Security vs. Flexibility in Remote Working Startups

In the early years of a startup, the biggest hurdle is usually managing its cash flow and keeping it afloat. Akin to young hatchlings without parents, most startups don’t survive the harsh realities of the world for more than a few years. But for the small percentage that do, the transformation from startup dynamics to those of a medium-level company can also be challenging. Maintaining the flexibility of a startup while scaling the company is especially tricky.

Finding good people and retaining them is a challenge for any company. And it’s even more difficult for a bootstrapping startup because it has to compete with large companies for limited resources. However, a startup can offer significant benefits beyond just money. The flexibility of working from home—or anywhere in the world, for that matter—is a luxury that small companies can offer, but which larger companies often find difficult to accommodate because of their scale.

Illustration of King Kong of old ways
Illustration by Mike Rohde for REMOTE by 37Signals

This flexibility comes with its own challenge, however—managing the security of company resources.

Traditionally, a company’s internal resources are accessible only through its intranet, and employees are meant to go into the office to get access to them. If the company has offices across the country or world, they are connected by either lease lines or site-to-site VPN connections, constructing a wide area network (WAN). When it comes to startups and companies in transformation, this kind of setup is infeasible due to the large cost associated with such setups and/or the diverse and widespread nature of its small group.

Dilbert comic strip on data security

As mentioned elsewhere, Vesess was founded by five youngsters. Even though our team hasn’t grown massively during the last ten years, its logistics have changed dramatically. At this moment, some of the team members are working from our office in Colombo, some from their homes, one from Thailand, another from The Netherlands, and I’m writing this post from a spot near the U.S.-Canadian border. So it’s clear that the traditional approach of site-to-site security is of little use to a team like us, and most probably to many other startups all around the world.

Fortunately, there’s an alternative to IPSec-based VPNs in the form of SSL VPNs, which have grown in popularity during the last decade. They provide better portability and easier deployment while providing comparable security in terms of confidentiality, integrity, authentication, and non-repudiation—the four pillars of information security. Several popular open-source and proprietary offerings of SSL VPNs also exist, making this option affordable to startups for a fraction of the cost of traditional VPN deployments.

With your company’s communication channels secured, the next step is to expand your internal resources to the “cloud.” With most of the hosting services nowadays providing the ability to create separate private and public subnets, this can be achieved very easily. Even if your hosting service doesn’t offer such a feature, it’s possible to regulate access to your internal resources through your VPN gateway by using firewall software such as iptables.

Vesess GitLab screenshot
We use GitLab to manage code.

Aside from these security concerns, there are many other useful tools for any IT startup or medium-level company. One is GitLab, which we have been using for a long time for distributed code management. It definitely helps us save time and manage projects efficiently. Many open-source continuous integration (CI) tools also exist, including GitLab’s own CI service, which you can use to make sure new updates won’t break your existing code—this ultimately speeds up the development process. To deploy code from internal repositories to application servers, you can use a tool like Capistrano with the SSH agent forwarding option or create a reverse SSH tunnel to your local workstation.

With today’s advances in the web, we have many conveniences that weren’t there just a decade ago. So it’s possible for startups and even companies a little larger than startups to scale their operations without trading off their flexibility. The trick is to adopt these conveniences to meet your requirements with an eye to security concerns. Balancing these correctly will definitely make your team’s life easier.