Staying safe in the cloud

Date post: 13-Jan-2015
Upload: oleg-podsechin
Description: My talk on security at the Estonia Cloud Meetup.
Page 1: Staying safe in the cloud

Staying Safe in the Cloud

Page 2: Staying safe in the cloud

/whois me

Page 6: Staying safe in the cloud

define: security

● availability
  ○ no access
● reliability
  ○ data loss
● privacy
  ○ data leak

Page 7: Staying safe in the cloud

Availability

● Pingdom
● Where's it Up?
● StatusPage.io
  ○ status.myservice.com: ~10%
● Hosting & Infrastructure
  ○ CDNs like CloudFlare - test with Blitz etc.
  ○ DaaS like AWS RDS, MongoHQ etc.
  ○ deployment, e.g. NPM
  ○ third party JS, tag management e.g. GTM
  ○ DDoS with botnets, HTTPX

Page 9: Staying safe in the cloud

Reliability

● Funding or lack thereof, business model
  ○ or corporate strategy, think Google Reader, G+
● PEBKAC
  ○ Google Docs, Yammer
● API availability, i.e. data backup is an option
  ○ programmableweb.com
  ○ Kimono
● Backupify, Import2

Page 10: Staying safe in the cloud

Privacy

● Third party JS, GA has 20M accounts
  ○ BuiltWith
● Retargeting cookies
● Email/IP to user info on social media
  ○ Rapleaf, Rapportive
  ○ Intercom
  ○ FOAF
● FastMail, Minerva Fabric
  ○ PGP

Page 11: Staying safe in the cloud

Attack Vectors

● Social engineering, war driving, sniping, drones?
  ○ Apple/Amazon hack
● Rootkits, keyloggers
  ○ Vodafone Greece example (pre NSA)
● Packet sniffing, port scanning
● 0-day exploits, exploit marketplaces
  ○ WebGL, Java, Rails, OpenSSL/Heartbleed
● DNS, SSL intercept
  ○ compromised root certs
  ○ Arab Spring example

Page 16: Staying safe in the cloud

Attack Vectors

● Infrastructure providers
  ○ HDDs reused
  ○ Internal sniffing, e.g. MongoDB
  ○ OSS client libs not audited, Nodetime example
● Phishing mails
● Cross site attacks: XSS, CSRF
● Malicious extensions: e.g. Window Resizer
● OAuth, third party app access
  ○ ~60% use Google for login
● etc. etc.

Page 19: Staying safe in the cloud

Countermeasures

● Encrypted laptop drives
● Secure passwords
  ○ LastPass or PwdHash
● Two Factor Authentication (2FA)
  ○ Not enforced by most
● Suspicious activity detection
● Access logs
  ○ per user audit trail?

Page 20: Staying safe in the cloud

Preemption

● Security audits
● "Honeypots"
● Production/Staging divide
● Bug bounty programs

Page 22: Staying safe in the cloud

Politics: NSA, etc.

● Hosting outside of US by a non-US legal entity is a competitive advantage
  ○ e.g. Upcloud, younited
  ○ caveat: traffic goes via Sweden
● How many SaaS companies from Estonia?
  ○ Sportlyzer
  ○ Weekdone
  ○ GoWorkaBit
  ○ InventoryAPI

Page 24: Staying safe in the cloud

Shadow IT

● Bring Your Own Device (BYOD)
● Bring Your Own Service (BYOS)
● Most companies don't know what software their employees use
  ○ ... and don't want to know
● Shared accounts
  ○ Bitium, Meldium

Page 26: Staying safe in the cloud

Case Study: StartHQ

● first contact:
  ○ password reset mails
  ○ access log monitoring
  ○ break-in
  ○ disable /admin
  ○ apply fix
● two weeks later:
  ○ second break-in
  ○ mail sent to all @starthq.com
  ○ apply second fix, more attempts, no more break-ins
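The StartHQ timeline above (password reset mails, then access log monitoring, then disabling /admin) and the "suspicious activity detection / access logs / per user audit trail" bullets on the Countermeasures slide both come down to the same thing: reading the web server's access log for the signals that precede a break-in. The following is an added example, not code from the talk or from StartHQ, of what that monitoring can look like in Python. It runs over a constructed log sample in Apache combined format; the reset endpoint (POST /password/reset), the admin prefix (/admin), the burst threshold and window, and the allowlisted ops IP are all assumptions for illustration.

```python
"""Access-log checks for a StartHQ-style incident timeline (added example).

Assumptions (not from the talk): logs are Apache combined format, password
resets are requested via POST /password/reset, the admin area lives under
/admin, and the threshold, window and allowlisted office IP are illustrative.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# ip ident authuser [timestamp] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: a burst of reset requests from one IP, a successful
# /admin hit from that same IP, normal traffic from alice, the allowlisted ops
# host, and one malformed line the monitor must skip rather than crash on.
SAMPLE_LOG = """\
203.0.113.5 - alice [10/Jan/2015:03:10:02 +0000] "GET /dashboard HTTP/1.1" 200 5120
198.51.100.7 - - [10/Jan/2015:03:11:10 +0000] "POST /password/reset HTTP/1.1" 200 310
198.51.100.7 - - [10/Jan/2015:03:11:32 +0000] "POST /password/reset HTTP/1.1" 200 310
198.51.100.7 - - [10/Jan/2015:03:11:55 +0000] "POST /password/reset HTTP/1.1" 200 310
203.0.113.5 - alice [10/Jan/2015:03:12:00 +0000] "POST /password/reset HTTP/1.1" 200 310
198.51.100.7 - - [10/Jan/2015:03:12:14 +0000] "POST /password/reset HTTP/1.1" 200 310
198.51.100.7 - - [10/Jan/2015:03:12:40 +0000] "POST /password/reset HTTP/1.1" 200 310
198.51.100.7 - - [10/Jan/2015:03:13:05 +0000] "POST /password/reset HTTP/1.1" 200 310
198.51.100.7 - bob [10/Jan/2015:03:20:41 +0000] "GET /admin HTTP/1.1" 200 8800
192.0.2.10 - ops [10/Jan/2015:03:25:00 +0000] "GET /admin/users HTTP/1.1" 200 4200
203.0.113.5 - alice [10/Jan/2015:03:30:12 +0000] "GET /admin HTTP/1.1" 403 120
this line is not a valid log entry
"""


def parse_log(text):
    """Parse lines into event dicts sorted by time; return (events, skipped)."""
    events, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if m is None:
            skipped += 1          # malformed input is counted, never trusted
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], TS_FMT)
        e["status"] = int(e["status"])
        events.append(e)
    events.sort(key=lambda e: e["ts"])  # rotated/merged logs may be out of order
    return events, skipped


def find_reset_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Alert once per source IP when `threshold` reset POSTs fall inside `window`.

    A sliding window (one deque per IP) keeps memory bounded; the alert fires
    when the count first reaches the threshold, so a sustained attack is
    reported once instead of on every further request.
    """
    recent = defaultdict(deque)
    alerts = []
    for e in events:
        if e["method"] != "POST" or not e["path"].startswith("/password/reset"):
            continue
        q = recent[e["ip"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) == threshold:
            alerts.append((e["ip"], e["ts"].isoformat(), len(q)))
    return alerts


def find_admin_hits(events, allowed_ips=frozenset()):
    """Every request to the admin area from an IP outside the allowlist.

    Denied (403) attempts are reported too: a failed probe is still a signal.
    """
    return [
        (e["ip"], e["user"], e["path"], e["status"])
        for e in events
        if (e["path"] == "/admin" or e["path"].startswith("/admin/"))
        and e["ip"] not in allowed_ips
    ]


def audit_trail(events):
    """Per-user audit trail keyed by authenticated user ("-" = anonymous, dropped)."""
    trail = defaultdict(list)
    for e in events:
        if e["user"] != "-":
            trail[e["user"]].append(
                (e["ts"].isoformat(), e["method"], e["path"], e["status"])
            )
    return dict(trail)


if __name__ == "__main__":
    events, skipped = parse_log(SAMPLE_LOG)
    print(f"{len(events)} events parsed, {skipped} malformed line(s) skipped")
    for ip, ts, n in find_reset_bursts(events):
        print(f"ALERT reset burst: {n} requests from {ip} by {ts}")
    for hit in find_admin_hits(events, allowed_ips={"192.0.2.10"}):
        print("ALERT admin access:", hit)
    for user, entries in audit_trail(events).items():
        print(user, len(entries), "event(s)")
```

Run against the sample, the burst detector fires once for 198.51.100.7 (on its fifth reset request), the admin check reports both the attacker's successful /admin hit and alice's denied one while ignoring the allowlisted ops host, and the per-user trail gives the "who did what, when" view the Countermeasures slide asks for. In production the same three checks would read from the live log (or a log shipper) and page someone instead of printing.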

Page 27: Staying safe in the cloud

Case Study: Buffer

Page 28: Staying safe in the cloud

Trade-offs

● Self Reliance vs. Reliability
  ○ Self host MongoDB or go with MongoHQ
  ○ Speed and time to market critical
● Security vs. Convenience?

Page 29: Staying safe in the cloud

Reality

● Everyone gets hacked
  ○ Atlassian story
● Users largely don't care
● Case in point: StartHQ extension
  ○ see video

Page 31: Staying safe in the cloud

Resources

Chaos Computer Club TV

Page 33: Staying safe in the cloud

Thank you! @olegpodsechin

