Dialogue with Web3 Excellent Security Service Provider The ‘Attack and Defense Battle’ of Cloud Security

The Web3 ecosystem, built on blockchain (distributed ledger) technology, is evolving rapidly. Technological innovation in L1 and L2 public chains makes them viable as the next generation of underlying computing networks. Infrastructure components keep improving and snap together like Lego, and Web3 BUIDLers are building a growing range of dApps across many application tracks.

Cloud services are a particularly important part of Web3's underlying infrastructure and are indispensable to the whole ecosystem, with tens of thousands of programs running on cloud servers every year. According to a public report from Immunefi, “In the security incidents of 2022, 46.5% of fund losses came from underlying infrastructure, with the management, practices, and emergency response plans related to private keys being the most important factor.” Web3 cloud security faces ongoing challenges: private key leaks, unauthorized access, smart contract analysis and auditing, DDoS attacks, insider threats, compliance, and stability all trouble Web3 BUIDLers and keep raising new challenges for cloud service providers and security service providers.

As one of the first companies to launch cloud services, Amazon Web Services (AWS) has long been a leader in the field. Today AWS actively embraces the Web3 ecosystem and, together with the leading Web3 community brand CrossSLianGuaice, has launched a series of online and offline seminars on “Web3 Security,” digging into cloud service security, listening to the practical security challenges of exchanges, public chains, infrastructure projects, and dApps, and exploring workable solutions.

As part of the interview segment of this series, we were honored to interview four outstanding Web3 security service providers – Beosin, CertiK, MetaTrust, and SlowMist – along with AWS cloud security experts. Together we explore the current challenges of cloud security in Web3 and approaches to solving them.

Why is cloud security in Web3 so important?

Security is of paramount importance to any enterprise, and cloud services and Web3 are interdependent. Since the launch of the Bitcoin mainnet in 2009 and the Ethereum mainnet in 2015, security incidents and asset losses have risen year after year, so security, as the cornerstone of the Web3 world, deserves even more attention. Whether in centralized exchanges or in decentralized scenarios such as DeFi, GameFi, NFT, DAO, Social, and Bridges, every application scenario is built on tokens, and how to secure the entire token-handling flow is something Web3 BUIDLers need to consider carefully. AWS, as an expert and service provider in cloud security, has been closely following security in the blockchain and Web3 fields, communicating actively with project teams, and organizing many forms of Web3 security sharing and training.

As 2023 draws to a close, the signals of a bull market are becoming clearer, and the number of Web3 projects deploying on cloud servers is expected to grow rapidly. Cloud infrastructure plays an ever larger role, which makes cloud security a crucial concern for every developer and BUIDLer.

What are the major challenges in cloud security?

In this interview, security company Beosin stated, “Attacks on cloud service providers have recently been one of the main types of attack. These attacks mainly involve DDoS, account hijacking, malicious implants, and other methods, aiming to compromise the computing and storage services that cloud providers offer. The consequences of such attacks are sensitive data leakage and service interruptions.” The team further shared, “Recently, Mixin Network and Fortress IO suffered losses of $200 million and $15 million respectively due to attacks on their cloud service providers.”

The leakage of sensitive data, particularly private keys, was mentioned repeatedly in this interview as a cause of security incidents. CertiK's security quarterly report for the third quarter also stated, “The leakage of private keys was one of the reasons for significant losses this quarter. Fourteen cases of stolen private keys resulted in a total loss of $204 million.”

Beyond data leakage, the SlowMist team identified several other categories of cloud security threat:

1. Account leakage and unauthorized access: attackers obtain user account credentials by cracking passwords, social engineering, or weak-password attacks, and use them to gain unauthorized access.

2. DDoS attacks: Distributed Denial of Service (DDoS) attacks can make cloud services unavailable by exhausting resources or flooding the network with traffic, leading to service interruptions.

3. Malicious insider threats: internal users or employees may abuse their permissions to steal data, destroy information, or engage in other malicious activity.

4. Compliance and data management: project owners may lack effective tools to protect their data while it is processed on a cloud provider's platform, leading to data confusion or loss.

Facing attackers who probe from many directions, plus potential internal security risks, Web3 security experts emphasize that cloud security needs a comprehensive strategy; simple one-dimensional measures are not sufficient.

In the “battle” of cloud security, how can we break the deadlock?

Faced with ongoing challenges in cloud security, how can we strengthen “defense” and protect user privacy data and funds? Experts and teams from various security institutions provide their insights.

Beosin Team:

“Given the frequent occurrence of sensitive data leaks, we recommend that technical personnel encrypt data both at rest and in transit to prevent unauthorized access by third parties. For sensitive data such as private keys, we suggest using privacy computing and homomorphic encryption technologies to prevent key leakage.

At the same time, the project team needs to confirm that clients access the cloud service only through a secure API, to avoid injection attacks, cross-site scripting, and other malicious activity. Using an API also lets the service authenticate clients and verify their identity and data before they reach the cloud service, ensuring access and data security. Since personal computers have weaker security as clients, we do not recommend calling the API directly from personal computers for data access and operations on the system; instead, use cloud-based virtual desktops or secure jump hosts to complete the relevant access.”

Prof. Li Kang, Chief Security Officer at CertiK:

“We mainly observe two common risks when using cloud platforms: improper configuration of cloud data by users, and risks caused by users hiding cloud backend services inside dApps. Most of the time, cloud platforms protect resources and control data, but external parties often get a chance to enter a user's backend because of misconfiguration. The second type of risk comes from project developers hiding cloud backend services within dApps: some developers, for their own convenience, design an interface intended only for internal use, so that the dApp can be reached directly from a mobile app without the interface being public. Although the project's cloud API has dedicated controls, this still creates a lot of interaction between the dApp and the backend.”

In response to these two types of risk, CertiK provides security services for clouds and cloud-based dApps, including code audits, risk assessments, team identity verification, and background checks. Prof. Li Kang added: “If you cannot guarantee the absolute trustworthiness of the development team, a comprehensive audit of the dApp by audit experts is still necessary.”

Prof. Liu Yang, Co-founder of MetaTrust:

“As a foundational layer, cloud security needs to ensure data security and user privacy protection. Building end-to-end, full-stack security protection is especially important, with the focus on protecting data: set appropriate access permissions for each type of data to prevent unauthorized access. Cloud services have complex mechanisms, and different categories of data need independent access mechanisms.

In addition, data compliance should be emphasized. Much of the data in the cloud sits within the same cloud, yet access restrictions may apply between different regions, and not understanding this easily leads to compliance problems from cross-border data leaks. Therefore access control and identity verification are also important: we need strict, fine-grained access control and identity verification mechanisms to prevent unauthorized access.”
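CertiK's first risk (misconfiguration letting outsiders into the backend) and MetaTrust's point about per-data-class, fine-grained access control both come down to what the policy document on a resource actually grants. The following is an added example written for this article, not code from CertiK, MetaTrust, or AWS: a small Node.js linter for AWS-style JSON policy documents that flags the patterns behind those two risks, shown against a constructed weak bucket policy and a constructed hardened one. The bucket name, role ARN, and account ID 123456789012 are placeholders; the condition key aws:SecureTransport is a real AWS global condition key.

```javascript
// Added example: lint a JSON policy document for anonymous access and
// over-broad grants. Node.js, no dependencies. Policies are constructed samples.

function asArray(v) {
  if (v === undefined) return [];
  return Array.isArray(v) ? v : [v];
}

// Does this Principal grant to anyone (anonymous or any AWS account)?
function isPublicPrincipal(p) {
  if (p === '*') return true;
  if (p && typeof p === 'object') return asArray(p.AWS).includes('*');
  return false;
}

// Returns a list of human-readable findings; an empty list means clean.
function lintPolicy(policy) {
  const findings = [];
  asArray(policy.Statement).forEach((st, i) => {
    const where = st.Sid ? `statement "${st.Sid}"` : `statement #${i}`;
    if (st.Effect !== 'Allow') return; // Deny statements only tighten access

    const actions = asArray(st.Action);
    const resources = asArray(st.Resource);
    const wildcardAction = actions.some(a => a === '*' || a.endsWith(':*'));
    const wildcardResource = resources.includes('*');
    const mutating = actions.some(a => /:(Put|Delete|Create|Update)/.test(a));

    // Risk 1: anyone on the internet can hit the resource (no Condition to narrow it).
    if (isPublicPrincipal(st.Principal) && !st.Condition) {
      findings.push(`${where}: public principal with no Condition (anonymous access)`);
    }
    // Risk 2: grants far wider than the data class needs.
    if (wildcardAction && wildcardResource) {
      findings.push(`${where}: wildcard action on wildcard resource (admin-equivalent)`);
    } else if (wildcardAction) {
      findings.push(`${where}: wildcard action ${actions.join(',')} (not least privilege)`);
    } else if (mutating && wildcardResource) {
      findings.push(`${where}: write/delete action on every resource`);
    }
  });
  return findings;
}

// Constructed weak policy: the kind of "for convenience" configuration that
// exposes a backend bucket holding key-backup material to the whole internet.
const WEAK_POLICY = {
  Version: '2012-10-17',
  Statement: [{
    Sid: 'KeyBackupAccess',
    Effect: 'Allow',
    Principal: '*',
    Action: 's3:*',
    Resource: ['arn:aws:s3:::example-key-backup', 'arn:aws:s3:::example-key-backup/*'],
  }],
};

// Constructed hardened policy: one named role, one read action, one prefix
// for one data class, TLS required, and an explicit Deny for plaintext transport.
const HARDENED_POLICY = {
  Version: '2012-10-17',
  Statement: [{
    Sid: 'SignerReadWrappedDeks',
    Effect: 'Allow',
    Principal: { AWS: 'arn:aws:iam::123456789012:role/signer' }, // placeholder account
    Action: ['s3:GetObject'],
    Resource: 'arn:aws:s3:::example-key-backup/wrapped-deks/*',
    Condition: { Bool: { 'aws:SecureTransport': 'true' } },
  }, {
    Sid: 'DenyInsecureTransport',
    Effect: 'Deny',
    Principal: '*',
    Action: 's3:*',
    Resource: ['arn:aws:s3:::example-key-backup', 'arn:aws:s3:::example-key-backup/*'],
    Condition: { Bool: { 'aws:SecureTransport': 'false' } },
  }],
};

console.log('weak:', lintPolicy(WEAK_POLICY));
console.log('hardened:', lintPolicy(HARDENED_POLICY));
```

Running this on every policy at deploy time (for example as a CI step) catches the class of misconfiguration before it reaches an account; it does not replace the provider's own access analyzer, but it makes the intended data-class boundaries explicit and reviewable.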

The SlowMist team:

“Cloud security requires a comprehensive security strategy, including appropriate access controls, encryption, and continuous monitoring. Professional security institutions should be consulted for comprehensive audits, education and training, and other measures to ensure the security and stability of the cloud environment. For example, encrypt critical data end to end. If encryption is used, secure management of the encryption keys is crucial, and key backups should be kept, preferably not in the cloud. Preventing basic vulnerabilities such as configuration errors will greatly reduce cloud security risk. Finally, securing networks and devices is crucial for individual users, small and medium-sized enterprises, and enterprise-level cloud users alike.”

AWS: Security is like an onion with multiple layers of protection

Whether in Web2 or Web3, AWS actively provides cloud computing and security services for all kinds of projects. As a leading cloud computing company, AWS's Web3 technology experts believe that security is not a single-layer protection model like an egg but a multi-layer model like an onion, with layers that build on one another. Specifically: the first layer is threat detection and incident response; the second, identity authentication and access control; the third, network and infrastructure security; the fourth, data protection and privacy; and the fifth, risk management and compliance. AWS provides solutions for each layer, helping Web3 projects manage the security of the entire application system.

Conclusion: To win the battle of defense and offense in Web3 cloud security, it requires the joint efforts of all parties

Security in the Web3 ecosystem depends on the security of its cloud infrastructure. Everyone connected to that infrastructure, including project owners, cloud service providers, and security service providers, needs to establish a comprehensive security strategy and conduct regular audits and self-checks to keep security as strong as possible.

Web3 developers, besides raising their ethical standards, should keep improving their security skills. They can take part in AWS activities and training aimed at developers, such as Web3 Ethical Hacking and Security Best Practice, to learn to identify common contract risks.

Our common goal is to build a secure Web3 ecosystem and achieve sustainable industry development. We hope you can gain inspiration from this interview and actively apply it in your daily practice.

If Web3 project owners need to understand how to build secure cloud applications, you can click the link to learn more:

https://aws.amazon.com/tw/local/hongkong/Web3/
