Tuesday, September 9, 2014


Vienna DevOps & Security and System Architects Group meetup summary - Sept 9, 2014

Some twenty developers and security experts gathered at the Stockwork Coworking Space for today's joint Vienna DevOps & Security and System Architects Group meetup http://meetu.ps/2v2DGg.

Best practices for AWS Security

Philipp Krenn (@xeraa) nicely explained the fundamental risks of AWS services:
Starting services on AWS is easy. So is stopping.

Recent incidents show that a compromised infrastructure can cause more than short disruptions. Several companies went out of business when not only their online services but also their data stores and backups were gone.
(Some) recommendations for using AWS services:
  • Lock away the root account. Never use this account for service or action authentication, ever.
  • Create an IAM user with a password policy for every service or action to limit damage in case an API key gets compromised.
  • Use groups to manage permissions.
  • Use two-factor authentication (2FA), e.g. with Google Authenticator.
  • Never commit your credentials to a source code repository.
  • Enable IP restrictions to limit who can manage your services even with an API key.
  • Enable CloudTrail to trace which user triggered an event and with which API key.
Other cloud providers may offer different security features.
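Two of the recommendations above, IP restrictions and 2FA, are enforced in AWS through IAM policy conditions. The following is an added example (not from the talk or the slides) that builds such a policy document for an IAM user or group and includes a deliberately minimal model of IAM's evaluation logic (explicit Deny beats Allow) so the effect of each statement can be checked offline. The CIDR ranges, actions and SIDs are constructed placeholders; the condition keys aws:SourceIp and aws:MultiFactorAuthPresent and the operators NotIpAddress and BoolIfExists are real IAM names.

```python
"""Build an IAM policy with source-IP and MFA conditions and evaluate requests
against it. Added example; the evaluator models only the operators used here."""
import ipaddress
import json


def build_restricted_policy(allowed_cidrs, actions=("s3:*", "ec2:Describe*")):
    """Return an IAM policy document (dict) attachable to a user or group.

    Statement 1 grants the permissions the principal actually needs.
    Statement 2 denies everything unless the request originates from one of
    the allowed CIDRs (NotIpAddress on aws:SourceIp).
    Statement 3 denies everything unless MFA was used; BoolIfExists makes the
    Deny apply also when the MFA key is absent from the request context.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowNeededActions", "Effect": "Allow",
             "Action": list(actions), "Resource": "*"},
            {"Sid": "DenyOutsideKnownIPs", "Effect": "Deny",
             "Action": "*", "Resource": "*",
             "Condition": {"NotIpAddress": {"aws:SourceIp": list(allowed_cidrs)}}},
            {"Sid": "DenyWithoutMFA", "Effect": "Deny",
             "Action": "*", "Resource": "*",
             "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
        ],
    }


def policy_json(policy):
    """Serialise for `aws iam put-group-policy --policy-document file://...`."""
    return json.dumps(policy, indent=2)


def _action_matches(pattern, action):
    """IAM action patterns: '*', 'service:*', a prefix like 'ec2:Describe*', or exact."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def _condition_holds(condition, context):
    """Evaluate the subset of IAM condition operators this example uses."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "NotIpAddress":
                ip = ipaddress.ip_address(actual)
                if any(ip in ipaddress.ip_network(cidr) for cidr in expected):
                    return False  # request came from an allowed block
            elif operator == "BoolIfExists":
                # Key absent -> condition is treated as matched (that is the IfExists semantics)
                if actual is not None and str(actual).lower() != expected:
                    return False
            else:
                raise ValueError(f"unsupported operator {operator}")
    return True


def is_allowed(policy, action, source_ip, mfa=None):
    """Decide one request: a matching Deny always wins, otherwise a matching
    Allow is needed, otherwise implicit deny. mfa=None means the request
    context carries no aws:MultiFactorAuthPresent key at all."""
    context = {"aws:SourceIp": source_ip}
    if mfa is not None:
        context["aws:MultiFactorAuthPresent"] = "true" if mfa else "false"
    allowed = False
    for stmt in policy["Statement"]:
        patterns = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(_action_matches(p, action) for p in patterns):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    # Constructed office range (RFC 5737 documentation addresses).
    pol = build_restricted_policy(["203.0.113.0/24"])
    print(policy_json(pol))
    print(is_allowed(pol, "s3:ListBucket", "203.0.113.7", mfa=True))   # True
    print(is_allowed(pol, "s3:ListBucket", "198.51.100.9", mfa=True))  # False: wrong IP
    print(is_allowed(pol, "s3:ListBucket", "203.0.113.7"))             # False: no MFA
```

The point of the two Deny statements is that a leaked access key alone is not enough: even with the key, a call from an unknown address or without an MFA code is refused, which bounds the damage of the compromised-key scenario the talk describes.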

The (fancy!) slides are available here: https://speakerdeck.com/xeraa/i-am-what-iam-for-devops-vienna
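The CloudTrail recommendation is about attribution after the fact: each trail file is a JSON document with a top-level "Records" array, and every record carries the calling identity (type, user name, access key id) next to the API call and its source address. The script below is an added example (not part of the talk) that reads such records, groups calls by access key so a suspicious key can be traced back to its user, and flags root-account usage, which the first recommendation says should never happen. The three records are constructed in CloudTrail's shape; the key ids and addresses are placeholders.

```python
"""Attribute API calls to IAM users and access keys from CloudTrail records
and flag root-account usage. Added example; the sample trail is constructed."""
import json
from collections import defaultdict

# Constructed sample in the shape of a CloudTrail delivery file (not real log data).
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2014-09-09T18:05:12Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot",
                      "accessKeyId": "AKIA-CONSTRUCTED-1"}},
    {"eventTime": "2014-09-09T18:07:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot",
                      "accessKeyId": "AKIA-CONSTRUCTED-1"}},
    {"eventTime": "2014-09-09T18:09:02Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "Root", "accessKeyId": "AKIA-CONSTRUCTED-R"}},
]})


def parse_records(text):
    """Return the list of event records from one CloudTrail JSON document."""
    return json.loads(text)["Records"]


def summarize_by_key(records):
    """Group events by access key: who owns the key, what it did, from where."""
    summary = {}
    for rec in records:
        ident = rec.get("userIdentity", {})
        key = ident.get("accessKeyId", "<none>")
        entry = summary.setdefault(key, {
            "user": ident.get("userName", "<%s>" % ident.get("type", "unknown")),
            "type": ident.get("type", "unknown"),
            "events": [], "source_ips": set()})
        entry["events"].append("%s:%s" % (rec["eventSource"].split(".")[0], rec["eventName"]))
        entry["source_ips"].add(rec["sourceIPAddress"])
    return summary


def root_usage(records):
    """Records made with the root account; per the talk this list should be empty."""
    return [r for r in records if r.get("userIdentity", {}).get("type") == "Root"]


def keys_seen_from_new_ips(records, known_ips):
    """Map access key -> source addresses outside the known set (constructed allow-list)."""
    unexpected = defaultdict(set)
    for rec in records:
        ip = rec["sourceIPAddress"]
        if ip not in known_ips:
            unexpected[rec.get("userIdentity", {}).get("accessKeyId", "<none>")].add(ip)
    return dict(unexpected)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_TRAIL)
    for key, info in summarize_by_key(recs).items():
        print(key, info["user"], sorted(info["source_ips"]), info["events"])
    for r in root_usage(recs):
        print("ROOT USAGE:", r["eventTime"], r["eventName"], r["sourceIPAddress"])
    print(keys_seen_from_new_ips(recs, {"203.0.113.7"}))
```

On a real trail the same functions run over every file delivered to the S3 bucket (they are gzipped JSON with the same "Records" layout), and the two alerts worth wiring up first are a non-empty root_usage() result and a known key suddenly calling from an address outside the office ranges, as the deploy-bot key does here.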

ISO 27001 - Goals of ISO 27001, relation to similar standards, implementation scenarios

Roman Kellner, Chief Happiness Officer :-) at @xtradesoft, gave an overview of the ISO 27001 and related standards:
  • ISO 27001:2013 Information Security Management System (ISMS) Requirements
  • ISO 27002:2013 Code of Practice
  • ISO 31000 Risk Management
Information security management is not limited to computer security; it is equally relevant for paper documents, human knowledge, etc.

The structure of ISO 27001 looks somewhat similar to ISO 9001 Quality Assurance, including the monitoring and continuous improvement loop of Plan-Do-Check-Act (PDCA).

For a successful implementation and certification, the ISO 27001 efforts must be supported and driven by the company leadership.

The third talk about Splunk unfortunately had to be postponed.
