Staying Safe in the Cloud

Jan 13, 2015


Oleg Podsechin

My talk on security at the Estonia Cloud Meetup.
Page 1: Staying safe in the cloud

Staying Safe in the Cloud

Page 2

/whois me

Page 6

define: security

● availability
○ no access

● reliability
○ data loss

● privacy
○ data leak

Page 7

Availability

● Pingdom
● Where’s it Up?
● StatusPage.io
○ status.myservice.com: ~ 10%

● Hosting & Infrastructure
○ CDNs like CloudFlare - test with Blitz etc.
○ DaaS like AWS RDS, MongoHQ etc.
○ deployment, e.g. NPM
○ third party JS, tag management e.g. GTM
○ DDoS with botnets, HTTPX

Page 9

Reliability

● Funding or lack thereof, business model
○ or corporate strategy, think Google Reader, G+

● PEBKAC
○ Google Docs, Yammer

● API availability ~ data backup an option
○ programmableweb.com
○ Kimono

● Backupify, Import2

Page 10

Privacy

● Third party JS, GA has 20M accounts
○ BuiltWith

● Retargeting cookies
● Email/IP to user info on social media
○ Rapleaf, Rapportive
○ Intercom
○ FOAF

● FastMail, Minerva Fabric
○ PGP

Page 11

Attack Vectors

● Social engineering, war driving, sniping, drones?
○ Apple Amazon hack

● Rootkits, keyloggers
○ Vodafone Greece example (pre NSA)

● Packet sniffing, port scanning
● 0 day exploits, exploit marketplaces
○ WebGL, Java, Rails, OpenSSL/Heartbleed

● DNS, SSL intercept
○ compromised root certs
○ Arab Spring example

Page 16

Attack Vectors

● Infrastructure providers
○ HDDs reused
○ Internal sniffing, e.g. MongoDB
○ OSS client libs not audited, Nodetime example

● Phishing mails
● Cross site attacks: XSS, CSRF
● Malicious extensions: e.g. Window Resizer
● OAuth, third party app access
○ ~60% use Google for login

● etc. etc.
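The slide lists CSRF and third-party OAuth login as attack vectors without showing what the defence looks like. The example below is added here and is not code from the talk or from StartHQ: it mints an anti-forgery token bound to the user's session and to a purpose, checks it in constant time with an expiry, and shows an unprotected form handler next to a protected one. The same token serves as the OAuth 2.0 `state` parameter, which is what stops a login-CSRF against the "sign in with Google" flow. The server key, the `provider.example` authorize URL and the `transfer` form fields are placeholders chosen for the demo.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumption for this example: a fixed server-side key so the demo is
# reproducible offline. In production load it from a secret store and rotate it.
SERVER_KEY = b"example-server-key-rotate-me"
TOKEN_TTL = 3600  # seconds a token remains valid


def _mac(key: bytes, session_id: str, purpose: str, payload: str) -> str:
    # Binding the MAC to the session id and the purpose means a token minted
    # for one session, or minted as an OAuth state value, cannot be replayed
    # as a form token for another session.
    msg = f"{session_id}|{purpose}|{payload}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_token(session_id: str, purpose: str, key: bytes = SERVER_KEY,
               now: Optional[int] = None) -> str:
    """Mint an anti-forgery token: random nonce + issue time + HMAC."""
    now = int(time.time()) if now is None else now
    payload = f"{secrets.token_hex(8)}.{now}"
    return f"{payload}.{_mac(key, session_id, purpose, payload)}"


def check_token(token: Optional[str], session_id: str, purpose: str,
                key: bytes = SERVER_KEY, now: Optional[int] = None,
                ttl: int = TOKEN_TTL) -> bool:
    """Validate a token for this session and purpose; False on any defect."""
    now = int(time.time()) if now is None else now
    if not isinstance(token, str):
        return False
    parts = token.split(".")
    if len(parts) != 3 or not parts[1].isdigit():
        return False
    nonce, issued, mac = parts
    if not 0 <= now - int(issued) <= ttl:
        return False  # expired, or claims to be issued in the future
    expected = _mac(key, session_id, purpose, f"{nonce}.{issued}")
    return hmac.compare_digest(expected, mac)  # constant-time compare


def transfer_unprotected(form: dict, session_user: str) -> tuple:
    """Vulnerable handler: a form POST launched from an attacker's page rides
    on the victim's cookies and is indistinguishable from a real request."""
    return ("ok", session_user, form["to"], int(form["amount"]))


def transfer_protected(form: dict, session_id: str, session_user: str,
                       now: Optional[int] = None) -> tuple:
    """Hardened handler: refuses the request unless the form carries a token
    minted for this session. The attacker's page cannot read that token."""
    if not check_token(form.get("csrf"), session_id, "form", now=now):
        return ("forbidden", None, None, None)
    return ("ok", session_user, form["to"], int(form["amount"]))


def oauth_authorize_url(session_id: str, now: Optional[int] = None) -> str:
    """The same token doubles as the OAuth 2.0 `state` parameter, the login
    flow's CSRF defence. The authorize endpoint is a placeholder."""
    state = make_token(session_id, "oauth-state", now=now)
    return "https://provider.example/oauth/authorize?client_id=demo&state=" + state


def oauth_callback_ok(session_id: str, query: dict,
                      now: Optional[int] = None) -> bool:
    """On the redirect back, accept the code only if `state` is ours."""
    return check_token(query.get("state"), session_id, "oauth-state", now=now)
```

The token is stateless on the server side: nothing has to be stored per request, and rotating `SERVER_KEY` invalidates every outstanding token at once, which is the behaviour you want after a break-in.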

Page 19

Countermeasures

● Encrypted laptop drives
● Secure passwords
○ LastPass or PwdHash

● Two Factor Authentication (2FA)
○ Not enforced by most

● Suspicious activity detection
● Access logs
○ per user audit trail?
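The slide names two-factor authentication and the caveat that most services do not enforce it. The following is an added example, not code from the talk, showing the server side of the common TOTP second factor (RFC 6238, as used by Google Authenticator and similar apps): code generation, a verifier with a small clock-drift window, constant-time comparison and replay protection, and a login step with an "enforce" switch. The secret is the RFC 6238 test secret, so the codes can be checked against the published vectors; the `login` function and its policy flag are this example's own.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to a decimal code."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from Unix time."""
    return hotp(secret, at // step, digits)


def secret_from_base32(text: str) -> bytes:
    """Authenticator apps receive the shared secret as unpadded base32
    (the secret= field of an otpauth:// URI); restore padding before decoding."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


class TotpVerifier:
    """Server-side second-factor check for one enrolled user."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6,
                 window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window      # steps of clock drift tolerated either side
        self.last_counter = -1    # highest counter already accepted

    def verify(self, submitted: str, at: int) -> bool:
        submitted = submitted.strip().replace(" ", "")
        if len(submitted) != self.digits or not submitted.isdigit():
            return False
        base = at // self.step
        for delta in range(-self.window, self.window + 1):
            counter = base + delta
            if counter <= self.last_counter:
                # Never accept a counter twice: a code phished or sniffed a
                # moment ago is useless once the real user has used it.
                continue
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, submitted):
                self.last_counter = counter
                return True
        return False


def login(password_ok: bool, verifier: Optional[TotpVerifier],
          code: Optional[str], at: int, require_2fa: bool) -> str:
    """Login policy (this example's own): with require_2fa the second factor
    is mandatory, so an unenrolled user is denied instead of silently
    falling back to password-only, which is the 'not enforced' failure mode."""
    if not password_ok:
        return "denied"
    if verifier is None:
        return "denied" if require_2fa else "ok"
    if code is None or not verifier.verify(code, at):
        return "denied"
    return "ok"


if __name__ == "__main__":
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print(totp(secret, 59))  # RFC 6238 vector for T=59, 6 digits
```

`last_counter` has to live wherever the user's secret lives (the database row), not in process memory, or replay protection disappears behind a load balancer.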

Page 20

Preemption

● Security audits
● “Honeypots”
● Production/Staging divide
● Bug bounty programs

Page 22

Politics: NSA, etc.

● Hosting outside of US by a non-US legal entity is a competitive advantage
○ e.g. Upcloud, younited
○ caveat: traffic goes via Sweden

● How many SaaS companies from Estonia?
○ Sportlyzer
○ Weekdone
○ GoWorkaBit
○ InventoryAPI

Page 24

Shadow IT

● Bring Your Own Device (BYOD)
● Bring Your Own Service (BYOS)

● Most companies don’t know what software their employees use
○ … and don’t want to know

● Shared accounts
○ Bitium, Meldium

Page 26

Case Study: StartHQ

● first contact:
○ password reset mails
○ access log monitoring
○ break-in
○ disable /admin
○ apply fix

● two weeks later:
○ second break-in
○ mail sent to all @starthq.com
○ apply second fix, more attempts, no more break-ins
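The case study's first signals were unexpected password reset mails and what the access log showed before the break-in and the decision to disable /admin. The example below is added here, not code or data from StartHQ: it parses combined-format access log lines and flags two of the patterns that sequence implies, a burst of password-reset POSTs from one client and any request under /admin from an address outside an allowlist. The log lines, the addresses (RFC 5737 documentation ranges), the allowlisted "office" IP and the thresholds are all constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format as written by nginx/Apache:
#   ip ident user [timestamp] "METHOD path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample: one client hammers the reset endpoint, then reaches /admin.
# 192.0.2.10 plays the allowlisted office address; the last line is junk.
SAMPLE_LOG = """\
198.51.100.4 - - [10/Jan/2015:09:12:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2015:09:12:40 +0000] "POST /password/reset HTTP/1.1" 200 312 "-" "curl/7.38"
203.0.113.7 - - [10/Jan/2015:09:12:41 +0000] "POST /password/reset HTTP/1.1" 200 312 "-" "curl/7.38"
203.0.113.7 - - [10/Jan/2015:09:12:43 +0000] "POST /password/reset HTTP/1.1" 200 312 "-" "curl/7.38"
203.0.113.7 - - [10/Jan/2015:09:12:44 +0000] "POST /password/reset HTTP/1.1" 200 312 "-" "curl/7.38"
203.0.113.7 - - [10/Jan/2015:09:12:46 +0000] "POST /password/reset HTTP/1.1" 200 312 "-" "curl/7.38"
198.51.100.4 - - [10/Jan/2015:09:15:00 +0000] "POST /password/reset HTTP/1.1" 200 312 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Jan/2015:09:20:05 +0000] "GET /admin HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2015:09:31:17 +0000] "GET /admin/users?page=2 HTTP/1.1" 200 9876 "-" "curl/7.38"
garbage line that does not parse
"""


def parse_line(line: str):
    """Return a dict for one log line, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop the query string
        "status": int(m["status"]),
    }


def is_admin_path(path: str) -> bool:
    # Exact match or a sub-path; a plain prefix test would also catch /administer.
    return path == "/admin" or path.startswith("/admin/")


def find_suspicious(lines, admin_allowlist, reset_threshold=5,
                    reset_window=timedelta(minutes=10)):
    """Return (kind, ip, timestamp) findings for the two patterns described."""
    findings = []
    resets = defaultdict(list)  # ip -> timestamps of POST /password/reset
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue  # unparseable lines are skipped, not allowed to crash the monitor
        if is_admin_path(e["path"]) and e["ip"] not in admin_allowlist:
            findings.append(("admin-from-unknown-ip", e["ip"], e["ts"]))
        if e["method"] == "POST" and e["path"] == "/password/reset":
            resets[e["ip"]].append(e["ts"])
    # Sliding window: report an ip once its resets reach the threshold inside the window.
    for ip, times in resets.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > reset_window:
                start += 1
            if end - start + 1 >= reset_threshold:
                findings.append(("password-reset-burst", ip, times[end]))
                break
    return findings


if __name__ == "__main__":
    for kind, ip, ts in find_suspicious(SAMPLE_LOG.splitlines(), {"192.0.2.10"}):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {kind:24s} {ip}")
```

Run over a live log this is the cheapest form of the "suspicious activity detection" and "access logs" countermeasures from the earlier slide; the allowlist is also what turns "disable /admin" into a rule rather than an emergency edit.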

Page 27

Case Study: Buffer

Page 28

Trade-offs

● Self Reliance vs. Reliability
○ Self host MongoDB or go with MongoHQ
○ Speed and time to market critical

● Security vs. Convenience?

Page 29

Reality

● Everyone gets hacked
○ Atlassian story

● Users largely don’t care

● Case in point: StartHQ extension
○ see video

Page 31

Resources

Chaos Computer Club TV

Page 33

Thank you!
@olegpodsechin