Cloud Security

A development server recently became compromised, and while this isn’t necessarily a good thing, it does raise awareness and provides impetus to strengthen security measures.

Access Control

A few axioms: – Access control is better through certificates (what you have) than passwords (what you know) – Two-factor authentication is better than both (what you have + new knowledge communicated) – The point is to be reasonably hardened, but have monitoring which alerts upon compromise (intrusion detection) – Regularly conducted penetration testing should help inform the hardening process – Encryption is necessary, eventually end-to-end but in any case when logins are being used – Apache is a big attack vector, so keep it patched, and with limited rights – Various exploits against web content and databases, security-aware software development standards required – Simple is better, because simple gets done where complicated does not – Users should not share accounts – Have a disaster recovery process because there will be a future when it will need to be used