[lug] NoVAD: Protecting Cloud Data

Dan Ferris dan at usrsbin.com
Sun Jul 13 17:45:01 MDT 2014


Here is a link that talks about what I said that's more concise:

https://www.xervmon.com/blog/84

If you do what's in that article you'll be ok.

The only other suggestion is that when your instances are built, use
your favourite config management tool and get rid of the ssh key that
you gave to Amazon for your instances.  That will keep the person who
gets into your account from logging into your instances.

On 07/13/2014 09:24 AM, Rob Nagler wrote:
> Dan Ferris writes:
>> In all fairness though, Cloud Spaces was using Amazon in the most stupid 
>> way possible and several things, like the S3 multifactor delete, IDM 
>> accounts/permissions, and bucket versioning would have prevented the 
>> problem.
> 
> These are excellent points.  We would like to make this part of
> NoVAD's message.  Both cloud providers and clients need to participate
> in protecting client data.
> 
> I'd greatly appreciate you writing this up and adding it to our site:
> 
> http://www.novad.club/en/clients.html
> 
> It's written in kramdown so very easy to add pages and such:
> 
> https://github.com/novadclub/novadclub.github.io
> 
> Send a pull request, and I'll be happy to include it.
> 
>> I use S3 for backups, and all of our stuff has its own write only IDM 
>> account to its own bucket and you have to have a Yubikey to delete anything.
> 
> One of the reasons for NoVAD is that the unthinkable does happen, and
> that's why it's a dramatic event: virtually assured destruction.
> Despite all the safeguards and sophisticated technology, nuclear
> reactors have gone critical, and people have died.  Edward Snowden did
> really steal a serious number of documents.  Target really had 40M+
> credit cards.  These are in other spaces than NoVAD is addressing, but
> it is only a matter of time before someone cracks a major SaaS
> company.
> 
> Consider what would happen if someone did get into your master account
> and clicked on the big red button, aka close account and button of
> mass destruction?  I don't think that button should exist.  It's a
> disaster waiting to happen for any company that relies on the cloud
> for its IT infrastructure.  For those who don't know about the button
> of mass destruction, read this article:
> 
> http://www.viarob.com/my/page/Nuclear_Deterrence_For_Your_Cloud
> 
> NoVAD is the layer of protection nobody wants to think about.  It's
> what happens if someone gets on the inside.
> 
> Rob
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety
> 
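The controls Dan lists above (a write-only IAM identity per bucket, and a hardware-token requirement before anything can be deleted) can be expressed as an IAM policy and checked before it is attached. The following is an added example, not code from the thread or from NoVAD: it builds such a policy for a placeholder bucket name, runs a simplified IAM evaluation over it (explicit Deny beats Allow, otherwise implicit deny; only the `aws:MultiFactorAuthPresent` condition is modelled), and audits the policy for allow statements that would let a compromised credential delete or reconfigure the bucket.

```python
import fnmatch

# Constructed placeholder; substitute your own bucket name.
BUCKET = "example-backups-bucket"


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def build_write_only_policy(bucket):
    """Least-privilege policy for a backup writer: upload (and list, so a
    backup tool can resume multipart uploads) to one bucket only. No read,
    no delete, no other buckets. The explicit Deny backs up the allow-list:
    even if a broader policy is attached later, deletes still need MFA."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "UploadOnly",
                "Effect": "Allow",
                "Action": ["s3:PutObject", "s3:AbortMultipartUpload", "s3:ListBucket"],
                "Resource": [bucket_arn, bucket_arn + "/*"],
            },
            {
                "Sid": "DenyDeleteWithoutMFA",
                "Effect": "Deny",
                "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion", "s3:DeleteBucket"],
                "Resource": [bucket_arn, bucket_arn + "/*"],
                "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
            },
        ],
    }


def evaluate(policy, action, resource, mfa_present=False):
    """Simplified IAM decision: 'deny' if any matching Deny applies,
    'allow' if any matching Allow applies, else 'implicit-deny'."""
    allowed = False
    for statement in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(statement["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(statement["Resource"])):
            continue
        condition = statement.get("Condition", {})
        if condition:
            # Only the MFA condition is modelled here.
            wanted = condition["BoolIfExists"]["aws:MultiFactorAuthPresent"]
            if str(mfa_present).lower() != wanted:
                continue  # condition not met, statement does not apply
        if statement["Effect"] == "Deny":
            return "deny"
        allowed = True
    return "allow" if allowed else "implicit-deny"


# Actions a backup-writer credential should never be allowed unconditionally:
# anything that deletes data or weakens the bucket's protection settings.
DESTRUCTIVE_PATTERNS = (
    "s3:Delete*",
    "s3:PutBucketVersioning",
    "s3:PutLifecycleConfiguration",
    "s3:PutBucketPolicy",
)


def audit_policy(policy):
    """Return (Sid, action) pairs for Allow statements that grant a
    destructive action or use a wildcard that could cover one."""
    findings = []
    for statement in policy["Statement"]:
        if statement["Effect"] != "Allow" or statement.get("Condition"):
            continue
        for action in _as_list(statement["Action"]):
            wildcard = "*" in action
            hits_destructive = any(
                fnmatch.fnmatchcase(action, p) for p in DESTRUCTIVE_PATTERNS
            )
            if wildcard or hits_destructive:
                findings.append((statement.get("Sid", "<no sid>"), action))
    return findings


if __name__ == "__main__":
    policy = build_write_only_policy(BUCKET)
    obj = f"arn:aws:s3:::{BUCKET}/2014/07/db.tar.gz"
    print("put   :", evaluate(policy, "s3:PutObject", obj))
    print("delete:", evaluate(policy, "s3:DeleteObject", obj))
    print("audit :", audit_policy(policy))
```

The evaluator is deliberately a toy (no NotAction, no resource-policy merging), but it is enough to show the two properties worth asserting before a credential goes onto a backup host: a leaked key can add data but not remove it, and nothing in the allow-list quietly covers `s3:Delete*` via a wildcard. The MFA requirement on the bucket itself is separate from the IAM policy; it is enabled as part of versioning with the AWS CLI (`aws s3api put-bucket-versioning --bucket <name> --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa "<serial> <code>"`), which must be run with the root account's MFA device.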