It's easy to use, it lets you get projects started quicker, and it lets you deploy them faster, too. But as quickly as you can innovate and go to market with the cloud, you can also fail, particularly if you don't pay attention to the small details and build security in from the get-go.
I'm sure CloudPets hired experienced developers to build the software the business needed, and to build it quickly. After all, we're in an agile, DevOps-centric world. And we can now see clearly that critical steps were missed on the security side of the product lifecycle. The team had a precise vision of security for how their product would be used, as described on their website: an approval-based messaging system designed to prevent Internet-based abuse of the children's toy. However, they overlooked the need for a multi-layered defense that also covered their flank, which is ultimately where they lost the battle.
For many businesses, including CloudPets, it is typically okay to go to market with some known risks, but companies should always circle back and fix the vulnerabilities in a meaningful way once the launch pressure is off. Moving fast is amazingly powerful, but you can't neglect basic security hygiene and leave numerous gaps in your security strategy in the name of revenue. At a brief glance, we can imagine the damaging event at CloudPets beginning with a developer who rolled out an easy-to-use database technology without security in mind. This approach is great for accelerating the delivery of products and services, but it is a dangerous long-term play, because ease of use often comes at the expense of security.
Once the product was up and working, the team shifted its focus to launch activities and getting the product on the market. Nobody thought to go back and make sure they had shored up the datastore, properly implemented network flow control policies, or run a pre-launch security checklist. This was the mistake that brutalized another cloud company with a lot of potential, and the cost was wildly disproportionate to the effort it would have taken to prevent the disaster.
Today, we see companies getting destroyed at an increasing rate because they're not building security into their development and deployment processes. They wait until the last possible moment to discuss and implement security measures, which can leave them open to attack or ransom. In some cases, it can put them out of business.
As founders, we have to acknowledge that no matter how much experience you have, you're not immune to mistakes. You can build a great team of super smart people, and all it takes is one person to be distracted, and your whole company can be gone tomorrow. This is the reality of the Internet-powered world we live in.
I often think about my job as being one of placing the right bets at the right time. If you place a lot of big bets (a bet on speed to market, a bet on security, a bet on UX), you'll be more successful than if you placed just one big bet (like speed to market). Early on in the life of a company, you're so focused on just staying alive that it takes a certain amount of discipline to remember to look up and look around and keep track of risks that are part of your business. A few years in, it starts to become second nature. You can anticipate most of the risks, and you've had the time to start implementing better processes and policies and automation.
Tim Prendergast co-founded Evident.io to help others avoid the pain he endured when helping Adobe adopt the cloud at a massive level. After years of building, operating, and securing services in AWS, he set out to make security approachable and repeatable for companies of all sizes. Tim led technology teams at Adobe, Ingenuity, Ticketmaster, and McAfee.