Auditing Your Backup Storage on DigitalOcean


Andrew Abwoga
23 June 2020

More than ever before, cloud storage is displacing traditional storage technologies. One of the main security issues inherent to cloud storage is the increased level of exposure to attacks. Unlike traditional storage technologies, which were mostly tucked away inside internal corporate networks, cloud storage is directly reachable from the open internet. With that in mind, access control becomes a critical factor in reducing that exposure.

Auditing is key to tracking access activity and continuously refining access controls to reduce exposure to attacks. In previous blogs, we reviewed auditing features on AWS and GCP. This blog discusses the steps you can take to manage access and protect backup storage on DigitalOcean.

Unfortunately, DigitalOcean provides no auditing of your backup storage, so we delve into how it handles identification, authentication, and authorization to support your security review. DigitalOcean's S3-compatible storage feature is called Spaces, as opposed to Buckets in GCP and AWS. Essentially, when you want to create S3 storage on DigitalOcean, you create a Space, and that Space contains your storage objects.

Identification and Authentication

When it comes to identification and authentication, you have the option of creating Spaces access keys, each of which is a unique key pair (access key and secret key). You can create anywhere from one to an unlimited number of access keys, which is probably not a good idea if you want to reduce exposure. It's good practice to generate only as many keys as you can manage.

How to generate access keys

  1. Log in to the DigitalOcean management portal.
  2. Select Spaces on the left navigation bar.
  3. Select the Manage Keys button on the upper right-hand side. Clicking the button will redirect you to another page.
  4. Find the Spaces access keys section on that page and click the Generate New Key button.
  5. Fill in the Name column with a name of your choice and select the tick button when ready; a key pair (access key and secret key) will be generated in the Key column.

You can use the key pair (access key and secret key) generated above to configure credentials on the Backup Ninja web portal.


Authorization

When it comes to configuring the level of access for a Space, you have the option to control the visibility of each file in the Space. The visibility of a file can be set to public or private. When it's private, only the file owner can view its contents; when it's public, everyone on the internet can view its contents.

How to change file permissions for a file

For any particular Space, you can change the permission of an individual file by:

  1. Selecting the Files tab.
  2. Selecting the More dropdown on the right-hand side of the file whose permissions you wish to change.
  3. Then, choosing between the private or public permission options and clicking Update as in the screenshot below.

You can additionally limit the files that a user can view in a Space. Below are the steps on how you can set file listing permissions.

How to set file-listing permissions

For any particular Space, you can change the file-listing permission by:

  1. Select the Settings tab.
  2. Select the Restrict File Listing option or the Enable File Listing option.
  3. Then, click the Save button.
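Because Spaces is S3-compatible, both settings above are visible through the S3 ACL API: a public file carries a READ grant for the anonymous "AllUsers" group in its object ACL, and (this is an assumption carried over from S3 semantics, not something the DigitalOcean portal states) enabled file listing shows up as the same grant on the Space's own ACL. The following script is an added example, not DigitalOcean's or Backup Ninja's code; it separates the pure audit logic, which runs against constructed sample ACLs, from a live `fetch_and_audit` helper that assumes `boto3` is installed, reads the Spaces key pair from the `SPACES_KEY`/`SPACES_SECRET` environment variables, and takes the region (for example the placeholder used in the `digitaloceanspaces.com` endpoint) as a parameter.

```python
"""Audit helper for DigitalOcean Spaces ACLs (added example, not DigitalOcean's
or Backup Ninja's code). Spaces exposes the S3 ACL model, so the public/private
setting of an object and the file-listing setting of a Space both appear as
grants to the "AllUsers" group in the ACL returned by the S3 API.
"""
import os
from typing import Dict, List

# Standard S3 grantee URI meaning "everyone on the internet" (anonymous access).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"


def public_permissions(acl: Dict) -> List[str]:
    """Return the permissions an S3-style ACL grants to anonymous users.

    `acl` has the shape returned by boto3's get_object_acl / get_bucket_acl:
    {"Owner": {...}, "Grants": [{"Grantee": {...}, "Permission": "READ"}, ...]}.
    An empty list means the object (or Space) is private to its owner.
    """
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") == ALL_USERS:
            found.append(grant.get("Permission"))
    return found


def audit_space(bucket_acl: Dict, object_acls: Dict[str, Dict]) -> Dict[str, List[str]]:
    """Flag anonymous access in one Space.

    The key "<space>" reports Space-level grants (assumed: READ on the Space
    means anonymous file listing is enabled); every other key is an object
    with its own public grants. Private objects are omitted so the report
    contains only what needs attention.
    """
    findings: Dict[str, List[str]] = {}
    listing = public_permissions(bucket_acl)
    if listing:
        findings["<space>"] = listing
    for key, acl in object_acls.items():
        perms = public_permissions(acl)
        if perms:
            findings[key] = perms
    return findings


def fetch_and_audit(space: str, region: str) -> Dict[str, List[str]]:
    """Run the audit against a live Space with boto3 (assumed installed).

    Credentials are the Spaces access key pair generated in the portal, read
    from SPACES_KEY / SPACES_SECRET so they never sit in the script.
    """
    import boto3  # imported here so the pure audit logic runs without it

    s3 = boto3.client(
        "s3",
        region_name=region,
        endpoint_url=f"https://{region}.digitaloceanspaces.com",
        aws_access_key_id=os.environ["SPACES_KEY"],
        aws_secret_access_key=os.environ["SPACES_SECRET"],
    )
    bucket_acl = s3.get_bucket_acl(Bucket=space)
    object_acls = {}
    for page in s3.get_paginator("list_objects_v2").paginate(Bucket=space):
        for obj in page.get("Contents", []):
            object_acls[obj["Key"]] = s3.get_object_acl(Bucket=space, Key=obj["Key"])
    return audit_space(bucket_acl, object_acls)


# Constructed sample ACLs in the boto3 response shape (not captured from a real Space).
OWNER = {"ID": "owner-id-placeholder", "DisplayName": "owner-id-placeholder"}
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", **OWNER}, "Permission": "FULL_CONTROL"}
PUBLIC_READ = {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}

SAMPLE_BUCKET_ACL = {"Owner": OWNER, "Grants": [OWNER_GRANT, PUBLIC_READ]}  # listing enabled
SAMPLE_OBJECT_ACLS = {
    "db-backup-2020-06-23.tar.gz": {"Owner": OWNER, "Grants": [OWNER_GRANT]},  # private
    "old-dump.sql": {"Owner": OWNER, "Grants": [OWNER_GRANT, PUBLIC_READ]},    # public
}

if __name__ == "__main__":
    for key, perms in audit_space(SAMPLE_BUCKET_ACL, SAMPLE_OBJECT_ACLS).items():
        print(f"{key}: anonymous {', '.join(perms)}")
```

Running the script as-is reports the constructed sample: the Space itself (file listing enabled) and `old-dump.sql` are flagged, while the private backup is silent. Pointing `fetch_and_audit` at a real Space gives you the periodic permission review the conclusion recommends, in a form that can be scheduled instead of clicked through in the portal.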

Audit Logging

DigitalOcean has no facility to track or log operations on your Spaces. One option is a Cloud Access Security Broker (CASB) that brokers access to your storage and keeps an audit trail. Short of that, authorization through file permissions is your best option for securing your backup storage on DigitalOcean.

Conclusion

When using DigitalOcean you should consider the tips below for securing your backup storage:

  1. Keep your backup storage private by setting the private permission on your objects.
  2. Limit the number of access keys you create and manage, to reduce mishandling and ultimately exposure of your backups.
  3. Make a habit of regularly reviewing the individual file permissions and file-listing permissions in your Spaces.
  4. Use a Cloud Access Security Broker (CASB) that will generate an audit trail of access activity to your backups.