AWS Authentication Security: Securing Keys to the Cloud
ZDNet reports on the ‘extra layers of security’ introduced by vendors this week at the Amazon Web Services (AWS) re:Invent 2014 conference in Las Vegas, with a focus on authentication security. Weak third-party vendor security has been the root cause of major data breaches in the news, including Target and Home Depot. More often than not, attackers go after third parties because they offer an easier point of entry into an enterprise network than the enterprise itself.
A cloud hosting provider’s services also often include an administrative management dashboard that lets an organization manage all of its cloud services. That means the username and password for that dashboard are the master keys to your entire IT infrastructure, which makes these cloud account logins an even more valuable target for attackers.
Datapipe, a hybrid cloud managed service provider, introduced new security software at re:Invent, Access Control Model for AWS (DACMA), that doesn’t require its enterprise clients to hand over administrator or root credentials in order for Datapipe to manage their AWS infrastructure. Companies keep complete control over their environment and can revoke Datapipe’s privileges at any time.
Two-factor authentication is another feature rolled into their security model: it is required for every employee who logs into a Datapipe single sign-on account, as well as into any enterprise AWS account. This sharply reduces, and in many cases eliminates, an attacker’s ability to log into a cloud account with nothing more than a set of stolen credentials.
Another way they secure access to cloud services is with automated logins and encrypted password storage, so that even Datapipe support staff never actually see the AWS login credentials in the clear. This is meant to cut down on the human errors that lead to data leaks or breaches, such as password sharing and falling for phishing emails.
In a worst-case scenario, stolen AWS administrator credentials can put a company out of business, as seen in the Code Spaces incident. The company was a Git and SVN hosting provider, but was forced to shut down when an attacker deleted its backups and critical parts of its infrastructure after obtaining the login for the company’s AWS EC2 management console.
Echoing Datapipe’s point that once your cloud credentials are stolen it is very difficult or impossible to regain control, the attacker destroyed the environment in retaliation when Code Spaces tried to change the password to lock them out. Changing a single password is not enough once an attacker has had console access: by then they may have created additional IAM users or access keys, and every one of those must be found and revoked before the account is yours again. Get the whole story in Protecting the Cloud with Two-Factor: AWS Authentication Security for IaaS Providers.
One example of two-factor authentication is a USB device that lets engineers log in with the push of a button on the device. FIDO (Fast IDentity Online), the alliance organized to standardize authentication technology and devices, created a standard called Universal 2nd Factor (U2F) that uses public-key cryptography for phishing-resistant authentication: the token signs a one-time challenge from the site together with the site’s origin, so a credential registered for the real site cannot be used by a look-alike phishing site, and a captured response cannot be replayed. Find out more about Duo Security U2F.
Duo Security is also an official AWS partner - find out more about how administrators can protect their AWS infrastructure and applications with two-factor authentication for a number of integrations, from SSH to OpenVPN.
Setting up two-factor authentication for individual third-party accounts is easy - check out Duo Security’s Guide to Third-Party Accounts for screenshots and step-by-step instructions.