No one doubts that security is important for cloud infrastructure. The potential for harm to your business, your customers, and your reputation is real, and that potential increases with your business’ success. And yet, customers will not reward you for weeks spent locking each credential down to the barest minimum of permissions. You will not increase your site traffic numbers by meticulously applying network segmentation to your cloud environment. Your product doesn’t become more useful if everyone on your team has MFA enabled.

So, should you do these things? Well, it depends (except for MFA: do that). It depends on who you are. It depends on what you have at stake. And it depends on what the threat is. Finding and fixing what really matters to stay secure is not one-size-fits-all.

Who Are You? Are you a single developer, or small shop? Broad permissions for you and your team are probably ok. These should still be applied at a group level, rather than to an individual, but you probably don’t need to think too hard about limits yet.

On the other hand, if you don’t personally know everyone with access to your account, it’s past time to start applying some stricter grouping and permissioning.

What do you have at stake? Do you avoid collecting Personally Identifying Information? Do you avoid hosting content uploaded by users? You may not need a full audit trail for every data access in your system.

On the other hand, if you host sensitive information, verifiable logging starts to look like a pretty good idea. Effort spent ensuring your data is encrypted at every stage is probably worth it.

What is the threat? Are you a smaller or mostly unknown business? Your biggest risk is probably from automated scans and phishing attacks. Keep your buckets and credentials private, keep your firewall locked down, and enable multi-factor authentication.

On the other hand, if you are worried about targeted attacks, you’ll need more serious measures. Intrusion detection and limiting blast radius become requirements, rather than distractions.

At Gold Fig, we think it’s important to understand your situation before making a security assessment. Presenting a red wall of security failures guarantees that nothing will be addressed. Prioritization matters. Prioritization means more than just attaching a severity score to each security check in a scan. Once you’ve closed gaping holes, ROI becomes a major driver in the discussion. Meaningful security improvements come from matching a company’s current stage to a handful of immediate steps to make. Peace of mind for your infrastructure team comes from building this process into your routine.

Want help prioritizing your security projects? Talk to us!