Posts tagged cloud security
It’s safe to say that your API keys represent the keys to your cloud kingdom. Anyone in possession of these API keys can access your applications, hardware, and other software in a given cloud environment.
API keys, or access keys as they are sometimes known, are necessary in today’s computing environments. They provide the means to pass credentials between a cloud provider and an enterprise.
Potential for Harm When Access Keys are Stolen
Access keys are created when an organization is first setting up its cloud management services, and a great deal of damage can be done if they fall into the wrong hands. This is not just a possibility; this scenario has happened several times in the past. A cyber attacker breached OneLogin’s databases after gaining access to a set of Amazon Web Services (AWS) API keys.
There is a definite need for collaboration between organizations and cloud providers. The benefits offered in such arrangements are powerful business enablers and can help keep enterprises afloat in a very competitive landscape. That being the case, there needs to be a very solid approach to securing API keys, so that they can’t be stolen and used in criminal ways.
Some companies have learned the hard way that hard-coding API keys into their applications is a big mistake, because keys embedded in code are easily exposed. Access keys get coded directly into applications and scripts and then forgotten about, left sitting there for the first clever cyber attacker who reads the code.
Securing Your Company’s API Keys
Here are some of the best ways to secure your company’s access keys against criminal attack:
- Identify and list all keys – there are some very good discovery tools available, which can scan your entire cloud environment for any and all API keys that may have been left unprotected. After enumerating all of these access keys, check for any infrastructure weaknesses that may exist, and gather all audit information relating to key usage.
- Eliminate embedded access keys – after having found all hard-coded access keys stored in your executable scripts and software applications, remove them so that no one can freely access them. It’s a good idea to also cut off direct access by your own employees.
- Make your API keys secure – protect your access keys by storing them in a secure data vault with strong access controls, so that only authenticated users and authenticated applications can gain access.
- Rotate API keys – change your access keys every so often so they don’t remain static for a long period of time.
- Apply the least-privilege principle – use the principle of least privilege when granting access to your secured API keys. Grant access only to those entities that need it to carry out their normal functions. Also, cut any redundant permissions that were set up for the account role associated with the API key.
- Automate securing your credentials – to avoid direct access by employees, make sure that all API key access to your digital vault is automated by whatever tools and scripts are necessary to carry out the process securely. Ensure that application access to the API is secure by using application authentication and machine identities where appropriate.
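The first four steps above (discover embedded keys, remove them, load them from a vault instead, and rotate them) can be illustrated with a small scanner and loader. The code below is an added example written for this page, not a tool from the original post; it assumes the AWS access key ID format (a four-letter AKIA or ASIA prefix followed by 16 upper-case alphanumerics) and a 40-character secret, and the sample script, the dummy key values and the key inventory are constructed for the demonstration. The dict passed to load_credentials stands in for whatever secret source you actually use (environment variables or a vault client).

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample file contents: what a "forgotten" hard-coded key looks like.
# Both values are dummies built for this example, not real credentials.
SAMPLE_SCRIPT = """\
import boto3
# TODO: move to config (never happened)
AWS_ACCESS_KEY_ID = "AKIAFAKEFAKEFAKEFAKE"
AWS_SECRET_ACCESS_KEY = "abcdefghijklmnopqrstuvwxyz0123456789ABCD"
client = boto3.client("s3", aws_access_key_id=AWS_ACCESS_KEY_ID,
                      aws_secret_access_key=AWS_SECRET_ACCESS_KEY)
"""

# AWS access key IDs are 20 characters: AKIA (long-term) or ASIA (temporary)
# followed by 16 upper-case alphanumerics.
ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# A secret access key is 40 base64-alphabet characters; to limit false
# positives, only flag it when assigned to a variable whose name says "secret".
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws_)?secret(?:_access)?_key\s*[=:]\s*['\"]([A-Za-z0-9/+=]{40})['\"]"
)


def redact(secret):
    """Keep the first and last four characters so a finding can be matched to
    an inventory entry without re-leaking the value in a report."""
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


def find_hardcoded_keys(source):
    """Step 1 (discover): return (line number, kind, redacted value) for each
    credential literal found in the given source text."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append((lineno, "access_key_id", redact(m.group(0))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((lineno, "secret_access_key", redact(m.group(1))))
    return findings


class MissingCredentialError(RuntimeError):
    """Raised when the secret source does not supply a usable credential."""


def load_credentials(secret_source):
    """Steps 2 and 3 (eliminate and vault): credentials come from an injected
    source (environment or vault client, modelled here as a dict) and never
    from a literal in the code base. A missing value is an error, never a
    silent fallback to something embedded."""
    try:
        key_id = secret_source["AWS_ACCESS_KEY_ID"]
        secret = secret_source["AWS_SECRET_ACCESS_KEY"]
    except KeyError as exc:
        raise MissingCredentialError("credential not provided: %s" % exc.args[0]) from None
    if not ACCESS_KEY_ID_RE.fullmatch(key_id):
        raise MissingCredentialError("access key id has an unexpected format")
    return key_id, secret


def keys_due_for_rotation(inventory, now, max_age):
    """Step 4 (rotate): given {key_id: creation time}, return the redacted ids
    of keys that have been static for longer than the allowed age."""
    return sorted(redact(k) for k, created in inventory.items() if now - created > max_age)


def demo_scan():
    """Run the scanner over the constructed sample script."""
    return find_hardcoded_keys(SAMPLE_SCRIPT)


def demo_rotation():
    """Check a constructed two-key inventory against a 90-day rotation limit."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    inventory = {
        "AKIAFAKEFAKEFAKEFAKE": now - timedelta(days=200),  # overdue
        "AKIAFAKEFAKEFAKE0002": now - timedelta(days=10),   # fresh
    }
    return keys_due_for_rotation(inventory, now, timedelta(days=90))


if __name__ == "__main__":
    for lineno, kind, value in demo_scan():
        print("line %d: hard-coded %s %s" % (lineno, kind, value))
    print("due for rotation:", demo_rotation())
```

Running the script as-is reports the two literals on lines 3 and 4 of the sample and flags the 200-day-old key; pointing find_hardcoded_keys at real repositories is the discovery step, and wiring load_credentials to your vault is the hardened replacement for the literals it finds.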
API Keys are Necessary, but Keep Them Secure
Securing access keys may seem like a hassle, but it should be remembered that there are enormous benefits to cloud computing. It should also be kept in mind that establishing that kind of setup with a cloud provider exposes a greater attack surface to criminal-minded individuals on the Internet, and great care must be taken to deter their efforts.
If a cyber attacker were to gain control of your company’s access keys, they could control your entire cloud infrastructure. That would allow this person to disable any security controls and steal any sensitive company data or customer data.
Your company can avoid this doom-and-gloom scenario by following the steps listed above. When access keys are properly managed and kept as secure as possible, you can have peace of mind about the threat of cyber attackers, and can focus on leading your business to sustained growth and success.
Cloud Storage Privacy: Safely Navigating the Cloud
You may have had enough security concerns about your data being stored digitally. Now you know that it’s out there in the cloud, and for many, that is an even greater concern. Sure, we love having access to our saved data from any location and on any device. The tradeoff is privacy vulnerability. How can you improve cloud storage privacy and protect your personal data? Here are a few tips.
First of all, let’s talk about photos. Before you use any app or social networking site, you need to check the TOS to see how your photos are stored and used. Some companies maintain a copy of your photo—even if you delete it from your profile or device. See if there is a setting that disables that function. The same holds true for your device backup. Many backup services such as iCloud, Google Drive, or OneDrive (Microsoft’s cloud storage service) may hang onto copies of pics that you have deleted from your device. Check the settings on your cloud backup. You don’t want that picture you took at the bar over the weekend to end up floating around the web for years to come.
Another major security must for cloud computing is two-factor authentication. This requires something other than just your password (like a security question, or a place to enter a code you request via text) in order to log in. It’s available on most popular services such as Dropbox and those mentioned above. But this is never the standard option, so if you want a second step to logging in, you need to turn the option on from the settings. It’s a tradeoff in convenience for some extra peace of mind.
Finally, stick to the basics. Make sure your passwords are all strong. Maintain a secondary backup of vital data in case the cloud server for your primary service goes down. And don’t put anything in the cloud that you absolutely can’t afford to have hacked. Remember, cloud storage privacy is partly oxymoronic, as nothing is absolutely protected in the digital world.