Tag Archives: Security

Cloud Document Security

30 Monday Nov 2015

Posted by in General, Technology

Leave a comment

Tags

, ,

So an interesting piece of research was published by the Cloud Security Alliance. The research shows the growth of document sharing in the enterprise through the use of cloud services.  The interesting thing is one of the positives of adopting SaaS and PaaS is easing the challenge of ensuring environments are patched for security. But at the same time the need to educate the wider employee community even more on being security aware.

It also raises the question of managing the accidental or deliberate leakage in such an environment. As the article says, some sharing of documents to the public or 3rd parties to enable cross business collaboration may well be legitimate so businesses are going to need strategies to address this.

Just trusting security to VPNs

20 Thursday Aug 2015

Posted by in General, Technology

Leave a comment

Tags

, ,

I regularly encounter arguments where people justify relaxed security in a design with the argument of – well the connection between systems will be protected by a VPN (Virtual Private Network) – so everything is fine.

Trying to dissuade a someone like a project manager or business end user that just trusting to just a VPN is challenging, after all private networks are safe aren’t they. So I have tried to identify a few resources – that can simply and clearly explain why this approach alone is not good. Just pointing to the principle of ‘security in depth’ is difficult to sell. So hopefully the following will help:

Some Good Security Resources

29 Friday May 2015

Posted by in General

Leave a comment

Tags

, , ,

As a result of working my through several books (published and unpublished at present) I’ve come across a number of really useful security resources. So I thought i’d bring them together (as much for my own reference) as anything else. The following list provides a brief description of the resource and its link.

  1. SANS Institute (http://www.sans.org/reading-room/) site providing a alot of documentation security and research findings, in addition to more commercial arrangements such as training
  2. OWASP (https://www.owasp.org) guides on threat types and characteristics and guidance on developing secure solutions includes a training tool called webgoat
  3. CXOWare (http://www.cxoware.com/) – home of FAIR risk analysis process and guidance
  4. Metasploit (http://www.offensive-security.com/metasploit-unleashed/Main_Page) a site that provides free security training to help understand how hack attacks work. includes free tools
  5. RadioLabs (http://www.radiolabs.com/stations/wifi_calc.html) provides the means to calculate how far a wifi signal will carry. Important if you don’t want people parking up outside your home/office and hacking your wifi
  6. PolicyTool (http://socialmedia.policytool.net/) provides the means to create fair and reasonable polices for the use of social media in a work environment
  7. TrustedSec’s Atillery (https://www.trustedsec.com/downloads/artillery/) open source tool for detecting security attacks
  8. OSSEC (http://www.ossec.net/) open source intrusion detection system.
  9. NIST (http://csrc.nist.gov/) standards institute with a lot of information on security.
  10. CERT (http://www.cert.org/cert/) SEI’s security activities
  11. Stride (http://msdn.microsoft.com/en-us/library/ee823878) Microsoft’s threat assessment model

Free Network Security eBook

23 Tuesday Dec 2014

Posted by in Books, Technology

Leave a comment

Tags

, , , , , ,

I came across the following promotion via LinkedIn. The book isn’t that new, but looking at Amazon reviews suggests that there maybe some value still:

Network Security For Dummies — eBook (usually $22.99) FREE until January 1st!

Get quick, easy, low-cost solutions to all your network security concerns.

CNN is reporting that a vicious new virus is wreaking havoc on the world’s computer networks. Somebody’s hacked one of your favorite Web sites and stolen thousands of credit card numbers. The FBI just released a new report on computer crime that’s got you shaking in your boots. The experts will tell you that keeping your network safe from the cyber-wolves howling after your assets is complicated, expensive, and best left to them. But the truth is, anybody with a working knowledge of networks and computers can do just about everything necessary to defend their network against most security threats.

Whether your network consists of one computer with a high-speed Internet connection or hundreds of workstations distributed across dozens of locations, you’ll find what you need to confidently:

  • Identify your network’s security weaknesses
  • Install an intrusion detection system
  • Use simple, economical techniques to secure your data
  • Defend against viruses
  • Keep hackers at bay
  • Plug security holes in individual applications
  • Build a secure network from scratch

– Download from: http://opensourceuniverse.tradepub.com/free/w_wile145/?p=w_wile145#sthash.i4fHNQgA.dpuf

Adopting Collaboration Tools in the Workplace

14 Sunday Sep 2014

Posted by in General, Technology

Leave a comment

Tags

, , ,

I was recently reading an article from MIT Sloan about the use of collaboration tools in the enterprise. The article made the point that collaboration tools are being introduced into the workplace, but not being effectively leveraged and people continuing to use email. I think there is a correlation here to some of the statistics for mobile and web applications.

So let me start with some facts, and some thoughts before I bring it back to the point about office collaboration.

We know from research from organisations such as PEW (general view of use, older generation view) that there is a correlation between age and use of mobile devices, and mobile apps. This I believe reflects on technology in general. As collaboration technology goes, it is a fairly young set of ideas. Although many will associate collaboration with social – there is a difference when social is more simply just sharing information. Collaboration is not just sharing but collectively working on assets such as documents.

Add to this a view of the demographics of any enterprise leadership (although IT is something of an exception) and you will see that leadership is an older generation (illustrated by this FT article). So, understandably less likely to lead an organisation into technology adoption.

Add to this the constant noise and increased pressure on information security, remembering that the most harmful security compromises originate internally. So with this sort of consideration you’re likely to see downward pressure to keep things tightly controlled. Such tight reigns seriously impact collaboration from my experience.

The last key thread, is the fastest way to encourage adoption of something is for the executive and senior leadership visibly adopt something. Organisational role comes with an inferred command (a well established piece of psychology) best illustrated by a story where a chief exec wanted to motivate staff, so spent time wondering around talking with his staff, and in doing so made observations and suggestions to people thinking he was helping. But as his role inferred a level of command, he sound discovered that those suggestions and ideas had been read as instructions and his staff where rapidly implementing such suggestions.

So here you have a recipe, where executives potentially don’t get the power of collaborative technology, potentially nervous of the security implications and least of all not using position to leverage it. You can see why the technologies aren’t being effectively exploited.

What is worse, is that you will see hotspots of collaboration which will be established by those who get the ideas and will inspire their colleagues. This is the true risk of collaboration as it is unlikely to controlled or properly secured with no contingency or remedial actions in the event of a security breach as those situations aren’t being dealt with by

Evaluating SSL certificates for SaaS

29 Tuesday Jul 2014

Posted by in General, Technology

Leave a comment

Tags

, , , , ,

So when looking at SaaS solutions one of the things we consider is the strength of the SSL certificate, and when using a small provider who the Certificate Authority as commercial authorities will provide insurance for a breach which can go to paying some of the cleanup costs (assuming the breach isn’t from negligence).

So how to evaluate SSL certificates in terms of robustness (i.e. cryptographic strength) after all some people will talk. About 128 bit certificates and others such as Google mention 2048 which on the surface don’t seem comparable.

So the bit length is to do with the cryptographic algorithm used of which there are several such as AES, 3DES and so on. No I’m no expert on this so I won’t presume to explain the pros and cons of the different algorithms, there are other resources on the web for that (such as this document).

The point I have been working towards is that NIST (National Institute of Standards and Technology)(aside from being a good resource on security) have tables  that recommends the size of the key used to help build the certificate (the document is here and tables 1 & 2 contain the key details, more here). The tables shown below takes into account the algorithm (therefore a comparator on key size) but also a recommended growth in key size.

 

NISTTable2 NISTTable

 

An alternative representation of the same information can be found here and the 1st table here.

So why grow a key size well one of the factors in driving key size is that as computing power increases the time and effort to brute force crack of a key shrinks. So every time the key size increases so does the effort to brute force the cracking of the key.

This leads to secondary consideration – that of the certificate life i.e. how long the certificate is valid for. This is in effect to potentially greatest period of exposure based on the fact that someone may brute force your certificate and then simply listen to the traffic so you never know of the compromise. Obviously you can revoke the certificate at any time.

Finally remember the need and level of security should be informed by assessing the data being transferred (in motion). Data security should also be considered for data at rest I.e being stored (data loss from a data store is likely to be far more damaging).

Pure REST is not always a good thing

05 Saturday Jul 2014

Posted by in General, Technology

2 Comments

Tags

, , , , ,

So following REST web service best practice is not always a good thing, but of a controversial statement. That said I came across a situation that beautifully illustrated it.

I was recently asked for my opinion on a web solution that had to interact with customer data. The developers concerned implemented the functionality using REST web services and followed the principles to the letter. Except one of the services needed to locate a unique customer object. To do this the service enough customer details are provided in the URL to obtain a unique record.

So regardless of the security Implemented using strong SSL and payload encryption in the solution implementation we have just exposed every element in the network that can log URIs to DPA levels of security (not to mention information commissioner requests). That is before you consider man in the middle and packet URL attacks.

What to do, such sensitive web services need to be delivered without personal data in the URL, we could go via WSDL (but our use case points to REST being a better approach) or we follow the object creation pattern for REST (and pay the price of not caching the results on the web tier although if we are concerned about security then this isn’t such a bad thing and we can still get performance on the DB tier. Using the payload is probably the right thing to do.

Oracle Fusion Applications Development and Extensibility Handbook Chapters 3 & 4

23 Sunday Mar 2014

Posted by in Book Reviews, Books, General, Oracle, Oracle Press, Technology

6 Comments

Tags

, , , , , , , ,

Continuing with the review of Oracle Fusion Applications Development and Extensibility Handbook (Oracle Press) I’m going to look at chapters 3 & 4. Chapter 3 looks at the different types of Flex Fields from the well known Dynamic Flexfields (DFF) and the more advanced EFFs and KFFs (different ways to provide more advanced flex values such as linking other tables of data).

The book describes briefly the steps to utilise many of the capabilities with some screenshots but don’t mistake this for a detailed key this value followed by click that button combined with screenshots of every step for all aspects (if you did that we’d probably trying to read 5000 pages not 500). So if you want to see and feel all the different aspects explained you will need to have an instance of Fusion apps to try the techniques out with. For me, this is no bad thing, I want to understand what the capabilities are and a sense of the effort and complexity involved – if I want to have blow by blow guide I’d turn to OTN and the tutorial video clips being made available everyday by Oracle on YouTube.

The book also recognises not all strategies are available with all Fusion apps and what can therefore be done. Either by implementing the capability yourself, or asking Oracle to prioritise feature development in the Fusion apps domain.

Unusually rather than continuing with customisation capabilities in Chapter 4 we look at Security. This is no bad thing as if you want to achieve security in depth you need to understand how it can be incorporated at every level as you go rather than as an after thought at the end. But as you go through this chapter you’ll see just how central the security framework is to working with Fusion Apps.

The security perspective comes primarily from an authentication and authorisation (A&A) perspective so bringing in OAM and OID along with related tooling (including APM which is a central tool for Fusion Apps Security). The A&A framework provides an advanced hierarchy of roles and permissions as the capability to integrate extensions with it. The book again provides a solid foundation on which you can build specific implementation understanding.  Security comes in two forms – functional (i.e. restricting access to Fusion app capabilities) and data (which records a user can or cant see). The fascinating aspect for me is the data view because the different organisational possibilities that can influence the data you can or can’t see – for example by value, by internal organisational structures such as departments, by suppliers/partners/customers and so on (Oracle use the terminology of sets).

Security considerations go beyond just managing major roles, but how to autoprovision users (i.e. I create an OID entry for a new employee – how to provide them with a standard set of credentials). How to interact with Fusion Apps at the web service level from inside or outside the secured FusionApps environment.

As with Chapter 3, there are illustrations on how to establish some security settings and leverage security for your own development, but not in an exhaustive click by click manner.

Both chapters, particularly Chapter 4 introduce the ideas and approaches in a succinct manner explaining both the more well known concepts but also the more advanced capabilities along with identifying some common challenges and how they can be overcome (through the provision of tooling or technique for diagnosis).

So far this has been the best introduction to Fusion Applications I have come across.

Enterprise Security – A Data Centric Approach to Securing the Enterprise – A Slight Return

13 Thursday Mar 2014

Posted by in Books, General, mindmap, Technology

Leave a comment

Tags

, , , ,

A while back I reviewed the excellent book Enterprise Security: A Data-Centric Approach to Securing the Enterprise.  I had mentioned that I would in due course make a mindmap available based on my reading of the book as I use mindmaps as a memory jog when I need to go back to referencable material.

Well I have made by first cut of the mind map – which can be found with my shared mindmaps here. I shall be updating it and adding details, so it is worth checking back.

As WordPress prevents embedding iframes – I can only offer an image here – but the mindmap toolsite provides a fully interactive view to the mindmap.

Enterprise Security – A Data Centric Approach – A brief review

05 Wednesday Feb 2014

Posted by in Book Reviews, Books, General, Packt, Technology

Leave a comment

Tags

, , , , , , ,

So I have previously blogged a series of largely chapter by chapter reviews of Aaron Woody’s book Enterprise Security – A Data Centric Approach. This post tries to provide a brief summarised view pulling my thoughts of the book overall together.

As an Enterprise Architect I took an interest in this book as an opportunity to validate my understanding of security and ensure in the design and guidance work that I do I am providing good insights and directions so that the application architects and developers are both ensuring good security practices and also asking the helpful information available to other teams such as IT Security, operational support and so on.

The book has been overall very well written and extremely accessible to even those not versed in the dark arts of IT Security. Anyone in my position, or fulfilling a role as an application designer or product development manager would really benefit from this book. Even those on the business end of IT would probably benefit in terms of garnering an insight into what IT Security should be seeking to achieve and why they often appear to make lives more difficult (I.e. putting restrictions in, perhaps blocking your favourite websites).

So why so helpful, well Aaron has explained the issues and challenges that need to be confronted in terms of Security from the perspective of the organisations key assets – mainly its data (certainly the asset that is likely to cause most visible problems if compromised). Not only that the book presents a framework to help qualify and quantify the risks as a result device a justifiable approach to securing the data and most importantly make defensible cases for budget spend.

I have to admit that the 1st chapter that that introduces the initial step in the strategy was a bit of a struggle as it seemed to adopt and try to define a view of the world that felt a little too simplistic. The truth is that this the 1st step in a journey, and in hindsight important – so stick with it.

Once the basic framework is in place we start looking at tooling strategies and technologies to start facilitating security. The book addresses categories of product rather than specific solutions so the book isn’t going to date too quickly. The solution examination includes the pros and cons of their use (e.g wifi lock down) which is very helpful.

Finally to really help the book comes with a rich set of appendices providing a raft of references to additional material that will help people translate principles into practice.

To conclude, a little effort maybe needed to get you started but ultimately a well written, informative, information rich book on security.

Previous blog entries:

There is also a supporting website for the book athttp://www.datacentricsec.com/
Enterprise Security - A Data Centric Approach