Random thoughts
Tuesday, September 9, 2014
Vienna DevOps & Security and System Architects Group meetup summary - Sept 9, 2014
Some twenty developers and security experts gathered at the Stockwork Coworking Space for today's joint Vienna DevOps & Security and System Architects Group meetup http://meetu.ps/2v2DGg.
Best practices for AWS Security
Philipp Krenn (@xeraa) nicely explained the fundamental risks of AWS services:
Starting services on AWS is easy. So is stopping.
Recent incidents show that a compromised infrastructure can cause more than short disruptions. Several companies went out of business when not only their online services but also data stores and backups were gone:
- Code Spaces goes dark after AWS cloud security hack
- DrawQuest permanently shuts down after security breach
- Bonsai.io suffers from an AWS security incident
- Lock away the root account. Never use this account for service or action authentication, ever.
- Create an IAM user with a password policy for every service or action to limit damage in case an API key gets compromised.
- Use groups to manage permissions.
- Enable two-factor authentication (2FA), for example with Google Authenticator.
- Never commit your credentials to a source code repository.
- Enable IP restrictions to limit who can manage your services even with an API key.
- Enable CloudTrail to trace which user triggered an event using which API key.
The (fancy!) slides are available here: https://speakerdeck.com/xeraa/i-am-what-iam-for-devops-vienna
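The last three recommendations (IP restrictions, 2FA and CloudTrail) are easiest to appreciate from the defender's side: once CloudTrail is on, every API call can be attributed to a user and an access key and checked against your own rules. The script below is an added illustration, not from the talk or the slides; it reviews a constructed CloudTrail export and flags root usage, calls from outside an assumed IP allow-list, and destructive calls made without MFA. The sample records and the allow-list address are made up.

```python
import json
from typing import Dict, List

# Constructed CloudTrail export (not real log data); field names follow the
# CloudTrail record format so the same logic applies to a real export.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2014-09-09T18:02:11Z", "eventName": "TerminateInstances",
     "eventSource": "ec2.amazonaws.com", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "Root", "accountId": "123456789012",
                      "accessKeyId": "AKIAEXAMPLEROOT00000"}},
    {"eventTime": "2014-09-09T18:05:40Z", "eventName": "DeleteBucket",
     "eventSource": "s3.amazonaws.com", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot",
                      "accessKeyId": "AKIAEXAMPLEDEPLOY000",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
    {"eventTime": "2014-09-09T18:07:02Z", "eventName": "DescribeInstances",
     "eventSource": "ec2.amazonaws.com", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "accessKeyId": "AKIAEXAMPLEALICE0000",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
]})

ALLOWED_SOURCE_IPS = {"198.51.100.23"}          # assumed office egress address
DESTRUCTIVE_PREFIXES = ("Delete", "Terminate")  # calls that can take services down


def review_records(raw_json: str, allowed_ips=ALLOWED_SOURCE_IPS) -> List[Dict]:
    """Return one finding per suspicious record, attributed to user and access key."""
    findings = []
    for rec in json.loads(raw_json)["Records"]:
        ident = rec.get("userIdentity", {})
        who = ident.get("userName") or ident.get("type")
        key = ident.get("accessKeyId", "n/a")
        attrs = ident.get("sessionContext", {}).get("attributes", {})
        mfa = attrs.get("mfaAuthenticated") == "true"
        reasons = []
        if ident.get("type") == "Root":
            reasons.append("root account used")
        if rec.get("sourceIPAddress") not in allowed_ips:
            reasons.append("source IP outside allow-list")
        if rec.get("eventName", "").startswith(DESTRUCTIVE_PREFIXES) and not mfa:
            reasons.append("destructive call without MFA")
        if reasons:
            findings.append({"time": rec["eventTime"], "user": who, "accessKeyId": key,
                             "event": rec["eventName"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in review_records(SAMPLE_CLOUDTRAIL):
        print(finding)
```

On the sample data the root TerminateInstances call trips all three rules and the deploy-bot DeleteBucket call trips the MFA rule, while alice's read-only call with MFA passes.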
ISO 27001 - Goals of ISO 27001, relation to similar standards, implementation scenarios
Roman Kellner, Chief Happiness Officer :-) at @xtradesoft, gave an overview of ISO 27001 and related standards:
- ISO 27001:2013 Information Security Management System (ISMS) Requirements
- ISO 27002:2013 Code of Practice
- ISO 31000 Risk Management
The structure of ISO 27001 looks somewhat similar to ISO 9001 Quality Assurance, including the monitoring and continuous improvement loop of Plan-Do-Check-Act (PDCA).
For a successful implementation and certification, the ISO 27001 efforts must be supported and driven by the company leadership.
The third talk about Splunk unfortunately had to be postponed.
Labels: cloud, events, itarchitecture, security, technology