Now Shipping: New Security Features
June 26, 2013 | Chris Ueland
As you may have read, we had a security breach a few weeks ago. We’re putting together the full postmortem, so expect a detailed post in the next few days. Until then, we’d like to highlight the new security features we’ve been working on (around-the-clock) to further secure your data and account.
Control Panel Security
We’ve added almost a dozen new features to the Control Panel, including:
- Two Step Authentication is now available to Administrators and Sub-Users through Google’s Authenticator Mobile App.
- Allowed IP Whitelist: Restrict account access to a whitelist of IP addresses, configured per user account. Enterprise customers have requested this feature so they can limit logins to their office IP address.
- Email Alerts: Emails are sent to Account Owners to keep you informed whenever your origin is modified. Emails are also sent to account owners every time a new IP is seen logging in for the first time.
- Activity Stream: Now provides logging for more actions and includes User Agent and Location.
- Re-issued SSL certificates and keys
- Password reset email expiration time has been lowered to 3 hours
- Improved CSRF (Cross Site Request Forgery) validation
- Improved XSS prevention
This combination of features improves everyone’s security out of the gate.
On the API side, you can now limit individual API keys to Reports Only, Purge Only, specific zones, or any combination of these. This lets keys that only need limited access, such as the key used by a cron job that generates reports, be issued with no more privilege than that job requires.
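To show how this kind of key scoping enforces least privilege, here is an added example (not MaxCDN's code) of a deny-by-default authorizer for API keys limited to reports, purges, or specific zones. The action names, key ids and zone ids are hypothetical, constructed for the example; the scope and zone combinations follow the ones listed above.

```python
from dataclasses import dataclass
from typing import Optional

# Scopes a key can be limited to, as named in the post. A key with no
# restriction carries both scopes.
REPORTS = "reports"
PURGE = "purge"
ALL_SCOPES = frozenset({REPORTS, PURGE})

# Scope each API action requires (hypothetical action names).
ACTION_SCOPE = {
    "get_report": REPORTS,
    "purge_file": PURGE,
    "purge_zone": PURGE,
}


@dataclass(frozen=True)
class ApiKey:
    key_id: str
    scopes: frozenset = ALL_SCOPES
    # Empty means "any zone"; otherwise the key is pinned to these zone ids.
    zones: frozenset = frozenset()


def check(key: ApiKey, action: str, zone_id: str) -> Optional[str]:
    """Return None if the call is allowed, else a reason suitable for the
    activity log. Unknown actions are denied rather than assumed harmless."""
    needed = ACTION_SCOPE.get(action)
    if needed is None:
        return f"{key.key_id}: unknown action {action!r}"
    if needed not in key.scopes:
        return f"{key.key_id}: action {action!r} needs scope {needed!r}"
    if key.zones and zone_id not in key.zones:
        return f"{key.key_id}: zone {zone_id!r} not permitted for this key"
    return None


def authorize(key: ApiKey, action: str, zone_id: str) -> bool:
    return check(key, action, zone_id) is None


# Constructed sample keys, modelled on the combinations the post lists.
REPORT_CRON_KEY = ApiKey("k-reports", scopes=frozenset({REPORTS}))
ZONE_PURGE_KEY = ApiKey("k-purge-z1", scopes=frozenset({PURGE}),
                        zones=frozenset({"zone-1"}))
FULL_KEY = ApiKey("k-admin")

if __name__ == "__main__":
    for k, a, z in [(REPORT_CRON_KEY, "get_report", "zone-1"),
                    (REPORT_CRON_KEY, "purge_file", "zone-1"),
                    (ZONE_PURGE_KEY, "purge_file", "zone-2")]:
        print(a, z, "->", check(k, a, z) or "allowed")
```

A leaked reports-only cron key therefore cannot purge anything, and a zone-pinned purge key cannot reach other zones; the denial reasons feed the same activity stream the post describes.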
Internal Security Measures
While we can’t discuss everything happening behind the scenes, here are a few security improvements we can share:
- Penetration testing by third party security researchers
- Enabled Two Step Authentication on every web service we use (where supported)
- Provided education for employees and vendors on the cause of the breach and how to prevent further incidents
Some might say all this should have been set up in the first place, and we can only agree. We’re taking immediate steps to shore up our practices, and while this may put a temporary hold on new platform features, in today’s online environment over-the-top security has to be at your core. Features must be balanced with mitigation and ongoing prevention of attacks.
We’d like to give sincere thanks to our customers, partners, and vendors for their understanding while recovering from this breach. We know our service is now better and stronger than ever because of your support.