
There are various levels of offline. For example, you can have an S3 bucket with write-only access. No, it's not perfectly offline. But it's isolated from both vulnerabilities and from hacked employees, which covers most common types of breaches. You can solve 99% of the offline storage features without having an actual physical location with tapes.


What about hacked employees' AWS accounts?


Employees shouldn't have default access to those credentials. This applies to audit/backup/account management/billing privileges. You can have very dedicated roles with lots of restrictions for those specific things.


Unless they're highly privileged enough to turn on read access to the bucket, you're fine. Thus, you can contain most breaches of credentials.


If the organisation doesn't use SSO coupled with MFA and the enforcement of the least amount of privileges principle on a cloud platform, then they have no right to complain about security breaches.
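The write-only bucket idea from the thread, as an added example that is not part of any comment above: a small audit that checks whether an IAM policy attached to a backup uploader can write to the bucket without also being able to read, delete or reconfigure it. The function names, the sample policies and the bucket name are constructed for illustration, and the check is simplified to `Action` and `Effect` only (it ignores `Resource`, `Condition` and `NotAction`).

```python
from fnmatch import fnmatchcase

# Actions that would break the "write-only" property if the uploader role held them.
READ = ["s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket"]
DESTROY = ["s3:DeleteObject", "s3:DeleteObjectVersion", "s3:PutLifecycleConfiguration"]
RECONFIGURE = ["s3:PutBucketPolicy", "s3:PutBucketAcl", "s3:PutBucketVersioning"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(statement, action):
    # IAM action names are case-insensitive and may contain * and ? wildcards.
    return any(fnmatchcase(action.lower(), pattern.lower())
               for pattern in _as_list(statement.get("Action", [])))

def is_allowed(policy, action):
    """Explicit Deny wins over Allow; anything not allowed is implicitly denied."""
    statements = _as_list(policy["Statement"])
    if any(s["Effect"] == "Deny" and _matches(s, action) for s in statements):
        return False
    return any(s["Effect"] == "Allow" and _matches(s, action) for s in statements)

def audit_write_only(policy):
    """Return the list of findings; an empty list means the policy is write-only."""
    findings = []
    if not is_allowed(policy, "s3:PutObject"):
        findings.append("cannot write: s3:PutObject is not allowed")
    for label, actions in (("read", READ), ("destroy", DESTROY),
                           ("reconfigure", RECONFIGURE)):
        findings += [f"{label}: {a}" for a in actions if is_allowed(policy, a)]
    return findings

# Constructed sample policies (the bucket name is a placeholder).
ARN = "arn:aws:s3:::example-backup-bucket/*"
TOO_BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*Object", "Resource": ARN}]}
WRITE_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:PutObject"], "Resource": ARN}]}

if __name__ == "__main__":
    for name, policy in (("TOO_BROAD", TOO_BROAD), ("WRITE_ONLY", WRITE_ONLY)):
        print(name, audit_write_only(policy) or "write-only")
```

`s3:PutObject` on its own still lets the holder overwrite an existing key, so older backups are only protected when bucket versioning or Object Lock is enabled.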



