What The Code Spaces Disaster Means (And Doesn't Mean) For Your Cloud Backups
By now you’ve probably read about the sad fate of Codespaces.com. To recap, someone hacked Code Spaces’s Amazon Web Services account and demanded a ransom; when Code Spaces did not cooperate, the attacker deleted the majority of their (and their customers’) data, their backups, their offsite backups and their machine configurations, forcing Code Spaces to permanently close down. This is the ultimate nightmare of malicious intrusions, and our thoughts are with Code Spaces employees and customers.
This incident has also raised a lot of questions about cloud security, and we’ve seen some inquiries from people understandably concerned about the safety of their backups in the cloud. But “cloud” isn’t a monolithic term – there’s plenty of variety in how a cloud service might be built and managed. So, we’d like to take this opportunity to explain how our setup differs from what Code Spaces had, and how we protect our customers from similar attacks.
The Ownership Question
A major difference between Zetta and how Code Spaces was set up is in ownership of infrastructure. Code Spaces built their service on Amazon’s cloud. This might have offered initial capital savings, but it also ceded pretty much all control over how their system was set up.
We own our cloud, its logical infrastructure and the computers that run it, so we control all facets of how it operates. The safety of our customers’ data is very important to us and we pride ourselves on our high security standards. We use SSL encryption in flight and AES encryption at rest, with a unique encryption key for each customer. Our service is audited according to the SSAE 16 standard, and we’re compliant with strict regulations like HIPAA and ITAR.
But external security might not have mattered for Code Spaces – as of right now, it’s believed the attack against them was probably carried out with compromised credentials. What‘s stopping someone from stealing a Zetta user’s credentials and mounting a similar attack?
Partners, Not Landlords
Using Amazon Web Services is a bit like renting a physical office space – you get the keys from the landlord (in this case Amazon), and the rest is up to you. This is perfect for some use cases, but backups aren’t really one of them. In this case, the way Code Spaces set up their system allowed the intruder to essentially waltz in and burn the whole thing down from their AWS control panel.
As a professional disaster recovery solution, Zetta is more of a partner than a landlord. It’s our business to ensure that your backups are secure and ready for recovery if you should ever need them. For that reason, we have checks in place that prevent the wholesale deletion of data in our care.
Crucially, we don’t have a single point of failure. Part of our service is to take regular snapshots of a customer’s data for disaster recovery purposes. Unlike primary data, snapshots can’t be deleted by the end user – only by Zetta support personnel. This helps us protect our customers from malicious impersonators or rogue employees – even if an attacker were to illegally access a customer’s account and delete their primary data, those snapshots would still exist safely in our servers, out of reach. Additionally, our use of data replication technology means that even if a snapshot were deleted, it would still be recoverable from the replication.
Introducing 2-Factor Authentication
Our system protects our customers from losing their data if an unauthorized user accesses their account – but it’s even better if the unauthorized access just doesn’t occur. To that end, we’re proud to announce that Zetta will begin offering 2-factor authentication for all our customers this summer. This feature has been in the works for some time, but we’ve moved up the release announcement in light of the Code Spaces disaster.
If you aren’t familiar with it, 2-factor authentication helps protect your account by requiring two pieces of information in order to log in. The first is your password, which you would enter as you normally do. The second is a random number code sent to your phone, either by text or via an app. Even if a hacker steals your password in a phishing attack, they wouldn’t have the code from your phone and thus couldn’t log into your account. 2-factor authentication can greatly reduce the risk of account hijackings, and we urge all customers to use this feature as soon as it’s released.
There’s a lot to learn from the shocking attack on Code Spaces, but the biggest lesson might be that just because a service is “cloud” doesn’t mean it’s bulletproof. It’s important to remember that all clouds are NOT created equal. Like physical systems, clouds can be configured in ways that makes them more or less vulnerable to attack, and it’s important to do your diligence when selecting a cloud service. Hackers are going to keep getting more sophisticated in their attacks. The good guys have to keep up.