Now Shipping: New Security Features
June 26, 2013 | Chris Ueland

As you may have read, we had a security breach a few weeks ago. We're putting together the full postmortem, so expect a detailed post in the next few days. Until then, we'd like to highlight the new security features we've been working on (around-the-clock) to further secure your data and account.

Control Panel Security

We've added almost a dozen new features to the Control Panel, including:
- Two Step Authentication is now available to Administrators and Sub-Users through Google’s Authenticator Mobile App.
- Allowed IP Whitelist: Restrict account access to a whitelist of IP addresses, configured per user account. Enterprise customers requested this feature so they can limit logins to their office IP address.
- Email Alerts: Emails are sent to Account Owners to keep you informed whenever your origin is modified. Emails are also sent to account owners every time a new IP is seen logging in for the first time.
- Activity Stream: Now logs more actions and includes User Agent and Location.
- Re-issued SSL certificates and keys
- Password reset email expiration time has been lowered to 3 hours
- Improved CSRF (Cross Site Request Forgery) validation
- Improved XSS prevention
API Security

On the API side, you can now limit individual API keys to Reports Only, Purge Only, specific zones, or any combination of these. Keys that only need limited access, such as one used by a cron job that generates reports, can now be restricted to exactly that, so a leaked key exposes much less.

Internal Security Measures

While we can't discuss everything happening behind the scenes, here are a few security improvements we can share:
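To show how such key scoping works as an authorization check, here is an added example (not MaxCDN's code). The action names, zone ids and the mapping of actions to the "reports" and "purge" scopes are assumptions for illustration; the real API's mapping is not described on this page.

```python
"""Scoped API-key authorization: an added illustration, not MaxCDN's code."""
from dataclasses import dataclass
from typing import FrozenSet

# Assumed capability names; the real endpoint-to-scope mapping is not on the page.
REPORT_ACTIONS = frozenset({"reports.read"})
PURGE_ACTIONS = frozenset({"purge.file", "purge.zone"})
ALL_ACTIONS = REPORT_ACTIONS | PURGE_ACTIONS | frozenset({"zone.update", "zone.create"})


@dataclass(frozen=True)
class ApiKey:
    key_id: str
    # Restrictions chosen when the key was issued.  An empty ``scopes`` set means
    # the key is unrestricted; an empty ``zones`` set means it may touch every zone.
    scopes: FrozenSet[str] = frozenset()   # subset of {"reports", "purge"}
    zones: FrozenSet[int] = frozenset()


def allowed_actions(key: ApiKey) -> FrozenSet[str]:
    """Expand the key's scope flags into the concrete actions it may perform."""
    if not key.scopes:
        return ALL_ACTIONS
    allowed: FrozenSet[str] = frozenset()
    if "reports" in key.scopes:
        allowed |= REPORT_ACTIONS
    if "purge" in key.scopes:
        allowed |= PURGE_ACTIONS
    return allowed


def authorize(key: ApiKey, action: str, zone_id: int) -> bool:
    """Allow only if both the action and the target zone fall inside the key's limits."""
    if action not in ALL_ACTIONS:
        return False                       # unknown action: fail closed
    if key.zones and zone_id not in key.zones:
        return False                       # key is pinned to other zones
    return action in allowed_actions(key)


# Constructed sample keys: a cron job that only pulls reports for zone 101, a deploy
# hook that may purge zone 101 and nothing else, and an unrestricted admin key.
REPORT_CRON_KEY = ApiKey("cron-reports", scopes=frozenset({"reports"}), zones=frozenset({101}))
DEPLOY_PURGE_KEY = ApiKey("deploy-purge", scopes=frozenset({"purge"}), zones=frozenset({101}))
ADMIN_KEY = ApiKey("admin")
```

A denied call from a scoped key is also a useful signal to log alongside the Activity Stream events above, since a reports-only key attempting a purge is a strong hint that the key has leaked.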
- Penetration testing by third party security researchers
- Enabled Two Step Authentication on every web service we use (where supported)
- Provided education for employees and vendors on the cause of the breach and how to prevent further incidents