Staying Safe in the Cloud
My talk on security at the Estonia Cloud Meetup.

Published in: Internet, Technology, Business
1 Comment
0 Likes
Statistics
Notes
  • Be the first to like this

No Downloads
Views
Total views
899
On SlideShare
0
From Embeds
0
Number of Embeds
19
Actions
Shares
0
Downloads
10
Comments
1
Likes
0
Embeds 0
No embeds

No notes for slide

Staying safe in the cloud

1. Staying Safe in the Cloud

2. /whois me

3. helsinkijs.org

4. define: security
● availability
  ○ no access
● reliability
  ○ data loss
● privacy
  ○ data leak

5. Availability
● Pingdom
● Where’s it Up?
● StatusPage.io
  ○ status.myservice.com: ~ 10%
● Hosting & Infrastructure
  ○ CDNs like CloudFlare - test with Blitz etc.
  ○ DaaS like AWS RDS, MongoHQ etc.
  ○ deployment, e.g. NPM
  ○ third party JS, tag management e.g. GTM
  ○ DDoS with botnets, HTTPX

6. Reliability
● Funding or lack thereof, business model
  ○ or corporate strategy, think Google Reader, G+
● PEBKAC
  ○ Google Docs, Yammer
● API availability ~ data backup an option
  ○ programmableweb.com
  ○ Kimono
● Backupify, Import2

7. Privacy
● Third party JS, GA has 20M accounts
  ○ BuiltWith
● Retargeting cookies
● Email/IP to user info on social media
  ○ Rapleaf, Rapportive
  ○ Intercom
  ○ FOAF
● FastMail, Minerva Fabric
  ○ PGP

8. Attack Vectors
● Social engineering, war driving, sniping, drones?
  ○ Apple Amazon hack
● Rootkits, keyloggers
  ○ Vodafone Greece example (pre NSA)
● Packet sniffing, port scanning
● 0-day exploits, exploit marketplaces
  ○ WebGL, Java, Rails, OpenSSL/Heartbleed
● DNS, SSL intercept
  ○ compromised root certs
  ○ Arab Spring example

9. Attack Vectors
● Infrastructure providers
  ○ HDDs reused
  ○ Internal sniffing, e.g. MongoDB
  ○ OSS client libs not audited, Nodetime example
● Phishing mails
● Cross site attacks: XSS, CSRF
● Malicious extensions: e.g. Window Resizer
● OAuth, third party app access
  ○ ~60% use Google for login
● etc. etc.

10. Countermeasures
● Encrypted laptop drives
● Secure passwords
  ○ LastPass or PwdHash
● Two Factor Authentication (2FA)
  ○ Not enforced by most
● Suspicious activity detection
● Access logs
  ○ per user audit trail?

11. Preemption
● Security audits
● “Honeypots”
● Production/Staging divide
● Bug bounty programs

12. Politics: NSA, etc.
● Hosting outside of US by a non-US legal entity is a competitive advantage
  ○ e.g. Upcloud, younited
  ○ caveat: traffic goes via Sweden
● How many SaaS companies from Estonia?
  ○ Sportlyzer
  ○ Weekdone
  ○ GoWorkaBit
  ○ InventoryAPI

13. Shadow IT
● Bring Your Own Device (BYOD)
● Bring Your Own Service (BYOS)
● Most companies don’t know what software their employees use
  ○ … and don’t want to know
● Shared accounts
  ○ Bitium, Meldium

14. Case Study: StartHQ
● first contact:
  ○ password reset mails
  ○ access log monitoring
  ○ break-in
  ○ disable /admin
  ○ apply fix
● two weeks later:
  ○ second break-in
  ○ mail sent to all @starthq.com
  ○ apply second fix, more attempts, no more break-ins

15. Case Study: Buffer

16. Trade-offs
● Self Reliance vs. Reliability
  ○ Self-host MongoDB or go with MongoHQ
  ○ Speed and time to market critical
● Security vs. Convenience?

17. Reality
● Everyone gets hacked
  ○ Atlassian story
● Users largely don’t care
● Case in point: StartHQ extension
  ○ see video

18. Resources
Security Engineering by Ross Anderson
Light Blue Touchpaper blog

19. Resources
Chaos Computer Club TV

20. Resources
OWASP Top 10 Project
Homakov blog

21. Thank you!
@olegpodsechin