7 Cloud Security Mistakes We See in Every Indian Startup (And How to Fix Them)

February 10, 2025·9 min read·By Verentix Security Research

At Verentix, we have conducted cloud security assessments for startups across India — from pre-Series A companies running on AWS free tier to Series C companies with complex multi-account architectures. And we see the same fundamental mistakes in almost every engagement.

Mistake 1: Using the Root Account for Everything

This is the single most dangerous cloud security practice, and we see it in about 40% of Indian startups. The AWS root account or Azure Global Administrator is used by multiple people for daily operations — sometimes without even MFA enabled. If this account is compromised, the attacker has complete control over your entire cloud environment.

Fix: Lock down the root account immediately. Enable MFA. Create individual IAM users with least-privilege permissions.

Mistake 2: Public S3 Buckets and Azure Blob Containers

We find publicly accessible storage in roughly 60% of assessments. One Indian startup we assessed had their entire MongoDB backup — containing 3 lakh customer records including Aadhaar numbers — in a public S3 bucket. They had no idea.

Fix: Enable S3 Block Public Access at the account level. Audit every storage resource.

Mistake 3: Security Groups Wide Open

We see security groups that allow SSH or RDP from any IP address, database ports open to the internet, and sometimes all ports open.

Fix: Never open management ports to 0.0.0.0/0. Use VPN or bastion hosts.
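To find these rules before an attacker does, the following added example (not Verentix tooling) audits the JSON produced by `aws ec2 describe-security-groups --output json` for ingress rules that expose SSH, RDP, database ports or all ports to `0.0.0.0/0` or `::/0`. The database port list and the sample group IDs are assumptions constructed for illustration.

```python
import json
import sys

# SSH and RDP come from the article; the database ports (MySQL, PostgreSQL,
# MongoDB) are an assumed sample list. Only TCP rules are checked.
SENSITIVE_PORTS = {22: "SSH", 3306: "MySQL", 3389: "RDP", 5432: "PostgreSQL", 27017: "MongoDB"}
ANYWHERE = {"0.0.0.0/0", "::/0"}

def open_to_world(rule):
    """Return the world-open CIDRs (IPv4 and IPv6) attached to one ingress rule."""
    cidrs = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
    return sorted(c for c in cidrs if c in ANYWHERE)

def exposed_services(rule):
    """Return the sensitive services covered by the rule's port range."""
    if rule.get("IpProtocol") == "-1":  # all protocols, all ports
        return ["ALL PORTS"]
    if rule.get("IpProtocol") not in ("tcp", "6"):
        return []
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    # A range such as 0-65535 exposes every sensitive port inside it.
    return [name for port, name in sorted(SENSITIVE_PORTS.items()) if lo <= port <= hi]

def audit(describe_output):
    """Return (group_id, service, cidr) findings from describe-security-groups JSON."""
    findings = []
    for sg in describe_output.get("SecurityGroups", []):
        for rule in sg.get("IpPermissions", []):
            for cidr in open_to_world(rule):
                findings += [(sg["GroupId"], svc, cidr) for svc in exposed_services(rule)]
    return findings

# Constructed sample input, not taken from a real account.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0aaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0bbb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0ccc", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0ddd", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]}

if __name__ == "__main__":
    # Pass a saved describe-security-groups JSON file, or run with no argument for the sample.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for group_id, service, cidr in audit(data):
        print(f"{group_id}: {service} reachable from {cidr}")
```
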

Mistake 4: No Encryption at Rest

Many Indian startups leave databases and storage unencrypted. Your customer data sits in plain text on shared infrastructure.

Fix: Enable encryption at rest for every storage service. Use AWS KMS, Azure Key Vault, or GCP Cloud KMS.

Mistake 5: Developers Have Admin Access

Every developer has AdministratorAccess. The reasoning is always 'it is easier,' and tightening permissions is left for later. Later never comes.

Fix: Implement least-privilege IAM from day one.

Mistake 6: Logging Disabled

About 50% of startups have CloudTrail or Azure Activity Log disabled. If someone accesses your data, you have no record.

Fix: Enable comprehensive logging from day one.

Mistake 7: No Network Segmentation

Everything sits in a single VPC subnet. If an attacker compromises any instance, they can reach everything.

Fix: Use separate subnets for different tiers. Place databases in private subnets.

Start With an Assessment

If you recognised your startup in any of these mistakes, you are not alone. The good news is that every single one is fixable, usually within a few days. A cloud security assessment from Verentix will identify all of these issues and provide specific remediation guidance with exact commands and configuration changes for your cloud provider.