Dialogue with Leading Web3 Security Service Providers: The “Offensive and Defensive Battle” of Cloud Security
The Web3 ecosystem, built on blockchain (distributed ledger) technology, is iterating rapidly: innovation on L1 and L2 public chains makes it feasible for them to become the next generation of underlying computing networks, infrastructure components keep improving and snapping together like “Lego” bricks, and Web3 BUIDLers keep building rich dApps across many application tracks.
As a particularly important piece of Web3’s underlying infrastructure, cloud services are indispensable to the entire ecosystem, with tens of thousands of programs running on cloud servers every year. According to publicly reported data from the security agency Immunefi, “46.5% of the financial losses in 2022 came from the underlying infrastructure, with the management, practices, and emergency response plans for private keys being the most important.” Web3 cloud security continues to face challenges such as private key leakage, unauthorized access, smart contract analysis and auditing, DDoS attacks, insider threats, and compliance and stability; these issues have plagued Web3 BUIDLers and also pose new challenges to cloud service providers and security service providers.
Amazon Web Services (AWS), the first company to launch cloud services, has always been a leader in the field. AWS is now actively embracing the Web3 ecosystem and has jointly launched a series of online and offline “Web3 Security” seminars with CrossSpace, a leading Web3 community brand, to go deep into cloud service security, listen to the security practice challenges faced by exchanges, public chains, infrastructure and dApps, and discuss practical solutions.
As part of this series, we were honored to interview four leading Web3 security service providers, Beosin, CertiK, MetaTrust and SlowMist, as well as AWS cloud security experts, about the current challenges of cloud security and how to solve them.
Why is Web3 cloud security so important?
Security is a top priority for any business, and cloud services and Web3 reinforce each other. Since the launch of the Bitcoin mainnet in 2009 and of the Ethereum mainnet in 2015, security incidents and asset losses have increased year by year, so security, as the cornerstone of the Web3 world, deserves more attention. Whether in a centralized exchange or in decentralized DeFi, GameFi, NFT, DAO, Social, Bridge and other scenarios, applications are built around tokens, and securing the entire token-handling flow has become a problem every Web3 BUIDLer needs to consider carefully. As an expert in cloud security and an organization that has served many Web3 project teams, AWS has been paying close attention to security in the blockchain and Web3 field, actively communicating with project teams and holding Web3 security sharing sessions and training in various forms.
Towards the end of 2023 the bull market signal is becoming clearer, the number of Web3 projects deploying cloud servers will increase rapidly, and the role of the cloud as an infrastructure layer is growing, so cloud security is something every developer and BUIDLer must pay attention to.
What are the major challenges facing cloud security today?
In this interview, security company Beosin said, “Attacks on cloud service data providers are one of the main types of attack in recent times, mainly through DDoS attacks, account hijacking, malicious implantation and other means, against the computing and storage services provided by cloud service data providers; the consequences are sensitive data leakage and service interruption.” The team added, “Mixin Network and Fortress IO recently lost $200 million and $15 million, respectively, due to attacks on cloud service providers.”
The leakage of sensitive data, and of private keys in particular, was cited as the cause of security incidents many times by the security experts in this interview. CertiK’s Q3 security quarterly report also stated that “private key leaks were one of the reasons for significant losses in the quarter. The 14 incidents of theft of private keys resulted in a total loss of $204 million.”
In addition to data breaches, the SlowMist team also identified several other categories involving cloud security threats, including:
Account compromise and unauthorized access: hackers can gain unauthorized access to user accounts and credentials through password cracking, social engineering, or weak-password attacks.
DDoS attacks: distributed denial-of-service (DDoS) attacks can render cloud services unavailable, crippling them by exhausting resources or flooding network traffic and leading to business disruption.
Malicious insider threats: internal users or employees may abuse their authority to steal data, destroy information, or engage in other malicious acts.
Compliance and data management: the project team fails to make effective use of the available tools to protect data while processing it on the cloud service provider’s platform, resulting in data confusion or loss.
In the face of hackers’ multi-dimensional angles of attack and potential internal security risks, Web3 security experts urge everyone to realize that cloud security requires a comprehensive security strategy rather than one-dimensional, simplistic prevention.
Cloud Security’s “Battle of Attack and Defense”: How to Break the Deadlock?
In the face of the continuous challenges of cloud security, how can “defense” be done well to protect users’ private data and funds? Experts and teams from various security agencies gave their views.
Beosin Team:
“Sensitive data breaches occur frequently, so we recommend that technicians encrypt data both when storing and when transmitting it, to prevent access by unauthorized third parties. For sensitive data such as private keys, we recommend using privacy-preserving computing and homomorphic encryption technologies to prevent private key leakage.
At the same time, the project team needs to ensure that clients only access the cloud service through secure APIs, to avoid malicious activities such as injection attacks and cross-site scripting. APIs can also be used to authenticate and verify data before cloud services are accessed, to ensure access security and data security. Considering that personal computers used as clients have weak security protection, we do not recommend calling APIs directly from personal computers to access and operate the system; instead, complete such access through cloud virtual desktops or secure jump servers.”
Prof. Kang Li, Chief Security Officer, CertiK:
“We mainly observe two common types of risk when using cloud platforms: users’ improper configuration of cloud data, and the risk caused by users hiding the cloud backend’s services from dApps. Most of the time the cloud provides a great deal of resource protection and data control, but often, because of the user’s improper configuration, outsiders get the opportunity to enter the user’s backend. The other type of risk comes from project developers hiding the cloud backend’s services from the dApp: to make their own work easier, some developers design an interface for the entire project that they think is only used internally, so that the dApp can be accessed directly by the mobile app without being exposed to the public. Although the project team’s cloud API has special controls, this still leads to a great deal of interaction between the dApp and the backend.”
In the face of these two types of risk, CertiK has established security services for both the cloud and cloud-based dApps, including code audits, risk assessments, team identity verification, and background checks. “If you can’t guarantee that the development team can be trusted, it’s important to have an audit expert conduct a complete audit of the dApp.”
Prof. Yang Liu, Co-founder of MetaTrust:
“As an infrastructure layer, cloud security needs to do a good job of data security and user privacy protection: build end-to-end, full-stack security with a special focus on data protection, and set access permissions for different types of data to prevent unauthorized access. The mechanisms of cloud services are complex, and different types of data need independent access mechanisms.
In addition, data compliance also needs to be taken seriously. At present a lot of data is kept in the same cloud, which may be subject to restrictions in different regions. If you don’t understand this situation, it can easily lead to compliance problems caused by cross-border data breaches. Therefore, access control and authentication are also very important: we need to build a strict and fine-grained access control and authentication mechanism to prevent unauthorized access.”
SlowMist Team:
“Cloud security requires a comprehensive security strategy, including appropriate access control, encryption, continuous monitoring, full-range audits by professional security agencies, education and training, and other measures to ensure the security and stability of the cloud environment. For example, end-to-end encryption of critical data: if encryption is used, security management of the encryption key is crucial; keep a backup of the key, preferably not in the cloud. Likewise, preventing basic vulnerabilities such as misconfigurations greatly reduces cloud security risk. Finally, whether you’re an individual, a small or medium-sized business, or an enterprise-level cloud user, it’s important to ensure that your network and devices are as secure as possible.”
AWS: Security is onion-style, multi-layered protection
Whether in Web2 or Web3, AWS actively provides cloud computing and security services for a wide variety of projects. As a leading enterprise and active participant in cloud computing, AWS’s Web3 technical experts hold that security is not the single-layer protection of the “egg” model but the “onion” model of multi-layer protection, which unfolds progressively layer by layer. Specifically, the first layer is threat detection and incident response, the second is identity authentication and access control, the third is network and infrastructure security, the fourth is data protection and privacy, and the fifth is risk control and compliance. AWS provides a complete solution for each layer to help Web3 project teams manage the entire application system more securely.
Conclusion: winning the offensive and defensive battle of Web3 cloud security requires the joint efforts of all parties
The security of the Web3 ecosystem is inseparable from the security of cloud infrastructure, and every participant involved with cloud infrastructure, including project teams, cloud service providers, and security service providers, needs to establish a comprehensive security strategy, conduct regular audits, and carry out security self-checks to maximize security.
Web3 developers, in addition to raising their own ethical standards, also need to keep improving their security skills; they can actively participate in AWS’s activities and training for developers, such as Web3 Ethical Hacking and Security Best Practice, to learn to identify common contract risks.
Our common goal is to build a secure Web3 ecosystem and achieve sustainable development for the industry; we hope you can take inspiration from this interview and apply it actively in your daily practice.
If Web3 projects need to know how to build secure cloud applications, click the link to learn more: