Cloud Security

A development server recently became compromised, and while this isn't necessarily a good thing, it does raise awareness and provides impetus to strengthen security measures.

Access Control

A few axioms:

- Access control is better through certificates (what you have) than passwords (what you know).
- Two-factor authentication is better than both (what you have, plus new knowledge communicated at login time).
- The point is to be reasonably hardened, but to have monitoring that alerts upon compromise (intrusion detection).
- Regularly conducted penetration testing should inform the hardening process.
- Encryption is necessary: eventually end-to-end, but in any case wherever logins are used.
- Apache is a big attack vector, so keep it patched and running with limited rights.
- Web content and databases are the target of many exploits, so security-aware software development standards are required.
- Simple is better, because simple gets done where complicated does not.
- Users should not share accounts.
- Have a disaster recovery process, because there will be a time when it needs to be used.
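The first three axioms (keys over passwords, a second factor, and no shared or root accounts) can be checked mechanically on a Linux server's OpenSSH configuration. The script below is an added example written for this page, not something from the original post; it audits the global directives of an sshd_config against those axioms. It assumes the effective defaults of a recent OpenSSH (8.x or later) for directives that are absent, and both sample configurations in it are constructed, not taken from any real host.

```python
"""Audit an OpenSSH sshd_config against the access-control axioms above:
key-based login instead of passwords, two factors, no direct root login.
The two sample configs at the bottom are constructed for illustration."""
import re

# Effective values when a directive is absent (assumption: OpenSSH 8.x or later).
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "authenticationmethods": "any",
}


def parse_sshd_config(text):
    """Return the effective global directives, keyed by lowercased name.

    sshd uses the first value it reads for a directive, so later duplicates
    are ignored. Everything from the first `Match` block onward is
    conditional and is skipped, so this audits only the global settings.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Directives may be written "Key value" or "Key=value".
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        effective.setdefault(key, value)
    return effective


def audit(text):
    """Return findings as "Directive: problem; fix" strings; [] means clean."""
    cfg = dict(DEFAULTS)
    cfg.update(parse_sshd_config(text))
    findings = []
    if cfg["passwordauthentication"].lower() != "no":
        findings.append("PasswordAuthentication: password logins allowed; "
                        "set PasswordAuthentication no and use keys")
    if cfg["pubkeyauthentication"].lower() != "yes":
        findings.append("PubkeyAuthentication: key logins disabled; "
                        "set PubkeyAuthentication yes")
    if cfg["permitrootlogin"].lower() != "no":
        findings.append("PermitRootLogin: root can log in directly; "
                        "set PermitRootLogin no and give each admin a personal account")
    # AuthenticationMethods lists alternatives separated by spaces; each
    # alternative is a comma-separated chain that must be satisfied in full.
    # Two factors means every alternative requires at least two methods.
    methods = cfg["authenticationmethods"].lower()
    two_factor = methods != "any" and all(
        len(alt.split(",")) >= 2 for alt in methods.split())
    if not two_factor:
        findings.append("AuthenticationMethods: one factor is enough to log in; "
                        "set AuthenticationMethods publickey,keyboard-interactive "
                        "with an OTP module behind keyboard-interactive")
    return findings


# Constructed sample: a "just make it work" development server.
WEAK_CONFIG = """\
Port 22
PasswordAuthentication yes
PermitRootLogin yes
"""

# Constructed sample: the same server after applying the axioms.
HARDENED_CONFIG = """\
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{name}] findings: {audit(cfg) or 'none'}")
```

To run it against a live host, read `/etc/ssh/sshd_config` into `audit()`; remember that it deliberately ignores `Match` blocks, so per-user or per-group exceptions still need a manual look, and that the second factor only exists if a PAM module actually sits behind keyboard-interactive.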
