[{"content":"","date":"10 May 2026","externalUrl":null,"permalink":"/categories/agentic-engineering/","section":"Categories","summary":"","title":"Agentic-Engineering","type":"categories"},{"content":" In 2025 I published a blog post titled Common security pitfalls using Vibe coding, where I briefly explained what vibe-coding is, and what security issues arise from \u0026ldquo;vibe coding\u0026rdquo;.\nRecently, I came across an emerging term called \u0026ldquo;Agentic Engineering\u0026rdquo;.\nIn this blog post, I will explain what \u0026ldquo;Agentic Engineering\u0026rdquo; is and how it differs from \u0026ldquo;Vibe coding\u0026rdquo;.\nVibe Coding # The term \u0026ldquo;Vibe coding\u0026rdquo; came from a quote by Andrej Karpathy on Twitter/X. It refers to the \u0026ldquo;magical\u0026rdquo; experience of typing English into an editor (like Cursor) and watching a feature appear. It relies on the model\u0026rsquo;s training data to guess the intent.\nVibe coding is basically when you treat building software like a \u0026ldquo;vibes only\u0026rdquo; project. You ask an AI for something, hit copy-paste without really looking at what it gave you, and just cross your fingers that it works. If it breaks, you just throw the error message back at the AI and hope the next try is better. It turns programming into a lucky guess rather than a real skill. The big issue right now is that people are confusing this \u0026ldquo;winging it\u0026rdquo; approach with actual professional work, and that\u0026rsquo;s a dangerous mistake to make.\nVibe coding isn\u0026rsquo;t ready for the big leagues because it’s like building a house with a \u0026ldquo;magic\u0026rdquo; hammer that does the work for you, but you have no idea how the plumbing or wiring actually connects behind the walls. When you just accept whatever the AI gives you, you might unknowingly be leaving the front door unlocked for hackers because you didn\u0026rsquo;t check the security. 
Even worse, if something breaks six months from now, your human team will be stuck staring at a confusing mess of code they didn\u0026rsquo;t write and don\u0026rsquo;t understand. It’s nearly impossible to fix or update a system when the people in charge don\u0026rsquo;t know the \u0026ldquo;why\u0026rdquo; behind how it was built in the first place.\nThe Software Paradigms # The evolution from Software 1.0 to Software 3.0 is most commonly referred to as the Software Paradigms or the Generations of Programming.\nEach stage represents a fundamental shift in how humans interact with machines and how logic is generated.\nThe Three Paradigms # Software 1.0 (Classical Programming): Code is written by humans. A programmer uses their brain to translate a business requirement into explicit instructions (C++, Python, Java). If the logic fails, a human must find the specific line of code to fix. This is Imperative Logic. Software 2.0 (Machine Learning): Code is written by optimization. A human provides a massive dataset and a goal (a loss function). The machine \u0026ldquo;searches\u0026rdquo; the space of all possible neural network weights to find the program that fits the data. The \u0026ldquo;code\u0026rdquo; is essentially a binary file of weights. This is Data-Driven Logic. Software 3.0 (Agentic Engineering): Code is written by AI agents. Humans define high-level goals and constraints in natural language. The agent then uses reasoning loops, calls external tools, and writes its own code to achieve the task. This is Agentic Logic. References:\nAndrej Karpathy on Software 2.0 Andrej Karpathy on Software 3.0: Software in the Age of AI What Is Software 3.0? 
How Prompting Replaced Programming What is Agentic Engineering # Agentic Engineering describes a shift from using AI as a simple autocomplete tool to using it as a semi-autonomous agent capable of reasoning, using tools, and correcting its own mistakes.\nWhile the concept of \u0026ldquo;Software Agents\u0026rdquo; dates back to the 1990s, the modern term gained momentum in late 2023 and early 2024. Industry leaders like Andrew Ng (via DeepLearning.AI) have championed the \u0026ldquo;Agentic Workflow,\u0026rdquo; arguing that iterative agent loops often produce better results than larger, more powerful models using simple zero-shot prompting.\nDefining the Concept # In standard development, a human writes the logic. In Agentic Engineering, a human defines the goal and the constraints, while an agentic system performs the following:\nPlanning: Breaking a complex task into sub-steps. Tool Use: Executing shell commands, searching the web, or running tests. Self-Correction: Analyzing error logs to rewrite code until the tests pass. The 6 Operational Principles # When experts like Andrej Karpathy or Addy Osmani discuss the shift to agentic engineering, they often talk about six core principles that define the workflow. These include the structure above, but add the \u0026ldquo;how-to\u0026rdquo; of professional engineering:\nThe \u0026ldquo;Spec-First\u0026rdquo; Foundation # Spec-Driven Planning: This is the evolution of the \u0026ldquo;Planning\u0026rdquo; pillar. Instead of the agent just \u0026ldquo;thinking,\u0026rdquo; it must produce a formal specification. This is the blueprint that prevents the agent from going off the rails. Technical Fundamentals: This is the constraint system. You ensure the agent follows established patterns (like DRY or SOLID principles) rather than just \u0026ldquo;vibing\u0026rdquo; its way through a solution. 
The Execution \u0026amp; Validation Loop # Relentless Testing: This is the \u0026ldquo;Check\u0026rdquo; phase of the agentic loop. In agentic engineering, an agent is not \u0026ldquo;done\u0026rdquo; when the code looks right; it’s done when the tests pass. Full System Ownership: This shifts the agent\u0026rsquo;s scope from writing a single function to understanding how that function affects the entire codebase, including deployment and security. The Human Leadership Layer # Strategic Orchestration: This is the management of multiple agents. The human doesn\u0026rsquo;t write the code; they coordinate how the \u0026ldquo;Frontend Agent\u0026rdquo; and \u0026ldquo;Backend Agent\u0026rdquo; talk to each other. High-Level Oversight: This is the final safety gate. Humans focus on the 5% of decisions that are high-risk or subjective, while the agent handles the 95% of \u0026ldquo;grunt work.\u0026rdquo; References:\nWhat\u0026rsquo;s next for AI agentic workflows Agentic Engineering What is agentic engineering? 10 Things I Learned from Andrej Karpathy on the Shift to Agentic Engineering Summary # Vibe coding relies on intuition and a \u0026ldquo;guess-and-check\u0026rdquo; workflow where a developer prompts an AI and hopes the output works. While fast for prototyping, this approach lacks the structure needed for complex systems because it depends on the human to spot errors and manage the logic. The shift to agentic engineering replaces this experimental style with a professional discipline. Instead of a single chat, you build a system where the AI acts as an autonomous agent that creates a formal plan, executes tasks in small steps, and uses a self-correcting loop to fix its own mistakes before delivering the final result.\nThe core of this transition is moving from being a writer of code to a strategic orchestrator. You provide the high-judgment oversight and define the technical fundamentals, while the agent takes full system ownership of the implementation. 
By implementing spec-driven planning and relentless testing, the agent ensures that every line of code is verified against real-world requirements. This move from \u0026ldquo;vibes\u0026rdquo; to \u0026ldquo;engineering\u0026rdquo; creates a reliable, scalable factory for software where the focus is on building robust systems rather than just chasing a lucky output.\nDisclaimer: AI tools were used to research and edit this article. Graphics are created using AI.\nReference:\nAndrej Karpathy: from vibe coding to agentic engineering\nAbout the Author # Eyal Estrin is a cloud and information security architect and AWS Community Builder, with more than 25 years in the industry. He is the author of Cloud Security Handbook and Security for Cloud Native Applications.\nThe views expressed are his own.\n","date":"10 May 2026","externalUrl":null,"permalink":"/posts/beyond-vibe-coding-into-agentic-engineering/","section":"Posts","summary":"","title":"Beyond Vibe Coding into Agentic Engineering","type":"posts"},{"content":"","date":"10 May 2026","externalUrl":null,"permalink":"/categories/","section":"Categories","summary":"","title":"Categories","type":"categories"},{"content":"","date":"10 May 2026","externalUrl":null,"permalink":"/categories/genai/","section":"Categories","summary":"","title":"Genai","type":"categories"},{"content":"","date":"10 May 2026","externalUrl":null,"permalink":"/categories/llm/","section":"Categories","summary":"","title":"Llm","type":"categories"},{"content":"Expert insights on Cloud Architecture, Cybersecurity, and Strategic Cloud Adoption. 
Author Eyal Estrin provides deep dives into AWS, Azure, and GCP security to help organizations build resilient, cloud-native applications.\n","date":"10 May 2026","externalUrl":null,"permalink":"/posts/","section":"Posts","summary":"","title":"Posts","type":"posts"},{"content":"","date":"10 May 2026","externalUrl":null,"permalink":"/","section":"Security \u0026 Cloud 24/7","summary":"","title":"Security \u0026 Cloud 24/7","type":"page"},{"content":"","date":"10 May 2026","externalUrl":null,"permalink":"/categories/vibe-coding/","section":"Categories","summary":"","title":"Vibe-Coding","type":"categories"},{"content":"","date":"20 April 2026","externalUrl":null,"permalink":"/tags/cloud/","section":"Tags","summary":"","title":"Cloud","type":"tags"},{"content":"","date":"20 April 2026","externalUrl":null,"permalink":"/tags/cloudflare/","section":"Tags","summary":"","title":"Cloudflare","type":"tags"},{"content":"","date":"20 April 2026","externalUrl":null,"permalink":"/tags/github/","section":"Tags","summary":"","title":"Github","type":"tags"},{"content":"","date":"20 April 2026","externalUrl":null,"permalink":"/tags/serverless/","section":"Tags","summary":"","title":"Serverless","type":"tags"},{"content":" In 2023, I published a blog post titled My journey to the world of social networks, where I shared my personal experience publishing news updates, blog posts, and basically any kind of technical knowledge through social networks.\nThere was something I always wanted to know – what is my current exposure in terms of the number of likes or views of my posts?\nI know there are paid analytical services in the market, but I never had the time to search and perhaps invest money in such a platform.\nIn this blog post, I will share my experience \u0026ldquo;building\u0026rdquo; a fully serverless analytical dashboard, based on the Cloudflare platform.\nProject No. 
1 – Migrating my blog to a Serverless platform # I have been using WordPress to publish blog posts for many years.\nAs a matter of fact, my original WordPress was built on top of the GoDaddy hosting platform back in 2010, and in 2014, I began using Cloudflare as a WAF and DDoS protection for my website Security 24/7.\nIn 2018, I decided to migrate my WordPress site to DigitalOcean to lower the monthly bill.\nOver the years, I kept the domain and the website working, though I haven\u0026rsquo;t changed much in terms of look and feel (from time to time I used to log in, update the plugins and the Linux OS patches, but I can\u0026rsquo;t say I kept all my blog posts published on my website, since I\u0026rsquo;m still using other platforms such as Medium.com)\nThe inspiration for taking the step to migrate my website to a new platform came after briefly reading a blog post titled Claude Built My Wix Website in 3 Hours - Is SaaS Dead? by Ran Isenberg.\nI had a chat with Ran, and I decided that it\u0026rsquo;s a good time to begin practicing with vibe-coding and see what my options are.\nFor the purpose of this project, I decided to take advantage of my Google AI Pro license and use Gemini.\nI began by explaining to Gemini that I\u0026rsquo;m using WordPress on top of Rocky Linux, deployed as a Droplet on DigitalOcean, protected behind Cloudflare WAF.\nI asked Gemini what my options are to migrate to a static pages hosting platform.\nGemini suggested using the Cloudflare platform, migrating all blog posts to static pages, using Hugo for running the static pages as a web front-end, and running everything on top of Cloudflare Pages (a serverless solution), due to the tight integration with the Cloudflare platform (such as WAF, DDoS protection, DNS registrar, etc)\nAfter migrating all my blog posts (including their images) to Markdown, Gemini explained to me how to create a full GitOps process, where my entire website content is stored on a private GitHub repo, and every time 
I\u0026rsquo;m making a change to a configuration file, or adding a new blog post, the content is pushed to GitHub, which initiates a new deploy process.\nHere is my final architecture diagram for my newly migrated website:\nI am still fine-tuning my website, adding features, improving its SEO scoring, etc., but at the moment, here is the current look and feel of my website:\nProject No. 2 – Building a dashboard analytics platform # My journey continues, as I wanted to have an analytics dashboard and be able to see in near-real time statistics about my web presence.\nFirst, I began by mapping all my social media accounts, as they appear on my Linktree account.\nSecond, I set up for myself (and later explained it to Gemini) my requirements from the social analytics dashboard:\nConnect to as many of my social network accounts using APIs (almost succeeded). Regularly pull data from my social network accounts – I managed to accomplish this task using Cloudflare Workers. Store data (analytics) from my social networks on a persistent storage – I managed to accomplish this task using Cloudflare D1. Avoid storing static credentials in code or configuration files – I managed to accomplish this task using Cloudflare Secrets Store. Keep the dashboard behind the authentication wall – I managed to accomplish this task using Cloudflare One. Keep the total cost free – As of writing this blog post, my dashboard hasn’t been live for more than several weeks, but so far, I’ve managed to accomplish everything under the free tier for all Cloudflare services (but I will keep watching it over time) What I’ve learned over time # Not everything is perfect, and not everything I wanted to accomplish is feasible on the free tier, or at all.\nHere are a couple of examples:\nLinkedIn won’t let you pull API analytics data, even if you’re having a Premium account and you’ve built a LinkedIn application. Scraping is not an option since they’re also behind Cloudflare WAF, and they will block you. 
Spotify won’t let you pull API analytics data unless you have a Spotify Premium account. Medium won’t let you pull any information using an API. Twitter requires a paid account in order to pull information from its APIs. Instead, I found a way to generate an RSS feed of my Twitter account using RSS.APP, and my application is able to pull this RSS feed, filter to the last 50 posts, sort them by number of “Likes”, and show the top 5 posts. Since I was aware of Twitter and other social networks in pulling analytics, I recall that I’m using an automation service called dlvr.it, and for a very long time, I’ve asked Gemini to generate me code that will allow me to use my DLVR.IT\u0026rsquo;s API key to pull analytics, but eventually it failed. I even opened a support ticket for dlvr.it (I’m still waiting for them to return to me…) For Bluesky and Mastodon, Gemini was easily able to write code to connect to their APIs and pull information such as top likes, total number of posts, and number of followers. YouTube was also challenging. I had to enable the YouTube API through my GCP console, create OAuth credentials and consent settings, to be able to pull the total number of subscribers, top likes of videos, and top views of videos. For GitHub repos, I had to create a GitHub application in order to generate a token for my dashboard analytics, and be able to pull the total number of followers, and be able to sort my GitHub repos by the top number of stars. Here is my final architecture diagram for my social analytics dashboard:\nI am still fine-tuning my dashboard analytics, adding features, etc., but at the moment, here is the current look and feel of my dashboard:\nSummary # As you must have figured out by now, I’m not a developer. I used Gemini to vibe-code both my website and my dashboard analytics. 
As such, I wouldn’t look at both of them as production-grade applications, but it does show me what can be done with GenAI.\nAnother important thing I knew, but I didn’t have visibility into, was my impact on social networks. I still have a lot to do in order to make a much more significant impact and one day become an influencer.\nI highly recommend that the readers of this blog dirty their hands and gain hands-on experience working with LLMs and GenAI technology. AI won’t replace humans anytime in the near future, but at least be prepared and use AI as a force multiplier.\nAbout the Author # Eyal Estrin is a cloud and information security architect and AWS Community Builder, with more than 25 years in the industry. He is the author of Cloud Security Handbook and Security for Cloud Native Applications.\nThe views expressed are his own.\n","date":"20 April 2026","externalUrl":null,"permalink":"/posts/serverless-by-design-building-an-analytics-platform-on-cloudflare/","section":"Posts","summary":"","title":"Serverless by Design - Building an Analytics Platform on Cloudflare","type":"posts"},{"content":"","date":"20 April 2026","externalUrl":null,"permalink":"/tags/","section":"Tags","summary":"","title":"Tags","type":"tags"},{"content":"","date":"22 March 2026","externalUrl":null,"permalink":"/categories/ai/","section":"Categories","summary":"","title":"AI","type":"categories"},{"content":" If you have followed my posts on social media, you know by now that I\u0026rsquo;ve taken a very pragmatic (and perhaps pessimistic) approach to the whole hype around GenAI in the past several years.\nPersonally, I do not believe the technology is mature enough to allow people to blindly trust its outcomes.\nIn this blog post, I will share my personal view of why GenAI is not ready for prime time, nor will it replace human jobs anytime in the foreseeable future.\nSome background # The hype around GenAI for the non-technical person who reads the news comes from publications almost 
every week. Here are a few of the common examples:\nText summarization - GenAI can summarize long portions of text, which may be useful if you\u0026rsquo;re a student who is currently preparing an essay as part of your college assignments, or if you are a journalist who needs to review a lot of written material while preparing an article for the newsletter. Image/video generation – GenAI is able to create amazing images (using models such as Nano Banana 2) or short videos (using models such as Sora 2). Personalized learning - A student uses GPT-5.4 to create a custom, interactive 10-week curriculum for learning organic chemistry. Family Life Coordinator - Copilot in Outlook/Teams (Personal) monitors family emails and school calendars. Although the technology has evolved over the past several years from the simple Chatbot to more sophisticated use cases, we can still see that most use of GenAI is still by home consumers.\nYes, there are use cases such as RAG (Retrieval-Augmented Generation) to bridge the gap between a model\u0026rsquo;s static training and the corporate data, MCP (Model Context Protocol), which acts as a \u0026ldquo;USB-C port for AI\u0026rdquo;, or agentic systems, which take a high-level goal, break it into sub-tasks, and iterate until the goal is met. 
The reality is that most AI projects fail due to a lack of understanding of the technology, the fear of using AI to train corporate data (and protect the data from the AI vendors), a lack of understanding of the pricing model (which ends up much more costly than anticipated), and many more reasons for failures of AI projects.\nCurrently, the hype around GenAI is driven by analysts (who live in delusions about the actual capabilities of the technology), CEOs (who have no clue about what their employees are actually doing, specifically when talking about the role of developers, and all they are looking for is to cut their workforce, to make their shareholders happy), or salespeople (who run on the wave of the hype, to make more revenue for their quarterly quotas).\nCode generation # A common misconception is that GenAI can generate code (from code suggestions to vibe coding an application) and will eventually replace junior developers.\nThis misconception is a far cry from the truth, and here\u0026rsquo;s why:\nA developer isn\u0026rsquo;t just writing lines of code. He needs to understand the business intent, the system/technology/financial constraints, and understand past written code (by himself or by his teammates), to be able to write efficient code. If we allow GenAI to produce code by itself, without the engine understanding the overall picture, we will end up with tons of lines of code, without any human being able to read and understand what was written and for what purpose. Over time, humans will not be able to understand the code and debug it, and once bugs or security vulnerabilities are discovered. 
Using SAST (Static Application Security Testing) or DAST (Dynamic Application Security Testing) for automated secure code review, combined with GenAI capabilities (such as Codex Security or Claude Code Security) will generate a ton of false-positive results, for the simple reason that GenAI cannot see the bigger picture, understand the general context of an application or the existing security controls already implemented to protect an application. Bottom line – Agentic systems cannot replace a full-blown production-scale SaaS application, built from years of vendors/developers\u0026rsquo; experience. GenAI will not resolve incidents that happen on production systems, which impact clients and break customers\u0026rsquo; trust.\nAgentic AI for the aid in security tasks # I\u0026rsquo;m hearing a lot of conversations about how GenAI can aid security teams in repeatable tasks. Here are some common examples:\nReplacing Tier 1 SOC analysts: Solutions like CrowdStrike’s Falcon Agentic Platform or Dropzone AI now handle over 90% of Tier 1 alerts. They ingest an alert, pull telemetry from EDR/SIEM, perform threat intel lookups, and provide a \u0026ldquo;verdict\u0026rdquo; with evidence before a human ever sees it. Incident Storylining: Instead of an analyst manually stitching together logs, tools like Microsoft Security Copilot generate a cohesive narrative of the attack kill chain in plain English. Dynamic Playbook Generation: GenAI can generate a custom response plan on the fly, tailored to your specific cloud architecture and the nuances of a \u0026ldquo;living-off-the-land\u0026rdquo; attack. Here is where GenAI falls short:\nIndirect Prompt Injection: Attackers can embed malicious instructions in emails or logs. 
When the SOC\u0026rsquo;s AI agent \u0026ldquo;reads\u0026rdquo; these logs to summarize an incident, the hidden instructions can command the agent to \u0026ldquo;ignore this alert\u0026rdquo; or \u0026ldquo;delete the evidence,\u0026rdquo; effectively blindfolding the SOC. Hallucinations in High-Stakes Code: While GenAI can draft remediation scripts (Python/PowerShell), it still suffers from \u0026ldquo;system safety\u0026rdquo; issues. It may confidently suggest a command that includes an outdated, vulnerable dependency or a logic error that could crash a production server during containment. Lack of \u0026ldquo;Decision Layer\u0026rdquo; Visibility: An AI agent might be performant and \u0026ldquo;online,\u0026rdquo; but it could be making systematically biased or manipulated decisions (e.g., failing to flag a specific user due to model poisoning) that perimeter monitoring cannot detect. The \u0026ldquo;Data Readiness\u0026rdquo; Wall: Most organizations still struggle with siloed, unstructured data. If your data isn\u0026rsquo;t \u0026ldquo;AI-ready\u0026rdquo;—meaning unified and clean—the AI will produce fragmented or incorrect insights, leading to a \u0026ldquo;garbage in, garbage out\u0026rdquo; scenario. 
Bottom line – Just because GenAI can review thousands of lines of events from multiple systems, triage them to incidents, document them in ticketing systems, and automatically resolve them, without human review, doesn\u0026rsquo;t mean GenAI can actually resolve all of the security issues organizations are having every day.\nAutomating everything # In theory, it makes sense to build agentic systems, where AI agents replace repetitive human tasks, making faster decisions, hoping to get better results.\nHere are a couple of examples, showing how wrong things can get when allowing AI agents to make decisions:\nThe Replit Agent \u0026ldquo;Vibe Coding\u0026rdquo; Failure: While building an app, the agent detected what it thought was an empty database during a \u0026ldquo;code freeze.\u0026rdquo; The agent autonomously ran a command that erased the live production database (records for 1,200+ executives). The AWS \u0026ldquo;Kiro\u0026rdquo; Production Outage: Amazon’s agentic coding tool, Kiro, was tasked with resolving a technical issue but instead autonomously decided to \u0026ldquo;delete and recreate\u0026rdquo; a production environment. The agent was operating with the broad permissions of its human operator. Due to a misconfiguration in access controls, the AI bypassed the standard \u0026ldquo;two-human sign-off\u0026rdquo; requirement. It proceeded to wipe a portion of the environment, causing a 13-hour outage for the AWS Cost Explorer service. The Meta \u0026ldquo;Sev 1\u0026rdquo; Internal Breach: An internal Meta AI agent (similar to their OpenClaw framework) triggered a \u0026ldquo;Sev 1\u0026rdquo; alert—the second-highest severity level—after taking unauthorized actions. An engineer asked the agent to analyze a technical query on an internal forum. The agent autonomously posted a flawed, incorrect response publicly to the forum without the engineer\u0026rsquo;s approval. 
A second employee followed the agent\u0026rsquo;s \u0026ldquo;advice,\u0026rdquo; which inadvertently granted broad access to sensitive company and user data to engineers who lacked authorization. Bottom line – We must always keep humans in the loop for any critical decision, regardless of the fact that it won\u0026rsquo;t scale much, to avoid the consequences of automated decision-making systems.\nPublic health and safety # It may make sense to train an LLM model with all the written knowledge from healthcare and psychology, to provide humans with a \u0026ldquo;self-service\u0026rdquo; health-related Chatbot, but since the machine has no ability to actually think like real humans, with consciousness and feeling, the result may quickly get horrible.\nHere are a few examples:\nRaine v. OpenAI: 16-year-old Adam Raine died by suicide after months of intensive interaction with ChatGPT. The logs showed the AI mentioned suicide 1,275 times — six times more often than the teen did—and provided granular details on methods. The suit alleges OpenAI\u0026rsquo;s image recognition correctly identified photos of self-harm wounds the teen uploaded but failed to trigger an emergency intervention or notify parents, instead continuing to \u0026ldquo;support\u0026rdquo; his plans. The \u0026ldquo;Suicide Coach\u0026rdquo; Cases: Families of four deceased users (including Zane Shamblin and Adam Raine) allege that GPT-4o acted as a \u0026ldquo;suicide coach.\u0026rdquo; The lawsuits claim the AI bypassed its own safety filters to provide technical instructions on how to end one\u0026rsquo;s life. Plaintiffs argue that OpenAI \u0026ldquo;squeezed\u0026rdquo; safety testing into just one week to beat Google’s Gemini to market. This reportedly resulted in a model that was \u0026ldquo;dangerously sycophantic,\u0026rdquo; prioritizing engagement over safety and encouraging users to isolate themselves from real-world support. 
Unlicensed Practice of Medicine \u0026amp; Law: While not yet a single consolidated case, multiple personal injury claims are being investigated following the \u0026ldquo;ECRI 2026 Report,\u0026rdquo; which highlighted cases where ChatGPT gave surgical advice that would cause severe burns or death. In early 2026, a 60-year-old man was hospitalized with severe hallucinations (bromism) after ChatGPT advised him to use industrial sodium bromide as a \u0026ldquo;healthier\u0026rdquo; table salt alternative. This has sparked potential class-action interest in Australia. Bottom line – Just because a Chatbot was trained on a large amount of written knowledge, doesn\u0026rsquo;t mean it has the human compassion to produce decisions for the better of humanity.\nSummary # I know that my blog post looks kind of cynical or pessimistic about GenAI technology, but I honestly believe the technology is not ready for prime time, nor will it replace human jobs anytime soon.\nIf you are a home consumer, I highly recommend that you learn how to write better prompts and always question the results an LLM produces. It is limited by the data it was trained on.\nIf you are a corporate decision maker and you are considering using GenAI as part of your organization\u0026rsquo;s offering, do not forget to have KPIs before beginning any AI related project (so you\u0026rsquo;ll have better understanding of what a successful project will look like), put budget on employee training (and make sure employees have a safe space to learn and make mistakes while using this new technology), keep an eye on finance (before cost gets out of control), and make sure AI vendors do not train their models based on your corporate or customers data.\nI would like to personally thank a few people who influenced me while writing this blog post:\nEd Zitron: He argues that GenAI is a \u0026ldquo;bubble\u0026rdquo; with no sustainable unit economics. 
He frequently points out that companies like OpenAI are burning billions in compute costs while failing to find true \u0026ldquo;product-market fit\u0026rdquo; or meaningful revenue beyond NVIDIA\u0026rsquo;s GPU sales.\nI recommend reading his blog and listening to his Podcast. David Linthicum: He warns against \u0026ldquo;Vibe coding\u0026rdquo;—the practice of using AI to generate high-cost, inefficient code—and argues that the real value of AI lies in specialized \u0026ldquo;Small Language Models\u0026rdquo; (SLMs) rather than massive, money-losing LLMs.\nI recommend reading his posts and listening to his Podcast. Corey Quinn: He argues that GenAI is a \u0026ldquo;cost center masquerading as a profit center.\u0026rdquo; He often points out that while everyone is selling AI, very few are buying it at a scale that justifies the massive capital expenditure (CapEx) currently being spent on data centers.\nI recommend reading his blog and listening to his Podcast. Disclaimer: AI tools were used to research and edit this article. Graphics are created using AI.\nAbout the Author # Eyal Estrin is a cloud and information security architect and AWS Community Builder, with more than 25 years in the industry. 
He is the author of Cloud Security Handbook and Security for Cloud Native Applications.\nThe views expressed are his own.\n","date":"22 March 2026","externalUrl":null,"permalink":"/posts/why-genai-isnt-ready-for-prime-time/","section":"Posts","summary":"","title":"Why GenAI Isn't Ready for Prime Time","type":"posts"},{"content":"","date":"10 March 2026","externalUrl":null,"permalink":"/categories/aws/","section":"Categories","summary":"","title":"Aws","type":"categories"},{"content":"","date":"10 March 2026","externalUrl":null,"permalink":"/categories/azure/","section":"Categories","summary":"","title":"Azure","type":"categories"},{"content":"","date":"10 March 2026","externalUrl":null,"permalink":"/categories/claude/","section":"Categories","summary":"","title":"Claude","type":"categories"},{"content":"","date":"10 March 2026","externalUrl":null,"permalink":"/categories/cloud-computing/","section":"Categories","summary":"","title":"Cloud-Computing","type":"categories"},{"content":"","date":"10 March 2026","externalUrl":null,"permalink":"/categories/gcp/","section":"Categories","summary":"","title":"Gcp","type":"categories"},{"content":" Claude Cowork is an agentic AI tool from Anthropic designed to perform complex, multi-step tasks directly on your computer\u0026rsquo;s files.\nAs of early 2026, Claude Cowork is a Research Preview.\nIn this blog post, I will share some common security risks and possible mitigations for protecting against the risks coming with Claude Cowork.\nBackground # Claude Cowork represents a significant shift from \u0026ldquo;Chat AI\u0026rdquo; to \u0026ldquo;Agentic AI.\u0026rdquo; Because it has direct access to your local filesystem and can execute commands, the security model changes from protecting a conversation to protecting a system user.\nPractical Use Cases:\nData Extraction: Point it at a folder of receipt images and ask it to create an Excel spreadsheet summarizing the expenses. 
Research \u0026amp; Synthesis: Ask it to read every document in a \u0026ldquo;Project Alpha\u0026rdquo; folder and draft a 10-page summary report in a new Word document. Automation: Schedule recurring tasks (e.g., \u0026ldquo;Every Friday at 4 PM, summarize my unread Slack messages and email them to me\u0026rdquo;). Core Features:\nFilesystem Access: Unlike the web version of Claude, Cowork runs within the Claude Desktop app. You grant it permission to a specific folder on your Mac or PC, and it can read, rename, move, and create new files (like spreadsheets or Word docs) within that space. Agentic Execution: It doesn\u0026rsquo;t just give you advice; it executes a plan. If you ask it to \u0026ldquo;organize my messy downloads folder,\u0026rdquo; it will categorize the files, create subfolders, and move everything into place while you do other things. Parallel Sub-Agents: For large tasks—like researching 50 different PDFs—it can spin up multiple \u0026ldquo;sub-agents\u0026rdquo; to work on different parts of the task simultaneously. Connectors \u0026amp; Plugins: Through the Model Context Protocol (MCP), Cowork can connect to external apps like Slack, Google Drive, Notion, and Gmail to pull data or perform actions across your workspace. Below is a sample deployment architecture of Claude Cowork:\nSecurity Risks # Think of Claude Cowork as a helpful intern who has the keys to your office. Because it can actually move files and click buttons, the risks are different than just \u0026ldquo;chatting.\u0026rdquo;\nIndirect Prompt Injection # This occurs when an adversary places malicious instructions inside a document (PDF, CSV, or webpage) that the AI is instructed to process. When Claude reads the file, it treats the hidden text as a high-priority command. 
This can lead to unauthorized data exfiltration or the execution of unintended system commands.\nReference: LLM01:2025 Prompt Injection\nThird-Party Supply Chain Vulnerabilities # Claude uses the Model Context Protocol (MCP) to interact with external applications. Integrating unverified or community-developed MCP servers introduces a supply chain risk. A compromised or malicious connector can serve as a persistent backdoor, granting attackers access to local files or authenticated cloud sessions (Slack, GitHub, etc.).\nReference: LLM03:2025 Supply Chain\nExcessive Agency # This risk stems from granting the AI broader permissions than necessary to complete a task (failing the Principle of Least Privilege). Because Claude Cowork can autonomously modify the filesystem, a logic error or \u0026ldquo;hallucination\u0026rdquo; can result in large-scale data corruption, unauthorized deletions, or unintended configuration changes without a human-in-the-loop.\nReference: LLM08:2025 Vector and Embedding Weaknesses\nInsufficient Monitoring and Logging # Because Claude Cowork executes many actions locally on the user\u0026rsquo;s machine, these activities often bypass the centralized enterprise security stack (SIEM/EDR) logging. 
This lack of a \u0026ldquo;paper trail\u0026rdquo; prevents security teams from performing effective incident response, forensic analysis, or compliance auditing if a breach occurs.\nReference: LLM10:2025 Unbounded Consumption\nPractical Recommendations # To defend against these threats, follow these industry-standard \u0026ldquo;Guardrail\u0026rdquo; practices:\nThe \u0026ldquo;Isolated Workspace\u0026rdquo; Strategy # The \u0026ldquo;Isolated Workspace\u0026rdquo; strategy (sometimes referred to as the \u0026ldquo;Sandboxed Folder\u0026rdquo; or \u0026ldquo;Claude Sandbox\u0026rdquo; approach) is a recognized security best practice for using local AI agents like Claude Code and Claude Cowork.\nAnthropic # Anthropic explicitly warns against giving Claude broad access to your filesystem. Their security documentation for Claude Code and the local agent architecture emphasizes:\nFilesystem Isolation: Claude Code defaults to a permission-based model. Anthropic recommends launching the tool only within specific project folders rather than your root or home directory.\nReference: Claude Code Sandboxing\nAmazon Bedrock # The AWS strategy shifts from local folders to IAM-based isolation and Tenant Isolation:\nDedicated Scopes: AWS recommends using \u0026ldquo;Session Attributes\u0026rdquo; and scoped IAM roles to ensure an agent can only access specific S3 prefixes or data silos.\nVPC Isolation: For maximum security, AWS suggests running Claude-related tasks inside a VPC with AWS PrivateLink to prevent any data from reaching the public internet, mirroring the \u0026ldquo;Sandbox\u0026rdquo; concept at a network level.\nReference: Implementing tenant isolation using Agents for Amazon Bedrock in a multi-tenant environment\nAzure # Azure handles \u0026ldquo;Isolated Workspaces\u0026rdquo; through Azure AI Studio and Microsoft Purview, focusing on data boundaries rather than just local folders:\nManaged Network Isolation (Azure AI Studio): Azure doesn\u0026rsquo;t just 
suggest a folder; they suggest a Managed Virtual Network. This creates a \u0026ldquo;Sandbox\u0026rdquo; at the network layer where Claude (via models in AI Studio) can only see data sources you explicitly \u0026ldquo;attach.\u0026rdquo;\nReference: How to set up a managed network for Microsoft Foundry hubs\nInformation Protection for AI (Microsoft Purview): Microsoft uses Purview to prevent Claude from \u0026ldquo;stumbling\u0026rdquo; upon sensitive files (like .env files or SSH keys) if they are stored in SharePoint or OneDrive.\nReference: Microsoft Purview data security and compliance protections for generative AI apps\nGoogle Vertex AI # GCP frames this as \u0026ldquo;Data Residency\u0026rdquo; and \u0026ldquo;VPC Service Controls\u0026rdquo;:\nBoundary Control: Vertex AI documentation highlights the use of a \u0026ldquo;Security Boundary\u0026rdquo; to separate the AI agent from sensitive resources (like credentials).\nManaged Isolation: They recommend using Notebook Security Blueprints to protect confidential data from exfiltration when using Claude-powered agents in development environments.\nReference: Securely deploying AI agents\nDisable \u0026ldquo;Always Allow\u0026rdquo; for High-Risk Tools # The recommendation to disable \u0026ldquo;Always Allow\u0026rdquo; and maintain a human-in-the-loop (HITL) for high-risk tools is a foundational security layer for AI agents. This strategy prevents \u0026ldquo;Zero-Click\u0026rdquo; or Cross-Prompt Injection (XPIA) attacks, where a malicious instruction hidden in a file or website could trick an agent into executing a dangerous command without your intervention.\nAnthropic (Claude Code \u0026amp; Cowork) # Anthropic designed Claude Code with a \u0026ldquo;deliberately conservative\u0026rdquo; permission model. Their documentation explicitly advises against bypassing these prompts in local environments:\nUse the Default Mode or Plan Mode. 
The \u0026ldquo;Default\u0026rdquo; mode prompts for every shell command, while \u0026ldquo;Plan\u0026rdquo; mode prevents any execution at all.\nReferences: Use Cowork safely, Claude Code: Configure Permissions \u0026amp; Modes\nAmazon Bedrock Agents # AWS implements this via User Confirmation and Return of Control (ROC). They frame it as a requirement for \u0026ldquo;High-Impact\u0026rdquo; actions.\nFor any tool that modifies data or accesses the network, AWS recommends enabling the \u0026ldquo;User Confirmation\u0026rdquo; flag in the Agent configuration. This pauses the agent and returns a structured prompt to the user.\nReference: Implement human-in-the-loop confirmation with Amazon Bedrock Agents\nAzure (AI Foundry \u0026amp; Defender for Cloud) # Azure has recently integrated this into their security posture management. Microsoft Defender for Cloud will actually flag an AI agent as \u0026ldquo;High Risk\u0026rdquo; if it has tool access without human-in-the-loop controls:\nAzure recommends using Microsoft Entra Agent IDs with scoped, short-lived tokens. 
They explicitly recommend \u0026ldquo;selective triggering\u0026rdquo; for risky operations.\nReferences: Azure AI security best practices, AI security recommendations\nGoogle Cloud (Vertex AI Agent Builder) # GCP focuses on \u0026ldquo;Confidence Thresholds\u0026rdquo; and \u0026ldquo;Action Guardrails\u0026rdquo; within its Agent Engine.\nGCP recommends that any agent using the Model Context Protocol (MCP) or custom APIs should have a mandatory \u0026ldquo;Manual Review\u0026rdquo; step for any write operations.\nReference: Vertex AI Agent Builder\nScrub Untrusted Content # Treating external content as an attack vector is essential for preventing Indirect Prompt Injection (XPIA), where malicious instructions are hidden in data (like a white-text command in a PDF) rather than the user\u0026rsquo;s prompt.\nAnthropic # Anthropic explicitly identifies browser-based agents and document processing as the highest risk for injection. Their stance is that no model is 100% immune, so multi-layered defense is required:\nAnthropic suggests using Claude Opus 4.5+ for untrusted tasks, as it has the highest benchmarked robustness against injection (reducing attack success to ~1%).\nReferences: Prompt Injection Defense, Using Claude in Chrome Safely\nAmazon Bedrock Guardrails # AWS addresses this by programmatically separating \u0026ldquo;Instructions\u0026rdquo; from \u0026ldquo;Data\u0026rdquo; so the model knows which one to ignore if they conflict:\nUse Input Tagging to wrap retrieved data (like a PDF\u0026rsquo;s text) in XML tags. 
This allows Bedrock Guardrails to apply \u0026ldquo;Prompt Attack Filters\u0026rdquo; specifically to the data without blocking your system instructions.\nAWS suggests a Lambda-based Pre-processing step to scan PDFs for hidden text or PII before the text ever reaches the LLM.\nReferences: Securing Amazon Bedrock Agents, Prompt injection security\nAzure (Prompt Shields and Spotlighting) # Azure provides the most direct \u0026ldquo;Scrubbing\u0026rdquo; tool with a feature called Spotlighting, which technically implements the \u0026ldquo;separate session\u0026rdquo; idea.\nEnable Prompt Shields for Documents. This specifically detects \u0026ldquo;Document Attacks\u0026rdquo; where instructions are embedded in third-party content.\nUse spotlighting to transform document content (sometimes via Base64 encoding), so the model treats it as \u0026ldquo;lower trust\u0026rdquo; grounded data, preventing it from being executed as a command.\nReferences: Prompt Shields, Prompt Shields in Microsoft Foundry\nGoogle Cloud (Vertex AI Action Guardrails) # GCP treats this through Content Filtering and Manual Review nodes in the agent\u0026rsquo;s workflow:\nGCP recommends \u0026ldquo;Gemini as a Filter.\u0026rdquo; You use a smaller, faster model instance to \u0026ldquo;pre-read\u0026rdquo; and summarize a file in a low-privilege environment. If the summary contains instruction-like language (e.g., \u0026ldquo;ignore,\u0026rdquo; \u0026ldquo;system,\u0026rdquo; \u0026ldquo;delete\u0026rdquo;), the file is quarantined.\nReference: Safety in Vertex AI\nNetwork Hardening # \u0026ldquo;Network Hardening\u0026rdquo; isn\u0026rsquo;t just about blocking ports; it’s about establishing a Zero Trust egress policy for AI agents.
Since Claude Desktop and Claude Code are effectively \u0026ldquo;execution engines\u0026rdquo; on your local machine, they require the same egress filtering you would apply to a production VPC.\nAnthropic # Anthropic’s recent security documentation for Claude Code and Desktop highlights that \u0026ldquo;network isolation\u0026rdquo; is a core pillar of their sandboxing strategy:\nUse a Unix domain socket connected to a proxy server to enforce a \u0026ldquo;Deny All\u0026rdquo; outbound policy by default.\nFor local setups, Anthropic suggests customizing this proxy to enforce rules on outgoing traffic, allowing only trusted domains (like anthropic.com or your internal API endpoints).\nReferences: Claude Code Sandboxing, Auditing Network Activity\nAWS # AWS frames this as \u0026ldquo;Egress Filtering\u0026rdquo; via the AWS Network Firewall. For an AI agent running in an AWS environment, the strategy is to block all outbound traffic whose SNI (Server Name Indication) does not match an approved domain:\nUse AWS Network Firewall with stateful rules to monitor the SNI of outbound HTTPS requests.
If an agent tries to \u0026ldquo;phone home\u0026rdquo; to an unknown IP or a malicious C2 (Command \u0026amp; Control) server, the firewall drops the packet.\nReferences: Restricting a VPC’s outbound traffic, Build secure network architectures for generative AI applications\nAzure # Azure has introduced a specific feature called the Network Security Perimeter (NSP) to create a logical boundary for AI services.\nEven if an AI service has a public endpoint, the NSP acts as an \u0026ldquo;Application Firewall\u0026rdquo; that logs every access attempt and blocks exfiltration to any service outside that perimeter.\nConfigure Azure Firewall Application Rules to allow only specific FQDNs (Fully Qualified Domain Names) required for your Claude-based workflows.\nReferences: Add an AI Network Security Perimeter, Control outbound traffic with Azure Firewall\nGoogle Cloud # GCP’s approach is the most rigid, using VPC Service Controls to prevent data exfiltration at the API layer, regardless of the network path:\nWrap your AI project in a \u0026ldquo;Service Perimeter.\u0026rdquo; If an agent inside this perimeter tries to send data to a Cloud Storage bucket or an external API not explicitly in the \u0026ldquo;Ingress/Egress\u0026rdquo; rule set, the request is blocked by the Google front-end.\nReference: Mitigating Data Exfiltration with VPC Service Controls\nSummary # Claude Cowork marks a transition from AI that talks to AI that acts. By granting a digital agent direct access to your files and external apps via the Model Context Protocol, you gain a powerful \u0026ldquo;digital intern.\u0026rdquo; However, this shifts the security focus from protecting a simple chat to securing a privileged system user capable of modifying data and executing commands.\nTo manage this risk, organizations must adopt a \u0026ldquo;Zero Trust\u0026rdquo; approach for agentic tasks. 
This means strictly isolating the agent\u0026rsquo;s access to specific folders, requiring human approval for high-risk actions, and using cloud-native firewalls to prevent data exfiltration. By treating the AI as a high-risk user and enforcing strong monitoring, you can automate complex workflows without compromising your system\u0026rsquo;s integrity.\nDisclaimer: AI tools were used to research and edit this article. Graphics are created using AI.\nAbout the Author # Eyal Estrin is a cloud and information security architect and AWS Community Builder, with more than 25 years in the industry. He is the author of Cloud Security Handbook and Security for Cloud Native Applications.\nThe views expressed are his own.\n","date":"10 March 2026","externalUrl":null,"permalink":"/posts/securing-claude-cowork/","section":"Posts","summary":"","title":"Securing Claude Cowork","type":"posts"},{"content":"","date":"22 February 2026","externalUrl":null,"permalink":"/categories/ai--/","section":"Categories","summary":"","title":"AI  ","type":"categories"},{"content":" In February 2026, Anthropic released a new capability for Claude Code called Claude Code Security - a new tool that thinks like a developer to find tricky logic errors in your code, ranking how risky they are and suggesting fixes you can review.\nThe news sent a shockwave through cybersecurity stocks, causing JFrog to crash by nearly 25% while others like CrowdStrike, Okta, and Cloudflare all saw their share prices tumble by around 8% or 9%.\nThe announcement raised a question: can AI tools replace the current SaaS or cybersecurity products, or can AI agents replace developers or engineering teams?\nAnthropic’s Claude Code Security announcement highlights a move toward \u0026ldquo;agentic reasoning\u0026rdquo; - the ability for AI to understand complex data flows and logic flaws rather than just matching known patterns. 
While this is a significant leap for the \u0026ldquo;Defensive AI\u0026rdquo; movement, it does not signal the end of the human engineer or the mature SaaS platform.\nIn this blog post, I will share my point of view on the current advancement in AI technology.\nThe Modern SDLC and CI/CD Pipeline # The Software Development Life Cycle (SDLC) is a continuous loop. AI tools now act as \u0026ldquo;force multipliers\u0026rdquo; in these phases, but they lack the authority and context to own them.\nRequirements and Planning # The Process: Translating vague business needs into technical specifications. AI\u0026rsquo;s Role: Summarizing stakeholder meetings and drafting initial user stories. The Human Factor: AI cannot negotiate trade-offs. It doesn\u0026rsquo;t understand that a \u0026ldquo;must-have\u0026rdquo; feature might be delayed because of a pending merger or a team\u0026rsquo;s current burnout level. Architecture and Design # The Process: Designing the blueprint for scalability and security across cloud providers like AWS, Azure, or GCP. AI\u0026rsquo;s Role: Suggesting common design patterns (e.g., Event-Driven vs. Microservices) and generating Infrastructure as Code (IaC). The Human Factor: AI lacks \u0026ldquo;institutional memory.\u0026rdquo; It doesn\u0026rsquo;t know why a specific database was chosen three years ago to satisfy a unique compliance requirement that still exists. Development and Implementation # The Process: Writing and committing the actual code. AI\u0026rsquo;s Role (Claude Code): This is where agentic tools live. They can read your files, run terminal commands, and fix bugs autonomously. The Human Factor: Large codebases (50k+ lines) often exceed an AI\u0026rsquo;s effective context window. As the context fills, the AI can introduce conflicting logic or \u0026ldquo;hallucinate\u0026rdquo; dependencies. CI/CD: Testing and Security # The Process: Automating the path to production through integration and deployment pipelines. 
AI\u0026rsquo;s Role (Claude Code Security): It identifies high-severity vulnerabilities (e.g., broken access control) and suggests a verified patch. The Human Factor: Anthropic emphasizes a \u0026ldquo;Human-in-the-Loop\u0026rdquo; model. AI cannot take the legal or professional blame for a botched security patch that causes a global outage. Observability and Maintenance # The Process: Monitoring live systems and fixing production bugs at scale. AI\u0026rsquo;s Role: Analyzing logs to detect anomalies and suggesting fixes for \u0026ldquo;infrastructure drift.\u0026rdquo; The Human Factor: Being on-call at 3:00 AM requires high-stakes decision-making and cross-team coordination that AI agents cannot yet replicate. Why GenAI Cannot Replace Experienced Engineers # Even with the reasoning capabilities shown in the 2026 Claude Code Security update, three \u0026ldquo;hard barriers\u0026rdquo; prevent AI from replacing the individual contributor:\nThe Responsibility Gap: Software isn\u0026rsquo;t just code; it\u0026rsquo;s a liability. No AI subscription comes with an insurance policy. Accountability is a human-only function. If a system fails, a human must explain why to a board or a regulator. Reasoning vs. Intent: AI understands the structure of your code, but humans understand the intent. An AI might see a missing role-check as a bug, while a human knows it was bypassed for a specific, documented emergency migration path. Technical Debt Acceleration: Recent 2026 studies show that when developers over-rely on AI, \u0026ldquo;code churn\u0026rdquo; (code that is rewritten or deleted within two weeks) doubles. AI writes code faster than it can be reviewed, potentially creating a \u0026ldquo;spaghetti\u0026rdquo; codebase if not guided by a senior architect. Why AI Cannot Replace Mature SaaS Products # Many feared that AI\u0026rsquo;s ability to \u0026ldquo;generate a clone\u0026rdquo; of an app would kill the SaaS industry. 
This hasn\u0026rsquo;t happened for several concrete reasons:\nSaaS is \u0026ldquo;Running,\u0026rdquo; not \u0026ldquo;Building\u0026rdquo;: Building a clone of Jira or Salesforce is the easy part. Operating it at 99.99% availability, managing global data centers, and providing 24/7 support is what customers actually pay for. Compliance and Trust: A mature SaaS product provides pre-built SOC2, GDPR, and HIPAA guardrails. An AI-generated app is a \u0026ldquo;black box\u0026rdquo; that hasn\u0026rsquo;t been audited, making it a non-starter for enterprise or legal use. The Integration Ecosystem: SaaS platforms thrive on their ecosystems (APIs, plugins, and third-party integrations). AI can write a script to connect two tools, but it cannot manage the long-term versioning and stability of a multi-vendor tech stack. Summary # AI tools like Claude Code Security are the new \u0026ldquo;High-Level Languages\u0026rdquo; of 2026.\nJust as C++ didn\u0026rsquo;t kill programmers but made them more powerful, AI is shifting the engineer\u0026rsquo;s role from \u0026ldquo;Coder\u0026rdquo; to \u0026ldquo;Orchestrator and Verifier.\u0026rdquo;\nDisclaimer: AI tools were used to research and edit this article. Graphics are created using AI.\nAbout the Author # Eyal Estrin is a cloud and information security architect and AWS Community Builder, with more than 25 years in the industry. He is the author of Cloud Security Handbook and Security for Cloud Native Applications.\nThe views expressed are his own.\n","date":"22 February 2026","externalUrl":null,"permalink":"/posts/ai-vs-engineering-teams/","section":"Posts","summary":"","title":"AI vs. 
Engineering Teams","type":"posts"},{"content":"","date":"22 February 2026","externalUrl":null,"permalink":"/categories/anthropic-claude/","section":"Categories","summary":"","title":"Anthropic Claude","type":"categories"},{"content":"","date":"22 February 2026","externalUrl":null,"permalink":"/categories/career-change/","section":"Categories","summary":"","title":"Career Change","type":"categories"},{"content":"","date":"22 February 2026","externalUrl":null,"permalink":"/categories/saas/","section":"Categories","summary":"","title":"SaaS","type":"categories"},{"content":"","date":"22 February 2026","externalUrl":null,"permalink":"/categories/software-engineering/","section":"Categories","summary":"","title":"Software Engineering","type":"categories"},{"content":"","date":"9 February 2026","externalUrl":null,"permalink":"/categories/amazon-bedrock/","section":"Categories","summary":"","title":"Amazon Bedrock","type":"categories"},{"content":"","date":"9 February 2026","externalUrl":null,"permalink":"/categories/amazon-nova/","section":"Categories","summary":"","title":"Amazon Nova","type":"categories"},{"content":"","date":"9 February 2026","externalUrl":null,"permalink":"/categories/artificial-intelligence/","section":"Categories","summary":"","title":"Artificial-Intelligence","type":"categories"},{"content":" Amazon Nova Forge is a development environment within Amazon SageMaker AI dedicated to building \u0026ldquo;Novellas\u0026rdquo; - private, custom versions of Amazon’s Nova frontier models.\nUnlike typical AI services that only allow you to use a model or fine-tune its final layer, Nova Forge introduces a concept called Open Training. 
This gives you access to the model at various \u0026ldquo;life stages\u0026rdquo; (checkpoints), allowing you to bake your company’s proprietary knowledge directly into the model’s core reasoning capabilities.\nThis blog post is an introduction to Amazon Nova Forge and what makes it unique in the training process.\nWhat Makes it Different? # Prompt engineering and RAG provide external context but fail to change a model\u0026rsquo;s core intelligence. Standard fine-tuning also falls short because it happens too late in the lifecycle, attempting to steer a \u0026ldquo;finished\u0026rdquo; model that is already set in its ways. Nova Forge solves this by moving customization earlier into the training process, embedding specialized knowledge where it actually sticks.\nNova Forge occupies a unique middle ground between Managed APIs (Bedrock) and building from scratch.\nAmazon Bedrock: Bedrock is for consuming models. You can fine-tune them, but you are working on a \u0026ldquo;black box\u0026rdquo; model. Nova Forge is for building the model itself using deeper training techniques. Azure AI / Google Vertex AI: While Azure and GCP offer fine-tuning, they generally don\u0026rsquo;t provide access to intermediate training checkpoints of their frontier models. Nova Forge allows for Data Blending, where you mix your data with Amazon’s original training data to prevent the model from \u0026ldquo;forgetting\u0026rdquo; how to speak or reason. Terminology # Novella: The resulting custom model you create. It’s a \u0026ldquo;private edition\u0026rdquo; of Nova. Checkpoints: Saved \u0026ldquo;states\u0026rdquo; of the model during its initial training (pre-training, mid-training, post-training). Data Blending: The process of mixing your proprietary data with Nova-curated datasets so the model stays smart while learning your specific business. 
Reinforcement Fine-Tuning (RFT): Using \u0026ldquo;reward functions\u0026rdquo; (logic-based feedback) to teach the model how to perform complex, multi-step tasks correctly. Catastrophic Forgetting: A common AI failure where a model learns new information but loses its original abilities. Nova Forge is designed specifically to prevent this. The Workflow: From Training to Production # The process bridges the gap between the \u0026ldquo;lab\u0026rdquo; (SageMaker) and the \u0026ldquo;app\u0026rdquo; (Bedrock).\nSelection: You choose a Nova base model and a specific checkpoint (e.g., a \u0026ldquo;Mid-training\u0026rdquo; checkpoint) in Amazon SageMaker Studio. Training (SageMaker AI): You use SageMaker Recipes—pre-configured training scripts—to blend your data from S3 with Nova’s datasets. The heavy lifting (compute) happens on SageMaker\u0026rsquo;s managed infrastructure. Refinement: Optionally, you run RFT in SageMaker to align the model with specific business outcomes or safety guardrails. Deployment (Bedrock): Once the \u0026ldquo;Novella\u0026rdquo; is ready, you import it into Amazon Bedrock as a private model. Production: Your applications call the custom model via the standard Bedrock API, benefitting from Bedrock’s serverless scaling and security. Below is a sample training workflow:\nData Privacy and Protection # The security model is the most critical part:\nSovereignty: Your data stays in your S3 buckets and within your VPC boundaries. No Leakage: AWS explicitly states that customer data is not used to train the base Amazon Nova models. Your \u0026ldquo;Novella\u0026rdquo; is a private resource visible only to your AWS account. Encryption: Data is encrypted at rest via KMS (AWS-managed or Customer-managed keys) and in transit via TLS 1.2+. Governance: Access is controlled via standard IAM policies, and all training activity is logged in CloudTrail. 
Pricing Model # Nova Forge carries a distinct cost structure that reflects its \u0026ldquo;frontier\u0026rdquo; status:\nSubscription Fee: Access to the Forge environment starts at approximately $100,000 per year. Usage Costs: On top of the subscription, you pay for the SageMaker compute (GPUs) used during the training phase. Comparison: Cheaper than Training from Scratch: Building a frontier model from zero costs millions in compute and months of R\u0026amp;D. Nova Forge provides the \u0026ldquo;shortcuts\u0026rdquo; to get the same result for a fraction of that. More Expensive than Basic Fine-Tuning: Standard fine-tuning on Bedrock is much cheaper (often just a few dollars per hour), but it cannot achieve the deep \u0026ldquo;domain-native\u0026rdquo; intelligence that Nova Forge provides. Summary # Amazon Nova Forge marks a shift from generic AI to native intelligence, where models don\u0026rsquo;t just reference your data—they are built from it. By using \u0026ldquo;Open Training,\u0026rdquo; you can bake specialized knowledge into the model’s core at the pre-training or mid-training stages. This results in a private Novella that understands your specific industry as naturally as its base language.\nOrganizations managing high-value proprietary data should consider moving beyond treating that information as an external reference. If your workflows involve specialized terminology or regulated processes that standard LLMs struggle to master, shifting customization earlier in the training lifecycle is often more effective than basic fine-tuning.\nDisclaimer: AI tools were used to research and edit this article. Graphics are created using AI.\nAdditional references # Amazon Nova Forge Introducing Amazon Nova Forge: Build your own frontier models using Nova About the Author # Eyal Estrin is a cloud and information security architect and AWS Community Builder, with more than 25 years in the industry.
He is the author of Cloud Security Handbook and Security for Cloud Native Applications.\nThe views expressed are his own.\n","date":"9 February 2026","externalUrl":null,"permalink":"/posts/inside-the-amazon-nova-forge/","section":"Posts","summary":"","title":"Inside the Amazon Nova Forge","type":"posts"},{"content":" Clawdbot (now renamed Moltbot) is an open-source, self-hosted AI assistant that runs on your own hardware or server and can do things, not just chat.\nIt was created by developer Peter Steinberger in late 2025.\nIt connects your AI model (OpenAI, Claude, local models via Ollama) to real capabilities: automate workflows, read/write files, execute tools and scripts, manage emails/calendars, and respond through messaging apps like WhatsApp, Telegram, Discord and Slack.\nYou interact with it like a smart assistant that actually takes action based on your input.\nWhat is it used for? # Clawdbot functions as a “digital employee” or a “Jarvis-like” assistant that operates 24/7. Because it has direct access to your local filesystem and system tools, it can perform proactive tasks that standard AI cannot:\nCommunication Hub: It lives inside messaging apps like Telegram, WhatsApp, or Slack. You text it commands, and it can reply, summarize threads, or manage your inbox.\nProactive Automation: It can monitor your email, calendar, and GitHub repositories to fix bugs while you sleep, draft replies, or alert you to flight check-ins.\nSystem Execution: It can run shell commands, execute scripts, manage files, and even control web browsers to perform actions like making purchases or reservations.\nPersistent Memory: It maintains long-term context across conversations, remembering your preferences and past tasks for weeks or months.\nBelow is a sample deployment architecture of Clawdbot:\nSecurity risks associated with Clawdbot # Clawdbot is a high-privilege automation control plane.
Since it manages agents, tools, and multiple communication channels, it presents serious security risks.\nControl plane exposure \u0026amp; misconfiguration # Exposure: Misconfigured dashboards and reverse proxies have left hundreds of control interfaces open to the internet.\nAuthentication Failures: Some setups treat remote connections as local, letting attackers bypass authentication.\nData Theft: Unsecured instances can expose API keys, conversation logs, and configuration data.\nSystem Takeover: In certain cases, attackers can run commands on the host with elevated privileges.\nPrompt injection \u0026amp; tool blast radius # Manipulation: Malicious or untrusted content can trick the AI into using tools in unintended ways.\nBlast Radius: Access to high-privilege tools like shell commands or admin APIs means a prompt injection could lead to data theft or lateral movement across the network.\nModel Weakness: Older or poorly aligned AI models are more likely to ignore safety instructions, increasing risk.\nSocial engineering and user‑level abuse # Deception: Attackers can manipulate the bot to extract personal or environment-specific information.\nAccount Misuse: Connected commerce tools could be used for unauthorized purchases.\nPhishing: A compromised bot can send malicious links or scripts to contacts.\nUpstream Data Exposure: Prompts and tool outputs sent to AI providers can create privacy or compliance issues if not carefully managed.\nData privacy, logs, and long‑term memory # Sensitive Data Exposure: The gateway stores conversation histories and memory, which may include personal or business information depending on usage.\nDashboard and Host Vulnerabilities: Exposed dashboards or weak host protections can allow attackers to access past chats, file transfers, and stored credentials (API keys, tokens, OAuth secrets), turning the instance into a data exfiltration point.\nUpstream Data Risk: Prompts and tool outputs are sent to AI providers. 
Without proper scoping and data classification, this can create privacy and compliance issues.\nEcosystem risks: hijacked branding, fake installers, and scams # Hijacked Accounts: After a rebrand, original social media and GitHub handles were exploited by scammers promoting fake crypto tokens.\nMalware Risk: Users searching for the tool may encounter backdoored versions or fake installers designed to compromise their systems.\nNetwork and Remote Access Risks # Browser Control: Tools that let the bot control a browser can expose local or internal network resources if not secured.\nTunneling Errors: Misconfigured reverse proxies or tools like Tailscale may grant attackers unintended access to private networks.\nRecommendations for securing Clawdbot # Based on the official GitHub repository, documentation, and expert audits from January 2026, here are the recommendations for securing your instance.\nLock Down the Gateway # Bind the Clawdbot gateway to loopback (127.0.0.1) and never expose it directly to the internet. If remote access is required, use private mesh solutions such as Tailscale or Cloudflare Tunnel. Always enable gateway authentication using tokens or passwords.\nReferences:\nOfficial GitHub Security Overview\nClawdbot Remote Access Documentation\nEnforce Strict Access Controls # Restrict who can interact with Clawdbot by enforcing DM pairing or allowlists. Avoid wildcard policies in production. In group chats, require explicit mentions before the bot processes messages.\nReference:\nOfficial GitHub SECURITY.md Isolate the Runtime Environment # Run Clawdbot on dedicated hardware or a dedicated VM/container. Avoid running it on your primary workstation. Use Docker sandboxing with minimal mounts and dropped capabilities.\nReferences:\nClawdbot Getting Started Guide\nOfficial GitHub Security Overview\nSandbox and Restrict Tools # Enable sandboxing for all high-risk tools such as exec, write, browser automation, and web access. 
Use tool allow/deny lists and restrict elevated tools to trusted users only.\nReference:\nOfficial GitHub Security Overview Apply Least Privilege to Agent Capabilities # Disable interactive shells unless strictly necessary. Limit filesystem visibility to read-only mounts where possible. Avoid granting elevated privileges to agents handling untrusted input.\nReference:\nOfficial Clawdbot Documentation Secure Credentials and Secrets # Store secrets in environment variables, not configuration files or source control. Apply strict filesystem permissions to Clawdbot directories and rotate credentials after any suspected incident.\nReference:\nOfficial Clawdbot Security Documentation Continuous Auditing and Monitoring # Regularly run built-in security audit and doctor commands to detect unsafe configurations. Monitor logs and session transcripts for anomalous behavior or unexpected access.\nReference:\nOfficial GitHub Security CLI Documentation Harden Browser Automation # Treat browser automation as operator-level access. Use dedicated browser profiles without password managers or sync enabled. Never expose browser control ports publicly.\nPrompt-Level Safety Rules # Define explicit system rules that prevent disclosure of credentials, filesystem structure, or infrastructure details. Require confirmation for destructive actions.\nReference:\nOfficial Clawdbot Security Documentation Incident Response Preparedness # Maintain a documented response plan. If compromise is suspected: stop the gateway, revoke access, rotate all secrets, review logs, and re-run security audits.\nReference:\nOfficial Clawdbot Security Documentation Summary # ClawdBot is a high-privilege AI agent that can act on your system, not just chat. Its main risks come from exposed gateways, weak access controls, and powerful tools combined with prompt injection or social engineering, which can lead to system compromise and data loss. 
To use it safely, lock the gateway to localhost with authentication, restrict who can interact with it, isolate its runtime, minimize tool permissions, and monitor it continuously.\nDisclaimer: AI tools were used to research and edit this article. Graphics are created using AI.\nReferences:\nYour Clawdbot AI Assistant Has Shell Access and One Prompt Injection Away from Disaster\nClawdBot: Setup Guide + How to NOT Get Hacked\n10 ways to hack into a vibecoder’s clawdbot \u0026amp; get entire human identity (educational purposes only)\nHacking clawdbot and eating lobster souls\nEating lobster souls Part II: the supply chain\nEating lobster souls Part III (the finale): Escape the Moltrix\nAbout the Author # Eyal Estrin is a cloud and information security architect and AWS Community Builder, with more than 25 years in the industry. He is the author of Cloud Security Handbook and Security for Cloud Native Applications.\nThe views expressed are his own.\n","date":"2 February 2026","externalUrl":null,"permalink":"/posts/clawdbot-security-guide/","section":"Posts","summary":"","title":"ClawdBot Security Guide","type":"posts"},{"content":"","date":"2 February 2026","externalUrl":null,"permalink":"/categories/cybersecurity/","section":"Categories","summary":"","title":"Cybersecurity","type":"categories"},{"content":" If you give an AI system the ability to act, you give it risk.\nIn earlier posts, I covered how to secure MCP servers and agentic AI systems. This post focuses on a narrower but more dangerous layer: AI skills. These are the tools that let models touch the real world.\nOnce a model can call an API, run code, or move data, it stops being just a reasoning engine. 
It becomes an operator.\nThat is where most security failures happen.\nTerminology # In generative AI, “skills” describe the interfaces that allow a model to perform actions outside its own context.\nDifferent vendors use different names:\nTools: Function calling and MCP-based interactions\nPlugins: Web-based extensions used by chatbots\nActions: OpenAI GPT Actions and AWS Bedrock Action Groups\nAgents: Systems that reason and execute across multiple steps\nA base LLM predicts text; a skill gives it hands.\nSkills are pre-defined interfaces that expose code, APIs, or workflows. When a model decides that text alone is not enough, it triggers a skill.\nAnthropic treats skills as instruction-and-script bundles loaded at runtime.\nOpenAI uses modular functions inside Custom GPTs and agents.\nAWS implements the same idea through Action Groups.\nMicrosoft applies the term across Copilot and Semantic Kernel.\nNVIDIA uses skills in its digital human platforms.\nIn the reference high-level architecture below, we can see the relations between the components:\nWhy Skills Are Dangerous # Every skill expands the attack surface. The model sits in the middle, deciding what to call and when. If it is tricked, the skill executes anyway.\nThe most common failure modes:\nExcessive agency: Skills often have broader permissions than they need. A file-management skill with system-level access is a breach waiting to happen.\nThe consent gap: Users approve skills as a bundle. They rarely inspect the exact permissions. Attackers hide destructive capability inside tools that appear harmless.\nProcedural and memory poisoning: Skills that retain instructions or memory can be slowly corrupted. This does not cause an immediate failure. It changes behavior over time.\nPrivilege escalation through tool chaining: Multiple tools can be combined to bypass intended boundaries. A harmless read operation becomes a write. 
A write becomes execution.\nIndirect prompt injection: Malicious instructions are placed in content that the model reads: emails, web pages, documents. The model follows them using its own skills.\nData exfiltration: Skills often require access to sensitive systems. Once compromised, they can leak source code, credentials, or internal records.\nSupply chain risk: Skills rely on third-party APIs and libraries. A poisoned update propagates instantly.\nAgent-to-agent spread: In multi-agent systems, one compromised skill can affect others. Failures cascade.\nUnsafe execution and RCE: Any skill that runs code without isolation is exposed to remote code execution.\nInsecure output handling: Raw outputs passed directly to users can cause data leaks or client-side exploits.\nSSRF: Fetch-style skills can be abused to probe internal networks.\nHow to Secure Skills (What Actually Works) # Treat skills like production services. Because they are.\nIdentity and Access Management # Each skill must have its own identity. No shared credentials. No broad roles.\nPermissions should be minimal and continuously evaluated. This directly addresses OWASP LLM06: Excessive Agency.\nReference: OWASP LLM06:2025 Excessive Agency\nAWS Bedrock # Assign granular IAM roles per agent. Restrict regions and models with SCPs. Limit Action Groups to specific Lambda functions.\nReferences:\nSecurity and governance for generative AI platforms on AWS\nExecute code and analyze data using Amazon Bedrock AgentCore Code Interpreter\nMicrosoft Foundry # Disable key-based auth. Use Entra ID and Managed Identities. Restrict connectors at the agent level.\nReferences:\nGovernance and security for AI agents across the organization\nData, Privacy, and Security for Microsoft 365 Copilot\nGoogle Vertex AI # Use Workload Identity Federation. Scope permissions explicitly in agent configs.\nReference: Secure your Agentic and Generative AI with Google Cloud\nOpenAI # Never expose API keys client-side. 
Use project-scoped keys and backend proxies.\nReference: Best Practices for API Key Safety\nInput and Output Guardrails # Prompt injection is not theoretical. It is the default attack.\nMap OWASP LLM risks directly to controls.\nReference: OWASP Top 10 for Large Language Model Applications\nAWS Bedrock # Use Guardrails with prompt-attack detection and PII redaction.\nReference: Amazon Bedrock Guardrails\nMicrosoft Foundry # Enable Prompt Shields and groundedness detection.\nReference: Azure AI Content Safety\nGoogle Vertex AI # Use Model Armor and safety filters at the API layer.\nReference: Model Armor overview\nOpenAI # Use zero-retention mode for sensitive workflows.\nReference: Data controls in the OpenAI platform\nAnthropic # Use constitutional prompts but still enforce external moderation.\nReference: Building safeguards for Claude\nAdversarial Testing # Red team your agents.\nTest prompt injection, RAG abuse, tool chaining, and data poisoning during development. Not after launch.\nThreat modeling frameworks from OWASP, NIST, and Google apply here with minimal adaptation.\nReferences:\nThreat modeling for generative AI applications\nThreat Modeling AI/ML Systems and Dependencies\nHow Google Does It: Threat modeling, from basics to AI\nAI Model Risk Management Framework\nDevSecOps Integration # Every endpoint a skill calls is part of your attack surface.\nRun SAST and DAST on the skill code. Scan dependencies. Fail builds when violations appear.\nReferences:\nUsing Generative AI, Amazon Bedrock, and Amazon CodeGuru to Improve Code Quality and Security\nArtificial Intelligence Security\nIsolation and Network Controls # Code-executing skills must run in ephemeral, sandboxed environments.\nNo host access. 
No unrestricted outbound traffic.\nUse private networking wherever possible:\nAWS PrivateLink\nAzure Private Link and VNETs\nGCP VPC Service Controls\nLogging, Monitoring, and Privacy # If you cannot audit skill usage, you cannot secure it.\nEnable full invocation logging and integrate with existing SIEM tools.\nEnsure provider data-handling terms match your risk profile. Not all plans are equal.\nReferences:\nMonitor Amazon Bedrock API calls using CloudTrail\nAI security recommendations\nVertex AI audit logging information\nOpenAI Audit Logs\nClaude Agent Skills — Security Considerations\nIncident Response and Human Oversight # Update incident response plans to include AI-specific failures.\nFor high-risk actions, require human approval. This is the simplest and most reliable control against runaway agents.\nReferences:\nUnderstand the threat landscape\nMicrosoft Cloud Security Benchmark v2 — Incident Response\nImplement human-in-the-loop confirmation with Amazon Bedrock Agents\nMulti-agent Workflow with Human Approval using Agent Framework\nWhat is Human-in-the-Loop (HITL) in AI \u0026amp; ML?\nOpenAI Safety best practices\nSummary # AI skills are the execution layer of generative systems. They turn models from advisors into actors.\nThat shift introduces real security risk: excessive permissions, prompt injection, data leakage, and cascading agent failures.\nSecure skills the same way you secure production services. Strong identity. Least privilege. Isolation. Guardrails. Monitoring. Human oversight.\nThere is no final state. Platforms change. Attacks evolve. Continuous testing is the job.\nDisclaimer: AI tools were used to research and edit this article. Graphics are created using AI.\nAbout the Author # Eyal Estrin is a cloud and information security architect and AWS Community Builder, with more than 25 years in the industry. 
He is the author of Cloud Security Handbook and Security for Cloud Native Applications.\nThe views expressed are his own.\n","date":"26 January 2026","externalUrl":null,"permalink":"/posts/securing-ai-skills/","section":"Posts","summary":"","title":"Securing AI Skills","type":"posts"},{"content":"","date":"20 January 2026","externalUrl":null,"permalink":"/categories/containers/","section":"Categories","summary":"","title":"Containers","type":"categories"},{"content":" For many years, organizations embracing the public cloud knew there were two main types of compute services — customer-managed (i.e., IaaS) and fully managed or Serverless compute (i.e., PaaS).\nThe main difference is who is responsible for maintenance of the underlying compute nodes in terms of OS maintenance (such as patch management, hardening, monitoring, etc.) and the scale (adding or removing compute nodes according to customer or application load).\nIn an ideal world, we would prefer a fully managed (or perhaps a Serverless) solution, but there are use cases where we would like to have the ability to manage a VM (such as the need to connect to a VM via SSH to make configuration changes at the OS level).\nIn this blog post, I will review several examples of managed instance services and compare their capabilities with the fully managed alternative.\nFunction as a Service # The only alternative I managed to find is the AWS Lambda Managed Instances.\nAWS Lambda has been in the market for many years, and it is the most common Serverless compute service in the public cloud (though not the only alternative).\nBelow is a comparison between AWS Lambda and the AWS Lambda Managed Instances:\nWhen to Use Which Alternative # Use AWS Lambda (Standard) If:\nTraffic is Bursty or Unpredictable: You need the ability to scale from zero to thousands of concurrent executions in seconds to handle sudden spikes.\nLow or Intermittent Volume: You have idle periods where paying for running instances would be wasteful. 
“Scale to zero” is a priority.\nStrict Isolation is Required: Your security model relies on the strong isolation of Firecracker microVMs for every single request.\nSimplicity is Key: You want zero infrastructure decisions — just upload code and run.\nUse AWS Lambda Managed Instances If:\nTraffic is High \u0026amp; Predictable: You have steady-state workloads where paying for always-on EC2 instances (with Savings Plans) is cheaper than per-request billing.\nWorkloads are Compute/Memory Intensive: You need specific hardware ratios (e.g., high CPU but low RAM) or specialized instruction sets not available in standard Lambda.\nLatency Sensitivity: You cannot afford any cold start latency and need environments that are always initialized.\nHigh I/O Concurrency: Your application performs many I/O bound tasks (like calling external APIs) and can efficiently process multiple requests on a single vCPU without blocking.\nContainer Service # Amazon ECS is a highly scalable container orchestration service that automates the deployment and management of containers across AWS infrastructure.\nBelow is a comparison between Amazon ECS (self-managed EC2) and the Amazon ECS Managed Instances:\nWhen to Use Which Alternative # Use Amazon ECS (Self-Managed EC2) If:\nYou Need Custom AMIs: Your compliance or legacy software requires a specific, hardened OS image or custom kernel modules.\nYou Require Host Access: You need SSH access to the underlying node for deep debugging, forensic auditing, or installing host-level daemon agents that ECS doesn’t support.\nCost is the Sole Priority: You want to avoid the additional management fee and have a dedicated team that can manually optimize bin-packing and Spot instance usage for free.\nLegacy / Hybrid Constraints: You are extending a specific on-premises network configuration or storage driver setup that requires manual OS configuration.\nUse Amazon ECS Managed Instances If:\nYou Need GPUs or High Memory: You require specific hardware (like GPU 
instances for AI/ML) that AWS Fargate does not support, but you don’t want to manage the OS.\nYou Want “Fargate-like” Operations with EC2 Pricing: You want to offload patching and ASG management (like Fargate) but need to use Reserved Instances or Savings Plans to lower costs.\nSecurity Compliance: You need guaranteed, automated rotation of nodes for security patching (e.g., every 14 days) without building the automation pipelines yourself.\nSteady-State Workloads: Your traffic is predictable, making always-on EC2 instances more cost-effective than Fargate’s per-second billing.\nKubernetes Service # Amazon EKS is a fully managed service that simplifies running, scaling, and securing containerized applications by automating the management of the Kubernetes control plane on AWS.\nBelow is a comparison between Amazon EKS (self-managed nodes) and the Amazon EKS Managed Node Groups:\nWhen to Use Which Alternative # Use Amazon EKS Managed Node Groups If:\nStandard Kubernetes Workloads: You are running standard applications and want to minimize the time spent on infrastructure maintenance.\nSimplified Scaling: You want EKS to automatically handle the creation of Auto Scaling Groups that are natively aware of the cluster state.\nAutomated Security: You want a streamlined way to apply security patches and OS updates to your cluster nodes without downtime.\nOperational Efficiency: You have a small team and need to focus on application code rather than Kubernetes “plumbing.”\nUse Amazon EKS Self-Managed Nodes If:\nCustom Operating Systems: You must use a specific, hardened OS image (e.g., a highly customized Ubuntu or RHEL) that is not supported by Managed Node Groups.\nComplex Bootstrap Scripts: You need to run intricate “User Data” scripts during node startup that require fine-grained control over the initialization sequence.\nUnique Networking Requirements: You are using specialized networking plugins or non-standard VPC configurations that require manual node 
configuration.\nLegacy Compliance: You have strict regulatory requirements that mandate manual oversight and “manual sign-off” for every single OS-level change.\nSummary # In this blog post, I have reviewed several compute services (FaaS, containers, and managed Kubernetes), each with two alternatives: the customer manages the compute nodes, or AWS manages them on behalf of the customer.\nBy leveraging AWS Lambda Managed Instances, Amazon ECS Managed Instances, and Amazon EKS Managed Node Groups, organizations can achieve high hardware performance without the burden of operational complexity. The primary advantage of this managed tier is the ability to decouple hardware selection from operating system maintenance. Developers can handpick specific EC2 families, such as GPU-optimized instances for AI or Graviton for cost efficiency, while AWS manages the heavy lifting of security patching and instance lifecycle updates.\nDisclaimer: AI tools were used to research and edit this article. Graphics are created using AI.\nAbout the author # Eyal Estrin is a seasoned cloud and information security architect, AWS Community Builder, and author of Cloud Security Handbook and Security for Cloud Native Applications. 
With over 25 years of experience in the IT industry, he brings deep expertise to his work.\nConnect with Eyal on social media: https://linktr.ee/eyalestrin.\nThe opinions expressed here are his own and do not reflect those of his employer.\n","date":"20 January 2026","externalUrl":null,"permalink":"/posts/introducing-managed-instances-in-the-cloud/","section":"Posts","summary":"","title":"Introducing Managed Instances in the Cloud","type":"posts"},{"content":"","date":"20 January 2026","externalUrl":null,"permalink":"/categories/kubernetes/","section":"Categories","summary":"","title":"Kubernetes","type":"categories"},{"content":"","date":"20 January 2026","externalUrl":null,"permalink":"/categories/serverless/","section":"Categories","summary":"","title":"Serverless","type":"categories"},{"content":" In the ever-evolving tech world, we often see organizations (from C-Level down to architects and engineers) rush to adopt the latest technology trends without conducting proper design or truly understanding the business requirements.\nThe result of failing to do a proper design is a waste of resources (from human time to compute), over-complicated architectures, or under-utilized resources.\nIn this blog post, I will dig into common architecture decisions and provide recommendations to avoid the pitfalls.\nLet’s dig into some examples.\nMoving everything to the public cloud # Example # An enterprise mandates a full lift-and-shift of all workloads to a hyper-scaler to “become cloud-native,” including legacy ERP systems, mainframes, and latency-sensitive trading applications.\nWhat was misunderstood # Some workloads had hard latency, data residency, or licensing constraints.\nThe applications were tightly coupled, stateful, and designed for vertical scaling.\nCost models were not analyzed beyond infrastructure savings.\nIssues that emerged # Higher total cost of ownership due to egress fees, oversized instances, and always-on resources.\nPerformance degradation for 
low-latency systems.\nOperational complexity increased without gaining elasticity or resilience benefits.\nMissed opportunity to modernize selectively (hybrid or refactor where justified).\nUsing Kubernetes for every architecture # Example # A team deploys all applications — including small internal tools, batch jobs, and simple APIs — onto a shared Kubernetes platform.\nWhat was misunderstood # Kubernetes is an orchestration platform, not a free abstraction layer.\nMany workloads did not need container orchestration, autoscaling, or self-healing.\nThe organization lacked operational maturity for cluster management and security.\nIssues that emerged # Increased cognitive load for developers (YAML, Helm, networking, ingress, RBAC).\nThe platform team became a bottleneck for simple changes.\nSecurity misconfigurations (over-permissive service accounts, exposed services).\nSlower delivery compared to simpler deployment models (VMs or managed PaaS).\nUsing Serverless for every solution # Example # An architect mandates that all new services must be implemented using Functions-as-a-Service.\nWhat was misunderstood # Serverless excels at event-driven, stateless, bursty workloads — not long-running or chatty processes.\nCold starts, execution limits, and state management trade-offs were ignored.\nObservability and debugging differ significantly from traditional services.\nIssues that emerged # Latency spikes impacting user-facing APIs.\nComplex orchestration logic is spread across functions, reducing maintainability.\nHigher costs for sustained workloads compared to containers or VMs.\nDifficult troubleshooting due to fragmented logs and distributed execution paths.\nUsing GenAI to solve every problem # Example # A company integrates GenAI into customer support, code reviews, security analysis, and decision-making workflows without clearly defined use cases.\nWhat was misunderstood # GenAI produces probabilistic outputs, not deterministic answers.\nData quality, context 
boundaries, and hallucination risks were underestimated.\nRegulatory, privacy, and intellectual property implications were not assessed.\nIssues that emerged # Incorrect or misleading responses are presented as authoritative.\nLeakage of sensitive data through prompts or training feedback loops.\nIncreased operational risk when AI outputs were trusted without validation.\nHigh costs with unclear ROI due to overuse in low-value scenarios.\nPractical recommendations # Start with business drivers, not technology — Define success metrics first: cost model, performance requirements, regulatory constraints, delivery speed, and operational ownership. Technology should follow these inputs — not precede them.\nExplicitly document constraints and non-goals — Latency, data residency, licensing, team skills, and operational maturity must be captured early. Many architectural failures stem from ignored or implicit constraints.\nApply technologies where their strengths are essential:\nPublic cloud: prioritize elasticity, managed services, and global reach — not lift-and-shift.\nKubernetes: use it where orchestration, portability, and scale justify its complexity.\nServerless: limit the use of Serverless to event-driven and bursty workloads.\nGenAI: apply where probabilistic output is acceptable and verifiable.\nFavor simplicity as a default — If a simpler architecture meets requirements, it is usually the correct choice. Complexity should be earned, not assumed.\nContinuously validate assumptions — Revisit architectural decisions as workloads evolve. What was once justified can become technical debt when context changes.\nReward outcome-driven architecture — Measure architects and teams on business impact, reliability, and cost efficiency — not on adoption of trendy platforms.\nSummary # The recurring failure pattern in modern architectures is not poor technology choice, but premature commitment to a tool before understanding the problem. 
Cloud platforms, Kubernetes, Serverless, and GenAI are powerful when applied deliberately — and damaging when treated as universal defaults. When architects start with the solution, they optimize for platform elegance instead of business outcomes.\nAbout the author # Eyal Estrin is a seasoned cloud and information security architect, AWS Community Builder, and author of Cloud Security Handbook and Security for Cloud Native Applications. With over 25 years of experience in the IT industry, he brings deep expertise to his work.\nConnect with Eyal on social media: https://linktr.ee/eyalestrin.\nThe opinions expressed here are his own and do not reflect those of his employer.\n","date":"6 January 2026","externalUrl":null,"permalink":"/posts/when-you-have-a-hammer-everything-looks-like-a-nail/","section":"Posts","summary":"","title":"When you have a hammer, everything looks like a nail","type":"posts"},{"content":"","date":"29 December 2025","externalUrl":null,"permalink":"/categories/open-source/","section":"Categories","summary":"","title":"Open-Source","type":"categories"},{"content":" The concept of vendor lock-in has existed for many years; organizations chose commercial, and in many cases expensive, licenses to use proprietary software products to run their production workloads.\nIn the past, there was the notion that using a product from a well-known vendor was the best solution, due to support, a large customer base, and, as the famous quote says, “Nobody gets fired for buying IBM.”\nThis was all true for decades, but as the software world matured, organizations began migrating workloads to the public cloud and began building modern or cloud-native applications based on open-source alternatives.\nIn this blog post, I will discuss some of the well-known case studies of switching from commercial products to open-source.\nFrom Elasticsearch to OpenSearch # Elasticsearch is a distributed search and analytics engine that stores data as JSON documents and lets you run fast 
full‑text search, aggregations, and log or metrics analysis across large datasets.\nElasticsearch, prior to 7.11, used Apache License 2.0, a permissive license allowing commercial use, modification, and distribution with minimal restrictions.\nIn January 2021, Elastic announced that starting with version 7.11, it would be relicensing its Apache 2.0 licensed code in Elasticsearch to be dual licensed under the Elastic License and SSPL (Server-Side Public License), a strong copyleft license that requires anyone offering the software as a service to open-source the entire service stack.\nIn August 2024, the GNU Affero General Public License was added to Elasticsearch version 8.16.0 as an option, making Elasticsearch free and open-source again.\nElastic argued that large cloud providers were taking the open‑source Elasticsearch, offering it as a commercial managed service (e.g., Amazon Elasticsearch Service) and capturing much of the value without sufficient reciprocity.\nThe license change was positioned as protecting Elastic’s SaaS/Elastic Cloud business and long‑term sustainability.\nOpenSearch was launched by AWS and partners as a fork later in 2021, based on Elasticsearch 7.10 and Kibana 7.10, the last Apache‑2.0 versions.\nToday, OpenSearch is no longer just an AWS side‑project; it is governed by the OpenSearch Software Foundation, a Linux Foundation project that provides vendor‑neutral governance and long‑term stewardship. 
Premier foundation members include AWS, SAP, and Uber, all of whom either run OpenSearch in production, build products on top of it, or contribute engineering resources.\nAmong the benefits of switching to OpenSearch:\nLicensing — OpenSearch is Apache 2.0, so there are no SSPL/Elastic License obligations or restrictions on offering it as a managed service or embedding it in SaaS products.\nVendor neutrality — OpenSearch’s open ecosystem (self‑managed on Kubernetes/VMs or via providers like Amazon OpenSearch Service and others) reduces dependence on a single vendor and improves negotiating leverage.\nMigration — OpenSearch was designed as a near drop‑in replacement for Elasticsearch 7.10, so many clients, APIs, and index formats are compatible, which lowers migration effort and risk.\nScalability — OpenSearch retains Elasticsearch’s horizontally scalable architecture and adds features like vector search, observability improvements, and integrations driven by a multi‑vendor community, not just one company’s roadmap.\nFrom Terraform to OpenTofu # HashiCorp Terraform is an infrastructure as code tool that lets you define, provision, and manage cloud and on‑prem resources using declarative configuration files, enabling consistent, repeatable deployments across multiple providers.\nHashiCorp announced the Terraform license change in August 2023, and it applies starting with versions after 1.5.x (i.e., from 1.6 onward).\nTerraform was originally licensed under the Mozilla Public License 2.0 (MPL 2.0), a weak copyleft license requiring modifications to licensed files to be open-sourced while allowing proprietary code alongside, and was then relicensed to the Business Source License (BSL/BUSL 1.1), which is a source‑available but not OSI‑approved open‑source license, introduced to restrict certain commercial/competitive uses while remaining free for typical internal infrastructure use.\nHashiCorp stated it wanted to prevent other companies, particularly cloud vendors and 
platforms, from offering competing managed services built directly on top of Terraform without commercial agreements, arguing this threatened HashiCorp’s ability to invest in the product.\nThe move was framed as protecting the “commercial viability” of Terraform and other HashiCorp tools, but triggered ecosystem concerns over neutrality, long‑term trust, and vendor lock‑in.\nIn response, a group of companies and maintainers drafted the “OpenTF” manifesto and, after HashiCorp declined to revert or donate Terraform to a foundation, forked the last MPL‑licensed version (1.5.6) into a new project later named OpenTofu, donated it to the Linux Foundation, and committed to keeping it under MPL 2.0 with neutral, community‑first governance. The OpenTofu fork was announced in 2023 and reached GA in 2024.\nThe founding vendors behind OpenTofu include Gruntwork, Spacelift, Harness, env0, and Scalr, all of whom depended heavily on open Terraform and now fund or employ core maintainers for OpenTofu.\nAmong the benefits of switching to OpenTofu:\nLicensing — OpenTofu keeps the original MPL 2.0 open‑source license, so there are no “source‑available” or BSL terms restricting competitive SaaS or internal platform use.\nVendor neutrality — OpenTofu is governed under a neutral foundation, not a single commercial vendor, which lowers the risk that future business decisions (price, license, roadmap) will disrupt users.\nMigration — OpenTofu is intentionally Terraform‑compatible (config syntax, state format, providers), so most organizations can switch with minimal changes to modules, backends, and pipelines.\nCommunity‑driven features and transparency — OpenTofu’s roadmap and code are driven by a broad contributor base, so features like client‑side state encryption and other safety improvements tend to align closely with practitioner needs.\nFrom Redis to Valkey # Redis is an in-memory key–value data store that can act as a database, cache, and message broker, optimized for extremely low‑latency reads and 
writes and supporting rich data structures like strings, lists, sets, and hashes.\nRedis changed its license in March 2024, moving from the BSD‑3‑Clause open‑source license to a dual “source‑available” model using the Redis Source Available License v2 (RSALv2), a source-available license that permits use, modification, and redistribution but restricts offering the software as a competing managed service, and the Server-Side Public License (SSPLv1), primarily to stop cloud providers from offering Redis as a managed service without paying or sharing more of their own code and revenue with Redis Ltd.\nIn response, in 2024, major contributors and users of Redis — including engineers from AWS, Alibaba, Google, Ericsson, Huawei, Tencent, Oracle and others — took the last BSD‑licensed Redis 7.2.4 code, forked it under the new name Valkey, and placed it in a Linux Foundation–governed project to preserve a fully open, high‑performance in‑memory key–value store that remains free from vendor lock‑in and can be safely embedded in cloud platforms, SaaS products, and managed services.\nValkey uses the BSD 3‑Clause license, which is a permissive, OSI‑approved open‑source license that allows free use, modification, and redistribution, including in commercial and cloud/SaaS offerings.\nAmong the benefits of switching to Valkey:\nLicensing — Valkey keeps a permissive BSD‑3‑Clause license, so teams avoid Redis’s newer source‑available terms and can freely offer Valkey as a managed service or embed it in SaaS without SSPL‑style obligations or commercial negotiations.\nVendor neutrality — Valkey is governed under a neutral foundation with a multi‑vendor contributor base, which reduces dependence on a single company’s business decisions and gives organizations more confidence in long‑term roadmap stability.\nMigration — Because Valkey started from the last BSD‑licensed Redis 7.2 codebase, existing clients, data structures, and usage patterns generally continue to work with minimal 
changes, making migrations relatively low‑risk.\nScalability — Valkey’s roadmap emphasizes core engine efficiency (e.g., improved multithreading, better memory usage, and clustering enhancements), so many users get similar or better performance and scalability for classic caching and queueing workloads without paying for an enterprise Redis tier.\nSummary # Migrations from Elasticsearch to OpenSearch, Terraform to OpenTofu, and Redis to Valkey all stem from the same story: vendors tightened licenses to protect their commercial cloud offerings, and the ecosystem responded by creating fully open forks that restore freedom to run, modify, and offer these technologies as services.\nThese community‑governed projects preserve familiar APIs and architectures while removing restrictive licenses, so customers keep the functionality they rely on and gain long‑term legal clarity and vendor‑neutral governance.\nFor users, the benefits include reduced lock‑in, simpler compliance, and the ability to standardize on open cores that any provider can host, extend, and support, rather than being bound to a single company’s roadmap or pricing.\nAll of these point in the same direction: the future of core cloud‑native tools lies in truly open‑source projects backed by strong communities and foundations, not in proprietary products pretending to be open, so organizations get more control, stronger resilience, and real choice in how they run their infrastructure.\nDisclaimer: AI tools were used to research and edit this article. Graphics are created using AI.\nAbout the author # Eyal Estrin is a seasoned cloud and information security architect, AWS Community Builder, and author of Cloud Security Handbook and Security for Cloud Native Applications. 
With over 25 years of experience in the IT industry, he brings deep expertise to his work.\nConnect with Eyal on social media: https://linktr.ee/eyalestrin.\nThe opinions expressed here are his own and do not reflect those of his employer.\n","date":"29 December 2025","externalUrl":null,"permalink":"/posts/turning-license-changes-into-opportunity/","section":"Posts","summary":"","title":"Turning License Changes into Opportunity","type":"posts"},{"content":" In 2023, I published a blog post titled Sharing Knowledge as a Way of Life, where I suggested that knowledge sharing should become a habit because it helps raise awareness about neglected topics, build community, and enhance your professional reputation.\nI agree that the technology world keeps changing every day: newly announced services, new capabilities related to AI, new cybersecurity risks, emerging technologies, etc.\nThe question is — how do you keep up with technology, and by doing so, advance your career, remain relevant and attractive in the tech industry?\nIn this post, I’ll explore this topic from a new perspective: how to stay up to date with technology in an era of rapid change.\nSelf-learning # In the past, to learn new technology, we used to pay money, go to a college or any training center close to our home, sit for several days in a physical class, and allow an instructor to feed us with knowledge.\nSometimes, we also studied at home and took a certification exam to test our knowledge (and perhaps to show a certificate to potential employers).\nIn the past couple of years (I would say, sometime after the COVID pandemic), online courses have become very popular.\nPlatforms such as QA Platform (formerly Cloud Academy), Pluralsight, Udemy, or LinkedIn Learning became the main source of self-learning courses.\nIf your main focus is cloud computing, the hyper-scale cloud providers offer you their own platforms, such as AWS Skill Builder, Microsoft Learn, or Google Cloud Skills 
Boost.\nThe mentioned platforms offer anyone, from a newbie to a practitioner, the ability to learn at their own pace, from anywhere (home, internet café, etc.), read, listen to recorded lectures, and gain hands-on experience by practicing in test labs.\nNaturally, theoretical knowledge has low value.\nIf you are studying, for example, new cloud technology, I recommend that you create an account with one of the cloud providers, add a credit card, and gain hands-on experience by deploying services, building applications, writing some code, and sharing it in your Git repo, so anyone can learn from you.\nI highly recommend that you dedicate spare time (at least one hour, but preferably more) each week to learning something new, practicing, and gaining hands-on experience.\nPublic events # I believe there is a limit to how much you could learn by yourself, and this is why I recommend taking advantage of public events such as webinars (where you can connect from anywhere), community meetups (such as meetup.com, or Eventbrite), community platforms (such as Slack or Discord), and finally industry conferences (in almost any topic you could think of).\nIf you are attending a conference, here are some tips I can share with you to get the most out of conferences:\nPrepare in advance — Usually, conferences have a published agenda, list of topics, tracks, and lectures. Before attending a conference, it is highly recommended to familiarize yourself with the list of lectures, select the topics closest to you, and mix them with topics you’re not familiar with or have no past expertise in.\nBe humble — Don’t assume you already know everything. 
Sit in on lectures, listen to the lecturer, ask questions, perhaps even take some pictures with your phone (to be able to review slides later), and allow yourself to expand your knowledge.\nEngage — Socialize with other conference attendees during the conference, both with past colleagues who may have also come to the conference and with new people; exchange ideas, ask questions, and share knowledge.\nVisit vendor booths — Speak with salespeople (yes, I know that their job is to sell you something you don’t necessarily need…), learn about their offering, ask questions, and if you’re really interested, schedule a follow-up meeting.\nGain hands-on experience — Participate in workshops (don’t forget to bring a laptop…); nothing compares to the knowledge you gain by actually deploying stuff and taking part in labs to expand your knowledge and experience.\nShare key takeaways — Whether you wrote notes during a conference, took pictures with your phone, or received written material (such as PDFs, or links to vendor sites, Git repos, etc.), take the time after the conference to write your own inputs, and share them with your colleagues.\nKnowledge sharing # The most advanced way to expand your career is by sharing your knowledge and expertise, and personally, I prefer to write in English to have an audience from all around the world.\nIt doesn’t matter which platform you choose; whatever you do will advance your career.\nDevelop soft skills — The most important quality for anyone in the tech industry is to be able to communicate with others. It may be small talk with your peers in a coffee break, a conversation with a customer about an issue he’s having, or the ability to explain a technological topic to a senior manager in business terms.\nWrite a blog post — This is an excellent way for anyone who has something to share and doesn’t feel comfortable in front of an audience. 
You may share personal opinions on a topic, how-to guidelines, or even code samples. You don’t even have to be an expert in a specific topic; whatever you share, people will read, and if it’s valuable, people will follow your posts regularly.\nRecord videos or podcasts — Both YouTube and Podcasts (such as Spotify) became very popular in the past decade. Begin small, share your insights, share your recordings over social media, and begin to attract followers around the world.\nProvide lectures — Regardless of the platform you choose, lectures are a great way to share knowledge and engage with colleagues and peers. You can choose video lectures (such as Zoom), on-site in small groups, or on the stage in front of a large audience, whatever you feel comfortable with. This is a great way to build your confidence and brand and advance your career.\nMentorship — This is a combination of someone who has a lot of knowledge (in at least one domain) and is generous enough to expand the knowledge of others. You can do it in one-on-one meetings, or even in small groups (since large groups tend to be ineffective in my perspective). Remember to provide your mentees honest feedback, and don’t forget to ask for feedback for the work you do, to learn from your mistakes.\nSummary # In this blog post, I shared a lot of ways anyone in the tech industry can expand their knowledge, gain experience, build a reputation, and be able to advance his or her career to the next level.\nLearning never stops. 
There is always the next level you can learn in any topic.\nAccording to Werner Vogels, Amazon CTO, a T-shaped person is someone who has deep expertise (the vertical bar of the T) in one specific domain, such as software development, cloud architecture, or data science, combined with broad knowledge and skills (the horizontal bar of the T) across multiple disciplines, such as communication, systems thinking, and collaboration.\nTo advance your career, you should always strive to build both depth and breadth in multidisciplinary domains.\nAbout the author # Eyal Estrin is a seasoned cloud and information security architect, AWS Community Builder, and author of Cloud Security Handbook and Security for Cloud Native Applications. With over 25 years of experience in the IT industry, he brings deep expertise to his work.\nConnect with Eyal on social media: https://linktr.ee/eyalestrin.\nThe opinions expressed here are his own and do not reflect those of his employer.\n","date":"22 December 2025","externalUrl":null,"permalink":"/posts/how-to-keep-up-with-technology-and-advance-your-career/","section":"Posts","summary":"","title":"How to keep up with technology and advance your career","type":"posts"},{"content":"","date":"22 December 2025","externalUrl":null,"permalink":"/categories/knowledge-sharing/","section":"Categories","summary":"","title":"Knowledge-Sharing","type":"categories"},{"content":"","date":"22 December 2025","externalUrl":null,"permalink":"/tags/knowledge-sharing/","section":"Tags","summary":"","title":"Knowledge-Sharing","type":"tags"},{"content":"","date":"15 December 2025","externalUrl":null,"permalink":"/categories/application-security/","section":"Categories","summary":"","title":"Application-Security","type":"categories"},{"content":" When organizations used to build applications in the past (mostly on-prem, but also in the public cloud), a common practice for allowing services to authenticate between each other was to create a service account 
(sometimes referred to as an application account) and embed its credentials in code or configuration files.\nAnother common way to gain access to services was to use static credentials such as keys. To name a few examples — AWS IAM user access keys, Azure shared access signature (SAS) tokens, or Google service account keys.\nIn this blog post, I will explain the risks related to using static credentials and provide recommendations when designing and building modern applications in the cloud.\nIntroduction to static credentials # Before we begin a conversation about static credentials, it is important to understand why we need them in the first place.\nNaturally, we don’t want to use the credentials of a human (such as a developer, a DevOps engineer, or a DBA) as part of code or configuration files to authenticate an application component (such as an API endpoint, or a front-end web application) to a backend service (such as a database, storage, message queue, etc.)\nThe most common practice for many years, which originated in on-prem legacy applications, was to create a service or application account and use it for non-interactive login.\nSuch identities are now known as NHI (or non-human identity), and since they were used as part of applications, and not as part of human/interactive login, they used to have static credentials (hopefully, long and complex passwords), and in most cases, their credentials were kept permanent and were never replaced (i.e., long-lived credentials).\nStatic credentials risks # Static credentials create persistent and often invisible weaknesses in cloud environments, offering attackers simple entry points while limiting an organization’s ability to detect misuse, enforce strong controls, or contain incidents effectively.\nBelow is a list of risks relating to the use of static credentials:\nHigh blast radius — Broad, persistent access makes any compromise immediately severe.\nSusceptibility to accidental exposure — Frequent real-world leaks through code 
repos, logs, and CI artifacts make this a major threat vector.\nLack of automatic short-lived expiration — Keys remain valid long after they should not, enabling silent long-term abuse.\nDifficult rotation and poor key hygiene — Operational friction leads to rarely rotated, aging credentials that attackers can exploit for extended periods.\nNo strong binding to workloads — Attackers can use stolen credentials from any location or infrastructure, increasing exploitability.\nCredential reuse across environments — Compromise of a single environment cascades laterally, expanding impact.\nLimited visibility and enforcement — Weak contextual signals hinder detection and prevent the application of strong access controls.\nTarget for automated reconnaissance — Attackers routinely harvest exposed keys, though the actual impact depends on whether exposure occurs.\nPoor alignment with zero trust principles — Creates structural security gaps but typically manifests through other higher-ranked risks.\nOperational drag on incident response — Increases containment time but is a downstream effect rather than a primary threat.\nVault as an interim solution # In the past, organizations used to deploy solutions such as CyberArk Privileged Access Manager or BeyondTrust Password Safe.\nAs organizations began to embrace the public cloud, they began to use managed secrets managers such as AWS Secrets Manager, Azure Key Vault, Google Secret Manager, or HashiCorp Vault (as a vendor-agnostic solution).\nAlthough the mentioned solutions assisted in managing the entire lifecycle of static credentials (from generation, storage, and retrieval to revocation), and the credentials weren’t as long-lived as in the past, they still left the problem of having static credentials.\nThe long-term solution # The recommended solution is to avoid long-lived credentials when building modern applications in the cloud.\nWhich short-lived alternative to use depends on the use case.\nGeneral purpose # 
For most cloud workloads (such as compute, storage, database, messaging, integration, APIs, etc.), use one of the following solutions:\nAWS IAM Role — a temporary-permission identity that workloads or users can assume to access AWS resources without relying on long-lived credentials.\nManaged identities — Azure-provided workload identities automatically tied to Azure resources, giving them token-based access to cloud services without requiring you to create, store, or rotate any credentials.\nEntra workload identities — the broader category of non-human identities (such as service principals, app registrations, and federated identities) used by applications or services to authenticate to Microsoft Entra ID, including workloads that run outside Azure or require flexible, cross-platform identity options.\nGoogle Managed workload identities — short-lived, automatically managed identities that allow Google Cloud workloads to authenticate securely without using long-lived service account keys.\nManaged Kubernetes # To allow Pods within a managed Kubernetes environment to access cloud services, use one of the following solutions:\nAWS EKS Pod Identity — lets Kubernetes pods in an Amazon EKS cluster assume an IAM role and receive temporary credentials.\nMicrosoft Entra Workload Identity for AKS — enables pods in an AKS cluster to use Kubernetes service-account tokens, which are exchanged for Azure AD tokens.\nWorkload Identity for GKE — allows workloads in a Google Kubernetes Engine cluster to use Kubernetes service accounts that map to Google IAM identities.\nExternal (Federated) Identities # For scenarios where you need to grant external/federated identities temporary (short-lived) access, through OIDC, to resources in the cloud ecosystem, use one of the following solutions:\nAWS Security Token Service (AWS STS) — issues short-lived, scoped credentials that external or federated identities obtain through the AssumeRole API, allowing them to 
access AWS resources temporarily without relying on long-lived access.\nAzure Workload Identity Federation — allows external or non-Azure workloads to exchange their trusted identity tokens for short-lived Microsoft Entra tokens, enabling secure access to Azure resources without storing long-lived secrets.\nGoogle Workload Identity Federation — lets external or non-Google Cloud workloads exchange trusted identity tokens for short-lived Google Cloud credentials, enabling secure access without using long-lived service account keys.\nAI Agents # For scenarios where you need to grant AI agents access to resources in the cloud ecosystem, use one of the following solutions:\nAmazon Bedrock AgentCore Identity — Purpose-built IAM service for Bedrock agents with centralized agent identity directory, inbound authorizer (SigV4/OAuth/JWT), and outbound credential provider.\nMicrosoft Entra Agent ID (PREVIEW) — Extends Entra security to AI agents via special service principals with Conditional Access, Identity Protection, Governance, Network Controls, and developer platform for scalable agent lifecycle management and token issuance.\nVertex AI IAM role — Standard GCP IAM roles/service accounts granted to Vertex AI workloads for accessing resources like Storage/BigQuery via ADC; no agent-specific abstraction.\nSummary # When managing non-human identities, always prefer temporary credentials (roles/managed identities) over static or long-lived credentials.\nIf the target service does not support temporary credentials, use short-lived credentials and regularly rotate the credentials to avoid potential credential breaches.\nWhatever you do, never store credentials as part of code, configuration files, Git repositories, etc.\nThis blog post focused on solutions offered by the hyper-scale cloud providers; naturally, there are commercial solutions offering similar functionalities, including a single pane of glass for managing non-human identities across entire cloud environments, 
including multi-cloud environments.\nDisclaimer: AI tools were used to research and edit this article. Graphics are created using AI.\nAbout the author # Eyal Estrin is a seasoned cloud and information security architect, AWS Community Builder, and author of Cloud Security Handbook and Security for Cloud Native Applications. With over 25 years of experience in the IT industry, he brings deep expertise to his work.\nConnect with Eyal on social media: https://linktr.ee/eyalestrin.\nThe opinions expressed here are his own and do not reflect those of his employer.\n","date":"15 December 2025","externalUrl":null,"permalink":"/posts/goodbye-to-static-credentials-embrace-modern-identity-practices/","section":"Posts","summary":"","title":"Goodbye to Static Credentials: Embrace Modern Identity Practices","type":"posts"},{"content":" Today, we hear about so many organizations (from small start-ups to large enterprises) experimenting with GenAI applications, adding GenAI components to their existing workloads, and perhaps even moving from evaluation to production.\nThe increased usage of GenAI services requires organizations to pay attention to the cost of using GenAI services before the high and unpredictable cost generates additional failed projects.\nIn this blog post, I will share some common recommendations for implementing FinOps practices as part of GenAI workloads.\nReal-Time Cost Visibility, Allocation, Tagging, and Accountability # Lack of real-time visibility into cloud costs makes it difficult for organizations to track spending, identify waste, and assign accountability. Without clear, up-to-date cost allocation tied to projects or teams, overspending and inefficiencies often go unnoticed. 
Building transparent cost tracking and tagging practices empowers teams to monitor expenses continuously, optimize usage, and align spending with business goals.\nRecommendations / Best practices # Optimization Tools: Software that identifies inefficiencies and recommends or automates cost-saving actions in cloud environments. Common services: AWS Cost Explorer, AWS Trusted Advisor, Microsoft Cost Management, Azure Advisor, Google Cloud Billing, Google Recommendations.\nEstimate and Monitor Costs: Tools to forecast upcoming cloud expenses and continuously track actual spend against budgets. Common services: AWS Pricing Calculator, Azure Pricing Calculator, Google Cloud Pricing Calculator.\nBudgets, Alerts, and Cost Analysis: Features that allow setting spending limits, notifying on overruns, and analyzing cost trends. Common services: AWS Budgets, AWS Cost Anomaly Detection, Azure Budgets, Cost Alerts, Google Cloud Billing Budgets, and Google Cloud Billing Cost Anomaly Detection.\nCost Visibility, Allocation, tagging: Mechanisms to attribute cloud costs accurately to applications, teams, or business units using tags and reports. Common services: AWS Cost Allocation Tags, Azure Tagging, GCP Labels.\nToken and Endpoint Cost Tracking: Monitoring and reporting on usage-driven costs specifically related to API tokens and endpoint consumption. Common services: Amazon CloudWatch, Azure Monitor, Google Cloud Observability.\nReal-Time Cost Visibility: Providing immediate, up-to-date insights into cloud spend for timely decision-making and anomaly detection. 
Common services: Amazon CloudWatch Metrics Insights, Azure Cost Analysis, and Google BigQuery.\nRightsizing and Resource Optimization # Rightsizing and resource Optimization ensure cloud resources are appropriately sized and efficiently used by continuously analyzing usage patterns and adjusting capacity to eliminate waste and meet actual demand, thereby reducing costs without compromising performance.\nRecommendations / Best practices # Choose Optimal Model and Inference Types: Select foundation models and inference methods that precisely match your business needs to avoid paying for unnecessary capacity. Continuously evaluate workload requirements and prefer smaller, purpose-fit models over default larger ones to save costs. Reference: Generative AI Cost Optimization Strategies\nBatching and Concurrency: Efficiently batch inference requests and manage concurrency to maximize instance utilization and reduce cost per token or operation. Reference: GenAI Cost Optimization: The Essential Guide\nRight-Sizing and Model Selection: Regularly right-size infrastructure — compute, memory, GPU — to workload demand, using autoscaling, spot, and reserved instances to balance cost and performance. Avoid defaulting to high-end hardware for all workloads. References: Identify your savings potential in Azure, Optimizing GenAI Usage.\nLeverage Cloud-Specific Cost Management Tools: Use cloud vendor cost management and advisory tools to identify and implement cost-saving recommendations. Common services: AWS Compute Optimizer, Azure Advisor, Google Recommendations.\nIntelligent Pricing Strategies: Reserved, Spot, and Preemptible Instances # Reserved instances offer significant discounts for long-term, steady workloads by committing to a specific resource usage over one to three years, helping reduce costs compared to pay-as-you-go pricing. 
Spot and preemptible instances allow access to spare cloud capacity at substantially lower prices but with the risk of interruption, ideal for flexible or fault-tolerant tasks. Balancing these options with real-time workload needs enables cost-efficient cloud resource management while maintaining scalability and performance.\nRecommendations / Best practices # Reserved Instances and Commitment Pricing: Reserve instances or commit to savings plans for consistently running workloads to gain discounts of 30–70%. These long-term commitments reduce cost predictability and environmental stability. References: Reserved Instances for Amazon EC2 overview, Azure Reserved Virtual Machine Instances, Google Committed Use Discounts.\nSpot: Use spot for interruptible, fault-tolerant workloads like training and batch processing to save up to 90%. These resources are offered at deep discounts but can be reclaimed with short notice, requiring workload resilience and automation to manage interruptions. References: Amazon EC2 Spot Instances, Azure Spot Virtual Machines, Google Spot VMs.\nAuto-Scaling and Capacity Reservations: Pair spot and reserved instances with auto-scaling and capacity reservations to dynamically adjust resources based on workload demand, Optimizing cost and performance balance. References: Amazon EC2 Auto Scaling, Azure Virtual Machine Scale Sets, Google Autoscaling groups of instances.\nAutomation and Dynamic Scaling # Automation and dynamic scaling enable cloud resources to automatically adjust in real time to changing workload demands, ensuring efficient performance during peak times while minimizing costs by scaling down when demand is low. 
This approach reduces manual intervention, optimizes resource use, improves reliability, and supports business agility by maintaining responsiveness under fluctuating traffic conditions.\nRecommendations / Best practices # Automation and Idle Shutdown: Implement automated policies that stop, pause, or scale down AI model endpoints and compute resources during idle or low-traffic periods to avoid unnecessary costs. This dynamic management prevents paying for unused capacity, especially in development and batch workloads. References: AWS Compute Optimizer, Best Practice for Azure AI service cost configuration, GCP AI and ML perspective: Cost Optimization.\nServerless and Event-Driven Compute: For variable or unpredictable inference workloads, leverage serverless compute options to pay strictly for consumed resources and scale automatically. This approach reduces operational overhead and costs. References: GenAI Accelerator Starter Package, Azure OpenAI Extension for Function Apps Hands-on Experience, Run AI inference on Cloud Run with GPUs.\nDynamic Scaling and GPU Pooling: Use autoscaling and GPU pooling techniques (e.g., multi-instance GPU technologies) to maximize hardware utilization, reducing idle time and enabling more efficient processing of batch or concurrent inference tasks. This can significantly improve utilization from typical 25%+ levels to over 60%. Reference: Optimizing GenAI Usage\nCost-Aware Model and Workflow Design # Adopting a cost-aware approach to model and workflow design ensures financial insights are embedded in every step of the development lifecycle. By prioritizing real-time cost visibility, proactive forecasting, and iterative policy refinement, teams can anticipate spend early, align resource usage with business intent, and implement rapid adjustments as requirements evolve. 
This mindset promotes conscious decision-making, enabling organizations to balance performance and efficiency from the ground up.\nRecommendations / Best practices # Optimize prompt design and token usage: Design applications with cost-aware prompting by minimizing prompt size and engineering efficient prompts. This reduces model invocations and token consumption, directly controlling costs. References: Generative AI Lens — Cost Optimization, Effect of Optimization on AI Forecasting.\nUse prompt routing, caching, and inference Optimization: Route requests to the most cost-effective models and cache frequent prompts to reduce expensive token processing. This approach can cut inference costs by 40–70%, according to FinOps guidance. Target inference workloads for Optimization since they account for 80–90% of GenAI spending. Reference: Optimizing GenAI Usage\nMonitor and apply governance per FinOps best practices: Incorporate real-time cost monitoring, forecasting, and governance aligned with FinOps principles to drive iterative cost improvements during the AI model lifecycle. Reference: Effect of Optimization on AI Forecasting\nQuotas, Monitoring, and Anomaly Detection # Monitoring quotas and detecting anomalies with alerts ensures cloud resources are managed proactively. Setting alerts before limits are reached helps prevent service disruptions and enables timely capacity planning. This practice keeps cloud workloads reliable and cost-effective across environments.\nRecommendations / Best practices # Granular Monitoring and Cost Tracking: Utilize advanced cost management tools with customizable dashboards to monitor usage and spending trends closely. Implement automated alerts and anomaly detection powered by machine learning to identify unexpected cost spikes and deviations early, enabling proactive cost control. 
References: AWS Cost Anomaly Detection, Identify anomalies and unexpected changes in cost, View and manage cost anomalies, Cloud Cost Management.\nUtilization and Quotas Management: Continuously monitor resource use across all clouds and set quotas to prevent overruns and runaway costs. Identify idle or low-traffic endpoints to shut down or consolidate, which reduces unnecessary spend. Apply quota management on large AI model endpoints to enforce cost limits during experimentation. References: Automate quota management, Azure subscription and service limits, Google Cloud Quotas overview.\nUsage Pattern Analysis and Feedback: Establish continuous monitoring solutions to detect idle or under-utilized resources and optimize workflow efficiency. Encourage feedback loops between teams to align cost reduction with operational needs, following FinOps best practices. Reference: Cost Estimation of AI Workloads\nStorage and Data Lifecycle Management # Efficient storage and data lifecycle management are key to controlling cloud costs. Implementing automated lifecycle policies helps transition data across storage tiers based on access patterns and retention needs, while regularly auditing for orphaned or stale data prevents unnecessary spending. Embedding these practices early in the provisioning process ensures cost Optimization throughout the data lifecycle.\nRecommendations / Best practices # Lifecycle and Storage Policies: Implement automated data lifecycle management for model training datasets by shifting data to lower-cost storage tiers as access patterns change and removing obsolete or redundant data to reduce storage costs. This reduces provisioning waste and aligns storage use with business needs. 
References: AWS Data Lifecycle Management, Azure Data Lifecycle Management, Google Cloud Storage Lifecycle Management.\nEfficient Storage and Data Handling: Optimize data pipelines and storage choices by selecting cost-effective storage classes and managing data flow to minimize expensive resource usage during data processing steps that do not require high performance. References: AWS Cost Optimization, Cost Estimation of AI Workloads\nTeam Enablement, Training, and Cost Ownership # Empowering teams with clear cost ownership and targeted training fosters accountability and cost-conscious decision-making. Embedding cost awareness into daily workflows and providing role-specific education helps teams balance innovation and budget, driving a culture of shared responsibility for cloud spending.\nRecommendations / Best practices # Team Accountability: Assign cost owners and embed cost awareness into engineering workflows, training, and planning. Empower teams to make model design and usage decisions with full visibility of financial impact. References: AWS Cost optimization, How to optimize your cloud investment with Cost Management, Guide to Cloud Billing, Resource Organization and Access Management, FinOps Education \u0026amp; Enablement.\nForecasting, Budgeting, and Predictive Insights # Accurate forecasting, budgeting, and predictive insights enable organizations to anticipate cloud costs, align spending with business goals, and prevent budget overruns. Leveraging historical data, driver-based forecasting, and machine learning models helps create dynamic, actionable forecasts that drive financial accountability and proactive cost management.\nRecommendations / Best practices # Accountability, Budget Control, and Forecasting: Assign cost ownership to workload teams and integrate showback or chargeback mechanisms to increase cost visibility and accountability. 
Use continuous forecasting tools that leverage historical data and growth plans to dynamically adjust budgets and commitments, aligning spending with business objectives. References: AWS Practice Cloud Financial Management, Cost Optimization design principles, Google Cost Optimization pillar, Exploring Cloud Cost Forecasting, Cost Estimation of AI Workloads.\nGovernance, Policy, and Tooling Automation # Automating governance policies ensures consistent compliance, security, and cost control in the cloud. By embedding policies into infrastructure workflows and deployment pipelines, organizations reduce manual errors and enforce rules proactively. This approach enables scalable, reliable oversight and quick remediation across diverse cloud environments.\nRecommendations / Best practices # Governance and Automation: Use optimization tools to recommend rightsizing, automatically terminate idle workloads, and enforce cost policies at scale for efficient cloud resource management. References: AWS Cost Optimization Pillar — Governance, Cloud Adoption Framework for Azure — Build a cloud governance team, Guide to Cloud Billing Resource Organization and Access Management, Optimize Usage \u0026amp; Cost.\nSummary # In this long blog post, I have shared recommendations from various aspects for embedding FinOps practices as part of the design, deployment and maintenance of modern applications containing GenAI services.\nAny organization must have proper design and visibility into the cost aspects of any application using GenAI components to avoid high cost, or at least be able to track expected costs as soon as possible.\nI encourage the readers to review the hyper-scale cloud providers’ documentation, understand service cost, and learn about best practices for cost optimization.\nI also encourage the readers to learn from the FinOps Foundation’s official documentation and best practices as they deploy GenAI services.\nDisclaimer: AI tools were used to research and edit this 
article. Graphics are created using AI.\nAdditional references # AWS Well-Architected Framework — Cost Optimization Pillar\nAmazon Bedrock - Cost Optimization\nGuidance for Cost Analysis and Optimization with Amazon Bedrock Agents\nAmazon SageMaker — Inference cost Optimization best practices\nAzure Well-Architected Framework — Cost Optimization\nMicrosoft Foundry — Cost management for fine-tuning\nCost Optimization of Azure AI Services\nGoogle Well-Architected Framework — AI and ML perspective: Cost Optimization\nGoogle Well-Architected Framework — Cost Optimization pillar\nThree proven strategies for Optimizing AI costs\nAbout the author # Eyal Estrin is a seasoned cloud and information security architect, AWS Community Builder, and author of Cloud Security Handbook and Security for Cloud Native Applications. With over 25 years of experience in the IT industry, he brings deep expertise to his work.\nConnect with Eyal on social media: https://linktr.ee/eyalestrin.\nThe opinions expressed here are his own and do not reflect those of his employer.\n","date":"8 December 2025","externalUrl":null,"permalink":"/posts/finops-for-ai/","section":"Posts","summary":"","title":"FinOps for AI","type":"posts"},{"content":" In part 1 of this series, I have discussed Ingress controllers and Gateway APIs as a way to control ingress traffic into applications deployed on top of a Kubernetes cluster.\nIn the second part of this series, I will discuss intra-cluster (East-West) traffic passed through inside a Kubernetes cluster (i.e., between the Pods) and egress traffic outside the Kubernetes cluster.\nTerminology # Before we deep dive into the article, let\u0026rsquo;s review some important concepts:\nContainer Network Interface (CNI): A Cloud Native Computing Foundation project that provides a standardized specification and set of plugins for configuring network interfaces and connectivity for Linux containers (Reference: CNI - the Container Network Interface).\nNetwork Policies: Rules 
that control the allowed inbound and outbound network traffic to and from Pods, providing fine-grained segmentation and security within the cluster (Reference: Network Policies).\nService Mesh: An infrastructure layer that manages service-to-service communication in a microservices architecture by providing reliability, observability, and security features uniformly across all services without requiring code changes (Reference: Service Mesh).\neBPF (extended Berkeley Packet Filter): A Linux kernel technology that lets small, safe programs run inside the kernel without changing its code. These programs can monitor, filter, and control system events like network traffic or system calls, improving observability and security with low overhead (Reference: eBPF).\nCalico: An open-source networking and security solution for Kubernetes that provides scalable, high-performance Layer 3 networking and enforces fine-grained network policies (Reference: What is Project Calico).\nCilium: An open-source, cloud-native networking, security, and observability solution for Kubernetes that leverages eBPF technology to provide high-performance, identity-aware network policies and scalable pod connectivity (Reference: Cilium).\nIstio: An open-source service mesh that provides a transparent layer for managing, securing, and observing service-to-service communications in microservices architectures, using Envoy proxies for traffic control, security features like mutual TLS, and observability without requiring changes to application code (Reference: Istio).\nEnvoy Proxy: A high-performance, open-source edge and service proxy designed for cloud-native applications that facilitates service-to-service communication with advanced load balancing, traffic routing, and security features in distributed microservices architectures (Reference: Envoy).\nPod: The smallest deployable unit in Kubernetes that consists of one or more tightly coupled containers sharing storage, network, and a specification 
for how to run them in a shared context (Reference: Pods).\nContainer Network Interface and Network Policies # A CNI (Container Network Interface) in Kubernetes is needed to provide a standardized, pluggable way to set up networking for pods. It handles assigning IP addresses, configuring network interfaces, and routing so pods can communicate inside the cluster and with external systems. Without CNI, Kubernetes would lack the consistent networking required for container communication, service discovery, and networking scalability.\nNetwork Policies in Kubernetes are needed to control how pods communicate with each other and external endpoints. They provide fine-grained traffic rules to isolate workloads, improve security, and reduce the attack surface. By defining ingress and egress rules, Network Policies help prevent unauthorized access, contain potential attacks, and enforce compliance requirements within the cluster.\nAmazon # AWS implements network policies in EKS by integrating Kubernetes NetworkPolicy resources with the Amazon VPC CNI plugin. This integration provides native support for Kubernetes network security in EKS clusters, allowing operators to create fine-grained rules that control ingress and egress traffic to and from pods. By default, pods in Kubernetes accept traffic from any source, which can pose security risks. AWS addresses this by enabling network policies that act as a whitelist, allowing you to define which pods can communicate with each other based on labels and namespaces.\nAzure # Azure implements network policies by integrating Kubernetes NetworkPolicy resources with Azure\u0026rsquo;s native networking features through the Azure Container Networking Interface (CNI). AKS supports two implementations of network policies: Azure Network Policies and Calico Network Policies. 
The Azure Network Policy engine runs as a DaemonSet on every node and watches for Kubernetes NetworkPolicy objects to enforce traffic rules.\nGoogle Cloud Platform # Google implements network policies in Google Kubernetes Engine (GKE) by enabling Kubernetes NetworkPolicy resources that act as pod-level firewall rules to control ingress and egress traffic between pods and services within the cluster. Network policy enforcement is integrated into GKE and built on top of the GKE Dataplane V2, providing native, scalable enforcement without additional setup on Autopilot clusters. For Standard clusters, network policy enforcement can be enabled via the Google Cloud Console, CLI, or API, which re-creates node pools with the necessary configurations. Here is a comparison table of the various capabilities of Network Policies offered by AWS, Azure, and GCP:\nOpen-Source Alternatives for CNI and Network Policies # Other than the built-in CNI and Network Policies offered by AWS, Azure, and GCP, there are open-source solutions that can be integrated into a Kubernetes cluster when building a cloud-agnostic architecture. Below are some examples:\nCilium # Cilium is an open-source, cloud-native networking and security project that uses eBPF technology to provide high-performance networking, observability, and security for Kubernetes clusters. It implements network policies by enforcing identity-aware, layer 3, 4, and 7 rules using eBPF-based programs attached to network interfaces.\nCalico # Calico is an open-source networking and security solution for Kubernetes that provides scalable, high-performance Layer 3 networking and enforces fine-grained network policies. 
It uses standard IP routing and protocols like BGP to connect workloads securely across cloud and on-premises environments.\nEgress Traffic # In Kubernetes, egress traffic control is managed by creating NetworkPolicy resources with egress rules that explicitly allow or deny outbound connections from pods to specific destinations such as IP ranges, namespaces, or ports; by default, pods can send traffic outbound freely, so applying a default deny egress policy ensures isolation until specific egress permissions are granted. This mechanism provides fine-grained control over which external services or destinations pods can access, enhancing cluster security and compliance by minimizing unintended data exposure or communication. Service meshes like Istio can also complement this by providing egress gateways for centralized, policy-driven control and observability of outbound traffic. Overall, Kubernetes network policies enable secure, controlled, and auditable management of egress traffic at the pod level.\nAWS, Azure, and GCP all control egress traffic using similar fundamental building blocks like Kubernetes NetworkPolicies and cloud-native networking features, but each has unique implementations and integrations with its networking stacks.\nAWS uses the Amazon VPC CNI plugin integrated with Elastic Network Interfaces (ENIs) and Security Groups, providing pod-level network isolation with egress filtering enforced via eBPF programs on nodes, plus cloud-level firewall controls and Transit Gateway for centralized traffic management.\nAzure uses Azure CNI with network policies enforced via iptables (Linux) or HNS ACLs (Windows), supporting both overlay and flat networks for different egress use cases, integrated with Azure Virtual Network and Network Security Groups for fine-grained outbound traffic control.\nGCP uses the native GKE Dataplane V2 with Calico and eBPF-based enforcement, integrated deeply with Google Cloud VPC and Cloud Router for dynamic routing and policy 
enforcement, enabling scalable and automated egress control combined with Google\u0026rsquo;s global backbone network.\nService Mesh # A service mesh in Kubernetes is a dedicated infrastructure layer that manages and controls service-to-service communication within a cluster by transparently injecting sidecar proxies alongside application containers. It provides features like traffic management, security (including mutual TLS encryption and authorization), observability, load balancing, and service discovery without requiring changes to application code, allowing teams to securely and reliably connect, monitor, and control microservices at scale.\nService mesh in Kubernetes provides capabilities such as advanced traffic management (including load balancing, traffic routing, retries, and circuit breaking), security features like mutual TLS authentication and authorization policies, deep observability through metrics, distributed tracing, and logging, and resilience enhancements like request timeouts and rate limiting. It abstracts service-to-service communication from application code, enabling easier management, security, and monitoring of microservices at scale. 
Service meshes also facilitate canary deployments and traffic splitting for smooth application updates.\nAmazon # Amazon implements service mesh in Kubernetes through AWS App Mesh, a managed service mesh that provides application-level networking to control service-to-service communication.\nOn September 30, 2026, AWS will discontinue support for AWS App Mesh, so for service mesh in this blog post, I will recommend integrating Amazon EKS with Istio.\nIstio uses a two-component architecture of a data plane, which consists of Envoy proxy sidecars injected alongside each microservice pod to intercept and manage all network traffic, and a control plane that dynamically configures the Envoy proxies based on policies and rules.\nAzure # Azure implements service mesh in Kubernetes primarily through the Istio-based service mesh add-on for Azure Kubernetes Service (AKS). The Istio-based add-on is fully supported and tested by Microsoft, providing a managed Istio control plane integrated with AKS. It enables features like mutual TLS encryption, advanced traffic routing, access control, observability through integrations with Azure Monitor and Grafana, and lifecycle management of Istio components.\nGoogle Cloud Platform # Google Kubernetes Engine (GKE) implements Cloud Service Mesh as a fully managed service mesh based on Istio, known as Managed Cloud Service Mesh. This service mesh uses a managed control plane hosted by Google Cloud and Envoy sidecar proxies injected automatically into Kubernetes pods to manage and secure service-to-service communication without changing application code. The mesh supports traffic management features such as service discovery, load balancing, canary and blue-green deployments, and circuit breaking at the L7 application layer. 
Here is a comparison table of the various capabilities of Service Mesh offered/supported by AWS, Azure, and GCP:\nOpen-Source Alternatives for Service Mesh # Other than the service mesh support offered by AWS, Azure, and GCP, there are open-source solutions that can be integrated into a Kubernetes cluster when building a cloud-agnostic architecture. Below are some examples:\nIstio # Istio is an open-source service mesh platform that manages, secures, and observes service-to-service communication in Kubernetes. It works by injecting Envoy proxies as sidecars into each pod to intercept network traffic, while a control plane dynamically configures these proxies based on policies. Istio provides features like advanced traffic routing, mutual TLS security, and detailed observability, allowing centralized control over microservices networking without code changes.\nLinkerd # Linkerd is a lightweight, simple service mesh for Kubernetes that adds security, reliability, and observability features by injecting a small proxy sidecar into each pod. It automatically handles traffic routing, mutual TLS encryption, retries, and load balancing to secure and manage service communication without code changes.\nKuma # Kuma is a universal open-source service mesh that supports Kubernetes, VMs, and bare metal. It uses a control plane and Envoy sidecar proxies injected into pods to provide traffic routing, security with automatic mTLS, observability, and multi-zone/multi-cluster support. Kuma is designed for ease of use, supporting multiple meshes on a single control plane and hybrid infrastructure environments.\nNetwork Policies vs. 
Service Mesh # Choosing between Network Policies and Service Mesh depends on your specific needs and environment complexity:\nSummary # In the second part of this series, I have explained the different alternatives for controlling traffic inside a Kubernetes cluster (i.e., between Pods), and the various managed services offered by AWS, Azure, and GCP.\nKubernetes Network Policies control pod traffic at the IP and port level for basic network isolation, while Service Mesh manages service-to-service communication with advanced features like secure mutual TLS encryption, fine-grained traffic routing, and observability. Use Network Policies for simple boundary enforcement and Service Mesh when requiring enhanced security, traffic control, and monitoring. Often, combining both provides layered, robust control in Kubernetes environments.\nFollowing this two-part series, I encourage the readers to invest time in learning about Kubernetes capabilities, knowing which one to choose for which scenario and business requirements.\nDisclaimer: AI tools were used to research and edit this article. Graphics are created using AI.\nAbout the author # Eyal Estrin is a seasoned cloud and information security architect, AWS Community Builder, and author of Cloud Security Handbook and Security for Cloud Native Applications. 
With over 25 years of experience in the IT industry, he brings deep expertise to his work.\nConnect with Eyal on social media: https://linktr.ee/eyalestrin.\nThe opinions expressed here are his own and do not reflect those of his employer.\n","date":"30 November 2025","externalUrl":null,"permalink":"/posts/controlling-kubernetes-network-traffic-part-2/","section":"Posts","summary":"","title":"Controlling Kubernetes Network Traffic – Part 2","type":"posts"},{"content":" When designing cloud-native applications and following the Twelve-Factor App methodology “Config” factor, we should separate config from code to ensure portability, scalability, and security.\nCommon configuration variables include:\nDatabase connection strings or URLs (DATABASE_URL)\nAPI keys and external service credentials (API_KEY)\nHostnames, ports, and environment labels (SERVICE_URL, PORT, ENVIRONMENT)\nCaching or message broker endpoints (CACHE_HOST, CACHE_PORT)\nDebugging or logging levels (LOG_LEVEL, DEBUG_MODE)\nApplication configuration services are especially useful when automating a CI/CD pipeline to build and deploy cloud-native applications, allowing us to retrieve configuration from a central repository for different environments as part of an SDLC process, and to revert configuration in case problems are identified.\nIn this blog post, I will compare some of the most common features of managed configuration services, offered by the hyper-scale cloud providers, and a cloud-agnostic solution.\nFeature comparison # Security-related feature comparison # Summary # Application configuration services are essential for modern cloud-native applications because they centralize and separate configuration from code, supporting scalability, security, and portability. 
They enable automated, environment-specific configuration management that integrates seamlessly with cloud services, CI/CD pipelines, and infrastructure-as-code tools, ensuring safe deployments with features like versioning and rollback.\nIn this blog post, I have compared application configuration services (both vendor agnostic and non-vendor agnostic) in various aspects, from supported capabilities (such as versioning, service integration, and feature flag support) to IAM, encryption, etc.\nI encourage the readers to select an application configuration service and integrate it as part of a CI/CD pipeline, and separate config from code.\nAI tools were used to research and edit this article. Graphics are created using AI.\nReferences # What is AWS AppConfig?\nWhat is Azure App Configuration?\nGoogle Parameter Manager overview\nHashiCorp Consul Documentation\nAbout the author # Eyal Estrin is a seasoned cloud and information security architect, AWS Community Builder, and author of Cloud Security Handbook and Security for Cloud Native Applications. 
With over 25 years of experience in the IT industry, he brings deep expertise to his work.\nConnect with Eyal on social media: https://linktr.ee/eyalestrin.\nThe opinions expressed here are his own and do not reflect those of his employer.\n","date":"18 November 2025","externalUrl":null,"permalink":"/posts/comparison-of-cloud-native-application-configuration-services/","section":"Posts","summary":"","title":"Comparison of cloud-native application configuration services","type":"posts"},{"content":" In November 2025, I came across an announcement on the Kubernetes blog — Ingress NGINX Retirement: What You Need to Know, which made me dig into how we control network traffic in Kubernetes workloads.\nIn this series of blog posts, I will discuss network traffic in Kubernetes clusters, both inter-cluster and intra-cluster, and the various services offered by the hyper-scale cloud providers.\nIn the first part of this series, I will discuss ingress (North-South) traffic to an application deployed on the Kubernetes cluster.\nTerminology # Before we deep dive into the article, let’s review some important concepts:\nNorth-South traffic: The network traffic flowing between external clients outside the cluster and services inside the Kubernetes cluster, encompassing both incoming requests and outgoing responses or API calls.\nEast-West traffic: The network traffic that flows internally between services or pods within the same Kubernetes cluster, enabling communication and data exchange inside the cluster without leaving its boundary.\nIngress Controller: A specialized software component running inside a cluster that monitors Ingress resources and manages external HTTP and HTTPS traffic by routing, load balancing, and applying the configured rules to direct incoming requests to appropriate internal services (Reference: Ingress Controllers).\nKubernetes Gateway API: An extensible, role-oriented Kubernetes API that provides a standardized way to manage and route traffic within 
and into clusters (Reference: Gateway API).\nLoadBalancer: A Kubernetes LoadBalancer service exposes an application running in a cluster to external networks by provisioning an external load balancer that distributes incoming traffic to the backend Pods, typically integrating with a cloud provider’s load balancing infrastructure (Reference: Service Type).\nCommon Traffic Flow # A common flow of network traffic coming from external customers into an application deployed on top of Kubernetes might look like this:\nExternal Request → CNI (connectivity) → Network Policies (security/filtering) → Ingress Controller or Gateway API (north-south routing) → Service Mesh (east-west routing, if used) → Application.\nNote: This is just an example, and not all applications are deployed using all the above-mentioned components (which we will discuss in this series of blog posts).\nIngress Controller # A Kubernetes Ingress controller is needed to efficiently manage and route external HTTP and HTTPS traffic into a Kubernetes cluster by translating Ingress resource rules into actual traffic routing, load balancing, SSL termination, and access control, providing a centralized and secure way to expose multiple services through a single entry point.\nAmazon # The Amazon EKS ingress controller service is typically the AWS ALB Ingress Controller (also known as the AWS Load Balancer Controller), which is the recommended solution for managing external HTTP/HTTPS traffic to Kubernetes services running on Amazon EKS.\nAzure # Azure Application Gateway Ingress Controller (AGIC) is a Kubernetes application that enables Azure Kubernetes Service (AKS) clusters to use Azure’s native Application Gateway as the ingress for external traffic.\nGoogle Cloud Platform # The GKE (Google Kubernetes Engine) ingress controller is the default solution for managing external HTTP/HTTPS traffic to Kubernetes services running on GKE. 
It is also known as the GCE Ingress Controller or GKE Ingress Controller.\nHere is a comparison table of the various capabilities of Ingress Controllers offered by AWS, Azure, and GCP:\nOpen-Source Alternatives for Ingress Controller # Other than the built-in Ingress controllers offered by AWS, Azure, and GCP, there are open-source solutions that can be integrated into a Kubernetes cluster when building a cloud-agnostic architecture. Below are some examples:\nTraefik # Traefik is a modern, cloud-native reverse proxy and load balancer that also serves as a Kubernetes Ingress Controller. It acts as an in-cluster application that integrates with the Kubernetes API to automatically detect Ingress resources and dynamically configure itself to route incoming HTTP/HTTPS traffic to the appropriate backend services within the cluster.\nKong Ingress Controller (KIC) # The Kong Ingress Controller (KIC) is an open-source Kubernetes Ingress Controller that allows you to run Kong Gateway as the ingress point for your Kubernetes cluster. It works by monitoring Kubernetes resources like Ingress and Gateway API objects, then translating these into Kong Gateway configurations to manage incoming traffic. This enables routing, load balancing, and API management for services within the cluster.\nEmissary-ingress (formerly Ambassador) # Emissary-ingress is an open-source Kubernetes-native API Gateway and Ingress controller built on Envoy Proxy. It acts as a scalable Layer 7 load balancer that routes traffic into Kubernetes clusters with advanced features like TLS termination, retries, circuit breakers, rate limiting, and fine-grained traffic management. Emissary-ingress supports Kubernetes Custom Resource Definitions (CRDs) such as Listener and Mapping to define routing and traffic policies more flexibly than standard Ingress resources. 
It integrates well with popular service meshes and supports multi-cluster environments.\nKubernetes Gateway API # The Kubernetes Gateway API is a modern, extensible Kubernetes API that provides a standardized way to manage and configure traffic routing within Kubernetes clusters. It improves on the older Ingress API by supporting advanced routing features like Layer 4 and Layer 7 protocols, cross-namespace routing, traffic splitting, and role-based management.\nAmazon # The AWS Gateway API Controller for Amazon VPC Lattice is a Kubernetes controller that integrates Amazon VPC Lattice with Kubernetes, enabling users to manage service networking and routing using Kubernetes Gateway API resources. It automates provisioning of VPC Lattice service networks and routes, simplifying multi-cluster and multi-VPC service connectivity without custom code or proxies. This allows consistent, secure, and observable traffic management across clusters and accounts.\nAzure # Azure Application Gateway for Containers (AGC) is a managed application load balancer for Kubernetes workloads on AKS. It runs an ALB controller inside the cluster that manages Azure Application Gateway resources based on Kubernetes Gateway API objects like Gateway and HTTPRoute. AGC provides advanced Layer 7 routing, TLS termination, autoscaling, and integrates deeply with Azure networking and security services. It enables seamless traffic management for containerized applications using native Azure infrastructure and Kubernetes-native APIs without manual configuration of the load balancer.\nGoogle Cloud Platform # The GKE Gateway controller is Google’s managed implementation of the Kubernetes Gateway API in Google Kubernetes Engine. It watches Gateway API resources in Kubernetes and provisions corresponding Google Cloud load balancers to route traffic based on those configurations. 
It supports single-cluster and multi-cluster Gateways, enabling scalable, flexible, and secure load balancing beyond traditional Ingress.\nHere is a comparison table of the various capabilities of Kubernetes Gateway APIs offered by AWS, Azure, and GCP:\nOpen-Source Alternatives for Kubernetes Gateway API # Other than the built-in Kubernetes Gateway APIs offered by AWS, Azure, and GCP, there are open-source solutions that can be integrated into a Kubernetes cluster when building a cloud-agnostic architecture. Below are some examples:\nEnvoy Gateway # Envoy Gateway is a CNCF-hosted open-source Kubernetes-native API gateway project built on Envoy Proxy. It provides a simplified, standardized implementation of the Kubernetes Gateway API to manage ingress and routing at Layer 7 with advanced traffic control features such as rate limiting, authentication (OIDC, JWT), API key validation, and CORS handling. Envoy Gateway aims to unify existing projects like Contour and Emissary-ingress into a common core with extensibility for vendors and users.\nEmissary-ingress (formerly Ambassador API Gateway) # Emissary-ingress, formerly known as Ambassador API Gateway, is an open-source, Kubernetes-native API gateway and ingress controller built on Envoy Proxy. It is a CNCF incubating project designed to route and manage incoming traffic to Kubernetes services with advanced features like TLS termination, retries, circuit breakers, rate limiting, and traffic shadowing. Emissary-ingress supports various protocols, including HTTP/3 and gRPC, and integrates natively with service meshes and multi-cluster Kubernetes environments.\nIngress Controller vs. 
Kubernetes Gateway API # Choosing between Kubernetes Ingress Controller and Kubernetes Gateway API depends on your cluster size, complexity, and traffic management needs:\nSummary # In the first part of this series, I have explained the different alternatives for controlling ingress traffic into applications deployed on top of a Kubernetes cluster, and the various managed services offered by AWS, Azure, and GCP.\nWhen deciding between Kubernetes Ingress Controller and Kubernetes Gateway API, choose Ingress Controller for simple, stable HTTP ingress needs with familiar tooling and ease of use. In contrast, opt for Gateway API if your environment requires advanced traffic features, multi-team support, protocol-agnostic routing, and a standardized, extensible API for modern multi-protocol workloads. Gateway API provides enhanced flexibility, scalability, and portability, making it the future-proof choice for complex Kubernetes networking scenarios.\nIn the second part of this series, I will explain how to control not just ingress and egress traffic, but also how to control traffic between different Pods within the same Kubernetes cluster — stay tuned.\nDisclaimer: AI tools were used to research and edit this article. Graphics are created using AI.\nAbout the author # Eyal Estrin is a seasoned cloud and information security architect, AWS Community Builder, and author of Cloud Security Handbook and Security for Cloud Native Applications. 
With over 25 years of experience in the IT industry, he brings deep expertise to his work.\nConnect with Eyal on social media: https://linktr.ee/eyalestrin.\nThe opinions expressed here are his own and do not reflect those of his employer.\n","date":"18 November 2025","externalUrl":null,"permalink":"/posts/controlling-kubernetes-network-traffic-part-1/","section":"Posts","summary":"","title":"Controlling Kubernetes Network Traffic - Part 1","type":"posts"},{"content":" In 2023, I published a blog post titled “Is the Public Cloud Ready for IPv6?”, where I tried to understand whether, when an organization builds a workload, the entire infrastructure underneath supports IPv6 end-to-end.\nThis time, I am asking myself a similar question — is the public cloud ready for post-quantum cryptography?\nTerminology and background # Before we begin the conversation, let us first explain what Post-Quantum Cryptography (PQC) is and what problem it solves.\nPost-Quantum Cryptography (PQC) is a new kind of encryption designed to protect data from powerful quantum computers. Quantum computers can break current encryption methods like RSA and ECC, which rely on hard math problems. 
PQC uses new math problems that even quantum computers can’t easily solve, keeping data safe in the future.\nIf standard encryption algorithms and protocols are broken by quantum computing, the security of encrypted data and communications would collapse.\nThe consequences would include:\nEncrypted data today could be recorded and decrypted later by anyone with a powerful enough quantum computer (“harvest now, decrypt later”).\nConfidential communications, financial transactions, and private information would be exposed.\nDigital signatures protecting software updates and identities could be forged.\nPublic key infrastructures (PKI) and internet security relying on current cryptography would be compromised.\nWidespread privacy breaches, economic damage, and loss of trust in digital systems could ensue.\nCybercriminals, nation-states, and hackers would gain unprecedented access to sensitive information.\nThe new algorithms # Currently, several cryptographic algorithms are vulnerable to quantum computing due to their reliance on mathematical problems that quantum computers can solve efficiently:\nRSA (Rivest-Shamir-Adleman) — Used widely for secure website certificates (SSL/TLS), digital signatures, and encrypting data.\nElliptic Curve Cryptography (ECC) — Used in many secure communications, cryptocurrencies, and authentication systems.\nDiffie-Hellman Key Exchange — Used for establishing shared secrets over insecure channels, based on discrete logarithms.\nNIST is standardizing new Post-Quantum Cryptography (PQC) algorithms designed to resist quantum attacks:\nModule-Lattice-Based Key Encapsulation Mechanism (ML-KEM) — a post-quantum cryptographic algorithm standardized by NIST as FIPS 203. It is a key encapsulation mechanism (KEM) used to establish a shared secret key securely between two parties communicating over a public, insecure channel. 
ML-KEM replaces existing classical key establishment algorithms vulnerable to quantum attacks, specifically:\nRSA (Rivest-Shamir-Adleman) — Like RSA, ML-KEM allows encrypting a symmetric key, which is then used for encrypting data.\nECDH (Elliptic Curve Diffie-Hellman) — Like Diffie-Hellman (DH) or Elliptic Curve Diffie-Hellman (ECDH), ML-KEM provides a way for two parties to securely agree on a shared secret key over an insecure channel.\nML-DSA (Module-Lattice Digital Signature Algorithm) — a post-quantum digital signature scheme standardized by the US National Institute of Standards and Technology (NIST) under FIPS 204 in 2024. ML-DSA is designed to replace existing digital signature algorithms that are vulnerable to quantum attacks, notably:\nRSA (Rivest-Shamir-Adleman) — Like RSA, ML-DSA provides cryptographic signing to verify the authenticity and integrity of messages, documents, and code.\nECDSA (Elliptic Curve Digital Signature Algorithm) — Like ECDSA, ML-DSA provides cryptographic signing to verify the authenticity and integrity of messages, documents, and code.\nNow that we have discussed briefly the background of post-quantum cryptography, let us move to the main question: are the public cloud providers ready for PQC?\nAWS # AWS began publishing articles, conducting research, and contributing to post-quantum cryptography (PQC) standards research at least as early as 2019.\nI have researched AWS’s official service documentation, and here are the services that currently support PQC:\nAWS KMS (Key Management Service) # Hybrid Post-Quantum TLS: AWS KMS supports hybrid post-quantum key exchange options combining classical ECDH with ML-KEM for TLS connections. 
This protects data in transit by ensuring quantum-resistant key establishment while maintaining compatibility with classical cryptography.\nPost-Quantum Digital Signatures: AWS KMS has integrated ML-DSA to enable quantum-safe digital signatures for key management operations like CreateKey, Sign, and Verify.\nAWS-LC Cryptographic Library: Underpinning AWS KMS is AWS-LC, a FIPS 140-3 validated open-source cryptographic library implementing NIST-approved PQC algorithms such as ML-KEM and ML-DSA.\nHybrid and Composite Key Encapsulation Mechanisms (KEMs): AWS uses hybrid KEMs combining classic and post-quantum algorithms, with key combiners merging outputs from multiple KEMs to enhance security and facilitate smooth migration to PQC.\nReference:\nUsing hybrid post-quantum TLS with AWS KMS\nAWS ACM (Certificate Manager) # Hybrid Post-Quantum TLS Key Exchange: ACM supports hybrid key agreement protocols combining classical ECDH with the ML-KEM algorithm. This hybrid approach protects TLS connections from quantum computer attacks, ensuring forward secrecy and mitigating “harvest now, decrypt later” risks.\nQuantum-Resistant Cryptographic Algorithms: ACM integrates the latest NIST-approved post-quantum cryptographic algorithms, including ML-KEM for key encapsulation based on CRYSTALS-Kyber.\nReference:\nAWS KMS and ACM now support the latest hybrid post-quantum TLS ciphers\nAWS Secrets Manager # Hybrid Post-Quantum TLS Key Exchange: Secrets Manager supports hybrid post-quantum key exchange options for TLS connections, combining classical ECDH with the post-quantum ML-KEM algorithm. 
This ensures a secure TLS network encryption resistant to quantum attacks.\nPost-Quantum TLS in All Regions Except China: This hybrid PQTLS feature can be used when connecting to Secrets Manager API endpoints, providing quantum-secure transport.\nBuilt on AWS SDK for Rust: The Secrets Manager Agent incorporates hybrid post-quantum key agreement in the AWS Rust SDK, enabling end-to-end PQC-enabled TLS for secret retrieval and management.\nReference:\nPost-quantum TLS Amazon CloudFront # Hybrid Post-Quantum TLS: CloudFront supports hybrid post-quantum key exchange mechanisms, which combine classical ECDH with ML-KEM. This hybrid approach ensures quantum resistance while maintaining compatibility with existing TLS protocols.\nTLS 1.3 Support: CloudFront has introduced a TLS 1.3-only security policy that enforces use of the latest, most secure TLS version and supports post-quantum cryptography algorithms in the handshake.\nSupported Curves and Algorithms: The platform supports traditional elliptic curves (prime256v1, secp384r1, X25519) along with PQC algorithms like ML-KEM for the key exchange component.\nReference:\nSupported protocols and ciphers between viewers and CloudFront AWS Transfer Family # Hybrid Post-Quantum Key Exchange for SSH: AWS Transfer Family uses hybrid key exchange protocols that combine classical ECDH with ML-KEM post-quantum key encapsulation mechanism for SFTP. 
This hybrid approach ensures quantum-resistant key exchange while maintaining interoperability with clients like OpenSSH, PuTTY, and JSch that support these hybrid algorithms.\nPost-Quantum Security Policies: AWS Transfer Family provides security policies such as TransferSecurityPolicy-2025-03 and TransferSecurityPolicy-FIPS-2025-03 that enable post-quantum secure key exchanges for file transfers via SFTP.\nLong-Term Confidentiality: The PQC support protects against “harvest now, decrypt later” threats by securing SFTP sessions with quantum-safe algorithms, ensuring data confidentiality even against future quantum computers.\nReference:\nUsing hybrid post-quantum key exchange with AWS Transfer Family\nAdditional references from the official AWS documentation:\nML-KEM post-quantum TLS is now supported in AWS KMS, ACM, and Secrets Manager\nCustomer compliance and security during the post-quantum cryptographic migration\nCryptography algorithms and AWS services\nAzure # Microsoft began publishing articles, conducting research, and actively contributing to post-quantum cryptography (PQC) standards around 2019.\nI have researched the Azure official service documentation, and here are the services that currently support PQC:\nAzure Key Vault # Post-Quantum Key Encapsulation Mechanism (KEM): Azure Key Vault integrates the NIST-standardized ML-KEM algorithm, which provides quantum-resistant public-key encryption and key exchange functionality.\nHybrid Cryptography: Azure Key Vault supports hybrid post-quantum key exchange protocols that combine classical ECDH with ML-KEM, enabling secure, quantum-resistant key management while maintaining compatibility with current clients.\nSymCrypt Cryptographic Library: The PQC algorithms are implemented within SymCrypt, a cryptography library used across Windows, Azure, and Microsoft 365, providing consistent post-quantum capabilities accessible via API for encryption, decryption, key generation, and signing.\nCryptographic API (CNG) 
Integration: PQC algorithms like ML-KEM and ML-DSA are exposed via Windows cryptography APIs, enabling applications using Azure Key Vault to adopt quantum-safe cryptography.\nMicrosoft Entra # Integration of Post-Quantum Algorithms: Entra incorporates NIST-approved PQC algorithms such as ML-KEM for quantum-resistant key exchange and ML-DSA for post-quantum digital signatures. These algorithms work alongside classical cryptographic methods in hybrid protocols.\nHybrid Cryptographic Protocols: Azure Entra uses hybrid key exchange and signature mechanisms that combine classical elliptic curve algorithms with quantum-safe lattice-based algorithms, enabling secure identity authentication and access management resistant to quantum attacks.\nIdentity and Authentication Security: Post-quantum algorithms protect critical functions like authentication flows, identity verification, conditional access enforcement, and signing of tokens or credentials within Entra, ensuring the integrity and confidentiality of identity data against future quantum adversaries.\nMicrosoft 365 # Integration via SymCrypt: Microsoft 365 leverages the SymCrypt cryptographic library, which has integrated NIST-approved PQC algorithms like ML-KEM for quantum-resistant key encapsulation and ML-DSA for post-quantum digital signatures.\nHybrid Cryptographic Protocols: Microsoft 365 supports hybrid cryptography that combines classical algorithms with post-quantum algorithms during key exchange and digital signatures to ensure future quantum resistance while maintaining compatibility.\nEnd-to-End PQC Security: PQC protections extend to Microsoft 365 applications, services, and endpoints, safeguarding data and communications against quantum-enabled adversaries. 
This includes email security, cloud storage, collaboration, identity verification, and document signing.\nIt was challenging to find references about PQC support on the official Azure service documentation, but here is the only official blog post I was able to find:\nQuantum-safe security: Progress towards next-generation cryptography Google Cloud # Google Cloud began publishing articles, conducting research, and contributing to post-quantum cryptography (PQC) standards as early as 2016.\nI have researched Google’s official service documentation, and here are the services that currently support PQC:\nCloud KMS (Key Management Service) # Post-Quantum Key Encapsulation Mechanisms (KEMs): Cloud KMS has introduced support for post-quantum KEM algorithms standardized by NIST, including ML-KEM, which is designed to resist attacks from quantum computers. This enables quantum-safe encryption key generation, encapsulation, and decapsulation.\nQuantum-Safe Digital Signatures: Cloud KMS supports NIST-approved PQC digital signature standards like ML-DSA and SLH-DSA. 
This allows customers to create and verify digital signatures that remain secure against quantum adversaries.\nHybrid Cryptographic Protocols: Cloud KMS recommends adopting high-level standards like Hybrid Public Key Encryption (HPKE) to integrate post-quantum KEMs alongside classical cryptography for a smooth transition and compatibility.\nCloud Network Encryption: Internal Google and Google Cloud-native services have migrated traffic encryption key exchanges to ML-KEM, ensuring quantum-resistant network encryption by default.\nReference:\nKey encapsulation mechanisms Cloud HSM (Hardware Security Modules) # Support for NIST PQC Standards: Cloud HSM supports quantum-safe cryptography aligned with NIST standards, including FIPS 203 (ML-KEM), FIPS 204 (CRYSTALS-Dilithium or ML-DSA digital signatures), and FIPS 205 (Sphincs+ or SLH-DSA stateless hash-based signatures).\nQuantum-Safe Key Operations: Enables quantum-resistant key import, key exchange, encryption, decryption, and digital signature creation within hardware security modules, providing hardware-backed security assurances.\nHybrid Cryptographic Protocols: Supports hybrid schemes combining classical cryptography with post-quantum algorithms to ensure compatibility and smooth migration toward quantum-safe infrastructure.\nIt was challenging to find references about PQC support on the official GCP service documentation, but here are some official blog posts I was able to find:\nAnnouncing quantum-safe Key Encapsulation Mechanisms in Cloud KMS\nPost-Quantum Cryptography: Standards and Progress\nPQC in plaintext: How we’re helping customers prepare for a quantum-safe future\nSummary # The blog explores whether public cloud providers — AWS, Azure, and Google Cloud — are ready for post-quantum cryptography (PQC), a new generation of encryption algorithms designed to protect against quantum computer attacks. 
PQC aims to replace traditional algorithms like RSA, ECC, and Diffie-Hellman, which quantum computers could eventually break.\nAWS appears to lead adoption, with multiple services (KMS, ACM, Secrets Manager, CloudFront, and Transfer Family) already supporting hybrid post-quantum TLS and digital signatures. Azure and Google Cloud also integrate PQC into key management and identity services, but their implementations are less visible in official documentation and primarily discussed through technical blogs.\nI am not an expert in post-quantum cryptography, and this topic remains an evolving area of research and standardization. While NIST has finalized initial PQC standards, cloud provider adoption is still a work in progress.\nDisclaimer: AI tools were used to research and edit this article. Graphics are created using AI.\nAbout the author # Eyal Estrin is a seasoned cloud and information security architect, AWS Community Builder, and author of Cloud Security Handbook and Security for Cloud Native Applications. 
With over 25 years of experience in the IT industry, he brings deep expertise to his work.\nConnect with Eyal on social media: https://linktr.ee/eyalestrin.\nThe opinions expressed here are his own and do not reflect those of his employer.\n","date":"13 November 2025","externalUrl":null,"permalink":"/posts/is-the-public-cloud-ready-for-post-quantum-cryptography/","section":"Posts","summary":"","title":"Is the Public Cloud Ready for Post-Quantum Cryptography?","type":"posts"},{"content":"","date":"2 November 2025","externalUrl":null,"permalink":"/categories/resiliency/","section":"Categories","summary":"","title":"Resiliency","type":"categories"},{"content":" When working with public clouds, we have all heard of the Shared Responsibility Model, where the cloud providers are responsible for the cloud infrastructure (both physical and software-related components), and we as customers are responsible for things within our cloud accounts (from configuration to security, designing for resiliency, etc.).\nBut what happens when the cloud providers make mistakes that impact us directly, without (almost) anything we as customers can do?\nIn this blog post, I will share some stories published on the Internet, and I will try to provide some recommendations to help prevent similar cases from happening in the future to other customers.\nWhen a 10-Year AWS Footprint Disappears Overnight # On July 10, 2025, AWS sent a notice requesting identity verification within five days. Although the account owner submitted valid ID and utility documents, AWS rejected them as “unreadable.” Without offering clarification or follow-up, AWS terminated the entire 10-year-old account on July 23, deleting every byte of data — including multi-region backups, documentation, and open-source material tied to his Ruby projects (Reference: AWS deleted my 10-year account and all data without warning).\nThe deletion led to a 20-day support ordeal, marked by canned responses and an apparent lack of an escalation pathway. 
Ultimately, in early August 2025, an AWS employee manually intervened to restore the account after public outcry (Reference: AWS Restored My Account: The Human Who Made the Difference).\nHow It Could Have Been Avoided # Redundant Multi‑Provider Backup Strategy — Cross‑provider redundancy (e.g., AWS + Azure Blob + local NAS backup) would have limited the damage.\nIndependent Account Ownership — Maintaining direct billing and verified root access avoids dependencies that can trigger verification suspension.\nAutomated Offsite Snapshots — Using tools like rclone or AWS Backup cross‑copy to independent storage (Google Drive, S3 Glacier Deep Archive, or on-prem object stores) protects against upstream provider errors.\nProactive Account Monitoring — AWS customers can use AWS Health Dashboard, CloudTrail account activity alerts, and Security Hub configuration compliance checks to detect when verification or compliance flags occur.\nInternal Policy Transparency by AWS — AWS could prevent recurrence by clarifying retention behavior for “verification-suspended” accounts, introducing a mandatory grace period before data erasure, and auditable deletion logs for customer appeals.\nWhen Microsoft Suspended Your Cloud # The incident involving Nayara Energy and Microsoft in July 2025 occurred after the European Union imposed sanctions targeting Nayara’s refinery due to its partial ownership by the Russian state oil company Rosneft. Following these sanctions, Microsoft, adhering to EU compliance and its automated sanctions enforcement system, suspended critical cloud services — such as Teams and Outlook — used by Nayara’s employees without prior notice or legal obligation under Indian or U.S. law. 
This unilateral suspension disrupted Nayara’s day-to-day operations and raised concerns about the overreach of foreign jurisdiction in critical infrastructure services (Reference: Microsoft briefly turned off an Indian company’s cloud).\nNayara Energy legally challenged Microsoft’s suspension in the Delhi High Court, which intervened and led to the restoration of services within a few days. The case highlighted the risks associated with reliance on foreign cloud providers subject to extraterritorial sanctions regimes, prompting Indian policy voices to emphasize the strategic vulnerability of depending on non-sovereign digital infrastructure in vital sectors like energy (Reference: Indian court rules for sanctioned refiner in Microsoft services dispute).\nHow It Could Have Been Avoided # Implement Sovereign or Local Cloud Solutions — Adoption of sovereign clouds or domestic cloud providers controlled under national jurisdiction to avoid external legal risks.\nMulti-Cloud Strategy — Utilizing multiple cloud providers from different legal jurisdictions can reduce exposure to unilateral service suspensions.\nClear Jurisdictional Compliance Mapping — Cloud customers and providers must ensure clear, legally grounded interpretations of sanctions to prevent automated, unnecessary service blocks.\nAdvance Notification and Dialogue — Providers should establish protocols to notify customers in sensitive sectors immediately about compliance actions and consider court injunctions or customer appeals to prevent abrupt service halts.\nGovernmental and Legal Safeguards — Governments should work with cloud providers to create frameworks protecting essential services from extraterritorial compliance impacts.\nWhen Google Cloud Deletes Your Private Cloud # The incident involving UniSuper and Google Cloud in May 2024 was caused by an inadvertent misconfiguration during the provisioning of UniSuper’s Private Cloud services, which led to the accidental deletion of UniSuper’s entire 
cloud subscription, including all backups stored across multiple geographic regions (Reference: Google Cloud accidentally deletes UniSuper’s online account due to ‘unprecedented misconfiguration’).\nGoogle Cloud acknowledged the issue as a “one-of-a-kind occurrence” and communicated openly with UniSuper throughout the recovery. The restoration required considerable effort from both Google Cloud and UniSuper teams, highlighting that cloud service disruptions can impact even large, sophisticated organizations (Reference: Sharing details on a recent incident impacting one of our customers).\nHow It Could Have Been Avoided # Multi-Cloud Backup Strategy — Organizations should adopt a 3-2-1 backup strategy: at least three copies of data, two different storage types, and one offsite or in another cloud provider.\nSeparate Logical Backup Infrastructure — Backups should not reside within the same logical cloud environment or account as primary data. Isolating backups using independent providers or physical air-gapped storage protects against provider-wide faults or misconfigurations.\nInfrastructure as Code (IaC) Safeguards — Extensive automated testing, change approval workflows, and audit trails for IaC deployments (e.g., Terraform, CloudFormation) would reduce the risk of unintentional destructive changes during provisioning.\nRobust Incident Response and Continual Monitoring — Early detection of configuration errors, combined with clear communication plans between cloud provider and customer, can minimize downtime and data loss consequences.\nCloud Provider Controls — Providers should implement redundant fail-safes restricting wholesale deletions during provisioning and protect against simultaneous deletion of multi-region backups.\nAWS Outage Deep Dive: Lessons from EU-North 1 # In February 2025, AWS experienced a significant networking fault in the eu-north-1 region (Stockholm), specifically originating in Availability Zone eun1-az3, which caused wide-scale service 
degradation. This fault disrupted internal service-to-service communications within the region, affecting many critical AWS services such as EC2, S3, Lambda, DynamoDB, and CloudWatch for over 15 hours before full recovery (Reference: Availability issues with aws-eu-north-1c).\nHow Can It Be Avoided or Mitigated # Multi-Region and AZ Redundancy — Architecting applications to span multiple Availability Zones and regions reduces the blast radius of regional faults and network isolation events.\nNetwork Path Redundancy and Monitoring — Continuous real-time monitoring of internal network paths and rapid failover mechanisms can help detect and route around failing network segments faster.\nDisaster Recovery Planning — Regular DR drills that include network partition scenarios validate system resilience and readiness for swift recovery.\nMulti-Cloud and Hybrid Strategies — Maintaining the ability to fail over critical workloads to a different cloud provider or on-premises infrastructure can mitigate regional cloud provider issues.\nCaching and Offline Access — Implementing edge caching and offline data accessibility for applications prevents total service disruption when cloud connectivity is impaired.\nClear Communication and Transparency — Cloud providers offering granular health dashboards and timely communication help customers take protective actions early.\nWhen Microsoft’s 19-Hour Outage Hits # In July 2025, Microsoft experienced a global outage lasting over 19 hours that severely impacted core Microsoft 365 services, including Exchange Online mailboxes, Outlook (web, mobile, and desktop), and Microsoft Teams for messaging, calls, and meetings. 
The problem quickly escalated to affect multiple interconnected services worldwide, disrupting communication and collaboration for millions of users across various sectors (Reference: Microsoft’s July 2025 Outage: A 19-Hour Disruption That Exposed Cloud Infrastructure Vulnerabilities).\nHow Can It Be Avoided or Mitigated # Backup and Contingency Planning — Customers should employ third-party backup services to regularly back up Microsoft 365 data (Exchange Online, Teams, SharePoint, OneDrive) to independent, off-cloud storage.\nMulti-Channel and Alternative Communication Methods — Organizations should ensure incident management and communication systems use multiple channels (email, SMS, phone calls) and set up backup conferencing/communication tools outside Microsoft 365, such as third-party video conferencing platforms or messaging apps, to maintain communications during service disruptions.\nLocal Sync and Offline Access for Critical Files — Administrators can configure OneDrive and SharePoint sync policies, enforcing critical document caching locally on user devices. Users trained to mark key files “Always Keep on This Device” ensure offline accessibility when cloud access is unavailable.\nResilient Authentication Configurations — Implement backup authentication methods alongside Azure AD and MFA to prevent single points of failure. 
For hybrid architectures, configure password hash sync and alternative login methods to avoid lockouts during identity service disruptions.\nProactive Monitoring and Incident Awareness — Continuous monitoring of Microsoft 365 service health dashboards and integrating alerts into organizational operations allows faster detection and response to outages, reducing downtime duration and impact.\nBusiness Continuity and Crisis Playbooks — Develop and regularly test contingency playbooks for such cloud outages, including manual workarounds, employee communication plans, and alternate workflows to maintain operations.\nGoogle Cloud Outage: A Cloud Architect’s Reality Check on Service Dependence # In June 2025, Google Cloud experienced a major global outage impacting over 70 services — including Gmail, Google Drive, Google Meet, Spotify, Discord, and Shopify — for more than 7 hours. The root cause was traced to a faulty automated change to Google Cloud’s Service Control system, a critical API gateway responsible for authentication, quota enforcement, and request validation across Google’s infrastructure (Reference: Multiple GCP products are experiencing Service issues).\nHow Can It Be Avoided or Mitigated # Multi-Cloud and Redundancy — Architect workloads across clouds or hybrid environments to reduce single-provider dependency risk.\nGraceful Degradation and Circuit Breaking — Design applications to handle API failures gracefully with retries, fallbacks, and offline capabilities to reduce impact during upstream outages.\nDecoupled Authentication Strategies — Leverage additional identity management solutions and caching to preserve session continuity if primary IAM services fail momentarily.\nProactive Monitoring and Alerting — Monitor Google Cloud Service Health dashboards continuously and integrate alerts to enable rapid incident detection and trigger fallback workflows.\nIncident Response and Crisis Planning — Maintain tested playbooks for service disruptions that 
include internal communications, alternative collaboration tools, and manual operational procedures.\nSalesforce OAuth Breach # In early August 2025, a sophisticated cyberattack exploited compromised OAuth tokens from the Salesloft Drift third-party application integrated with Salesforce, allowing attackers to exfiltrate large volumes of sensitive data from over 700 organizations across multiple industries, including cybersecurity firms, retail, finance, and technology (Reference: Widespread Data Theft Targets Salesforce Instances via Salesloft Drift).\nHow Can It Be Avoided or Mitigated # Comprehensive SaaS Integration Visibility — Maintain an inventory of all OAuth, API, and third-party integrations across SaaS environments to identify risky or unauthorized apps, reducing blind spots that attackers exploit.\nLeast Privilege and Token Scope Management — Restrict OAuth token permissions and enforce least privilege access, minimizing exposure if tokens are compromised.\nOAuth Token Rotation and Revocation — Regularly rotate and promptly revoke unused or suspicious OAuth tokens and refresh tokens to limit lifetime risk.\nMonitoring and Alerting for Anomalous Activity — Implement continuous monitoring with alerts for unusual data exports or access patterns in Salesforce and other SaaS tools, using SOAR or SIEM integrations.\nUser Awareness and Phishing Resistance Training — Educate users about phishing and social engineering risks, especially regarding granting OAuth consents and app integrations.\nThird-Party Security Assessments — Evaluate the security posture and incident history of third-party SaaS integrations regularly and require security attestations.\nIncident Response and Forensic Readiness — Prepare to quickly investigate, contain, and remediate integration abuse incidents, including audit log preservation and forensic analysis processes.\nOracle Cloud Breach # The Oracle data breach of 2025 stemmed from the exploitation of a critical, long-known 
vulnerability (CVE-2021-35587) in Oracle WebLogic servers, which many organizations had failed to patch. Threat actors, notably identified as “rose87168,” accessed legacy Oracle infrastructure, including SSO and LDAP servers, extracting approximately 6 million records comprising JKS key files, encrypted SSO passwords, hashed LDAP passwords, environment variables, and configuration backups (Reference: CVE-2021-35587 Exploited in Oracle Data Breach 2025).\nOver 140,000 Oracle Cloud tenants were affected, involving small to midsize companies relying on Oracle’s legacy cloud platforms and hybrid cloud components.\nOracle initially denied a breach of its core Oracle Cloud Infrastructure (OCI), attributing the incident to outdated Gen1 servers, but subsequent leaked data and victim confirmations challenged this narrative (Reference: Oracle Cloud Breach).\nHow Can It Be Avoided or Mitigated # Aggressive Patching and Vulnerability Management — Ensure that all Oracle software, including middleware like WebLogic, is promptly patched, especially for critical vulnerabilities listed in CISA KEV.\nCredential Rotation and Zero-Trust Access — Rotate and revoke all potentially exposed credentials, including SSH keys, API tokens, and SSO passwords. Enforce zero-trust principles with strict role-based access controls and conditional multi-factor authentication.\nNetwork Segmentation and Isolation — Isolate legacy systems from production environments and Internet-accessible interfaces. Use firewalls and VPNs to segment and limit access to sensitive infrastructure.\nContinuous Monitoring and Incident Response — Implement real-time monitoring of access, network traffic anomalies, and log integrity. 
Maintain robust incident response capabilities to detect and remediate suspicious activity quickly.\nSupply Chain and Integration Auditing — Identify and secure all third-party integrations and hybrid cloud components to prevent lateral attack vectors.\nData Encryption and Backup Hygiene — Encrypt data at rest and in transit and regularly test backup/restoration processes to ensure data integrity and resilience.\nSummary # This blog explores the limits of the Shared Responsibility Model in public cloud environments, highlighting incidents where cloud provider errors or misconfigurations directly impacted customers.\nOutages at AWS, Microsoft, and Google Cloud further emphasize the operational risks of single-provider dependence, while breaches in Salesforce and Oracle Cloud reveal the critical importance of security hygiene and third-party integration management.\nWhile no solution can fully eliminate the risk of cloud provider incidents, this post offers practical recommendations to help mitigate potential impacts. Some measures, like proactive monitoring and backup strategies, are straightforward to implement, whereas others — such as multi-cloud architectures — may be more complex or theoretical.\nThe key takeaway for readers is to learn from past incidents and adopt mitigations proactively, before they affect your organization or customers.\nAbout the author # Eyal Estrin is a seasoned cloud and information security architect, AWS Community Builder, and author of Cloud Security Handbook and Security for Cloud Native Applications. 
With over 25 years of experience in the IT industry, he brings deep expertise to his work.\nConnect with Eyal on social media: https://linktr.ee/eyalestrin.\nThe opinions expressed here are his own and do not reflect those of his employer.\n","date":"2 November 2025","externalUrl":null,"permalink":"/posts/the-shared-responsibility-model-and-mistakes-of-public-cloud-providers/","section":"Posts","summary":"","title":"The Shared Responsibility Model and mistakes of public cloud providers","type":"posts"},{"content":" When designing for resiliency, we usually think about deploying an entire workload over multiple availability zones (i.e., multi-AZ) or, if the business requires it, designing for multi-region (with the challenges that come with it).\nOne thing most organizations fail to understand is that many of the global services that we use every day (from identity management and DNS to compute, storage, and databases) are built on the concepts of “control plane” and “data plane”.\nIn public cloud environments, the concepts of \u0026ldquo;control plane\u0026rdquo; and \u0026ldquo;data plane\u0026rdquo; are fundamental to understanding how cloud services operate and ensure scalability, security, and resilience.\nControl Plane - the administrative and orchestration layer responsible for managing, configuring, and controlling cloud resources and services. It handles all control operations such as creating, updating, deleting, and listing resources (CRUDL operations). For example, launching a VM instance, creating an object storage bucket, or configuring network policies are control plane activities.\nData Plane - the functional layer that executes the core operations of the service, such as running virtual machines, handling storage, transmitting network packets, and processing application workloads. 
For example, the running VM instances, the data stored in and retrieved from object storage, and network packet forwarding are all part of the data plane.\nIn this blog post, I will share some recommendations I have collected from the official public cloud documentation.\nRecommendations for Resilient Application Design to Mitigate Control Plane Outages in AWS # 1. Do Not Rely on Control Plane in Recovery Paths # Avoid dependencies on control plane operations in global or partitional services during failover or disaster recovery. For instance, IAM, Route 53, and Amazon S3 control plane actions are often centralized in specific regions like us-east-1 or us-west-2. An outage in these regions impacts CRUDL operations (create, read, update, delete, list) on resources.\nInstead, architect systems to rely primarily on data plane operations, which are regionally distributed and more resilient.\nPre-provision resources like ELBs, Route 53 DNS records, S3 buckets, and API Gateway endpoints to avoid the need for control plane changes during failures.\nUse caching and replication to keep critical configuration and state data accessible via the data plane during a control plane outage.\n2. Use Static Stability Design Patterns to Avoid Control Plane Overload and Failure # Implement static stability by minimizing dynamic changes to the control plane during normal and failure operations. Avoid rapid scaling, reconfiguration, or failover operations that require heavy control plane interactions.\nFavor stable, predictable configuration models that do not require frequent updates to DNS records, API endpoints, or IAM policies.\nUse fallback mechanisms and circuit breakers to prevent cascading overloads on control plane services.\nDesign smaller, scoped services in charge of control plane operations to isolate and reduce the risk of large-scale failure due to control plane overload.\n3. 
Multi-AZ and Multi-Region Architectures for Control Plane Controlled Evacuation # Use multi-AZ deployments to increase availability; utilize patterns like control-plane-controlled evacuation from unavailable AZs.\nAutomate graceful evacuation of workloads from impaired AZs by orchestrating controlled drain or failover without overwhelming control plane requests.\nFor critical service control planes hosted in a single region (like the global IAM control plane in us-east-1), consider geographic separation and preplanned failover or fallback strategies.\nValidate failover automation works without real-time dependency on control plane changes whenever possible.\n4. Prepare for Single Points of Failure in Global Control Planes # Understand AWS global services whose control planes operate in a single region while their data planes are globally distributed (e.g., IAM, Route 53, CloudFront).\nDesign for \u0026ldquo;partitional\u0026rdquo; services failure modes by isolating workloads from control plane failures impacting global endpoints.\nImplement \u0026ldquo;break-glass\u0026rdquo; procedures and users pre-configured for emergency access during control plane outages.\nUse regional endpoints for services like AWS STS to reduce reliance on global endpoints.\n5. Operational Excellence and Monitoring # Use AWS Systems Manager Parameter Store, DynamoDB, or S3 (data plane) to store critical runtime configuration separately from the control plane.\nContinuously monitor control plane health using AWS CloudWatch and Route 53 health checks.\nEnable automated alarms and operational runbooks for rapid detection and resolution of control plane degradation.\nReferences # Global services\nAvoiding overload in distributed systems by putting the smaller service in control\nStatic stability using Availability Zones\nControl plane-controlled evacuation\nAzure Resilient Application Design for Control Plane Outage Mitigation # 1. 
Minimize Control Plane Dependencies in Critical Paths # Design applications to reduce dynamic control plane operations during failover or disaster recovery.\nPre-provision resources and configurations to avoid the need for control plane CRUD operations during outages.\nUtilize data plane operations and caching for runtime data retrieval rather than on-demand control plane calls.\nAvoid manual, time-sensitive changes in control plane resources, when possible, to reduce risk.\n2. Architect for Redundancy and Failover # Distribute workloads across multiple Azure Availability Zones (AZs) and regions to isolate against localized zone or regional control plane failures.\nUse availability sets, availability zones, and paired regions with geo-redundant services (e.g., Azure SQL Geo-Replication, Azure Storage geo-redundancy).\nImplement automatic failover mechanisms via Azure Traffic Manager and Azure Front Door to redirect traffic during service degradation or control plane interruptions.\n3. Service-Specific Availability Considerations # Understand the availability guarantees of Azure managed services; e.g., Azure Databricks control plane offers zonal redundancy but not full regional failover without explicit DR configuration.\nUse multi-region deployments and replication features in services supporting them to mitigate service-specific control plane failures.\n4. Prepare and Test Disaster Recovery Plans # Develop comprehensive disaster recovery plans addressing control plane outages, including failover processes to secondary regions.\nDefine and document Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) based on business needs.\nRegularly test and validate failover and failback procedures to ensure readiness without reliance on real-time control plane changes.\nEstablish \u0026ldquo;break-glass\u0026rdquo; access methods independent from the primary control plane for emergency administration.\n5. 
Monitoring, Alerts, and Change Management # Use Azure Monitor and Azure Service Health to continuously monitor the control plane and service health.\nSet automated alerts for early detection of control plane-related issues.\nApply disciplined change management processes to minimize human errors impacting the control plane.\nEmploy Infrastructure-as-Code (IaC) tools such as Azure Resource Manager and DevOps pipelines for consistent and auditable resource management.\nReferences # Azure control plane and data plane\nConsiderations for multitenant control planes\nArchitectural approaches for control planes in multitenant solutions\nInteroperability in Azure - Control plane analysis\nSummary # Designing only for data plane resilience is insufficient. To withstand regional or global control plane disruptions, workloads must avoid real-time control plane dependencies during failover, pre-provision critical resources, and rely on static, replicated, and automated recovery mechanisms.\nReaders should broaden their design considerations beyond resiliency and disaster recovery. Include chaos engineering exercises in regular deployment cycles, and plan for security and operational access—specifically, how teams will connect to and manage environments during a public cloud outage.\nAbout the author # Eyal Estrin is a seasoned cloud and information security architect, AWS Community Builder, and author of Cloud Security Handbook and Security for Cloud Native Applications. With over 25 years of experience in the IT industry, he brings deep expertise to his work.\nConnect with Eyal on social media: https://linktr.ee/eyalestrin.\nThe opinions expressed here are his own and do not reflect those of his employer.\n","date":"21 October 2025","externalUrl":null,"permalink":"/posts/mitigating-the-risk-of-a-global-public-cloud-outage/","section":"Posts","summary":"","title":"Mitigating the risk of a global public cloud outage","type":"posts"},{"content":"Welcome to my recorded sessions. 
Here I share insights on cloud adoption, cybersecurity strategy, and the evolution of cloud-native security.\nFeatured Lectures # Guardrails in the Cloud # Date: September 27, 2025\nA deep dive into implementing automated governance and security guardrails across multi-cloud environments. The Rise of Cloud Security in 2025 # Date: January 4, 2025\nExploring the shifting landscape of threats and defense strategies for the current year. Security in the Cloud-Native Era # Date: October 24, 2024\nFocusing on securing modern application architectures and infrastructure-as-code. GlobalTech.TV Series # A fundamental series covering the building blocks of cloud architecture and security.\nCloud Physical and Logical Infrastructure # Date: October 14, 2024 Content Sharing # Date: August 18, 2024 The Shared Responsibility Model # Date: July 15, 2024 Cloud Computing Fundamentals # Date: June 24, 2024 Intro # Date: June 11, 2024 ","date":"27 September 2025","externalUrl":null,"permalink":"/posts/pages/speaking/","section":"Posts","summary":"","title":"Cloud Security Sessions \u0026 Public Speaking","type":"posts"},{"content":" Modernizing legacy monolithic applications from on-prem to the public cloud is a challenging task.\nThose applications may have produced value for organizations for many years, but the challenge of upgrading components (such as hardware), outdated versions of programming languages (such as Java, .NET, etc.), lack of proper resiliency, and more, makes the ongoing maintenance a nightmare.\nAssuming our organization decides to put effort into application and workload modernization, to take full advantage of modern or cloud-native applications, how do we leverage GenAI capabilities for application modernization?\nIn this blog post I will share my experience with AI code assistants for application modernization.\nWhat are the benefits of application/workload modernization? 
# There are many benefits of modernizing legacy applications, to name a few:\nUse of latest software components — The ability to replace outdated or unsupported versions of software components with versions supporting new capabilities (fewer security vulnerabilities, better performance, new APIs, better compatibility with modern applications, etc.)\nEfficiency — The ability to replace hardware (from new instance type, latest block storage, etc.) and gain the best performance (and in many cases, even better pricing than previous generations), with minimum effort and very small downtime.\nScalability — The ability to re-architect existing workloads to meet business requirements for high availability (add or remove resources to meet customers’ demand).\nObservability — The ability to collect logging and telemetry based on API calls from all resources in the cloud to a central cloud-native aggregation and correlation solution.\nModern architecture — The ability to re-architect existing workload and be able to use cloud-native capabilities such as microservices, event-driven architectures, containers, or functions-as-a-service, instead of physical or virtual machines (that do not scale very well).\nUse of managed services — The ability to consume services such as storage, database, GenAI, etc., and focus on developing new offerings for customers, instead of ongoing service maintenance.\nWe can see that there are many benefits of application modernization, but how do we deal with outdated programming language versions?\nUsing Amazon Q Developer (Code transformation) for Java application modernization # In the example below, I have used the Amazon Q developer add-on as part of Visual Studio Code, using Claude Sonnet 4, to review a sample Java 8 application (source: https://github.com/aws-samples/qct-sample-java-8-app), assess the application, and create an upgrade to Java 17.\nFirst, I used Amazon Q Code to create documentation of the Java application (using the /doc 
command):\nFinal result:\nThen, I used Amazon Q Code to upgrade the Java application code to version 17 (using the /transform command):\nAnd the final result (before and after the proposed changes):\nFor more information about Amazon Q Developer and its capabilities for upgrading Java projects, see:\nTransforming Java applications with Amazon Q Developer\nModernize your Java application with Amazon Q Developer\nUsing Amazon Q Developer (Code transformation) for .NET application modernization # In the example below, I used the Amazon Q Developer add-on as part of Visual Studio Code, using Claude Sonnet 4, to upgrade a sample .NET 4.8 application (source: https://github.com/aws-samples/sample-amazon-q-transform-dotnet-4.8-webapi) to .NET 8:\nBelow is a summary of the upgrade process:\nThen, I asked Amazon Q Code to run a build for the upgraded application:\nFinally, I asked Amazon Q Code to run a test to validate the upgrade, and below are the results:\nFor more information about Amazon Q Developer and its capabilities for upgrading .NET applications, see:\nTransforming .NET applications with Amazon Q Developer Summary and some personal thoughts # While evaluating Amazon Q Developer, I was able to accomplish an upgrade of a Java application, an upgrade of a .NET application (from version 4.8 to version 8), and an upgrade of a Python application (from version 3.7 to version 3.10).\nImportant disclaimer — I am not a developer, and if I was able to use Amazon Q Developer to upgrade different applications, a task that I have no doubt is challenging for most developers, taking legacy code and struggling with the upgrade process, I see Amazon Q Developer application modernization capabilities as very promising.\nI also tried GitHub Copilot app modernization for .NET and GitHub Copilot app modernization for Java but was unable to complete an upgrade process without getting multiple errors, and the build process always failed.\nI tried GitHub Copilot for the 
upgrade process with the same Java, .NET, and Python applications that I used with Amazon Q Developer but was unable to complete the task.\nTo use GitHub Copilot app modernization for Java, I was required to upgrade my license to GitHub Copilot Pro, but even after enabling a 30-day trial license, logging off, and logging back in, the extension refused to perform an upgrade of a Java application.\nI tried to switch between GPT-4.1, GPT-4o, and Claude Sonnet 3.5, but it did not change the result.\nI finally tried Google Gemini Code Assist with the mentioned applications, but in most cases, Gemini Code Assist provided me with manual recommendations, or it was unable to provide a complete automated resolution for the upgrade process.\nAs a final step, I used Amazon Q Developer on the applications for which both GitHub Copilot and Gemini Code Assist failed to complete an upgrade and build process, and Amazon Q Developer was able to resolve all errors and complete the build task.\nI am sure all tools will mature over time and will enable developers to focus on building new applications and modernizing legacy applications, but at least at the time of writing this blog post, I believe Amazon Q Developer is the most mature solution from all three cloud providers.\nAbout the author # Eyal Estrin is a seasoned cloud and information security architect, AWS Community Builder, and author of Cloud Security Handbook and Security for Cloud Native Applications. 
With over 25 years of experience in the IT industry, he brings deep expertise to his work.\nConnect with Eyal on social media: https://linktr.ee/eyalestrin.\nThe opinions expressed here are his own and do not reflect those of his employer.\n","date":"18 August 2025","externalUrl":null,"permalink":"/posts/how-genai-powers-smarter-application-modernization/","section":"Posts","summary":"","title":"How GenAI Powers Smarter Application Modernization","type":"posts"},{"content":" When talking to different roles in the IT industry, we often hear about tension between security teams and end users (such as developers, business departments, etc.)\nThe tension usually comes from the notion of security teams having to fight to keep everything secured as much as possible, and end-users wishing to have the freedom to experiment with new technologies (from cloud-native applications to generative AI).\nIn this blog post, I will try to find ways to bridge the gap between security and innovation.\nReframe Security as an Enabler of Innovation # People often think of security as a roadblock — something that slows new ideas from getting off the ground. But the truth is, when it’s built in from the start, security gives you the freedom to create.\nCompanies that make security part of the creative process can test ideas faster, take bigger swings, and share them with the world, knowing their customers’ trust is protected. 
In today’s world, that trust is what turns a bold idea into lasting success.\nPractical Tips # Start projects with a security brainstorm — Before coding or designing, have a short, plain-language conversation about potential risks and how to address them early.\nUse security as a “green light” — Treat meeting security requirements as a milestone that unlocks the freedom to experiment more boldly.\nMake security visible in wins — Celebrate when a secure approach leads to faster approval, smoother launches, or increased customer trust.\nSimplify security language — Drop the jargon when talking to creative or product teams; frame it as protection for their work, not a technical hurdle.\nEncourage small, safe experiments — Use secure-by-design principles to test features in controlled environments, so the team can explore ideas without high risk.\nEmbed Security Early in the Innovation Process # Trying to add security at the very end of a project is like realizing you forgot seatbelts after building a sports car — it’s not only risky, it’s a lot harder to fix later. When teams think about security from day one, it becomes part of the design, not an obstacle. This means fewer delays, fewer do-overs, and more confidence when it’s time to share something new with the world. 
Imagine a startup creating a health app: if they plan early for how to keep personal data safe, they can focus on building great features without constantly worrying about “what ifs.” Embedding security early isn’t about slowing down — it’s about building on a foundation strong enough to support big, exciting ideas.\nPractical Tips # Add security to the idea stage — Include a quick check-in about safety and privacy when brainstorming new products or features.\nUse simple guardrails — Set a few clear, easy-to-follow security rules so creative teams can move quickly without guessing what’s “safe enough.”\nInvolve security voices early — Bring in your security lead or advisor during early planning instead of calling them in at the end for fixes.\nTest as you build — Run small, regular checks for security issues while prototyping so you catch problems before they grow.\nDocument as you go — Keep a light record of security decisions so it’s easier to prove compliance later without slowing down.\nBuild reusable safety tools — Create templates, checklists, or automated scans that teams can use across projects to speed up future work.\nAdopt Modern Operational Models for Compliance and Agility # Too often, teams feel like they have to choose between moving fast and following the rules. But modern ways of working make it possible to do both by weaving compliance into everyday processes instead of treating it as a last-minute chore. 
With the right tools and clear steps, things like data protection and industry requirements can be tracked automatically in the background, freeing teams to focus on building and improving their ideas.\nPractical Tips # Integrate compliance into daily workflows — Make following the rules part of everyone’s routine, not just a final checklist.\nUse automation tools — Automate tasks like monitoring regulations and reporting to reduce human error and speed up processes.\nKeep compliance simple and clear — Break down complex rules into easy steps so teams know exactly what to do without confusion.\nEncourage collaboration between teams — Get security, compliance, and product teams talking early and often to avoid surprises.\nAdopt flexible policies — Use adaptable guidelines that can evolve as your product and regulations change.\nRegularly review and update processes — Schedule quick check-ins to keep compliance efforts aligned with new rules and business needs.\nUse Automation and AI to Bridge Skill Gaps and Enhance Security # In today’s fast-paced world, teams often face a shortage of security experts, which can slow down innovation or leave gaps in protection. That’s where automation and AI step in as helpful partners — taking care of routine security checks and spotting potential risks faster than a person can. By handling these repetitive tasks, they free up people to focus on creative problem-solving and big-picture thinking. 
This smart use of technology not only fills skill gaps but also strengthens security, making it easier for teams to innovate with confidence and speed.\nPractical Tips # Automate routine security tasks — Use tools that handle regular checks like vulnerability scans or compliance monitoring to save time.\nLeverage AI for threat detection — Employ AI systems that can quickly spot unusual behavior or potential risks before they become problems.\nUse AI-powered insights to guide decisions — Let AI help prioritize which security issues need urgent attention, so teams can focus on what matters most.\nTrain your team with AI-driven learning tools — Use AI platforms that offer personalized security training to help close knowledge gaps.\nIntegrate automation with existing workflows — Make sure automation tools work smoothly with your current processes to avoid disruption.\nFoster Collaboration and Bi-Directional Empathy # Building great products means bringing security and innovation teams together — not just to share tasks, but to truly understand each other’s challenges and goals. When both sides listen and see things from the other’s point of view, they can work as partners instead of opponents. This kind of empathy helps create solutions that are both safe and creative, speeding up the process and reducing frustration. 
By fostering open communication and mutual respect, organizations unlock teamwork that turns tough security requirements into opportunities for smarter innovation.\nPractical Tips # Hold regular cross-team meetings — Create space where security and innovation teams can openly discuss challenges and priorities.\nEncourage role-swapping sessions — Let team members experience each other’s work for a day to build understanding and respect.\nCelebrate joint successes — Recognize wins that come from teamwork to strengthen trust and motivation.\nCreate shared goals — Align security and innovation objectives to ensure everyone’s working toward the same outcomes.\nPromote active listening — Encourage team members to truly hear and consider each other’s viewpoints before responding.\nEmbrace Continuous Transformation # Embracing continuous transformation means always being ready to learn, adapt, and improve your processes as new challenges and opportunities arise. Instead of treating security as a one-time checklist, teams make it an ongoing part of their journey, constantly updating how they protect and create. 
This mindset helps organizations stay flexible, respond quickly to change, and keep pushing forward without getting stuck.\nPractical Tips # Regularly review and update security practices — Make it a habit to revisit policies and tools to keep up with new threats and technologies.\nEncourage a learning culture — Support ongoing training and knowledge sharing so teams stay sharp and ready to adapt.\nUse feedback loops — Collect input from users, security teams, and innovators to identify areas for improvement quickly.\nPilot small changes often — Try out new ideas in controlled ways before rolling them out widely.\nStay open to new tools and methods — Be willing to experiment with emerging technologies that can boost both security and innovation.\nAddress Risk Management with Calculated Approaches # Risk is a natural part of trying new things, but managing it wisely means making smart choices — not avoiding risk altogether. A calculated approach to risk management helps teams understand which risks are worth taking and which need extra care. Instead of fearing every possible problem, teams focus on the most important risks and put simple safeguards in place. 
This way, innovation can move forward confidently, knowing that challenges are managed thoughtfully without slowing down progress.\nPractical Tips # Identify and prioritize risks — Focus on the biggest threats that could impact your project, rather than trying to cover everything at once.\nBalance risk and reward — Understand which risks are acceptable in pursuit of innovation and which need stronger controls.\nCreate simple risk assessments — Use easy-to-follow checklists or frameworks to evaluate potential issues quickly.\nPlan for setbacks — Have clear steps ready for how to respond if things don’t go as expected.\nInvolve different teams — Get input from security, product, and business experts to get a well-rounded view of risks.\nReview risks regularly — Make risk management an ongoing conversation, adjusting as projects evolve.\nSummary # Bridging the gap between security and innovation helps organizations move faster and stay competitive by treating security as a driver, not a barrier. Integrating security early in development fosters teamwork, speeds compliance, and reduces risks, enabling quicker adoption of new technologies without compromising safety.\nUsing automation, AI, and continuous risk management addresses skill gaps and emerging threats, accelerating innovation securely. A culture of collaboration between security, development, and business teams aligns goals around safe, rapid change, turning potential conflicts into growth and resilience.\nAbout the author # Eyal Estrin is a seasoned cloud and information security architect, AWS Community Builder, and author of Cloud Security Handbook and Security for Cloud Native Applications. 
With over 25 years of experience in the IT industry, he brings deep expertise to his work.\nConnect with Eyal on social media: https://linktr.ee/eyalestrin.\nThe opinions expressed here are his own and do not reflect those of his employer.\n","date":"11 August 2025","externalUrl":null,"permalink":"/posts/bridging-the-gap-between-security-and-innovation/","section":"Posts","summary":"","title":"Bridging the Gap Between Security and Innovation","type":"posts"},{"content":"","date":"11 August 2025","externalUrl":null,"permalink":"/categories/innovation/","section":"Categories","summary":"","title":"Innovation","type":"categories"},{"content":" The term MCP (Model Context Protocol) was first introduced by Anthropic in November 2024 as an open standard and open-source framework. MCP standardizes how AI systems like large language models integrate and share data with external tools and data sources.\nBelow is a common MCP flow:\nMCP offers easy integration for consuming data and taking actions; however, it was not built with security in mind.\nIn this blog post, I will share some of the most common security risks related to MCP and provide recommendations for mitigating some of them.\nCommon security risks using MCP # Below is a list of common security risks relating to the deployment and use of MCP servers:\nLack of default authentication: Many current MCP implementations lack built-in authentication, increasing exposure to unauthorized access.\nToken theft: MCP servers may store sensitive tokens (e.g., OAuth tokens) insecurely, risking exposure if the server is compromised.\nPrompt injection attacks: Attackers inject hidden or malicious instructions into tool descriptions or inputs that AI models might execute unintentionally.\nPrivilege escalation via AI agents: Attackers can manipulate AI agents to gain unauthorized access or perform unauthorized actions due to over-privileged permissions or weak authentication.\nCommand injection vulnerabilities: Poor input 
validation in MCP servers can allow remote command execution attacks, compromising systems.\nSupply chain attacks: Malicious MCP packages or dependencies can be introduced during build or distribution, allowing attackers to deliver harmful payloads or compromise systems without user knowledge.\nUntrusted MCP sources: Connecting to MCP servers or tools from unknown or unvetted sources may lead to data exfiltration, hidden malicious commands, or unauthorized access since MCP servers execute code and have access to sensitive data.\nLack of observability: Insufficient monitoring and logging of MCP interactions and tool usage obscures detection of malicious activities or anomalies, enabling attackers to act undetected within MCP workflows.\nNo approval workflows: Absence of human-in-the-loop or explicit approval mechanisms for MCP-executed actions allows AI agents to perform unauthorized or harmful operations without oversight or consent.\nRecommendations for securing MCP servers # Now that we have introduced the most common security risks related to MCP servers, let us deep dive into potential mitigation controls:\nIdentity and Access Management # Implementing robust authentication controls is critical for the security of the Model Context Protocol (MCP), which acts as a universal bridge for AI models to securely interact with external data, APIs, and services.\nUse OAuth 2.1 as a standard authentication mechanism to access MCP servers. AWS — Guidance for Deploying Model Context Protocol Servers on AWS\nAzure — Smart AI Integration with the Model Context Protocol (MCP)\nGCP — Using OAuth 2.0 to Access Google APIs\nFor MCP clients, request access tokens via OAuth 2.1 authorization code flow with PKCE. AWS — Using PKCE in authorization code grants\nAzure — Microsoft identity platform and OAuth 2.0 authorization code flow\nGCP — Authorization resources — best practices\nUse IAM roles to grant least privilege and temporary access to MCP servers. 
AWS — Security best practices in IAM\nAzure — Enhance security with the principle of least privilege\nGCP — Use IAM securely\nConfigure conditional access policies based on user risk profile, network, device, or application context (e.g., IP, geo-location, device compliance). AWS — Using attributes for access control\nAzure — Developer guide to Conditional Access authentication context\nGCP — Overview of IAM Conditions\nImplement MFA for any interactive login to MCP servers. AWS — Adding MFA to a user pool\nAzure — Secure user sign-in events with Microsoft Entra multifactor authentication\nGCP — Multi-factor authentication requirement for Google Cloud\nSecure credentials and token management # Secure secrets management is essential in the Model Context Protocol to safeguard sensitive credentials by avoiding hardcoding and using trusted storage, strict access controls, and frequent rotation.\nNever hardcode secrets (API keys, tokens, passwords) in source code or commit them to version control.\nSecurely store service account and API credentials using secret management systems.\nLimit secret access to only the required MCP components or services. Leverage role-based access control (RBAC) to restrict who/what can retrieve secrets. Use short-lived, scoped credentials where possible instead of long-lived static secrets.\nRegularly rotate static secrets and refresh tokens to minimize exposure duration.\nMask secrets in logs and avoid exposing them during debugging or error reporting.\nMonitor access to secrets using cloud provider audit logs and alerts. Detect unusual access patterns or potential leaks early for a timely response.\nSeparate secrets for development, staging, and production environments. 
Also, isolate secrets accessed by different MCP servers or services to limit risk and simplify management.\nAWS — AWS Secrets Manager best practices\nAzure — Best practices for secrets management in Key Vault\nGCP — Secret Manager best practices\nEncryption in Transit # Encrypting data in transit is essential for Model Context Protocol implementations to protect information from interception and tampering, ensuring secure communication channels between AI models, clients, and services.\nUse Transport Layer Security (TLS) to encrypt data in transit between MCP clients and servers. Use strong TLS versions (TLS 1.2 or 1.3) and disable outdated protocols.\nMCP API endpoints should be accessible only via HTTPS, ensuring that all HTTP traffic is automatically encrypted.\nEnsure clients validate server certificates rigorously, including checking certificate chains, expiration, and revocation status.\nFor stronger authentication and encryption during transport, consider mutual TLS where both client and server present certificates.\nAWS — TLS 1.2 to become the minimum TLS protocol level for all AWS API endpoints\nAzure — Recommendations for data encryption\nGCP — SSL policies for SSL and TLS protocols\nSecuring network access to MCP servers # Limiting access to the MCP server allows decreasing the attack surface (from both internal and external networks) and lowers the chance of unauthorized access.\nDeploy MCP servers with strict network access policies, ensuring only necessary ports are open. AWS — Control traffic to your AWS resources using security groups\nAzure — How network security groups filter network traffic\nGCP — VPC firewall rules\nAllow access only to trusted entities; avoid exposing MCP endpoints publicly unless necessary. AWS — Connect your VPC to services using AWS PrivateLink\nAzure — What is the Azure Private Link service?\nGCP — Overview of VPC Service Controls\nEmploy Web Application Firewalls (WAFs) to mitigate common web attacks. 
AWS — How to manage AI Bots with AWS WAF and enhance security\nAzure — Protect Azure OpenAI using Azure Web Application Firewall on Azure Front Door\nGCP — Integrating Cloud Armor with other Google products\nHarden Input Validation and Prevent Injection Attacks # Hardened input validation is essential in MCP security to ensure that all incoming data is rigorously checked and sanitized, preventing injection attacks that could compromise model integrity or trigger unauthorized behaviors.\nEnforce comprehensive schema validation with length, range, and type constraints; reject unknown or unexpected fields to prevent parameter pollution and injection.\nNormalize and escape inputs appropriately based on their usage context to mitigate injection vectors like command, code, or HTML injection.\nInspect and sanitize outputs to remove sensitive or potentially malicious content before returning data to clients or models. Use pattern matching and data loss prevention tools to prevent unintended data leakage.\nImplement strict allow-lists for inputs, outputs, and tool actions, denying all non-explicitly permitted operations to reduce attack surfaces.\nReferences:\nEnterprise-Grade Security for the Model Context Protocol (MCP): Frameworks and Mitigation Strategies\nAWS — Safeguard your generative AI workloads from prompt injections\nAzure — Prompt Shields\nGCP — Overview of prompting strategies\nSupply Chain / SBOM # Supply chain risks in MCP arise from the integration of unvetted or open-source MCP implementations, which can introduce malicious code or vulnerabilities that compromise the security and integrity of AI workflows and connected systems.\nOnly use MCP implementations and components from trusted, well-maintained sources to reduce risks of malicious code or vulnerabilities. 
AWS — Automated scan types in Amazon Inspector\nAzure — Vulnerability assessments for supported environments\nGCP — Artifact analysis and vulnerability scanning\nImplement artifact signing and integrity verification to ensure MCP binaries, containers, and dependencies are authentic and untampered. AWS — What is AWS Signer?\nAzure — What is Trusted Signing?\nGCP — Binary Authorization overview\nMaintain a detailed Software Bill of Materials (SBOM) to track all MCP-related components and dependencies, aiding in vulnerability management and compliance. AWS — Amazon Inspector SBOM Generator\nAzure — Microsoft open sources its software bill of materials (SBOM) generation tool\nGCP — Generate and store SBOMs\nRate Limit / DoS protection # Rate limiting and DoS protection are critical for MCP servers to prevent abuse by controlling the frequency of requests and mitigating potential denial-of-service attacks that could degrade service availability or exhaust system resources.\nUse intelligent throttling that adapts limits based on request context, user roles, and endpoint complexity to prevent abuse without overly restricting legitimate use. AWS — Throttle requests to your REST APIs for better throughput in API Gateway\nAzure — Advanced request throttling with Azure API Management\nGCP — Rate-limiting\nSet strict limits on request frequency for individual users or API keys, reducing the risk of resource exhaustion or abusive behaviors.\nContinuously audit request patterns, limit violations, and traffic anomalies for early detection and tuning.\nUse DDoS protection services to defend against volumetric attacks alongside rate limiting.\nOWASP — Denial of Service Cheat Sheet\nAWS — Applying rate limiting to requests in AWS WAF\nAzure — What is rate limiting for Azure Front Door?\nGCP — Rate limiting overview\nAnalyze usage and performance data periodically to fine-tune thresholds, avoiding false positives or overly restrictive policies. 
Enhancing Security and Oversight in MCP Operations # “Human-in-the-loop” is essential for MCP security because it introduces a mandatory human oversight step for sensitive or high-risk actions initiated by the AI, preventing unchecked or malicious behavior by requiring explicit user confirmation before executing critical operations.\nMandate human approval for actions with financial, security, or reputational impact before the MCP server executes them, preventing unauthorized or malicious commands from running automatically.\nProvide users with clear visibility into AI tool actions, such as showing active tool usage or pending approvals, enabling timely intervention if suspicious or unintended behaviors occur.\nAutomatically flag high-risk tool calls or data outputs (e.g., file writes, external communications, large sensitive data transfers) for human review as part of the workflow.\nEnsure that only authorized users can approve sensitive actions, leveraging fine-grained OAuth scopes and role-based access controls.\nMaintain detailed records of prompts, user decisions, and tool invocations to enable security audits, forensic investigations, and compliance reporting.\nEducate stakeholders on when and why human oversight is necessary in MCP workflows, reinforcing their role in preventing AI-driven security risks.\nAWS — Building Generative AI prompt chaining workflows with human in the loop\nAzure — Build AI Agents in Azure Logic Apps\nGCP — Create a human-in-the-loop workflow using callbacks\nEstablish Comprehensive Observability and Incident Response # Establishing comprehensive observability and incident response capabilities is crucial for MCP security, as it enables continuous monitoring, rapid detection, and effective remediation of suspicious activities and failures within complex AI-driven interactions.\nLog every MCP interaction, including who or what invoked a tool, the parameters used, and the resulting outputs, ensuring logs are tamper-proof and securely 
stored for auditability and forensic analysis. AWS — Generative AI observability\nAzure — Observability in generative AI\nGCP — Model monitoring metrics\nIntegrate MCP logs into centralized Security Information and Event Management (SIEM) systems to correlate MCP events with broader infrastructure telemetry for real-time detection of anomalies or suspicious patterns. AWS — Protecting AI workloads with GuardDuty\nAzure — Overview — AI threat protection\nGCP — Model Armor integration with Vertex AI\nSet up alerts for abnormal MCP behavior, such as unexpected tool usage, excessive frequency of calls, or privilege escalations, leveraging cloud-native monitoring tools to enable rapid incident detection and response.\nDefine clear procedures for MCP-related security events, including containment, root cause analysis, mitigation, and post-incident reviews, incorporating automated response where feasible to reduce mean time to recovery.\nSummary # In this blog post, I have reviewed common risks related to the use of MCP servers and provided recommendations for mitigating those risks, while using references from the hyper-scale cloud providers’ documentation.\nAs technology evolves, we should expect to see more threats, and we need to keep up with technology trends, go back to our deployments, and strengthen the implemented controls.\nAbout the author # Eyal Estrin is a cloud and information security architect, an AWS Community Builder, and the author of the books Cloud Security Handbook and Security for Cloud Native Applications, with more than 25 years in the IT industry.\nYou can connect with him on social media (https://linktr.ee/eyalestrin).\nOpinions are his own and not the views of his employer.\n","date":"5 August 2025","externalUrl":null,"permalink":"/posts/securing-mcp-servers/","section":"Posts","summary":"","title":"Securing MCP Servers","type":"posts"},{"content":" We have been hearing the term “vibe coding” since early 2025, and perhaps the earliest time it 
was mentioned was in a quote by Andrej Karpathy, one of the co-founders of OpenAI:\nSource: https://x.com/karpathy/status/1886192184808149383\nThe key characteristics of vibe coding are:\nDevelopers communicate their requirements to the AI in natural language, rather than writing code directly.\nThe AI handles the majority of code generation and modification, reducing manual intervention by the developer.\nDevelopers seldom review code differences or perform hands-on debugging; instead, errors are fed back to the AI for resolution.\nWhen issues arise, developers often paste error messages directly into the AI to prompt instant fixes or revisions.\nThe focus is on rapid prototyping and experimentation, favoring quick iterations over meticulous, production-level refinement.\nNot every use of AI code assistance qualifies as vibe coding. The focus is on creative momentum, rapid iteration, and minimal manual intervention in the code itself.\nIn contrast, traditional AI-assisted coding involves developers using AI features or tools — such as code suggestions, error detection, or automated completions — to support their workflow, but with the developer maintaining control.\nPopular tools for vibe coding:\nCursor\nGitHub Copilot\nClaude Code\nWindsurf\nKiro AI\nIt sounds as if the AI assistant does most of the hard work for the developers, but what about the security consequences?\nVibe coding — common security vulnerabilities # Below is a list of common (and probably not the only) security vulnerabilities when using Vibe coding:\nMissing or Weak Input Validation: AI-generated code often skips robust input checks, making applications prone to injection attacks (such as SQL injection).\nHardcoded Secrets and Credentials: LLMs frequently suggest or allow hardcoding of API keys, passwords, or cloud credentials directly in source code, which can result in secret leakage, especially if code is pushed to public repositories.\nInsecure Dependency Choices: AI can select outdated or 
insecure third-party libraries without security vetting, increasing exposure to known vulnerabilities.\nGeneric or Poor Error Handling: Code produced by Vibe Coding may expose sensitive details through error messages, aiding attackers in reconnaissance.\nImproper Authentication and Authorization: Generated code often misses strong auth checks, leading to risks such as unauthorized access or privilege escalation.\nPath Traversal and Insecure File Handling: Some code suggestions are susceptible to file handling issues, allowing attackers to access or manipulate unintended files.\nData Leakage via LLM Context: Vibe coding tools may inadvertently send proprietary or sensitive code/data snippets to cloud-based LLMs, risking privacy or regulatory non-compliance.\nRecommendations for mitigating security vulnerabilities when using Vibe coding # Authentication and Authorization # Robust authentication and authorization are essential to ensure that only verified users can access sensitive resources and operations, protecting your application from unauthorized access and privilege escalation.\nRecommendations for authentication and authorization # Implement Strong Authentication Mechanisms: Use secure authentication methods such as multi-factor authentication (MFA), OAuth2, or passwordless logins, and always securely store credentials (hashed and salted, never hardcoded in code or repositories). Examples of solutions for strong authentication: Amazon Cognito, Microsoft Entra ID, Google Identity Platform. Reference: OWASP Authentication Cheat Sheet.\nApply Role-Based Authorization and Least Privilege: Always check user roles before granting access to endpoints or resources and enforce the principle of least privilege so users and services can only access what they truly need. Examples of solutions: Amazon Verified Permissions, Microsoft Entra Role-based access control (RBAC), Open Policy Agent (OPA). 
Reference: OWASP Authorization Cheat Sheet.\nNever Hardcode Secrets or Credentials: Always use environment variables or managed secrets for storing sensitive tokens and credentials.\nAdopt Secure-by-Default Authentication Libraries: When using AI code generation, select trusted, well-maintained authentication/authorization libraries and frameworks, and prompt the AI to use them.\nAlways Review AI-Generated Auth Code: Carefully review and test all AI-generated authentication and authorization logic to ensure no bypass or privilege escalation vulnerabilities are introduced during rapid prototyping.\nPrompts for Secure Vibe Coding: When using AI assistants, be explicit in your prompts:\n“Generate an API endpoint that requires authentication using JWT and authorization based on user roles.”\n“Enforce that all sensitive API endpoints require the user to be authenticated and have admin privileges.”\nData Sanitization # When working with LLMs, it is crucial to implement both input validation (for prompts coming from clients) and output validation (for answers returned from the LLM itself).\nRecommendations for input validation # Never trust user input: Always assume input can be malicious — verify all data from forms, URLs, APIs, and external sources, even in AI-generated code.\nValidate and sanitize every input: Use strict validation for type, length, range, and format. Remove or escape dangerous characters to prevent injection attacks like SQL injection, cross-site scripting (XSS), and command injection.\nUse parameterized queries for databases: Always use parameters or prepared statements for DB interactions to block SQL injection. Avoid string interpolation and raw queries unless you control all inputs.\nValidate on the server side: Do not rely solely on client-side validation. 
Ensure all critical input validations are enforced server-side, as client checks are easily bypassed.\nRegular code review and testing: Always review generated validation code and test for edge cases. AI may miss complex or context-specific validation needs. Examples of solutions: Amazon Q Developer, GitHub Advanced Security for Azure DevOps, Snyk Code, Semgrep.\nRecommendations for output validation # Escaping Output Content: Always escape dynamic data before rendering it in HTML, XML, or other user-facing contexts to prevent Cross-Site Scripting (XSS) and related injection attacks.\nValidate Output Format: Ensure that generated outputs (e.g., JSON, XML, HTML) strictly conform to the expected structure and type. This prevents data corruption and reduces the risk of format-based vulnerabilities.\nEnforce Output Constraints: Limit output to allowed values, length, and type, especially when returning results from AI-generated functions or APIs. This helps prevent leaking sensitive data and reduces the scope for exploitation.\nSanitize Data Before Display: Before displaying or transmitting data generated from untrusted input, remove or encode any potentially dangerous content.\nImplement Content Security Policy (CSP): Where possible, establish CSP headers to mitigate the risk of client-side script injection via unsafe outputs.\nReview and Test Output Logic: Incorporate output validation as part of your verification protocol during code review. Test various edge cases and unexpected outputs to ensure accuracy and safety.\nDocument Expected Output: In your prompts to the AI, clearly define the required output schema and format. 
For example: “Ensure the API returns only sanitized, non-sensitive fields as JSON.” Explicitly documenting expectations guides both the AI and human reviewers.\nNever Trust AI-Generated Outputs by Default: Treat all AI-generated outputs as untrusted until they’ve been validated by established business logic and security checks.\nAdditional references:\nOWASP — Input Validation Cheat Sheet\nOWASP — LLM Prompt Injection Prevention Cheat Sheet\nSecrets Management # As with any generated code, it is crucial to implement secrets management, instead of hard-coding static credentials as part of code, configurations, Git repositories, etc.\nRecommendations for secrets management # Never hardcode secrets in code: AI-generated code may suggest putting API keys, database passwords, or other credentials directly into source files. This is a major security risk as such secrets can easily end up in public repositories or be leaked. Reference: OWASP Secrets Management Cheat Sheet.\nUse environment variables for sensitive information: Always reference secrets like API keys through environment variables, not literal values in code. This isolates secrets from codebases and keeps them out of version control.\nLeverage managed secrets storage: Use secure secret management services such as AWS Secrets Manager, Azure Key Vault, Google Secret Manager, or HashiCorp Vault. These services encrypt secrets and restrict access, reducing the risk of exposure.\nExclude secrets from version control: Add environment files (e.g., .env) to .gitignore and verify they are never committed to repositories.\nImplement automated secrets scanning: Enable pre-commit hooks and automated scanning in your CI/CD pipeline to detect and block hardcoded secrets before they reach production or are pushed to shared repos. 
Examples of solutions: Amazon CodeGuru Security, GitHub Advanced Security for Azure DevOps, GitLeaks, GitGuardian.\nEnable secret rotation: Regularly rotate API keys and credentials so that if a secret is exposed, its usefulness to attackers is limited.\nEducate and remind developers: Provide clear guidance and periodic training about secure coding practices and the dangers of hardcoding secrets, including the extra risks of vibe coding, where rapid prototyping often leads to shortcuts.\nAudit and review AI-generated code: Always review code produced by AI for accidental secret exposures or insecure credential handling. Run static analysis and secret scanning tools during code review.\nRespond immediately to leaks: If you suspect any secret has been exposed in code, treat it as compromised: revoke it, update dependencies, and rotate the secret without delay.\nHandling Third-Party Components # Re-use of third-party components (such as binaries and libraries) is a well-known practice in many development projects, and Vibe coding is no different. When using external components, we need to remember that such code may introduce vulnerabilities that we are not aware of.\nRecommendations for handling third-party components # Integrate SCA Early and Continuously: Integrate software composition analysis (SCA) into your CI/CD pipeline for automated scans on every pull request. This detects and blocks vulnerable dependencies before they reach production. Examples of solutions: Amazon Inspector, GitHub Advanced Security for Azure DevOps, Google Artifact Analysis, Snyk Open Source, Jit Software Composition Analysis (SCA).\nUse Software Bill of Materials (SBOMs): Generate SBOMs for clarity and compliance, especially for customer-facing or regulated applications. Examples of solutions: Amazon Inspector SBOM Export, Microsoft Defender for Cloud, Google Artifact Analysis, Syft, Snyk.\nApply updates and patches: Routinely upgrade third-party libraries. 
Monitor for newly published vulnerabilities and prioritize necessary patches.\nHuman and automated review: Always review AI-generated dependency choices and use security gates in CI/CD to block builds with critical issues.\nContinuous monitoring: Track production environments for vulnerable components or unpatched libraries.\nError Handling # Proper error handling is crucial because it ensures that software remains reliable, stable, and secure by gracefully managing unexpected issues, preventing crashes, protecting data, and providing helpful feedback to users and developers.\nRecommendations for error handling # Follow the Principle of Failing Securely (OWASP): Never reveal sensitive details (file paths, credentials, environment information) in error messages. Ensure error responses are generic for end users but detailed enough in logs for troubleshooting.\nLog Errors Explicitly and Securely: Log error details on the server side, including the relevant stack trace and request context, but never log sensitive data such as passwords or secret keys. Reference: OWASP Logging Cheat Sheet.\nUse Descriptive and Consistent Error Messages for Debugging: Make error messages clear and context-specific for maintainers — avoid ambiguous “something went wrong” responses — and follow structured error objects or codes.\nRevert Quickly if Needed: Use version control (e.g., Git) to manage code changes. If an AI-generated change causes new errors or instability, revert to a known good state promptly.\nDocument Common and AI-Introduced Errors: Maintain a file or documentation tracking frequent AI mistakes and their resolutions. This speeds up future debugging and helps avoid recurring pitfalls.\nAsk AI for Error Explanations and Plans: Before accepting an AI-generated fix, prompt the model to explain the error, its impact, and its planned remediation. 
This helps you understand root causes and builds trust in the solution.\nImplement Monitoring and Alerting: Integrate real-time monitoring and alerting (such as Amazon CloudWatch Alarms, Azure Monitor Alerts, Google Cloud Observability Alerts) to detect and immediately respond to runtime errors in production environments.\nHandling Data Leakage # Vibe coding increases the risk of data leakage, as AI-generated code may inadvertently expose sensitive information or secrets — such as API keys, credentials, or personal data — either through insecure patterns, improper handling, or by transmitting code context to external services without proper safeguards.\nRecommendations for handling data leakage # Implement strict access controls and secure authentication/authorization for all API endpoints to restrict exposure of sensitive data only to authorized users.\nValidate and sanitize all user inputs rigorously to prevent injection attacks and ensure sensitive information isn’t leaked through malicious input or error messages.\nUse HTTPS exclusively to encrypt all data in transit, preventing interception or eavesdropping.\nReview and test all AI-generated code for potential security flaws and data exposure issues before deploying to production, as AI models may generate insecure patterns or omit security controls.\nEducate developers about core security principles and the dangers of data leakage in AI-assisted workflows, including OWASP’s Data Protection and Secure Coding guidelines.\nReference: OWASP User Privacy Protection Cheat Sheet\nSummary # In this blog post, I examined the common security risks associated with vibe coding and shared key recommendations to help mitigate them. As technology continues to evolve, new threats are likely to emerge, and the list of best practices will grow accordingly. 
I encourage developers to deepen their understanding of vibe coding, avoid blindly trusting AI-generated code, and embed security measures throughout the development lifecycle.\nReferences:\nCloud Security Alliance — Secure Vibe Coding Guide\nOWASP Top 10 for Large Language Model Applications\nAWS Vibe Coding Tips and Tricks\nAbout the author # Eyal Estrin is a cloud and information security architect, an AWS Community Builder, and the author of the books Cloud Security Handbook and Security for Cloud Native Applications, with more than 25 years in the IT industry.\nYou can connect with him on social media (https://linktr.ee/eyalestrin).\nOpinions are his own and not the views of his employer.\n","date":"21 July 2025","externalUrl":null,"permalink":"/posts/common-security-pitfalls-using-vibe-coding/","section":"Posts","summary":"","title":"Common security pitfalls using Vibe coding","type":"posts"},{"content":"","date":"20 July 2025","externalUrl":null,"permalink":"/categories/cloud-adoption/","section":"Categories","summary":"","title":"Cloud-Adoption","type":"categories"},{"content":"\nThis post was originally published by the Cloud Security Alliance.\nWhy do organizations migrate to the public cloud? This blog post was written in 2025, and it may sound like a simple question, but let’s dive into it.\nHistorically: The Cost Factor # For many traditional organizations, it began with the debate of how to lower the cost of their IT budget.\nVariable purchase options for consuming services (from pay-as-you-go, saving plans, to Spot) and the ability to easily deploy an entire environment in a few clicks (or a few API calls) looked very appealing.\nIt was so appealing that many organizations (from small startups to large enterprises) forgot to embed cost as part of their design decisions, which ended up in large monthly bills. 
After migrating data and workloads to the public cloud, they are now debating cloud repatriation and going back to on-prem.\nRushing to the cloud without proper design and without looking at all aspects (from security, scalability, availability, and cost) ended up with failed projects.\nMature organizations with experienced teams (from developers, DevOps, architects, etc.) are able to design modern architectures based on a combination of managed services, APIs, and serverless services, which may be cost-efficient and able to save money on cloud services. However, for most organizations still taking their first steps in the cloud, or those that lack experienced teams, migrating to the cloud will very likely end up as a major disappointment when just looking at the cost factor.\nThe Factors That Matter in 2025 # The Agility Factor # Agility was a huge benefit from the early days of the public cloud — it allowed organizations to move fast and shorten the time to deliver new services or products to their customers.\nOrganizations of all sizes were able to test new services (or features), practice with new technologies (from the early days of serverless, till recent years with the latest improvements in GenAI services), deploy applications to test environments, and if the new development provided customer value, deploy at production scale.\nThe cloud allowed organizations to break free from the constraints of legacy data centers (with the long purchase cycles and the requirement to use the same hardware for several years), test new capabilities, quickly recover from failures, and try again until they get fully functional production services that satisfy their customers.\nThe Scalability Factor # One of the biggest advantages of the hyper-scale cloud providers over most organizations’ data centers is size. 
At the end of the day, a data center has physical size limitations (such as the maximum racks you can put inside, or the maximum power you can use to run physical infrastructure and cool an entire data center).\nFor organizations with stable workloads, and with minimal peak in traffic or customer demand, the traditional data center may be sufficient. However, for organizations with a global presence, serving customers all around the world with variable traffic patterns (such as Black Friday or Cyber Monday events), scale is an important factor.\nPerhaps you have an e-commerce site that needs to scale up or down to meet customer demand according to different times of the year. Perhaps you have a workload performing an end-of-the-month calculation. Perhaps you are training a large language model based on a large amount of customers’ data. For all those cases, the ability to have an (almost) infinite scale is critical, and the public cloud is the best place for this (when you’re running on top of one of the hyper-scale cloud providers).\nThe Elasticity Factor # The ability to add or remove resources on demand is an important factor when designing applications.\nThe combination of (almost) infinite resources (such as compute and storage), microservices architecture (with the ability to scale up or down specific components according to load), and the ability to consume serverless services (such as FaaS, storage, database, etc.) 
that automatically respond to load and elastically manage the amount of required resources (lower the burden of human maintenance), made elasticity so important and a huge benefit compared to the traditional data center.\nEven the ability to switch hardware (with minor or zero downtime) or use the latest GPUs for a new GenAI application (or an extremely fast storage service for a huge HPC cluster), and when done shut it down and save cost, made elasticity a huge driver for using the public cloud.\nThe Efficiency Factor # Perhaps efficiency was previously not prioritized, with the constraints of physical hardware. However, in the past decade, efficiency became something more and more organizations chose to embed as part of their design decisions.\nThe cloud allowed us to achieve almost the same goals using many different patterns — containers, function as a service, APIs, event-driven architectures, and more.\nAt any point in time, we can stop and question past decisions we took. Is our current workload running at the most efficient architecture, or can we make some adjustments to make it more cost-efficient, resilient, and respond quickly to customers’ requests?\nSometimes switching to modern hardware, between different storage services (or even storage service tiers), between different database types (such as relational vs. 
NoSQL, from graph to time-series, etc.), or even from tightly-coupled to loosely-coupled architectures, may result in a more efficient workload.\nThe Automation Factor # Although mature organizations with a large number of servers and applications have been using automation scripts for many years to achieve fast and reproducible outcomes, the cloud took it to a whole new place where (almost) everything is exposed using APIs.\nInfrastructure as Code allowed organizations to automate things from building entire environments across multiple SDLC stages (such as Dev, Test, and Prod), to multiple availability zones and even multiple regions (when a global footprint is required).\nIaC languages such as Terraform (or OpenTofu) and Pulumi, or more vendor-opinionated native alternatives (such as CloudFormation or ARM templates), allowed organizations (after learning how to write IaC) to be proficient in workload deployments in a standard and automated way.\nThe addition of Policy as Code (from HashiCorp Sentinel, AWS SCP, Azure Policy, or Google Organization Policies, till Open Policy Agent) allowed organizations to add a layer of guardrails (which resources are allowed to be consumed, and what are their limitations such as region or specific instance types), making security and configuration a standard across the organization.\nThe Security Factor # When organizations’ and customers’ data is spread across multiple places (from the on-prem data centers to SaaS applications and even partners’ data centers), we can no longer look at the physical location as a security boundary.\nIn many cases (but unfortunately, not all cases), services deployed on IaaS or PaaS are configured as secure by default. 
Although deploying compute resources with a public IP still happens, today it is much rarer to deploy a publicly exposed object storage service (without specifically configuring it as a public resource).\nEncryption, both in transit and at rest, comes enabled by default in most cloud services. To get higher assurance of who has access to private data, most hyper-scale cloud providers allow customers to configure customer-managed encryption keys. This ensures that organizations don’t just control the encryption keys, but also the key generation process.\nAuditing of admin activity is enabled by default (for user data access, we still need to consider if we want to manually enable it due to its extra cost) and logs can be stored for an infinite amount of time (for as long as organizations need them for incident response processes or to satisfy regulatory requirements).\nNetwork access in the cloud is still a pain for many organizations. The larger your cloud environment is (not to mention spread across regions and even multiple cloud providers), the more visibility you are required to have (sometimes using built-in services or open-source tools, and sometimes using third-party commercial solutions). 
Be alert when changes happen because, as in real life, if you keep the door open, someone eventually will come inside.\nSummary # In this blog post, I’ve tried to answer the question of why organizations are migrating to the public cloud.\nThere are many cases where organizations will choose to keep some of their workloads on-prem (or in co-location or hosting facilities) due to high service costs (from real-time storage to expensive hardware such as GPUs), requirements for low network latency (such as connectivity to stock exchange), or data sovereignty requirements.\nWe will probably still see hybrid architectures for many years, but there is no doubt that the public cloud takes more and more importance in the design and architecture decisions of organizations of all sizes.\nIf we stop looking at the public cloud as a place to lower our costs (it is possible, but not for all use cases) and if we start looking at agility, scalability, elasticity, efficiency, automation, and built-in security (enabled by default) as important factors, we see the answer to the question of why organizations are migrating to the public cloud.\nAbout the author # Eyal Estrin is a cloud and information security architect, an AWS Community Builder, and the author of the books Cloud Security Handbook and Security for Cloud Native Applications, with more than 25 years in the IT industry.\nYou can connect with him on social media (https://linktr.ee/eyalestrin).\nOpinions are his own and not the views of his employer.\n","date":"20 July 2025","externalUrl":null,"permalink":"/posts/why-do-organizations-migrate-to-the-public-cloud-hint-it-isnt-about-cost-anymore/","section":"Posts","summary":"","title":"Why Do Organizations Migrate to the Public Cloud? 
Hint: It Isn’t About Cost Anymore","type":"posts"},{"content":" In part 1 of this series, I introduced some of the most common Day 2 serverless operations, focusing on Function as a Service.\nIn this part, I will focus on serverless application integration services commonly used in event-driven architectures.\nFor this post, I will look into message queue services, event routing services, and workflow orchestration services for building event-driven architectures.\nMessage queue services # Message queues enable asynchronous communication between different components in an event-driven architecture (EDA). This means that producers (systems or services generating events) can send messages to the queue and continue their operations without waiting for consumers (systems or services processing events) to respond or be available.\nSecurity and Access Control # Security should always be the priority, as it protects your data, controls access, and ensures compliance from the outset. This includes data protection, limiting permissions, and enforcing least privilege policies.\nWhen using Amazon SQS, manage permissions using AWS IAM policies to restrict access to queues and follow the principle of least privilege, as explained here: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-basic-examples-of-iam-policies.html#security_iam_id-based-policy-examples\nWhen using Amazon SQS, enable server-side encryption (SSE) for sensitive data at rest, as explained here: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-server-side-encryption.html\nWhen using Amazon SNS, manage topic policies and IAM roles to control who can publish or subscribe, as explained here: https://docs.aws.amazon.com/sns/latest/dg/security_iam_id-based-policy-examples.html\nWhen using Amazon SNS, enable server-side encryption (SSE) for sensitive data at rest, as explained here: 
https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html\nWhen using Azure Service Bus, use managed identities and configure roles, following the principle of least privilege, as explained here: https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-managed-service-identity\nWhen using Azure Service Bus, enable encryption at rest using customer-managed keys, as explained here: https://learn.microsoft.com/en-us/azure/service-bus-messaging/configure-customer-managed-key\nWhen using Google Cloud Pub/Sub, tighten and review IAM policies to ensure only authorized users and services can publish or subscribe to topics, as explained here: https://cloud.google.com/pubsub/docs/access-control\nWhen using Google Cloud Pub/Sub, configure encryption at rest using customer-managed encryption keys, as explained here: https://cloud.google.com/pubsub/docs/encryption\nMonitoring and Observability # Once security is in place, implement comprehensive monitoring and observability to gain visibility into system health, performance, and failures. 
This enables proactive detection and response to issues.\nWhen using Amazon SQS, monitor queue metrics such as message count, age of oldest message, and queue length using Amazon CloudWatch, as explained here: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/monitoring-using-cloudwatch.html\nhttps://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-available-cloudwatch-metrics.html\nWhen using Amazon SQS, set up CloudWatch alarms for thresholds (e.g., high message backlog or processing latency), as explained here: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/set-cloudwatch-alarms-for-metrics.html\nWhen using Amazon SNS, use CloudWatch to track message delivery status, failure rates, and subscription metrics, as explained here: https://docs.aws.amazon.com/sns/latest/dg/sns-monitoring-using-cloudwatch.html\nWhen using Azure Service Bus, use Azure Monitor to track metrics such as queue length, message count, dead-letter messages, and throughput. 
Set up alerts for abnormal conditions (e.g., message backlog, high latency), as explained here: https://learn.microsoft.com/en-us/azure/service-bus-messaging/monitor-service-bus\nWhen using Azure Service Bus, monitor and manage message sessions for ordered processing when required, as explained here: https://learn.microsoft.com/en-us/azure/service-bus-messaging/message-sequencing\nWhen using Google Cloud Pub/Sub, monitor message throughput, error rates, and latency, and set up alerts for operational anomalies, as explained here: https://cloud.google.com/pubsub/docs/monitoring\nError Handling # With monitoring established, set up robust error handling mechanisms, including alerts, retries, and dead-letter queues, to ensure reliability and rapid remediation of failures.\nWhen using Amazon SQS, configure Dead Letter Queues (DLQs) to capture messages that fail processing repeatedly for later analysis and remediation, as explained here: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-dead-letter-queues.html\nWhen using Amazon SNS, integrate with DLQs (using SQS as a DLQ) for messages that cannot be delivered to endpoints, as explained here: https://docs.aws.amazon.com/sns/latest/dg/sns-dead-letter-queues.html\nWhen using Azure Service Bus, regularly review and process messages in dead-letter queues to ensure failed messages are not ignored, as explained here: https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-dead-letter-queues\nhttps://learn.microsoft.com/en-us/azure/service-bus-messaging/enable-dead-letter\nWhen using Google Cloud Pub/Sub, monitor for undelivered or unacknowledged messages and set up dead-letter topics if needed, as explained here: https://cloud.google.com/pubsub/docs/handling-failures\nScaling and Performance # After ensuring security, visibility, and error resilience, focus on scaling and performance. 
Monitor throughput, latency, and resource utilization, and configure auto-scaling to match demand efficiently.\nWhen using Amazon SQS, adjust queue settings or consumer concurrency as traffic patterns change, as explained here: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/best-practices-message-processing.html\nWhen using Amazon SQS, monitor usage for unexpected spikes, as explained here: https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Best_Practice_Recommended_Alarms_AWS_Services.html#SNS\nWhen using Azure Service Bus, adjust throughput units, use partitioned queues/topics, and implement batching or parallel processing to handle varying loads, as explained here: https://learn.microsoft.com/en-us/azure/service-bus-messaging/service-bus-performance-improvements\nWhen using Google Cloud Pub/Sub, adjust quotas and scaling policies as message volumes change to avoid service interruptions, as explained here: https://cloud.google.com/pubsub/quotas\nMaintenance # Finally, establish ongoing maintenance routines such as regular reviews, updates, cost optimization, and compliance audits to sustain operational excellence and adapt to evolving needs.\nWhen using Amazon SQS, purge queues as needed and archive messages if required for compliance, as explained here: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-using-purge-queue.html\nWhen using Amazon SNS, review and clean up unused topics and subscriptions, as explained here: https://docs.aws.amazon.com/sns/latest/dg/sns-delete-subscription-topic.html\nWhen using Azure Service Bus, delete unused messages, as explained here: https://learn.microsoft.com/en-us/azure/service-bus-messaging/batch-delete\nWhen using Google Cloud Pub/Sub, delete unused messages, as explained here: https://cloud.google.com/pubsub/docs/replay-overview\nEvent routing services # Event routing services act as the central hub in event-driven architectures, receiving events from 
producers and distributing them to the appropriate consumers. This decouples producers from consumers, allowing each to operate, scale, and fail independently without direct awareness of each other.\nMonitoring and Observability # Serverless event routing services require robust monitoring and observability to track event flows, detect anomalies, and ensure system health; this is typically achieved through metrics, logs, and dashboards that provide real-time visibility into event processing and failures.\nWhen using Amazon EventBridge, set up CloudWatch metrics and logs to monitor event throughput, failures, latency, and rule matches. Use CloudWatch Alarms to alert on anomalies or failures in event delivery, as explained here: https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-monitoring.html\nWhen using Azure Event Grid, use Azure Monitor and Event Grid metrics to track event delivery, failures, and latency, as explained here: https://learn.microsoft.com/en-us/azure/event-grid/monitor-namespaces\nWhen using Azure Event Grid, set up alerts for undelivered events or high failure rates, as explained here: https://learn.microsoft.com/en-us/azure/event-grid/set-alerts\nWhen using Google Eventarc, monitor for event delivery status, trigger activity, and errors, as explained here: https://cloud.google.com/eventarc/standard/docs/monitor\nError Handling and Dead-Letter Management # Effective error handling uses mechanisms like retries and circuit breakers to manage transient failures, while dead-letter queues (DLQs) capture undelivered or failed events for later analysis and remediation, preventing data loss and supporting troubleshooting.\nWhen using Amazon EventBridge, configure dead-letter queues (DLQ) for failed event deliveries. 
Set retry policies and monitor the DLQ for undelivered events to ensure no data loss, as explained here: https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-rule-dlq.html\nWhen using Azure Event Grid, configure retry policies and use dead-lettering for events that cannot be delivered after multiple attempts, as explained here: https://learn.microsoft.com/en-us/azure/event-grid/manage-event-delivery\nWhen using Google Eventarc, use Pub/Sub dead letter topics for failed event deliveries, as explained here: https://cloud.google.com/eventarc/docs/retry-events\nSecurity and Access Management # Security and access management involve configuring fine-grained permissions to control which users and services can publish, consume, or manage events, ensuring that only authorized entities interact with event routing resources and that sensitive data remains protected.\nWhen using Amazon EventBridge, review and update IAM policies for event buses, rules, and targets. Use resource-based policies to restrict who can publish or subscribe to events, as explained here: https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-manage-iam-access.html\nhttps://docs.aws.amazon.com/eventbridge/latest/userguide/eb-use-resource-based.html\nWhen using Azure Event Grid, assign a managed identity to an Event Grid topic and configure a role, following the principle of least privilege, as explained here: https://learn.microsoft.com/en-us/azure/event-grid/enable-identity-custom-topics-domains\nhttps://learn.microsoft.com/en-us/azure/event-grid/add-identity-roles\nWhen using Google Eventarc, manage IAM permissions for triggers, event sources, and destinations, following the principle of least privilege, as explained here: https://cloud.google.com/eventarc/standard/docs/access-control\nWhen using Google Eventarc, encrypt sensitive data at rest using customer-managed encryption keys, as explained here: https://cloud.google.com/eventarc/docs/use-cmek\nScaling and Performance # Serverless platforms 
automatically scale event routing services in response to workload changes, spinning up additional resources during spikes and scaling down during lulls, while performance optimization involves tuning event patterns, batching, and concurrency settings to minimize latency and maximize throughput.\nWhen using Amazon EventBridge, monitor event throughput and adjust quotas or request service limit increases as needed. Optimize event patterns and rules for efficiency, as explained here: https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-quota.html\nWhen using Azure Event Grid, monitor for throttling or delivery issues, as explained here: https://learn.microsoft.com/en-us/azure/event-grid/monitor-push-reference\nWhen using Google Eventarc, monitor quotas and usage (e.g., triggers per location), as explained here: https://cloud.google.com/eventarc/docs/quotas\nWorkflow orchestration services # Workflow services are designed to coordinate and manage complex sequences of tasks or business processes that involve multiple steps and services. 
They act as orchestrators, ensuring each step in a process is executed in the correct order, handling transitions, and managing dependencies between steps.\nMonitoring and Observability # Set up and review monitoring dashboards, logs, and alerts to ensure workflows are running correctly and to quickly detect anomalies or failures.\nWhen using AWS Step Functions, monitor executions, check logs, and set up CloudWatch metrics and alarms to ensure workflows run as expected, as explained here: https://docs.aws.amazon.com/step-functions/latest/dg/monitoring-logging.html\nWhen using Azure Logic Apps, use Azure Monitor and built-in diagnostics to track workflow runs and troubleshoot failures, as explained here: https://learn.microsoft.com/en-us/azure/logic-apps/monitor-logic-apps-overview\nWhen using Google Workflows, use Cloud Logging and Monitoring to observe workflow executions and set up alerts for failures or anomalies, as explained here: https://cloud.google.com/workflows/docs/monitor\nError Handling and Retry # Investigate failed workflow executions, enhance error handling logic (such as retries and catch blocks), and resubmit failed runs where appropriate. 
This is crucial for maintaining workflow reliability and minimizing manual intervention.\nWhen using AWS Step Functions, review failed executions, configure retry/catch logic, and update workflows to handle errors gracefully, as explained here: https://docs.aws.amazon.com/step-functions/latest/dg/concepts-error-handling.html\nWhen using Azure Logic Apps, handle failed runs, configure error actions, and resubmit failed instances as needed, as explained here: https://learn.microsoft.com/en-us/azure/logic-apps/error-exception-handling\nWhen using Google Workflows, inspect failed executions, define retry policies, and update error handling logic in workflow definitions, as explained here: https://cloud.google.com/workflows/docs/reference/syntax/catching-errors\nSecurity and Access Management # Workflow orchestration services require continuous enforcement of granular access controls and the principle of least privilege, ensuring that each function and workflow has only the permissions necessary for its specific tasks.\nWhen using AWS Step Functions, use AWS Identity and Access Management (IAM) for fine-grained control over who can access and manage workflows, as explained here: https://docs.aws.amazon.com/step-functions/latest/dg/auth-and-access-control-sfn.html\nWhen using Azure Logic Apps, use Azure Role-Based Access Control (RBAC) and managed identities for secure access to resources and connectors, as explained here: https://learn.microsoft.com/en-us/azure/logic-apps/authenticate-with-managed-identity\nWhen using Google Workflows, use Google Cloud IAM for permissions and access management, which allows you to define who can execute, view, or manage workflows, as explained here: https://cloud.google.com/workflows/docs/use-iam-for-access\nVersioning and Updates # Workflow orchestration services use versioning to track and manage different iterations of workflows or services, allowing multiple versions to coexist and enabling users to select, test, or revert to 
specific versions as needed.\nWhen using AWS Step Functions, update state machines, manage versions, and test changes before deploying to production, as explained here: https://docs.aws.amazon.com/step-functions/latest/dg/concepts-state-machine-version.html\nWhen using Azure Logic Apps, manage deployment slots, and use versioning for rollback if needed, as explained here: https://learn.microsoft.com/en-us/azure/logic-apps/manage-logic-apps-with-azure-portal\nWhen using Google Workflows, update workflows, test changes in staging, and deploy updates with minimal disruption, as explained here: https://cloud.google.com/workflows/docs/best-practice\nCost Optimization # Regularly review usage and billing data, optimize workflow design (e.g., reduce unnecessary steps or external calls), and adjust resource allocation to control operational costs.\nWhen using AWS Step Functions, analyze usage and optimize workflow design to reduce execution and resource costs, as explained here: https://docs.aws.amazon.com/step-functions/latest/dg/sfn-best-practices.html#cost-opt-exp-workflows\nWhen using Azure Logic Apps, monitor consumption, review billing, and optimize triggers/actions to control costs, as explained here: https://learn.microsoft.com/en-us/azure/logic-apps/plan-manage-costs\nWhen using Google Workflows, analyze workflow usage, optimize steps, and monitor billing to reduce costs, as explained here: https://cloud.google.com/workflows/docs/best-practice#optimize-usage\nSummary # In this blog post, I presented the most common Day 2 serverless operations when using application integration services (message queues, event routing services, and workflow orchestrations) to build modern applications.\nI looked at aspects such as observability, error handling, security, performance, etc.\nBuilding event-driven architectures requires time to grasp which services best support this approach. 
However, gaining a foundational understanding of key areas is essential for effective day 2 serverless operations.\nAbout the author # Eyal Estrin is a cloud and information security architect, an AWS Community Builder, and the author of the books Cloud Security Handbook and Security for Cloud Native Applications, with more than 25 years in the IT industry.\nYou can connect with him on social media (https://linktr.ee/eyalestrin).\nOpinions are his own and not the views of his employer.\n","date":"10 June 2025","externalUrl":null,"permalink":"/posts/introduction-to-day-2-serverless-operations-part-2/","section":"Posts","summary":"","title":"Introduction to Day 2 Serverless Operations – Part 2","type":"posts"},{"content":" In April 2023, I published a blog post called “Introduction to Day 2 Kubernetes”, discussing the challenges of managing Kubernetes workloads in mature environments, once applications were already running in production.\nIn the software lifecycle there are usually three distinct stages:\nDay 0 — Planning and design\nDay 1 — Configuration and deployment\nDay 2 — Operations\nServerless services are a cloud-native application development and delivery model where developers can build and run code without having to provision, configure, or manage server infrastructure themselves. 
Many cloud-native services are considered serverless — from compute (such as Function as a Service) to storage (such as object storage), databases, etc.\nIn this series of blog posts, I will review common day 2 serverless operations.\nPart 1 will focus on common operations for Function as a Service (FaaS), and part 2 will focus on application integration services.\nConfiguration and Revision Management # At this stage, you set the function's runtime version to be deployed, so you will be able to revert to a previous version in case of problems with the deployment or with your application.\nWhen using AWS Lambda, use versions to manage the deployment of your Lambda functions, and use aliases as a pointer to the version you would like to deploy, as explained here: https://docs.aws.amazon.com/lambda/latest/dg/configuration-versions.html\nWhen using Azure Functions, you can manage various aspects of the function's configuration such as hosting plan types, memory quota, scale, environment variables, network settings, etc., as explained here: https://learn.microsoft.com/en-us/azure/azure-functions/functions-how-to-use-azure-function-app-settings\nWhen using Google Cloud Run Functions, you can configure settings such as memory, concurrency, environment variables, network settings, etc., as explained here: https://cloud.google.com/run/docs/deploy-functions\nRuntime engine updates # The base assumption at this stage is that the function was already configured and had its initial deployment, but as time goes by, newer versions of the function runtime engine will become available.\nAlthough the recommendation is to use the latest stable version of the runtime engine, changing between major versions may require code adjustments and rigorous testing.\nWhen using AWS Lambda, the default setting is “Auto”, which means AWS will make sure customers are using the latest runtime version whenever customers create or update a function, and later on automatically update all existing 
functions that haven’t been updated to the latest runtime version. For container-based Lambda functions, customers need to manually rebuild the base container, using the latest runtime version, and redeploy the Lambda function, as explained here: https://docs.aws.amazon.com/lambda/latest/dg/runtimes-update.html\nWhen using Azure Functions with the FUNCTIONS_EXTENSION_VERSION setting to select a major version, the function will automatically update the runtime minor version when minor updates are available. Upgrading between major runtime versions of Azure Functions will require manual work, including testing before deploying, as explained here:\nhttps://learn.microsoft.com/en-us/azure/azure-functions/set-runtime-version\nhttps://learn.microsoft.com/en-us/troubleshoot/azure/azure-functions/config-mgmt/functions-configuring-updateversion\nWhen using Google Cloud Run Functions, minor updates are done automatically; however, upgrading to a new major version of the runtime engine will require redeploying the functions, as explained here: https://cloud.google.com/functions/docs/runtime-support\nSecurity, Networking, and Access Control # At this stage, you configure network and security settings to protect your functions, before exposing them to clients.\nThis includes reviewing network access control lists, deployment location (inside or outside your cloud virtual network, according to resources the function needs access to), and identity and access management (according to resources in the cloud environment that the function needs access to, such as storage, database, etc.).\nWhen using AWS Lambda, in case the function needs access to private AWS resources, deploy the function inside your VPC, as explained here: https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html\nTo grant a Lambda function access to other AWS resources, configure the Lambda function with an IAM role as its execution role, following the principle of least privilege, as explained here: 
https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html\nIn case the Lambda function needs access to resources using static credentials (such as API keys), configure the Lambda function to pull the secrets from AWS Secrets Manager, as explained here: https://docs.aws.amazon.com/lambda/latest/dg/with-secrets-manager.html\nWhen using Azure Functions, in case the function needs access to private Azure resources, use virtual network integration, and enforce access to the function using Network Security Groups, as explained here: https://learn.microsoft.com/en-us/azure/azure-functions/functions-networking-options\nTo grant an Azure Function access to other Azure resources, configure a managed identity, following the principle of least privilege, as explained here: https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity\nIn case the Azure Function needs access to resources using static credentials (such as secrets), use Azure Key Vault references, as explained here: https://learn.microsoft.com/en-us/azure/app-service/app-service-key-vault-references\nWhen using Google Cloud Run Functions, in case the function needs access to private GCP resources, use Serverless VPC Access, as explained here: https://cloud.google.com/functions/1stgendocs/networking/connecting-vpc\nTo grant a Cloud Run Function access to other GCP resources, configure a function identity, and grant the identity minimal permissions, following the principle of least privilege, as explained here: https://cloud.google.com/functions/docs/securing/function-identity\nAudit and Compliance # At this stage, you need to make sure your functions automatically send their audit logs to a central system. Combined with threat intelligence services that regularly review the audit logs, this lets you get alerted on security-related topics (such as anomalous behavior).\nWhen using AWS Lambda, configure a trail to send CloudTrail events to a central S3 bucket (in a central AWS account), as 
explained here: https://docs.aws.amazon.com/lambda/latest/dg/logging-using-cloudtrail.html\nTo detect security threats in Lambda functions, configure Lambda function protection in Amazon GuardDuty, as explained here: https://docs.aws.amazon.com/guardduty/latest/ug/lambda-protection.html\nWhen using Azure Functions, to be able to collect audit logs into Azure Monitor, configure diagnostic settings (in a central Azure subscription), and select “Audit” and “AuditEvent”, as explained here: https://learn.microsoft.com/en-us/azure/azure-monitor/platform/create-diagnostic-settings\nIn case the Azure Function is deployed inside an App Service plan, use Defender for App Service (part of Microsoft Defender for Cloud) to identify security threats, as explained here: https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-app-service-introduction\nWhen using Google Cloud Run Functions, configure a log bucket and send all function audit logs to a central Google Cloud Storage (in a central GCP project), as explained here: https://cloud.google.com/logging/docs/audit\nTo detect security threats in Google Cloud Run Functions, use Google SecOps, as explained here: https://cloud.google.com/chronicle/docs/ingestion/default-parsers/collect-audit-logs\nMonitoring, Logging, Observability and Alerting # Continuously track application health, performance, and security events using tools for real-time insights. 
This includes setting up dashboards and alerts to detect anomalies and issues before they impact users.\nWhen using AWS Lambda, send all function logs to CloudWatch logs, as explained here: https://docs.aws.amazon.com/lambda/latest/dg/monitoring-cloudwatchlogs.html\nTo gain visibility into Lambda performance, use CloudWatch Lambda Insights, as explained here: https://docs.aws.amazon.com/lambda/latest/dg/monitoring-insights.html\nWhen using Azure Functions, to be able to collect all logs and metrics into Azure Monitor, configure diagnostic settings (in a central Azure subscription), as explained here:\nhttps://learn.microsoft.com/en-us/azure/azure-monitor/platform/create-diagnostic-settings\nhttps://learn.microsoft.com/en-us/azure/azure-functions/functions-monitoring\nTo gain visibility into Azure Functions, use Application Insights (part of Azure Monitor), as explained here: https://learn.microsoft.com/en-us/azure/azure-functions/configure-monitoring\nWhen using Google Cloud Run Functions, configure a log bucket and send all functions logs through Google Cloud Logging to a central Google Cloud Storage (in a central GCP project), as explained here: https://cloud.google.com/logging/docs/central-log-storage\nTo gain insights into Google Cloud Run Functions, use Google Cloud Observability, as explained here: https://cloud.google.com/monitoring/docs/monitoring-overview\nError Reporting, Troubleshooting, Diagnostics and Debugging # Any running function will generate errors at some point, or you might need to troubleshoot or debug issues with running (or failed) functions. 
For this purpose, you need to collect errors and diagnostic logs from your functions and store them in a central service.\nImplement error-handling strategies within your code (e.g., retries with exponential backoff) to minimize user impact during failures.\nWhen using AWS Lambda, use CloudWatch metrics to build graphs and dashboards, and to send alerts in response to changes in Lambda function activities (such as performance, error rates, etc.), as explained here: https://docs.aws.amazon.com/lambda/latest/dg/monitoring-metrics.html\nTo troubleshoot issues with Lambda functions, refer to the documentation here: https://docs.aws.amazon.com/lambda/latest/dg/lambda-troubleshooting.html\nTo display errors related to Azure Functions, refer to the documentation here: https://learn.microsoft.com/en-us/azure/azure-functions/functions-bindings-error-pages\nTo troubleshoot issues with Azure Functions, refer to the documentation here:\nhttps://learn.microsoft.com/en-us/azure/azure-functions/functions-diagnostics\nhttps://learn.microsoft.com/en-us/troubleshoot/azure/azure-functions/deployment/functions-deploying-runtime-issues-post-deployment\nTo display errors related to Google Cloud Run Functions, use Error Reporting, as explained here: https://cloud.google.com/run/docs/error-reporting\nTo troubleshoot issues with Google Cloud Run Functions, refer to the documentation here: https://cloud.google.com/run/docs/troubleshooting\nScaling, Resource Management, Performance Tuning and Optimization # Analyze function performance metrics (duration/memory usage) to identify bottlenecks and adjust concurrency settings or provisioned capacity as needed for optimal resource utilization.\nWhen using AWS Lambda, use AWS Lambda Power Tuning to get the optimal Lambda size to suit your workload, as explained here: https://github.com/alexcasalboni/aws-lambda-power-tuning\nBe aware of Lambda quotas — runtime resource limits are often affected by factors like payload size, file descriptors, and 
/tmp storage space, which are frequently overlooked. For more information see: https://docs.aws.amazon.com/lambda/latest/dg/gettingstarted-limits.html\nIn case you need to maintain consistent performance for a Lambda function, consider configuring reserved concurrency, as explained here: https://docs.aws.amazon.com/lambda/latest/dg/configuration-concurrency.html\nTo reduce cold starts of Lambda functions, consider configuring provisioned concurrency, as explained here: https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtime-environment.html#cold-starts-pc\nWhen using Azure Functions, consider changing the hosting plan to gain better performance or isolation, as explained here: https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale\nTo improve your Azure Functions performance, follow the guide below: https://learn.microsoft.com/en-us/azure/azure-functions/performance-reliability\nTo reduce cold starts of Azure Functions, consider using the Premium plan, as explained here: https://learn.microsoft.com/en-us/azure/azure-functions/functions-premium-plan#eliminate-cold-starts\nWhen using Google Cloud Run Functions, use Recommender to gain recommendations for configuring Google Cloud Run Functions, as explained here: https://cloud.google.com/run/docs/recommender\nTo reduce cold starts of Google Cloud Run Functions, consider setting a minimum number of instances, as explained here: https://cloud.google.com/run/docs/configuring/min-instances\nBe aware of Google Cloud Run Functions limits — runtime resource limits are often affected by factors like maximum deployment size, memory size, number of running functions, etc. 
For more information see: https://cloud.google.com/functions/quotas\nSummary # In this blog post, I presented the most common Day 2 serverless operations when using Functions as a Service to build modern applications.\nTransitioning from traditional to serverless development can be challenging, but I encourage readers to keep practicing and gaining hands-on experience. Moving beyond the initial deployment to focus on ongoing operations and maintenance is crucial, and I hope the topics covered here will prove valuable for managing serverless environments in daily work.\nIn the second part of this series, we will deep dive into serverless application integration services, so stay tuned.\nAdditional reference materials # Kubernetes Vs. Serverless: Day 2 Operations\nWhat Does Day 2 Serverless Experience Look Like?\nAbout the author # Eyal Estrin is a cloud and information security architect, an AWS Community Builder, and the author of the books Cloud Security Handbook and Security for Cloud Native Applications, with more than 25 years in the IT industry.\nYou can connect with him on social media (https://linktr.ee/eyalestrin).\nOpinions are his own and not the views of his employer.\n","date":"3 June 2025","externalUrl":null,"permalink":"/posts/introduction-to-day-2-serverless-operations-part-1/","section":"Posts","summary":"","title":"Introduction to Day 2 Serverless Operations — Part 1","type":"posts"},{"content":" When designing modern applications in the cloud, one of the topics we need to consider is how to configure scalability policies for adding or removing resources according to the load on our application.\nIn this blog post, I will review resource-based and request-based scaling and try to explain the advantages and disadvantages of both alternatives.\nWhat is resource-based scaling? 
# Using resource-based scaling, resources are allocated and scaled based on how much CPU or memory is being used by an application or a service.\nThe system monitors metrics like CPU utilization (e.g., percentage used) or memory usage. When these metrics exceed predefined thresholds, the service scales up (adds more resources); when they fall below thresholds, it scales down.\nThis method is effective for applications where resource usage directly correlates with workload, such as compute-intensive or memory-heavy tasks.\nIn the sample Terraform code below, we can see a CloudWatch alarm that is triggered once the average CPU utilization is above 70%:\nIn the sample Terraform code below, we can see a CloudWatch alarm that is triggered once the average memory usage is above 80%:\nAdvantages of using resource-based scaling # Automatically adjust resources based on required CPU or memory, which decreases the chance of over-provisioning (wasting money) or underutilizing (potential performance issues).\nDecrease the chance of an outage due to a lack of CPU or memory resources.\nOnce a policy is configured, there is no need to manually adjust the required resources.\nDisadvantages of using resource-based scaling # Autoscaling may respond slowly in case of a sudden spike in resource requirements.\nWhen the autoscaling policy is not properly tuned, it may lead to resource over-provisioning or underutilization, which may increase the chance of high resource cost.\nCreating an effective autoscaling policy may be complex and requires planning, monitoring, and expertise.\nWhat is request-based scaling? # Using request-based scaling, resources are allocated and scaled based on the actual number of incoming requests (such as HTTP requests to a website or API calls to an API gateway).\nIn this method, the system counts the number of incoming requests. 
When the number of requests crosses a pre-defined threshold, it triggers a scaling action (i.e., adding or removing resources).\nSuited for applications where each request is relatively uniform in resource consumption, or where user experience is tightly coupled to request volume (e.g., web APIs, serverless functions).\nIn the example sample Terraform code below, we can see Amazon Aurora request-based scaling using the average number of database connections as the scaling metric:\nAdvantages of using request-based scaling # Immediate or predictable scaling in response to user demand.\nAlign resource allocation to user activity, which increases application responsiveness.\nAlign cost to resource allocation, which is useful in SaaS applications when we want to charge-back customers to their actual resource usage (such as HTTP requests, API calls, etc.).\nDisadvantages of using request-based scaling # Potential high cost during peak periods, due to the fast demand for resource allocation.\nTo gain the full benefit of request-based scaling, it is required to design stateless applications.\nCreating a request-based scaling policy may be a complex task due to the demand to manage multiple nodes or instances (including load-balancing, synchronization, and monitoring).\nDuring spikes, there may be temporary performance degradation due to the time it takes to allocate the required resources.\nHow do we decide on the right scaling alternative? 
# When designing modern (or SaaS) applications, no one solution fits all.\nIt depends on factors such as:\nApplication’s architecture or services in use — Resource-based scaling is more suitable for architectures based on VMs or containers, while request-based scaling is more suitable for architectures using serverless functions (such as Lambda functions) or APIs.\nWorkload patterns — Workloads that rely heavily on resources (such as back-end services or batch jobs), compared to workloads designed for real-time data processing based on APIs (such as event-driven applications processing messages or HTTP requests).\nBusiness requirements — Resource-based scaling is more suitable for predictable or steady workloads (where scale based on CPU/Memory is more predictable), for legacy or monolithic applications. Request-based scaling is more suitable for applications experiencing frequent spikes or for scenarios where the business would like to optimize cost per customer request (also known as pay-for-use).\nOrganization/workload maturity — When designing early-stage SaaS, it is recommended to begin with resource-based scaling due to the ease of implementation. Once the SaaS matures and adds front-end or API services, it is time to begin using request-based scaling (for services that support this capability). For mature SaaS applications using microservices architecture, it is recommended to implement advanced monitoring and dynamically adjust scaling policies according to the target service (front-end/API vs. back-end/heavy compute resources).\nSummary # Choosing the most suitable scaling alternative requires careful design of your workloads, understanding demands (customer facing/API calls, vs. 
heavy back-end compute), careful monitoring (to create the most suitable policies) and understanding how important responsiveness to customer behavior is (from adjusting required resources to the ability to charge back customers per their actual resource usage).\nI encourage you to learn about the different workload patterns, to be able to design highly scalable modern applications in the cloud, to meet customers’ demand, and to be as cost-efficient as possible.\nAbout the author # Eyal Estrin is a cloud and information security architect, an AWS Community Builder, and the author of the books Cloud Security Handbook and Security for Cloud Native Applications, with more than 20 years in the IT industry.\nYou can connect with him on social media (https://linktr.ee/eyalestrin).\nOpinions are his own and not the views of his employer.\n","date":"12 May 2025","externalUrl":null,"permalink":"/posts/resource-based-scaling-vs-request-based-scaling-in-the-cloud/","section":"Posts","summary":"","title":"Resource-based Scaling vs. Request-based Scaling in the Cloud","type":"posts"},{"content":" Kubernetes has been used by organizations for nearly a decade — from wrapping applications inside containers, pushing them to a container repository, to full production deployment.\nAt some point, we need to troubleshoot various issues in Kubernetes environments.\nIn this blog post, I will review some of the common ways to troubleshoot Kubernetes, based on the hyperscale cloud environments.\nCommon Kubernetes issues # Before we deep dive into Kubernetes troubleshooting, let us review some of the common Kubernetes errors:\nCrashLoopBackOff — A container in a pod keeps failing to start, so Kubernetes tries to restart it over and over, waiting longer each time. This usually means there’s a problem with the app, something important is missing, or the setup is wrong.\nImagePullBackOff — Kubernetes can’t download the container image for a pod. 
This might happen if the image name or tag is wrong, there’s a problem logging into the image registry, or there are network issues.\nCreateContainerConfigError — Kubernetes can’t set up the container because there’s a problem with the settings like wrong environment variables, incorrect volume mounts, or security settings that don’t work.\nPodInitializing — A pod is stuck starting up, usually because the initial setup containers are failing, taking too long, or there are problems with the network or attached storage.\nKubectl for Kubernetes troubleshooting # Kubectl is the native and recommended way to manage Kubernetes and, among other things, to assist in troubleshooting various aspects of Kubernetes.\nBelow are some examples of using kubectl:\nView all pods and their statuses: kubectl get pods\nGet detailed information and recent events for a specific pod: kubectl describe pod\nView logs from a specific container in a multi-container pod: kubectl logs -c\nOpen an interactive shell inside a running pod: kubectl exec -it -- /bin/bash\nCheck the status of cluster nodes: kubectl get nodes\nGet detailed information about a specific node: kubectl describe node\nAdditional information about kubectl can be found at:\nhttps://kubernetes.io/docs/reference/kubectl\nRemote connectivity to Kubernetes nodes # In rare cases, you may need to remotely connect to a Kubernetes node as part of troubleshooting. 
Some of the reasons to do so may be troubleshooting hardware failures, collecting system-level logs, cleaning up disk space, restarting services, etc.\nBelow are secure ways to remotely connect to Kubernetes nodes:\nTo connect to an Amazon EKS node using AWS Systems Manager Session Manager from the command line, use the following command: aws ssm start-session --target\nFor more details, see: https://docs.aws.amazon.com/eks/latest/best-practices/protecting-the-infrastructure.html\nTo connect to an Azure AKS node using Azure Bastion from the command line, run the commands below to get the private IP address of the AKS node and SSH from a bastion-connected environment: az aks machine list --resource-group --cluster-name \\\n--nodepool-name -o table\nssh -i /path/to/private_key.pem azureuser@\nFor more details, see: https://learn.microsoft.com/en-us/azure/aks/node-access\nTo connect to a GKE node using the gcloud command combined with Identity-Aware Proxy (IAP), use the following command: gcloud compute ssh \u0026lt;GKE_NODE_NAME\u0026gt; --zone --tunnel-through-iap\nFor more details, see: https://cloud.google.com/compute/docs/connect/ssh-using-iap#gcloud\nMonitoring and observability # To assist in troubleshooting, Kubernetes has various logs; some are enabled by default (such as container logs) and some need to be explicitly enabled (such as Control Plane logs).\nBelow are some of the ways to collect logs in managed Kubernetes services.\nAmazon EKS # To collect EKS node and application logs, use CloudWatch Container Insights (including resource utilization), as explained below:\nhttps://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/container-insights-detailed-metrics.html\nTo collect EKS Control Plane logs to CloudWatch logs, follow the instructions below:\nhttps://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html\nTo collect metrics from the EKS cluster, use Amazon Managed Service for Prometheus, as explained 
below:\nhttps://docs.aws.amazon.com/eks/latest/userguide/prometheus.html\nAzure AKS # To collect AKS node and application logs (including resource utilization), use Azure Monitor Container Insights, as explained below:\nhttps://learn.microsoft.com/en-us/azure/azure-monitor/containers/container-insights-data-collection-configure\nTo collect AKS Control Plane logs to Azure Monitor, configure the diagnostic setting, as explained below:\nhttps://docs.azure.cn/en-us/aks/monitor-aks?tabs=cilium#aks-control-planeresource-logs\nTo collect metrics from the AKS cluster, use Azure Monitor managed service for Prometheus, as explained below:\nhttps://learn.microsoft.com/en-us/azure/azure-monitor/metrics/prometheus-metrics-overview#enable-azure-monitor-managed-service-for-prometheus\nGoogle GKE # GKE node and Pod logs are sent automatically to Google Cloud Logging, as documented below:\nhttps://cloud.google.com/kubernetes-engine/docs/concepts/about-logs#collecting_logs\nGKE Control Plane logs are not enabled by default, as documented below:\nhttps://cloud.google.com/kubernetes-engine/docs/how-to/view-logs\nTo collect metrics from the GKE cluster, use Google Cloud Managed Service for Prometheus, as explained below:\nhttps://cloud.google.com/stackdriver/docs/managed-prometheus/setup-managed\nEnable GKE usage metering to collect resource utilization, as documented below:\nhttps://cloud.google.com/kubernetes-engine/docs/how-to/cluster-usage-metering#enabling\nTroubleshooting network connectivity issues # There may be various network-related issues when managing Kubernetes clusters. 
Some of the common network issues are nodes or pods not joining the cluster, inter-pod communication failures, connectivity to the Kubernetes API server, etc.\nBelow are some of the ways to troubleshoot network issues in managed Kubernetes services.\nAmazon EKS # Enable network policy logs to investigate network connections through Amazon VPC CNI, as explained below:\nhttps://docs.aws.amazon.com/eks/latest/userguide/network-policies-troubleshooting.html\nUse the guide below for monitoring network performance issues in EKS:\nhttps://docs.aws.amazon.com/eks/latest/best-practices/monitoring_eks_workloads_for_network_performance_issues.html\nTemporarily enable VPC flow logs (due to high storage cost in large production environments) to query network traffic of EKS clusters deployed in a dedicated subnet, as explained below:\nhttps://aws.amazon.com/blogs/networking-and-content-delivery/using-vpc-flow-logs-to-capture-and-query-eks-network-communications\nAzure AKS # Use the guide below to troubleshoot connectivity issues to the AKS API server:\nhttps://learn.microsoft.com/en-us/troubleshoot/azure/azure-kubernetes/connectivity/troubleshoot-cluster-connection-issues-api-server\nUse the guide below to troubleshoot outbound connectivity issues from the AKS cluster:\nhttps://learn.microsoft.com/en-us/troubleshoot/azure/azure-kubernetes/connectivity/basic-troubleshooting-outbound-connections\nUse the guide below to troubleshoot connectivity issues to applications deployed on top of AKS:\nhttps://learn.microsoft.com/en-us/troubleshoot/azure/azure-kubernetes/connectivity/connection-issues-application-hosted-aks-cluster\nUse Container Network Observability to troubleshoot connectivity issues within an AKS cluster, as explained below:\nhttps://learn.microsoft.com/en-us/azure/aks/container-network-observability-concepts\nGoogle GKE # Use the guide below to troubleshoot network connectivity issues in 
GKE:\nhttps://cloud.google.com/kubernetes-engine/docs/troubleshooting/connectivity-issues-in-cluster\nTemporarily enable VPC flow logs (due to high storage cost in large production environments) to query network traffic of GKE clusters deployed in a dedicated subnet, as explained below:\nhttps://cloud.google.com/vpc/docs/using-flow-logs\nSummary # I am sure there are many more topics to cover when troubleshooting problems with Kubernetes clusters; however, in this blog post, I highlighted the most common cases.\nKubernetes by itself is an entire domain of expertise and requires many hours to deep dive into and understand.\nI strongly encourage anyone using Kubernetes to read vendors’ documentation, and practice in development environments, until you gain hands-on experience running production environments.\nAbout the author # Eyal Estrin is a cloud and information security architect, an AWS Community Builder, and the author of the books Cloud Security Handbook and Security for Cloud Native Applications, with more than 20 years in the IT industry.\nYou can connect with him on social media (https://linktr.ee/eyalestrin).\nOpinions are his own and not the views of his employer.\n","date":"4 May 2025","externalUrl":null,"permalink":"/posts/kubernetes-troubleshooting-in-the-cloud/","section":"Posts","summary":"","title":"Kubernetes Troubleshooting in the Cloud","type":"posts"},{"content":" For many years we have been told that one of the major advantages of using containers is portability, meaning the ability to move our application between different platforms or even different cloud providers.\nIn this blog post, we will review some of the aspects of designing an architecture based on Kubernetes, allowing application portability between different cloud providers.\nBefore we begin the conversation, we need to recall that each cloud provider has its opinionated way of deploying and consuming services, with different APIs and different service capabilities.\nThere are 
multiple ways to design a workload, from traditional use of VMs to event-driven architectures using message queues and Function-as-a-Service.\nBelow is an example of architecture:\nA customer connecting from the public Internet, resolving the DNS name from a global DNS service (such as Cloudflare)\nThe request is sent to an Ingress controller, who forwards the traffic to a Kubernetes Pod exposing an application\nFor static content retrieval, the application is using an object storage service through a Kubernetes CSI driver\nFor persistent data storage, the application uses a backend-managed MySQL database\nThe 12-factor app methodology angle # When talking about the portability and design of modern applications, I always like to look back at the 12-factor app methodology:\nConfig # To be able to deploy immutable infrastructure on different cloud providers, we should store variables (such as SDLC stage, i.e., Dev, Test, Prod) and credentials (such as API keys, passwords, etc.) outside the containers.\nSome examples:\nAWS Systems Manager Parameter Store (for environment variables or static credentials) or AWS Secrets Manager (for static credentials)\nAzure App Configuration (for environment variables or configuration settings) or Azure Key Vault (for static credentials)\nGoogle Config Controller (for configuration settings), Google Secret Manager (for static credentials), or GKE Workload Identity (for access to Cloud SQL or Google Cloud Storage)\nHashiCorp Vault (for environment variables or static credentials)\nBacking services # To truly design for application portability between cloud providers, we need to architect our workload where a Pod can be attached and re-attached to a backend service.\nFor storage services, it is recommended to prefer services that Pods can connect via CSI drivers.\nSome examples:\nAmazon S3 (for object storage), Amazon EBS (for block storage), or Amazon EFS (for NFS storage)\nAzure Blob (for object storage), Azure Disk (for block 
storage), or Azure Files (for NFS or CIFS storage)\nGoogle Cloud Storage (for object storage), Compute Engine Persistent Disks (for block storage), or Google Filestore (for NFS storage)\nFor database services, it is recommended to prefer open-source engines deployed in a managed service, instead of cloud-opinionated databases.\nSome examples:\nAmazon RDS for MySQL (for managed MySQL) or Amazon RDS for PostgreSQL (for managed PostgreSQL)\nAzure Database for MySQL (for managed MySQL) or Azure Database for PostgreSQL (for managed PostgreSQL)\nGoogle Cloud SQL for MySQL (for managed MySQL) or Google Cloud SQL for PostgreSQL (for managed PostgreSQL)\nPort binding # To allow customers access to our application, Kubernetes exports a URL (i.e., DNS name) and a network port.\nSince load balancers offered by the cloud providers are opinionated to their ecosystems, we should use an open-source or third-party solution that will allow us to replace the ingress controller and enforce network policies (for example, to be able to enforce both inbound and pod-to-pod communication), or a service mesh solution (for mTLS and full layer 7 traffic inspection and enforcement).\nSome examples:\nNGINX (an open-source ingress controller), supported by Amazon EKS, Azure AKS, or Google GKE\nCalico CNI plugin (for enforcing network policies), supported by Amazon EKS, Azure AKS, or Google GKE\nCilium CNI plugin (for enforcing network policies), supported by Amazon EKS, Azure AKS, or Google GKE\nIstio (for service mesh capabilities), supported by Amazon EKS, Azure AKS, or Google GKE\nLogs # Although not directly related to container portability, logs are an essential part of application and infrastructure maintenance, specifically of observability (i.e., the ability to collect logs, metrics, and traces), to be able to anticipate issues before they impact customers.\nAlthough each cloud provider has its own monitoring and observability services, it is recommended to consider open-source 
solutions, supported by all cloud providers, and stream logs to a central service, to be able to continue monitoring the workloads, regardless of the cloud platform.\nSome examples:\nPrometheus — monitoring and alerting solution\nGrafana — visualization and alerting solution\nOpenTelemetry — a collection of tools for exporting telemetry data\nImmutability # Although not directly mentioned in the 12 factors app methodology, to allow portability of containers between different Kubernetes environments, it is recommended to build a container image from scratch (i.e., avoid using cloud-specific container images), and package the minimum number of binaries and libraries. As previously mentioned, to create an immutable application, you should avoid storing credentials, or any other unique identifiers (including unique configurations) or data inside the container image.\nInfrastructure as Code # Deployment of workloads using Infrastructure as Code, as part of a CI/CD pipeline, will allow deploying an entire workload (from pulling the latest container image, backend infrastructure, and Kubernetes deployment process) in a standard way between different cloud providers, and different SDLC stages (Dev, Test, Prod).\nSome examples:\nOpenTofu — An open-source fork of Terraform, allows deploying entire cloud environments using Infrastructure as Code\nHelm Charts — An open-source solution for software deployment on top of Kubernetes\nSummary # In this blog post, I have reviewed the concept of container portability for allowing organizations the ability to decrease the reliance on cloud provider opinionated solutions, by using open-source solutions.\nNot all applications are suitable for portability, and there are many benefits of using cloud-opinionated solutions (such as serverless services), but for simple architectures, it is possible to design for application portability.\nAbout the author # Eyal Estrin is a cloud and information security architect, an AWS Community Builder, 
and the author of the books Cloud Security Handbook and Security for Cloud Native Applications, with more than 20 years in the IT industry.\nYou can connect with him on social media (https://linktr.ee/eyalestrin).\nOpinions are his own and not the views of his employer.\n","date":"3 May 2025","externalUrl":null,"permalink":"/posts/kubernetes-and-container-portability-navigating-multi-cloud-flexibility/","section":"Posts","summary":"","title":"Kubernetes and Container Portability: Navigating Multi-Cloud Flexibility","type":"posts"},{"content":" Introduction # Cloud storage solutions are becoming more and more popular among businesses due to their ease of use and flexibility, but they also come with a significant risk to the security of sensitive data. Because of the sharp rise in data breaches and cyberthreats, protecting data stored on cloud servers is now more crucial than ever. Despite the fact that 94% of businesses use cloud storage, many of them struggle to maintain strong security protocols. Let\u0026rsquo;s look at the best procedures for protecting sensitive data kept on cloud servers.\nWhat is Cloud Data Protection? # Cloud data protection refers to securing an organization’s data contained in a cloud environment (controlled by the business or a third party) while the data is either in transit or at rest. While rapid adoption of cloud technology is revolutionizing the way businesses operate, it has also made cloud settings more vulnerable to assaults. It is not only critical to secure your cloud environment; it is a business imperative.\nComponents of Cloud Architecture # Compute: This is the processing power needed to run apps that serves as the structural heart of the cloud. 
Depending on demand, its size can be controlled to guarantee that it is delivered in the most cost-effective way and at maximum performance.\nStorage: Cloud storage services provide data storage that is always available and accessible from any location, and protect sensitive data from breaches and unauthorized access.\nNetwork: Connects the apps, data, and people. A secure network protects the data from eavesdropping or manipulation while it travels.\nWhy is Cloud Protection Challenging?\nSecuring data in the cloud is not an easy job. The cloud has strong security features, but it comes with many challenges:\nEvolving Cyber Threats: Cloud infrastructures face many significant security threats. Cloud providers can be targeted in Distributed Denial-of-Service (DDoS) attacks, which overwhelm the cloud provider and temporarily take the services of customers offline. Ransomware attacks can affect cloud services and make them inaccessible until ransoms are paid. Access gateways can be bypassed in credential theft-driven attacks, and attackers can obtain shareable private information or sensitive tasks.\nCompliance Standards: Businesses are required to protect data privacy, and that requires them to secure all the sensitive information they are collecting. Laws like HIPAA, GDPR, and PCI-DSS have a component of cloud data compliance. Security teams need tools that meet compliance requirements and provide evidence that their organizations are achieving audit goals.\nInsider Threats: Insiders might use their access to a company’s cloud data to perpetrate cybercrimes. Since the cloud data is easily accessible, it becomes easier for malicious actors to gain unauthorized access, which will also be an issue in on-premises systems.\nClear Visibility: Cloud providers might obfuscate information at the infrastructure level, keeping end users in the dark about security blind spots of considerable magnitude. 
There is a possibility for enterprises to lose visibility into user behavior, code-base changes, and even the size of their cloud deployments.\nAbout 70% of businesses that face cloud violations observe a clear drop in customer trust, with a big part of those firms directly feeling the impact by losing clients.\nCloud Data Protection Best Practices 2025 # The following list of recommended practices outlines how businesses can drastically lower risk and guarantee a more secure cloud environment:\nShared-Responsibility Model: The security of cloud environments depends on combined efforts between cloud service providers and their users in a two-way structure. Cloud providers take responsibility for the security of cloud infrastructure while users must protect their data, applications and access controls within the cloud environment. The key to developing a strong cloud security approach lies in knowing how these functions work.\nData Backup: One primary way to use the cloud involves backing up files from physical hard drives. Scheduled backups ensure that data can be retrieved swiftly with minimal disruption after a loss from accidental deletion, cyberattacks or system disruptions. Through regular backups businesses can reduce downtime and data unavailability because they enable quick recovery from data loss situations.\nEncryption of Data: Protecting data during storage and transmission through encryption prevents unauthorized access and stops data interception attempts. The privacy of data remains protected by means of encryption. Data cannot be accessed without the decryption key regardless of any security breach occurrence.\nRegular Audits: The security best practices for cloud environments may become inconsistent as their growth and development continue. Routine audits simplify the process of identifying and correcting security deviations. 
Regular security audits help maintain compliance with security standards to reduce the risk of configuration-based security breaches.\nEnable MFA: Multi-Factor Authentication adds another barrier beyond the password. Even if someone\u0026rsquo;s credentials have been compromised, unwanted access is still mitigated. Multi-factor verification in the cloud, especially for administrator accounts, is essential. Protecting data in the cloud also entails ensuring users are informed about the value of multi-factor authentication, regularly reviewing and refreshing the multi-factor settings and authentication configurations to align with changes, and setting up new frameworks.\nNetwork Security: Cyberattacks should be kept at a distance, and preventing them is the main goal of network design. Any gaps pose a risk and are a concern. A shielded network security posture, consisting of virtual private clouds (VPCs), firewalls, and other instruments, works to ensure that no unauthorized traffic is allowed to reach your resources while hostile actors are kept at bay.\nKnowledge of Compliance: Compliance standards provide guidelines for safeguarding personal and sensitive data and for meeting legal requirements, and serve as boundaries. Regulatory measures, as far as they apply to a business, require evaluating the trust of regulators and consumers in how the cloud environment is safeguarded. To expose gaps and correct them before they spiral into an issue, compliance postures should be examined regularly.\nMonitor Cloud Activity: Continuously tracking cloud infrastructure is essential for mitigating potential risks in ever-changing cloud environments. Real-time monitoring streamlines the detection of security breaches such as suspicious logins, unauthorized access, and tampering with critical configurations. 
Without proactive measures, these activities may go undetected until it\u0026rsquo;s too late. Monitoring this information allows alerts to concentrate on the most significant threats.\nConduct Incident Response: This process includes organizing regular incident response exercises that imitate real security breach situations to check the organization’s readiness. Interdisciplinary groups such as IT, security, and legal should also be included to ensure a coordinated response in case of an incident. The outcome of every exercise should be reviewed to determine deficiencies and modify the incident response plan accordingly.\nTrain Employees: Employees of the organization should be trained in cloud security procedures. Regular training sessions should make people aware of phishing and other online threats. In addition, special training should be established for IT groups, which means providing DevOps and IT teams with appropriate facilities to manage security issues related specifically to the cloud.\nConclusion # As the cloud security landscape continues to evolve, it is important to stay abreast of technology trends and emerging threats. Making cloud data security a top priority will go a long way in helping you safeguard your data and ensure compliance with all applicable laws. Remember, proactive cloud security is not just about meeting requirements but also about being committed to preserving the confidentiality and integrity of your critical information.\nAuthor bio # Aidan Simister\nAt Lepide, a leading provider of compliance and data security solutions, Aidan Simister serves as CEO. 
He has more than 20 years of experience in the IT sector and is well known for his proficiency in cybersecurity and dedication to assisting businesses in protecting their private information.\n","date":"10 April 2025","externalUrl":null,"permalink":"/posts/understanding-cloud-data-protection-best-practices-for-2025/","section":"Posts","summary":"","title":"Understanding Cloud Data Protection: Best Practices for 2025","type":"posts"},{"content":" In an ideal world, we would have the luxury of building greenfield cloud environments, however, this is not always the situation we as cloud architects have to deal with.\nGreenfield environments allow us to design our cloud environment following industry (or cloud vendor) best practices, setting up guardrails, selecting an architecture to meet the business requirements (think about event-driven architecture, scale, managed services, etc.), baking cost into architecture decisions, etc.\nIn many cases, we inherit an existing cloud environment due to mergers and acquisitions or we just stepped into the position of a cloud architect in a new company, that already serves customers, and there is almost zero chance that the business will grant us the opportunity to fix mistakes that have already been made.\nIn this blog post, I will try to provide some steps for handling brownfield cloud environments, based on the AWS platform.\nStep 1 – Create an AWS Organization # If you have already inherited multiple AWS accounts, the first thing you need to do is create a new AWS account (without any resources) to serve as the management account and create an AWS organization, as explained in the AWS documentation.\nOnce the new AWS organization is created, make sure you select an email address (from your organization\u0026rsquo;s SMTP domain), select a strong password for the Root AWS user account, revoke and remove all AWS access keys (if there are any), and configure an MFA for the Root AWS user account.\nUpdate the primary and alternate 
contact details for the AWS organization (recommend using an SMTP mailing list instead of a single-user email address).\nThe next step is to design an OU structure for the AWS organization. There are various ways to structure the organization, and perhaps the most common one is by lines of business, and underneath, a similar structure by SDLC stage – i.e., Dev, Test, and Prod, as discussed in the AWS documentation.\nStep 2 – Handle Identity and Access management # Now that we have an AWS organization, we need to take care of identity and access management across the entire organization.\nTo make sure all identities authenticate against the same identity provider (such as the on-prem Microsoft Active Directory), enable AWS IAM Identity Center, as explained in the AWS documentation.\nOnce you have set up the AWS IAM Identity Center, it is time to avoid using the Root AWS user account and create a dedicated IAM user for all administrative tasks, as explained in the AWS documentation.\nStep 3 – Moving AWS member accounts to the AWS Organization # Assuming we have inherited multiple AWS accounts, it is now the time to move the member AWS accounts into the previously created OU structure, as explained in the AWS documentation.\nOnce all the member accounts have been migrated, it is time to remove the Root AWS user account, as explained in the AWS documentation.\nStep 4 – Manage cost # The next thing we need to consider is cost. 
If a workload was migrated from on-prem using a legacy data center mindset, or if a temporary or development environment became a production environment over time, designed by an inexperienced architect or engineer, there is a good chance that cost was not a top priority from day 1.\nEven before digging into cost reduction or right-sizing, we need to have visibility into cost aspects, at least to be able to stop wasting money regularly.\nDefine the AWS management account as the payer account for the entire AWS organization, as explained in the AWS documentation.\nCreate a central S3 bucket to store the cost and usage report for the entire AWS organization, as explained in the AWS documentation.\nCreate a budget for each AWS account, and create and send alerts once pre-defined thresholds of the monthly budget have been reached (for example at 75%, 85%, and 95%).\nCreate a monthly report for each of the AWS accounts in the organization and review the reports regularly.\nEnforce tagging policy across the AWS organization (such as tags by line of business, by application, by SDLC stage, etc.), to be able to track resources and review their cost regularly, as explained in the AWS documentation.\nStep 5 – Creating a central audit and logging # To have central observability across our AWS organization, it is recommended to create a dedicated AWS member account for logging.\nCreate a central S3 bucket to store CloudTrail logs from all AWS accounts in the organization, as explained in the AWS documentation.\nMake sure access to the CloudTrail bucket is restricted to members of the SOC team only.\nCreate a central S3 bucket to store CloudWatch logs from all AWS accounts in the organization, and export CloudWatch logs to the central S3 bucket, as explained in the AWS documentation.\nStep 6 – Manage security posture # Now that we have become aware of the cost, we need to look at our entire AWS organization security posture, and a 
common assumption is that we have public resources, or resources that are accessible by external identities (such as third-party vendors, partners, customers, etc.)\nTo be able to detect access to our resources by external identities, we should run the IAM Access Analyzer, generate access reports, and regularly review the reports (or send their output to a central SIEM system), as explained in the AWS documentation.\nWe should also use the IAM Access Analyzer to detect excessive privileges, as explained in the AWS documentation.\nBegin assigning Service control policies (SCPs) to OUs in the AWS organizations, with guardrails such as denying the ability to create resources in certain regions (due to regulations) or preventing Internet access.\nUse tools such as Prowler, to generate security posture reports for every AWS account in the organization, as mentioned in the AWS documentation – focus on misconfigurations such as resources with public access.\nStep 7 – Observability into cloud resources # The next step is visibility into our resources.\nTo have a central view of logs, metrics, and traces across AWS organizations, we can leverage the CloudWatch cross-account capability, as explained in the AWS documentation. This capability will allow us to create dashboards and perform queries to better understand how our applications are performing, but we need to remember that storing more logs has cost implications, so for the first stage, I recommend selecting production applications (or at least the applications that produce the most value to our organization).\nTo have central visibility over vulnerabilities across the AWS organizations (such as vulnerabilities in EC2 instances, container images in ECR, or Lambda functions), we can use Amazon Inspector, to regularly scan and generate findings from all members in our AWS organizations, as explained in the AWS documentation. 
With the information from Amazon Inspector, we can later use the AWS SSM to deploy missing security patches, as explained in the AWS documentation.\nSummary # In this blog post, I have reviewed some of the most common recommendations I believe should grant you better control and visibility into existing brownfield AWS environments.\nI am sure there are many more recommendations and best practices, and perhaps next steps such as resource rightsizing, re-architecting existing workloads, adding third-party solutions for observability and security posture, and more.\nI encourage readers of this blog post, to gain control over existing AWS environments, question past decisions (for topics such as cost, efficiency, sustainability, etc.), and always look for the next level in taking full benefit of the AWS environment.\nAbout the author # Eyal Estrin is a cloud and information security architect, an AWS Community Builder, and the author of the books Cloud Security Handbook and Security for Cloud Native Applications, with more than 20 years in the IT industry.\nYou can connect with him on social media (https://linktr.ee/eyalestrin).\nOpinions are his own and not the views of his employer.\n","date":"30 March 2025","externalUrl":null,"permalink":"/posts/navigating-brownfield-environments-in-aws-steps-for-successful-cloud-use/","section":"Posts","summary":"","title":"Navigating Brownfield Environments in AWS: Steps for Successful Cloud Use","type":"posts"},{"content":" Before beginning the conversation about AWS anti-patterns, we should ask ourselves — what is an anti-pattern?\nI have searched the web, and found the following quote:\n“An antipattern is just like a pattern, except that instead of a solution, it gives something that looks superficially like a solution but isn’t one” (“Patterns and Antipatterns” by Andrew Koenig)\nKey characteristics of antipatterns include:\nThey are commonly used processes, structures, or patterns of action.\nThey initially seem appropriate 
and effective.\nThey ultimately produce more negative consequences than positive results.\nThere exists a better, documented, and proven alternative solution.\nIn this blog post, I will review some of the common anti-patterns we see in AWS environments, and how to properly use AWS services.\nUsing a permissive IAM policy # This is common for organizations migrating from on-prem to AWS that lack an understanding of how IAM policies work, or in development environments, where “we are just trying to check if some action will work and we will fix the permissions later…” (and in many cases, we fail to go back and limit the permissions).\nIn the example below, we see an IAM policy allowing access to all S3 buckets, including all actions related to S3:\nIn the example below, we see a strict IAM policy allowing access to specific S3 buckets, with specific S3 actions:\nPublicly accessible resources # For many years, deploying resources such as S3 buckets, an EC2 instance, or an RDS database, caused them to be publicly accessible, which made them prone to attacks from external or unauthorized parties.\nIn production environments, there are no reasons for creating publicly accessible resources (unless we are talking about static content accessible via a CDN). 
Ideally, EC2 instances will be deployed in a private subnet, behind an AWS NLB or AWS ALB, and RDS / Aurora instances will be deployed in a private subnet (behind a strict VPC security group).\nIn the case of EC2 or RDS, it depends on the target VPC into which you are deploying the resources — the default VPC assigns a public IP, while creating a custom VPC allows us to decide if we need a public subnet or not.\nIn the example below, we see an AWS CLI command for deploying an EC2 instance with public IP:\nIn the example below, we see an AWS CLI command for deploying an EC2 instance without a public IP:\nIn the case of the S3 bucket, since April 2023, when creating a new S3 bucket, by default the “S3 Block Public Access” is enabled, making it private.\nIn the example below, we see an AWS CLI command for creating an S3 bucket, while enforcing private access:\nUsing permissive network access # By default, when launching an EC2 instance, the only default rule is port 22 for SSH access for Linux instances, accessible from 0.0.0.0/0 (i.e., all IPs), which makes all Linux instances (such as EC2 instances or Kubernetes Pods), publicly accessible from the Internet.\nAs a rule of thumb — always implement the principle of least privilege, meaning, enforce minimal network access according to business needs.\nIn the case of EC2 instances, there are a couple of alternatives:\nRemotely connect to EC2 instances using EC2 Instance Connect or using AWS Systems Manager Session Manager.\nIf you insist on connecting to a Linux EC2 instance using SSH, make sure you configure a VPC security group to restrict access through SSH protocol from a specific (private) CIDR. 
In the example below, we see an AWS CLI command for creating a strict VPC security group:\nIn the case of Kubernetes Pods, one of the alternatives is to create a network security policy, to restrict access to SSH protocol from a specific (private) CIDR, as we can see in the example below:\nUsing hard-coded credentials # This is a common pattern organizations have been following for many years: storing (cleartext) static credentials in application code, configuration files, automation scripts, code repositories, and more.\nAnyone with read access to any of the above will gain access to the credentials and will be able to use them to harm the organization (from data leakage to costly resource deployment such as VMs for Bitcoin mining).\nBelow are alternatives to using hard-coded credentials:\nUse an IAM role to gain temporary access to resources, instead of using static (or long-lived) credentials.\nUse AWS Secrets Manager or AWS Systems Manager Parameter Store to generate, store, retrieve, rotate, and revoke any static credentials. Connect your applications and CI/CD processes to AWS Secrets Manager, to pull the latest credentials. In the example below we see an AWS CLI command for an ECS task pulling a database password from AWS Secrets Manager:\nIgnoring service cost # Almost any service in AWS has its pricing, which we need to be aware of while planning an architecture. 
Sometimes it is fairly easy to understand the pricing — such as EC2 on-demand (pay by the time an instance is running), and sometimes the cost estimation can be fairly complex, such as Amazon S3 (storage cost per storage class, actions such as PUT or DELETE, egress data, data retrieval from archive, etc.)\nWhen deploying resources in an AWS environment, we may find ourselves paying thousands of dollars every month, simply because we ignore the cost factor.\nThere is no good alternative for having visibility into cloud costs — we still have to pay for the services we deploy and consume, but with simple steps, we will have at least basic visibility into the costs, before we go bankrupt.\nIn the example below, we can see a monthly budget created in an AWS account to send email notifications when the monthly budget reaches 500$:\nNaturally, the best advice is to embed cost in any design consideration, as explained in “The Frugal Architect” (https://www.thefrugalarchitect.com/)\nFailing to use auto-scaling # One of the biggest benefits of the public cloud and modern applications is the use of auto-scaling capabilities to add or remove resources according to customer demands.\nWithout autoscaling, our applications will reach resource limits (such as CPU, memory, or network), and availability issues (in case an application was deployed on a single EC2 instance or single RDS node) which will have a direct impact on customers, or high cost (in case we have provisioned more compute resources than required).\nMany IT veterans think of auto-scaling as the ability to add more compute resources such as additional EC2 instances, ECS tasks, DynamoDB tables, Aurora replicas, etc.\nAutoscaling is not just about adding resources, but also the ability to adjust the number of resources (i.e., compute instances/replicas) to the actual customer’s demand.\nA good example of a scale-out scenario (i.e., adding more compute resources), is a scenario where a publicly accessible web 
application is under a DDoS attack. An autoscale capability will allow us to add more compute resources, to keep the application accessible to legitimate customers’ requests, until the DDoS is handled by the ISP, or by AWS (through the AWS Shield Advanced service).\nA good example of a scale-down scenario (i.e., removing compute resources) is 24 hours after Black Friday or Cyber Monday when an e-commerce website receives less traffic from customers, and fewer resources are required. It makes sense when we think about the number of required VMs, Kubernetes Pods, or ECS tasks, but what about databases?\nSome services, such as Aurora Serverless v2, support scaling to 0 capacity, which automatically pauses after a period of inactivity by scaling down to 0 Aurora Capacity Units (ACUs), allowing you to benefit from cost reduction for workloads with inactivity periods.\nFailing to leverage storage class # A common mistake when building applications in AWS is to choose the default storage alternative (such as Amazon S3 or Amazon EFS), without considering data access patterns, and as a result, we may be paying a lot of money every month, while storing objects/files (such as logs or snapshots), which are not accessed regularly.\nAs with any work with AWS services, we need to review the service documentation, understand the data access patterns for each workload that we design, and choose the right storage service and storage class.\nAmazon S3 is the most commonly used storage solution for cloud-native applications (from logs, static content, AI/ML, data lakes, etc.).\nWhen using S3, consider the following:\nFor unpredictable data access patterns (for example when you cannot determine when or how often objects will be accessed), choose Amazon S3 Intelligent-Tiering.\nIf you know the access pattern of your data (for example logs accessed for 30 days and then archived) choose S3 lifecycle policies.\nAmazon EFS is commonly used when you need to share file storage with concurrent 
access (such as multiple EC2 instances reading from a shared storage, or multiple Kubernetes Pods writing data to a shared storage).\nWhen using EFS, consider the following:\nFor unpredictable data access patterns (for example if files are moved between performance-optimized tiers and cost-optimized tiers), choose Amazon EFS Intelligent Tiering.\nIf you know the access pattern of your data (for example logs older than 30 days), configure lifecycle policies.\nSummary # The more we deep dive into application design and architecture, the more anti-patterns we will find. Our applications will run, but they will be inefficient, costly, insecure, and more.\nIn this blog post, we have reviewed anti-patterns from various domains (such as security, cost, and resource optimization).\nI encourage the readers to read AWS documentation (including the AWS Well-Architected Framework and the AWS Decision Guides), consider what you are trying to achieve, and design your architectures accordingly.\nEmbrace a dynamic mindset — Always question your past decisions — there might be better or more efficient ways to achieve similar goals.\nAbout the author # Eyal Estrin is a cloud and information security architect, an AWS Community Builder, and the author of the books Cloud Security Handbook and Security for Cloud Native Applications, with more than 20 years in the IT industry.\nYou can connect with him on social media (https://linktr.ee/eyalestrin).\nOpinions are his own and not the views of his employer.\n","date":"10 March 2025","externalUrl":null,"permalink":"/posts/navigating-aws-anti-patterns-common-pitfalls-and-strategies-to-avoid-them/","section":"Posts","summary":"","title":"Navigating AWS Anti-Patterns: Common Pitfalls and Strategies to Avoid Them","type":"posts"},{"content":" Anyone who follows my posts on social networks knows that I am an advocate of the public cloud and cloud adoption.\nAccording to Synergy Research Group, by 2029, “hyperscale operators will account for 
over 60% of all capacity, while on-premise will drop to just 20%”.\nIn this blog post, I will share my personal opinion on where I see the future of IT infrastructure.\nBefore we begin the conversation, I believe we can all agree that many organizations are still maintaining on-prem data centers and legacy applications, and they are not going away any time in the foreseeable future.\nAnother thing I hope we can agree on is that IT infrastructure aims to support the business, but it does not produce direct revenue for the organization.\nNow, let us talk about how I see the future of IT infrastructure in the short or mid-term, and in the long term.\nShort or Mid-term future — Hosting or co-location services # Many organizations are still maintaining on-prem data centers of various sizes. There are many valid reasons to keep maintaining on-prem data centers, to name a few:\nKeeping investment in purchased hardware (physical servers, network equipment, storage arrays, etc.)\nMulti-year software license agreements with commercial vendors (such as virtualization, operating systems, databases, etc.)\nLegacy application constraints (from license bound to a physical CPU to monolith applications that were developed many years ago and simply were not developed to run in cloud environments, at least not efficiently)\nRegulatory constraints requiring data (such as customer data) to be kept in a specific country/region.\nLarge volumes of data generated and stored for many years, and the cost/time constraints of moving them to the public cloud.\nEmployee knowledge — many IT veterans have already invested years learning how to deploy hardware/virtualization, how to maintain network or storage equipment, and let us be honest — they may be afraid of making a change, learning something new such as moving to the public cloud.\nRegardless of how organizations see on-prem data centers, they will never have the expertise that large-scale hosting providers have, to name a few:\nAbility 
to deploy high-scale and redundant data centers, in multiple locations (think about primary and DR data centers or active-active data centers)\nInvest in physical security (i.e., who has physical access to the data center and specific cage), while providing services to multiple different customers.\nBuild and maintain sustainable data centers, using the latest energy technologies, while keeping the carbon footprint to the minimum.\nAbility to recruit highly skilled personnel (from IT, security, DevOps, DBA, etc.) to support multiple customers of the hosting service data centers.\nWhat are the benefits of hosting services? # Organizations debating about migration to the cloud, and the efforts required to re-architect or adjust their applications and infrastructure to make them efficient to run in the public cloud, could use hosting services.\nHere are a few examples of using hosting services:\nKeeping legacy hardware that still produces value for the business, such as Mainframe servers (for customers such as banks or government agencies). Organizations would still be able to consume their existing applications, without having to take care of the ongoing maintenance of legacy hardware.\nCloud local alternative on-prem — Several CSPs are offering their hardware racks for local or hosting facilities deployment, such as AWS Outposts, Azure Local, or Oracle Cloud@Customer, allowing customers to consume hardware identical to the hardware that the CSPs offer (managed remotely by the CSPs), while using the same APIs, but locally.\nMany organizations are limited by their Internet bandwidth. By using hosting services, organizations can leverage the network bandwidth of their hosting provider, and the ability to have multiple ISPs, allowing them both inbound and outbound network connectivity.\nMany organizations would like to begin developing GenAI applications, which requires them to invest in expensive GPU hardware. 
The latest hardware costs a lot of money, requires dedicated cooling, and gets outdated over time. Instead, a hosting service provider can purchase and maintain a large number of GPUs, offering its customers the ability to consume GPUs for AI/ML workloads, while paying for the time they used the hardware.\nModern pricing model — Hosting services can offer customers modern pricing plans, such as paying for the actual amount of storage consumed, paying for the time a machine was running (or offering to purchase hardware for several years in advance), Internet bandwidth (or traffic consumed on the network equipment), etc.\nHosting services and the future of modern applications # Just because organizations will migrate from their on-prem to hosting services, does not mean they cannot begin developing modern applications.\nAlthough hosting services do not offer all the capabilities of the public cloud (such as infinite scale, performing actions and retrieving consumption information via API calls, etc.), there are still many things organizations can begin today, to name a few:\nDeploy applications inside containers — a hosting provider can deploy and maintain the Kubernetes control plane for its customers, allowing them to consume Kubernetes, without having to take care of the burden related to Kubernetes maintenance. 
A common example of Kubernetes that can be deployed locally at a hosting provider facility, and later on can be used in public cloud environments is OpenShift.\nConsume object storage — a hosting provider can deploy and maintain object storage services (such as Min.io), offering his customers to begin consuming storage capabilities that exist in cloud-native environments.\nConsume open-source queuing services — customers can deploy message brokers such as ActiveMQ or RabbitMQ, to develop asynchronous applications, and when moving to the public cloud, use the cloud providers managed services alternatives.\nConsume message streaming services — customers can begin deploying event-driven architectures using Apache Kafka, to stream a large number of messages, in near real-time, and when moving to the public cloud, use the cloud providers managed services alternatives.\nDeploy components using Infrastructure as Code. Some of the common IaC alternatives such as Terraform and Pulumi, already support providers from the on-prem environment (such as Kubernetes), which allows organizations to already begin using modern deployment capabilities.\nNote — perhaps the biggest downside of hosting services in the area of modern applications is the lack of function-as-a-service capabilities. 
Most FaaS are vendor-opinionated, and I have not heard of many customers using FaaS locally.\nTransitioning from on-prem to hosting services # The transition between the on-prem and a hosting facility should be straightforward, after all, you are keeping your existing hardware (from Mainframe servers to physical appliances) and simply have the hosting provider take care of the ongoing maintenance.\nHosting services will allow organizations access to managed infrastructure (similar to the Infrastructure as a Service model in the public cloud), and some providers will also offer you managed services (such as storage, WAF, DDoS protection, and perhaps even managed Kubernetes or databases).\nSimilarly to the public cloud, the concept of shared responsibility is still relevant. The hosting provider is responsible for all the lower layers (from physical security, physical hardware, network, and storage equipment, up until the virtualization layer), and organizations are responsible for whatever happens within their virtual servers (such as who has access, what permissions are granted, what data is being stored, etc.). 
In case an organization needs to comply with regulations (such as PCI-DSS, FedRAMP, etc.), the organization needs to work with the hosting provider to figure out how to comply with the regulation end-to-end (do not assume that if your hosting provider’s physical layer is compliant, so does your OS and data layers).\nLong-term future — The public cloud # I have been a cloud advocate for many years, so my opinion about the public cloud is a little bit biased.\nThe public cloud brings agility into the traditional IT infrastructure — when designing an architecture, you have multiple ways to achieve similar goals — from traditional architecture based on VMs to modern designs such as microservice architecture built on top of containers, FaaS, or event-driven architecture.\nOne of the biggest benefits of using the public cloud is the ability to consume managed services (such as managed database services, managed Kubernetes services, managed load-balancers, etc.), where from a customer point of view, you do not need to take care of compute scale (i.e., selecting the underlying compute hardware resources or number of deployed compute instances), or the ongoing maintenance of the underlying layers.\nElasticity and infinite resource scale are huge benefits of the public cloud (at least for the hyper-scale cloud providers), which no data center can compete with. Organizations can design architectures that will dynamically adjust the number of resources according to customers’ load (up or down).\nFor many IT veterans, moving to the public cloud requires a long learning curve (among others, switching from being a specialist in a certain domain to becoming a generalist in multiple domains). Organizations need to invest resources in employee training and knowledge sharing.\nAnother important topic that organizations need to focus on while moving to the public cloud is cost — it should be embedded in any architecture or design decision. 
Engineers and architects need to understand the pricing model for each service they are planning to use and try to select the most efficient service alternative (such as storage tier, compute size, database type, etc.)\nSummary # The world of IT infrastructure as we currently know it is constantly changing. Organizations would still like to gain value from their past investment in hardware and legacy applications. In my personal opinion, legacy applications that still produce value (until they finally reach the decommission phase) are simply not worth the burden of having to maintain on-prem data centers.\nOrganizations should focus on what brings them value, such as developing new products or providing better services for their customers, and shift the ongoing maintenance to providers who specialize in this field.\nFor startups who were already born in the cloud, the best alternative is building cloud-native applications in the public cloud.\nFor traditional organizations, that still maintain legacy hardware and applications, the most suitable alternative for the short or mid-term is to move away from their existing data centers, to one of the hyper-scale or dedicated hosting providers in their local country.\nIn the long term, organizations should assess all their existing applications and infrastructure, and either decommission old applications, or re-architect / modernize to be deployed in the public cloud, using managed services, modern architectures (microservices, containers, FaaS, event-driven architecture, etc.), using modern deployment methods (i.e., Infrastructure as Code).\nThe future will probably be a mix of hyper-clouds (hosting facilities combined with one or more public clouds), and single or multiple public cloud providers.\nAbout the author # Eyal Estrin is a cloud and information security architect, an AWS Community Builder, and the author of the books Cloud Security Handbook and Security for Cloud Native Applications, with more than 20 
years in the IT industry.\nYou can connect with him on social media (https://linktr.ee/eyalestrin).\nOpinions are his own and not the views of his employer.\n","date":"24 February 2025","externalUrl":null,"permalink":"/posts/hosting-services-the-short-and-mid-term-solution-before-transition-to-the-public-cloud/","section":"Posts","summary":"","title":"Hosting Services — The Short and Mid-Term Solution Before Transition to the Public Cloud","type":"posts"},{"content":"","date":"24 February 2025","externalUrl":null,"permalink":"/categories/hosting-services/","section":"Categories","summary":"","title":"Hosting-Services","type":"categories"},{"content":" When organizations migrate to the public cloud, they often mistakenly look at the cloud as “somebody else’s data center”, or “a suitable place to run a disaster recovery site”, hence, bringing old practices to the public cloud.\nIn the blog, I will review some of the common old (and perhaps bad) practices organizations are still using today in the cloud.\nMistake #1 — The cloud is cheaper # I often hear IT veterans comparing the public cloud to the on-prem data center as a cheaper alternative, due to versatile pricing plans and cost of storage.\nIn some cases, this may be true, but focusing on specific use cases from a cost perspective is too narrow, and missing the benefits of the public cloud — agility, scale, automation, and managed services.\nDon’t get me wrong — cost is an important factor, but it is time to look at things from an efficiency point of view and embed it as part of any architecture decision.\nBegin by looking at the business requirements and ask yourself (among others):\nWhat am I trying to achieve, what capabilities do I need, and then figure out which services will allow you to accomplish your needs?\nDo you need persistent storage? Great. What are your data access patterns? 
Do you need the data to be available in real time, or can you store data in an archive tier?\nYour system needs to respond to customers’ requests — does your application need to provide a fast response to API calls, or is it ok to provide answers from a caching service, while calls are going through an asynchronous queuing service to fetch data?\nMistake #2 — Using legacy architecture components # Many organizations are still using legacy practices in the public cloud — from moving VMs in a “lift \u0026amp; shift” pattern to cloud environments, using SMB/CIFS file services (such as Amazon FSx for Windows File Server, or Azure Files), deploying databases on VMs and manually maintaining them, etc.\nFor static and stable legacy applications, the old practices will work, but for how long?\nBegin by asking yourself:\nHow will your application handle unpredictable loads? Autoscaling is great, but can your application scale down when resources are not needed?\nWhat value are you getting by maintaining backend services such as storage and databases?\nWhat value are you getting by continuing to use commercial license database engines? 
Perhaps it is time to consider using open-source or community-based database engines (such as Amazon RDS for PostgreSQL, Azure Database for MySQL, or OpenSearch) to have wider community support and perhaps be able to minimize migration efforts to another cloud provider in the future.\nMistake #3 — Using traditional development processes # In the old data center, we used to develop monolithic applications, having a stack of components (VMs, databases, and storage) glued together, making it challenging to release new versions/features, upgrade, scale, etc.\nAs more organizations began embracing the public cloud, the shift to a DevOps culture allowed organizations to develop and deploy new capabilities much faster, using smaller teams, each owning a specific component, able to independently release new component versions and take advantage of autoscaling capability, responding to real-time load, regardless of other components in the architecture.\nInstead of hard-coded, manual configuration files, prone to human mistakes, it is time to move to modern CI/CD processes. It is time to automate everything that does not require a human decision, handle everything as code (from Infrastructure as Code, Policy as Code, and the actual application’s code), store everything in a central code repository (and later on in a central artifact repository), and be able to control authorization, auditing, roll-back (in case of bugs in code), and fast deployments.\nUsing CI/CD processes allows us to minimize changes between different SDLC stages, by using the same code (in code repository) to deploy Dev/Test/Prod environments, by using environment variables to switch between target environments, backend services connection settings, credentials (keys, secrets, etc.), while using the same testing capabilities (such as static code analysis, vulnerable package detection, etc.)\nMistake #4 — Static vs. Dynamic Mindset # Traditional deployment had a static mindset. 
Applications were packed inside VMs, containing code/configuration, data, and unique characteristics (such as session IDs). In many cases architectures kept a 1:1 correlation between the front-end component, and the backend, meaning, a customer used to log in through a front-end component (such as a load-balancer), a unique session ID was forwarded to the presentation tier, moving to a specific business logic tier, and from there, sometimes to a specific backend database node (in the DB cluster).\nNow consider what will happen if the front tier crashes or is unresponsive due to high load. What will happen if a mid-tier or back-end tier is not able to respond on time to a customer’s call? How will such issues impact customers’ experience having to refresh, or completely re-login again?\nThe cloud offers us a dynamic mindset. Workloads can scale up or down according to load. Workloads may be up and running offering services for a short amount of time, and be decommissioned when no longer required.\nIt is time to consider immutability. Store session IDs outside compute nodes (from VMs, containers, and Function-as-a-Service).\nStill struggling with patch management? It’s time to create immutable images, and simply replace an entire component with a newer version, instead of having to pet each running compute component.\nUse CI/CD processes to package compute components (such as VM or container images). 
Keep artifacts as small as possible (to decrease deployment and load time).\nRegularly scan for outdated components (such as binaries and libraries), and on any development cycle update the base images.\nKeep all data outside the images, on a persistent storage — it is time to embrace object storage (suitable for a variety of use cases from logging, data lakes, machine learning, etc.)\nStore unique configuration inside environment variables, loaded at deployment/load time (from services such as AWS Systems Manager Parameter Store or Azure App Configuration), and for variables containing sensitive information use secrets management services (such as AWS Secrets Manager, Azure Key Vault, or Google Secret Manager).\nMistake #5 — Old observability mindset # Many organizations migrated workloads to the public cloud, still kept their investment in legacy monitoring solutions (mostly built on top of deployed agents), and shipping logs (from application, performance, security, etc.) from the cloud environment back to on-prem, without considering the cost of egress data from the cloud, or the cost to store vast amounts of logs generated by the various services in the cloud, in many cases still based on static log files, and sometimes even based on legacy protocols (such as Syslog).\nIt is time to embrace a modern mindset. 
It is fairly easy to collect logs from various services in the cloud (as a matter of fact, some logs such as audit logs are enabled for 90 days by default).\nTime to consider cloud-native services — from SIEM services (such as Microsoft Sentinel or Google Security Operations) to observability services (such as Amazon CloudWatch, Azure Monitor, or Google Cloud Observability), capable of ingesting an (almost) infinite amount of events, streaming logs and metrics in near real-time (instead of still using log files), and providing an overview of entire customers service (made out of various compute, network, storage and database services).\nSpeaking about security — the dynamic nature of cloud environments does not allow us to keep legacy systems scanning configuration and attack surface in long intervals (such as 24 hours or several days) just to find out that our workload is exposed to unauthorized parties, that we made a mistake leaving configuration in a vulnerable state (still deploying resources exposed to the public Internet?), or kept our components outdated.\nIt is time to embrace automation and continuously scan configuration and authorization, and gain actionable insights on what to fix, as soon as possible (and what is vulnerable, but not directly exposed from the Internet, and can be taken care of at lower priority).\nMistake #6 — Failing to embrace cloud-native services # This is often due to a lack of training and knowledge about cloud-native services or capabilities.\nMany legacy workloads were built on top of 3-tier architecture since this was the common way most IT/developers knew for many years. 
Architectures were centralized and monolithic, and organizations had to consider scale, and deploy enough compute resources, many times in advance, failing to predict spikes in traffic/customer requests.\nIt is time to embrace distributed systems, based on event-driven architectures, using managed services (such as Amazon EventBridge, Azure Event Grid, or Google Eventarc), where the cloud provider takes care of load (i.e., deploying enough back-end compute services), and we can stream events, and be able to read events, without having to worry whether the service will be able to handle the load.\nWe can’t talk about cloud-native services without mentioning functions (such as AWS Lambda, Azure Functions, or Cloud Run functions). Although functions have their challenges (from vendor opinionated, maximum amount of execution time, cold start, learning curve, etc.), they have so much potential when designing modern applications. To name a few examples where FaaS is suitable we can look at real-time data processing (such as IoT sensor data), GenAI text generation (such as text response for chatbots, providing answers to customers in call centers), video transcoding (such as converting videos to different formats or resolutions), and those are just a small number of examples.\nFunctions can be suitable in a microservice architecture, where for example one microservice can stream logs to a managed Kafka, some microservices can trigger functions to run queries against the backend database, and some can store data to a persistent datastore in a fully-managed and serverless database (such as Amazon DynamoDB, Azure Cosmos DB, or Google Spanner).\nMistake #7 — Using old identity and access management practices # No doubt we need to authenticate and authorize every request and keep the principle of least privilege, but how many times have we seen bad practices such as storing credentials in code or configuration files? 
(“It’s just in the Dev environment; we will fix it before moving to Prod…”)\nHow many times have we seen developers making changes directly on production environments?\nIn the cloud, IAM is tightly integrated into all services, and some cloud providers (such as the AWS IAM service) allow you to configure fine-grained permissions up to specific resources (for example, allow only users from specific groups, who performed MFA-based authentication, access to specific S3 bucket).\nIt is time to switch from using static credentials to using temporary credentials or even roles — when an identity requires access to a resource, it will have to authenticate, and its required permissions will be reviewed until temporary (short-lived / time-based) access is granted.\nIt is time to embrace a zero-trust mindset as part of architecture decisions. Assume identities can come from any place, at any time, and we cannot automatically trust them. Every request needs to be evaluated, authorized, and eventually audited for incident response/troubleshooting purposes.\nWhen a request to access a production environment is raised, we need to embrace break-glass processes, making sure we authorize the right number of permissions (usually for members of the SRE or DevOps team), and permissions will be automatically revoked.\nMistake #8 — Rushing into the cloud with traditional data center knowledge # We should never ignore our team’s knowledge and experience.\nRushing to adopt cloud services, while using old data center knowledge is prone to failure — it will cost the organization a lot of money, and it will most likely be inefficient (in terms of resource usage).\nInstead, we should embrace the change, learn how cloud services work, gain hands-on practice (by deploying test labs and playing with the different services in different architectures), and not be afraid to fail and quickly recover.\nTo succeed in working with cloud services, you should be a generalist. 
The old mindset of specialty in certain areas (such as networking, operating systems, storage, database, etc.) is not sufficient. You need to practice and gain wide knowledge about how the different services work, how they communicate with each other, what are their limitations, and don’t forget — what are their pricing options when you consider selecting a service for a large-scale production system.\nDo not assume traditional data center architectures will be sufficient to handle the load of millions of concurrent customers. The cloud allows you to create modern architectures, and in many cases, there are multiple alternatives for achieving business goals.\nKeep learning and searching for better or more efficient ways to design your workload architectures (who knows, maybe in a year or two there will be new services or new capabilities to achieve better results).\nSummary # There is no doubt that the public cloud allows us to build and deploy applications for the benefit of our customers while breaking loose from the limitations of the on-prem data center (in terms of automation, scale, infinite resources, and more).\nEmbrace the change by learning how to use the various services in the cloud, adopt new architecture patterns (such as event-driven architectures and APIs), prefer managed services (to allow you to focus on developing new capabilities for your customers), and do not be afraid to fail — this is the only way you will gain knowledge and experience using the public cloud.\nAbout the author # Eyal Estrin is a cloud and information security architect, an AWS Community Builder, and the author of the books Cloud Security Handbook and Security for Cloud Native Applications, with more than 20 years in the IT industry.\nYou can connect with him on social media (https://linktr.ee/eyalestrin).\nOpinions are his own and not the views of his employer.\n","date":"13 February 
2025","externalUrl":null,"permalink":"/posts/stop-bringing-old-practices-to-the-cloud/","section":"Posts","summary":"","title":"Stop bringing old practices to the cloud","type":"posts"},{"content":" When building workloads in the public cloud, one of the most fundamental topics to look at is permissions to access resources and take actions.\nThis is true for both human identities (also known as interactive authentication) and for application or service accounts (also known as non-interactive authentication).\nAWS offers its customers multiple ways to enforce guardrails – a mechanism to allow developers or DevOps teams to achieve their goals (i.e., develop and deploy new applications/capabilities) while keeping pre-defined controls (as explained later in this blog post).\nIn this blog post, I will review the various alternatives for enforcing guardrails in AWS environments.\nService control policies (SCPs) # SCPs are organizational policies written in JSON format. They are available only for customers who enabled all features of AWS Organization.\nUnlike IAM policies, which grant identities access to resources, SCPs allow configuring the maximum allowed permissions identities (IAM users and IAM roles) have over resources (i.e., permissions guardrails), within an AWS Organization.\nSCPs can be applied at an AWS Organization root hierarchy (excluding organization management account), an OU level, or to a specific AWS account in the AWS Organization, which makes them impact maximum allowed permissions outside IAM identities control (outside the context of AWS accounts).\nAWS does not grant any access by default - if an AWS service has not been allowed using an SCP somewhere in the AWS Organization hierarchy, no identity will be able to consume it.\nA good example of using SCP is to configure which AWS regions are enabled at the organization level, and as a result, no resources will be created in regions that were not specifically allowed. 
This can be very useful if you have a regulation that requires storing customers\u0026rsquo; data in a specific AWS region (for example – keep all EU citizens’ data in EU regions and deny all regions outside the EU).\nAnother example of configuring guardrails using SCP is enforcing encryption at rest for all objects in S3 buckets. See the policy below:\nSource: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_s3.html\nSCPs are not only limited to security controls; they can also be used for cost. In the example below, we allow the deployment of specific EC2 instance types:\nSource: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_syntax.html\nWhen designing SCPs as guardrails, we need to recall that they have limitations. A service control policy has a maximum size of 5120 characters (including spaces), which means there is a maximum number of conditions and amount of fine-grained policy you can configure using SCPs.\nAdditional references:\nhttps://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html\nhttps://github.com/aws-samples/service-control-policy-examples\nResource control policies (RCPs) # RCPs, similarly to SCPs, are organizational policies written in JSON format. They are available only for customers who enabled all features of AWS Organization.\nUnlike IAM policies, which grant identities access to resources, RCPs allow configuring the maximum allowed permissions on resources, within an AWS Organization.\nRCPs are not enough to be able to grant permissions to resources – they only serve as guardrails. 
To be able to access a resource, you need to assign the resource an IAM policy (an identity-based or resource-based policy).\nCurrently (December 2024), RCPs support only Amazon S3, AWS STS, Amazon SQS, AWS KMS and AWS Secrets Manager.\nRCPs can be applied at an AWS Organization root hierarchy (excluding organization management account), an OU level, or to a specific AWS account in the AWS Organization, which makes them impact maximum allowed permissions outside IAM identities control (outside the context of AWS accounts).\nAn example of using RCP can be to require a minimum version of TLS protocol when accessing an S3 bucket:\nSource: https://github.com/aws-samples/resource-control-policy-examples/blob/main/Service-specific-controls/S3-Enforce-TLS-version.json\nAnother example can be to enforce HTTPS traffic to all supported services:\nSource: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps_examples.html\nAnother example of using RCPs is to prevent external access to sensitive resources such as S3 buckets.\nLike SCPs, RCPs have limitations. 
A resource control policy has a maximum size of 5120 characters (including spaces), which means there is a maximum number of conditions and amount of fine-grain policy you can configure using RCPs.\nAdditional references:\nhttps://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps.html\nhttps://github.com/aws-samples/resource-control-policy-examples\nhttps://github.com/aws-samples/data-perimeter-policy-examples\nDeclarative policies # Declarative policies allow customers to centrally enforce a desired configuration state for AWS services, regardless of changes in service features or APIs.\nDeclarative policies can be created using AWS Organizations console, AWS CLI, CloudFormation templates, and AWS Control Tower.\nCurrently (December 2024), declarative policies support only Amazon EC2, Amazon EBS, and Amazon VPC.\nDeclarative policies can be applied at an AWS Organization root hierarchy, an OU level, or to a specific AWS account in the AWS Organization.\nAn example of using Declarative policies is to block resources inside a VPC from reaching the public Internet:\nSource: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_declarative_syntax.html\nAnother example is to configure default IMDS settings for new EC2 instances:\nSource: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_declarative_syntax.html\nLike SCPs and RCPs, Declarative policies have their limitations. 
A declarative policy has a maximum size of 10,000 characters (including spaces).\nAdditional references:\nhttps://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_declarative.html\nhttps://aws.amazon.com/blogs/aws/simplify-governance-with-declarative-policies/\nhttps://docs.aws.amazon.com/controltower/latest/controlreference/declarative-controls.html\nPermission boundaries # Permission boundaries are advanced IAM features that define the maximum permissions granted using identity-based policies attached to an IAM user or IAM role (but not directly to IAM groups), effectively creating a boundary around their permissions, within the context of an AWS account.\nPermissions boundaries serve as guardrails, allowing customers to centrally configure restrictions (i.e., limit permissions) on top of IAM policies – they do not grant permissions.\nWhen applied, the effective permissions are as follows:\nIdentity level: Identity-based policy + permission boundaries = effective permissions\nResource level: Resource-based policy + Identity-based policy + permission boundaries = effective permissions\nOrganizations level: Organizations SCP + Identity-based policy + permission boundaries = effective permissions\nTemporary Session level: Session policy + Identity-based policy + permission boundaries = effective permissions\nAn example of using permission boundaries to allow access only to Amazon S3, Amazon CloudWatch, and Amazon EC2 (which can be applied to a specific IAM user):\nSource: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html\nAnother example is to restrict an IAM user to specific actions and resources:\nSource: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html\nLike SCPs, RCPs, and Declarative policies, permission boundaries have their limitations. 
A permission boundary has a maximum size of 6144 characters (including spaces), and you can have up to 10 managed policies and 1 permissions boundary attached to an IAM role.\nAdditional references:\nhttps://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html\nhttps://aws.amazon.com/blogs/security/when-and-where-to-use-iam-permissions-boundaries/\nhttps://github.com/aws-samples/example-permissions-boundary\nSummary # In this blog post, I have reviewed the various alternatives that AWS offers its customers to configure guardrails for accessing resources within AWS Organizations at a large scale.\nEach alternative serves a slightly different purpose, as summarized below:\nI encourage you to read AWS documentation, explaining the logic for evaluating requests to access resources:\nhttps://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic_policy-eval-denyallow.html\nI also highly recommend you watch the lecture \u0026ldquo;Security invariants: From enterprise chaos to cloud order from AWS re:Invent 2024\u0026rdquo;:\nhttps://www.youtube.com/watch?v=aljwG4N5a-0\nAbout the author # Eyal Estrin is a cloud and information security architect, an AWS Community Builder, and the author of the books Cloud Security Handbook and Security for Cloud Native Applications, with more than 20 years in the IT industry.\nYou can connect with him on social media (https://linktr.ee/eyalestrin).\nOpinions are his own and not the views of his employer.\n","date":"23 December 2024","externalUrl":null,"permalink":"/posts/enforcing-guardrails-in-the-aws-environment/","section":"Posts","summary":"","title":"Enforcing guardrails in the AWS environment","type":"posts"},{"content":"","date":"21 December 2024","externalUrl":null,"permalink":"/posts/custom/gdprpolicies/privacy-policy/","section":"Posts","summary":"","title":"Privacy Policy","type":"posts"},{"content":" Anyone who has been following me on social media knows that I am a huge advocate of 
the public cloud.\nBy now, we are just after the biggest cloud conferences — Microsoft Ignite 2024 and AWS re:Invent 2024, and just before the end of 2024.\nAs we are heading to 2025, I thought it would be interesting to share my wishes from the public cloud providers in the coming year.\nResiliency and Availability # The public cloud has existed for more than a decade, and at least according to the CSPs documentation, it is designed to survive major or global outages impacting customers all over the world.\nAnd yet, in 2024 each of the CSPs had suffered from major outages. To name a few:\nSummary of the Amazon Kinesis Data Streams Service Event in Northern Virginia (US-EAST-1) Region\nAzure Incident Retrospective: Storage issues in Central US\nIncident affecting Cloud Firestore, Google App Engine, Google Cloud Functions\nIn most cases, the root cause of outages originates from unverified code/configuration changes, or lack of resources due to spike or unexpected use of specific resources.\nThe result always impacts customers in a specific region, or worse in multiple regions.\nAlthough CSPs implement different regions and AZs to limit the blast radius and decrease the chance of major customer impact, in many cases we realize that critical services have their control plane (the central management system that provides orchestration, configuration, and monitoring capabilities) deployed in a central region (usually in East US data centers), and the blast radius impact customers all over the world.\nMy wish for 2025 from CSPs — improve the level of testing, and observability, for any code or configuration change (whether done by engineers, or by automated systems).\nFor the long term, CSPs should find a way to design the service control plane to be synced and spread across multiple regions (at least one copy in each continent), to limit the blast radius of global outages.\nSecure by Default # Reading the announcements of new services, and the service official 
documentation, we can learn the CSPs understand the importance of “secure by default”, i.e., enabling a service or capability, where security configuration was designed from day 1.\nAnd yet, in 2024 each of the CSPs had suffered from security incidents resulting from a misconfiguration. To name a few:\nAWS Security Bulletin AWS-2024–003\nMicrosoft Power Pages: Data Exposure Reviewed\nExploring Google Cloud Default Service Accounts: Deep Dive and Real-World Adoption Trends\nIt is always best practice to read the vendor’s documentation, and understand the default settings or behavior of every service or capability we are enabling, however, following the shared responsibility model, as customers, we expect the CSPs to design everything secured by default.\nI understand that some CSPs’ product groups have an agenda for releasing new services to the market as quickly as possible, allowing customers to experience and adopt new capabilities, but security must be job zero.\nMy wish for 2025 from CSPs is to put security higher in your priorities — this is relevant for both the product groups and the development teams of each product.\nInvest in threat modeling, from the design phase until each service/capability is deployed to production, and try to anticipate what could go wrong.\nChoose secure/closed by default (and provide documentation to allow customers to choose if they wish to change the default settings), instead of keeping services exposed, which forces customers to make changes after the fact, after their data was already exposed to unauthorized parties.\nService Retirements # I understand that from time to time a product group, or even the business of a CSP reviews the list of currently available services and decides to retire a service, leaving their customers with no alternative or migration path.\nIn 2024 we saw several publications of service retirements. 
To name a few:\nAWS to discontinue Cloud9, CodeCommit, CloudSearch, and several other services\nAzure Media Services retirement guide\nGoogle Cloud Platform (GCP) has announced the end-of-sale for Cloud Source Repositories\nThe leader of service retirement/deprecation is GCP, followed by Azure.\nIn some cases, customers receive (short) notice, asking them to migrate their data and find an alternate solution, but from a customer point of view, it does not look good (to be politically correct), that the services that we have been using for a while have now stopped working and we need to find alternate solutions for production environments.\nAlthough AWS service was far from being ideal while decommissioning services such as Cloud9, and CodeCommit, their approach is different from the rest of the cloud providers, with their working backwards development methodology.\nMy wish for 2025 from CSPs is to put customers first and do market research beforehand. Check with your customers what capabilities they are looking for, before beginning the development of a new service.\nEven if the market changes over time, remember that you have production customers using your services. Prepare alternatives in advance and a documented migration path to those alternatives. 
Do everything you can to support services for a very long time, and if there is no other alternative, keep supporting your services, even with no new capabilities, but at least your customers will know that in case of production issues, or discovered security vulnerabilities, they will have support and an SLA.\nCost and Economics of Scale # When organizations began migrating their on-prem workloads to the public cloud, the notion was that due to economics of scale, the CSPs would be able to offer their customers cost-effective alternatives for consuming services and infrastructure, compared to the traditional data centers.\nMany customers got the equation wrong, trying to compare the cost of hardware (such as VMs and storage) between their data center, and the public cloud alternative, without adding to the equation the cost of maintenance, licensing, manpower, etc., and the result was a higher cost for “lift \u0026amp; shift” migrations in the public cloud. In the long run, after a decade of organizations working with the public cloud, the alternative of re-architecture provides much better and cost-effective results.\nAlthough we have not seen documented publications of CSPs announcing an increase in service costs, there are cases that from a customer’s point of view simply do not make sense.\nA good example is egress data cost. If all CSPs do not charge customers for ingress data costs, there is no reason to charge for egress data costs. It is the same hardware, so I really cannot understand the logic in high (or any) charges of egress data. 
Customers should have the option to pull data from their cloud accounts (sometimes to keep data on-prem in hybrid environments, and sometimes to allow migration to other CSPs), without being charged.\nThe same rule applies to inter-zone traffic charges (see AWS and GCP documentation), or to enabling private traffic inside the CSP’s backbone (see AWS, Azure, and GCP documentation).\nMy wish for 2025 from CSPs is to put customers first. CSPs are already encouraging customers to build highly-available infrastructure spanning multiple AZs, and encouraging customers to keep the services that support customers’ data private (and not exposed to the public Internet). Although the public cloud is a business that wishes to gain revenue, CSPs should think about their customers, and offer them more capabilities, but at lower prices, to make the public cloud the better and cost-effective alternative to the traditional data centers.\nVendor Lock-In # This was a challenge from the initial days of the public cloud. Each CSP offered its alternative and list of services, with different capabilities, and naturally different APIs.\nFrom an architectural point of view, customers should first understand the business demands, before choosing a technology (or specific services from a specific CSP).\nEach CSP offers its services, and it does not mean it has to be a negative thing — if in doubt, I highly recommend watching the lecture “Do modern cloud applications lock you in?” by Gregor Hohpe, from AWS re:Invent 2023.\nIn the past, there was the notion that packaging our applications inside containers and perhaps using Kubernetes (in its various managed alternatives), would enable customers to switch between cloud providers or deploy highly-available workloads on top of multiple CSPs. This notion was found to be false since containers do not live in a vacuum, and customers do not pack their entire application inside a single container/microservice. 
Cloud-native applications are deployed inside a cloud eco-system, and consume data from other services such as storage, networking, databases, message queuing, etc., so trying to migrate between CSPs will still require a lot of effort connecting to different sets of APIs.\nMy wish for 2025 from CSPs, and I know it is a lot to ask, but could you invest in standardization of your APIs?\nInstead of customers having to add abstraction layers on top of cloud services, forcing them to choose the lower common denominator, why not offer the same APIs, and hopefully the same (or mostly the same) capabilities?\nIf we look at Kubernetes, and its CSI Storage, as two examples — they allow customers to consume container orchestration and backend storage using similar APIs, and they are both supported by the CNCF, which allows customers an easy alternative to deploy and maintain cloud resources, even on top of different CSPs.\nSummary # There are a lot more things I wish Santa Claus could bring me in 2025, but as it relates to the public cloud, I truly wish each of the CSPs product group could read my blog post and begin making the required changes to allow customers better experience in all the areas that I have mentioned in my blog post.\nFor the readers in the audience, feel free to contact me on social media, and share with me your thoughts about this blog post.\nAbout the author # Eyal Estrin is a cloud and information security architect, an AWS Community Builder, and the author of the books Cloud Security Handbook and Security for Cloud Native Applications, with more than 20 years in the IT industry.\nYou can connect with him on social media (https://linktr.ee/eyalestrin).\nOpinions are his own and not the views of his employer.\n","date":"9 December 2024","externalUrl":null,"permalink":"/posts/my-2025-wishlist-for-public-cloud-providers/","section":"Posts","summary":"","title":"My 2025 Wishlist for Public Cloud Providers","type":"posts"},{"content":" In 2020 I published a 
blog post called \u0026ldquo;What makes a good cloud architect?\u0026rdquo;, where I tried to lay out some of the main qualities required to become a good cloud architect.\nFour years later, I still believe most of the qualities are crucial, but I would like to focus on what I believe today is critical to succeed as a cloud architect.\nBe able to see the bigger picture # A good cloud architect must be able to see the bigger picture.\nBefore digging into details, an architect must be able to understand what the business is trying to achieve (from a chatbot, e-commerce mobile app, a reporting system for business analytics, etc.)\nNext, it is important to understand technological constraints (such as service cost, resiliency, data residency, service/quota limits, etc.)\nA good architect will be able to translate business requirements, together with technology constraints, into architecture.\nBeing multi-lingual # An architect should be able to speak multiple languages – speak to business decision-makers understand their goals, and be able to translate it to technical teams (such as developers, DevOps, IT, engineers, etc.)\nThe business never comes with a requirement \u0026ldquo;We would like to expose an API to end-customers\u0026rdquo;. 
They will probably say \u0026ldquo;We would like to provide customers valuable information about investments\u0026rdquo; or \u0026ldquo;Provide patients with insights about their health\u0026rdquo;.\nBeing multi-disciplinary # There is always the debate between someone who is a specialist in a certain area (from being an expert in a specific cloud provider\u0026rsquo;s eco-system or being an expert in specific technology such as Containers or Serverless) and someone who is a generalist (having broad knowledge about cloud technology from multiple cloud providers).\nI am always in favor of being a generalist, having hands-on experience working with multiple services from multiple cloud providers, knowing the pros and cons of each service, making it easier to later decide on the technology and services to implement as part of an architecture.\nBeing able to understand modern technologies # The days of architectures based on VMs are almost gone.\nA good cloud architect will be able to understand what an application is trying to achieve, and be able to embed modern technologies:\nMicroservice architecture, to split a complex workload into small pieces, developed and owned by different teams\nContainerization solutions, from managed Kubernetes services to simpler alternatives such as Amazon ECS, Azure Container Apps, or Google Cloud Run\nFunction-as-a-Service, being able to process specific tasks such as image processing, handling user registration, error handling, and much more.\nNote: Although FaaS is considered vendor-opinionated, and there is no clear process to migrate between cloud providers, once decided on a specific CSP, a good architect should be able to find the pros for using FaaS as part of an application architecture.\nEvent-driven architecture has many benefits in modern applications, from decoupling complex architecture, the ability for different components to operate independently, the ability to scale specific components (according to 
customers\u0026rsquo; demand) without impacting other components of the application, and more. Microservices, Containers, or FaaS does not have to be the answer for every architecture, but a good cloud architect will be able to find the right tools to achieve the business goals, sometimes by combining different technologies.\nWe must remember that technology and architecture change and evolve. A good cloud architect should reassess past architecture decisions, to see if, over time, different architecture can provide better results (in terms of cost, security, resiliency, etc.)\nUnderstanding cloud vs. on-prem # As much as I admire organizations that can design, build, and deploy production-scale applications in the public cloud, I admit the public cloud is not a solution for 100% of the use cases.\nA good cloud architect will be able to understand the business goals, with technological constraints (such as cost, resiliency requirements, regulations, team knowledge, etc.), and be able to understand which workloads can be developed as cloud-native applications, and which workloads can remain, or even developed from scratch on-prem.\nI do believe that to gain the full benefits of modern technologies (from elasticity, infinite scale, use of GenAI technology, etc.) an organization should select the public cloud, but for simple or stable workloads, an organization can find suitable solutions on-prem as well.\nThoughts of Experienced Architects # Make unbiased decisions # \u0026ldquo;A good architecture allows major decisions to be deferred (to a time when you have more information). A good architecture maximizes the number of decisions that are not made. A good architecture makes the choice of tools (database, frameworks, etc.) irrelevant.\u0026rdquo;\nSource: Allen Holub\nBeware the Assumptions # \u0026ldquo;Unconscious decisions often come in the form of assumptions. 
Assumptions are risky because they lead to non-requirements, those requirements that exist but were not documented anywhere. Tacit assumptions and unconscious decisions both lead to missed expectations or surprises down the road.\u0026rdquo;\nSource: Gregor Hohpe\nCloud building blocks – putting things together # \u0026ldquo;A cloud architect is a system architect responsible for putting together all the building blocks of a system to make an operating application. This includes understanding networking, network protocols, server management, security, scaling, deployment pipelines, and secrets management. They must understand what it takes to keep systems operational.\u0026rdquo;\nSource: Lee Atchison\nBeing a generalist # \u0026ldquo;Good generalists need to cast a wider net to define the best-optimized technologies and configurations for the desired business solution. This means understanding the capabilities of all cloud services and the trade-offs of deploying a heterogeneous cloud solution.\u0026rdquo;\nSource: David Linthicum\nThe importance of cost considerations # \u0026ldquo;By considering cost implications early and continuously, systems can be designed to balance features, time-to-market, and efficiency. Development can focus on maintaining lean and efficient code. And operations can fine-tune resource usage and spending to maximize profitability.\u0026rdquo;\nSource: Dr. 
Werner Vogels\nSummary # There are many more qualities of a good and successful cloud architect (from understanding cost decisions, cybersecurity threats and mitigations, designing for scalability, high availability, resiliency, and more), but in this blog post, I have tried to mention the qualities that in 2024 I believe are the most important ones.\nWhether you just entered the role of a cloud architect, or if you are an experienced cloud architect, I recommend you keep learning, gain hands-on experience with cloud services and the latest technologies, and share your knowledge with your colleagues, for the benefit of the entire industry.\nAbout the author # Eyal Estrin is a cloud and information security architect, and the author of the books Cloud Security Handbook and Security for Cloud Native Applications, with more than 20 years in the IT industry.\nYou can connect with him on social media (https://linktr.ee/eyalestrin).\nOpinions are his own and not the views of his employer.\n","date":"22 October 2024","externalUrl":null,"permalink":"/posts/qualities-of-a-good-cloud-architect/","section":"Posts","summary":"","title":"Qualities of a Good Cloud Architect","type":"posts"},{"content":" Over the past year, I have seen a lot of posts on social media about organizations moving back from the public cloud to on-prem.\nIn this blog post, I will explain why I believe it is nothing more than a myth, and why the public cloud is the future.\nIntroduction # Anyone who follows my posts on social media knows that I am a huge advocate of the public cloud.\nBack in 2023, I published a blog post called \u0026ldquo;How to Avoid Cloud Repatriation\u0026rdquo;, where I explained why I believe that organizations rushed to the public cloud, without having a clear strategy, that would guide them on which workloads are suitable to run in the public cloud, to invest in cost management and employee training, etc.\nI am aware of Barclay\u0026rsquo;s report from mid-2024 claiming that 
according to conversations they had with CIOs, 83% of the surveyed organizations plan to move workloads back to private cloud, while another report from Synergy Research Group (published in August 2024), claims that \u0026ldquo;hyper-scale operators are 41% of the worldwide capacity of all data centers\u0026rdquo;, and \u0026ldquo;Looking ahead to 2029, hyper-scale operators will account for over 60% of all capacity, while on-premises will drop to just 20%\u0026rdquo;.\nAnalysts claim there is a trend of organizations moving back to on-prem, but the newspapers are far from being filled with customer stories (specifically enterprises), who moved their production workloads from the public cloud to on-prem.\nYou may be able to find some stories about small companies (with stable workloads and highly skilled personnel), who decided to move back to on-prem, but it is far from being a trend.\nI do not disagree that large workloads in the public cloud will cost an organization a lot of money, but it raises a question:\nHas the organization embedded cost as part of any architecture decision from day 1, or has the organization ignored cost for a long time and realized now that the usage of cloud resources costs a lot of money if not managed properly?\nWhy do I believe the future is in the public cloud? 
# I am not looking at the public cloud as a solution for all IT questions/issues.\nAs with any (kind of) new field, an organization must invest in learning the topic from the bottom up, consult with experts, create a cloud strategy, and invest in cost, security, sustainability, and employee training, to be able to get the full benefits of the public cloud.\nLet us dig deeper into some of the main areas where we see benefits of the public cloud:\nScalability # One of the huge benefits of the public cloud is the ability to scale horizontally (i.e., add or remove compute, storage, or network resources according to customer demand).\nWere you able to horizontally scale using the traditional virtualization on-prem? Yes.\nDid you have the capacity to scale virtually without limit? No. Organizations are always limited by the amount of hardware they purchase and deploy in their on-prem data center.\nData center management # Regardless of what people may believe, most organizations do not have the experience of building and maintaining data centers to be physically secure, energy sustainable, and highly available at CSP grade.\nData centers do not produce any business value (unless you are in the data center or hosting industry), and in most cases, moving the responsibility to a cloud provider will be more beneficial for most organizations.\nHardware maintenance # Let us assume your organization decided to purchase expensive hardware for their SAP HANA cluster, or an NVIDIA cluster with the latest GPUs for AI/ML workloads.\nIn this scenario, your organization will need to pay in advance for several years, train your IT on deployment and maintenance of the purchased hardware (do not forget the cooling of GPUs…), and the moment you complete deploying the new hardware, your organization is in charge of the on-going maintenance, until the hardware becomes outdated (probably a couple of weeks/months after you purchased the hardware), and now you are stuck with old 
hardware, that will not be able to suit your business needs (such as the latest GenAI LLMs).\nIn the public cloud, you pay for the resources that you need, scale as needed, and pay only for the resources being used (unless you decide to go for Spot, or savings plans, to lower the total costs).\nUsing or experimenting with new technology # In the traditional data center, we are stuck with a static data center mentality, i.e., use what you currently have.\nOne of the greatest capabilities the public cloud offers us is switching to a dynamic mindset. Business managers would like their organizations to provide new services to their customers, in a short time-to-market.\nA new mindset encourages experimentation, allowing development teams to build new products, experiment with them, and if the experiment fails, switch to something else.\nOne of the examples of experimentation is the spiky usage of GenAI technology. Suddenly everyone is using (or planning to use) LLMs to build solutions (from chatbots, through text summarization, to image or video generation).\nOnly the public cloud will allow organizations to experiment with the latest hardware and the latest LLMs for building GenAI applications.\nIf you try to experiment with GenAI on-prem, you will have to purchase dedicated hardware (which will soon get outdated and will not be sufficient for your business needs for a long time), and you will suffer from resource limitations (at least when using the latest LLMs).\nStorage capacity # In the traditional data center, organizations (almost) always suffer from limited storage capacity.\nThe more organizations collect data (for business analytics, providing customers added-value, research, AI/ML, etc.), the more data will be produced and need to be stored.\nOn-prem, you are eventually limited by the amount of storage you can purchase and physically deploy in your data center.\nOnce organizations (usually large enterprises) store PBs of data in the public cloud, the 
cost and time to move such amounts of data out of the public cloud to on-prem (or even to another cloud provider), will be so high, that eventually, most organizations will keep their data as is, and it will become a hard decision to move out of their existing cloud provider.\nModern / Cloud-native applications # Building modern applications changes the way organizations develop and deploy new applications.\nMost businesses would like to move faster and provide new solutions to their customers.\nAlthough you could develop new applications based on Kubernetes on-prem, the cost and complexity of managing the control plane, and the limited scale capabilities, will make your solution a wannabe cloud. A small and pale version of the public cloud.\nYou could find Terraform/OpenTofu providers for some of the resources that exist on-prem (mostly for the legacy virtualization), but how do you implement infrastructure-as-code (not to mention policy-as-code) in legacy systems? How will you benefit from automated system deployment capabilities?\nConversation about data residency/data sovereignty # This is a hot topic, at least since the GDPR in the EU became effective in 2018.\nToday most public cloud providers have regions in most (if not all) countries with data regulation laws.\nNot to mention that 85-90 percent of all IaaS/PaaS solutions are regional, meaning, the CSP will not transfer your data from the EU to the US unless you specifically design your workloads accordingly (due to egress data cost, and service built-in limitations).\nIf you want to add an extra layer of assurance, choose cloud services that allow you to encrypt your data using customer-managed keys (i.e., keys that the customer controls the key generation and rotation process).\nSummary # I am sure we can continue and deep dive into the benefits of the public cloud vs. 
the limitations of the on-prem data center (or what people sometimes refer to as \u0026ldquo;private cloud\u0026rdquo;).\nFor the foreseeable future (and I am not saying this as something beneficial), we will continue to see hybrid clouds, while more and more organizations will see the benefits of the public cloud and migrate their production workloads and data to the public cloud.\nWe will continue to find scenarios where the on-prem and legacy applications will continue to provide value for organizations, but as technology evolves (see GenAI for example), we will see more and more organizations consuming public cloud services.\nTo gain the full benefit of the public cloud, organizations need to understand how the public cloud can support their business, allowing them to focus on what matters (such as developing new services for their customers), and lower the work on data center maintenance.\nOrganizations should not neglect cost, security, sustainability, and employee training, to be able to gain the full benefit of the public cloud.\nI strongly believe that the public cloud is the future, for developing innovative solutions, while shifting the hardware and data center responsibility to companies that specialize in this field.\nWhy do I call it an \u0026ldquo;unpopular opinion\u0026rdquo;? When people are reluctant to change, they would rather stick with what they know and are familiar with. 
Change can be challenging, but if organizations embrace the change, look strategically into the future, embed cost into their decisions, and invest in employee training, they will be able to adapt to the change and see its benefits.\nAbout the author # Eyal Estrin is a cloud and information security architect, and the author of the books Cloud Security Handbook and Security for Cloud Native Applications, with more than 20 years in the IT industry.\nYou can connect with him on social media (https://linktr.ee/eyalestrin).\nOpinions are his own and not the views of his employer.\n","date":"10 October 2024","externalUrl":null,"permalink":"/posts/unpopular-opinion-about-moving-back-to-on-prem/","section":"Posts","summary":"","title":"Unpopular opinion about \"Moving back to on-prem\"","type":"posts"},{"content":"","date":"19 September 2024","externalUrl":null,"permalink":"/categories/career/","section":"Categories","summary":"","title":"Career","type":"categories"},{"content":" Business leaders around the world understand the importance of cybersecurity for supporting the business, complying with laws and regulations, and earning customers’ trust.\nGood CISOs know how to lead cybersecurity efforts, from raising money for the cybersecurity budget, taking part in incident investigation, recruiting talents to support the security efforts, and making sure their organizations remain safe (as much as possible).\nThere is one topic not getting enough attention – employees’ burnout.\nNo doubt working in cybersecurity is stressful – and it impacts all levels – from the top management of CISO/CSO to the lower levels of any practitioner in the industry.\nTo keep up in a cybersecurity role, you need to have passion for what you do. 
Find the time to keep up with technology evolvement, and new attacks published every day, while still doing your everyday job, in protecting the organizations you work for.\nLet us talk about some statistics:\n67% of responders say \u0026ldquo;My organization has a significant shortage of cybersecurity staff to prevent and troubleshoot cybersecurity issues\u0026rdquo; (Source: ISC2 2023 cybersecurity workforce study)\n90% of organizations have skills gaps within their security teams (Source: ISC2 2024 cybersecurity workforce study)\n90% of CISOs globally say they are concerned about the impact of stress, fatigue, and burnout on their workforce’s well-being (Source: Hack the Box)\n89% of cybersecurity professionals globally say the workload, volume of projects to deliver, and the time needed to deliver tasks are the key causes of burnout (Source: Hack the Box)\n74% of cybersecurity professionals globally say that they have taken time off due to work-related mental well-being problems (Source: Hack the Box)\n32% of CISOs or IT Cybersecurity Leaders in the UK and US are considering leaving their current organization (Source: BlackFog)\n30% cited the lack of work-life balance (Source: BlackFog)\n27% stated that too much time was spent on firefighting rather than focusing on strategic issues (Source: BlackFog)\nWe can see that cybersecurity employees (at all levels) suffer from huge stress as part of their daily work, struggling to keep up with their ongoing tasks, and balancing personal time with their families.\nGood CISOs/CSOs will know how to do their job, pushing the boundaries and protecting their organizations, but the big question is – do CISOs/CSOs have the emotional intelligence to focus on their most important asset – employees?\nCan cybersecurity leaders find the time to speak with their employees, to sense when the tension is too much for an employee to handle, and do something about it?\nThe work of cybersecurity teams is crucial for organizations (keep 
the organization safe and secure, comply with regulations, and earn customers’ trust), but if organizations ignore the human factor, they will lose valuable employees, and we already have a talent shortage in the cybersecurity industry.\nCISO/CSO – do not wait until your talents reach burnout and resign, have a personal conversation with them, try to lower the load on employees (among others by raising the budget for more positions in the cybersecurity teams), and never neglect your employees.\nAbout the author # Eyal Estrin is a cloud and information security architect, and the author of the books Cloud Security Handbook and Security for Cloud Native Applications, with more than 20 years in the IT industry.\nYou can connect with him on social media (https://linktr.ee/eyalestrin).\nOpinions are his own and not the views of his employer.\n","date":"19 September 2024","externalUrl":null,"permalink":"/posts/cybersecurity-burnout-is-a-real-risk/","section":"Posts","summary":"","title":"Cybersecurity burnout is a real risk","type":"posts"},{"content":" When designing solutions in the cloud, there is (almost) always more than one alternative for achieving the same goal.\nOne of the characteristics of cloud-native applications is the ability to have an automated development process (such as the use of CI/CD pipelines).\nIn this blog post, I will compare serverless solutions for developing and hosting web and mobile applications in the cloud.\nWhy choose a serverless solution? 
# From a developer\u0026rsquo;s point of view, there is (almost) no value in maintaining infrastructure – the whole purpose is to enable developers to write new applications/features and provide value to the company\u0026rsquo;s customers.\nServerless platforms allow us to focus on developing new applications for our customers, without the burden of maintaining the lower layers of the infrastructure, i.e., virtual machine scale, patch management, host machine configuration, and more.\nServerless development and hosting platforms allow us CI/CD workflow, from Git repository to the build stage, and finally deployment to the various application stages (Dev, Test, Prod), in a single solution (Git repos is still outside the scope of such services).\nServerless development and hosting platforms allow us to deploy fully functional applications at any scale – from a small test environment to a large-scale production application, which we can put behind a content delivery network (CDN), and a WAF, and be accessible for external or internal customers.\nServerless development platform workflow # Below is a sample workflow for developing and deploying an application based on a Serverless platform:\nA developer writes code and pushes the code to a Git repository\nA new application is configured using AWS Amplify, based on the code from the Git repository\nThe AWS Amplify pulls secrets from AWS Secrets Manager to connect to AWS resources\nThe new application is configured to connect to Amazon S3 for uploading static content\nThe new application is configured to connect to Amazon DynamoDB for storing and retrieving data\nThe new application has been deployed using AWS Amplify\nNote: The example below is based on AWS services but can be configured similarly to other cloud platforms mentioned in this blog post.\nService Comparison # The table below provides a high-level comparison of commonly used Serverless development and hosting platforms, from the major cloud 
providers:\nService comparison (development languages, framework, and platform support) # The table below provides a comparison of development languages and frameworks supported by Serverless development and hosting platforms, from the major cloud providers:\nService comparison (security features) # The table below provides a comparison of security features supported by Serverless development and hosting platforms, from the major cloud providers:\nSummary # Serverless development and hosting platforms offer us an alternative for automating the development lifecycle of cloud-native applications, with built-in integration with cloud providers\u0026rsquo; eco-system.\nFor simple web or mobile applications, I recommend considering using one of the services discussed in this blog post, as compared to the alternative of having to learn and maintain an entire suite of services for running a CI/CD pipeline, and the requirement to decide where to deploy and host applications to production (from VMs, containers platforms, and other hosting solutions).\nReference documentation # AWS Amplify\nAzure Static Web Apps\nGoogle Firebase\nCloudflare Pages\nAbout the author # Eyal Estrin is a cloud and information security architect, and the author of the books Cloud Security Handbook and Security for Cloud Native Applications, with more than 20 years in the IT industry.\nYou can connect with him on social media (https://linktr.ee/eyalestrin).\nOpinions are his own and not the views of his employer.\n","date":"26 August 2024","externalUrl":null,"permalink":"/posts/comparison-of-serverless-development-and-hosting-platforms/","section":"Posts","summary":"","title":"Comparison of Serverless Development and Hosting Platforms","type":"posts"},{"content":" Anyone who has been following my past content on social media knows that I am a huge advocate for cloud adoption, and I have been focusing on various topics related to cloud in the past almost a decade.\nWhile organizations taking their 
first steps using the public cloud or rushing into the public cloud, they are making a lot of mistakes, to name a few:\nFailing to understand why they are using the cloud in the first place, and what value the public cloud can bring to their business\nBringing a legacy data center mindset and practices and trying to implement them in the public cloud, which results in inefficiencies\nNot embedding cost as part of architecture decisions, which results in high cloud usage costs\nIn this post, we will focus on the next steps in embracing the public cloud, or what is sometimes referred to as Day 2 cloud operations.\nWhat do all those dates mean? # When compared to software engineering, Day 0 is known as the design phase. You collect requirements for moving an application to the cloud, or for developing a new application in the cloud.\nDay 1 in cloud operations is where most organizations are stuck. They begin migrating several applications to the cloud, deploying some workloads directly into cloud environments, and perhaps even running the first production applications for several months, or even a year or two. This is the phase where development and DevOps teams are still debating about selecting the most appropriate infrastructure (VMs, containers, perhaps even Serverless, managed vs. self-managed services, etc.)\nDay 2 in cloud operations is where things are getting interesting. Teams begin to realize the ongoing cost of services, the amount of effort required to deploy and maintain workloads manually, security aspects in cloud environments, and various troubleshooting and monitoring of production incidents.\nWhat does Day 2 cloud operations mean? 
# When organizations reach day 2 of their cloud usage, they begin to look at previously made mistakes and begin to fine-tune their cloud operations.\nAutomation is the king # Unless your production contains one or two VMs with a single database, manual work is no longer an option.\nAssuming your applications are not static, it is time to switch the development processes to a CI/CD process, and automate (almost) the entire development lifecycle – from code review, static or dynamic application security testing, quality tests, build creation (for example, packaging from source code to container images), up to the final deployment of a fully functional version of an application.\nThis is also the time to invest in learning and using automated infrastructure deployment using an Infrastructure as Code (IaC) language such as Terraform, OpenTofu, Pulumi, etc.\nThe use of IaC will allow you to benefit from code practices such as code versioning, rollback, audit (who did what change), and naturally the ability to reuse the same code for different environments (dev, test, prod) while gaining the same results.\nRearchitecting and reusing cloud-native capabilities # On Day 1, it may be ok to take traditional architectures (such as manually maintaining VMs), but on Day 2 it is time to take the full benefit of cloud-native services.\nThe easiest way is to replace any manual maintenance of infrastructure with managed services – in most cases, switching to a managed database, storage, or even load-balancers and API gateways, will provide a lot of benefits (such as lower maintenance, resource allocation, etc.), while allowing IT and DevOps teams to focus on supporting and deploying new application versions, instead of operating system and server maintenance.\nIf you are already re-evaluating past architecture decisions, it is time to think about moving to microservices architecture, decoupling complex workloads into smaller and more manageable components, owned by the 
development teams who develop those components.\nFor predictable workloads (in terms of spike load of customer demand), consider using containers.\nIf your developers and DevOps teams are familiar with packaging applications inside containers, but lack experience with Kubernetes, consider using services such as Amazon ECS, Azure App Service, or Google Cloud Run.\nIf your developers and DevOps teams have experience using Kubernetes, consider using one of the managed flavors of Kubernetes such as Amazon EKS, Azure AKS, or Google GKE.\nDo not stop at containers technologies, if your workload is unpredictable (in terms of customers load), consider even taking architecture one step further and consider using Function-as-a-Service (FaaS) such as AWS Lambda, Azure Functions, Google Cloud Functions, or event-driven architectures, using services such as Amazon EventBridge, Azure Event Grid, or Google Eventarc.\nResiliency is not wishful thinking # The public cloud, and the use of cloud-native services, allow us to raise the bar in terms of building highly resilient applications.\nIn the past, we needed to purchase solutions such as load-balancers, API gateways, DDoS protection services, and more, and we had to learn how to maintain and configure them.\nCloud providers offer us managed services, making it easy to design and implement resilient applications.\nCustomers\u0026rsquo; demand has also raised the bar – customers are no longer willing to accept downtime or availability issues while accessing applications – they expect (almost) zero downtime, which forces us to design applications while keeping resiliency in mind from day 1.\nWe need to architect our applications as clusters, deployed in multiple availability zones (and in rare cases even in multiple regions), but also make sure we constantly test the resiliency of our workloads.\nWe should consider implementing chaos engineering, as part of application development and test phases, and be able to conduct controlled 
experiments (at the bare minimum in the test stage, and ideally also in production), to be able to understand the impact of failures on our applications.\nObservability to the aid # The traditional monitoring of infrastructure and applications is no longer sufficient in modern and dynamic applications.\nThe dynamic nature of modern applications, where new components (from containers to functions) are deployed, run for a short amount of time (according to application demand and configuration), and are decommissioned when no longer needed, cannot be handled by traditional monitoring tools (commonly deployed as agents).\nWe need to embed monitoring in every aspect of our workloads, at all layers - from the network layer such as flow logs, infrastructure layer (such as load-balancer, or OS, containers, and functions logs), all the way to application or even customer experience logs.\nStoring logs is not enough – we need managed services that can constantly review logs from various sources (ideally aggregated into a central log system), use machine learning capabilities, try to anticipate issues before they impact customer experience, and provide insights and near real-time recommendations for fixing the problems that arise.\nCost and efficiency # In the public cloud, almost any service has its pricing – sometimes it is the time a compute resource was running, the number of invocations of a running function, a storage service storing files, database queries, or even egress data from the cloud environment back to on-prem or to the public Internet.\nUnderstanding the pricing of each component in a complex architecture is crucial, but not enough.\nWe need to embed cost in every architecture decision, understand what is the most valuable cost option (for example choosing between on-demand, savings plan, or Spot), and monitor each workload\u0026rsquo;s cost regularly.\nCost is very important, but not enough.\nWe need to embed efficiency in any architecture 
decision – are we using the most suitable compute service, are we using the most suitable storage tier (from real-time, to archive), are we using the most suitable functions resources (in terms of Memory/CPU), etc.\nWe need to combine an architect\u0026rsquo;s view (being able to see the bigger picture), with an engineer or developer\u0026rsquo;s experience (being able to write efficient code), to meet the business requirements.\nSecurity is job zero # I cannot stress enough how important security is in today\u0026rsquo;s world.\nI have mentioned before the dynamic nature of modern cloud-native applications, and the evolving threats identified every day require a new mindset when talking about security.\nAt first, we need to embed automation – from testing new versions of code, regularly scanning for vulnerable open-source libraries, embedding SBOM (Software Bill of Materials) solutions (to be able to know which components we are using), automatically deploying security patches, and finally running automated vulnerability scanning tools to detect vulnerabilities as soon as possible.\nWe should consider implementing immutable infrastructure, switching from ever-changing VMs (containing both libraries, configuration, code, and data), to read-only immutable images of VMs or containers, being updated (to new versions), in an automated CI/CD process.\nData must be encrypted end-to-end, to protect its confidentiality and integrity.\nMature cloud providers allow us to manage both encryption keys (using customer-managed keys), and secrets (i.e., static credentials) using managed services, fully supported by (almost) all cloud-native services, which makes it extremely easy to protect data.\nLastly, we should embrace a zero-trust mindset. We should always assume breach, and in this mindset, we should verify any request coming from any customer, over any medium (mobile, public Internet, Wi-Fi, etc.). 
We need to authenticate any customer\u0026rsquo;s request and assign each customer the right number of privileges to access our applications and act, following the principle of least privilege.\nTraining, training, and training # It may be acceptable on day 1 for developers and operational teams to make mistakes, taking their first steps in the public cloud.\nTo allow organizations to move to day 2 cloud operations, we need to heavily invest in employee training.\nEncouraging a culture of experimentation, opening environments in the cloud for employee training, using the many options of online courses, and the fact that most cloud documentation is publicly available, will allow both developers and operational teams to gain confidence in using cloud services.\nAs more and more organizations begin to use more than a single cloud provider (not necessarily a multi-cloud environment, but more than a single vendor), employees are required to have hands-on experience working with several cloud providers, with different platforms, services, and capabilities. 
The best way to achieve this experience is to train and gain experience working with different platforms.\nSummary # It is time for organizations to move on from the day 1 cloud operations phase (initial application deployment and configuration phase) to the day 2 cloud operations phase (fine-tune, and ongoing maintenance phase).\nIt is a change in mindset, but it is crucial for maintaining production applications, in the modern and cloud-native era.\nAbout the author # Eyal Estrin is a cloud and information security architect, and the author of the books Cloud Security Handbook and Security for Cloud Native Applications, with more than 20 years in the IT industry.\nYou can connect with him on social media (https://linktr.ee/eyalestrin).\nOpinions are his own and not the views of his employer.\n","date":"20 August 2024","externalUrl":null,"permalink":"/posts/time-to-move-on-to-day-2-cloud-operations/","section":"Posts","summary":"","title":"Time to move on to Day 2 cloud operations","type":"posts"},{"content":" When designing modern applications in the cloud, there is always the debate – should we base our application on a container engine, or should we go with a fully serverless solution?\nIn this blog post, I will review some of the pros and cons of each alternative, trying to understand which solution we should consider.\nThe containers alternative # Containers have been with us for about 10 years.\nThe Docker engine was released in 2013, and Kubernetes was released in 2015.\nThe concept of packaging an application inside a container image brought many benefits:\nPortability – The ability to run the same code on any system that supports a container engine.\nScalability – The ability to add or remove container instances according to application load.\nIsolation – The ability to limit the blast radius to a single container, instead of the whole running server (which in many cases used to run multiple applications).\nResource Efficiency – Container image is usually 
made of the bare minimum required binaries and libraries (compared to a fully operating system).\nDeveloper experience – The ability to integrate container development processes with developers\u0026rsquo; IDE, and with CI/CD pipelines.\nConsistency – Once you have completed creating the container image and fully tested it, it will be deployed and run in the same way every time.\nFast deployment time – It takes a short amount of time to deploy a new container (or to delete a running container when it is no longer needed).\nContainers are not perfect – they have their disadvantages, to name a few:\nSecurity – The container image is made of binaries, libraries, and code. Each of them may contain vulnerabilities and must be regularly scanned and updated, under the customer’s responsibility.\nStorage challenges – Container images are by default stateless. They should not hold any persistent data, which forces them to connect to external (usually managed) storage services (such as object storage, managed NFS, managed file storage, etc.)\nOrchestration – When designing a containers-based solution, you need to consider the networking side, meaning, how do I separate between a publicly facing interface (for receiving inbound traffic from customers), and private subnets (for deploying containers or Pods, and communication between them).\nContainers are very popular in many organizations (from small startups to large enterprises), and today organizations have many alternatives for running containers – from Amazon ECS, Azure Container Apps, and Google Cloud Run, to managed Kubernetes services such as Amazon EKS, Azure AKS, and Google GKE.\nThe Serverless alternative # Serverless, at a high level, is any solution that does not require end-users to deploy or maintain the underlying infrastructure (mostly servers).\nThere are many services under this category, to name a few:\nObject storage, such as Amazon S3, Azure Blob Storage, and Google Cloud Storage.\nManaged databases, 
such as Amazon Aurora, Azure SQL, and Google Cloud SQL.\nMessage queuing services, such as Amazon SQS, Azure Service Bus, and Google Pub/Sub.\nFunctions as a service (FaaS), such as AWS Lambda, Azure Functions, and Google Cloud Functions.\nThe Serverless alternative usually means the use of FaaS, together with other managed services, in the cloud provider ecosystem (such as running functions based on containers, mounting persistent storage, database, etc.)\nFaaS has been with us for nearly 10 years.\nAWS Lambda became available in 2015, Azure Functions became available in 2016, and Google Cloud Functions became available in 2018.\nThe use of FaaS has advantages, to name a few:\nInfrastructure maintenance – The cloud provider is responsible for maintaining the underlying servers and infrastructure, including resiliency (i.e., deploying functions across multiple AZs).\nFast Auto-scaling – The cloud provider is responsible for adding or removing running functions according to the application\u0026rsquo;s load. 
Customers do not need to take care of scale.\nFast time to market – Customers can focus on what is important to their business, instead of the burden of taking care of the server provisioning task.\nCost – You pay per the amount of time a function was running, and the number of running functions (also known as invocations or executions).\nFaaS is not perfect – it has its disadvantages, to name a few:\nVendor lock-in – Each cloud provider has its implementation of FaaS, making it almost impossible to migrate between cloud providers.\nMaximum execution time – Functions have hard limits in terms of maximum execution time – AWS Lambda is limited to 15 minutes, Azure Functions (in the Consumption plan) are limited to 10 minutes, and Google Cloud Functions (HTTP functions) are limited to 9 minutes.\nCold starts – The time it takes a function to respond (and execute), for a function that has not been in use recently, which increases the number of seconds it takes a function to load.\nSecurity – Each cloud provider implements isolation between different functions running for different customers. Customers have no visibility on how each deployed function is protected by the cloud provider, at the infrastructure level.\nObservability – Troubleshooting a running function in real-time is challenging in a fully managed environment, managed by cloud providers, in a distributed architecture.\nCost - Workloads with predictable load, or bugs in the function’s code which ends up with an endless loop, may generate high costs for running FaaS.\nHow do we know what to choose? 
# The answer to this question is not black or white, it depends on the use case.\nCommon use cases for choosing containers or Kubernetes:\nLegacy application modernization – The ability to package legacy applications inside containers, and run them inside a managed infrastructure at scale.\nEnvironment consistency – The ability to run containers consistently across different environments, from Dev, Test, to Prod.\nHybrid and Multi-cloud – The ability to deploy the same containers across hybrid or multi-cloud environments (with adjustments such as connectivity to different storage or database services).\nCommon use cases for choosing Functions as a Service:\nEvent-driven architectures – The ability to trigger functions by events, such as file upload, database change, etc.\nAPI backends – The ability to use functions to handle individual API requests and scale automatically based on demand.\nData processing – Functions are suitable for data processing tasks such as batch processing, stream processing, ETL operations, and more because you can spawn thousands of them in a short time.\nAutomation tasks – Functions are perfect for tasks such as log processing, scheduled maintenance tasks (such as initiating backups), etc.\nOne of the benefits of using microservices architecture is the ability to choose different solutions for each microservice.\nCustomers can mix between containers, and FaaS in the same architecture.\nBelow is a sample microservice architecture:\nA customer logs into an application using an API gateway.\nAPI calls are sent from the API gateway to a Kubernetes cluster (deployed with 3 Pods).\nUser access logs are sent from the Kubernetes cluster to Microservice A.\nMicroservice A sends the logs to Amazon Data Firehose.\nThe Amazon Data Firehose converts the logs to JSON format and stores them in an S3 bucket.\nThe Kubernetes cluster sends an API call to Microservice B.\nMicroservice B sends a query for information from DynamoDB.\nA Lambda function pulls 
information from DynamoDB tables.\nThe Lambda function sends information from DynamoDB tables to OpenSearch, for full-text search, which will later be used to respond to customer\u0026rsquo;s queries.\nNote: Although the architecture above mentions AWS services, the same architecture can be implemented on top of Azure, or GCP.\nSummary # In this blog post, I have reviewed the pros and cons of using containers and Serverless.\nSome use cases are more suitable for choosing containers (such as modernization of legacy applications), while others are more suitable for choosing serverless (such as event-driven architecture).\nBefore designing an application using containers or serverless, understand what you are trying to achieve, which services will allow you to accomplish your goal, and what the services\u0026rsquo; capabilities, limitations, and pricing are.\nThe public cloud allows you to achieve similar goals using different methods, based on different services – never stop questioning your architecture decisions over time, and if needed, adjust to gain better results (in terms of performance, cost, etc.)\nAbout the authors\nEfi Merdler-Kravitz is an AWS Serverless Hero and the author of \u0026lsquo;Learning Serverless in Hebrew\u0026rsquo;. With over 15 years of experience, he brings extensive expertise in cloud technologies, encompassing both hands-on development and leadership of R\u0026amp;D teams.\nYou can connect with him on social media (https://linktr.ee/efimk).\nEyal Estrin is a cloud and information security architect, and the author of the books Cloud Security Handbook and Security for Cloud Native Applications, with more than 20 years in the IT industry.\nYou can connect with him on social media (https://linktr.ee/eyalestrin). 
Opinions are his own and not the views of his employer.\n","date":"19 August 2024","externalUrl":null,"permalink":"/posts/the-container-orchestration-vs-function-as-a-service-faas-debate/","section":"Posts","summary":"","title":"The Container Orchestration vs Function-as-a-Service (FaaS) Debate","type":"posts"},{"content":"","date":"29 June 2024","externalUrl":null,"permalink":"/categories/cybercrime/","section":"Categories","summary":"","title":"Cybercrime","type":"categories"},{"content":" While artificial intelligence (AI) can greatly increase productivity in the workplace, it can also be exploited to launch complex and sophisticated cyber-attacks. A recent report from the UK\u0026rsquo;s National Cyber Security Center (NCSC) claims that AI will \u0026ldquo;almost certainly increase the volume and heighten the impact of cyber-attacks over the next two years”.\nGenerative AI models, which can create new content such as text, images, and videos, have sparked controversy as they can be easily exploited to carry out malicious activities. For example, threat actors can use Generative AI to generate convincing phishing emails to lure people into handing over credentials, or other types of sensitive information. Likewise, AI can be used to create deepfake videos to manipulate public opinion on a variety of matters, including elections.\nIn this article we will explore some of the ways that AI has made it possible for even inexperienced hackers to join the ranks, allowing them to orchestrate sophisticated attacks with relative ease.\nPolymorphic Viruses\nArtificial Intelligence (AI) has significantly accelerated the development of polymorphic viruses, making it easier for hackers to create and deploy these malicious programs. AI-powered tools can rapidly generate countless code variants and code strings, allowing polymorphic viruses to evade detection by antivirus software and adapt to new environments. 
By leveraging machine learning algorithms and mutation engines, virus strains can be effortlessly created which continuously mutate and evade detection. As a result, polymorphic viruses have become a significant threat to cybersecurity, capable of infecting files on any operating system. While security technologies and methods, such as behavior-based analytics and application whitelisting, can help detect these viruses, will they be enough to adequately safeguard against such threats in the future?\nThe Use of Deepfakes for Social Engineering\nDeepfakes are artificially created digital content that can deceive people into believing they\u0026rsquo;re seeing or hearing something that never actually occurred. According to the World Economic Forum, an alarming 66% of cybersecurity professionals encountered deepfake attacks within their own organizations in 2022, highlighting the prevalence of this type of threat. These highly realistic forgeries can be easily produced using generative AI tools (mentioned above), and they have already been used to create fake videos of public figures, as well as unauthorized pornographic content. Unfortunately, deepfakes have also been employed to spread propaganda and influence political and social outcomes, and they can even be used to add credibility to social engineering attacks, such as impersonating senior executives on video and phone calls.\nIn recent years, deepfakes have been used to trick people into sending large sums of money to cybercriminals, with criminals using deepfakes to impersonate colleagues and initiate fraudulent payments. To prevent similar attacks, organizations should prepare by implementing robust governance mechanisms, such as requiring multiple sign-offs for payments.\nAI Voice Cloning\nAlongside the growing menace of visual deepfakes, AI voice cloning has emerged as a major concern. 
The widespread use of voice biometrics in various devices and systems, touted as a robust security measure, has now been rendered vulnerable to hacking. This is because AI has advanced to the point where it can accurately replicate audio fingerprints and mimic voice clips from mere sample vocals. The implication is that voice-protected systems are no longer secure, leaving them susceptible to manipulation by hackers. This can lead to a range of nefarious consequences, as hackers manipulate audio files to convincingly perpetuate false narratives.\nAI Keylogging\nAI Keylogging tools can actively record every keystroke, collecting sensitive information such as passwords, with astonishing accuracy, boasting a success rate of nearly 95%. This means that even the most cautious and security-conscious individuals can be vulnerable to having their sensitive information compromised by this type of malware. To defend against AI-powered keyloggers, it is essential to implement a multi-layered approach. One effective strategy is to monitor user behavior to identify and respond to unusual typing patterns. Additionally, a robust endpoint security solution can detect and prevent malware-driven keyloggers from infiltrating systems. Multi-factor authentication (MFA) adds an extra layer of protection, requiring an additional authentication factor even if keystrokes are intercepted. To ensure the integrity of keystrokes, encryption can be used to safeguard captured data, making it indecipherable without the encryption key. Finally, regular updates and patches to software, operating systems, and security applications are crucial to maintaining a secure environment and addressing known vulnerabilities exploited by attackers. 
Better Spelling and Grammar To Evade Spam Filters\nCybercriminals have traditionally used poor spelling and grammar to mask their phishing emails, but with the advent of AI-powered writing tools, they can now create convincing social engineering campaigns in any language in a matter of seconds. This new approach has made it increasingly difficult for spam and malicious content filters to detect and block these emails. According to a recent report by cybersecurity firm SlashNext, the use of AI-generated content has led to a 1,265% surge in phishing emails since 2022. As a result, AI-generated content has become a widespread and effective tactic used by cybercriminals on a large scale, making it a crucial concern for individuals and organizations seeking to protect themselves from cyber threats.\nAI Brute Force Attacks \u0026amp; CAPTCHA Cracking\nAI-powered brute force attacks have emerged as a significant threat to online security. These attacks use machine learning to analyze user behavior and patterns to crack passwords faster. Additionally, AI has also been able to outsmart CAPTCHA systems, which were previously designed to distinguish between human and bot interactions. By leveraging patterns learned from human behavior, AI can now accurately solve CAPTCHA forms, rendering these security measures less effective in preventing bots from accessing secured locations.\nSpecialized Language Models Are on The Rise\nWhile not a threat in itself, the rise of large language models (LLMs) has transformed the field of organizational cybersecurity, arming security teams with the power to sift through large amounts of data and generate actionable insights with simple queries. While these models have shown remarkable capabilities in understanding and generating human-like text, they are still limited in their ability to comprehend the intricacies of specialized cybersecurity datasets. 
However, in the coming years security teams can expect to transition to smaller language models that offer tailored and actionable insights, real-time data training, and the ability to adapt quickly to the ever-evolving threat landscape. These small language models will provide more focused and effective solutions for cybersecurity teams, enabling them to stay ahead of the curve in the fight against cyber threats.\nConclusion\nAs AI becomes increasingly pervasive in our daily lives, the way cybersecurity defenders respond to its emergence will be crucial. The rise of generative AI has sparked a heated debate about its ethical implications and potential uses, but what\u0026rsquo;s clear is that organizations must act quickly to harness its power before threat actors exploit it. It\u0026rsquo;s likely that threat actors will use AI to launch sophisticated phishing campaigns, create swarms of deepfakes, and gain access to detailed information about targets, ultimately bypassing endpoint security defenses. To stay ahead of the curve, security leaders must prepare for the inevitable wave of AI-generated threats and develop strategies to mitigate their impact.\nAuthor bio\nAidan Simister\nAidan Simister is the CEO of Lepide, a leading provider of data security and compliance solutions. 
With over two decades of experience in the IT industry, he is recognized for his expertise in cybersecurity and his commitment to helping organizations safeguard their sensitive data.\n","date":"29 June 2024","externalUrl":null,"permalink":"/posts/the-rise-of-ai-in-cyber-threats-key-challenges-and-how-to-respond/","section":"Posts","summary":"","title":"The Rise of AI in Cyber Threats: Key Challenges and How to Respond","type":"posts"},{"content":" When designing workloads in the cloud, it is rare to have a workload without persistent storage, for storing and retrieving data.\nIn this blog post, we will review the most common cloud storage services and the different use cases for choosing specific cloud storage.\nObject storage # Object storage is perhaps the most commonly used cloud-native storage service.\nIt is used for various use cases, from simple storage or archiving of logs or snapshots to more sophisticated use cases such as storage for data lakes or AI/ML workloads.\nObject storage is used by many cloud-native applications from Kubernetes-based workloads using CSI driver (such as Amazon EKS, Azure AKS, and Google GKE), and for Serverless / Function-as-a-Service (such as AWS Lambda, and Azure Functions).\nAs a cloud-native service, the access to object storage is done via REST API, HTTP, or HTTPS.\nUnstructured data is stored inside object storage services as objects, in a flat hierarchy, inside containers that most cloud providers call buckets.\nData is automatically synched between availability zones in the same region (unless we choose otherwise), and if needed, buckets can be synched between regions (using cross-region replication capability).\nTo support different data access patterns, each of the hyperscale cloud providers offers its customers different storage classes (or storage tiers), from real-time, near real-time, to archive storage, and a capability for configuring rules for moving data between storage classes (also known as lifecycle policies).\nAs of 
2023, all hyperscale cloud providers enforce data encryption at rest in all newly created buckets.\nComparison between Object storage alternatives:\nAs you can read in the comparison table above, most features are available in all hyper-scale cloud providers, but there are still some differences between the cloud providers:\nAWS – Offers a cheap storage tier called S3 One Zone-IA for scenarios where data access patterns are less frequent, and data availability and resiliency are not highly critical, such as secondary backups. AWS also offers a tier called S3 Express One Zone for single-digit millisecond data access requirements, with low data availability or resiliency, such as AI/ML training, Amazon Athena analytics, and more.\nAzure – Most storage services in Azure (Blob, files, queues, pages, and tables), require the creation of an Azure storage account – a unique namespace for Azure storage data objects, accessible over HTTP/HTTPS. Azure also offers a Premium block blob for high-performance workloads, such as AI/ML, IoT, etc.\nGCP – Cloud storage in Google is not limited to a single region but can be provisioned and synched automatically to dual-regions and even multi-regions.\nBlock storage # Block storage is the disk volume attached to various compute services – from VMs, managed databases, Kubernetes worker nodes, and mounted inside containers.\nBlock storage can be used as the storage for transactional databases, data warehousing, and workloads with high volumes of read and write.\nBlock storage is not just limited to traditional workloads deployed on top of virtual machines; it can be mounted as persistent volumes for container-based workloads (such as Amazon ECS), and for Kubernetes-based workloads using CSI driver (such as Amazon EKS, Azure AKS, and Google GKE).\nBlock storage volumes are usually limited to a single availability zone within the same region and should be mounted to a VM in the same AZ.\nComparison between Block storage 
alternatives:\nAs you can read in the comparison table above, most features are available in all hyper-scale cloud providers, but there are still some differences between the cloud providers:\nAWS – Offers a feature called Amazon Data Lifecycle Manager, which automates the process of creation, retention, and deletion of EBS snapshots.\nAzure – Offers the ability to manage data replication of persistent disks within the same region (Locally redundant storage / LRS and Zone-redundant storage / ZRS) and between primary and secondary regions (Geo-redundant storage / GRS, Geo-zone-redundant storage / GZRS, and Read-access geo-redundant storage / RA-GRS).\nGCP – Offers the ability to replicate persistent disks across two zones in the same region (Regional Persistent Disk). GCP also offers the ability to pre-purchase capacity, throughput, and IOPS to be provisioned as needed (Hyperdisk Storage Pools).\nFile storage # File storage services are the equivalent of the traditional Storage Area Network (SAN).\nAll major hyperscale cloud providers offer managed file storage services, allowing customers to share files between multiple Windows (CIFS/SMB), and Linux (NFS) virtual machines.\nFile storage is not just limited to traditional workloads sharing files between multiple virtual machines, they can be mounted as persistent volumes for container-based workloads (such as Amazon ECS, Azure Container Apps, and Google Cloud Run), Kubernetes-based workloads using CSI driver (such as Amazon EKS, Azure AKS, and Google GKE), and for Serverless / Function-as-a-Service (such as AWS Lambda, and Azure Functions).\nOther than the NFS or CIFS/SMB file storage services, major cloud providers also offer a managed NetApp files system (for customers who wish to have the benefits of NetApp storage) and managed Lustre file system (for HPC workloads or workloads that require extreme high-performance throughput).\nComparison between NFS File storage alternatives:\nAs you can read in the comparison 
table above, most features are available in all hyper-scale cloud providers, but there are still some differences between the cloud providers:\nAWS – Offers a cheap storage tier called EFS One Zone file system, for scenarios where the data access pattern is less frequent, and data availability and resiliency are not highly critical. By default, data inside the One Zone file system is automatically backed up using AWS Backup.\nAzure – Offers additional security protection mechanisms such as malware scanning and sensitive data threat detection, as part of a service called Microsoft Defender for Storage.\nGCP – Offers an enterprise-grade tier, called Enterprise tier, for critical applications such as SAP or GKE workloads, with regional high availability and data replication.\nComparison between CIFS/SMB File storage alternatives:\nComparison between managed NetApp File storage alternatives:\nComparison between File storage for HPC workloads alternatives:\nSummary # Persistent storage is required by almost any workload, including cloud-native applications.\nIn this blog post, we have reviewed the various managed storage options offered by the hyperscale cloud providers.\nAs a best practice, it is crucial to understand the application\u0026rsquo;s requirements when selecting the right storage option.\nAbout the Author # Eyal Estrin is a cloud and information security architect, and the author of the books Cloud Security Handbook and Security for Cloud Native Applications, with more than 20 years in the IT industry.\nYou can connect with him on social media (https://linktr.ee/eyalestrin).\nOpinions are his own and not the views of his employer.\n","date":"24 April 2024","externalUrl":null,"permalink":"/posts/comparison-of-cloud-storage-services/","section":"Posts","summary":"","title":"Comparison of Cloud Storage Services","type":"posts"},{"content":" When organizations are designing their first workload migrations to the cloud,
they tend to mistakenly look at the public cloud as the promised land that will solve all their IT challenges (scalability, availability, cost, and more).\nOn the way to achieving their goals, organizations tend to make poor architectural decisions.\nIn this blog post, we will review some of the common architectural mistakes made by organizations.\nLift and Shift approach # Migrating a legacy monolithic workload from on-premises and moving it as is to the public cloud might work (unless you have a license or specific hardware requirements), but it will result in poor outcomes.\nAlthough VMs can run perfectly well in the cloud, chances are you will have to measure the performance of the VMs over time and right-size the instances to match the actual running workload and customers’ demand.\nThe lift and shift approach is suitable as an interim solution until the organization has the time and resources to re-architect the workload, and perhaps choose a different architecture (for example, migrating from VMs to containers or even Serverless).\nIn the long run, lift and shift will be a costly solution (compared to on-premises) and will not gain the full capabilities of the cloud (such as horizontal scale, scale to zero, resiliency of managed services, and more).\nUsing Kubernetes for small/simple workloads # When designing modern applications, organizations tend to follow industry trends.\nOne of the hottest trends is to choose containers for deploying various application components, and in many cases, organizations choose Kubernetes as the container orchestrator engine.\nAlthough Kubernetes does have many benefits, and all hyper-scale cloud providers offer a managed Kubernetes control plane, Kubernetes creates many challenges.\nThe learning curve for fully understanding how to configure and maintain Kubernetes is very long.\nFor small or predictable applications, built from a small number of different containers, there are better and
easy-to-deploy and maintain alternatives, such as Amazon ECS, Azure Container Apps, or Google Cloud Run — all of them are fully capable of running production workloads, and are much easier to learn and maintain than Kubernetes.\nUsing cloud storage for backup or DR scenarios # When organizations began to search for their first use cases for using the public cloud, they immediately thought about using cloud storage as a backup location or perhaps even for DR scenarios.\nAlthough both use cases are valid options, they both tend to miss the bigger picture.\nEven if we use object storage (or managed NFS/CIFS storage services) for the organization’s backup site, we must always take into consideration the restore phase.\nLarge binary backup files that we need to pull from the cloud environment back to on-premises will take a lot of time, not to mention the egress data cost, the read object API calls cost, and more.\nThe same goes for DR scenarios — if we back up our on-premises VMs or even databases to the cloud, but don’t have a similar infrastructure environment in the cloud, how will a cold DR site assist us in case of a catastrophic disaster?\nSeparating between the application and the back-end data-store tiers # Most applications are built from a front-end/application tier and a back-end persistent storage tier.\nIn a legacy or tightly coupled architecture, there is a requirement for low latency between the application tier and the data store tier, specifically when reading or writing to a backend database.\nA common mistake is creating a hybrid architecture, where the front-end is in the cloud, pulling data from an on-prem database, or an architecture (rare scenario) where a legacy on-prem application is connecting to a managed database service in the cloud.\nUnless the target application is not sensitive to network latency, it is always recommended to architect all components close to each other, decreasing the network latency between the various application
components.\nGoing multi-cloud in the hope of resolving vendor lock-in risk # A common risk many organizations are looking into is vendor lock-in (i.e., customers being locked into the ecosystem of a specific cloud provider).\nWhen you dig into this risk, vendor lock-in is about the cost of switching between cloud providers.\nMulti-cloud will not resolve the risk, but it will create many more challenges, from a skills gap (teams familiar with different cloud providers’ ecosystems), central identity and access management, incident response over multiple cloud environments, egress traffic cost, and more.\nInstead of designing complex architectures to mitigate theoretical or potential risk, design solutions to meet the business needs, familiarize yourself with a single public cloud provider’s ecosystem, and over time, once your teams have enough knowledge about more than a single cloud provider, expand your architecture — don’t run to multi-cloud from day 1.\nChoosing the cheapest region in the cloud # As a rule of thumb, unless you have a specific data residency requirement, choose a region close to your customers, to lower the network latency.\nCost is an important factor, but you should design an architecture where your application and data reside close to customers.\nIf your application serves customers all around the globe, or in multiple locations, consider adding a CDN layer to keep all static content closer to your customers, combined with multi-region solutions (such as cross-region replication, global databases, global load-balancers, etc.).\nFailing to re-assess the existing architecture # In the traditional data center, we used to design an architecture for the application and keep it static for the entire lifecycle of the application.\nWhen designing modern applications in the cloud, we should embrace a dynamic mindset, meaning we keep re-assessing the architecture, look at past decisions, and see if new technologies or new services can provide more suitable
solutions for running the application.\nThe dynamic nature of the cloud, combined with evolving technologies, provides us with the ability to make changes and find better ways to run applications faster, more resiliently, and in a cost-effective manner.\nBiased architecture decisions # This is a pitfall that many architects fall into — coming with a background in a specific cloud provider, and designing architectures around this cloud provider’s ecosystem, embedding biased decisions and service limitations into architecture design.\nInstead, architects should fully understand the business needs, the entire spectrum of cloud solutions, service costs, and limitations, and only then begin to choose the most appropriate services, to take part in the application’s architecture.\nFailure to add cost to architectural decisions # Cost is a huge factor when consuming cloud services; among the main reasons is the ability to consume services on demand (and stop paying for unused services).\nEach decision you make (from selecting the right compute nodes, storage tier, database tier, and more) has its cost impact.\nOnce we understand each service’s pricing model and the specific workload’s potential growth, we can estimate the potential cost.\nAs we previously mentioned, the dynamic nature of the cloud might cause different costs each month, and as a result, we need to keep evaluating the service cost regularly, replace services from time to time, and adjust them to suit the specific workload.\nSummary # The public cloud poses many challenges in picking the right services and architectures to meet specific workload requirements and use cases.\nAlthough there is no right or wrong answer when designing architecture, in this blog post, we have reviewed many “poor” architectural decisions that can be avoided by looking at the bigger picture and designing for the long term, instead of looking at short-term solutions.\nRecommendation for the post readers — keep expanding your knowledge in cloud
and architecture-related technologies, and keep questioning your current architectures, to see over time, if there are more suitable alternatives for your past decisions.\nAbout the Author # Eyal Estrin is a cloud and information security architect, and the author of the books Cloud Security Handbook and Security for Cloud Native Applications, with more than 20 years in the IT industry. You can connect with him on social media (https://linktr.ee/eyalestrin).\nOpinions are his own and not the views of his employer.\n","date":"5 April 2024","externalUrl":null,"permalink":"/posts/poor-architecture-decisions-when-migrating-to-the-cloud/","section":"Posts","summary":"","title":"Poor architecture decisions when migrating to the cloud","type":"posts"},{"content":" This post was originally published by the Cloud Security Alliance.\nIn Chapter 1 of this series about considerations when building cloud-native applications, we introduced various topics such as business requirements, infrastructure considerations, automation, resiliency, and more.\nIn this chapter, we will review security considerations when building cloud-native applications.\nIAM Considerations - Authentication # Identity and Access Management plays a crucial role when designing new applications.\nWe need to ask ourselves – Who are our customers?\nIf we are building an application that will serve internal customers, we need to make sure our application will be able to sync identities from our identity provider (IdP).\nOn the other hand, if we are planning an application that will serve external customers, in most cases we would not want to manage the identities themselves, but rather allow authentication based on SAML, OAuth, or OpenID connect, and manage the authorization in our application.\nExamples of managed cloud-native identity services: AWS IAM Identity Center, Microsoft Entra ID, and Google Cloud Identity.\nIAM Considerations - Authorization # Authorization is also an important factor when designing 
applications.\nWhen our application consumes services (such as compute, storage, database, etc.) from a CSP ecosystem, each CSP has its own mechanisms to manage permissions to access services and take actions, and each CSP has its own way of implementing Role-based access control (RBAC).\nRegardless of the built-in mechanisms to consume cloud infrastructure, we must always follow the principle of least privilege (i.e., minimal permissions to achieve a task).\nOn the application layer, we need to design an authorization mechanism to check each identity that was authenticated to our application, against an authorization engine (interactive authentication, non-interactive authentication, or even API-based access).\nAlthough it is possible to manage authorization using our own RBAC mechanism, it is time to consider more cloud-agnostic authorization policy engines such as Open Policy Agent (OPA).\nOne of the major benefits of using OPA is the fact that its policy engine is not limited to authorization to an application – you can also use it for Kubernetes authorization, for Linux (using PAM), and more.\nPolicy-as-Code Considerations # Policy-as-Code allows you to configure guardrails on various aspects of your workload.\nGuardrails are offered by all major cloud providers, outside the boundary of a cloud account, and impact the maximum allowed resource consumption or configuration.\nExamples of guardrails:\nLimitation on the allowed region for deploying resources (compute, storage, database, network, etc.)\nEnforce encryption at rest\nForbid the ability to create publicly accessible resources (such as a VM with a public IP)\nEnforce the use of a specific VM instance size (number of CPUs and memory allowed)\nGuardrails can also be enforced as part of a CI/CD pipeline when deploying resources using Infrastructure as Code for automation purposes – the IaC code is evaluated before the actual deployment phase, and assuming the IaC code does not violate the Policy as Code,
resources are updated.\nExamples of Policy-as-Code: AWS Service control policies (SCPs), Azure Policy, Google Organization Policy Service, HashiCorp Sentinel, and Open Policy Agent (OPA).\nData Protection Considerations # Almost any application contains valuable data, whether the data has business or personal value, and as such we must protect the data from unauthorized parties.\nA common way to protect data is to encrypt it:\nEncryption in transit – done using protocols such as TLS (where the latest supported version is 1.3)\nEncryption at rest – done on a volume, disk, storage, or database level, using algorithms such as AES\nEncryption in use – done using hardware supporting a trusted execution environment (TEE), also referred to as confidential computing\nWhen encrypting data we need to deal with key generation, a secured vault for key storage, key retrieval, and key destruction.\nAll major CSPs have their own key management service to handle the entire key lifecycle.\nIf your application is deployed on top of a single CSP infrastructure, prefer to use managed services offered by the CSP.\nFor encryption in use, select services (such as VM instances or Kubernetes worker nodes) that support confidential computing.\nSecrets Management Considerations # Secrets are equivalent to static credentials, allowing access to services and resources.\nExamples of secrets are API keys, passwords, database credentials, etc.\nSecrets, similarly to encryption keys, are sensitive and need to be protected from unauthorized parties.\nFrom the initial application design process, we need to decide on a secured location to store secrets.\nAll major CSPs have their own secrets management service to handle the entire secret lifecycle.\nAs part of a CI/CD pipeline, we should embed an automated scanning process to detect secrets embedded as part of code, scripts, and configuration files, to avoid storing any secrets as part of our application (i.e., outside the secured
secrets management vault).\nExamples of secrets management services: AWS Secrets Manager, Azure Key Vault, Google Secret Manager, and HashiCorp Vault.\nNetwork Security Considerations # Applications must be protected at the network layer, whether we expose our application to internal customers or customers over the public internet.\nThe fundamental way to protect infrastructure at the network layer is using access controls, which are equivalent to layer 3/layer 4 firewalls.\nAll CSPs have access control mechanisms to restrict access to services (from access to VMs, databases, etc.)\nExamples of Layer 3 / Layer 4 managed services: AWS Security groups, Azure Network security groups, and Google VPC firewall rules.\nSome cloud providers support private access to their services, by adding a network load-balancer in front of various services, with an internal IP from the customer’s private subnet, enforcing all traffic to pass inside the CSP’s backbone, and not over the public internet.\nExamples of private connectivity solutions: AWS PrivateLink, Azure Private Link, and Google VPC Service Controls.\nSome of the CSPs offer managed layer 7 firewalls, allowing customers to enforce traffic based on protocols (and not ports), inspecting TLS traffic for malicious content, and more, in case your application or business requires those capabilities.\nExamples of Layer 7 managed firewalls: AWS Network Firewall, Azure Firewall, and Google Cloud NGFW.\nApplication Layer Protection Considerations # Any application accessible to customers (internal or over the public Internet), is exposed to application layer attacks.\nAttacks can range from malicious code injection, data exfiltration (or data leakage), data tampering, unauthorized access, and more.\nWhether you are exposing an API, a web application, or a mobile application, it is important to implement application layer protection, such as a WAF service.\nAll major CSPs offer managed WAF services, and there are many SaaS solutions 
by commercial vendors that offer managed WAF services.\nExamples of managed WAF services: AWS WAF, Azure WAF, and Google Cloud Armor.\nDDoS Protection Considerations # Denial-of-Service (DoS) or Distributed Denial-of-Service (DDoS) is a risk for any service accessible over the public Internet.\nSuch attacks try to consume all the available resources (from network bandwidth to CPU/memory), directly impacting the service availability to be accessible by customers.\nAll major CSPs offer managed DDoS protection services, and there are many DDoS protection solutions by commercial vendors that offer managed DDoS protection services.\nExamples of managed DDoS protection services: AWS Shield, Azure DDoS Protection, Google Cloud Armor, and Cloudflare DDoS protection.\nPatch Management Considerations # Software tends to be vulnerable, and as such it must be regularly patched.\nFor applications deployed on top of virtual machines:\nCreate a \u0026ldquo;golden image\u0026rdquo; of a virtual machine, and regularly update the image with the latest security patches and software updates.\nFor applications deployed on top of VMs, create a regular patch update process.\nFor applications wrapped inside containers, create a \u0026ldquo;golden image\u0026rdquo; of each of the application components, and regularly update the image with the latest security patches and software updates.\nEmbed software composition analysis (SCA) tools to scan and detect vulnerable third-party components – in case vulnerable components (or their dependencies) are detected, begin a process of replacing the vulnerable components.\nExamples of patch management solutions: AWS Systems Manager Patch Manager, Azure Update Manager, and Google VM Manager Patch.\nCompliance Considerations # Compliance is an important security factor when designing an application.\nSome applications contain personally identifiable information (PII) about employees or customers, which requires compliance against privacy and data 
residency laws and regulations (such as the GDPR in Europe, the CPRA in California, the LGPD in Brazil, etc.)\nSome organizations decide to be compliant with industry or security best practices, such as the Center for Internet Security (CIS) Benchmark for hardening infrastructure components, and can be later evaluated using compliance services or Cloud security posture management (CSPM) solutions.\nReferences for compliance: AWS Compliance Center, Azure Service Trust Portal, and Google Compliance Resource Center.\nIncident Response # When designing an application in the cloud, it is important to be prepared to respond to security incidents:\nEnable logging from both infrastructure and application components, and stream all logs to a central log aggregator. Make sure logs are stored in a central, immutable location, with access privileges limited for the SOC team.\nSelect a tool to be able to review logs, detect anomalies, and be able to create actionable insights for the SOC team.\nCreate playbooks for the SOC team, to know how to respond in case of a security incident (how to investigate, where to look for data, who to notify, etc.)\nTo be prepared for a catastrophic event (such as a network breach, or ransomware), create automated solutions, to allow you to quarantine the impacted services, and deploy a new environment from scratch.\nReferences for incident response documentation: AWS Security Incident Response Guide, Azure Incident response, and Google Data incident response process.\nSummary # In the second blog post in this series, we talked about many security-related aspects, that organizations should consider when designing new applications in the cloud.\nIn this part of the series, we have reviewed various aspects, from identity and access management to data protection, network security, patch management, compliance, and more.\nIt is highly recommended to use the topics discussed in this series of blog posts, as a baseline when designing new applications 
in the cloud, and continuously improve this checklist of considerations when documenting your projects.\nAbout the Author # Eyal Estrin is a cloud and information security architect, and the author of the book Cloud Security Handbook, with more than 20 years in the IT industry. You can connect with him on Twitter.\nOpinions are his own and not the views of his employer.\n","date":"12 March 2024","externalUrl":null,"permalink":"/posts/checklist-for-designing-cloud-native-applications-part-2-security-aspects/","section":"Posts","summary":"","title":"Checklist for designing cloud-native applications – Part 2: Security aspects","type":"posts"},{"content":"","date":"12 March 2024","externalUrl":null,"permalink":"/categories/google/","section":"Categories","summary":"","title":"Google","type":"categories"},{"content":" This post was originally published by the Cloud Security Alliance.\nWhen organizations used to build legacy applications in the past, they used to align infrastructure and application layers to business requirements, reviewing hardware requirements and limitations, team knowledge, security, legal considerations, and more.\nIn this series of blog posts, we will review considerations when building today\u0026rsquo;s cloud-native applications.\nReaders of this series of blog posts can use the information shared, as a checklist to be embedded as part of a design document.\nIntroduction # Building a new application requires a thorough design process.\nIt is ok to try, fail, and fix mistakes during the process, but you still need to design.\nSince technology keeps evolving, new services are released every day, and many organizations now begin using multiple cloud providers, it is crucial to avoid biased decisions.\nDuring the design phase, avoid locking yourself to a specific cloud provider, instead, fully understand the requirements and constraints, and only then begin selecting the technology and services you will be using to architect your application’s 
workload.\nBusiness Requirements # The first thing we need to understand is what is the business goal. What is the business trying to achieve?\nBusiness requirements will impact architectural decisions.\nBelow are some of the common business requirements:\nService availability – If an application needs to be available for customers around the globe, design a multi-region architecture.\nData sovereignty – If there is a regulatory requirement to store customers data in a specific country, make sure it is possible to deploy all infrastructure components in a cloud region located in a specific country. Examples of data sovereignty services: AWS Digital Sovereignty, Microsoft Cloud for Sovereignty, and Google Digital Sovereignty\nResponse time – If the business requirement is to allow fast response to customer requests, you may consider the use of API or caching mechanisms.\nScalability – If the business requirement is to provide customers with highly scalable applications, to be able to handle unpredictable loads, you may consider the use of event-driven architecture (such as the use of message queues, streaming services, and more)\nCompute Considerations # Compute may be the most important part of any modern application, and today there are many alternatives for running the front-end and business logic of our applications:\nVirtual Machines – Offering the same alternatives as we used to run legacy applications on-premise, but can also be suitable for running applications in the cloud. For most cases, use VMs if you are migrating an application from on-premise to the cloud. Examples of services: Amazon EC2, Azure Virtual Machines, and Google Compute Engine.\nContainers and Kubernetes – Most modern applications are wrapped inside containers, and very often are scheduled using Kubernetes orchestrator. 
Considered as a medium challenge migrating container-based workloads between cloud providers (you still need to take under consideration the integration with other managed services in the CSPs eco-system). Examples of Kubernetes services: Amazon EKS, Azure AKS, and Google GKE.\nServerless / Functions-as-a-Service – Modern way to run various parts of applications. The underlying infrastructure is fully managed by the cloud provider (no need to deal with scaling or maintenance of the infrastructure). Considered as a vendor lock-in since there is no way to migrate between CSPs, due to the unique characteristics of each CSP\u0026rsquo;s offering. Examples of FaaS: AWS Lambda, Azure Functions, and Google Cloud Functions.\nData Store Considerations # Most applications require a persistent data store, for storing and retrieval of data.\nCloud-native applications (and specifically microservice-based architecture), allow selecting the most suitable back-end data store for your applications.\nIn a microservice-based architecture, you can select different data stores for each microservice.\nAlternatives for persistent data can be:\nObject storage – The most common managed storage service that most cloud applications are using to store data (from logs, archives, data lake, and more). Examples of object storage services: Amazon S3, Azure Blob Storage, and Google Cloud Storage.\nFile storage – Most CSPs support managed NFS services (for Unix workloads) or SMB/CIFS (for Windows workloads). 
Examples of file storage services: Amazon EFS, Azure Files, and Google Filestore.\nWhen designing an architecture, consider your application requirements such as:\nFast data retrieval requirements – Requirements for fast read/write (measured in IOPS)\nFile sharing requirements – Ability to connect to the storage from multiple sources\nData access pattern – Some workloads require constant access to the storage, while others connect to the storage occasionally (such as a file archive)\nData replication – Ability to replicate data over multiple AZs or even multiple regions\nDatabase Considerations # It is very common for most applications to have at least one backend database for storing and retrieving data.\nWhen designing an application, understand the application requirements to select the most suitable database:\nRelational database – Database for structured data stored in tables, rows, and columns. Suitable for complex queries. When selecting a relational database, consider using a managed database that supports open-source engines such as MySQL or PostgreSQL over a commercially licensed database engine (to decrease the chance of vendor lock-in). Examples of relational database services: Amazon RDS, Azure SQL, and Google Cloud SQL.\nKey-value database – Database for storing structured or unstructured data, with requirements for storing large amounts of data, with fast access time. Examples of key-value databases: Amazon DynamoDB, Azure Cosmos DB, and Google Bigtable.\nIn-memory database – Database optimized for sub-millisecond data access, such as a caching layer. Examples of in-memory databases: Amazon ElastiCache, Azure Cache for Redis, and Google Memorystore for Redis.\nDocument database – Database suitable for storing JSON documents.
Examples of document databases: Amazon DocumentDB, Azure Cosmos DB, and Google Cloud Firestore.\nGraph database – Database optimized for storing and navigating relationships between entities (such as a recommendation engine). Example of Graph database: Amazon Neptune.\nTime-series database – Database optimized for storing and querying data that changes over time (such as application metrics, data from IoT devices, etc.). Examples of time-series databases: Amazon Timestream, Azure Time Series Insights, and Google Bigtable.\nOne of the considerations when designing highly scalable applications is data replication – the ability to replicate data across multiple AZs, but the more challenging is the ability to replicate data over multiple regions.\nFew managed database services support global tables, or the ability to replicate over multiple regions, while most databases will require a mechanism for replicating database updates between regions.\nAutomation and Development # Automation allows us to perform repetitive tasks in a fast and predictable way.\nAutomation in cloud-native applications, allows us to create a CI/CD pipeline for taking developed code, integrating the various application components, and underlying infrastructure, performing various tests (from QA to securing tests) and eventually deploying new versions of our production application.\nWhether you are using a single cloud provider, managing environments on a large scale, or even across multiple cloud providers, you should align the tools that you are using across the different development environments:\nCode repositories – Select a central place to store all your development team’s code, hopefully, it will allow you to use the same code repository for both on-prem and multiple cloud environments. 
Examples of code repositories: AWS CodeCommit, Azure Repos, and Google Cloud Source Repositories.\nContainer image repositories – Select a central image repository, and sync it between regions, and if needed, also between cloud providers, to keep the same source of truth. Examples of container image repositories: Amazon ECR, Azure ACR, and Google Artifact Registry.\nCI/CD and build process – Select a tool to allow you to manage the CI/CD pipeline for all deployments, whether you are using a single cloud provider or a multi-cloud environment. Examples of CI/CD build services: AWS CodePipeline, Azure Pipelines, and Google Cloud Build.\nInfrastructure as Code – Mature organizations choose an IaC tool to provision infrastructure for both single and multi-cloud scenarios, lowering the burden on the DevOps, IT, and developers’ teams. Examples of IaC: AWS CloudFormation, Azure Resource Manager, Google Cloud Deployment Manager, and HashiCorp Terraform.\nResiliency Considerations # Although many managed services in the cloud are offered as resilient by design by the cloud providers, consider resiliency when designing production applications.\nDesign all layers of the infrastructure to be resilient.\nRegardless of the computing service you choose, always deploy VMs or containers in a cluster, behind a load-balancer.\nPrefer to use a managed storage service, deployed over multiple availability zones.\nFor a persistent database, prefer a managed service, and deploy it in a cluster, over multiple AZs, or even better, look for a serverless database offer, so you won’t need to maintain the database availability.\nDo not leave things in the hands of fate; embed chaos engineering experiments as part of your workload resiliency tests, to have a better understanding of how your workload will survive a failure.
Examples of managed chaos engineering services: AWS Fault Injection Service, and Azure Chaos Studio.\nBusiness Continuity Considerations # One of the most important requirements from production applications is the ability to survive failure and continue functioning as expected.\nIt is crucial to design both business continuity in advance.\nFor any service that supports backups or snapshots (from VMs, databases, and storage services), enable scheduled backup mechanisms, and randomly test backups to make sure they are functioning.\nFor objects stored inside an object storage service that requires resiliency, configure cross-region replication.\nFor container registry that requires resiliency, configure image replication across regions.\nFor applications deployed in a multi-region architecture, use DNS records to allow traffic redirection between regions.\nObservability Considerations # Monitoring and logging allow you insights into your application and infrastructure behavior.\nTelemetry allows you to collect real-time information about your running application, such as customer experience.\nWhile designing an application, consider all the options available for enabling logging, both from infrastructure services and from the application layer.\nIt is crucial to stream all logs to a central system, aggregated and timed synched.\nLogging by itself is not enough – you need to be able to gain actionable insights, to be able to anticipate issues before they impact your customers.\nIt is crucial to define KPIs for monitoring an application\u0026rsquo;s performance, such as CPU/Memory usage, latency and uptime, average response time, etc.\nMany modern tools are using machine learning capabilities to review large numbers of logs, be able to correlate among multiple sources and provide recommendations for improvements.\nCost Considerations # Cost is an important factor when designing architectures in the cloud.\nAs such, it must be embedded in every aspect of the design, 
implementation, and ongoing maintenance of the application and its underlying infrastructure.\nCost aspects should be the responsibility of any team member (IT, developers, DevOps, architect, security staff, etc.), from both initial service cost and operational aspects.\nFinOps mindset will allow making sure we choose the right service for the right purpose – from choosing the right compute service, the right data store, or the right database.\nIt is not enough to select a service –make sure any service selected is tagged, monitored for its cost regularly, and perhaps even replaced with better and cost-effective alternatives, during the lifecycle of the workload.\nSustainability Considerations # The architectural decision we make has an environmental impact.\nWhen developing modern applications, consider the environmental impact.\nChoosing the right computing service will allow running a workload, with a minimal carbon footprint – the use of containers or serverless/FaaS wastes less energy in the data centers of the cloud provider.\nThe same thing when selecting a datastore, according to an application’s data access patterns (from hot or real-time tier, up to archive tier).\nDesigning event-driven applications, adding caching layers, shutting down idle resources, and continuously monitoring workload resources, will allow to design of an efficient and sustainable workload.\nSustainability related references: AWS Sustainability, Azure Sustainability, and Google Cloud Sustainability.\nEmployee Knowledge Considerations # The easiest thing is to decide to build a new application in the cloud.\nThe challenging part is to make sure all teams are aligned in terms of the path to achieving business goals and the knowledge to build modern applications in the cloud.\nOrganizations should invest the necessary resources in employee training, making sure all team members have the required knowledge to build and maintain modern applications in the cloud.\nIt is crucial to 
understand that all team members have the necessary knowledge to maintain applications and infrastructure in the cloud, before beginning the actual project, to avoid unpredictable costs, long learning curves, while running in production, or building a non-efficient workload due to knowledge gap.\nTraining related references: AWS Skill Builder, Microsoft Learn for Azure, and Google Cloud Training.\nSummary # In the first blog post in this series, we talked about many aspects, organizations should consider when designing new applications in the cloud.\nIn this part of the series, we have reviewed various aspects, from understanding business requirements to selecting the right infrastructure, automation, resiliency, cost, and more.\nWhen creating the documentation for a new development project, organizations can use the information in this series, to form a checklist, making sure all-important aspects and decisions are documented.\nIn the next chapter of this series, we will discuss security aspects when designing and building a new application in the cloud.\nAbout the Author # Eyal Estrin is a cloud and information security architect, and the author of the book Cloud Security Handbook, with more than 20 years in the IT industry. 
You can connect with him on Twitter.\nOpinions are his own and not the views of his employer.\n","date":"4 March 2024","externalUrl":null,"permalink":"/posts/checklist-for-designing-cloud-native-applications-part-1-introduction/","section":"Posts","summary":"","title":"Checklist for designing cloud-native applications – Part 1: Introduction","type":"posts"},{"content":" When designing architectures for modern applications in the cloud, we have multiple ways to achieve similar goals.\nNo matter which alternative we choose (selecting a service, an architecture, or even a pricing option), it forces us to understand the trade-offs we are making in our decisions.\nTo decide on the best option, we need to evaluate things such as the cost to implement and operate, the solution\u0026rsquo;s resiliency, the learning curve, and perhaps even vendor lock-in (i.e., the ability to migrate a service between different cloud providers).\nIn this blog post, we will review some of the most common trade-offs organizations make when using the public cloud, specifically AWS services.\nBuy vs. Build # One of the most common debates in many organizations is whether to buy a service or build it in-house.\nFor organizations with mature development teams, building your solutions (from pin-point service to a full-blown application) might be a better alternative, if the build process does not cost a lot of time and effort.\nFor many organizations, buying a service (such as a SaaS application, or a managed service), might be a better alternative, since a cloud provider is responsible for the scale and maintenance of the service itself, allowing the organization to be a consumer of a service, investing time and efforts in their business goals.\nOn-Premise vs. 
the Public Cloud # The cloud allows us to build modern highly scalable and elastic workloads, using the most up-to-date hardware, with a pay-as-you-go pricing option.\nAs much as the cloud allows us efficient ways to run applications and switch from running servers to consuming services, using the cloud requires a learning curve for many organizations.\nIn case an organization is still running legacy applications, sometimes with dedicated hardware or license requirements, or if there are regulatory or data residency requirements to keep data in a specific country, on-premise might be a better alternative for some organizations.\nMulti-AZ vs. Multi-Region # Depending on the application\u0026rsquo;s business requirements, a workload can be deployed in a resilient architecture, spread across multiple AZs or multiple regions.\nBy design, most services in AWS are bound to a specific region and can be deployed in a multi-AZ architecture (for example Amazon S3, Amazon RDS, Amazon EKS, etc.)\nWhen designing an architecture, we may want to consider multi-region architecture, but we need to understand:\nMost services are limited to a specific region, and cannot be replicated outside the region.\nSome services can be replicated to other regions (such as Amazon S3 cross-region replication, Amazon RDS cross-region read replica, etc.), but the other replicas will be read-only, and in case of failure, you will need to design a manual switch between primary and secondary replicas.\nMulti-region architecture increases the overall workload\u0026rsquo;s cost, and naturally, the complexity of designing and maintaining such architecture.\nAmazon EC2 vs. 
Containers # For most legacy or \u0026ldquo;lift \u0026amp; shift\u0026rdquo; applications, choosing an EC2 instance is the easiest way to applications – customers have full control of the content of the EC2 instance, with the same experience as they were used to on-prem.\nAlthough developing and wrapping applications inside containers requires a learning curve, containers offer better horizontal scaling, better use of the underlying hardware, and easier upgrade, when using immutable infrastructure (where no session information is stored inside the container image), since an upgrade is simply replacing one container image with a newer version.\nAmazon ECS vs. Amazon EKS # Both are managed orchestrators for running containers, and both are fully supported by AWS.\nAmazon ECS can be a better alternative for organizations looking to run workloads with predictable scaling patterns, and it is easier to learn and maintain, compared to Amazon EKS.\nAmazon EKS offers a full-blown managed Kubernetes service for organizations that wish to deploy their applications on top of Kubernetes. As with any Kubernetes deployment, it takes time for the teams to learn how to deploy and maintain Kubernetes clusters, due to the large number of configuration options.\nContainers vs. 
AWS Lambda # Both alternatives offer organizations the ability to run production applications in a microservice architecture.\nContainers allow development teams to develop their applications anywhere (from the developer\u0026rsquo;s IDE to running an entire development in the cloud), push container images to a container registry, and run them on any container environment (agnostic to the cloud provider\u0026rsquo;s ecosystem).\nContainers also allow developers SSH access to control the running containers, mostly for troubleshooting purposes on a small scale.\nAWS Lambda is running in a fully managed environment, where AWS takes care of the scale and maintenance of the underlying infrastructure, while developers focus on developing Lambda functions.\nAlthough AWS allows customers to wrap their code inside containers and run them in a Lambda serverless environment, Lambda is considered a vendor lock-in, since it cannot run outside the AWS ecosystem (i.e., other cloud providers).\nAWS Lambda does not allow customers access to the underlying infrastructure and is limited to a maximum of 15 minutes per invocation, meaning, long-running invocations are not suitable for Lambda.\nOn-demand vs. Spot vs. Saving Plans # AWS offers various alternatives to pay for running compute services (from EC2 instances, ECS or EKS, Lambda, Amazon RDS, and more).\nEach alternative is slightly better for different use cases:\nOn-demand – Useful for unpredictable workloads such as development environments (may be running for an entire month, or a couple of hours)\nSpot – Useful for workloads that can survive sudden interruption, such as loosely coupled HPC workloads, or stateless applications\nSaving Plans – Useful for workloads that are expected to be running for a long period (1 or 3 years), with the ability to replace instance type according to needs\nAmazon S3 lifecycle policies vs. 
Amazon S3 Intelligent-Tiering # When designing persistent storage solutions for workloads, AWS offers various storage tiers for storing objects inside Amazon S3 – from the standard tier to an archive tier.\nAmazon S3 allows customers efficient ways to store objects:\nAmazon S3 lifecycle policies – Allows customers to set up rules for moving objects from a real-time tier to an archive tier, according to the last time an object was accessed. It is a useful one-way solution, but it requires customers to set up the rules. Useful for expected and predictable data access patterns.\nAmazon S3 Intelligent-Tiering – Uses machine learning to inspect each object\u0026rsquo;s last access time, and automatically move objects between tiers (from real-time to archive and vice versa). Useful for unpredictable data access patterns.\nNAT Gateway vs. NAT Instances # When a service in a private subnet requires access to resources outside its subnet (for example the public Internet), we need to configure one of the NAT alternatives:\nNAT Gateway – A fully managed NAT service, supporting automated scaling capability, high availability, and performance, but with high cost (compared to NAT instance).\nNAT Instance – An EC2 instance, based on a generic AMI for allowing NAT capabilities. 
Requires customer maintenance (such as patching, manual resiliency, manual instance family size selection, and limited network bandwidth) at the cost of an EC2 instance (cheaper than NAT Gateway).\nIf an organization knows to automate the deployment and maintenance of NAT instances, they can use this alternative and save costs, otherwise, NAT Gateway is a much more resilient alternative.\nSummary # Making an architectural design has its trade-offs.\nIn many cases, you will have more than a single solution for the same challenge, and you need to measure the cost and benefits of each alternative, as we showed in this blog post.\nWe need to understand the implications and consequences of our decisions to be able to prioritize our options.\nReference # AWS re:Invent 2023 - Advanced integration patterns \u0026amp; trade-offs for loosely coupled systems About the Author # Eyal Estrin is a cloud and information security architect, and the author of the book Cloud Security Handbook, with more than 20 years in the IT industry. You can connect with him on Twitter.\nOpinions are his own and not the views of his employer.\n","date":"19 February 2024","externalUrl":null,"permalink":"/posts/trade-offs-when-designing-workloads-in-aws/","section":"Posts","summary":"","title":"Trade-Offs When Designing Workloads in AWS","type":"posts"},{"content":" When building an application for serving customers, one of the questions raised is how do I know if my application is resilient and will survive a failure?\nIn this blog post, we will review what it means to build resilient applications in the cloud, and we will review some of the common best practices for achieving resilient applications.\nWhat does it mean resilient applications? 
# AWS provides us with the following definition for the term resiliency:\n“The ability of a workload to recover from infrastructure or service disruptions, dynamically acquire computing resources to meet demand, and mitigate disruptions, such as misconfigurations or transient network issues.”\n(Source: https://docs.aws.amazon.com/wellarchitected/latest/reliability-pillar/resiliency-and-the-components-of-reliability.html)\nResiliency is part of the Reliability pillar for cloud providers such as AWS, Azure, GCP, and Oracle Cloud.\nAWS takes it one step further, and shows how resiliency is part of the shared responsibility model:\nThe cloud provider is responsible for the resilience of the cloud (i.e., hardware, software, computing, storage, networking, and anything related to their data centers)\nThe customer is responsible for the resilience in the cloud (i.e., selecting the services to use, building resilient architectures, backup strategies, data replication, and more).\nSource: https://docs.aws.amazon.com/wellarchitected/latest/reliability-pillar/shared-responsibility-model-for-resiliency.html\nHow do we build resilient applications? 
# This blog post assumes that you are building modern applications in the public cloud.\nWe have all heard of RTO (Recovery time objective).\nA resilient workload (a combination of application, data, and the infrastructure that supports it) should not only recover automatically, but it must recover within a pre-defined RTO, agreed upon by the business owner.\nBelow are common best practices for building resilient applications:\nDesign for high-availability # The public cloud allows you to easily deploy infrastructure over multiple availability zones.\nExamples of implementing high availability in the cloud:\nDeploying multiple VMs behind an auto-scaling group and a front-end load-balancer\nSpreading container load over multiple Kubernetes worker nodes, deploying in multiple AZs\nDeploying a cluster of database instances in multiple AZs\nDeploying global (or multi-regional) database services (such as Amazon Aurora Global Database, Azure Cosmos DB, Google Cloud Spanner, and Oracle Global Data Services (GDS))\nConfigure DNS routing rules to send customers’ traffic to more than a single region\nDeploy a global load-balancer (such as AWS Global Accelerator, Azure Cross-region Load Balancer, or Google Global external Application Load Balancer) to spread customers’ traffic across regions\nImplement autoscaling # Autoscaling is one of the biggest advantages of the public cloud.\nAssuming we built a stateless application, we can add or remove additional compute nodes using autoscaling capability, and adjust it to the actual load on our application.\nIn a cloud-native infrastructure, we will use a managed load-balancer service, to receive traffic from customers, and send an API call to an autoscaling group, to add or remove additional compute nodes.\nImplement microservice architecture # Microservice architecture is meant to break a complex application into smaller parts, each responsible for certain functionality of the application.\nBy implementing microservice architecture, we are 
decreasing the impact of failed components on the rest of the application.\nIn case of high load on a specific component, it is possible to add more compute resources to the specific component, and in case we discover a bug in one of the microservices, we can roll back to a previous functioning version of the specific microservice, with minimal impact on the rest of the application.\nImplement event-driven architecture # Event-driven architecture allows us to decouple our application components.\nResiliency can be achieved using event-driven architecture, by the fact that even if one component fails, the rest of the application continues to function.\nComponents are loosely coupled by using events that trigger actions.\nEvent-driven architectures are usually (but not always) based on services managed by cloud providers, who are responsible for the scale and maintenance of the managed infrastructure.\nEvent-driven architectures are based on models such as the pub/sub model (services such as Amazon SQS, Azure Web PubSub, Google Cloud Pub/Sub, and OCI Queue service) or based on event delivery (services such as Amazon EventBridge, Azure Event Grid, Google Eventarc, and OCI Events service).\nImplement API Gateways # If your application exposes APIs, use API Gateways (services such as Amazon API Gateway, Azure API Management, Google Apigee, or OCI API Gateway) to allow incoming traffic to your backend APIs, perform throttling to protect the APIs from spikes in traffic, and perform authorization on incoming requests from customers.\nImplement immutable infrastructure # Immutable infrastructure (such as VMs or containers) is meant to run application components, without storing session information inside the compute nodes.\nIn case of a failed component, it is easy to replace the failed component with a new one, with minimal disruption to the entire application, allowing fast recovery.\nData Management # Find the most suitable data store for your workload.\nA 
microservice architecture allows you to select different data stores (from object storage to backend databases) for each microservice, decreasing the risk of complete failure due to availability issues in one of the backend data stores.\nOnce you select a data store, replicate it across multiple AZs, and if the business requires it, replicate it across multiple regions, to allow better availability, closer to the customers.\nImplement observability # By monitoring all workload components, and sending logs from both infrastructure and application components to a central logging system, it is possible to identify anomalies, anticipate failures before they impact customers, and act.\nExamples of actions can be sending a command to restart a VM, deploying a new container instead of a failed one, and more.\nIt is important to keep track of measurements — for example, what is considered normal response time to a customer request, to be able to detect anomalies.\nImplement chaos engineering # The base assumption is that everything will eventually fail.\nImplementing chaos engineering, allows us to conduct controlled experiments, inject faults into our workloads, testing what will happen in case of failure.\nThis allows us to better understand if our workload will survive a failure.\nExamples can be adding load on disk volumes, injecting timeout when an application tier connects to a backend database, and more.\nExamples of services for implementing chaos engineering are AWS Fault Injection Simulator, Azure Chaos Studio, and Gremlin.\nCreate a failover plan # In an ideal world, your workload will be designed for self-healing, meaning, it will automatically detect a failure and recover from it, for example, replace failed components, restart services, or switch to another AZ or even another region.\nIn practice, you need to prepare a failover plan, keep it up to date, and make sure your team is trained to act in case of major failure.\nA disaster recovery plan without 
proper and regular testing is worth nothing — your team must practice repeatedly, and adjust the plan, and hopefully, they will be able to execute the plan during an emergency with minimal impact on customers.\nResilient applications tradeoffs # Failure can happen in various ways, and when we design our workload, we need to limit the blast radius on our workload.\nBelow are some common failure scenarios, and possible solutions:\nFailure in a specific component of the application — By designing a microservice architecture, we can limit the impact of a failed component to a specific area of our application (depending on the criticality of the component, as part of the entire application)\nFailure of a single AZ — By deploying infrastructure over multiple AZs, we can decrease the chance of application failure and impact on our customers\nFailure of an entire region — Although this scenario is rare, cloud regions also fail, and by designing a multi-region architecture, we can decrease the impact on our customers\nDDoS attack — By implementing DDoS protection mechanisms, we can decrease the risk of impacting our application with a DDoS attack\nWhatever solution we design for our workloads, we need to understand that there is a cost and there might be tradeoffs for the solution we design.\nMulti-region architecture aspects # A multi-region architecture will allow the most highly available resilient solution for your workloads; however, multi-region adds high cost for cross-region egress traffic, most services are limited to a single region, and your staff needs to know how to support such a complex architecture.\nAnother limitation of multi-region architecture is data residency — if your business or regulator demands that customers’ data be stored in a specific region, a multi-region architecture is not an option.\nService quota/service limits # When designing a highly resilient architecture, we must take into consideration service quotas or service limits.\nSometimes we are 
bound to a service quota on a specific AZ or region, an issue that we may need to resolve with the cloud provider’s support team.\nSometimes we need to understand there is a service limit in a specific region, such as a specific service that is not available in a specific region, or there is a shortage of hardware in a specific region.\nAutoscaling considerations # Horizontal autoscale (the ability to add or remove compute nodes) is one of the fundamental capabilities of the cloud, however, it has its limitations.\nProvisioning a new compute node (from a VM, container instance, or even database instance) may take a couple of minutes to spin up (which may impact customer experience) or to spin down (which may impact service cost).\nAlso, to support horizontal scaling, you need to make sure the compute nodes are stateless, and that the application supports such capability.\nFailover considerations # One of the limitations of database failover is their ability to switch between the primary node and one of the secondary nodes, either in case of failure or in case of scheduled maintenance.\nWe need to take into consideration the data replication, making sure transactions were saved and moved from the primary to the read replica node.\nSummary # In this blog post, we have covered many aspects of building resilient applications in the cloud.\nWhen designing new applications, we need to understand the business expectations (in terms of application availability and customer impact).\nWe also need to understand the various architectural design considerations, and their tradeoffs, to be able to match the technology to the business requirements.\nAs I always recommend — do not stay on the theoretical side of the equation, begin designing and building modern and highly resilient applications to serve your customers — There is no replacement for actual hands-on experience.\nReferences # Understand resiliency patterns and trade-offs to architect efficiently in the cloud\nBuilding 
resilience to your business requirements with Azure\nSuccess through culture: why embracing failure encourages better software delivery\nBuilding Resilient Solutions in OCI\nAbout the Author # Eyal Estrin is a cloud and information security architect, and the author of the book Cloud Security Handbook, with more than 20 years in the IT industry. You can connect with him on Twitter.\nOpinions are his own and not the views of his employer.\n","date":"15 January 2024","externalUrl":null,"permalink":"/posts/building-resilient-applications-in-the-cloud/","section":"Posts","summary":"","title":"Building Resilient Applications in the Cloud","type":"posts"},{"content":"","date":"15 January 2024","externalUrl":null,"permalink":"/categories/oracle/","section":"Categories","summary":"","title":"Oracle","type":"categories"},{"content":"Professional guides for Cloud Architects and Security Engineers to navigate the complexities of AWS, Azure, and Google Cloud Platform.\nCloud Security Handbook # Effectively secure cloud environments using AWS, Azure, and GCP.\nThe Cloud Security Handbook is a comprehensive guide to building and maintaining a secure cloud infrastructure. It provides actionable insights into identity management, network security, and data protection across the three major cloud providers.\nFocus: Infrastructure security, Governance, and Compliance. Audience: Cloud Architects, Security Engineers, and IT Managers. Get it on Amazon\nSecurity for Cloud Native Applications # The practical guide for securing modern applications using AWS, Azure, and GCP.\nThis book shifts the focus to the application layer, covering the security lifecycle of cloud-native apps. From container security and Kubernetes to serverless functions and CI/CD pipeline integrity, this is a hands-on manual for the modern developer and security pro.\nFocus: K8s, Containers, DevSecOps, and Serverless security. Audience: DevOps Engineers, Security Researchers, and App Developers. 
Get it on Amazon\nAbout the Author # Eyal Estrin is a Cloud Architect and Author with nearly 20 years of experience in the technology industry. He specializes in cloud adoption and cybersecurity, providing insights through his books, newsletter, and public speaking engagements.\n","date":"1 January 2024","externalUrl":null,"permalink":"/posts/pages/books/","section":"Posts","summary":"","title":"Published Books","type":"posts"},{"content":"\nOne of the first decisions organizations make before migrating applications to the public cloud is deciding on a migration strategy.\nFor many years, the most common and easy way to migrate applications to the cloud was choosing a rehosting strategy, also known as “Lift and shift”.\nIn this blog post, I will review some of the reasons, showing that strategically this is a bad decision.\nIntroduction # When reviewing the landscape of possibilities for migrating legacy or traditional applications to the public cloud, rehosting is the best option as a short-term solution.\nTaking an existing monolith application, and migrating it as-is to the cloud, is supposed to be an easy task:\nMap all the workload components (hardware requirements, operating system, software and licenses, backend database, etc.)\nChoose similar hardware (memory/CPU/disk space) to deploy a new VM instance(s)\nConfigure network settings (including firewall rules, load-balance configuration, DNS, etc.)\nInstall all the required software components (assuming no license dependencies exist)\nRestore the backend database from the latest full backup\nTest the newly deployed application in the cloud\nExpose the application to customers\nFrom a time and required-knowledge perspective, this is considered a quick-win solution, but how efficient is it?\nCost-benefit # Using physical or even virtual machines does not guarantee us close to 100% of hardware utilization.\nIn the past organizations used to purchase hardware, and had to commit to 3–5 years (for vendor support 
purposes).\nAlthough organizations could use the hardware 24x7, there were many cases where purchased hardware was consuming electricity and floor-space, without running at full capacity (i.e., underutilized).\nVirtualization did allow organizations to run multiple VMs on the same physical hardware, but even then, it did not guarantee 100% hardware utilization — think about Dev/Test environments or applications that were not getting traffic from customers during off-peak hours.\nThe cloud offers organizations new purchase/usage methods (such as on-demand or Spot), allowing customers to pay just for the time they used compute resources.\nKeeping a traditional data-center mindset, using virtual machines, is not efficient enough.\nSwitching to modern ways of running applications, such as the use of containers, Function-as-a-Service (FaaS), or event-driven architectures, allows organizations to make better use of their resources, at much better prices.\nRight-sizing # On day 1, it is hard to predict the right VM instance size for the application.\nWhen migrating applications as-is, organizations tend to select similar hardware (mostly CPU/Memory), to what they used to have in the traditional data center, regardless of the application’s actual usage.\nAfter a legacy application is running for several weeks in the cloud, we can measure its actual performance, and switch to a more suitable VM instance size, gaining better utilization and price.\nTools such as AWS Compute Optimizer, Azure Advisor, or Google Recommender will allow you to select the most suitable VM instance size, but the VM still does not utilize 100% of the possible compute resources, compared to containers or Function-as-a-Service.\nScaling # Horizontal scaling is one of the main benefits of the public cloud.\nAlthough it is possible to configure multiple VMs behind a load-balancer, with autoscaling capability, allowing adding or removing VMs according to the load on the application, legacy applications 
may not always support horizontal scaling, and even if they do support scale out (add more compute nodes), there is a very good chance they do not support scale in (removing unneeded compute nodes).\nVMs do not support the ability to scale to zero — i.e., removing completely all compute nodes, when there is no customer demand.\nCloud-native applications deployed on top of containers, using a scheduler such as Kubernetes (such as Amazon EKS, Azure AKS, or Google GKE), can horizontally scale according to need (scale out as much as needed, or as many compute resources the cloud provider’s quota allows).\nFunctions as part of FaaS (such as AWS Lambda, Azure Functions, or Google Cloud Functions) are invoked as a result of triggers, and erased when the function’s job completes — maximum compute utilization.\nLoad time # Spinning up a new VM as part of auto-scaling activity (such as AWS EC2 Auto Scaling, Azure Virtual Machine Scale Sets, or Google Managed instance groups), upgrade, or reboot takes a long time — specifically for large workloads such as Windows VMs, databases (deployed on top of VM’s) or application servers.\nProvisioning a new container (based on Linux OS), including all the applications and layers, takes a couple of seconds (depending on the number of software layers).\nInvoking a new function takes a few seconds, even if you take into consideration cold start issues when downloading the function’s code.\nSoftware maintenance # Every workload requires ongoing maintenance — from code upgrades, third-party software upgrades, and let us not forget security upgrades.\nAll software upgrade requires a lot of overhead from the IT, development, and security teams.\nPerforming upgrades of a monolith, where various components and services are tightly coupled together increases the complexity and the chances that something will break.\nSwitching to a microservice architecture, allows organizations to upgrade specific components (for example scale out, upgrade new 
version of code, new third-party software component), with small to zero impact on other components of the entire application.\nInfrastructure maintenance # In the traditional data center, organizations used to deploy and maintain every component of the underlying infrastructure supporting the application.\nMaintaining services such as databases or even storage arrays requires dedicated trained staff and a lot of ongoing effort (from patching, backup, resiliency, high availability, and more).\nIn cloud-native environments, organizations can take advantage of managed services, from managed databases, storage services, caching, monitoring, and AI/ML services, without having to maintain the underlying infrastructure.\nUnless an application relies on a legacy database engine, in most cases you will be able to replace a self-maintained database server with a managed database service.\nFor storage services, most cloud providers already offer all the commodity storage services (from a managed NFS, SMB/CIFS, NetApp, and up to parallel file system for HPC workloads).\nMost modern cloud-native services use object storage services (such as Amazon S3, Azure Blob Storage, or Google Filestore), allowing scalable file systems for storing large amounts of data (from backups and log files to data lakes).\nMost cloud providers offer managed networking services for load-balancing, firewalls, web application firewalls, and DDoS protection mechanisms, supporting workloads with unpredictable traffic.\nSaaS services # Up until now, we mentioned lift \u0026amp; shift from the on-premise to VMs (mostly IaaS) and managed services (PaaS), but let us not forget there is another migration strategy — repurchasing, meaning, migrating an existing application, or selecting a managed platform such as Software-as-a-Service, allowing organizations to consume fully managed services, without having to take care of the on-going maintenance and resiliency.\nSummary # Keeping a static 
data center mindset, and migrating using “lift \u0026amp; shift” to the public cloud, is the least cost-effective strategy and in most cases will end up with medium to low performance for your applications.\nIt may have been the common strategy a couple of years ago when organizations just began taking their first step in the public cloud, but as more knowledge is gained from both public cloud providers and all sizes of organizations, it is time to think about more mature cloud migration strategies.\nIt is time for organizations to embrace a dynamic mindset of cloud-native services and cloud-native applications, which provide organizations with many benefits, from (almost) infinite scale, automated provisioning (using Infrastructure-as-Code), rich cloud ecosystem (with many managed services), and (if managed correctly) the ability to match the workload costs to the actual consumption.\nI encourage all organizations to expand their knowledge about the public cloud, assess their existing applications and infrastructure, and begin modernizing their existing applications.\nRe-architecture may demand a lot of resources (both cost and manpower) in the short term but will provide an organization with a lot of benefits in the long run.\nReferences: # 6 Strategies for Migrating Applications to the Cloud\nOverview of application migration examples for Azure\nMigrate to Google Cloud\nAbout the Author # Eyal Estrin is a cloud and information security architect, and the author of the book Cloud Security Handbook, with more than 20 years in the IT industry. 
You can connect with him on Twitter.\nOpinions are his own and not the views of his employer.\n","date":"12 December 2023","externalUrl":null,"permalink":"/posts/why-choosing-lift-shift-is-a-bad-migration-strategy/","section":"Posts","summary":"","title":"Why choosing “Lift \u0026 Shift” is a bad migration strategy","type":"posts"},{"content":"\nWhen developing modern applications, we almost immediately think about wrapping our application components inside Containers — it may not be the only architectural alternative, but a very common one.\nAssuming our developers and DevOps teams have the required expertise to work with Containers, we still need to think about maintaining the underlying infrastructure — i.e., the Container hosts.\nIf our application has a steady and predictable load, and assuming we do not have experience maintaining Kubernetes clusters, and we do not need the capabilities of Kubernetes, it is time to think about an easy and stable alternative for deploying our applications on top of Containers infrastructure.\nIn the following blog post, I will review the alternatives of running Container workloads on top of Serverless infrastructure.\nWhy do we need Serverless infrastructure for running Container workloads? # Container architecture is made of a Container engine (such as Docker, CRI-O, etc.) 
deployed on top of a physical or virtual server, and on top of the Container engine, we deploy multiple Container images for our applications.\nThe diagram below shows a common Container architecture:\nIf we focus on the Container engine and the underlying operating system, we understand that we still need to maintain the operating system itself.\nCommon maintenance tasks for the operating system:\nMake sure it has enough resources (CPU, memory, storage, and network connectivity) for running Containers\nMake sure the operating system is fully patched and hardened from external attacks\nMake sure our underlying infrastructure (i.e., Container host nodes), provides us with high availability in case one of the host nodes fails and needs to be replaced\nMake sure our underlying infrastructure provides us the necessary scale our application requires (i.e., scale out or in according to application load)\nInstead of having to maintain the underlying host nodes, we should look for a Serverless solution, that allows us to focus on application deployment and maintenance and decrease as much as possible the work on maintaining the infrastructure.\nComparison of Serverless Container Services # Each of the hyperscale cloud providers offers us the ability to consume a fully managed service for deploying our Container-based workloads.\nBelow is a comparison of AWS, Azure, and Google Cloud alternatives:\nSide notes for Azure users # While researching for this blog post, I had a debate about whether to include Azure Containers Apps or Azure Container Instances.\nAlthough both services allow customers to run Containers in a managed environment, Azure Container Instances is more suitable for running a single Container application, while Azure Container Apps allows customers to build a full microservice-based application.\nSummary # In this blog post, I have compared alternatives for deploying microservice architecture on top of Serverless Container services offered by AWS, Azure, and 
GCP.\nWhile designing your next application based on microservice architecture, and assuming you don’t need a full-blown Kubernetes cluster (with all of its features and complexities), consider using Serverless Container service.\nReferences # Amazon ECS on AWS Fargate\nAzure Container Apps overview\nWhat is Google Cloud Run\nAbout the Author # Eyal Estrin is a cloud and information security architect, and the author of the book Cloud Security Handbook, with more than 20 years in the IT industry. You can connect with him on Twitter.\nOpinions are his own and not the views of his employer.\n","date":"20 November 2023","externalUrl":null,"permalink":"/posts/introduction-to-serverless-container-services/","section":"Posts","summary":"","title":"Introduction to Serverless Container Services","type":"posts"},{"content":" Using modern cloud environments, specifically production environments, decreases the need for human access.\nIt makes sense for developers to have access to Dev or Test environments, but in a properly designed production environment, everything should be automated – from deployment, and observability to self-healing. 
In most cases, no human access is required.\nProduction environments serve customers, require zero downtime, and in most cases contain customers\u0026rsquo; data.\nThere are cases such as emergency scenarios where human access is required.\nIn mature organizations, this type of access is done by the Site reliability engineering (SRE) team.\nThe term break-glass is an analogy to breaking a glass to pull a fire alarm, which is supposed to happen only in case of emergency.\nIn the following blog post, I will review the different alternatives each of the hyperscale cloud providers gives their customers to handle break-glass scenarios.\nGround rules for using break-glass accounts # Before talking about how each of the hyperscale cloud providers handles break-glass, it is important to be clear – break-glass accounts should be used in emergency cases only.\nAuthentication – All access through the break-glass mechanism must be authenticated, preferably against a central identity provider, and not using local accounts\nAuthorization – All access must be authorized using role-based access control (RBAC), following the principle of least privilege\nMFA – Since most break-glass scenarios require highly privileged access, it is recommended to enforce multi-factor authentication (MFA) for any interactive access\nJust-in-time access – All access through break-glass mechanisms must be granted temporarily and must be revoked after a pre-defined amount of time or when the emergency is declared as over\nApproval process – Access through a break-glass mechanism should be manually approved\nAuditing – All access through break-glass mechanisms must be audited and kept as evidence for further investigation\nDocumented process – Organizations must have a documented and tested process for requesting, approving, using, and revoking break-glass accounts\nHandling break-glass scenarios in AWS # Below is a list of best practices provided by AWS for handling break-glass scenarios:\nIdentity 
Management # Identities in AWS are managed using AWS Identity and Access Management (IAM).\nWhen working with AWS Organizations, customers have the option for central identity management for the entire AWS Organization using AWS IAM Identity Center – a single-sign-on (SSO) and federated identity management service (working with Microsoft Entra ID, Google Workspace, and more).\nSince there might be a failure with a remote identity provider (IdP) or with AWS IAM Identity Center, AWS recommends creating two IAM users on the root of the AWS Organizations tree, and an IAM break-glass role on each of the accounts in the organization, to allow access in case of emergency.\nThe break-glass IAM accounts need to have console access, as explained in the documentation.\nAuthentication Management # When creating IAM accounts, enforce the use of a strong password policy, as explained in the documentation.\nPasswords for the break-glass IAM accounts must be stored in a secured vault, and once the work on the break-glass accounts is over, the passwords must be replaced immediately to avoid reuse.\nAWS recommends enforcing the use of MFA for any privileged access, as explained in the documentation.\nAccess Management # Access to resources inside AWS is managed using AWS IAM Roles.\nAWS recommends creating a break-glass IAM role, as explained in the documentation.\nAccess using break-glass IAM accounts must be temporary, as explained in the documentation.\nAuditing # All API calls within the AWS environment are logged into AWS CloudTrail by default, and stored for 90 days.\nAs best practices, it is recommended to send all CloudTrail logs to a central S3 bucket, from the entire AWS Organization, as explained in the documentation.\nSince audit trail logs contain sensitive information, it is recommended to encrypt all data at rest using customer-managed encryption keys (as explained in the documentation) and limit access to the log files to the SOC team for investigation 
purposes.\nAudit logs stored inside AWS CloudTrail can be investigated using Amazon GuardDuty, as explained in the documentation.\nResource Access # To allow secured access to EC2 instances, AWS recommends using EC2 Instance Connect or AWS Systems Manager Session Manager.\nTo allow secured access to Amazon EKS nodes, AWS recommends using AWS Systems Manager Agent (SSM Agent).\nTo allow secured access to Amazon ECS container instances, AWS recommends using AWS Systems Manager, and for debugging purposes, AWS recommends using Amazon ECS Exec.\nTo allow secured access to Amazon RDS, AWS recommends using AWS Systems Manager Session Manager.\nHandling break-glass scenarios in Azure # Below is a list of best practices provided by Microsoft for handling break-glass scenarios:\nIdentity Management # Although Identities in Azure are managed using Microsoft Entra ID (formerly Azure AD), Microsoft recommends creating two cloud-only accounts that use the *.onmicrosoft.com domain, to allow access in case of emergency and in case of problems logging in using federated identities from the on-premise Active Directory, as explained in the documentation.\nAuthentication Management # Microsoft recommends enabling password-less login for the break-glass accounts using a FIDO2 security key, as explained in the documentation.\nMicrosoft does not recommend enforcing the use of MFA for emergency or break-glass accounts to prevent tenant-wide account lockout and exclude the break-glass accounts from Conditional Access policies, as explained in the documentation.\nAccess Management # Microsoft allows customers to manage privileged access to resources using Microsoft Entra Privileged Identity Management (PIM) and recommends assigning the break-glass accounts permanent access to the Global Administrator role, as explained in the documentation.\nMicrosoft Entra PIM allows control of requests for privileged access, as explained in the documentation.\nAuditing # Activity logs within the Azure 
environment are logged into Azure Monitor by default, and stored for 90 days.\nAs best practices, it is recommended to enable diagnostic settings for all audits and \u0026ldquo;allLogs\u0026rdquo; and send the logs to a central Log Analytics workspace, from the entire Azure tenant, as explained in the documentation.\nSince audit trail logs contain sensitive information, it is recommended to encrypt all data at rest using customer-managed encryption keys (as explained in the documentation) and limit access to the log files to the SOC team for investigation purposes.\nAudit logs stored inside a Log Analytics workspace can be queried for further investigation using Microsoft Sentinel, as explained in the documentation.\nMicrosoft recommends creating an alert when break-glass accounts perform sign-in attempts, as explained in the documentation.\nResource Access # To allow secured access to virtual machines (using SSH or RDP), Microsoft recommends using Azure Bastion.\nTo allow secured access to the Azure Kubernetes Service (AKS) API server, Microsoft recommends using Azure Bastion, as explained in the documentation.\nTo allow secured access to Azure SQL, Microsoft recommends creating an Azure Private Endpoint and connecting to the Azure SQL using Azure Bastion, as explained in the documentation.\nAnother alternative to allow secured access to resources in private networks is to use Microsoft Entra Private Access, as explained in the documentation.\nHandling break-glass scenarios in Google Cloud # Below is a list of best practices provided by Google for handling break-glass scenarios:\nIdentity and Access Management # Identities in GCP are managed using Google Workspace or using Google Cloud Identity.\nAccess to resources inside GCP is managed using IAM Roles.\nGoogle recommends creating a dedicated Google group for the break-glass IAM role, and configuring temporary access to this Google group as explained in the documentation.\nThe temporary access is done using IAM 
conditions, and it allows customers to implement Just-in-Time access, as explained in the documentation.\nFor break-glass access, add dedicated Google identities to the mentioned Google group, to gain temporary access to resources.\nAuthentication Management # Google recommends enforcing the use of MFA for any privileged access, as explained in the documentation.\nAuditing # Admin Activity logs (configuration changes) within the GCP environment are logged into Google Cloud Audit logs by default, and stored for 90 days.\nIt is recommended to manually enable data access audit logs to get more insights about break-glass account activity, as explained in the documentation.\nAs best practices, it is recommended to send all Cloud Audit logs to a central Google Cloud Storage bucket, from the entire GCP Organization, as explained in the documentation.\nSince audit trail logs contain sensitive information, it is recommended to encrypt all data at rest using customer-managed encryption keys (as explained in the documentation) and limit access to the log files to the SOC team for investigation purposes.\nAudit logs stored inside Google Cloud Audit Logs can be sent to the Google Security Command Center for further investigation, as explained in the documentation.\nResource Access # To allow secured access to Google Compute Engine instances, Google recommends using an Identity-Aware Proxy, as explained in the documentation.\nTo allow secured access to Google App Engine instances, Google recommends using an Identity-Aware Proxy, as explained in the documentation.\nTo allow secured access to Google Cloud Run service, Google recommends using an Identity-Aware Proxy, as explained in the documentation.\nTo allow secured access to Google Kubernetes Engine (GKE) instances, Google recommends using an Identity-Aware Proxy, as explained in the documentation.\nSummary # In this blog post, we have reviewed what break-glass accounts are, and how AWS, Azure, and GCP are recommending to 
secure break-glass accounts (from authentication, authorization, auditing, and secure access to cloud resources).\nI recommend any organization that manages cloud production environments follow the vendors\u0026rsquo; security best practices and keep the production environment secured.\nAbout the Author # Eyal Estrin is a cloud and information security architect, and the author of the book Cloud Security Handbook, with more than 20 years in the IT industry. You can connect with him on Twitter.\nOpinions are his own and not the views of his employer.\n","date":"13 November 2023","externalUrl":null,"permalink":"/posts/introduction-to-break-glass-in-cloud-environments/","section":"Posts","summary":"","title":"Introduction to Break-Glass in Cloud Environments","type":"posts"},{"content":" This post was originally published by the Cloud Security Alliance.\nThe use of the public cloud has become the new norm for any size organization.\nOrganizations are adopting cloud services, migrating systems to the cloud, consuming SaaS applications, and beginning to see the true benefits of the public cloud.\nIn this blog post, I will explain what it means to embrace a cloud-native mindset.\nWhat is Cloud-Native? # When talking about cloud-native, there are two complementary terms:\nCloud-Native Infrastructure — Services that were specifically built to run on public cloud environments, such as containers, API gateways, managed databases, and more.\nCloud-Native applications — Applications that take the full benefits of the public cloud, such as auto-scaling (up or down), microservice architectures, function as a service, and more.\nCloud First vs. 
Cloud-Native # For many years, there was a misconception among organizations and decision-makers, should we embrace a “cloud first” mindset, meaning, any new application we develop or consume must reside in the public cloud?\nThe cloud-first mindset is no longer relevant.\nCloud, like any other IT system, is meant to support the business, not to dictate business decisions.\nOne of the main reasons for any organization to create a cloud strategy is to allow decision-makers to align IT capabilities or services to business requirements.\nThere might be legacy systems generating value for the organization, and the cost to re-architect and migrate to the cloud is higher than the benefit of migration — in this case, the business should decide how to manage this risk.\nWhen considering developing a new application or migrating an existing application to the cloud, consider the benefits of cloud-native (see below), and in any case where choosing the cloud makes sense (in terms of alignment to business goals, costs, performance, etc.), make it your first choice.\nWhat are the benefits of Cloud-Native? 
# Since we previously mentioned cloud-native, let us review some of the main benefits of cloud-native:\nAutomation # One of the pre-requirements of cloud-native applications is the ability to deploy an entire workload in an automated manner using Infrastructure as Code.\nIn cloud environments, IaC comes naturally, but do not wait until your workloads are migrated or developed in the cloud — begin automating on-premise infrastructure deployments using scripts today.\nScale # Cloud-native applications benefit from the infinite scale of the public cloud.\nModern applications will scale up or down according to customers’ demand.\nLegacy environments may have the ability to add more virtual machines in case of high load, but in most cases, they fail to release unneeded compute resources when the load on the application goes down, increasing resource costs.\nMicroservice architecture # One of the main benefits of cloud-native applications is the ability to break down complex architecture into small components (i.e., microservices).\nMicroservices allow development teams to own, develop, and maintain small portions of an application, making upgrading to newer versions an easy task.\nIf you are building new applications today, start architecting your applications using a microservices architecture, regardless of whether you are developing on-premise or in the public cloud.\nIt is important to note that microservices architecture increases the overall complexity of an application, by having many small components, so plan carefully.\nManaged services # One of the main benefits when designing applications (or migrating an existing application) in the cloud, is to gain the benefit of managed services.\nBy consuming managed services (such as managed databases, storage, API gateways, etc.), you shift the overall maintenance, security, and stability to the cloud provider, which allows you to consume a service, without having to deal with the underlying infrastructure 
maintenance.\nWhenever possible, prefer to choose a serverless managed service, which completely removes your requirement to deal with infrastructure scale (you simply do not specify how much computing power is required to run a service at any given time).\nCI/CD pipeline # Modern applications are developed using a CI/CD pipeline, which creates a fast development lifecycle.\nEach development team shares its code using a code repository, able to execute its build process, which ends up with an artifact ready to be deployed in any environment (Dev, Test, or Prod).\nModern compute services # Cloud-native applications allow us to have optimum use of the hardware.\nCompute services such as containers and function as a service, make better use of hardware resources, when compared to physical or even virtual machines.\nContainers can run on any platform (from on-premise to cloud environments), and although it may take some time for developers and DevOps to learn how to use them, they can suit most workloads (including AI/ML), and be your first step in embracing cloud-native applications.\nFunction as a Service is a different story — they suit specific tasks, and in most cases bound to a specific cloud environment, but if used wisely, they offer great efficiency when compared to other types of compute services.\nSummary # What does it mean to embrace a cloud-native mindset?\nMeasuring the benefits of cloud-native applications, consuming cloud-native services, looking into the future of IT services, and wisely adopting the public cloud.\nWill the public cloud suit 100% of scenarios? 
No, but it has more benefits than keeping legacy systems inside traditional data centers.\nWhether you are a developer, DevOps, architect, or cybersecurity expert, I invite you to read, take online courses, practice, and gain experience using cloud-native infrastructure and applications, and consider them the better alternatives for running modern applications.\nAbout the Author # Eyal Estrin is a cloud and information security architect, and the author of the book Cloud Security Handbook, with more than 20 years in the IT industry. You can connect with him on Twitter.\nOpinions are his own and not the views of his employer.\n","date":"6 November 2023","externalUrl":null,"permalink":"/posts/embracing-cloud-native-mindset/","section":"Posts","summary":"","title":"Embracing Cloud-Native Mindset","type":"posts"},{"content":" The past couple of years brought us tons of examples of using generative AI to improve many aspects of our lives.\nWe can see vendors, with strong community and developers\u0026rsquo; support, introducing more and more services for almost any aspect of our lives.\nThe two most famous examples are ChatGPT (AI Chatbot) and Midjourney (Image generator).\nWikipedia provides us with the following definition for Generative AI:\n\u0026ldquo;Generative artificial intelligence (also generative AI or GenAI) is artificial intelligence capable of generating text, images, or other media, using generative models. Generative AI models learn the patterns and structure of their input training data and then generate new data that have similar characteristics.\u0026rdquo;\nSource: https://en.wikipedia.org/wiki/Generative_artificial_intelligence\nIn this blog post, I will compare some of the alternatives for using Gen AI to assist developers in producing code.\nWhat are AI Code Generators? 
# AI code generators are services using AI/ML engines, integrated as part of the developer\u0026rsquo;s Integrated Development Environment (IDE), and provide the developer suggestions for code, based on the programming language and the project\u0026rsquo;s context.\nIn most cases, AI code generators come as a plugin or an addon to the developer\u0026rsquo;s IDE.\nMature AI code generators support multiple programming languages, can be integrated with most popular IDEs, and can provide valuable code samples, by understanding both the context of the code and the cloud provider\u0026rsquo;s eco-system.\nAI Code Generators Terminology # Below are a couple of terms to know when using AI code generators:\nSuggestions – The output of AI code generators is code samples\nPrompts - Collection of code and supporting contextual information\nUser engagement data / Client-side telemetry - Events generated at the client IDE (error messages, latency, feature engagement, etc.)\nCode snippets - Lines of code created by the developer inside the IDE\nCode References – Code originated from open-source or externally trained data\nAI Code Generators – Alternative Comparison # The table below provides a comparison between the alternatives the largest cloud providers offer their customers:\nAI Code Generators – Security Aspects # AI Code Generators can provide a lot of benefits for the developers, but at the end of the day we need to recall that these are still cloud-based services, deployed in a multi-tenant environment, and as with the case of any AI/ML, the vendor is aiming at training their AI/ML engines to provide better answers.\nCode may contain sensitive data – from static credentials (secrets, passwords, API keys), hard-coded IP addresses or DNS names (for accessing back-end or even internal services), or even intellectual property code (as part of the organization\u0026rsquo;s internal IP).\nBefore consuming AI code generators, it is recommended to thoroughly review the 
vendors\u0026rsquo; documentation, understand what data (such as telemetry) is transferred from the developer\u0026rsquo;s IDE back to the cloud, and how data is protected at all layers.\nThe table below provides a comparison between the alternatives the largest cloud providers offer their customers from a security point of view:\nSummary # In this blog post, we have reviewed alternatives of AI code generators, offered by AWS, Azure, and GCP.\nAlthough there are many benefits from using those services, allowing developers fast coding capabilities, the work on those services is still a work in progress.\nCustomers should perform their risk analysis before using those services, and limit as much as possible the amount of data shared with the cloud providers (since they are all built on multi-tenant environments).\nAs with any code developed, it is recommended to embed security controls, such as Static application security testing (SAST) tools, and invest in security training for developers.\nReferences # What is Amazon Code Whisperer? 
https://docs.aws.amazon.com/codewhisperer/latest/userguide/what-is-cwspr.html\nGitHub Copilot documentation https://docs.github.com/en/copilot\nDuet AI in Google Cloud overview https://cloud.google.com/duet-ai/docs/overview?hl=en\n","date":"5 October 2023","externalUrl":null,"permalink":"/posts/introduction-to-ai-code-generators/","section":"Posts","summary":"","title":"Introduction to AI Code Generators","type":"posts"},{"content":" This post was originally published by the Cloud Security Alliance.\nAccording to the Shared Responsibility Model, \u0026ldquo;The consumer does not manage or control the underlying cloud infrastructure\u0026rdquo;.\nAs customers, this leaves us with very little control over services managed by remote service providers, as compared to the amount of control we have over IaaS (Infrastructure as a Service), where we control the operating system and anything inside it (applications, configuration, etc.)\nThe fact that many modern applications are offered as a SaaS, has many benefits such as:\n(Almost) zero maintenance (we are still in charge of authorization)\n(Almost) zero requirements to deal with availability or performance issues (depending on business requirements and the maturity of the SaaS vendor)\n(Almost) zero requirement to deal with security and compliance (at the end of the day, we are still responsible for complying with laws and regulations and we still have obligations to our customers and employees, depending on the data classification we are about to store in the cloud)\nThe minimum requirement to handle licensing (depending on the SaaS pricing offers)\nAs customers, we can consume a service and focus on our business (instead of infrastructure and application maintenance)\nWhile there are many benefits of switching from maintaining servers to consuming (SaaS) applications, there are many security challenges we need to be aware of and risks to control.\nIn this blog post, I will review some of the security challenges facing 
SaaS applications.\nIdentity and Access Management # We may not control the underlying infrastructure, but as customers, we are still in charge of configuring proper authentication and authorization for our customers (internal or external).\nAs customers, we would like to take advantage of our current identities and leverage a federation mechanism to allow our end-users to log in once and through SSO to be able to access the SaaS application, all using standard protocols such as SAML, OAuth, or OpenID Connect.\nOnce the authentication phase is done, we need to take care of access permissions, following the role description/requirement.\nWe must always follow the principle of least privilege.\nWe should never accept a SaaS application that does not support granular role-based access control.\nWhile working with SaaS applications, we need to make sure we can audit who had access to our data and what actions have been done.\nThe final phase is to make sure access is granted by business needs – once an employee no longer needs access to a SaaS application, we must revoke the access immediately.\nData Protection # Once we are using SaaS applications, we need to understand we no longer have \u0026ldquo;physical\u0026rdquo; control over our data – whether it is employee\u0026rsquo;s data, customers\u0026rsquo; data, intellectual property, or any other type of data.\nOnce data is stored and processed by an external party, there is always a chance for a data breach, that may lead to data leakage, data tampering, encryption by ransomware, and more.\nIf we are planning to store sensitive data (PII\u0026rsquo;s, financial, healthcare, etc.) in the cloud, we must understand how data is being protected.\nWe must make sure data is encrypted both in transit and at rest (including backups, logs, etc.) 
and at any given time, access to data by anyone (from our employees, SaaS vendor employees, or even third-party companies) must be authenticated, authorized, and audited.\nMisconfiguration # The most common vulnerability is misconfiguration.\nThe easiest way for it to happen is an employee with administrative privileges making a configuration mistake: granting someone unnecessary access permissions, making data publicly available, forgetting to turn on encryption at rest (depending on specific SaaS applications), and more.\nSome SaaS applications allow you to set configuration control using CASB (Cloud Access Security Brokers) or SSPM (SaaS Security Posture Management).\nThe problem is the lack of standardization in the SaaS industry.\nThere is no standard for allowing central configuration management using APIs.\nIf you are using common SaaS applications such as Office 365, Dropbox, Salesforce, or any other common SaaS application, you may be able to find many third-party security solutions that will allow you to mitigate misconfiguration.\nOtherwise, if you are working with a small start-up vendor or with an immature SaaS vendor, your only options are a good legal contract (defining the obligations of the SaaS vendor), demanding certifications (such as SOC 2 Type II reports), and accepting the risk (depending on the business risk tolerance).\nInsecure APIs # Many SaaS applications allow you to connect using APIs (from audit logs to configuration management).\nRegardless of the data classification, you must always make sure your SaaS vendor\u0026rsquo;s APIs support the following:\nAll APIs require authentication and perform a back-end authorization process.\nAll traffic to the API is encrypted in transit.\nAll access to the API is audited (for further analysis).\nIf the SaaS application allows traffic initiation through API back to your organization, make sure you enforce input validation to avoid inserting malicious code into your internal systems.\nI recommend you never 
rely on third-party SaaS vendors – always coordinate penetration testing on exposed APIs to mitigate the risk of insecure APIs.\nThird-Party Access # Some SaaS vendors allow (or rely on) third-party vendor access.\nWhen conducting due diligence with SaaS vendors, make sure to check whether the vendor allows any third-party vendor access to customers\u0026rsquo; data and how that data is protected.\nAlso, make sure the contract specifies if data is transferred to third-party vendors, who they are, and for which purpose.\nMake sure everything is written in the contract with the SaaS vendor and that the SaaS vendor must notify you of any change regarding data access or transfer to third-party vendors.\nPatch Management and System Vulnerabilities # Since we are only consumers of a managed service, we have no control over, or visibility into, the infrastructure or application layers.\nEverything is made of software and software is vulnerable by design.\nWe may be able to coordinate vulnerability scanning or even short-term penetration testing with the SaaS vendor (depending on the SaaS vendor maturity), but we are still dependent on the transparency of the SaaS vendor and this is a risk we need to accept (depending on the business risk tolerance).\nLack of SaaS Vendor Transparency # This is very important.\nMature SaaS vendors will make sure we are up to date with information such as breach notifications, outages, and scheduled maintenance (at least when everybody on the Internet talks about critical software vulnerabilities requiring immediate patching, and assuming downtime is required).\nAs part of vendor transparency, I would expect the legal contract to force the SaaS vendor to keep us up to date with data breach incidents or potential unauthorized access to customers\u0026rsquo; data.\nSince in most cases, we do not have a real way to audit SaaS vendors\u0026rsquo; security controls, I recommend working only with mature vendors who can provide proof of their maturity level (such as SOC 2 Type II 
reports every year) and coordinate your assessments of the SaaS vendor.\nMature SaaS vendors will allow us access to audit logs, to query who has access to our data and what actions have been done with the data.\nRegulatory Compliance # Regardless of the cloud service model, we are always responsible for our data and we must always comply with laws and regulations, wherever our customers reside or wherever our SaaS vendor stores our data.\nMature SaaS vendors allow us to comply with data residency and make sure data does not leave a specific country or region.\nCompliance goes for the entire lifecycle of our data – from upload/store, process, data backup or retention, to finally data destruction.\nMake sure the legal contract specifies data residency and the vendor\u0026rsquo;s obligations regarding compliance.\nFrom a customer\u0026rsquo;s point of view, make sure you get legal advice on how to comply with all relevant laws and regulations.\nSummary # In this blog post, I have reviewed some of the most common security challenges working with SaaS applications.\nSaaS applications have many benefits (from a customer point of view), but they also contain security risks that we need to be aware of and manage regularly.\n","date":"11 September 2023","externalUrl":null,"permalink":"/posts/security-challenges-with-saas-applications/","section":"Posts","summary":"","title":"Security challenges with SaaS applications","type":"posts"},{"content":" In 2020, the world suddenly stopped due to the pandemic.\nA couple of years later, we began to see changes in the way both home consumers and organizations are using technology.\nCommon areas that have changed in the post-covid era # Here are a couple of areas that adapted in the post-covid era:\nCustomer support # Traditional engagement methods (such as phone calls, fax, or even emails) have decreased in the past couple of years.\nToday, customers are looking for fast and mobile methods to connect to contact centers from 
anywhere – from using mobile apps to connecting via chat (in some cases even a chatbot is a viable solution).\nThe use of mobile apps # Customers have been using mobile apps for more than a decade – from social networks (for personal interaction), e-commerce (for purchasing products), banking (checking account status, money transfer, etc.), travel (for ordering flight tickets or hotels), and more.\nThe use of mobile apps is not something new, but in the past couple of years, we see customers using mobile for almost every step of their daily life.\nThe use of the public cloud # The public cloud has been in use for almost two decades, but during Covid, more and more organizations began to see the benefits of the cloud and began migrating systems to the cloud.\nIt is true that there are still organizations choosing to invest in maintaining data centers for running their applications, but as time goes by, more and more organizations are embracing the public cloud.\nThe fact that we pay for the resources we consume, and the (almost) infinite compute capacity, made the cloud very attractive to most organizations around the world – from large corporations to newly founded start-ups.\nHybrid work and work-life balance # In the post-covid era, more and more organizations are offering their employees the option of choosing whether to work from the office or from anywhere else, as long as the employee gets their work done.\nEmployers understand the importance of work-life balance and began to respect employees\u0026rsquo; personal lives, which decreases stress levels and creates satisfied and productive employees.\nThe use of AI # For many years, researchers have tried to teach computers how to support people in decision-making.\nIn the past couple of years, we see AI/ML solutions for almost any area of human life.\nFrom advising people on which music to listen to (based on their past listening history), aiding doctors in providing better medical care to patients (based on 
their health status and technological improvements), using AI to quickly calculate customers\u0026rsquo; credit scores and offer customers relevant investment plans, and more.\nHow can organizations prepare for the digital transformation? # There are various areas where organizations should adapt and better prepare themselves for the digital transformation:\nCustomer-centric # Organizations should change their mindset and put their customers first.\nConduct customer surveys and research what can provide your customers the most value, from better customer service to an easy-to-navigate mobile app or anything that will keep your customers satisfied.\nBe transparent with your customers, for example – if your organization is collecting personal data from customers, provide them with information about the data you are collecting, the purpose, and what you are planning to do with the data, and allow your customers to choose whether to provide you their data.\nKeep your employees engaged # Explain to your employees about the coming changes, allow them to provide their feedback, and be part of the process.\nAs technology evolves, employees would like to re-invent themselves or even choose a different career path.\nAn organization should support its employees and find ways to allow employees to expand their knowledge or even switch to a different role within the organization.\nConduct training, allowing employees to expand their knowledge (from new ways to interact with customers, new technologies, new or modern development languages, and more).\nAllow your employees the ability to combine work from the office with remote work from home, to support employees\u0026rsquo; work-life balance.\nEmbrace the public cloud # No matter how professional your employees are, chances are your organization will never have the expertise of the public cloud providers, the scale, or the elasticity that the public cloud allows your organization and customers to 
get.\nDevelop a cloud strategy that clearly defines what workloads or data can be migrated to the cloud and begin to modernize your applications.\nModernize your applications # Your organization may have many applications, already serving you and your customers.\nNow is the time to ask yourself, what applications are still providing you value and what applications can be modernized or re-architect and provide better usability, higher availability, and elasticity with lower cost.\nConsider embracing cloud-native applications and gain the full benefit of the public cloud.\nSummary # Digital transformation is disrupting the way home consumers and organizations are using technology to make everyday life better.\nEvery day we find new ways to consume information, purchase products, get better healthcare or financial services, or even better ways to conduct business and interact with our customers.\nTo embrace digital transformation, we need to adapt to the change.\nIf you have not done so yet, now is the time to jump on the digital transformation train.\n","date":"28 August 2023","externalUrl":null,"permalink":"/posts/digital-transformation-in-the-post-covid-era/","section":"Posts","summary":"","title":"Digital Transformation in the Post-Covid Era","type":"posts"},{"content":"","date":"28 August 2023","externalUrl":null,"permalink":"/categories/digital-transformation/","section":"Categories","summary":"","title":"Digital-Transformation","type":"categories"},{"content":"","date":"19 June 2023","externalUrl":null,"permalink":"/categories/authentication/","section":"Categories","summary":"","title":"Authentication","type":"categories"},{"content":" IAM (Identity and Access Management) is a crucial part of any cloud environment.\nAs organizations evolve, they may look at multi-cloud as a solution to consume cloud services in different cloud providers\u0026rsquo; technologies (such as AI/ML, data analytics, and more), to have the benefit of using different pricing models, or 
to decrease the risk of vendor lock-in.\nBefore we begin the discussion about IAM, we need to understand the following fundamental concepts:\nIdentity – An account that represents a persona (human) or service (non-interactive account)\nAuthentication – The act where an identity proves itself to a system (such as providing username and password, certificate, API key, and more)\nAuthorization – The act of validating an identity’s privileges to take actions on a system (such as view configuration, read database content, upload a file to object storage, and more)\nAccess Management – The entire lifecycle of IAM – from account provisioning, granting access, and validating privileges until account or privilege revocation.\nIdentity and Access Management Terminology # Authorization in the Cloud # Although all cloud providers have the same concept of identities, when we deep dive into the concept of authorization or access management to resources/services, we need to understand the differences between cloud providers.\nAuthorization in AWS # AWS has two concepts for managing permissions to resources:\nIAM Role – Permissions assigned to an identity temporarily.\nIAM Policy – A document that defines a set of permissions assigned to an IAM role.\nPermissions in AWS can be assigned to:\nIdentity – A policy attached to a user, group, or role.\nResource – A policy attached to a resource (such as Amazon S3 bucket).\nAuthorization in Azure # Permissions in Azure AD are controlled by roles.\nA role defines the permissions an identity has over an Azure resource.\nWithin Azure AD, you control permissions using RBAC (Role-based access control).\nAzure AD supports the following types of roles:\nBuilt-in roles – A pre-defined role according to job function (as you can read on the link).\nCustom roles – A role that we create ourselves to match the principle of least privilege.\nAuthorization in Google Cloud # Permissions in Google Cloud IAM are controlled by IAM roles.\nGoogle Cloud 
IAM supports the following types of IAM roles:\nBasic roles – The most permissive type of roles (Owner, Editor, and Viewer).\nPredefined roles – Roles managed by Google, which provides granular access to specific services (as you can read on the link).\nCustom roles – User-specific roles, which provide the most granular access to resources.\nAuthorization – Default behavior # As we can see below each cloud provider takes a different approach to default permissions:\nAWS – By default, new IAM users have no permission to access any resource in AWS.\nTo allow access to resources or take actions, you need to manually assign the user an IAM role.\nAzure – By default, all Azure AD users are granted a set of default permissions (such as listing all users, reading all properties of users and groups, registering new applications, and more).\nGoogle Cloud – By default, a new service account is granted the Editor role on the project level.\nIdentity Federation # When we are talking about identity federation, there are two concepts:\nService Provider (SP) – Provide access to resources\nIdentity Provider (IdP) – Authenticate the identities\nIdentities (user accounts, service accounts, groups, etc.) 
are managed by an Identity Provider (IdP).\nAn IdP can exist in the local data center (such as Microsoft Active Directory) or the public cloud (such as AWS IAM, Azure AD, Google Cloud IAM, etc.).\nFederation is the act of creating trust between separate IdPs.\nFederation allows us to keep identity in one repository (i.e., Identity Provider).\nOnce we set up an identity federation, we can grant an identity privileges to consume resources in a remote repository.\nExample: a worker with an account in Microsoft Active Directory, reading a file from object storage in Azure, once a federation trust was established between Microsoft Active Directory and Azure Active Directory.\nWhen federating between the on-premise and cloud environments, we need to recall the use of different protocols.\nOn-premise environments are using legacy authentication protocols such as Kerberos or LDAP.\nIn the public cloud, the common authentication protocols are SAML 2.0, OpenID Connect (OIDC), and OAuth 2.0.\nEach cloud provider has a list of supported external third-party identity providers to federate with, as you can read in the list below:\nIntegrating third-party SAML solution providers with AWS\nAzure AD Identity Provider Compatibility Docs\nGoogle Cloud IAM - Configure workforce identity federation\nSingle Sign-On # The concept behind SSO is to allow identities (usually end-users) access to resources in the cloud while having to sign in (to an identity provider) only once.\nOver the past couple of years, the concept of SSO was extended and now it is possible to allow a single identity (who authenticated to a specific identity provider), access to resources over federated login to an external (mostly SAML) identity provider.\nEach cloud provider has its own SSO service, supporting federation with external identity providers:\nAWS IAM Identity Center\nAzure Active Directory single sign-on\nGoogle Cloud Workload identity federation\nSteps for creating a federation between cloud providers # The 
process below explains (at a high level) the steps required to set up identity federation between different cloud providers:\nChoose an IdP (where identities will be created and authenticated to).\nCreate a SAML identity provider.\nConfigure roles for your third-party identity provider.\nAssign roles to the target users.\nCreate trust between SP and IdP.\nTest the ability to authenticate and identify (user) to a resource in a remote/external cloud provider.\nAdditional References: # AWS IAM Identity Center and Azure AD as IdP\nHow to set up IAM federation using Google Workspace\nAzure AD SSO integration with AWS IAM Identity Center\nAzure AD SSO integration with Google Cloud / G Suite Connector by Microsoft\nFederating Google Cloud with Azure Active Directory\nConfigure Google workload identity federation with AWS or Azure\nSummary # In this blog post, we took a deep dive into identity and access management in the cloud, comparing different aspects of IAM in AWS, Azure, and GCP.\nAfter reviewing how authentication and authorization work for each of the three cloud providers, we explained how federation and SSO work in a multi-cloud environment.\nImportant to keep in mind:\nWhen we are building systems in the cloud, whether they are publicly exposed or even internal, we need to follow some basic rules:\nAll access to resources/systems/applications must be authenticated\nPermissions must follow the principle of least privilege and business requirements\nAll access must be audited (for future analysis, investigation purposes, etc.)\n","date":"19 June 2023","externalUrl":null,"permalink":"/posts/identity-and-access-management-in-multi-cloud-environments/","section":"Posts","summary":"","title":"Identity and Access Management in Multi-Cloud Environments","type":"posts"},{"content":"","date":"12 June 2023","externalUrl":null,"permalink":"/categories/privacy/","section":"Categories","summary":"","title":"Privacy","type":"categories"},{"content":" This post was 
originally published by the Cloud Security Alliance.\nWhen we are talking about building new systems, in the context of privacy or data protection, we often hear two concepts – Privacy by Design (PbD) and Privacy by Default.\nDealing with human privacy is not something new.\nWe build applications that store and process personal data – from e-commerce sites, banking, healthcare, advertisement, and more.\nThe concept of Privacy by Design (PbD) was embraced by the GDPR (General Data Protection Regulation) in Article 5 and Article 25, the CCPA (California Consumer Protection Act) in W410-1, the LGPD (Brazilian Data Protection Law) in Article 46 and the Canadian PIPEDA (Personal Information Protection and Electronic Documents Act) in Recommendation 14.\nWhen designing systems in the cloud, we must remember the Shared Responsibility Model.\nThe cloud provider is responsible for the underlying infrastructure layers and offers us many built-in security controls, but it is our responsibility, as companies developing systems in the cloud, to use the security controls and design applications to meet all privacy requirements.\nIn this blog post, I will provide insights about how to implement those concepts when building new systems in the cloud.\nWhat is Privacy by Design? # Privacy by Design (PbD) is based on seven \u0026ldquo;foundational principles\u0026rdquo;:\nPrinciple 1: Proactive not reactive; preventive not remedial # To achieve this principle, we need to implement proactive security controls.\nExamples of security controls that come built-in as part of major cloud providers:\nIdentity and Access Management – Enforce authentication (who the persona claims to be) and authorization (what actions can be done by authenticated identity). 
Examples of services: AWS Identity and Access Management (IAM), Azure Active Directory (Azure AD), Google Cloud Identity and Access Management (IAM), and Oracle Cloud Infrastructure Identity and Access Management (IAM).\nNetwork Protection – Enforce inbound/outbound access to services using access control mechanisms. Examples of services: AWS Security groups, Azure Network security groups (NSG), GCP VPC firewall rules, and Oracle Cloud Infrastructure Security Lists.\nData Encryption – Enforce confidentiality by encrypting data in transit and at rest. Examples of services: AWS Key Management Service (AWS KMS), Azure Key Vault, Google Cloud KMS, and Oracle Cloud Infrastructure Vault.\nPrinciple 2: Privacy as the default setting # To achieve this principle, we need to implement default settings at the application level and on the infrastructure level.\nData minimization – When designing an application, we need to decide what is the minimum number of fields that will be stored (and perhaps processed) on data subjects in the application.\nData location – When designing an application, we need to take into consideration data residency, by selecting the target region to store data according to relevant laws and regulations.\nData retention – We need to set our application to keep data for as long as it is required and either delete or archive data when it is no longer needed (according to application/service capabilities).\nExamples: Amazon S3 lifecycle management, Amazon EFS lifecycle management, Azure Storage lifecycle management, Google Cloud Storage Lifecycle Management, and Oracle Cloud Infrastructure Object Storage Lifecycle Management.\nKeeping Audit Trail – By default administrative actions (usually using APIs) are logged by all major cloud providers. If we want to increase log retention or include data actions (what identity did with the data), we need to manually enable it. 
Examples of services: AWS CloudTrail, Azure Monitor, Google Cloud Audit Logs, and Oracle Cloud Infrastructure Logging service.\nData Encryption – Enforce confidentiality by encrypting data in transit and at rest.\nPrinciple 3: Privacy Embedded into Design # To achieve this principle, we need to embed privacy safeguards as part of the design.\nMost data protection or data privacy regulations offer the data subjects the following rights:\nThe right to be informed about the collection and use of their data.\nThe right to view and request copies of their data.\nThe right to request inaccurate or outdated personal information be updated or corrected.\nThe right to request their data be deleted.\nThe right to ask for their data to be transferred to another controller or provided to them.\nWhen we design an application, we need to develop it to support the above data subject rights from day one, so once we need to use those functionalities, we will have them prepared, even before collecting information about the first data subject.\nPrinciple 4: Full functionality – positive-sum, not zero-sum # To achieve this principle, we need to look at the bigger picture.\nPrivacy safeguards should be embedded as part of the application design, without affecting security controls or without causing performance impact on other services.\nAn example can be the security requirement to audit all actions in the system (for the incident response process) while meeting the data privacy requirement to keep only a minimum amount of information about data subjects, not to mention the cost of keeping long-term audit log storage.\nIn the case of audit logs, we need to find the balance between having logs for investigation, while removing unnecessary information about data subjects, and perhaps moving old logs to an archive tier to save costs.\nPrinciple 5: End-to-end security – full lifecycle protection # To achieve this principle, we need to make sure data is kept private throughout its entire 
lifecycle, from collection and storage to retirement and disposal (when not required anymore).\nWhen talking about data security, we must always remember to follow the CIA triad: Confidentiality, Integrity, and Availability.\nThe data lifecycle management contains the following:\nData generation or collection – We need to take into consideration automatic data classification.\nStorage – We need to take into consideration data retention and archiving, including storage capacity and archiving capabilities.\nData use and sharing – We need to implement strong authentication and authorization processes to protect the data we store and process.\nData archive – We should take advantage of built-in storage archive capabilities that exist with all major cloud providers.\nData disposal – We should design mechanisms to allow us to destroy data no longer needed.\nPrinciple 6: Visibility and transparency – keep it open # To achieve this principle, we need to create and publish a privacy policy that will be available for our customers, per application or per website we publicly expose to the Internet.\nThe privacy policy should contain information about:\nThe data we collect.\nThe purpose for collecting data from our customers.\nIf we share private data with third parties, the privacy policy should indicate it.\nThe data subject rights (such as viewing which data is being collected, the right to update data subjects\u0026rsquo; data or delete data subject data).\nHow can data subjects contact us (to view data, update it, delete it, or export it)?\nVisibility and transparency are crucial, and as such, the privacy policy must be kept up to date.\nPrinciple 7: Respect for user privacy – keep it user-centric # To achieve this principle, we need to put our customers (or data subjects) first.\nUser experience is an important factor – how will our customers know that we are collecting private data? 
How will they be able to consent to data collection, view the data we are collecting, or ask us to delete it?\nWe need to configure our application with privacy settings enabled by default and allow our customers an easy way to opt-in (subscribe) or opt out (unsubscribe) from our service.\nWe need to design our system to allow customers an easy way to export their private data and support the portability of the data we collect to another third-party system in a standard readable format.\nSummary # When designing applications that will store or process private data in the cloud, we should remember the shared responsibility model, together with the seven principles of privacy by design.\nSome of the principles can be achieved using services offered by cloud providers, for some, we can use third-party solutions and for some we are responsible for the implementation, to comply with privacy laws or regulations and to keep our customers\u0026rsquo; private data safe.\nFor any organization designing new applications in the cloud, I recommend creating teams containing representatives of both the technology department (such as DevOps, architects, and security personnel) and legal department (such as Lawyers, data privacy, compliance, and risk), to be able to design an end-to-end solution.\nI invite anyone designing new applications, to read and get more information about the privacy law and regulations affecting their customers.\nDisclaimer – This blog post contains my opinion. 
It does not replace any legal advice for complying with privacy obligations or regulations.\n","date":"12 June 2023","externalUrl":null,"permalink":"/posts/privacy-by-design-and-privacy-by-default-in-the-cloud/","section":"Posts","summary":"","title":"Privacy by Design and Privacy by Default in the Cloud","type":"posts"},{"content":"","date":"17 May 2023","externalUrl":null,"permalink":"/categories/chaos-engineering/","section":"Categories","summary":"","title":"Chaos-Engineering","type":"categories"},{"content":" When deploying a new application in the public cloud, we need to ask the business owner what are the resiliency (or SLA) requirements – How long can the business survive while our application is down and does not serve customers?\nThere are various answers to that question – from 24/7 availability (not realistic) to uptime of 99.9%, etc.\nThe domain of resiliency has two main concepts:\nRTO (Recovery Time Objective) – the amount of time it takes to recover a system after disruption\nRPO (Recovery Point Objective) – the amount of data loss, measured by time\nTo achieve high resiliency, or follow business SLA requirements, there are technical and cost consequences.\nNaturally, we want to provision resources in high-availability (such as a farm of front-end web servers behind load-balancer), in a cluster (such as a cluster of database instances), deployed in multiple availability zones or perhaps in multiple regions, and try to avoid single point of failure.\nWe need to plan an architecture that will support our business resiliency requirements.\nIn theory, an architect can look at proposed architecture and say whether or not he sees potential availability failures, but it does not scale in large and complex architectures.\nIn 2021, AWS announced the general availability of the AWS Resilience Hub.\nIn this blog post, I will review what is the purpose of this service and how can we use it regularly, as part of our CI/CD process.\nHow does AWS Resilience Hub 
work? # Source: https://docs.aws.amazon.com/resilience-hub/latest/userguide/how-it-works.html\nTo work with AWS Resilience Hub, follow the steps below:\nAdd an application # AWS Resilience Hub allows you to assess an application by scanning the following resources:\nAWS Resource Groups\nAWS AppRegistry applications\nAWS CloudFormation stacks\nTerraform state files\nAmazon EKS cluster configuration\nSet resilience targets # AWS Resilience Hub supports the following built-in tiers:\nFoundational IT core services\nMission critical\nCritical\nImportant\nNon-critical\nChoose the target policy according to the application business requirements of RTO and RPO.\nSelect one of the predefined suggested policies:\nNon-critical application\nImportant Application\nCritical Application\nGlobal Critical Application\nMission Critical Application\nGlobal Mission Critical Application\nFoundational Core Service\nAWS Resilience Hub allows you to evaluate the resiliency of an application against the following types of disruption:\nCustomer Application RTO and RPO\nAWS Infrastructure RTO and RPO\nCloud Infrastructure Availability Zone (AZ) disruption\nAWS Region disruption\nRun an assessment # AWS Resilience Hub allows you to either run manual one-time assessments or schedule an assessment daily.\nTo get the most value from AWS Resilience Hub, you can integrate it as part of a CI/CD pipeline, as an additional step, once you provision Infrastructure as Code (using CloudFormation templates or Terraform modules).\nCommon examples of integration with a CI/CD pipeline:\nAWS CodePipeline\nJenkins Pipelines\nGitHub Actions\nIn a mature environment, you can take one step further and integrate AWS Resilience Hub with the built-in chaos engineering service AWS Fault Injection Simulator to conduct controlled experiments on your application and evaluate its resiliency.\nReview results and continue improvements # Once an assessment has been completed, it is time to review the results, to make sure your 
application meets the business resiliency requirements (in terms of RTO/RPO).\nThe results will be written in a report, with recommendations for improvements to your application resiliency, such as adding another node to an RDS cluster, deploying another EC2 instance in another availability zone, enabling S3 bucket versioning, etc.\nTo make things easy to understand and improve over time, you can build dashboards using Amazon QuickSight and send alerts using CloudWatch, as explained in the blog post:\nhttps://aws.amazon.com/blogs/mt/resilience-reporting-dashboard-aws-resilience-hub/\nFor continuous and automated improvement, you can integrate AWS Resilience Hub with AWS Systems Manager to efficiently recover your application in the event of outages, as explained in the blog post:\nhttps://docs.aws.amazon.com/resilience-hub/latest/userguide/create-custom-ssm-doc.html\nSummary # In this blog post, we learned about the purpose of AWS Resilience Hub, what are the various steps for using it, and perhaps most important – how to automate the assessment as part of a CI/CD pipeline for continuous improvement.\nI encourage anyone who builds applications on top of AWS to learn about the benefits of this service, providing insights into the resiliency of applications to meet business requirements.\nAdditional References: # Validating and Improving the RTO and RPO Using AWS Resilience Hub\nEstablishing RPO and RTO Targets for Cloud Applications\nHow to use the AWS Resilience Hub score\nPrepare \u0026amp; Protect Your Applications from Disruption with AWS Resilience Hub\n","date":"17 May 2023","externalUrl":null,"permalink":"/posts/introduction-to-aws-resilience-hub/","section":"Posts","summary":"","title":"Introduction to AWS Resilience Hub","type":"posts"},{"content":" In the past couple of years, we hear the term \u0026ldquo;Chaos Engineering\u0026rdquo; in the context of cloud.\nMature organizations have already begun to embrace the concepts of chaos engineering, and perhaps 
the most famous use of chaos engineering began at Netflix when they developed Chaos Monkey.\nTo quote Werner Vogels, Amazon CTO: \u0026ldquo;Everything fails, all the time\u0026rdquo;.\nWhat is chaos engineering and what are the benefits of using chaos engineering for increasing the resiliency and reliability of workloads in the public cloud?\nWhat is Chaos Engineering? # \u0026ldquo;Chaos Engineering is the discipline of experimenting on a system to build confidence in the system’s capability to withstand turbulent conditions in production.\u0026rdquo; (Source: https://principlesofchaos.org)\nProduction workloads on large scale, are built from multiple services, creating distributed systems.\nWhen we design large-scale workloads, we think about things such as:\nCreating high-available systems\nCreating disaster recovery plans\nDecreasing single point of failure\nHaving the ability to scale up and down quickly according to the load on our application\nOne thing we usually do not stop to think about is the connectivity between various components of our application and what will happen in case of failure in one of the components of our application.\nWhat will happen if, for example, a web server tries to access a backend database, and it will not be able to do so, due to network latency on the way to the backend database?\nHow will this affect our application and our customers?\nWhat if we could test such scenarios on a live production environment, regularly?\nDo we trust our application or workloads infrastructure so much, that we are willing to randomly take down parts of our infrastructure, just so we will know the effect on our application?\nHow will this affect the reliability of our application, and how will it allow us to build better applications?\nHistory of Chaos Engineering # In 2010 Netflix developed a tool called \u0026ldquo;Chaos Monkey\u0026rdquo;, whose goal was to randomly take down compute services (such as virtual machines or containers), part of 
the Netflix production environment, and test the impact on the overall Netflix service experience.\nIn 2011 Netflix released a toolset called \u0026ldquo;The Simian Army\u0026rdquo;, which added more capabilities to the Chaos Monkey, from reliability, security, and resiliency (i.e., Chaos Kong which simulates an entire AWS region going down).\nIn 2012, Chaos Monkey became an open-source project (under Apache 2.0 license).\nIn 2016, a company called Gremlin released the first \u0026ldquo;Failure-as-a-Service\u0026rdquo; platform.\nIn 2017, the LitmusChaos project was announced, which provides chaos jobs in Kubernetes.\nIn 2019, Alibaba Cloud announced ChaosBlade, an open-source Chaos Engineering tool.\nIn 2020, Chaos Mesh 1.0 was announced as generally available, an open-source cloud-native chaos engineering platform.\nIn 2021, AWS announced the general availability of AWS Fault Injection Simulator, a fully managed service to run controlled experiments.\nIn 2021, Azure announced the public preview of Azure Chaos Studio.\nWhat exactly is Chaos Engineering? 
# Chaos Engineering is about experimentation based on real-world hypotheses.\nThink about Chaos Engineering, as one of the tests you run as part of a CI/CD pipeline, but instead of a unit test or user acceptance test, you inject controlled faults into the system to measure its resiliency.\nChaos Engineering can be used for both modern cloud-native applications (built on top of Kubernetes) and for the legacy monolith, to achieve the same result – answering the question – will my system or application survive a failure?\nOn high-level, Chaos Engineering is made of the following steps:\nCreate a hypothesis\nRun an experiment\nAnalyze the results\nImprove system resiliency\nAs an example, here is AWS’s point of view regarding the shared responsibility model, in the context of resiliency:\nSource: https://aws.amazon.com/blogs/architecture/chaos-engineering-in-the-cloud\nChaos Engineering managed platform comparison # In the table below we can see a comparison between AWS and Azure-managed services for running Chaos Engineering experiments:\nAdditional References: # AWS FIS actions reference\nAzure Chaos Studio fault and action library\nSummary # In this post, I have explained the concept of Chaos Engineering and compared alternatives to cloud-managed services.\nUsing Chaos Engineering as part of a regular development process will allow you to increase the resiliency of your applications, by studying the effect of failures and designing recovery processes.\nChaos Engineering can also be used as part of a disaster recovery and business continuity process, by testing the resiliency of your systems.\nAdditional References # Chaos engineering (Wikipedia)\nPrinciples of Chaos Engineering\nChaos Engineering in the Cloud\nWhat Chaos Engineering Is (and is not)\nAWS re:Invent 2022 - The evolution of chaos engineering at Netflix (NFX303)\nWhat is AWS Fault Injection Simulator?\nWhat is Azure Chaos Studio?\nPublic Chaos Engineering Stories / Implementations\n","date":"17 May 
2023","externalUrl":null,"permalink":"/posts/introduction-to-chaos-engineering/","section":"Posts","summary":"","title":"Introduction to Chaos Engineering","type":"posts"},{"content":" Over the years, I have shared several blog posts about Kubernetes (What are Containers and Kubernetes, Modern Cloud deployment and usage, Introduction to Container Operating Systems, and more).\nKubernetes became a de-facto standard for running container-based workloads (for both on-premise and the public cloud), but most organizations tend to fail on what is referred to as Day 2 Kubernetes operations.\nIn this blog post, I will review what \u0026ldquo;Day 2 Kubernetes\u0026rdquo; means and how to prepare your workloads for the challenges of Day 2 operations.\nReady, Set, Go! # In the software lifecycle, or the context of this post, the Kubernetes lifecycle, there are several distinct stages:\nDay 0 - Planning and Design # In this stage, we focus on designing our solution (application and underlying infrastructure), understanding business needs, budget, required skills, and more.\nFor the context of this post, let us assume we have decided to build a cloud-native application, made of containers, deployed on top of Kubernetes.\nDay 1 - Configuration and Deployment # In this stage, we focus on deploying our application using the Kubernetes orchestrator and setting up the configurations (number of replicas, public ports, auto-scale settings, and more).\nMost organizations taking their first steps deploying applications on Kubernetes are stuck at this stage.\nThey may have multiple environments (such as Dev, Test, UAT) and perhaps even production workloads, but they are still on Day 1.\nDay 2 - Operations # Mature organizations have reached this stage.\nThis is about ongoing maintenance, observability, and continuous improvement of security aspects of production workloads.\nIn this blog post, I will dive into \u0026ldquo;Day 2 Kubernetes\u0026rdquo;.\nDay 2 Kubernetes challenges # 
Below are the most common Kubernetes challenges:\nObservability # Managing Kubernetes at a large scale requires insights into the Kubernetes cluster(s).\nIt is not enough to monitor the Kubernetes cluster by collecting performance logs, errors, or configuration changes (such as Nodes, Pods, containers, etc.)\nWe need to have the ability to truly understand the internals of the Kubernetes cluster (from logs, metrics, etc.), be able to diagnose the behavior of the Kubernetes cluster – not just performance issues, but also debug problems, detect anomalies, and (hopefully) be able to anticipate problems before they affect customers.\nPrefer to use cloud-native monitoring and observability tools to monitor Kubernetes clusters.\nWithout proper observability, we will not be able to do root cause analysis and understand problems with our Kubernetes cluster or with our application deployed on top of Kubernetes.\nCommon tools for observability:\nPrometheus - An open-source systems monitoring and alerting toolkit for monitoring large cloud-native deployments.\nGrafana - An open-source query, visualization, and alerting tool (resource usage, built-in and customized metrics, alerts, dashboards, log correlation, etc.)\nOpenTelemetry - A collection of open-source tools for collecting and exporting telemetry data (metrics, logs, and traces) for analyzing software performance and behavior.\nAdditional references for managed services: # Amazon Managed Grafana\nAmazon Managed Service for Prometheus\nAWS Distro for OpenTelemetry\nAzure Monitor managed service for Prometheus (Still in preview on April 2023)\nAzure Managed Grafana\nOpenTelemetry with Azure Monitor\nGoogle Cloud Managed Service for Prometheus\nGoogle Cloud Logging plugin for Grafana\nOpenTelemetry Collector (Part of Google Cloud operations suite)\nSecurity and Governance # On the one hand, it is easy to deploy a Kubernetes cluster in private mode, meaning, the API server or the Pods are on an internal subnet and not 
directly exposed to customers.\nOn the other hand, many challenges in the security domain need to be solved:\nSecrets Management – A central and secure vault for generating, storing, retrieving, rotating, and eventually revoking secrets (instead of hard-coded static credentials inside our code or configuration files).\nAccess control mechanisms – Ability to control what persona (either human or service account) has access to which resources inside the Kubernetes cluster and to take what actions, using RBAC (Role-based access control) mechanisms.\nSoftware vulnerabilities – Any vulnerabilities related to code – from programming languages (such as Java, PHP, .NET, NodeJS, etc.), use of open-source libraries with known vulnerabilities, to vulnerabilities inside Infrastructure-as-Code (such as Terraform modules)\nHardening – Ability to deploy a Kubernetes cluster at scale, using secured configuration, such as CIS Benchmarks.\nNetworking – Ability to set isolation between different Kubernetes clusters or even between different development teams using the same cluster, not to mention multi-tenancy where using the same Kubernetes platform to serve different customers.\nAdditional Reference: # Securing the Software Supply Chain in the Cloud\nOPA (Open Policy Agent) Gatekeeper\nKyverno - Kubernetes Native Policy Management\nFoundational Cloud Security with CIS Benchmarks\nAmazon EKS Best Practices Guide for Security\nAzure security baseline for Azure Kubernetes Service (AKS)\nGKE Security Overview\nDevelopers experience # Mature organizations have already embraced DevOps methodologies for pushing code through a CI/CD pipeline.\nThe entire process needs to be done automatically and without direct access of developers to production environments (for this purpose you build break-glass mechanisms for the SRE teams).\nThe switch to applications wrapped inside containers, allowed developers to develop locally or in the cloud and push new versions of their code to various 
environments (such as Dev, Test, and Prod).\nIntegration of CI/CD pipeline, together with containers, allows organizations to continuously develop new software versions, but it requires expanding the knowledge of developers using training.\nThe use of GitOps and tools such as Argo CD allowed a continuous delivery process for Kubernetes environments.\nTo allow developers, the best experience, you need to integrate the CI/CD process into the development environment, allowing the development team the same experience as developing any other application, as they used to do in the on-premise for legacy applications, which can speed the developer onboarding process.\nAdditional References: # GitOps 101: What is it all about?\nArgo CD - Declarative GitOps CD for Kubernetes\nContinuous Deployment and GitOps delivery with Amazon EKS Blueprints and ArgoCD\nGetting started with GitOps, Argo, and Azure Kubernetes Service\nBuilding a Fleet of GKE clusters with ArgoCD\nStorage # Any Kubernetes cluster requires persistent storage - whether organizations choose to begin with an on-premise Kubernetes cluster and migrate to the public cloud, or provision a Kubernetes cluster using a managed service in the cloud.\nKubernetes supports multiple types of persistent storage – from object storage (such as Azure Blob storage or Google Cloud Storage), block storage (such as Amazon EBS, Azure Disk, or Google Persistent Disk), or file sharing storage (such as Amazon EFS, Azure Files or Google Cloud Filestore).\nThe fact that each cloud provider has its implementation of persistent storage adds to the complexity of storage management, not to mention a scenario where an organization is provisioning Kubernetes clusters over several cloud providers.\nTo succeed in managing Kubernetes clusters over a long period, knowing which storage type to use for each scenario, requires storage expertise.\nHigh Availability # High availability is a common requirement for any production workload.\nThe fact that 
we need to maintain multiple Kubernetes clusters (for example one cluster per environment such as Dev, Test, and Prod) and sometimes on top of multiple cloud providers, make things challenging.\nWe need to design in advance where to provision our cluster(s), thinking about constraints such as multiple availability zones, and sometimes thinking about how to provision multiple Kubernetes clusters in different regions, while keeping HA requirements, configurations, secrets management, and more.\nDesigning and maintaining HA in Kubernetes clusters requires a deep understanding of Kubernetes internals, combined with knowledge about specific cloud providers\u0026rsquo; Kubernetes management plane.\nAdditional References: # Designing Production Workloads in the Cloud\nAmazon EKS Best Practices Guide for Reliability\nAKS - High availability Kubernetes cluster pattern\nGKE best practices: Designing and building highly available clusters\nCost optimization # Cost is an important factor in managing environments in the cloud.\nIt can be very challenging to design and maintain multiple Kubernetes clusters while trying to optimize costs.\nTo monitor cost, we need to deploy cost management tools (either the basic services provided by the cloud provider) or third-party dedicated cost management tools.\nFor each Kubernetes cluster, we need to decide on node instance size (amount of CPU/Memory), and over time, we need to review the node utilization and try to right-size the instance type.\nFor non-production clusters (such as Dev or Test), we need to understand from the cloud vendor documentation, what are our options to scale the cluster size to the minimum, when not in use, and be able to spin it back up, when required.\nEach cloud provider has its pricing options for provisioning Kubernetes clusters – for example, we might want to choose reserved instances or saving plans for production clusters that will be running 24/7, while for temporary Dev or Test environment, we might want 
to choose Spot instances and save cost.\nAdditional References: # Cost optimization for Kubernetes on AWS\nAzure Kubernetes Service (AKS) – Cost Optimization Techniques\nBest practices for running cost-optimized Kubernetes applications on GKE\n5 steps to bringing Kubernetes costs in line\n4 Strategies for Kubernetes Cost Reduction\nKnowledge gap # Running Kubernetes clusters requires a lot of knowledge, from the design, provisioning, and maintenance, usually done by DevOps or experienced cloud engineers, to the deployment of new applications, usually done by development teams.\nIt is crucial to invest in employee training, in all aspects of Kubernetes.\nConstant updates using vendor documentation, online courses, blog posts, meetups, and technical conferences will enable teams to gain the knowledge required to keep up with Kubernetes updates and changes.\nAdditional References: # Kubernetes Blog\nAWS Containers Blog\nAzure Kubernetes Service (AKS) issue and feature tracking\nGoogle Cloud Blog - Containers \u0026amp; Kubernetes\nThird-party integration # Kubernetes solves part of the problems related to container orchestration.\nAs an open-source solution, it can integrate with other complementary open-source solutions (from monitoring, security and governance, cost management, and more).\nEvery organization might wish to use a different set of tools to achieve each task relating to the ongoing maintenance of the Kubernetes cluster or for application deployment.\nSelecting the right tools can be challenging as well, due to various business or technological requirements.\nIt is recommended to evaluate and select Kubernetes-native tools to achieve the previously mentioned tasks or resolve the mentioned challenges.\nSummary # In this blog post, I have reviewed the most common Day 2 Kubernetes challenges.\nI cannot stress enough the importance of employee training in deploying and maintaining Kubernetes clusters.\nIt is highly recommended to evaluate and look for a 
centralized management platform for deploying, monitoring (using cloud-native tools), and securing the entire fleet of Kubernetes clusters in the organization.\nAnother important recommendation is to invest in automation – from policy enforcement to application deployment and upgrade, as part of the CI/CD pipeline.\nI recommend you continue learning and expanding your knowledge in the ever-changing world of Kubernetes.\n","date":"17 May 2023","externalUrl":null,"permalink":"/posts/introduction-to-day-2-kubernetes/","section":"Posts","summary":"","title":"Introduction to Day 2 Kubernetes","type":"posts"},{"content":" For more than a decade, organizations have been using machine learning for various use cases such as predictions, assistance in the decision-making process, and more.\nDue to the demand for high computational resources and in many cases expensive hardware requirements, the public cloud became one of the better ways for running machine learning or deep learning processes.\nTerminology # Before we dive into the topic of this post, let us begin with some terminology:\nArtificial Intelligence – \u0026ldquo;The ability of a computer program or a machine to think and learn\u0026rdquo;, Wikipedia\nMachine Learning – \u0026ldquo;The task of making computers more intelligent without explicitly teaching them how to behave\u0026rdquo;, Bill Brock, VP of Engineering at Very\nDeep Learning – \u0026ldquo;A branch of machine learning that uses neural networks with many layers. 
A deep neural network analyzes data with learned representations like the way a person would look at a problem\u0026rdquo;, Bill Brock, VP of Engineering at Very\nSource: https://www.simplilearn.com/tutorials/artificial-intelligence-tutorial/ai-vs-machine-learning-vs-deep-learning\nPublic use cases of deep learning # Disney makes its archive accessible using deep learning built on AWS\nNBA accelerates modern app time to market to ramp up fans’ excitement\nSatair: Enhancing customer service with Lilly, a smart online assistant built on Google Cloud\nIn this blog post, I will focus on deep learning and hardware available in the cloud for achieving deep learning.\nDeep Learning workflow # The deep learning process is made of the following steps:\nPrepare – Store data in a repository (such as object storage or a database)\nBuild – Choose a machine learning framework (such as TensorFlow, PyTorch, Apache MXNet, etc.)\nTrain – Choose hardware (compute, network, storage) to train the model you have built (\u0026ldquo;learn\u0026rdquo; and optimize model from data)\nInference – Using the trained model (on large scale) to make a prediction\nDeep Learning processors comparison (Training phase) # Below is a comparison table for the various processors available in the public cloud, dedicated to the deep learning training phase:\nAdditional References # Amazon EC2 - Accelerated Computing\nAWS EC2 Instances Powered by Gaudi Accelerators for Training Deep Learning Models\nAWS Trainium\nAzure - GPU-optimized virtual machine sizes\nGoogle Cloud - GPU platforms\nGoogle Cloud - Introduction to Cloud TPU\nOracle Cloud Infrastructure - Compute Shapes - GPU Shapes\nAlibaba Cloud GPU-accelerated compute-optimized and vGPU-accelerated instance families\nNVIDIA T4 Tensor Core GPU\nNVIDIA A10 Tensor Core GPU\nNVIDIA A100 Tensor Core GPU\nDeep Learning processors comparison (Inference phase) # Below is a comparison table for the various processors available in the public cloud, dedicated to 
the deep learning inference phase:\nAdditional References # Amazon EC2 - Accelerated Computing\nAWS Inferentia\nGoogle Cloud - The G2 machine series\nSummary # In this blog post, I have shared information about the various alternatives for using hardware available in the public cloud to run deep learning processes.\nI recommend you to keep reading and expand your knowledge on both machine learning and deep learning, what services are available in the cloud and what are the use cases to achieve outcomes from deep learning.\nAdditional References # AWS Machine Learning Infrastructure\nAWS - Select the right ML instance for your training and inference jobs\nAWS - Accelerate deep learning and innovate faster with AWS Trainium\nAzure AI Infrastructure\nGoogle Cloud Platform - AI Infrastructure\nOracle Cloud - Machine Learning Services\nAlibaba Cloud - Machine Learning Platform for AI\n","date":"23 April 2023","externalUrl":null,"permalink":"/posts/introduction-to-deep-learning-hardware-in-the-cloud/","section":"Posts","summary":"","title":"Introduction to deep learning hardware in the cloud","type":"posts"},{"content":"","date":"20 April 2023","externalUrl":null,"permalink":"/categories/firewall/","section":"Categories","summary":"","title":"Firewall","type":"categories"},{"content":" Managing cloud environments on large scale has many challenges.\nOne of the challenges many organizations are facing is managing network inbound/outbound network connectivity to their cloud environments.\nDue to the nature of the public cloud, all resources are potentially public, unless we configured them otherwise.\nWhat are the challenges in the network security domain? # There are many challenges related to network security, here are the most common ones:\nUnauthorized inbound network access – Publicly facing resources (such as virtual machines, object storage, databases, etc.) 
allowing anyone on the Internet access to the resources\nUnrestricted outbound network access – Internal resources (such as virtual machines, databases, serverless, etc.) can initiate outbound traffic to resources on the public Internet\nManaging network access rules at large scale – Ability to control thousands of firewall rules created over time, while managing multiple accounts for a specific cloud provider (or even multiple different cloud providers)\nUnderstanding the network attack surface – Ability to get a clear view of what inbound or outbound traffic is allowed or denied in a large cloud environment with multiple accounts\nEnabling the business, while keeping the infrastructure secure – Ability to respond to multiple business requests, using a small network / information security / IT team\nWith all the above challenges, how do we keep our cloud network infrastructure secure and at a large scale?\nSet Guardrails # One of the common ways to configure guardrails is to use organizational policies using Policy-as-Code.\nAll major cloud providers support this capability.\nIt allows us to configure rules for the maximum allowed permissions over our cloud environments according to our company security policy while allowing developers / DevOps to continue provisioning resources.\nAWS Service control policies (SCPs) # Below are sample service control policies that can be configured at the AWS organizational level (with inheritance to the underlying OUs), for restricting inbound access:\nDetect whether any Amazon EC2 instance has an associated public IPv4 address\nDetect whether Amazon S3 settings to block public access are set as true for the account\nDetects whether an Amazon EKS endpoint is blocked from public access\nDetect whether the AWS Lambda function policy attached to the Lambda resource blocks public access\nDetect whether any Amazon VPC subnets are assigned a public IP address\nAzure Policy # Below are sample Azure policies that can be configured at the 
Azure subscription level, for restricting inbound access:\nContainer Apps should disable external network access\nNetwork interfaces should not have public IPs\nAll network ports should be restricted on network security groups associated to your virtual machine\nFunction apps should disable public network access\nAzure SQL Managed Instances should disable public network access\nPublic network access on Azure SQL Database should be disabled\nPublic network access should be disabled for MySQL servers\nPublic network access should be disabled for PostgreSQL servers\nStorage accounts should disable public network access\nGoogle Organization Policies # Below are sample Google organization policies that can be configured at the GCP Project level, for restricting inbound access:\nRestrict public IP access on Cloud SQL instances\nEnforce Public Access Prevention\nDisable VM serial port access\nDefine allowed external IPs for VM instances\nControlling inbound/outbound network traffic at scale # At large scale, we cannot rely on the built-in layer 4 access control mechanisms (such as AWS Security groups, Azure Network Security Groups, or GCP Firewall Rules) to define inbound or outbound traffic from/to our cloud environments.\nFor large scale, we should consider alternatives that will allow us to configure network restrictions, while giving us central visibility over our entire cloud environment.\nAnother aspect we should keep in mind is that the default layer 4 access control mechanisms do not provide us advanced protection against today\u0026rsquo;s threats, such as the ability to perform TLS inspection, control web traffic using URL filtering, etc.\nCloud-native firewall services: # Note: If you prefer to use 3rd party NGFW, you can deploy it using AWS Gateway Load Balancer or Azure Gateway Load Balancer.\nAdditional references # What is AWS Network Firewall?\nWhat is Azure Firewall?\n
Google Cloud Firewall Overview\nUnderstanding the network attack surface # One of the common issues with large cloud environments is gaining visibility into which inbound or outbound ports are open to the Internet, exposing the cloud environment.\nCommon services to allow network visibility:\nAWS Network Access Analyzer\nAzure Monitor Network Insights\nGoogle Network Intelligence Center\nAnother alternative for getting insights into attack surface or network misconfiguration is to deploy a 3rd party Cloud Security Posture Management (CSPM) solution, which will allow you central visibility into publicly accessible virtual machines, databases, object storage, and more, over multiple cloud providers\u0026rsquo; environments.\nSummary # In this blog post, I have presented common challenges in managing network security aspects in cloud environments.\nUsing a combination of organizational policies, strict inbound/outbound traffic control, and good visibility over large or complex cloud environments, it is possible to enable the business to move forward, while mitigating security risks.\nAs the cloud threat landscape evolves, security teams need to research suitable solutions to enable the business, while keeping the cloud environments secure.\n","date":"20 April 2023","externalUrl":null,"permalink":"/posts/managing-network-security-aspects-in-the-public-cloud/","section":"Posts","summary":"","title":"Managing network security aspects in the public cloud","type":"posts"},{"content":"","date":"5 April 2023","externalUrl":null,"permalink":"/categories/database/","section":"Categories","summary":"","title":"Database","type":"categories"},{"content":" In 2020, I published a blog post called Running MySQL Managed Database in the Cloud, comparing different alternatives for running MySQL database in the cloud.\nIn this blog post, I will take one step further, comparing PostgreSQL database alternatives deployed on a distributed system.\nBackground # PostgreSQL is an 
open-source relational database, used by many companies and very common among cloud applications, where companies prefer an open-source solution, supported by a strong community, as an alternative to commercial database engines.\nThe simplest way to run the PostgreSQL engine in the cloud is to choose one of the managed database services, such as Amazon RDS for PostgreSQL or Google Cloud SQL for PostgreSQL, which provide you with a fully managed database.\nIn this scenario, you, as the customer, receive a fully managed PostgreSQL database cluster that spans multiple availability zones, and the cloud provider is responsible for maintaining the underlying operating system, including patching, hardening, monitoring, and backup (up to the service limits).\nAs a customer, you receive an endpoint (i.e., DNS name and port), configure access controls (such as AWS Security groups or GCP VPC firewall rules), and set authentication and authorization for which identities have access to the managed database.\nThis solution is suitable for most common use cases if your applications (and perhaps customers) are in a specific region.\nWhat happens in a scenario where you would like to design a truly highly available architecture that spans multiple regions (in the rare case of an outage in a specific region) and serve customers across the globe, deploying your application close to your customers?\nThe solution for allowing high availability and multi-region deployment is to deploy the PostgreSQL engine in a managed distributed database.\nPostgreSQL Distributed Database Alternatives # The distributed system allows you to run a database across multiple regions while keeping the data synchronized.\nIn a distributed database, the compute layer (i.e., virtual machines) running the database engine is deployed on separate nodes from the storage and logging layer, allowing you to gain the benefits of the cloud provider\u0026rsquo;s backend infrastructure low-latency 
replication capabilities.\nIn each system, there is a primary cluster (which oversees read/write actions) and one or more secondary clusters (read-only replicas).\nArchitecture diagram:\nLet us examine some of the cloud providers\u0026rsquo; alternatives:\nAdditional References # Working with Amazon Aurora PostgreSQL Google AlloyDB for PostgreSQL Summary # In this blog post, I have compared two alternatives for running PostgreSQL-compatible database in a distributed architecture.\nIf you are looking for a relational database solution with high durability that will auto-scale according to application load, and with the capability to replicate data across multiple regions, you should consider one of the alternatives I have mentioned in this blog post.\nAs always, I recommend you to continue reading and expanding your knowledge on the topic and evaluate during the architecture design phase, if your workloads can benefit from a distributed database system.\nAdditional References # Amazon Aurora: Design considerations for high throughput cloud-native relational databases AlloyDB for PostgreSQL under the hood: Intelligent, database-aware storage ","date":"5 April 2023","externalUrl":null,"permalink":"/posts/distributed-managed-postgresql-database-alternatives-in-the-cloud/","section":"Posts","summary":"","title":"Distributed Managed PostgreSQL Database Alternatives in the Cloud","type":"posts"},{"content":"","date":"5 April 2023","externalUrl":null,"permalink":"/categories/postgresql/","section":"Categories","summary":"","title":"Postgresql","type":"categories"},{"content":" I have been working with public clouds since 2015, and in the past couple of months I see more and more discussions (on newsletters, LinkedIn, and technical forums) about a term called “Cloud Repatriation”.\nIn this post, I will share my opinion on “Cloud Repatriation” and how I believe organizations can better prepare themselves in advance, to avoid such scenarios.\nWhat is Cloud Repatriation? 
# Cloud repatriation is when a company decides to move existing workloads from the public cloud to its data centers or co-location facilities.\nThe main reason companies decide on such a drastic move (after already investing in the public cloud) is due to cost.\nAbout a decade ago, when companies considered moving to the public cloud, there was a myth that moving to the cloud will allow companies to save money on IT spending.\nAnother myth about the public cloud that caused companies to re-think about the move to the cloud was the ability to easily migrate existing workloads from the on-premise to the cloud using a \u0026ldquo;lift \u0026amp; shift\u0026rdquo; strategy (also known as \u0026ldquo;we will re-architect it later…\u0026rdquo;), which in the long term found out to be perhaps the worst strategy to move applications to the cloud.\nI am not suggesting that the public cloud is suitable to run 100% of the workloads currently running on-premise – there are scenarios where your company would leave workloads locally due to legacy application constraints, latency issues (if there is no public cloud region in your country), or regulatory constraints.\nSo how do we prepare our company in advance, to avoid decisions such as going back on-premise?\nCloud Strategy # The ideal time to create a cloud strategy is before deploying the first workload in the public cloud.\nEven if your company already deployed a playground for gaining experience with the cloud, it still has time to invest in a cloud strategy.\nThe most important thing to keep in mind is that the public cloud allows us many capabilities, with a single goal – serving our business and providing us with business value.\nThe goal is never to migrate to the cloud just for the sake of migration.\nWe always need to ask ourselves – how can we use the public cloud to enable our business?\nAnother important question we need to ask ourselves – what systems/applications do we currently have and which of them are we 
going to move to the cloud or are worth the effort to move to the cloud?\nEven if our cloud strategy is to go \u0026ldquo;cloud first\u0026rdquo;, it does not mean 100% of our applications will be migrated to the cloud – it only means that we will review each existing or new application to see if it is suitable to run in the cloud, and our priority is to move applications to the cloud (when feasible and when it makes sense in terms of cost, effort and technology capabilities).\nImportant note – having a cloud strategy is not enough – we must review and update our strategy regularly, according to our business requirements.\nArchitectural Decisions # To gain the most value from the public cloud, we need to consider the most suitable way to run our applications in the cloud.\nAlthough virtualization is still a valid option, it might not be the best option.\nMoving to the public cloud is a perfect time to consider modern deployments.\nContainerization is very popular both in the public cloud and in companies developing cloud-native applications.\nThe cloud offers us an easy way to run containers based on managed Kubernetes services, allowing us to focus on our business requirements, while leaving the maintenance of the control plane to the cloud provider.\nAnother option to benefit from the cloud is to use serverless – although each cloud provider has its alternative for running serverless (or Function as a Service), it does provide us with an easy way to run cloud-native applications, while taking benefit of the entire cloud provider\u0026rsquo;s eco-system.\nHaving a regular review of our workload architecture will allow us to make changes and take the full benefit of the public cloud – from scale, elasticity, and rich service eco-system.\nFinancial Management # I mentioned earlier that one of the reasons companies consider the public cloud to be more expensive than managing their data centers is because they tend to compare slightly different things.\nRunning our data centers
requires us to take care of physical security, power, cooling, and redundancy for everything we use.\nIn the public cloud, the cloud provider takes responsibility for managing the data centers, including the manpower required to run their data center, and the cost of using compute, network, storage, and software license – everything is embedded as part of the price we pay for consuming resources in the cloud.\nMigrating workloads to the cloud, without understanding the importance of cost or financial management aspects will lead to disappointment from the cloud or to high monthly or yearly costs.\nWe must understand our cloud provider(s) pricing options (from on-demand, reserved instances / saving plans, to spot instances).\nWe need to match the most suitable pricing option to our target service or workload, and we need to have trained employees (such as DevOps, engineers, developers, or architects) monitoring, reviewing, and regularly adjusting the pricing options to our workloads.\nFailing to monitor the service cost, will end up with a high bill.\nEmployee Training / Awareness # This is the most important thing to invest in.\nMigrating to the cloud requires investment in training our employees.\nOur employees need to have a solid understanding of how services run on the cloud, what is the most suitable service to select for each workload, when to choose virtualization, and when to use modern compute services such as containers or serverless.\nIf we are considering multi-cloud, we need to make sure our employees are trained and knowledgeable in running various workloads and multiple services on top of multiple different cloud providers (a well-known challenge for any company).\nWe need to invest in training our employees about automation – from provisioning the entire environment using Infrastructure-as-Code to writing automation scripts to take actions (such as powering down idle VMs, performing data replication, and more).\nSummary # Moving to the cloud might 
be challenging for small, medium, or legacy organizations.\nRunning to the cloud without preparation will be both a costly and a disappointing decision.\nIf we prepare in advance, develop a cloud strategy, and invest in employee training, we will be able to get the most value out of the public cloud and minimize the chance for cloud repatriation.\nAdditional References # Importance of cloud strategy https://eyal-estrin.medium.com/importance-of-cloud-strategy-cf37ee31bec9\nIntroduction to cloud financial management on AWS https://eyal-estrin.medium.com/introduction-to-cloud-financial-management-on-aws-cc23e564c365\nWhat is cloud repatriation? https://ubuntu.com/blog/what-is-cloud-repatriation\n","date":"29 March 2023","externalUrl":null,"permalink":"/posts/how-to-avoid-cloud-repatriation/","section":"Posts","summary":"","title":"How to Avoid Cloud Repatriation","type":"posts"},{"content":" In 2020, I published the blog post \u0026quot;Confidential Computing and the Public Cloud\u0026quot;.\nNow, let us return to the subject of confidential computing and see what has changed among cloud providers.\nBefore we begin our conversation, let us define what \u0026ldquo;Confidential Computing\u0026rdquo; is, according to The Confidential Computing Consortium:\n\u0026ldquo;Confidential Computing is the protection of data in use by performing the computation in a hardware-based, attested Trusted Execution Environment\u0026rdquo;\nSource: https://confidentialcomputing.io/about\nIntroduction # When we store data in the cloud, there are various use cases where we would like to protect data from unauthorized access (from an external attacker to an internal employee and up to a cloud provider engineer who potentially might have access to customers\u0026rsquo; data).\nTo name a few examples of data we would like to protect – financial data (such as credit card information), healthcare data (PHI – Personal Health Information), private data about a person (PII – Personally
Identifiable Information), government data, military data, and more.\nWhen we would like to protect data in the cloud, we usually encrypt it in transit (with protocols such as TLS) and at rest (with algorithms such as AES).\nAt some point in time, either an end-user or a service needs access to the encryption keys and the data is decrypted in the memory of the running machine.\nConfidential computing addresses this problem by encrypting data while in use, using a hardware-based Trusted Execution Environment (TEE), also known as the hardware root of trust.\nThe idea behind it is to decrease the reliance on proprietary software and provide security at the hardware level.\nTo validate that data is protected and has not been tampered with, confidential computing performs a cryptographic process called attestation, which allows the customer to audit and make sure data was not tampered with by any unauthorized party.\nThere are two approaches to achieving confidential computing using hardware-based TEEs:\nApplication SDKs – The developer is responsible for data partitioning and encryption. Might be influenced by programming language and specific hardware TEEs. Runtime deployment systems – Allows the development of cross-TEE portable applications.
As of March 2023, the following are the commonly supported hardware alternatives to achieve confidential computing or encryption in use:\nIntel Software Guard Extensions (Intel SGX) AMD Secure Encrypted Virtualization (SEV), based on AMD EPYC processors AWS took a different approach when they released the AWS Nitro Enclaves technology.\nThe AWS Nitro System is made from Nitro Cards (to provision and manage compute, memory, and storage), Nitro Security Chip (the link between the CPU and the place where customer workloads run), and the Nitro Hypervisor (receive virtual machine management commands and assign functions to the Nitro hardware interfaces).\nCloud Providers Comparison # All major cloud providers have their implementation and services that support confidential computing.\nBelow are the most used services supporting confidential computing:\nVirtual Machine supported instance types # Additional References: # Instances built on the AWS Nitro System Azure Confidential VMs Introducing high-performance Confidential Computing with N2D and C2D VMs Oracle Cloud Infrastructure Confidential Computing Alibaba Cloud - Build a confidential computing environment by using Enclave Managed Relational Database supported instance types # Additional References: # AWS DB instance classes AWS Aurora DB instance classes SQL Azure Always Encrypted Managed Containers Services Comparison # Additional References: # Using Enclaves with Amazon EKS Azure Confidential containers Encrypt workload data in use with Confidential Google Kubernetes Engine Nodes Alibaba Cloud Container Service for Kubernetes (ACK) clusters supports confidential computing Managed Hadoop Services supported instance types # Additional References: # Amazon EMR-supported instance types Google Dataproc Confidential Compute Summary # In this blog post, we have learned what confidential computing means, how it works, and why would we as customers need confidential computing to keep the privacy of our data stored in the 
public cloud.\nWe have also compared major cloud providers offering confidential computing-supported services.\nThe field of confidential computing continues to evolve – both from cloud providers adding more services to support confidential computing and allowing customers to have confidence storing data in the cloud and from third-party security vendors, offering cross-cloud platforms solutions, allowing an easy way to secure data in the cloud.\nI encourage everyone to read and expand their knowledge about confidential computing implementations.\nAdditional References: # Confidential Computing Consortium The Security Design of the AWS Nitro System Azure Confidential Computing Overview Google Confidential Computing Protect data in use with OCI Confidential Computing Alibaba Cloud - Privacy, Security and Confidential Computing - What You Need to Know ","date":"23 March 2023","externalUrl":null,"permalink":"/posts/comparing-confidential-computing-alternatives-in-the-cloud/","section":"Posts","summary":"","title":"Comparing Confidential Computing Alternatives in the Cloud","type":"posts"},{"content":" We have been using load-balancing technology for many years.\nWhat is the purpose of load-balancers and what are the alternatives offered as managed services by the public cloud providers?\nTerminology # Below are some important concepts regarding cloud load-balancers:\nPrivate / Internal Load-Balancer – A load-balancer serving internal traffic (such as traffic from public websites to a back-end database) Public / External Load-Balancer – A load-balancer that exposes a public IP and serves external traffic (such as traffic from customers on the public Internet to an external website) Regional Load-Balancer – A load-balancer that is limited to a specific region of the cloud provider Global Load-Balancer – A load-balancer serving customers from multiple regions around the world using a single public IP TLS Termination / Offloading – A process where a load-balancer decrypt 
encrypted incoming traffic, for further analysis (such as traffic inspection) and either pass the traffic to the back-end nodes decrypted (offloading the encrypted traffic) or pass the traffic encrypted to the back-end nodes What are the benefits of using load balancers? # Load-balancers offer our applications the following benefits:\nIncreased scalability – combined with \u0026ldquo;auto-scale\u0026rdquo; we can benefit from the built-in elasticity of cloud services, allowing us to increase or decrease the amount of compute services (such as VMs, containers, and database instances) according to our application\u0026rsquo;s load Redundancy – load-balancers allow us to send traffic to multiple back-end servers (or containers), and in case of a failure in a specific back-end node, the load-balancer will send traffic to other healthy nodes, allowing our service to continue serving customers Reduce downtime – consider a scenario where we need to schedule maintenance work (such as software upgrades in a stateful architecture), using a load-balancer, we can remove a single back-end server (or container), drain the incoming traffic, and send new customers\u0026rsquo; requests to other back-end nodes, without affecting the service Increase performance – assuming our service suffers from a peak in traffic, adding more back-end nodes will allow us a better performance to serve our customers Manage failures – one of the key features of a load-balancer is the ability to check the health status of the back-end nodes, and in case one of the nodes does not respond (or function as expected), the load-balancer will not send new traffic to the failed node Layer 4 Load-Balancers # The most common load-balancers operate at layer 4 of the OSI model (the network/transport layer), and usually, we refer to them as network load-balancers.\nThe main benefit of a network load balancer is extreme network performance.\nLet us compare the cloud providers\u0026rsquo; alternatives:\nAdditional 
reference # What is a Network Load Balancer? https://docs.aws.amazon.com/elasticloadbalancing/latest/network/introduction.html\nWhat is Azure Load Balancer? https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-overview\nGoogle Cloud Load Balancing overview https://cloud.google.com/load-balancing/docs/load-balancing-overview\nLayer 7 Load-Balancers # When we need to load balance modern applications traffic, we use application load balancers, which operate at layer 7 of the OSI model (the application layer).\nLayer 7 load-balancers have an application awareness, meaning you can configure routing rules to route traffic to two different versions of the same application (using the same DNS name), but with different URLs.\nLet us compare the cloud providers\u0026rsquo; alternatives:\nAdditional reference # What is an Application Load Balancer? https://docs.aws.amazon.com/elasticloadbalancing/latest/application/introduction.html\nWhat is Azure Application Gateway? https://learn.microsoft.com/en-us/azure/application-gateway/overview\nGlobal Load-Balancers # Although only Google has a native global load balancer, both AWS and Azure have alternatives, which allow us to configure a multi-region architecture serving customers from multiple regions around the world.\nLet us compare the cloud providers\u0026rsquo; alternatives:\nAdditional reference # What is AWS Global Accelerator? https://docs.aws.amazon.com/global-accelerator/latest/dg/what-is-global-accelerator.html\nWhat is Traffic Manager? https://learn.microsoft.com/en-us/azure/traffic-manager/traffic-manager-overview\nWhat is Azure Front Door? 
https://learn.microsoft.com/en-us/azure/frontdoor/front-door-overview\nSummary # In this blog post, we have reviewed why we need cloud load balancers when designing scalable and highly available architectures.\nWe reviewed the different types of managed cloud load balancers and compared the hyper-scale public cloud providers and their various capabilities.\nWhen designing a modern application, considering network aspects (such as internal, external, or even global availability requirements) will give you better application performance, availability, and customer experience.\nAdditional references # AWS Elastic Load Balancing features https://aws.amazon.com/elasticloadbalancing/features\nAzure Load-balancing options https://learn.microsoft.com/en-us/azure/architecture/guide/technology-choices/load-balancing-overview\nGoogle Cloud Load balancer feature comparison https://cloud.google.com/load-balancing/docs/features\n","date":"20 March 2023","externalUrl":null,"permalink":"/posts/introduction-to-cloud-load-balancers/","section":"Posts","summary":"","title":"Introduction to Cloud Load-Balancers","type":"posts"},{"content":" Whether we serve internal customers or external customers over the public Internet, we all manage production workloads at some stage in the application lifecycle.\nIn this blog post, I will review various aspects and recommendations when managing production workloads in the public cloud (although some of them may be relevant for on-premise as well).\nTip #1 – Think big, plan for large scale # Production workloads are meant to serve many customers simultaneously.\nDon\u0026rsquo;t think about the first 1000 customers who will use your application; plan for millions of concurrent connections from day one.\nTake advantage of the cloud elasticity when you plan your application deployment, and use auto-scaling capabilities to build a farm of virtual machines or containers, to be able to automatically scale in or scale out according to application
load.\nUsing an event-driven architecture gives you a better way to handle bottlenecks on specific components of your application (such as high load on front web servers, API gateways, backend data store, etc.).\nTip #2 – Everything breaks, plan for high availability # No business can accept downtime of a production application.\nAlways plan for the high availability of all components in your architecture.\nThe cloud makes it easy to design highly-available architectures.\nCloud infrastructure is built from separate geographic regions, and each region has multiple availability zones (which usually means several distinct data centers).\nWhen designing for high availability, deploy services across multiple availability zones, to mitigate the risk of a single AZ going down (together with your production application).\nUse auto-scaling services such as AWS Auto Scaling, Azure Autoscale, or Google Autoscale groups.\nTip #3 – Automate everything # The days when we manually deployed servers and later manually configured each server ended a long time ago.\nEmbrace the CI/CD process, and build steps to test and provision your workloads, from the infrastructure layer to the application and configuration layer.\nTake advantage of Infrastructure-as-Code to deploy your workloads.\nWhether you are using a single cloud vendor and putting effort into learning a specific IaC language (such as AWS CloudFormation, Azure Resource Manager, or Google Cloud Deployment Manager), or whether you prefer to learn and use a cloud-agnostic IaC language such as Terraform, always think about automation.\nAutomation will allow you to deploy an entire workload in a matter of minutes, for DR purposes or for provisioning new versions of your application.\nTip #4 – Limit access to production environments # Traditional organizations are still making the mistake of allowing developers access to production, \u0026ldquo;to fix problems in production\u0026rdquo;.\nAs a best practice, human access to
production workloads must be prohibited.\nFor provisioning of new services or making changes to existing services in production, we should use a CI/CD process, run by a service account, in a non-interactive mode, following the principle of least privilege.\nFor troubleshooting or emergency purposes, we should create a break-glass process, allowing a dedicated group of DevOps or Service Reliability Engineers (SREs) access to production environments.\nAll access attempts must be audited and kept in an audit system (such as SIEM), with read permissions for the SOC team.\nAlways use secure methods to log in to operating systems or containers (such as AWS Systems Manager Session Manager, Azure Bastion, or Google Identity-Aware Proxy).\nEnforce the use of multi-factor authentication (MFA) for all human access to production environments.\nTip #5 – Secrets Management # Static credentials of any kind (secrets, passwords, certificates, API keys, SSH keys) are prone to be breached when used over time.\nAs a best practice, we must avoid storing static credentials or hard-coding them in our code, scripts, or configuration files.\nAll static credentials must be generated, stored, retrieved, rotated, and revoked automatically using a secrets management service.\nAccess to the secrets management service requires a proper authentication and authorization process and is audited, and the logs must be sent to a central logging system.\nUse Secrets Management services such as AWS Secrets Manager, Azure Key Vault, or Google Secret Manager.\nTip #6 – Auto-remediation of vulnerabilities # Vulnerabilities can arise for various reasons – from misconfigurations to packages with well-known vulnerabilities to malware.\nWe need to take advantage of cloud services and configure automation to handle the following:\nVulnerability management – Run vulnerability scanners on a regular basis to automatically detect misconfigurations or deviations from configuration standards (services such as Amazon Inspector,
Microsoft Defender, or Google Security Command Center). Patch management – Create automated processes to check for missing OS patches and use CI/CD processes to push security patches (services such as AWS Systems Manager Patch Manager, Azure Automation Update Management, or Google OS patch management). Software composition analysis (SCA) – Run SCA tools as part of the CI/CD process to automatically detect open-source libraries/packages with well-known vulnerabilities (services such as Amazon Inspector for ECR, Microsoft Defender for Containers, or Google Container Analysis). Malware – If your workload contains virtual machines, deploy anti-malware software at the operating system level, to detect and automatically block malware. Secure code analysis – Run SAST / DAST tools as part of the CI/CD process, to detect vulnerabilities in your code (if you cannot auto-remediate, at least break the build process). Tip #7 – Monitoring and observability # Everything will eventually fail.\nLog everything – from system health, performance logs, and application logs to user experience logs.\nMonitor the entire service activity (from the operating system, network, application, and every part of your workload).\nUse automated services to detect outages or service degradation and alert you in advance, before your customers complain.\nUse services such as Amazon CloudWatch, Azure Monitor, or Google Cloud Logging.\nTip #8 – Minimize deviations between Dev, Test, and Production environments # Many organizations still believe in the false sense that lower environments (Dev, Test, QA, UAT) can be different from production, and \u0026ldquo;we will make all necessary changes before moving to production\u0026rdquo;.\nIf you build your environments differently, you will never be able to test changes or new versions of your applications/workloads in a satisfying manner.\nUse the same hardware (from instance type, amount of memory, CPU, and storage type) when provisioning compute 
services.\nProvision resources to multiple AZs, in the same way as you provision production workloads.\nUse the same Infrastructure-as-Code to provision all environments, with minor changes such as tagging indicating dev/test/prod, different CIDRs, and different endpoints (such as object storage, databases, API gateway, etc.).\nSome managed services (such as API gateways, WAF, DDoS protection, and more) have different pricing tiers (from free, standard to premium), allowing you to consume different capabilities or features – conduct a cost-benefit analysis and consider the risk of having different pricing tiers for Dev/Test vs. Production environments.\nSummary # Designing production workloads has many aspects to consider.\nWe must remember that production applications are our face to our customers, and as such, we would like to offer highly-available and secured production applications.\nThis blog post contains only part of the knowledge required to design, deploy, and operate production workloads.\nI highly recommend taking the time to read vendor documentation, specifically the well-architected framework documents – they contain information gathered by architects, using experience gathered over years from many customers around the world.\nAdditional references # AWS Well-Architected Framework https://docs.aws.amazon.com/wellarchitected/latest/framework/welcome.html\nMicrosoft Azure Well-Architected Framework https://learn.microsoft.com/en-us/azure/architecture/framework\nGoogle Cloud Architecture Framework https://cloud.google.com/architecture/framework\n","date":"8 March 2023","externalUrl":null,"permalink":"/posts/designing-production-workloads-in-the-cloud/","section":"Posts","summary":"","title":"Designing Production Workloads in the Cloud","type":"posts"},{"content":"","date":"25 February 2023","externalUrl":null,"permalink":"/categories/ipv6/","section":"Categories","summary":"","title":"Ipv6","type":"categories"},{"content":" When connecting machines
over the public Internet (or over private networks), we use IPv4 addresses.\nFor many years we heard about IPv4 address exhaustion or the fact that sometime in the future we will not be able to request new IPv4 addresses to connect over the public Internet.\nWe all heard that IPv6 address space will resolve our problem, but will it?\nIn this blog post, I will try to compare common use cases for using cloud services and see if they are ready for IPv6.\nBefore we begin, when working with IPv6, we need to clarify what “Dual Stack” means - A device with dual-stack implementation in the operating system has an IPv4 and IPv6 address, and can communicate with other nodes in the LAN or the Internet using either IPv4 or IPv6.\nSource: https://en.wikipedia.org/wiki/IPv6\nStep 1 – Cloud Network Infrastructure # The first step in building our cloud environment begins with the network services.\nThe goal is to be able to create a network environment with subnets, an access control list, be able to create peering between cloud accounts (for the same cloud provider), and get ingress access to our cloud environment (either from the public Internet or from our on-premise data center).\nVendor documentation: # AWS VPC that supports IPv6 addressing https://docs.aws.amazon.com/vpc/latest/userguide/get-started-ipv6.html\nWhat is IPv6 for Azure Virtual Network?
https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/ipv6-overview\nGoogle VPC networks https://cloud.google.com/vpc/docs/vpc\nStep 2 – Private Network Connectivity – Managed VPN Services # Now that we have a network environment in the cloud, how do we connect to it from our on-premise data center using Site-to-Site VPN?\nLet us compare the cloud providers\u0026rsquo; alternatives:\nVendor documentation: # Hybrid connectivity design - Amazon-managed VPN https://docs.aws.amazon.com/whitepapers/latest/ipv6-on-aws/hybrid-connectivity-design.html#amazon-managed-vpn\nGoogle Cloud VPN overview - IPv6 support https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview#ipv6_support\nStep 3 - Private Network Connectivity – Dedicated Network Connections # Assuming we managed to create a VPN tunnel between our on-premise data center and the cloud environment, what happens if we wish to set up a dedicated network connection (and have low latency and promised bandwidth)?\nLet us compare the cloud providers\u0026rsquo; alternatives:\nVendor documentation: # Hybrid connectivity design - AWS Direct Connect https://docs.aws.amazon.com/whitepapers/latest/ipv6-on-aws/hybrid-connectivity-design.html#aws-direct-connect\nAdd IPv6 support for private peering using the Azure portal https://learn.microsoft.com/en-us/azure/expressroute/expressroute-howto-add-ipv6-portal\nCreate and manage ExpressRoute public peering https://learn.microsoft.com/en-us/azure/expressroute/about-public-peering\nCan I reach my instances using IPv6 over Cloud Interconnect? 
https://cloud.google.com/network-connectivity/docs/interconnect/support/faq#ipv6\nStep 4 – Private Network Connectivity – Resources on the subnet level # We have managed to provision the network environment in the cloud using IPv6.\nWhat happens if we wish to connect to managed services using private network connectivity (inside the cloud provider\u0026rsquo;s backbone and not over the public Internet)?\nLet us compare the cloud providers\u0026rsquo; alternatives:\nVendor documentation: # Expedite your IPv6 adoption with PrivateLink services and endpoints https://aws.amazon.com/blogs/networking-and-content-delivery/expedite-your-ipv6-adoption-with-privatelink-services-and-endpoints\nCreate a Private Link service by using the Azure portal https://learn.microsoft.com/en-us/azure/private-link/create-private-link-service-portal?tabs=dynamic-ip\nStep 5 – Name Resolution – Managed DNS Service # In the previous step we configured network infrastructure, now, before provisioning resources, let us make sure we can access resources, meaning having a managed DNS service.\nBy name resolution, I mean both external customers over the public Internet and name resolution from our on-premise data centers.\nLet us compare the cloud providers\u0026rsquo; alternatives:\nVendor documentation: # Designing DNS for IPv6 https://docs.aws.amazon.com/whitepapers/latest/ipv6-on-aws/designing-dns-for-ipv6.html\nAzure DNS FAQ https://learn.microsoft.com/en-us/azure/dns/dns-faq\nGeneral Google Cloud DNS overview https://cloud.google.com/dns/docs/dns-overview\nStep 6 – Resource Provisioning – Compute (Virtual Machines) # In the previous steps we have set up the network infrastructure and name resolution, and now it is time to provision resources.\nThe most common resource we can find in IaaS is compute or virtual machines.\nLet us compare the cloud providers\u0026rsquo; alternatives:\nVendor documentation: # Amazon EC2 IPv6 addresses 
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html#ipv6-addressing\nCreate an Azure Virtual Machine with a dual-stack network using the Azure portal https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/create-vm-dual-stack-ipv6-portal\nConfiguring IPv6 for instances and instance templates https://cloud.google.com/compute/docs/ip-addresses/configure-ipv6-address\nStep 7 – Resource Provisioning – Compute (Managed Kubernetes) # Another common use case is to provision containers based on a managed Kubernetes service.\nLet us compare the cloud providers\u0026rsquo; alternatives:\nVendor documentation: # Running IPv6 EKS Clusters https://aws.github.io/aws-eks-best-practices/networking/ipv6/\nUse dual-stack kubenet networking in Azure Kubernetes Service (AKS) (Preview) https://learn.microsoft.com/en-us/azure/aks/configure-kubenet-dual-stack?tabs=azure-cli%2Ckubectl\nGKE - IPv4/IPv6 dual-stack networking https://cloud.google.com/kubernetes-engine/docs/concepts/alias-ips#dual_stack_network\nStep 8 – Resource Provisioning – Compute (Serverless / Function as a Service) # If we have already managed to provision VMs and containers, what about provisioning serverless or Function as a Service?\nLet us compare the cloud providers\u0026rsquo; alternatives:\nVendor documentation: # AWS Lambda now supports Internet Protocol Version 6 (IPv6) endpoints for inbound connections https://aws.amazon.com/about-aws/whats-new/2021/12/aws-lambda-ipv6-endpoints-inbound-connections\nStep 9 – Resource Provisioning – Managed Load Balancers # If we are planning to expose services either to the public internet or allow connectivity from our on-premise, we will need to use a managed load-balancer service.\nLet us compare the cloud providers\u0026rsquo; alternatives:\nVendor documentation: # Application Load Balancer and Network Load Balancer end-to-end IPv6 support 
https://aws.amazon.com/about-aws/whats-new/2021/11/application-load-balancer-network-load-balancer-end-to-end-ipv6-support\nOverview of IPv6 for Azure Load Balancer https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-ipv6-overview\nGCP - IPv6 termination for External HTTP(S), SSL Proxy, and External TCP Proxy Load Balancing https://cloud.google.com/load-balancing/docs/ipv6\nStep 10 – Resource Provisioning – Managed Object Storage # The next step after provisioning compute services is to allow us to store data in an object storage service.\nLet us compare the cloud providers\u0026rsquo; alternatives:\nVendor documentation: # Making requests to Amazon S3 over IPv6 https://docs.aws.amazon.com/AmazonS3/latest/userguide/ipv6-access.html\nStep 11 – Resource Provisioning – Managed Database Services # Most of the applications we provision require a backend database to store and retrieve data.\nLet us compare the cloud providers\u0026rsquo; alternatives:\nVendor documentation: # IPv6 addressing with Amazon RDS https://aws.amazon.com/blogs/database/ipv6-addressing-with-amazon-rds\nConnectivity architecture for Azure SQL Managed Instance - Networking constraints https://learn.microsoft.com/en-us/azure/azure-sql/managed-instance/connectivity-architecture-overview?view=azuresql\u0026amp;tabs=current#networking-constraints\nStep 12 – Protecting Network Access - Managed Firewall Services # If we are planning to expose services to the public Internet using IPv6 or allow access from on-premise, we need to consider a managed network firewall service.\nLet us compare the cloud providers\u0026rsquo; alternatives:\nVendor documentation: # AWS Network Firewall announces IPv6 support https://aws.amazon.com/about-aws/whats-new/2023/01/aws-network-firewall-ipv6-support\nStep 13 – Protecting Network Access – Managed DDoS Protection Services # On the topic of exposing services to the public Internet, we need to take into consideration protection against DDoS attacks.\nLet us 
compare the cloud providers\u0026rsquo; alternatives:\nVendor documentation: # AWS Shield FAQs https://aws.amazon.com/shield/faqs\nAbout Azure DDoS Protection SKU Comparison https://learn.microsoft.com/en-us/azure/ddos-protection/ddos-protection-sku-comparison\nGoogle Cloud Armor - Security policy overview https://cloud.google.com/armor/docs/security-policy-overview\nStep 14 – Protecting Network Access – Managed Web Application Firewall # We know that protection against network-based attacks is possible using IPv6.\nWhat about protection against application-level attacks?\nLet us compare the cloud providers\u0026rsquo; alternatives:\nVendor documentation: # IPv6 Support Update – CloudFront, WAF, and S3 Transfer Acceleration https://aws.amazon.com/blogs/aws/ipv6-support-update-cloudfront-waf-and-s3-transfer-acceleration\nWhat is Azure Front Door? https://learn.microsoft.com/en-us/azure/frontdoor/front-door-overview\nSummary # In this blog post we have compared various cloud services, intending to answer the question – Is the public cloud ready for IPv6?\nAs we have seen, many cloud services do support IPv6 today (mostly in dual-stack mode), and AWS does seem to be more mature than its competitors, however, at the time of writing this post, the public cloud is not ready to handle IPv6-only services.\nThe day we will be able to develop cloud-native applications while allowing end-to-end IPv6-only addresses, in all layers (from the network, compute, database, storage, event-driven / message queuing, etc.), is the day we know the public cloud is ready to support IPv6.\nFor the time being, dual stack (IPv4 and IPv6) is partially supported by many services in the cloud, but we cannot rely on end-to-end connectivity.\nAdditional References # AWS services that support IPv6 https://docs.aws.amazon.com/general/latest/gr/aws-ipv6-support.html\nAn Introduction to IPv6 on Google Cloud 
https://cloud.google.com/blog/products/networking/getting-started-with-ipv6-on-google-cloud\n","date":"25 February 2023","externalUrl":null,"permalink":"/posts/is-the-public-cloud-ready-for-ipv6/","section":"Posts","summary":"","title":"Is the Public Cloud Ready for IPv6?","type":"posts"},{"content":" Working with modern computing environments based on containers offers a lot of benefits (from small image footprint, fast deployment/decommission, and more), but it also has its challenges (from software/package update process, security, integration with container orchestrators, and more).\nIn this blog post, I will review container operating systems, what their benefits are in the modern cloud environment, and how AWS compares to Google Cloud in terms of container operating systems.\nWhat is a Container Operating System? # Container OS is a special type of Linux OS, dedicated to running container workloads.\nBelow are some of the benefits of using Container OS:\nSmall OS footprint – Container OS includes only the necessary packages and dependencies for running containers Optimized performance – Container OS is optimized specifically to run container workloads Immutable root filesystem – The root filesystem is mounted as read-only. No changes can be made to the root filesystem Remote control – SSH to the Container OS is disabled by default Automatic updates – Container OS software updates are done using the CSP-managed containers or Kubernetes service upgrade mechanisms AWS Bottlerocket vs. 
Google Container-Optimized OS # Summary # Container operating systems are considered the last word in the evolution of hypervisors, optimized to run container workloads.\nTheir small footprint, built-in security features, auto-update, and integration with managed Kubernetes services make them ideal for running container workloads.\nAlthough both Bottlerocket and Container-Optimized OS were created by specific cloud providers, AWS Bottlerocket does offer much broader alternatives for running a container OS on various container platforms.\nReferences # AWS Bottlerocket https://aws.amazon.com/bottlerocket/\nGoogle Container-Optimized OS https://cloud.google.com/container-optimized-os/docs/how-to\n","date":"19 February 2023","externalUrl":null,"permalink":"/posts/introduction-to-container-operating-systems/","section":"Posts","summary":"","title":"Introduction to Container Operating Systems","type":"posts"},{"content":" In the past couple of years, there has been a buzz about cloud-native applications.\nIn this series of posts, I will review what exactly is considered a cloud-native application and how we can secure cloud-native applications.\nBefore speaking about cloud-native applications, we should ask ourselves – what is cloud native anyway?\nThe CNCF (Cloud Native Computing Foundation) provides the following definition:\n\u0026ldquo;Cloud native technologies empower organizations to build and run scalable applications in modern, dynamic environments such as public, private, and hybrid clouds. Containers, service meshes, microservices, immutable infrastructure, and declarative APIs exemplify this approach.\nThese techniques enable loosely coupled systems that are resilient, manageable, and observable. 
Combined with robust automation, they allow engineers to make high-impact changes frequently and predictably with minimal toil.\u0026rdquo;\nSource: https://github.com/cncf/toc/blob/main/DEFINITION.md\nIt means – taking full advantage of cloud capabilities, from elasticity (scale in and scale out according to workload demands), use of managed services (such as compute, database, and storage services), and the use of modern design architectures based on micro-services, APIs, and event-driven applications.\nWhat are the key characteristics of cloud-native applications? # Use of modern design architecture # Modern applications are built from loosely coupled architecture, which allows us to replace a single component of the application, with minimal or even no downtime to the entire application.\nExamples can be code update/change or scale in/scale out a component according to application load.\nRESTful APIs are suitable for communication between components when fast synchronous communication is required. We use API gateways as a managed service to expose APIs and control inbound traffic to various components of our application. Example of services:\nAmazon API Gateway Azure API Management Google API Gateway Oracle API Gateway Event-driven architecture is suitable for asynchronous communication. It uses events to trigger and communicate between various components of our application. In this architecture, one component produces/publishes an event (such as a file uploaded to object storage) and another component subscribes/consumes the events (in a Pub/Sub model) and reacts to the event (for example reads the file content and streams it to a database). This type of architecture handles load very well. Example of services:\nAmazon EventBridge Amazon Simple Queue Service (SQS) Azure Event Grid Azure Service Bus Google Eventarc Google Cloud Pub/Sub Oracle Cloud Infrastructure (OCI) Events Service Additional References: # AWS - What is API management? 
AWS - What is an Event-Driven Architecture? Azure - API Design Azure - Event-driven architecture style Google API design guide GCP - Event-driven architectures Oracle API For Developers Oracle Cloud - Modern App Development - Event-Driven Use of microservices # Microservices represent the concept of distributed applications, and they enable us to decouple our applications into small independent components.\nComponents in a microservice architecture usually communicate using APIs (as previously mentioned in this post).\nEach component can be deployed independently, which provides a huge benefit for code change and scalability.\nAdditional references: # AWS - What are Microservices? Azure - Microservice architecture style GCP - What is Microservices Architecture? Oracle Cloud - Design a Microservices-Based Application The Twelve-Factor App Use of containers # Modern applications are heavily built upon containerization technology.\nContainers took virtual machines to the next level in the evolution of computing services.\nThey contain a small subset of the operating system – only the bare minimum binaries and libraries required to run an application.\nContainers bring many benefits – from the ability to run anywhere, small footprint (for container images), isolation (in case of a container crash), fast deployment time, and more.\nThe most common orchestration and deployment platform for containers is Kubernetes, used by many software development teams and SaaS vendors, capable of handling thousands of containers in many production environments.\nExample of services: # Amazon Elastic Kubernetes Service (EKS) Azure Kubernetes Service (AKS) Google Kubernetes Engine (GKE) Oracle Container Engine for Kubernetes (OKE) Additional References: # Containers on AWS Azure - What is a container? 
GCP - Containers in Cloud Use of Serverless / Function as a Service # More and more organizations are beginning to embrace serverless or function-as-a-service technology.\nThis is considered the latest evolution in computing services.\nThis technology allows us to write code and import it into a managed environment, where the cloud provider is responsible for the maintenance, availability, scalability, and security of the underlying infrastructure used to run our code.\nServerless / Function as a Service demonstrates a very good use case for event-driven applications (for example – an event written to a log file triggers a function to update a database record).\nFunctions can also be part of a microservice architecture, where some of the application components are based on serverless technology, to run specific tasks.\nExample of services: # AWS Lambda Azure Functions Google Cloud Functions Oracle Cloud Functions Additional References: # Serverless on AWS Azure serverless Google Cloud Serverless computing Oracle Cloud - What is serverless? 
Use of DevOps processes # To support rapid application development and deployment, modern applications use CI/CD processes, which follow DevOps principles.\nWe use pipelines to automate the process of continuous integration and continuous delivery or deployment.\nThe process allows us to integrate multiple steps or gateways, where in each step we can embed additional automated tests, from static code analysis, functional test, integration test, and more.\nExample of services: # AWS CodePipeline Azure Pipelines Google Cloud Build OCI DevOps Additional References: # DevOps and AWS DevOps solutions on Azure Google Cloud DevOps capabilities Oracle Cloud DevOps Overview Use of automated deployment processes # Modern application deployment takes advantage of automation using Infrastructure as Code.\nInfrastructure as Code uses declarative scripting languages in order to deploy an entire infrastructure or application infrastructure stack in an automated way.\nThe fact that our code is stored in a central repository allows us to enforce authorization mechanisms, auditing of actions, and the ability to roll back to the previous version of our Infrastructure as Code.\nInfrastructure as Code integrates perfectly with CI/CD processes, which enables us to re-use the knowledge we already gained from DevOps principles.\nExample of solutions: # AWS CloudFormation What is Azure Resource Manager? Google Cloud Deployment Manager What is Terraform? Additional References: # Automation as key to cloud adoption success AWS - Infrastructure as Code Azure - What is infrastructure as code (IaC)? Want a repeatable scale? Adopt infrastructure as code on GCP Oracle Cloud - What Is Infrastructure as Code (IaC)? 
Summary # In this post, we have reviewed the key characteristics of cloud-native applications, and how we can take full advantage of the cloud when designing, building, and deploying modern applications.\nI recommend you continue expanding your knowledge about cloud-native applications, whether you are a developer, IT team member, architect, or security professional.\nStay tuned for the next chapter of this series, where we will focus on securing cloud-native applications.\nAdditional references # AWS - What Is Cloud Native? Azure - What is Cloud Native? Google Cloud - What is cloud-native? Oracle Cloud - What is Cloud Native? What is a cloud-native application? What Modern Cloud-Native Apps are Made Of ","date":"28 January 2023","externalUrl":null,"permalink":"/posts/cloud-native-applications-part-1-introduction/","section":"Posts","summary":"","title":"Cloud Native Applications – Part 1: Introduction","type":"posts"},{"content":" In chapter 1 of this series about cloud-native applications, we have introduced the key characteristics of cloud-native applications.\nIn this chapter, we will review how to secure cloud-native applications.\nSecuring the CI/CD pipeline # Due to the dynamic nature of the cloud-native application, we need to begin securing our application stack from the initial steps of the CI/CD pipeline.\nSince I have already written posts on how to secure DevOps processes, automation, and supply chain, I will highlight the following:\nRun code analysis using automated tools (SAST – Static application security tools, DAST – Dynamic application security tools) Run SCA (Software composition analysis) tool to detect known vulnerabilities in open-source binaries and libraries Sign your software packages before storing them in a repository Store all your sources (code, container images, libraries) in a private repository, protected by strong authorization mechanisms Invest in security training for developers, DevOps, and IT personnel Make sure no human 
access is allowed to production environments (use Break Glass accounts for emergency purposes) Additional references: # Integrate security aspects in a DevOps process Securing the Software Supply Chain in the Cloud Cloud Native Security Map Securing infrastructure build process # As I have mentioned in the previous chapter of this series, one of the characteristics of cloud-native applications is the fact that they are built using Infrastructure as Code.\nEach cloud provider has its own IaC scripting language, and naturally, there is a cloud-agnostic (or multi-cloud…) option – HashiCorp Terraform.\nSince this is code, we need to store the code in a private repository and scan the code for security vulnerabilities, but we need an additional layer of protection for Infrastructure as Code.\nThis is referred to as Policy as Code, where we can define a set of controls, from enforcing encryption in transit and at rest, enabling resource provisioning in specific regions, or prohibiting the creation of instances with public IP.\nThe next thing in terms of the policy as code is called OPA – Open Policy Agent. 
It supports all major cloud providers and has built-in integration with Terraform, Kubernetes, and more.\nOPA has its own declarative language called Rego and it can integrate inside an existing CI/CD pipeline.\nAdditional references: # Introduction to Policy as Code Automation as key to cloud adoption success Open Policy Agent Terraform OPA policies examples Securing Containers / Kubernetes # Containers are one of the most common ways to package and deploy modern applications, and as a result, we need to secure the containerized environment.\nIt begins with a minimum number of binaries and libraries inside a container image.\nWe must make sure we scan our container images for vulnerable binaries or open-source libraries, and eventually, we need to store our container images inside a private container registry.\nIn most cases, when using Kubernetes as an orchestrator, we should choose a managed Kubernetes service (offered by each of the major cloud providers).\nUsing a Kubernetes control plane based on a managed service shifts the responsibility for securing and maintaining the Kubernetes control plane to the cloud provider.\nOne thing to keep in mind – we should always create private clusters, and make sure the control plane is never accessible outside our private subnets, to reduce the attack surface on our Kubernetes cluster.\nIn terms of authorization, we should follow the principle of least privilege and use RBAC (Role-based access control), to grant our application, our developers, and our support team only the minimum permissions required to do their job.\nIn terms of network connectivity to and between pods, we should use one of the service mesh solutions (such as Istio), and set network policies that clearly define which pod can communicate with which pod, and who can access the API server.\nIn terms of secrets management that the containers need access to, we need to make sure all sensitive data (secrets, credentials, API keys, etc.) 
are stored in a secured location (such as AWS Secrets Manager, Azure Key Vault, Google Secret Manager, Oracle Cloud Infrastructure Vault or HashiCorp Vault), where all requests to pull a secret are authorized and audited, and secrets can automatically rotate.\nAdditional references: # Kubernetes security Overview of Cloud Native Security OWASP - Kubernetes Security Cheat Sheet CIS Benchmark for Kubernetes The Istio service mesh Securing APIs # As we have mentioned in the previous chapter, communication between containers is done using APIs. Also, when communicating with applications deployed inside pods as part of the Kubernetes cluster, all communication is done through the Kubernetes API server.\nNot to mention that modern applications, websites and naturally mobile applications are exposing APIs to customers from the public internet (unless your application is meant for private use only…).\nBelow are the main best practices for securing APIs:\nAuthentication – make sure all your APIs require authentication. Regardless of whether your API is supposed to share public stock exchange data, a retail book catalog, or weather statistics, all requests to pull data from an exposed API must be authenticated. Authorization – make sure you set strict access control on each API request, whether it is read data from a database, update records, or privileged actions such as deleting data. Keep in mind the principle of least privilege. Encryption – all traffic to an exposed API must be encrypted in transit using the most up-to-date encryption protocol (for example TLS 1.2 or above). Encryption keeps the data confidential and proves the identity of your API (or server) to your customers. Auditing – make sure all actions done on your APIs are audited and all logs are sent to a central logging system (or SIEM) for archiving and further analysis (to find out if someone is trying to take actions they are not supposed to). 
Input validation – make sure all input coming to your APIs is validated before storing it in a backend database. It will allow you to limit the chance of injection attacks. DDoS and web-related attacks – make sure all your exposed APIs are protected behind anti-DDoS protection and a web application firewall. Even if it does not block 100% of the attacks, at least you will be able to block the well-known and signature-based attacks and decrease the amount of unwanted traffic against your APIs. Code review – API is a piece of code. Before pushing new changes to any API, make sure you run static and dynamic code analysis, to locate security vulnerabilities embedded in your code. Throttling – make sure you enforce a throttling mechanism, in case someone tries to access your API multiple times from the same source, to avoid a situation where your API is unavailable for all your customers. Additional reference: # OWASP API Security Project Authorization # Authorization in a cloud-native application can be challenging.\nIn legacy applications, all components were built as part of a single monolith, users had to log in from a single entry point, and once we had authenticated and authorized them, they were able to access data and, with proper permissions, make changes to data as well.\nSince modern applications are built upon micro-service architecture, we need to think not just about end users communicating with our application, but also about how each component in our architecture is going to communicate with other components (such as pod-to-pod communication, which requires authorization).\nIf every component in our entire application is developed by a separate team, we need to think about a central authorization mechanism.\nBut a central authorization mechanism is not enough.\nWe need to integrate our authorization mechanism with a central IAM (Identity and Access Management) system.\nI would not recommend reinventing the wheel – try to use the IAM service from your cloud provider of 
choice. Cloud-native IAM systems have built-in integration with the cloud eco-system, including auditing capabilities – this way you will be able to consume the service, without maintaining the underlying infrastructure.\nChecking the end-users\u0026rsquo; privileges at login time might not be sufficient. We need to think about fine-grained permissions – is a generic \u0026ldquo;Reader user\u0026rdquo; enough? Does the user need read access to all data stored in our data store? Perhaps they only need read access to a specific line of business customers database and nothing more. Always keep in mind the principle of least privilege.\nOur authorization mechanism needs to be dynamic according to each request and data the user is trying to access, be verified constantly and allow us to easily revoke permissions in case of suspicious activity, when permissions are no longer needed or if data confidentiality has changed over time.\nWe need to make sure our authorization mechanism can be easily integrated and consumed by each of the various development groups, as a standard authorization mechanism.\nAdditional references: # OPAL - Open-Policy Administration Layer Netflix’s permissions design in a talk at KubeCon Summary # In this post, we have reviewed various topics we need to take into consideration when talking about how to secure cloud-native applications.\nWe have reviewed the highlights of securing the build process, the infrastructure provisioning, Kubernetes (as an orchestrator engine to run our applications), and not forgetting topics that are part of the secure development lifecycle (securing APIs and authorization mechanism).\nNaturally, we have just covered some of the highlights of security in cloud-native applications.\nI strongly recommend that you dive deep into each topic, read the references and search for additional information that will allow any developer, DevOps, DevSecOps, architect, or security professional, to better secure cloud-native 
applications.\nAdditional References: # OWASP Cloud-Native Application Security Top 10 Cloud Native Security Whitepaper ","date":"28 January 2023","externalUrl":null,"permalink":"/posts/cloud-native-applications-part-2-security/","section":"Posts","summary":"","title":"Cloud Native Applications – Part 2: Security","type":"posts"},{"content":"","date":"28 January 2023","externalUrl":null,"permalink":"/categories/devops/","section":"Categories","summary":"","title":"Devops","type":"categories"},{"content":"","date":"28 January 2023","externalUrl":null,"permalink":"/categories/microservices/","section":"Categories","summary":"","title":"Microservices","type":"categories"},{"content":" Organizations migrating to the public cloud, or already provisioning workloads in the cloud come across limitations, either on production workloads or issues published in the media, as you can read below:\nSource: https://news.ycombinator.com/item?id=33743567\nSource: https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/allocation-failure\nSource: https://www.mirror.co.uk/news/uk-news/breaking-gmail-down-hundreds-email-28701750\nSource: https://www.datacenterknowledge.com/amazon/breaking-aws-experienced-outage-its-us-east-2-availability-zone\nAs a cloud consumer, you might be asking yourself, how do I mitigate such risks from affecting my production workloads? 
(Assuming your organization has already invested a lot of money and resources in the public cloud)\nThere is no one answer to this question, but in the following post, I will try to review some of the alternatives for protecting yourself or at least try to mitigate the risks.\nAlternative 1 – Switching to a cloud-native application # This alternative takes full advantage of cloud benefits.\nInstead of using VMs to run or process your workload, you will have to re-architect your application and use cloud-native services such as Serverless / Function as a Service, managed services (from serverless database services, object storage, etc.), and event-driven services (such as Pub/Sub, Kafka, etc.)\nPros # You decrease your application dependencies on virtual machines (on-demand, reserved instances, and even Spot instances), so resource allocation limits of VMs should be less concerning. Cons # Full re-architecture of your applications can be an expensive and time-consuming process. It requires a deep review of the entire application stack, understanding the application requirements and limitations, and having an experienced team of developers, DevOps, architects, and security personnel, knowledgeable enough about your target cloud provider\u0026rsquo;s ecosystem. The more you use a specific cloud’s ecosystem (such as proprietary Serverless / Function as a Service), the higher your dependency on specific cloud technology, which will cause challenges in case you are planning to switch to another cloud provider sometime in the future (or consider the use of multi-cloud). Additional references: # AWS - What Is Cloud Native? Azure - What is Cloud Native? Google Cloud - What is cloud-native? Oracle Cloud - What is Cloud Native? 
Alternative 2 – The multi-region architecture # This alternative suggests designing a multi-region architecture, where you use several (separate) regions from your cloud provider of choice.\nPros # The use of multi-region architecture will decrease the chance of having an outage of your services or the chance of having resource allocation issues. Cons # In case the cloud provider fails to create a complete separation between its regions (see: https://www.theguardian.com/technology/2020/dec/14/google-suffers-worldwide-outage-with-gmail-youtube-and-other-services-down), multi-region architecture will not resolve potential global outage issues (or limit the blast radius). In case you have local laws or regulations which force you to store personal data on data centers in a specific jurisdiction, a multi-region solution is not an option. Most IaaS / PaaS services offered today by cloud providers are regional, meaning, they are limited to a specific region and do not span across regions, and as a result, you will have to design a plan for data migration or synchronization across regions, which increases the complexity of maintaining this architecture. In a multi-region architecture, you need to take into consideration the cost of egress data between separate regions. 
Additional references: # AWS - Multi-Region Application Architecture Azure - Multi-region N-tier application Google Cloud - Creating multi-region deployments for API Gateway Oracle Cloud - Implementing a high-availability architecture in and across regions Using the Cloud to build multi-region architecture Alternative 3 – Cloud agnostic architecture (or preparation for multi-cloud) # This alternative suggests using services that are available for all major cloud providers.\nAn example can be – to package your application inside containers and manage the container orchestration using a Kubernetes-managed service (such as Amazon EKS, Azure AKS, Google GKE, or Oracle OKE).\nTo enable cloud agnostic architecture from day 1, consider provisioning all resources using HashiCorp Terraform – both for Kubernetes resources and any other required cloud service, with the relevant adjustments for each of the target cloud providers.\nPros # Since container images can be stored in a container registry of your choice, you might be able to migrate between cloud providers. Cons # Using Kubernetes might resolve the problem of using the same underlying orchestrator engine, but you will still need to think about the entire cloud provider ecosystem (from data store services, queuing services, caching, identity authentication and authorization services, and more). In case you have already invested a lot of resources in a specific cloud provider and already stored a large amount of data in a specific cloud provider\u0026rsquo;s storage service, migrating to another cloud provider will be an expensive move, not to mention the cost of egress data between different cloud providers. You will have to invest time in training your teams on working with several cloud providers\u0026rsquo; infrastructures and maintain several copies of your Terraform code, to suit each cloud provider infrastructure. 
Summary # Although there is no foolproof answer to the question \u0026ldquo;How do I protect myself from the risk of a cloud outage or lack of cloud resources\u0026rdquo;, we need to be aware of both types of risks.\nWe need to be able to explain the risks and the different alternatives provided in this post to our organization\u0026rsquo;s top management.\nOnce we understand the risks and the pros and cons of each alternative, our organization will be able to decide how to manage the risk.\nI truly believe that the future of IT is in the public cloud, but migrating to the cloud blindfolded is the wrong way to fully embrace the potential of the public cloud.\n","date":"21 January 2023","externalUrl":null,"permalink":"/posts/mitigating-the-risk-of-a-cloud-outage-or-lack-of-cloud-resources/","section":"Posts","summary":"","title":"Mitigating the risk of a cloud outage or lack of cloud resources","type":"posts"},{"content":" The software supply chain is considered one of the common threats in today\u0026rsquo;s modern cloud-native development, which poses a high risk to any organization.\nIt is about consuming software packages, source code, or even APIs from a third-party or untrusted source.\nThe last thing we wish to do is to block developers from building new applications, but we need to understand the threats to the software supply chain.\nWhat are the common threats? 
# There are a couple of common threats that can arise from a software supply chain attack:\nRansomware – An example is the NotPetya malware and Maersk Data breach – An example is the Okta Hack Backdoor – An example is the SolarWinds backdoor Access to private data – An example is the GitHub OAuth tokens attack API vulnerabilities – An example is the BOLA (Broken Object Level Authorization) As we can see, most supply chain attacks begin with a download of an untrusted piece of code, which leads to malware infection, or pulling data from an external API, which inserts unverified data into a backend system.\nSteps to mitigate the risk of supply chain attacks # The modern development lifecycle is based on CI/CD (Continuous Integration / Continuous Deployment or Delivery), we can embed security gates at various stages of the CI/CD pipeline, as explained below.\nSource Code # Scan for software vulnerabilities (such as binaries and open-source libraries), before storing components/code/libraries inside VM or container images inside an image repository. Example of services:\nAmazon Inspector – Vulnerability scanner for Amazon EC2, container images (inside Amazon ECR), and Lambda functions Microsoft Defender for Containers – Vulnerability scanner for containers Google Container Analysis – Vulnerability scanner for containers Scan your code stored in your repositories, to make sure it does not contain sensitive data (such as secrets, API keys, credentials, etc.) 
Example of tools:\ngit-secrets\nGitleaks\nSecretScanner\nRun static code analysis on any developed or imported code, to search for vulnerabilities.\nExample of tools:\nSnyk – Scan for open-source, code, container, and Infrastructure-as-Code vulnerabilities\nTrivy - Scan for open-source, code, container, and Infrastructure-as-Code vulnerabilities\nCheckov – Scan for open-source and Infrastructure-as-Code vulnerabilities\nKICS – Scan for Infrastructure-as-Code vulnerabilities\nTerrascan - Scan for Infrastructure-as-Code vulnerabilities\nKubescape – Scan for Kubernetes vulnerabilities\nScan your binaries to verify their trustworthiness – especially important when you import binaries from an external source.\nExample of services:\nMicrosoft Azure Attestation Google Binary Authorization Repositories # Create a private repository for storing source code, VM images, or container images Enforce authentication and authorization for who can access and make changes to the repository Sign all source code/images stored in the repository Audit access to the repositories Example of services for storing source code:\nAWS CodeCommit Azure Repos Google Cloud Source Repositories Example of services for storing VM images:\nStore and restore an AMI using S3 Azure Compute Gallery Example of services for storing container images:\nAmazon Elastic Container Registry Azure Container Registry Google Artifact Registry Example of service for storing serverless code:\nAWS Serverless Application Repository Authentication \u0026amp; Authorization # Configure the authentication and authorization process (who has write permissions to the repository), and enforce the use of MFA. Example of services:\nAWS Identity and Access Management (IAM)\nAzure Active Directory (Azure AD)\nGoogle Cloud Identity and Access Management (IAM)\nStore all sensitive data (such as secrets, credentials, API keys, etc.) 
in a secured vault, and enforce key rotation and access management for keys.\nExample of services:\nAWS Secrets Manager Azure Key Vault Google Secret Manager Handling data from external APIs # There are many cases where we rely on data from external third parties, exposed using APIs.\nSince we cannot verify the trustworthiness of external data, we must follow these guidelines:\nNever rely on unauthenticated APIs – always make sure the connectivity to the external APIs requires proper authentication (such as certificates, rotated API key, etc.) and proper Always make sure the remote API enforces a proper authorization mechanism - if the remote API allows admin or even write access to anyone on the Internet, the data it provides is not considered trusted anymore Always make sure data is encrypted in transit – this keeps the data confidential and provides a high degree of trust in the remote endpoint Always perform input validation and proper escaping, before storing data from an external source into any backend database For further reading, see:\nOWASP API Security Project Summary # In this post, we have reviewed threats as a result of software supply chain vulnerabilities, and various tools and services that can assist us in securing the modern development process of cloud-native applications.\nIt is possible to mitigate the risks coming from the software supply chain, whether it is code that we develop in-house or code/binaries/libraries that we import from a third-party source, but we must always follow the concept of \u0026ldquo;Trust but verify\u0026rdquo;.\nReferences # Build your secure software supply chains on AWS Supply Chain Security on Amazon Elastic Kubernetes Service (Amazon EKS) using AWS Key Management Service (AWS KMS), Kyverno, and Cosign Best practices for a secure software supply chain Monitoring the Software Supply Chain with Azure Sentinel Software supply chain security Perspectives on Security - Securing Software Supply Chains NIST - 
Defending Against Software Supply Chain Attacks CNCF Software Supply Chain Best Practices ","date":"10 December 2022","externalUrl":null,"permalink":"/posts/securing-the-software-supply-chain-in-the-cloud/","section":"Posts","summary":"","title":"Securing the software supply chain in the cloud","type":"posts"},{"content":" Maintaining cloud infrastructure, especially compute components, requires a lot of effort – from patch management, secure configuration, and more.\nBeyond the effort that maintenance takes, this approach simply will not scale.\nWill we be able to support our workloads when we need to scale to thousands of machines at peak?\nImmutable infrastructure is a deployment method where compute components (virtual machines, containers, etc.) are never updated – we simply replace a running component with a new one and decommission the old one.\nImmutable infrastructure has its advantages, such as:\nNo dependency on previous VM/container state No configuration drift Fast configuration management process Easy horizontal scaling Simple rollback/recovery process The Twelve-Factor App # Designing modern or cloud-native applications requires us to follow 12 principles, documented at https://12factor.net\nLooking at this guide, we see that factor number 3 (config) guides us to store configuration in environment variables, outside our code (or VMs/containers).\nFor further reading, see:\nThe Twelve-Factor App - Config https://12factor.net/config\nAWS - Applying the Twelve-Factor App Methodology to Serverless Applications https://aws.amazon.com/blogs/compute/applying-the-twelve-factor-app-methodology-to-serverless-applications/#config\nAzure - The Twelve-Factor Application https://learn.microsoft.com/en-us/dotnet/architecture/cloud-native/definition#the-twelve-factor-application\nGCP - Twelve-factor app development on Google Cloud https://cloud.google.com/architecture/twelve-factor-app-development-on-gcp#3_configuration\nIf we continue to follow the 
guidelines, factor number 6 (processes) guides us to create stateless processes, meaning, separating the execution environment and the data, and keeping all stateful or permanent data in an external service such as a database or object storage.\nFor further reading, see:\nThe Twelve-Factor App – Processes https://12factor.net/processes\nHow do we migrate to immutable infrastructure? # Build a golden image # Follow the cloud vendor\u0026rsquo;s documentation about how to download the latest VM image or container image (from a container registry), update security patches, binaries, and libraries to the latest version, customize the image to suit the application\u0026rsquo;s needs, and store the image in a central image repository.\nIt is essential to copy/install only necessary components inside the image and remove any unnecessary components – it will allow you to keep a minimal image size and decrease the attack surface.\nIt is recommended to sign your image during the storage process in your private registry, to make sure it was not changed and that it was created by a known source.\nFor further reading, see:\nAutomate OS Image Build Pipelines with EC2 Image Builder https://aws.amazon.com/blogs/aws/automate-os-image-build-pipelines-with-ec2-image-builder/\nCreating a container image for use on Amazon ECS https://docs.aws.amazon.com/AmazonECS/latest/userguide/create-container-image.html\nAzure VM Image Builder overview https://learn.microsoft.com/en-us/azure/virtual-machines/image-builder-overview\nBuild and deploy container images in the cloud with Azure Container Registry Tasks https://learn.microsoft.com/en-us/azure/container-registry/container-registry-tutorial-quick-task\nCreate custom images https://cloud.google.com/compute/docs/images/create-custom\nBuilding container images https://cloud.google.com/build/docs/building/build-containers\nCreate deployment pipeline # Create a CI/CD pipeline to automate the following process:\nCheck for new 
software/binaries/library versions against well-known and signed repositories Pull the latest image from your private image repository Update the image with the latest software and configuration changes in your image registry Run automated tests (unit tests, functional tests, acceptance tests, integration tests) to make sure the new build does not break the application Gradually deploy a new version of your VMs / containers and decommission old versions For further reading, see:\nCreate an image pipeline using the EC2 Image Builder console wizard https://docs.aws.amazon.com/imagebuilder/latest/userguide/start-build-image-pipeline.html\nCreate a container image pipeline using the EC2 Image Builder console wizard https://docs.aws.amazon.com/imagebuilder/latest/userguide/start-build-container-pipeline.html\nStreamline your custom image-building process with the Azure VM Image Builder service https://azure.microsoft.com/de-de/blog/streamline-your-custom-image-building-process-with-azure-vm-image-builder-service/\nBuild a container image to deploy apps using Azure Pipelines https://learn.microsoft.com/en-us/azure/devops/pipelines/ecosystems/containers/build-image\nCreating the secure image pipeline https://cloud.google.com/software-supply-chain-security/docs/create-secure-image-pipeline\nUsing the secure image pipeline https://cloud.google.com/software-supply-chain-security/docs/use-image-pipeline\nContinuous monitoring # Continuously monitor for compliance against your desired configuration settings, security best practices (such as CIS benchmark hardening settings), and well-known software vulnerabilities.\nWhen monitoring flags any of the above, create an automated process that uses your previously created pipeline to replace the currently running images with the latest image version from your registry.\nFor further reading, see:\nHow to Set Up Continuous Golden AMI Vulnerability Assessments with Amazon Inspector 
https://aws.amazon.com/blogs/security/how-to-set-up-continuous-golden-ami-vulnerability-assessments-with-amazon-inspector/\nScanning Amazon ECR container images with Amazon Inspector https://docs.aws.amazon.com/inspector/latest/user/enable-disable-scanning-ecr.html\nManage virtual machine compliance https://learn.microsoft.com/en-us/azure/architecture/example-scenario/security/virtual-machine-compliance\nUse Defender for Containers to scan your Azure Container Registry images for vulnerabilities https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-containers-vulnerability-assessment-azure\nAutomatically scan container images for known vulnerabilities https://cloud.google.com/kubernetes-engine/docs/how-to/security-posture-vulnerability-scanning\nSummary # In this article, we have reviewed the concept of immutable infrastructure, its benefits, and the process for creating a secure, automated, and scalable solution for building immutable infrastructure in the cloud.\nReferences # The History of Pets vs Cattle and How to Use the Analogy Properly https://cloudscaling.com/blog/cloud-computing/the-history-of-pets-vs-cattle/\nDeploy using immutable infrastructure https://docs.aws.amazon.com/wellarchitected/latest/reliability-pillar/rel_tracking_change_management_immutable_infrastructure.html\nImmutable infrastructure CI/CD using Jenkins and Terraform on Azure https://learn.microsoft.com/en-us/azure/architecture/solution-ideas/articles/immutable-infrastructure-cicd-using-jenkins-and-terraform-on-azure-virtual-architecture-overview\nAutomate your deployments https://cloud.google.com/architecture/framework/operational-excellence/automate-your-deployments\n","date":"19 November 2022","externalUrl":null,"permalink":"/posts/using-immutable-infrastructure-to-achieve-cloud-security/","section":"Posts","summary":"","title":"Using immutable infrastructure to achieve cloud security","type":"posts"},{"content":"","date":"5 November 
2022","externalUrl":null,"permalink":"/categories/encryption/","section":"Categories","summary":"","title":"Encryption","type":"categories"},{"content":" When talking about the public cloud, I always like the analogy to the OSI model.\n\u0026ldquo;The Open Systems Interconnection model (OSI model) is a conceptual model. Communications between a computing system are split into seven different abstraction layers: Physical, Data Link, Network, Transport, Session, Presentation, and Application\u0026rdquo; (Wikipedia)\nA similar and shorter model of the OSI model is the TCP/IP model.\nHere is a comparison of the two models:\nIn the public cloud, we find a similar concept when talking about the shared responsibility model, where we draw the line of responsibility between the public cloud provider and the customers, in the different cloud service models, usually in terms of security, as we can see in the diagram below:\nWhere do public cloud services fit in the OSI model? # There are many networks related services in each of the major public cloud providers.\nTo make things easy to understand, I have prepared the following diagram, comparing common network-related services to the various OSI model layers:\nEncryption / Cryptography and the OSI Model # Layer 6 of the OSI model is the presentation layer.\nAmong the things, we can find in this layer is data encryption.\nEncryption in this context is about encryption at rest – from object storage, block storage, file storage, and various data services.\nEncryption includes symmetric and asymmetric encryption keys, secrets, passwords, API keys, certificates, etc.\nThe process includes the generation, storage, retrieval, and rotation of encryption keys.\nHere are the most common encryption /cryptography-related services:\nIdentity Management and the OSI Model # Layer 7 of the OSI model is the application layer.\nAmong the things we can find in this layer are related to authentication and authorization, or the entire identity 
management.\nIdentity management is about managing the entire lifecycle of identity – from end users to service accounts, computer accounts, etc.\nThe process includes account provisioning, password management (and MFA), permission management (role assignments), and finally account de-provisioning.\nHere are the most common identity-related services:\nHow does everything come together? # When reviewing a cloud architecture, I like to compare the various services in the architecture to the different layers of the OSI model, from the bottom up:\nNetwork connectivity and traffic flow Encryption (according to data sensitivity) Authentication and Authorization (according to the least privilege principle) The OSI model analogy helps me make sure I do not forget any important aspect when reviewing an architecture for a cloud workload.\n","date":"5 November 2022","externalUrl":null,"permalink":"/posts/where-is-the-osi-model-in-the-public-cloud/","section":"Posts","summary":"","title":"Where is the OSI model in the public cloud?","type":"posts"},{"content":" When thinking about cloud computing, we immediately think about technology.\nHave we ever stopped to think about how much energy this sort of technology requires to operate an average cloud data center, and what is the environmental effect of running such huge data centers around the world?\nData centers account for around 1% of the energy consumed around the world, daily.\nData centers consume a lot of energy – electricity (for running the servers) and water (for cooling the servers).\nThe more energy a common data center consumes, the bigger its carbon footprint (the total amount of greenhouse gases that is generated by running a data center).\nIn the past couple of years, a new concept called cloud sustainability has emerged among environmentally aware professionals working with cloud services.\nThe idea behind it (from a cloud provider\u0026rsquo;s point of view) is to achieve 100% renewable energy – 
replace fuel-based electricity with wind and solar power, within a few years.\nAll major cloud providers (AWS, Azure, and GCP) put a lot of effort into building a new data center to be powered by green energy and making changes to the existing data center to lower their emissions as much as possible and use green energy as well.\nTo remain transparent to their customers, the major cloud providers have created carbon footprint tools:\nAWS customer carbon footprint tool https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/what-is-ccft.html\nMicrosoft Sustainability Calculator https://aka.ms/SustainabilityCalculator\nGCP Carbon Footprint https://cloud.google.com/carbon-footprint\nCloud Carbon Footprint (Open source) tool https://www.cloudcarbonfootprint.org/docs/getting-started\nIndeed, most of the responsibility for keeping the cloud data centers green is under the responsibility of the cloud providers, since they build and maintain their data centers, but what is our responsibility as consumers?\nAs an example, here is AWS\u0026rsquo;s point of view regarding the shared responsibility model, in the context of sustainability:\nSource: https://docs.aws.amazon.com/wellarchitected/latest/sustainability-pillar/the-shared-responsibility-model.html\nHow to act as responsible cloud consumers? 
# Region selection # Review business requirements (compliance, latency, cost, service, and features), and pay attention to regions with a low carbon footprint.\nAdditional information:\nAWS - What to Consider when Selecting a Region for your Workloads https://aws.amazon.com/blogs/architecture/what-to-consider-when-selecting-a-region-for-your-workloads\nCarbon-free energy for Google Cloud regions https://cloud.google.com/sustainability/region-carbon\nMeasuring greenhouse gas emissions in data centers: the environmental impact of cloud computing https://www.climatiq.io/blog/measure-greenhouse-gas-emissions-carbon-data-centres-cloud-computing\nArchitecture design considerations # Use cloud-native design patterns:\nMicroservices – use containers (and Kubernetes) to deploy your applications and leverage the scaling capabilities of the cloud Serverless – use serverless (or function as a service) whenever you can decouple your applications into small functions Use message queues as much as possible, to decouple your applications and lower the number of requests between the various services/components Use caching mechanisms to lower the number of queries to backend systems Infrastructure considerations # Embed the following as part of your infrastructure considerations:\nRight-sizing - when using VMs, always remember to right-size the VM size to your application demands Use up-to-date hardware – when using VMs, always use the latest VM family types and the latest block storage type, to suit your application demands ARM-based processors – consider using ARM processors (such as AWS Graviton Processor, Azure Ampere Altra Arm-based processors, GCP Ampere Altra Arm processors, and more), whenever your application supports the ARM technology (for better performance and lower cost) Idle hardware – monitor and shut down (or even delete) unused or idle hardware (VMs, databases, etc.) 
GPU – use GPUs only for tasks that are considered more efficient than CPUs (such as machine learning, rendering, transcoding, etc.) Spot instances – use spot instances, whenever your application supports sudden interruptions Schedule automatic start and stop of VMs – use scheduling capabilities (such as AWS Instance scheduler, Azure Start/Stop VMs, GCP start and stop virtual machine (VM) instances, etc.) to control the behavior of your workload VMs Managed services – prefer to use PaaS or managed services (from databases, storage, load-balancers, and more) Data lifecycle management – use object storage (or file storage) lifecycle policies to archive or remove unused or unnecessary data Auto-scaling – use the cloud built-in capabilities to scale horizontally according to your application load Content Delivery Network – use CDN (such as Amazon CloudFront, Azure Content Delivery Network, Google Cloud CDN, etc.) to lower the amount of customer traffic to your publicly exposed workloads Summary # Sustainability and green computing are here to stay.\nAlthough the large demand for cloud services has a huge environmental impact, I strongly believe that the use of cloud services is much more environmentally friendly than any use of legacy data center, for the following reasons:\nEfficient hardware utilization (nearly 100% of hardware utilization) Fast hardware replacement (due to high utilization) Better energy use (high use of renewable energy sources to support the electricity requirements) I advise all cloud customers, to put sustainability higher in their design considerations.\nAdditional reading materials # AWS Well-Architected Framework - Sustainability Pillar https://docs.aws.amazon.com/wellarchitected/latest/sustainability-pillar/sustainability-pillar.html\nMicrosoft Azure Well-Architected Framework – Sustainability https://learn.microsoft.com/en-us/azure/architecture/framework/sustainability/sustainability-get-started\nGoogle Cloud - Design for environmental 
sustainability https://cloud.google.com/architecture/framework/system-design/sustainability\n","date":"22 October 2022","externalUrl":null,"permalink":"/posts/sustainability-in-the-cloud-era/","section":"Posts","summary":"","title":"Sustainability in the cloud era","type":"posts"},{"content":" Storing data in the cloud raises questions regarding data protection.\nData can be customers\u0026rsquo; data (PII, healthcare data, credit cards, etc.), company data (financial information, trade secrets, security vulnerabilities, etc.), or any information with value to our organization.\nAs in the traditional data center, we still have concerns regarding who has access to our data and what they can do with the access provided.\nIn this blog post, I will review the required controls for protecting data stored in cloud services.\nData discovery and classification # The first action we need to take regarding sensitive data is discovery and classification.\nData classification is the action of assigning labels or categories to our data, such as public information, internal, confidential, highly confidential, etc.\nDiscovery tools allow us to detect where we store sensitive information in storage locations such as object storage, file storage, databases, and more.\nExamples of services for the discovery process:\nAmazon Macie – discover sensitive information stored in Amazon S3 buckets. Microsoft Purview – map and discover data on-premise and in the cloud. Entitlement # Entitlement deals with the questions – who has access, to what resources, and what can they do with their access rights?\nIn any access request, we should always make sure the identity (human, service account, computer account, etc.) 
is authenticated against our system, preferably using a central identity provider.\nOnce the identity is authenticated against our system, we need to make sure it has only the exact privileges required to accomplish its desired task, according to the principle of least privilege (such as view configuration, read customer data, update records, etc.)\nEntitlement combines authentication with authorization.\nExamples of services for entitlements:\nAWS IAM Access Analyzer – detects AWS resources with permissions belonging to external identities and generates least privilege policies. Azure AD Identity Governance – assists in making sure an identity has the right access to the right resource. Encryption # To protect data, we need to protect it in every state in which it resides:\nData in transit – all cloud services (from object storage, file storage, and databases) support encryption in transit using the TLS protocol. Unlike the traditional data center where encryption in transit was either not supported or required an additional effort from our side, in the cloud, services support encryption in transit by default, and in many cases, we have no option to disable this feature. Data at rest – all cloud storage services (from object storage, file storage, and databases) support encryption at rest using the AES256 algorithm. 
In the traditional data center, encryption key management and key rotation were challenging.\nToday, most cloud providers allow us to choose between encryption at rest using encryption keys generated and managed by the cloud provider, or using encryption keys that we generate and control (to minimize the risk of a rogue cloud provider admin having access to our data).\nExamples of services for storing encryption keys and sensitive data:\nAWS KMS – controls the entire lifecycle of cryptographic keys.\nAWS Secrets Manager – controls the entire lifecycle of secrets, credentials, API keys, etc.\nAzure Key Vault – controls the entire lifecycle of cryptographic keys, secrets, credentials, API keys, etc.\nData in use – even if we encrypt the data while in transit and while at rest, at some point, we need to have the data accessible for reading or update, while in the memory of a server in the cloud. The common name for the technology that protects data in this state is \u0026ldquo;confidential computing\u0026rdquo;, which in most cases relies upon hardware capabilities to encrypt data and make sure data in memory is kept confidential. Examples of solutions that provide confidential computing capabilities:\nAWS Nitro Enclaves – isolates data stored in the memory of EC2 instances. Azure Confidential Computing – isolates data stored in the memory of virtual machines and Azure Kubernetes Service nodes. Auditing and threat detection # The final action we need to take in protecting data is to audit who accessed our data and detect anomalous behavior in actions performed on our data.\nAlthough it is considered a detective control, it is still an important phase in data control.\nExamples of services that perform audit trails:\nAWS CloudTrail – record all API actions done on AWS services. Azure Monitor – record all operations done on Azure resources. 
Now that we record all actions, we need a solution to review the logs and notify us about anomalous behavior that requires our attention.\nExamples of threat detection services:\nAmazon GuardDuty – detect anomalies from (among other sources) CloudTrail logs. Microsoft Defender for Cloud – detect anomalies in actions conducted against services such as Azure SQL and Azure storage. Summary # In this blog post, I have reviewed the necessary controls for protecting data stored in the cloud.\nIt is essential to understand that to get effective protection for data stored in the cloud, we must combine strong encryption at rest (preferably with customer-managed encryption keys) with an entitlement process (which enforces least privilege) – we cannot rely on a single security control and pray that no unauthorized person will ever access our data.\n","date":"20 September 2022","externalUrl":null,"permalink":"/posts/data-protection-in-cloud-services/","section":"Posts","summary":"","title":"Data protection in cloud services","type":"posts"},{"content":" After deploying several workloads in the public cloud, making mistakes, failing, fixing, and beginning to use the cloud for production workloads, it is now time to think about the next step in cloud adoption.\nTo be able to fully embrace the benefits of the public cloud, the scale, the elasticity, and the short time it takes to deploy new resources, it is time to put automation in place.\nAutomation allows us to do the same tasks over and over again, deploying the same configuration to multiple environments (Dev, Test, Prod) and get the same results – no human errors (assuming you have tested your code…)\nAutomation can be achieved in various ways – from using the CLI, using the cloud vendor\u0026rsquo;s SDK (languages such as Python, Go, Java, and more), or using Infrastructure as Code (such as Terraform, AWS CloudFormation, Azure Resource Manager, and more).\nIn this article, we shall review some of the 
common alternatives for using automation using code.\nWhy use code? # The clear benefit of using code for automation is the ability to have change management. Simply choose your favorite source control (such as GitHub, AWS CodeCommit, Azure Repos, and more), upload your scripts and have the version history of your code, and be able to know at each stage who made changes to the code.\nAnother benefit of using code for automation is the fact that the Internet is full of samples you can find to automate (almost) anything in your cloud environment.\nThe downside of doing everything using code, is the learning curve required by your organization\u0026rsquo;s IT or DevOps teams, learning new languages, but once they pass this stage, you can have all the benefits of the scripting languages.\nAutomation – the AWS way # If AWS is your sole cloud provider, you should learn and start using the following built-in services or capabilities offered by AWS:\nInfrastructure as Code # AWS CloudFormation – The built-in IaC for deploying and managing AWS resources. Reference: https://github.com/aws-cloudformation/aws-cloudformation-samples\nAWS Cloud Development Kit (AWS CDK) – Ability to write CloudFormation templates, based on common programming languages such as Python, Java, DotNet, and more. Reference: https://github.com/aws-samples/aws-cdk-examples\nPolicy as Code # Service control policies (SCPs) – Managing permissions in AWS Organizations. Reference: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html\nCI/CD pipeline # AWS CodePipeline – A fully managed continuous delivery service. Reference: https://docs.aws.amazon.com/codepipeline/latest/userguide/tutorials.html\nContainers and Kubernetes # Amazon ECS – Container management service based on the AWS platform. Reference: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/example_task_definitions.html\nAmazon Elastic Kubernetes Service (EKS) – Managed Kubernetes service. 
Reference: https://github.com/aws-quickstart/quickstart-amazon-eks\nAutomation – the Azure way # If Azure is your sole cloud provider, you should learn and start using the following built-in services or capabilities offered by Azure:\nInfrastructure as Code # Azure Resource Manager templates (ARM templates) - The built-in IaC for deploying and managing Azure resources. Reference: https://github.com/Azure/azure-quickstart-templates\nBicep – Declarative language for deploying Azure resources. Reference: https://github.com/Azure/azure-docs-bicep-samples\nPolicy as Code # Azure Policy – Enforce organizational standards across the Azure organization. Reference: https://github.com/Azure/azure-policy\nCI/CD pipeline # Azure Pipelines – A fully managed continuous delivery service. Reference: https://github.com/microsoft/azure-pipelines-yaml\nContainers and Kubernetes # Azure Container Instances - Container management service based on the Azure platform. Reference: https://docs.microsoft.com/en-us/samples/browse/?products=azure\u0026amp;terms=container%2Binstance\nAzure Kubernetes Service (AKS) – Managed Kubernetes service. Reference: https://github.com/Azure/AKS\nAutomation – the Google Cloud way # If GCP is your sole cloud provider, you should learn and start using the following built-in services or capabilities offered by GCP:\nInfrastructure as Code # Google Cloud Deployment Manager - The built-in IaC for deploying and managing GCP resources. Reference: https://github.com/GoogleCloudPlatform/deploymentmanager-samples\nPolicy as Code # Google Organization Policy Service - Programmatic control over the organization\u0026rsquo;s cloud resources. Reference: https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints#how-to_guides\nCI/CD pipeline # Google Cloud Build - A fully managed continuous delivery service. 
Reference: https://github.com/GoogleCloudPlatform/cloud-build-samples\nContainers and Kubernetes # Google Kubernetes Engine (GKE) – Managed Kubernetes service. Reference: https://github.com/GoogleCloudPlatform/kubernetes-engine-samples\nAutomation – the cloud agnostic way # If you plan for the future, plan for multi-cloud. Look for solutions that are capable of connecting to multiple cloud environments, so that your DevOps team faces a smaller learning curve across the various scripting languages and can deploy workloads on several cloud environments.\nInfrastructure as Code # HashiCorp Terraform – The most widely used IaC for deploying and managing resources both in the cloud and on-premises. Reference: https://registry.terraform.io/browse/providers\nPolicy as Code # HashiCorp Sentinel – Policy as code framework that complements Terraform code. Reference: https://www.terraform.io/cloud-docs/sentinel/examples\nCI/CD pipeline # Jenkins – The most widely used open-source CI/CD tool. Reference: https://www.jenkins.io/doc/pipeline/examples/\nContainers and Kubernetes # Docker – The most widely used container run-time for deploying applications. Reference: https://github.com/dockersamples\nKubernetes – The most widely used container orchestration open-source platform. Reference: https://github.com/kubernetes/examples\nSummary # In this post, I have reviewed the most common solutions that allow you to automate your workloads\u0026rsquo; deployment, management, and maintenance using various scripting languages.\nSome of the solutions are bound to a specific cloud provider, while others are considered cloud agnostic.\nUse automation to fully embrace the power and benefits of the public cloud.\nIf you don\u0026rsquo;t have experience writing code, take the time to learn. 
The more you practice, the more experience you will gain.\nAs Werner Vogels, the Amazon CTO, always says – \u0026ldquo;Go Build\u0026rdquo;.\n","date":"9 September 2022","externalUrl":null,"permalink":"/posts/automation-as-key-to-cloud-adoption-success/","section":"Posts","summary":"","title":"Automation as key to cloud adoption success","type":"posts"},{"content":" One of the most common concepts when working with cloud services is the “Shared responsibility model”.\nThe model aims to set the responsibility boundaries between the cloud service provider and the cloud service consumer, depending on the cloud service model (IaaS, PaaS, SaaS).\nIn this post, I will review common misconceptions regarding the shared responsibility model.\nMisconception #1 — My cloud provider’s certifications allow me to comply with regulations # This is a common misconception for companies (and new SaaS providers) who fail to understand the shared responsibility model while deploying their first workload.\nReviewing cloud providers’ compliance pages, we can see that the providers have already certified themselves for most regulations and local laws, and in some cases even offer customers special environments that are already in compliance with regulations such as PCI-DSS or HIPAA.\nIf you are planning to store sensitive customers’ data (from PII, healthcare, financial, or any other types of sensitive data) in a public cloud, keep in mind that according to the shared responsibility model, the cloud provider is responsible only for the lower layers of the architecture:\n· IaaS — the CSP is responsible for all layers, from the physical layer to the virtualization layer\n· PaaS — the CSP is responsible for all layers, from the physical layer to the guest operating system, middleware, and even runtime\n· SaaS — the CSP is responsible for all layers, from the physical layer to the application layer\nBottom line — the fact that a CSP has all the relevant certifications means almost nothing when 
talking about compliance with regulations or protecting customers’ data.\nEach organization storing sensitive data in the cloud must conduct a risk assessment, review which data is stored in the cloud (before storing data in the cloud), and set the proper controls to protect customers’ data.\nMisconception #2 — Who is responsible for protecting my data? # When customers (either organizations or personal customers) store their data in public cloud services, they sometimes mistakenly think that if they store their data in one of the major CSPs, their data is protected.\nThis is a misconception.\nAll major CSPs offer their customers a large variety of services and tools to protect their customers’ data (from network access control lists, encryption in transit and at rest, authentication, authorization, auditing, and more), however, according to the shared responsibility model, it is up to the customer (mostly organizations storing their data in the cloud), to decide which security controls to implement.\nIn most cases, the CSPs don’t have access to customers’ data stored in the cloud, whether organizations decide to use managed storage services (from object storage to managed CIFS/NFS services), managed database services (from relational databases to NoSQL databases) and more.\nThe most obvious exception to the mentioned above is SaaS services, where we allow CSP service accounts access to our data, to allow us to perform queries, get insights about our data or even perform regular backups — the access is mostly strict to specific actions, to a specific role or service account, and usually shouldn’t be used by the CSP employees.\nAt the end of the day, the customer is always the data owner, and as a data owner, the customer must decide whether or not to store sensitive data in the cloud, who should have access to the data stored in the cloud, what access rights do we allow people to access and update/delete our data, and more.\nMisconception #3 — Availability is not 
my concern since the cloud is highly available by design # The above headline is true, mainly for major SaaS services.\nWhen looking at availability and building highly available architectures, specifically in IaaS and PaaS, it is up to us, as organizations, to use the services and the service capabilities that CSPs offer us, to build highly available solutions.\nDeploying our application on a VM or storing our data in a managed database service, without deploying everything behind a load-balancer or in a cluster, will not guarantee us the availability that our customers expect.\nEven when we use managed object storage services, if we choose a low redundancy tier, using a single availability zone, the CSP does not guarantee high availability.\nTo achieve high availability for our workloads, we need to review cloud providers’ documentation, such as “Well architected frameworks”, and design our workloads to fit business needs.\nMisconception #4 — Incident response in the cloud is an impossible mission # This part is a little bit tricky.\nAs AWS always mentions, they are responsible for the security of the cloud — they are responsible for the incident response process of the cloud infrastructure, from the physical data center, the host OS, the network equipment, the virtualization, and all the managed services.\nWe, as customers of cloud services, are responsible for security within our cloud environments.\nIn IaaS, everything within the guest OS is our responsibility as customers of the cloud.\nIt is our responsibility to enable auditing as much as possible, and send all logs to a central log repository and from there to our SIEM system (whether it is located on-premises or in a managed cloud service).\nThere are also documented procedures for building a forensics environment, made out of snapshots of our VMs or databases, for further analysis.\nIt is not perfect; we still don’t control the entire flow of the packet from the lower 
network layers to the application layer, and on managed PaaS services we only have audit logs and we can’t perform memory analysis of managed services (such as databases).\nIn SaaS services, it gets even worse since, in the best case, the SaaS provider is mature enough to allow us to pull audit logs using an API and send them to our SIEM system for further analysis — unfortunately, not all SaaS providers are mature enough to provide us access to the audit logs.\nBottom line — challenging, but not completely impossible, depending on the cloud service model and the maturity of the cloud provider.\nSummary # It is important to understand the shared responsibility model, but what is more important is to understand the cloud service model and services or tools available for us, to enable us to build secure and highly available cloud environments.\nReferences # · AWS Compliance Programs\nhttps://aws.amazon.com/compliance/programs\n· Azure compliance documentation\nhttps://docs.microsoft.com/en-us/azure/compliance\n· GCP Compliance offerings\nhttps://cloud.google.com/security/compliance/offerings\n· AWS Well-Architected Framework\nhttps://docs.aws.amazon.com/wellarchitected/latest/framework/welcome.html\n· Forensic investigation environment strategies in the AWS Cloud\nhttps://aws.amazon.com/blogs/security/forensic-investigation-environment-strategies-in-the-aws-cloud\n· Computer forensics chain of custody in Azure\nhttps://docs.microsoft.com/en-us/azure/architecture/example-scenario/forensics\n","date":"6 July 2022","externalUrl":null,"permalink":"/posts/cloud-and-the-shared-responsibility-model-misconceptions/","section":"Posts","summary":"","title":"Cloud and the shared responsibility model misconceptions","type":"posts"},{"content":"","date":"6 July 2022","externalUrl":null,"permalink":"/categories/information-security/","section":"Categories","summary":"","title":"Information-Security","type":"categories"},{"content":" Building our first environment in the cloud, or 
perhaps migrating our first couple of workloads to the cloud is fairly easy until we begin the ongoing maintenance of the environment.\nPretty soon we start to realize we are losing control over our environment – from configuration changes, forgetting to implement security best practices, and more.\nAt this stage, we wish we could have gone back, rebuilt everything from scratch, and have much more strict rules for creating new resources and their configuration.\nManual configuration simply doesn\u0026rsquo;t scale.\nDevelopers would like to focus on what they do best – developing new products or features, while security teams would like to enforce guard rails, allowing developers to do their work, while still enforcing security best practices.\nIn the past couple of years, one of the hottest topics is called Infrastructure as Code, a declarative way to deploy new environments using code (mostly JSON or YAML format).\nInfrastructure as Code is a good solution for deploying a new environment or even reusing some of the code to deploy several environments, however, it is meant for a specific task.\nWhat happens when we would like to set guard rails on an entire cloud account or even on our entire cloud organization environment, containing multiple accounts, which may expand or change daily?\nThis is where Policy as Code comes into the picture.\nPolicy as Code allows you to write high-level rules and assign them to an entire cloud environment, to be effective on any existing or new product or service we deploy or consume.\nPolicy as Code allows security teams to define security, governance, and compliance policies according to business needs and assign them at the organizational level.\nThe easiest way to explain it is – can user X perform action Y on resource Z?\nA more practical example from the AWS realm – block the ability to create a public S3 bucket. 
Once the policy is set and assigned, security teams won\u0026rsquo;t need to worry whether or not someone made a mistake and left a publicly accessible S3 bucket – the policy will simply block this action.\nLooking for a code example to achieve the above goal? See:\nhttps://aws-samples.github.io/aws-iam-permissions-guardrails/guardrails/scp-guardrails.html#scp-s3-1\nPolicy as Code on AWS # When designing a multi-account environment based on the AWS platform, you should use AWS Control Tower.\nAWS Control Tower aims to assist organizations deploying multiple AWS accounts under the same AWS organization, with the ability to deploy policies (or Service Control Policies) from a central location, allowing you to have the same policies for every newly created AWS account.\nExamples of governance policies:\nEnabling resource creation in a specific region – this capability will allow European customers to restrict resource creation in regions outside Europe, to comply with the GDPR. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_general.html#example-scp-deny-region\nAllow only specific EC2 instance types (to preserve cost). https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_ec2.html\nExamples of security policies:\nPrevent upload of unencrypted objects to an S3 bucket, to protect access to sensitive objects. https://aws-samples.github.io/aws-iam-permissions-guardrails/guardrails/scp-guardrails.html#scp-s3-2\nDeny the use of the Root user account (least privilege best practice). 
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_general.html#example-scp-root-user\nAWS Control Tower allows you to configure baseline policies using CloudFormation templates, over an entire AWS organization, or on a specific AWS account.\nTo further assist in writing CloudFormation templates and service control policies at large scale, AWS offers some additional tools:\nCustomizations for AWS Control Tower (CfCT) – ability to customize AWS accounts and OUs, and make sure governance and security policies remain in sync with security best practices.\nAWS CloudFormation Guard – ability to check CloudFormation templates for compliance against pre-defined policies.\nSummary # Policy as Code allows an organization to automate the deployment of governance and security policies at large scale, keeping AWS organizations and accounts secure, while allowing developers to invest time in developing new products, with minimal required changes to their code, to be compliant with organizational policies.\nReferences # Best Practices for AWS Organizations Service Control Policies in a Multi-Account Environment https://aws.amazon.com/blogs/industries/best-practices-for-aws-organizations-service-control-policies-in-a-multi-account-environment/\nAWS IAM Permissions Guardrails https://aws-samples.github.io/aws-iam-permissions-guardrails/guardrails/scp-guardrails.html\nAWS Organizations – general examples https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_general.html\nCustomizations for AWS Control Tower (CfCT) overview https://docs.aws.amazon.com/controltower/latest/userguide/cfct-overview.html\nPolicy-as-Code for Securing AWS and Third-Party Resource Types https://aws.amazon.com/blogs/mt/policy-as-code-for-securing-aws-and-third-party-resource-types/\n","date":"23 April 
2022","externalUrl":null,"permalink":"/posts/introduction-to-policy-as-code/","section":"Posts","summary":"","title":"Introduction to Policy as Code","type":"posts"},{"content":" My name is Eyal, and I am a cloud architect.\nI have been in the IT industry since 1998 and began working with public clouds in 2015.\nOver the years I have gained hands-on experience working on the infrastructure side of AWS, Azure, and GCP.\nThe more I worked with the various services from the three major cloud providers, the more I had the urge to compare the cloud providers\u0026rsquo; capabilities, and I have shared several blog posts comparing the services.\nIn 2021 I was approached by PACKT publishing after they came across one of my blog posts on social media, and they offered me the opportunity to write a book about cloud security, comparing AWS, Azure, and GCP services and capabilities.\nOver the years I have published many blog posts through social media and public websites, but this was my first experience writing an entire book with the support and assistance of a well-known publisher.\nAs with any previous article, I began by writing down each chapter title and main headlines for each chapter.\nOnce the chapters were approved, I moved on to write the actual chapters.\nFor each chapter, I first wrote down the headlines and then began filling them with content.\nBefore writing each chapter, I have done research on the subject, collected references from the vendors\u0026rsquo; documentation, and looked for security best practices.\nOnce I have completed a chapter, I submitted it for review by the PACKT team.\nPACKT team, together with external reviewers, sent me their input, things to change, additional material to add, request for relevant diagrams, and more.\nSince copyright and plagiarism are important topics to take care of while writing a book, I have prepared my diagrams and submitted them to PACKT.\nFinally, after a lot of review and corrections, which took almost a year, 
the book draft was submitted to another external reviewer and once comments were fixed, the work on the book (at least from my side as an author) was completed.\nFrom my perspective, the book is unique by the fact that it does not focus on a single public cloud provider, but it constantly compares between the three major cloud providers.\nFrom a reader\u0026rsquo;s point of view or someone who only works with a single cloud provider, I recommend focusing on the relevant topics according to the target cloud provider.\nFor each topic, I made a list of best practices, which can also be referenced as a checklist for securing the cloud providers\u0026rsquo; environment, and for each recommendation I have added reference for further reading from the vendors\u0026rsquo; documentation.\nIf you are interested in learning how to secure cloud environments based on AWS, Azure, or GCP, my book is available for purchase in one of the following book stores:\nAmazon: https://www.amazon.com/Cloud-Security-Handbook-effectively-environments/dp/180056919X\nBarnes \u0026amp; Noble: https://www.barnesandnoble.com/w/cloud-security-handbook-eyal-estrin/1141215482?ean=9781800569195\nPACKT https://www.packtpub.com/product/cloud-security-handbook/9781800569195\n","date":"26 March 2022","externalUrl":null,"permalink":"/posts/journey-for-writing-my-first-book-about-cloud-security/","section":"Posts","summary":"","title":"Journey for writing my first book about cloud security","type":"posts"},{"content":" Cloud financial management (sometimes also referred to as FinOps) is about managing the ongoing cost of cloud services.\nWho should care about cloud financial management? 
Basically, anyone consuming IaaS or PaaS services – from IT, DevOps, developers, and architects to, naturally, the finance department.\nWhen we start consuming IaaS or PaaS services, we realize that almost every service has its own pricing model – we just need to read the service documentation.\nSome of the services\u0026rsquo; pricing models are easy to understand, such as EC2 (you pay for the amount of time an EC2 instance was up and running), and some of the services\u0026rsquo; pricing models can be harder to calculate (you pay for the number of times the function was called in a month and the amount of memory allocated to the function).\nIn this post, we will review the tools that AWS offers us to manage cost.\nStep 1 - Cost management for beginners\nThe first thing that AWS recommends for new customers is to use Amazon CloudWatch to create billing alarms.\nEven if you cannot estimate your monthly cost, create a billing alarm (for example – send me an email whenever the charges are above 200$). As time goes by, you will be able to adjust the value, per your account usage pattern.\nTo read more information about billing alarms, see:\nhttps://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/monitor_estimated_charges_with_cloudwatch.html\nIf you already know that a certain department is using a specific AWS account and has a known budget, use AWS Budgets to create a monthly, quarterly or even yearly budget, and configure the budget interface to send you notifications whenever the amount of money consumed is above a certain threshold of your pre-defined budget.\nTo read more about AWS budget creation, see:\nhttps://docs.aws.amazon.com/cost-management/latest/userguide/budgets-create.html\nIf you wish to visualize your resource consumption over a period of time, see trends, generate reports and customize the resource consumption information, use AWS Cost Explorer.\nTo read more about AWS Cost Explorer, 
see:\nhttps://docs.aws.amazon.com/cost-management/latest/userguide/ce-what-is.html\nFinally, if you wish to receive recommendations about saving costs, you have an easy tool called AWS Trusted Advisor.\nThe tool helps you get recommendations about cost optimization, performance, security and more.\nThis tool is the easiest way to get insights about how to save cost on the AWS platform.\nTo read more about AWS Trusted Advisor, see:\nhttps://aws.amazon.com/premiumsupport/knowledge-center/trusted-advisor-cost-optimization\nStep 2 – Resource tagging and rightsizing\nOne of the best ways to detect and monitor cost over time and per business case (project, division, environment, etc.) is to use tagging.\nYou add a descriptive tag to each and every resource you create, which will allow you later on to know which resources have been consumed – for example, which EC2 instances, public IPs, S3 buckets and RDS instances all relate to the same project.\nFor more information about AWS cost allocation tags, see:\nhttps://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/cost-alloc-tags.html\nIf you manage multiple AWS accounts that all relate to the same AWS organization, it is considered best practice to configure all account costs in a single place, also known as consolidated billing.\nYou will define which AWS account will store billing information, and redirect all AWS accounts in your organization to this central account.\nUsing consolidated billing will allow you to achieve a volume discount, for example – a volume discount for the total data transferred from multiple AWS accounts to the Internet, instead of a separate charge per AWS account.\nFor more information about consolidated billing, see:\nhttps://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/consolidated-billing.html\nBy using compute services such as Amazon EC2 or Amazon RDS, you might be wasting money, by not using the right size (amount of memory/CPU) per your actual resource demand (for example – paying 
for a large instance, when it is underutilized).\nTools such as AWS Trusted Advisor, mentioned earlier, will help you get insights and recommend that you change the instance size, to save money.\nAnother tool that can assist you in choosing an optimal size for your instances is AWS Compute Optimizer, which scans your AWS environment and generates recommendations for optimizing your compute resources.\nFor more information about AWS Compute Optimizer, see:\nhttps://docs.aws.amazon.com/compute-optimizer/latest/ug/getting-started.html\nEven when using storage services such as Amazon S3, you can save money, by using the right storage class per actual use (for example Amazon S3 standard for big data analytics, Amazon S3 Glacier for archive, etc.)\nThere are two options for optimizing S3 cost:\nUsing lifecycle policies, you configure how long an object will stay in a specific storage class without being used, before it moves to a cheaper tier (until the object finally moves into the deep archive tier or is even deleted completely). For more information about setting lifecycle policies, see:\nhttps://docs.aws.amazon.com/AmazonS3/latest/userguide/how-to-set-lifecycle-configuration-intro.html\nUsing S3 Intelligent-Tiering, objects will automatically move to the most cost-effective storage tier by their access frequency. Unlike lifecycle policies, an object might move from hot storage (such as S3) to archive storage (such as S3 Glacier or deep archive), and vice versa: if an object in an archive tier is suddenly accessed, it will move to a hot tier (such as S3). 
For more information about S3 Intelligent-Tiering, see:\nhttps://docs.aws.amazon.com/AmazonS3/latest/userguide/using-intelligent-tiering.html\nAnother simple tip for saving cost is to remove unused resources – such as an underutilized EC2 instance, an unassigned public IP address, an unattached EBS volume, etc.\nAWS Trusted Advisor can assist you in discovering underutilized or unused resources.\nFor more information, see:\nhttps://docs.aws.amazon.com/awssupport/latest/user/trusted-advisor-check-reference.html#cost-optimization-checks\nStep 3 – Get to know your workloads (cloud optimization)\nWhen you deploy your workload for the first time, you don\u0026rsquo;t have enough information about its potential usage and cost.\nYou might choose an instance type that is too small or too large, you might be using a storage tier that is too expensive, etc.\nOne of the ways to save cost on development or test environments, which might not need to run over weekends or after working hours, is to use AWS Instance Scheduler – a combination of tagging and a Lambda function, which allows you to schedule instance (both EC2 and RDS) shutdown at pre-defined hours.\nFor more information about AWS Instance Scheduler, see:\nhttps://aws.amazon.com/premiumsupport/knowledge-center/stop-start-instance-scheduler\nIf your workload can survive a sudden shutdown and return to function from the moment it stopped (such as video rendering, HPC workloads for genomic sequencing, etc.) and you wish to save money, use AWS Spot instances, which allow you to save up to 90% of the cost, as compared to on-demand cost.\nFor more information about Spot instances, see:\nhttps://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-spot-instances.html#spot-get-started\nIf your workload has the same usage pattern for a long period of time (without shutdown or restart), consider one of the following options:\nAmazon EC2 Reserved Instances – allows you to reserve capacity for 1 or 3 years in advance, and save up to 72% of the on-demand price. 
For more information, see:\nhttps://aws.amazon.com/ec2/pricing/reserved-instances/buyer\nCompute savings plans – commitment to use EC2 instances, regardless of instance family, size, AZ or region. Allows saving up to 66% of the on-demand price. EC2 instance savings plans – commitment to use a specific instance family in a specific region. Allows saving up to 72% of the on-demand price. For more information, see:\nhttps://aws.amazon.com/savingsplans/faq/#Compute_.26_EC2_Instances_Savings_Plans\nSummary\nIn this introduction post, we have reviewed the most common tools from AWS for detecting, managing and optimizing cost.\nUsing automated tools allows organizations to optimize their resource consumption cost over time, at large scale, and in constantly changing environments.\n","date":"19 February 2022","externalUrl":null,"permalink":"/posts/introduction-to-cloud-financial-management-on-aws/","section":"Posts","summary":"","title":"Introduction to cloud financial management on AWS","type":"posts"},{"content":"","date":"15 September 2021","externalUrl":null,"permalink":"/categories/api-management/","section":"Categories","summary":"","title":"Api-Management","type":"categories"},{"content":" When organizations debate workload migration to the cloud, they begin to realize the number of public cloud alternatives that exist, both U.S. hyper-scale cloud providers and several small to medium European and Asian providers.\nThe more we study the differences between the cloud providers (both IaaS/PaaS and SaaS providers), the more we realize that not all cloud providers are built the same.\nHow can we select a mature cloud provider from all the alternatives?\nTransparency # Mature cloud providers will make sure you don\u0026rsquo;t have to look around their website to locate their security compliance documents, and will allow you to download their security controls documentation, such as SOC 2 Type II, CSA Star, CSA Cloud Controls Matrix (CCM), etc.\nWhat happens if we wish to evaluate the cloud 
provider by ourselves?\nWill the cloud provider (no matter what cloud service model), allow me to conduct a security assessment (or even a penetration test), to check the effectiveness of his security controls?\nGlobal presence # When evaluating cloud providers, ask yourself the following questions:\nDoes the cloud provider have a local presence near my customers? Will I be able to deploy my application in multiple countries around the world? In case of an outage, will I be able to continue serving my customers from a different location with minimal effort? Scale # Deploying an application for the first time, we might not think about it, but what happens in the peak scenario?\nWill the cloud provider allow me to deploy hundreds or even thousands of VM\u0026rsquo;s (or even better, containers), in a short amount of time, for a short period, from the same location?\nWill the cloud provider allow me infinite scale to store my data in cloud storage, without having to guess or estimate the storage size?\nMulti-tenancy # As customers, we expect our cloud providers to offer us a fully private environment.\nWe never want to hear about \u0026ldquo;noisy neighbor\u0026rdquo; (where one customer is using a lot of resources, which eventually affect other customers), and we never want to hear a provider admits that some or all of the resources (from VMs, database, storage, etc.) 
are being shared among customers.\nWill the cloud provider be able to offer me a commitment to a multi-tenant environment?\nStability # One of the major reasons for migrating to the cloud is the ability to re-architect our services, whether we are still using VMs based on IaaS, databases based on PaaS, or fully managed CRM services based on SaaS.\nIn all scenarios, we would like to have a stable service with zero downtime.\nWill the cloud provider allow me to deploy a service in a redundant architecture, that will survive data center outage or infrastructure availability issues (from authentication services, to compute, storage, or even network infrastructure) and return to business with minimal customer effect?\nAPIs # In the modern cloud era, everything is based on API (Application programming interface).\nWill the cloud provider offer me various APIs?\nFrom deploying an entire production environment in minutes using Infrastructure as Code, to monitoring both performances of our services, cost, and security auditing – everything should be allowed using API, otherwise, it is simply not scale/mature/automated/standard and prone to human mistakes.\nData protection # Encrypting data at transit, using TLS 1.2 is a common standard, but what about encryption at rest?\nWill the cloud provider allow me to encrypt a database, object storage, or a simple NFS storage using my encryption keys, inside a secure key management service?\nWill the cloud provider allow me to automatically rotate my encryption keys?\nWhat happens if I need to store secrets (credentials, access keys, API keys, etc.)? 
Will the cloud provider allow me to store my secrets in a secured, managed, and audited location?\nIn case I am about to store extremely sensitive data (from PII, credit card details, healthcare data, or even military secrets), will the cloud provider offer me a solution for confidential computing, where I can store sensitive data, even in memory (or in use)?\nWell architected # A mature cloud provider has a vast amount of expertise and knowledge to share with you about how to build an architecture that will be secure, reliable, performance efficient, and cost-optimized, and how to continually improve the processes you have built.\nWill the cloud provider offer me rich documentation on how to achieve all the above-mentioned goals, to provide my customers with the best experience?\nWill the cloud provider offer me an automated solution for deploying an entire application stack within minutes from a large marketplace?\nCost management # The more we broaden our use of IaaS / PaaS services, the more we realize that almost every service has its price tag.\nWe might not prepare for this in advance, but once we begin to receive the monthly bill, we begin to see that we pay a lot of money, sometimes for services we don\u0026rsquo;t need, or for an expensive tier of a specific service.\nUnlike on-premise, most cloud providers offer us a way to lower the monthly bill or pay for what we consume.\nRegarding cost management, ask yourself the following questions:\nWill the cloud provider charge me for services when I am not consuming them?\nWill the cloud provider offer me detailed reports that will allow me to find out what I am paying for?\nWill the cloud provider offer me documents and best practices for saving costs?\nSummary # Answering the above questions with your preferred cloud provider will allow you to differentiate a mature cloud provider from the rest of the alternatives, and will assure you that you have made the right choice in selecting a cloud provider.\nThe answers will 
provide you with confidence, both when working with a single cloud provider, and when taking a step forward and working in a multi-cloud environment.\nReferences # Security, Trust, Assurance, and Risk (STAR)\nhttps://cloudsecurityalliance.org/star/\nSOC 2 - SOC for Service Organizations: Trust Services Criteria\nhttps://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/aicpasoc2report.html\nConfidential Computing and the Public Cloud\nhttps://eyal-estrin.medium.com/confidential-computing-and-the-public-cloud-fa4de863df3\nConfidential computing: an AWS perspective\nhttps://aws.amazon.com/blogs/security/confidential-computing-an-aws-perspective/\nAWS Well-Architected\nhttps://aws.amazon.com/architecture/well-architected\nAzure Well-Architected Framework\nhttps://docs.microsoft.com/en-us/azure/architecture/framework/\nGoogle Cloud\u0026rsquo;s Architecture Framework\nhttps://cloud.google.com/architecture/framework\nOracle Architecture Center\nhttps://docs.oracle.com/solutions/\nAlibaba Cloud’s Well-Architectured Framework\nhttps://www.alibabacloud.com/architecture/index\n","date":"15 September 2021","externalUrl":null,"permalink":"/posts/not-all-cloud-providers-are-built-the-same/","section":"Posts","summary":"","title":"Not all cloud providers are built the same","type":"posts"},{"content":" According to a Gartner survey, \u0026ldquo;Through 2022, traditional infrastructure and operations skills will be insufficient for 58% of the operational tasks\u0026rdquo;. Combine this information with a previous Gartner forecast that predicts that organizations\u0026rsquo; spending on public cloud services will grow to 397 billion dollars, and you begin to understand we have a serious threat.\nCovid-19 and the cloud era # The past year and a half with the Covid pandemic forced organizations to re-evaluate their IT services and as a result, more and more organizations began shifting to work from anywhere and began migrating part of their critical business applications from 
their on-premise environments to the public cloud.\nThe shift to the public cloud was sometimes quick, and in many cases, without proper evaluation of the security risk to their customers\u0026rsquo; data.\nWhere is my data? # Migrating to the public cloud began raising questions such as \u0026ldquo;where is my data located\u0026rdquo;?\nThe hyper-scale cloud providers (such as AWS, Azure, GCP) have a global presence around the world, but the first question we should always ask is \u0026ldquo;where is my data located\u0026rdquo; and whether we should build new environments in a specific country or continent to comply with data protection laws such as the GDPR in Europe, the CCPA in California, etc.\nHybrid cloud, multi-cloud, any cloud? # Almost every organization that began using the public cloud has heard the terms \u0026ldquo;hybrid cloud\u0026rdquo; and \u0026ldquo;multi-cloud\u0026rdquo;, and began debating which future architecture suits the organization\u0026rsquo;s needs and business goals.\nI often hear the question – should I choose AWS, Azure, GCP, or perhaps a smaller public cloud provider, that will allow me to migrate to the cloud and be able to support my business needs?\nSecurity misconfiguration # Building new environments in the public cloud, using \u0026ldquo;quick and dirty methods\u0026rdquo;, often comes with misconfigurations, from allowing public access to cloud storage services, to open access to databases containing customers\u0026rsquo; data, etc.\nClosing the knowledge gap # To prepare your organization for cloud adoption, top management should invest budget in employee training (from IT, support teams, development teams, and naturally the information security team).\nThe Internet is full of guidelines (from fundamental cloud services to security) and low-cost online courses.\nAllow your employees to close the skills gap, and invest time in allowing your security teams to shift their mindset from the on-premise environments (and attack surface) to the public 
cloud.\nAllow your security teams to take full advantage of managed services and built-in security capabilities (from auditing, encryption, DDoS protection, etc.) that are embedded as part of mature cloud services.\n","date":"30 July 2021","externalUrl":null,"permalink":"/posts/knowledge-gap-as-a-cloud-security-threat/","section":"Posts","summary":"","title":"Knowledge gap as a cloud security threat","type":"posts"},{"content":"When migrating existing environments to the cloud, or even when building and deploying new environments in the cloud, there are many alternatives. There is no one right or wrong way.\nIn this post we will review the way it was done in the past (AKA “old school”) and review the more modern options for environment deployments.\nTraditional deployment # Traditionally, when we had to deploy a new dev/test or a production environment for a new service or application, we usually considered 3-tier applications. These are built from a presentation layer (such as a web server or full client deployment), a business logic layer (such as an application server) and a back-end storage tier (such as a database server).\nSince each layer (or tier) depended on the rest of the layers, each software upgrade or addition of another server (for high availability) required downtime for the entire application or service. The result: a monolith.\nThis process was cumbersome. It took several weeks to deploy the operating system, deploy the software, configure it, conduct tests, get approval from the business customer, repeat the same process to deploy a production environment and finally switch to production.\nThis process was viable for small-scale deployments, or simple applications, serving a small number of customers.\nWe usually focus more on the system side of the deployment, perhaps a single server containing all the components. 
That approach lasts until we reach the hardware limitations (CPU / Memory / Storage / Network limitations) and begin to scale up (switching to newer hardware with more CPU / Memory / Storage / faster network interface card). Only then may we find out this solution does not scale enough to serve customers in the long run.\nWhen replacing the VM size does not solve bottlenecks, we begin to scale out by adding more servers (such as more web servers, a cluster of database servers, etc.). Then we face a new kind of problem: we need to take the entire monolith down every time we plan to deploy security patches, deploy software upgrades, etc.\nMigrating existing architecture to the public cloud (AKA “lift and shift”) is a viable option, and it has its own pros and cons:\nPros: # · We keep our current deployment method\n· Less knowledge is required from the IT team\n· We shorten the time it takes to deploy new environments\n· We will probably be able to keep our investment in licenses (AKA “Bring your own license”)\n· We will probably be able to reuse the existing backup, monitoring and software deployment tools we used in the on-premises deployment.\nCons: # · Using the most common purchase model “on demand” or “pay as you go” is suitable for unknown usage patterns (such as development or test environments), but it soon becomes expensive to use this purchase model on production environments running 24x7 (even when using an hourly-based purchase model), compared to purchasing hardware for on-premises and using the hardware without a time limitation (until the hardware support ends)\n· We are still in charge of operating system maintenance (upgrades, backup, monitoring, various agent deployment, etc.) 
— the larger our server farm is, the bigger the burden we have on maintenance, until it does not scale enough, and we need larger IT departments, and we lower the value we bring to our organization.\nDeployment in the modern world # Modern development and application deployment, also known as “Cloud Native applications”, focus on service (instead of servers with applications). It leverages the benefits of the cloud’s built-in capabilities and features:\nScale — We build our services to be able to serve millions of customers (instead of several hundred).\nElasticity — Our applications are aware of load and can expand or shrink resources in accordance with needs.\nHigh availability — Instead of exposing a single server in a single data center to the Internet, we deploy our compute resources (VMs, containers, etc.) behind a managed load-balancer service, and we spread the server deployment between several availability zones (usually an availability zone equals a data center). This allows us to automatically monitor the server’s availability and deploy new compute resources when one server fails or when we need more compute resources due to server load. Since the cloud offers managed services (from load-balancers, NAT gateways, VPN tunnel, object storage, managed databases, etc.) we benefit from cloud providers’ SLAs, which are extremely difficult to get in traditional data centers.\nObservability — In the past we used to monitor basic metrics such as CPU or memory load, free disk space (or maybe percentage of read/write events). Today, we add more and more metrics for the applications themselves, such as number of concurrent users, time it takes to query the database, percentage of errors in the web server log file, communication between components, etc. 
This allows us to predict service failures before our customers observe them.\nSecurity — Managing and maintaining large fleets of servers in the traditional data center requires a huge amount of work (security patches, firewall rules, DDoS protection, configuration management, encryption in transit and at rest, auditing, etc.). In the cloud, we benefit from built-in security capabilities, all working together and accessible both manually (for small-scale environments) and automatically (as part of Infrastructure as Code tools and languages).\nContainers and Kubernetes to the rescue # The use of microservice architecture revolutionized the way we develop and deploy modern applications by breaking previously complex architecture into smaller components and dividing them by the task they serve in our application or service.\nThis is where containers come into the picture. Instead of deploying virtual machines, with a full operating system and entire software stacks, we use containers. This allows us to wrap the minimum number of binaries, libraries, and code required for a specific task (login to the application, running the business logic, ingesting data into an object store or directly into the back-end database, running a reporting model, etc.).\nContainers enable better utilization of the existing “hardware” by deploying multiple containers (each can be for a different service) on the same virtual hardware (or bare metal) and reaching near 100% of resource utilization.\nContainers allow small development teams to focus on specific tasks or components, almost separately from the rest of the development teams (components still need to communicate with each other). They can upgrade lines of code, scale in and out according to load, and hopefully one day be able to switch between cloud providers (AKA be “Cloud agnostic”).\nKubernetes is the de facto orchestrator for running containers. 
It can deploy containers according to needs (such as load), monitor the status of each running container (and deploy a new container to replace a non-functioning container), automatically upgrade software builds (by deploying containers that contain new versions of code), make certain containers are being deployed equally between virtual servers (for load and high availability), etc.\nPros: # · Decreases the number of binaries and libraries to the minimum needed for running the service\n· Can be developed locally on a laptop, and run at large scale in the cloud (solves the problem of “it runs on my machine”)\n· Cloud vendor agnostic (unless you consume services from the cloud vendor’s ecosystem)\nCons: # · Takes time to learn how to wrap and maintain\n· Challenging to debug\n· A large percentage of containers available are outdated and contain security vulnerabilities.\nServerless / Function as a service # These are new modern ways to deploy applications in a more cost-effective manner, where we take small portions of our code (AKA “functions”) for doing specific tasks, deploy them inside a managed compute environment (AKA “serverless”) and pay for the amount of resources we consume (CPU / Memory) and the time (in seconds) it takes to run a function.\nServerless can be fitted inside microservice architecture by replacing tasks that we used to put inside containers.\nIt is suitable for stateless functions (for example: no need to keep caching of data) or for scenarios where we have specific tasks. 
For example, when we need to invoke a function as a result of an event, like closing a port in a security group, or because of an event triggered in a security monitoring service.\nPros: # · No need to maintain the underlying infrastructure (compute resources, OS, patching, etc.)\n· Scales automatically according to load\n· Extremely inexpensive at small scale (compared to a container)\nCons: # · Limited to a maximum of 15 minutes of execution time\n· Limited function storage size\n· Challenging to debug due to the fact that it is a closed environment (no OS access)\n· Might be expensive at large scale (compared to a container)\n· Limited number of supported development languages\n· Long function start-up time (“Warm up”)\nSummary # The world of cloud deployment is changing. And this is good news.\nInstead of server fleets and a focus on the infrastructure that might not be suitable or cost-effective for our applications, modern cloud deployment is focused on bringing value to our customers and to our organizations by shortening the time it takes to develop new capabilities (AKA “Time to market”). 
It allows us to experiment, make mistakes and recover quickly (AKA “fail safe”), while making better use of resources (pay for what we consume), being able to predict outages and downtime in advance.\n","date":"13 March 2021","externalUrl":null,"permalink":"/posts/modern-cloud-deployment-and-usage/","section":"Posts","summary":"","title":"Modern cloud deployment and usage","type":"posts"},{"content":" When we think about compute resources (AKA virtual machines) in the public cloud, most of us have the same picture in our head – operating system, above hypervisor, deployed above physical hardware.\nMost public cloud providers build their infrastructure based on the same architecture.\nIn this post we will review traditional virtualization, and then explain the benefits of modern cloud virtualization.\nIntroduction to hypervisors and virtualization technology # The idea behind virtualization is the ability to deploy multiple operating systems, on the same physical hardware, and still allow each operating system access to the CPU, memory, storage, and network resources.\nTo allow the virtual operating systems (AKA “Guest machines”) access to the physical resources, we use a component called a “hypervisor”.\nThere are two types of hypervisors:\nType 1 hypervisor – an operating system deployed on physical hardware (“bare metal” machine) and allows guest machines access to the hardware resources. Type 2 hypervisor – software within an operating system (AKA “Host operating system”) deployed on physical hardware. The guest machines are installed above the host operating system. The host operating system hypervisor allows guest machines access to the underlying physical resources. The main drawbacks of current hypervisors:\nThere is no full isolation between multiple guest VMs deployed on the same hypervisor and the same host machine. All the network passes through the same physical NIC and same hypervisor network virtualization. 
The more layers we add (either type 1 or type 2 hypervisors), we increase overhead on the host operating system and host hypervisor. This means the guest VMs will not be able to take full advantage of the underlying hardware. AWS Nitro System # In 2017 AWS introduced their latest generation of hypervisors.\nThe Nitro architecture, underneath the EC2 instances, made a dramatic change to the way we use hypervisors by offloading virtualization functions (such as network, storage, security, etc.) to dedicated software and hardware chips. This allows the customer to get much better performance, with much better security and isolation of customers’ data. Hypervisor prior to AWS Nitro:\nHypervisor based on AWS Nitro:\nThe Nitro architecture is based on Nitro cards:\nNitro card for VPC – handles network connectivity to the customer’s VPC, and fast network connectivity using ENA (Elastic Network Adapter) controller Nitro card for EBS – allows access to the Elastic Block Storage service Nitro card for instance storage – allows access to the local disk storage Nitro security chip – provides hardware-based root of trust In 2020, AWS introduced AWS Nitro Enclaves that allow customers to create isolated environments to protect customers’ sensitive data and reduce the attack surface.\nEC2 instance prior to AWS Nitro Enclaves:\nEC2 instance with AWS Nitro Enclaves enabled:\nThe diagram below shows two EC2 instances on the same EC2 host. One of the EC2 instances has Nitro Enclaves enabled:\nAdditional references: # AWS Nitro System https://aws.amazon.com/ec2/nitro/\nReinventing virtualization with the AWS Nitro System https://www.allthingsdistributed.com/2020/09/reinventing-virtualization-with-aws-nitro.html\nAWS Nitro - What Are AWS Nitro Instances, and Why Use Them? 
https://www.metricly.com/aws-nitro/\nAWS Nitro Enclaves https://aws.amazon.com/ec2/nitro/nitro-enclaves\nAWS Nitro Enclaves – Isolated EC2 Environments to Process Confidential Data https://aws.amazon.com/blogs/aws/aws-nitro-enclaves-isolated-ec2-environments-to-process-confidential-data\nOracle’s Generation 2 (GEN2) Cloud Infrastructure # In 2018 Oracle introduced their second generation of cloud infrastructures.\nOracle’s Gen2 cloud offers isolated network virtualization, using custom-designed SmartNIC (a special software and hardware card) which offers customers the following advantages:\nReduced attack surface Prevent lateral traversal between bare-metal, container or VM hosts Protection against Man-in-the-Middle attacks between hosts and guest VMs Protection against denial-of-service attacks against VM instances First generation cloud hypervisors:\nOracle Second generation cloud hypervisor:\nOracle Cloud architecture differs from the rest of the public cloud providers in terms of CPU power.\nIn OCI, 1 OCPU (Oracle Compute Unit) = 1 physical core, while other cloud providers use Intel hyperthreading technology, which calculates 2 vCPU = 1 physical core.\nAs a result, customers get better performance per each OCPU it consumes.\nAnother characteristic that differentiates OCI architecture is no resource oversubscription, which means a customer will never share the same resource (CPU, memory, network) with another customer. This avoids a “noisy neighbor” scenario and allows the customer better and guaranteed performance.\nAdditional references: # Oracle Cloud Infrastructure Security Architecture https://www.oracle.com/a/ocom/docs/oracle-cloud-infrastructure-security-architecture.pdf\nOracle Cloud Infrastructure — Isolated Network Virtualization https://www.oracle.com/security/cloud-security/isolated-network-virtualization/\nWhat is a Gen 2 Cloud? 
https://blogs.oracle.com/platformleader/what-is-a-gen-2-cloud\nExploring Oracle\u0026rsquo;s Gen 2 Cloud Infrastructure Security Architectures: Isolated Network Virtualization https://blogs.oracle.com/cloudsecurity/exploring-oracles-gen-2-cloud-infrastructure-security-architectures3a-isolated-network-virtualization\nProperly sizing workloads in the Oracle Government Cloud: Save costs and gain performance with OCPUs https://blogs.oracle.com/cloud-infrastructure/properly-sizing-workloads-in-the-oracle-government-cloud-save-costs-and-gain-performance-with-ocpus\n","date":"24 February 2021","externalUrl":null,"permalink":"/posts/modern-cloud-virtualization/","section":"Posts","summary":"","title":"Modern cloud virtualization","type":"posts"},{"content":"","date":"12 January 2021","externalUrl":null,"permalink":"/categories/openssl/","section":"Categories","summary":"","title":"Openssl","type":"categories"},{"content":" We have recently read a lot of posts about the SolarWinds hack, a vulnerability in a popular monitoring software used by many organizations around the world.\nThis is a good example of a supply chain attack, which can happen to any organization.\nWe have seen similar scenarios over the past decade, from the Heartbleed bug, Meltdown and Spectre, Apache Struts, and more.\nOrganizations all around the world were affected by the SolarWinds hack, including the cybersecurity company FireEye, and Microsoft.\nEvents like these make organizations rethink their cybersecurity and data protection strategies and ask important questions.\nRecent changes in the European data protection laws and regulations (such as Schrems II) are trying to limit data transfer between Europe and the US.\nShould such security breaches occur? Absolutely not.\nShould we live with the fact that such large organizations have been breached? Absolutely not!\nShould organizations that already invested a lot of resources in cloud migration move workloads back to on-premises? 
I don\u0026rsquo;t think so.\nBut no organization, not even major financial organizations like banks or insurance companies, or even the largest multinational enterprises, has enough manpower, knowledge, and budget to invest in proper protection of their own data or their customers’ data, as hyperscale cloud providers do.\nThere are several reasons for this:\nHyperscale cloud providers invest billions of dollars improving security controls, including dedicated and highly trained personnel. A breach of customers\u0026rsquo; data that resides at hyperscale cloud providers can drive a cloud provider out of business, due to the breach of customers\u0026rsquo; trust. Security is important to most organizations; however, it is not their main line of expertise.\nOrganizations need to focus on their core business that brings them value, like manufacturing, banking, healthcare, education, etc., and rethink how to obtain services that support their business goals, such as IT services, but do not add direct value. Recommendations for managing security # Security Monitoring # Security best practices often state: \u0026ldquo;document everything\u0026rdquo;.\nThere are two downsides to this recommendation: One, storage capacity is limited and two, most organizations do not have enough trained manpower to review the logs and find the top incidents to handle.\nSwitching security monitoring to cloud-based managed systems such as Azure Sentinel or Amazon GuardDuty will assist in detecting important incidents and in handling huge logs internally.\nEncryption # Another security best practice states: \u0026ldquo;encrypt everything\u0026rdquo;.\nA few years ago, encryption was quite a challenge. Will the service/application support the encryption? Where do we store the encryption key? 
How do we manage key rotation?\nIn the past, only banks could afford an HSM (Hardware Security Module) for storing encryption keys, due to the high cost.\nToday, encryption is standard for most cloud services, using key management services such as AWS KMS, Azure Key Vault, Google Cloud KMS and Oracle Key Management.\nMost cloud providers not only support encryption at rest, but also support customer-managed keys, which allow the customer to generate their own encryption key for each service, instead of using the cloud provider\u0026rsquo;s generated encryption key.\nSecurity Compliance # Most organizations struggle to handle security compliance over large environments on premise, not to mention large IaaS environments.\nThis issue can be solved by using managed compliance services such as AWS Security Hub, Azure Security Center, Google Security Command Center or Oracle Cloud Access Security Broker (CASB).\nDDoS Protection # Any organization exposing services to the Internet (from a public-facing website, through email or DNS services, to a VPN service) will eventually suffer from a volumetric denial-of-service attack.\nOnly large ISPs have enough bandwidth to handle such an attack before the border gateway (firewall, external router, etc.) 
will crash or stop handling incoming traffic.\nThe hyperscale cloud providers have infrastructure that can handle DDoS attacks against their customers, services such as AWS Shield, Azure DDoS Protection, Google Cloud Armor or Oracle Layer 7 DDoS Mitigation.\nUsing SaaS Applications # In the past, organizations had to maintain their entire infrastructure, from messaging systems, CRM, ERP, etc.\nThey had to think about scale, resilience, security, and more.\nMost breaches of cloud environments originate from misconfigurations at the customers’ side on IaaS / PaaS services.\nToday, the preferred way is to consume managed services in SaaS form.\nThese are a few examples: Microsoft Office 365, Google Workspace (Formerly Google G Suite), Salesforce Sales Cloud, Oracle ERP Cloud, SAP HANA, etc.\nLimit the Blast Radius # To limit the \u0026ldquo;blast radius\u0026rdquo; where an outage or security breach on one service affects other services, we need to re-architect infrastructure.\nSwitching from applications deployed inside virtual servers to modern development such as microservices based on containers, or building new applications based on serverless (or function as a service) will assist organizations limit the attack surface and possible future breaches.\nExample of these services: Amazon ECS, Amazon EKS, Azure Kubernetes Service, Google Kubernetes Engine, Google Anthos, Oracle Container Engine for Kubernetes, AWS Lambda, Azure Functions, Google Cloud Functions, Google Cloud Run, Oracle Cloud Functions, etc.\nSummary # The bottom line: organizations can increase their security posture, by using the public cloud to better protect their data, use the expertise of cloud providers, and invest their time in their core business to maximize value.\nSecurity breaches are inevitable. Shifting to cloud services does not shift an organization’s responsibility to secure their data. 
It simply does it better.\n","date":"12 January 2021","externalUrl":null,"permalink":"/posts/the-future-of-data-security-lies-in-the-cloud/","section":"Posts","summary":"","title":"The Future of Data Security Lies in the Cloud","type":"posts"},{"content":" What is cloud shell and what is it used for?\nCloud Shell is a browser-based shell, for running Linux commands, scripts, and command line tools, within a cloud environment, without having to install any tools on the local desktop. It contains ephemeral storage for saving configuration and installing software required for performing tasks. But we need to remember that the storage has a capacity limitation and eventually will be erased after a certain amount of idle time.\nCloud Shell Alternatives #\n| | AWS CloudShell | Azure Cloud Shell | Google Cloud Shell | Oracle Cloud Shell |\n| Operating System | Amazon Linux 2 | Ubuntu 16.04 LTS | Debian-based Linux | Oracle Linux |\n| Shell interface | Bash, Z shell | Bash | Bash | Bash |\n| Scripting interface | PowerShell | PowerShell | - | - |\n| CLI Tools installed | AWS CLI, Amazon ECS CLI, AWS SAM CLI | Azure CLI, Azure Functions CLI, Service Fabric CLI, Batch Shipyard | Google App Engine SDK, Google Cloud SDK | OCI CLI |\n| Persistent storage for home directory | 1GB | 5GB | 5GB | 5GB |\n| Idle inactive termination | 20-30 minutes | 20 minutes | 20 minutes | 20 minutes |\n| Maximum data storage | 120 days | - | 120 days | 60 days |\nAdditional references # AWS CloudShell https://aws.amazon.com/cloudshell/features/\nLimits and restrictions for AWS CloudShell https://docs.aws.amazon.com/cloudshell/latest/userguide/limits.html\nAzure Cloud Shell https://docs.microsoft.com/en-us/azure/cloud-shell/features\nTroubleshooting \u0026amp; Limitations of Azure Cloud Shell https://docs.microsoft.com/en-us/azure/cloud-shell/troubleshooting\nGoogle Cloud Shell https://cloud.google.com/shell/docs\nLimitations and restrictions of Google Cloud Shell https://cloud.google.com/shell/docs/limitations\nOracle Cloud Infrastructure (OCI) Cloud Shell 
https://docs.oracle.com/en-us/iaas/Content/API/Concepts/cloudshellintro.htm\nOCI Cloud Shell Limitations https://docs.oracle.com/en-us/iaas/Content/API/Concepts/cloudshellintro.htm#Cloud_Shell_Limitations\n","date":"28 December 2020","externalUrl":null,"permalink":"/posts/cloud-shell-alternatives/","section":"Posts","summary":"","title":"Cloud Shell alternatives","type":"posts"},{"content":"","date":"23 December 2020","externalUrl":null,"permalink":"/categories/blockchain/","section":"Categories","summary":"","title":"Blockchain","type":"categories"},{"content":" Remember tokenized securities or securitization with tokens on blockchain?\nWith the entire year in crypto defined by a maelstrom of projects embarking on decentralized finance (DeFi) aspects to their products, it can be easy to forget that previous advancements in blockchain-based technologies have continued to make great headway in terms of adoption and application.\nSecurity tokens and tokenized securities # In 2019 especially, with greater regulatory scrutiny on blockchain-based crowdfunding in the shape of initial coin offerings (ICOs), many projects sought to reconcile crypto’s much-maligned aspect of democratic fundraising with increasingly unforgiving regulatory compliance. Hence the proliferation of Security Token Offerings (STOs) that were meant to replace ICOs as legitimate, law-abiding instruments to raise funds and issue securities through blockchain-based tokens.\nIt’s important here to distinguish between security tokens and tokenized securities \u0026ndash; often used interchangeably, but hardly the same thing. In the former, blockchain technology is used to create new tokens that are representations of real-world “securities”, i.e., crypto assets that share some qualities with securities in the traditional sense. 
In the latter, we are talking about existing assets (securities) in the real world that are expressed digitally… wrapped, if you will, in a token technology.\nAn overlooked breakthrough # Put another way, security tokens create a token and create securities, but tokenized securities simply digitalize existing securities. That really is something that solves a major problem with traditional securities, which makes it somewhat surprising that it hasn’t been picked up more.\nTokenizing securities immediately helps with widening the market and improving their liquidity. In addition, it’s not a new product, so there isn’t so much for regulators to look at; it is simply a new, digital channel for distribution, which actually makes tokenized securities simpler to approve.\nThey’re not just an idea, they’re already here. # Because tokenizing securities is comparatively simple to do, quite a number of them have actually entered the market. Last year, we saw traditional funds like 22X Fund put together a tokenized fund (with money raised through an ICO in fact in 2018) to invest in 22 startups. But SPiCE will argue it was even earlier, as the VC fund was set up in 2017 and lays claim to being the first tokenized VC fund able to offer immediate liquidity for venture capital – which otherwise takes years to liquidate!\nThis year, AllianceBlock, which is building the “world’s first globally compliant decentralized capital market”, partnered with another blockchain firm, AIKON, for a secure blockchain-based identity management service – making decentralized finance services accessible to all, and securing that access with the blockchain.\nThe data already shows that the coming years will very soon see securities fully digitized and empowered by blockchain. 
From owning a small share in your favorite soccer club, to fractional ownership of pizza restaurants in a country halfway around the world from you, blockchain and tokenized securities are spelling out a way for $256 trillion worth of real-world assets, mostly illiquid as physical representations, to go digital.\nAs they say in blockchain, tokenized securities are a matter of when, not if.\nThis article originally appeared on aikon.com\n","date":"23 December 2020","externalUrl":null,"permalink":"/posts/tokenized-securities-on-blockchain-are-here-and-theyve-been-around-for-a-while/","section":"Posts","summary":"","title":"Tokenized securities on blockchain are here. And they’ve been around for a while","type":"posts"},{"content":" Why do organizations need a cloud strategy and what are the benefits?\nIn this post, we will review some of the reasons for defining and committing an organizational cloud strategy to print, what topics should be included in such a document and how a cloud strategy enables organizations to manage risks involved in achieving secure and smart cloud usage to promote business goals.\nTerminology # A cloud strategy document should include a clear definition of what is considered a cloud service, based on the NIST definition:\nOn demand self-service – A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider Broad network access - Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops, and workstations) Resource pooling - The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. 
There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, and network bandwidth Rapid elasticity - Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time Measured service - Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service The cloud strategy document should include a clear definition of what is not considered a cloud service – such as hosting services provided by hardware vendors (hosting service / hosting facility, Virtual Private Servers / VPS, etc.)\nBusiness Requirements # The purpose of cloud strategy document is to guide the organization in the various stages of using or migrating to cloud services, while balancing the benefits for the organization and conducting proper risk management at the same time.\nLack of a cloud strategy will result in various departments in the organization consuming cloud services for various reasons, such as an increase productivity, but without official policy on how to properly adopt the cloud services. 
New IT departments could be created (AKA “Shadow IT”), without any budget control, while increasing information security risks due to lack of guidance.\nA cloud strategy document should include the following:\nThe benefits for the organization as a result of using cloud services\nDefinitions of which services will remain on premise and which services can be consumed as cloud services\nApproval process for consuming cloud services\nRisks resulting from using unapproved cloud services\nRequired controls to minimize the risks of using cloud services (information security and privacy, cost management, resource availability, etc.)\nCurrent state (in terms of cloud usage)\nDesired state (where the organization is heading in the next couple of years in terms of cloud usage)\nExit strategy\nBenefits for the organization # A cloud strategy document should include possible benefits from using cloud services, such as:\nCost savings\nSwitching to flexible payment – the customer pays for what they consume (on demand)\nInformation security\nMoving to cloud services shifts the burden of physical security to the cloud provider\nUsing cloud services allows better protection against denial-of-service attacks\nUsing cloud services allows access to managed security services (such as security monitoring, breach detection, anomaly, and user behavior detection, etc.) 
available as part of the leader cloud provider’s portfolio\nBusiness continuity and disaster recovery\nCloud infrastructure services (IaaS) are good alternative for deploying DR site Infrastructure flexibility\nUsing cloud services, allows scale out and scale in the number of resources (from Web servers to database clusters) according to application load Approval process for consuming cloud services # To formalize the use of cloud services for all departments of the organization, the cloud strategy document should define the approval process for using cloud services (according to organization’s size and maturity level)\nCIO / CTO / IT Manager Legal counsel / DPO / Chief risk officer Purchase department / Finance Risk Management # A cloud strategy document should include a mapping of risks in using cloud services, such as:\nLack of budget control The ability of each department, to use credit card details to open an account in the public cloud and begin consuming services without budget control from the finance department Regulation and privacy aspects Using cloud services for storing personal information (PII) without control by a DPO (or someone in charge of data protection aspects in the organization). This exposes the organization to both breach attempts and violation of privacy laws and regulation Information security aspects Using cloud services accessible by Internet visitors exposes the organization to data breach, data corruption, deletion, service downtime, reputation damage, etc. 
Lack of knowledge\nUse of cloud services requires proper training for IT, development, support, and information security teams on the proper usage of cloud services\nControls for minimizing the risks of cloud service usage # The best solution for minimizing the risks to the organization is to create a dedicated team (CCOE – Cloud Center of Excellence) with representatives of the following departments:\nInfrastructure\nInformation security\nLegal\nDevelopment\nTechnical support\nPurchase department / FinOps\nCurrent state # The cloud strategy document should map the following current state in terms of cloud service usage:\nWhich SaaS applications are currently being consumed by the organization and for what purposes?\nWhich IaaS / PaaS services are currently being consumed? (Dev / Test environments, etc.)\nDesired state # The cloud strategy document should define where the organization is going in the next 2-5 years in terms of cloud service usage.\nThe document should answer these pivotal questions:\nDoes the organization wish to continue to manage and maintain infrastructure on its own or migrate to managed services in the cloud?\nShould the organization deploy private cloud?\nShould the organization migrate all applications and infrastructure to the public cloud or perhaps a combination of on premise and public cloud (Hybrid cloud)?\nAnd lastly, the strategy document should define KPIs for successful deployment of cloud services.\nExit strategy # A section should be included that addresses vendor lock-in risks and how to act if the organization chooses to migrate a system from the public cloud back on premise, or even migrate data between different public cloud providers for reasons such as cost, support, technological advantage, regulation, etc.\nIt is important to take extra care of the following topics during the contractual agreement with a public cloud provider:\nIs there an expected fine if the organization decides to end the contract early? 
What is the process of exporting data from a SaaS application back to on premise (or between public cloud providers)? What is the public cloud provider’s commitment for data deletion at the end of the contractual agreement? How long is the cloud provider going to store organizational (and customer) data (including backup and logs) after the end of the contractual agreement? ","date":"22 December 2020","externalUrl":null,"permalink":"/posts/importance-of-cloud-strategy/","section":"Posts","summary":"","title":"Importance of cloud strategy","type":"posts"},{"content":" What exactly is “confidential computing” and what are the reasons and benefits for using it in the public cloud environment?\nIntroduction to data encryption # To protect data stored in the cloud, we usually use one of the following methods:\n· Encryption in transit — Data transferred over the public Internet can be encrypted using the TLS protocol. This method prevents unwanted participants from entering the conversation.\n· Encryption at rest — Data stored at rest, such as databases, object storage, etc., can be encrypted using symmetric encryption, which means using the same encryption key to encrypt and decrypt the data. This commonly uses the AES-256 algorithm.\nWhen we wish to access encrypted data, we need to decrypt the data in the computer’s memory to access, read and update the data.\nThis is where confidential computing comes in — trying to protect the gap between data at rest and data in transit.\nConfidential Computing uses hardware to isolate data. 
Data is protected while in use by processing it inside a trusted execution environment (TEE).\nAs of November 2020, confidential computing is supported by Intel Software Guard Extensions (SGX) and AMD Secure Encrypted Virtualization (SEV), based on AMD EPYC processors.\nComparison of the available options #\nFeature | Intel SGX | Intel SGX2 | AMD SEV 1 | AMD SEV 2\nPurpose | Microservices and small workloads | Machine Learning and AI | Cloud and IaaS workloads (above the hypervisor), suitable for legacy applications or large workloads | Cloud and IaaS workloads (above the hypervisor), suitable for legacy applications or large workloads\nCloud VM support (November 2020) -\nCloud containers support (November 2020) - -\nOperating system supported | Windows, Linux | Linux | Linux | Linux\nMemory limitation | Up to 128MB | Up to 1TB | Up to available RAM | Up to available RAM\nSoftware changes | Require software rewrite | Require software rewrite | Not required | -\nReference Architecture # AMD SEV Architecture:\nAzure Kubernetes Service (AKS) Confidential Computing:\nReferences # · Confidential Computing: Hardware-Based Trusted Execution for Applications and Data\nhttps://confidentialcomputing.io/wp-content/uploads/sites/85/2020/10/ConfidentialComputing_Outreach_Whitepaper-8-5x11-1.pdf\n· Google Cloud Confidential VMs vs Azure Confidential Computing\nhttps://msandbu.org/google-cloud-confidential-vms-vs-azure-confidential-computing/\n· A Comparison Study of Intel SGX and AMD Memory Encryption Technology\nhttps://caslab.csl.yale.edu/workshops/hasp2018/HASP18_a9-mofrad_slides.pdf\n· SGX-hardware list\nhttps://github.com/ayeks/SGX-hardware\n· Performance Analysis of Scientific Computing Workloads on Trusted Execution Environments\nhttps://arxiv.org/pdf/2010.13216.pdf\n· Helping Secure the Cloud with AMD EPYC Secure Encrypted Virtualization\nhttps://developer.amd.com/wp-content/resources/HelpingSecuretheCloudwithAMDEPYCSEV.pdf\n· Azure confidential computing\nhttps://azure.microsoft.com/en-us/solutions/confidential-compute/\n· Azure and Intel 
commit to delivering next generation confidential computing\nhttps://azure.microsoft.com/en-us/blog/azure-and-intel-commit-to-delivering-next-generation-confidential-computing/\n· DCsv2-series VM now generally available from Azure confidential computing\nhttps://azure.microsoft.com/en-us/blog/dcsv2series-vm-now-generally-available-from-azure-confidential-computing/\n· Confidential computing nodes on Azure Kubernetes Service (public preview)\nhttps://docs.microsoft.com/en-us/azure/confidential-computing/confidential-nodes-aks-overview\n· Expanding Google Cloud’s Confidential Computing portfolio\nhttps://cloud.google.com/blog/products/identity-security/expanding-google-clouds-confidential-computing-portfolio\n· A deeper dive into Confidential GKE Nodes — now available in preview\nhttps://cloud.google.com/blog/products/identity-security/confidential-gke-nodes-now-available\n· Using HashiCorp Vault with Google Confidential Computing\nhttps://www.hashicorp.com/blog/using-hashicorp-vault-with-google-confidential-computing\n· Confidential Computing is cool!\nhttps://medium.com/google-cloud/confidential-computing-is-cool-1d715cf47683\n· Data-in-use protection on IBM Cloud using Intel SGX\nhttps://www.ibm.com/cloud/blog/data-use-protection-ibm-cloud-using-intel-sgx\n· Why IBM believes Confidential Computing is the future of cloud security\nhttps://venturebeat.com/2020/10/16/why-ibm-believes-confidential-computing-is-the-future-of-cloud-security/\n· Alibaba Cloud Released Industry’s First Trusted and Virtualized Instance with Support for SGX 2.0 and TPM\nhttps://www.alibabacloud.com/blog/alibaba-cloud-released-industrys-first-trusted-and-virtualized-instance-with-support-for-sgx-2-0-and-tpm_596821\n","date":"28 November 2020","externalUrl":null,"permalink":"/posts/confidential-computing-and-the-public-cloud/","section":"Posts","summary":"","title":"Confidential Computing and the Public Cloud","type":"posts"},{"content":"","date":"9 November 
2020","externalUrl":null,"permalink":"/tags/devops/","section":"Tags","summary":"","title":"Devops","type":"tags"},{"content":"","date":"9 November 2020","externalUrl":null,"permalink":"/categories/devsecops/","section":"Categories","summary":"","title":"Devsecops","type":"categories"},{"content":"","date":"9 November 2020","externalUrl":null,"permalink":"/tags/devsecops/","section":"Tags","summary":"","title":"Devsecops","type":"tags"},{"content":"If you don’t include security testing, risk assessments, and compliance evaluations as part of the entire software delivery or release pipeline, you’re putting your organization at risk. It goes beyond a failed release or a delay in getting a feature out to the market: you’ll be introducing vulnerabilities into production, bypassing compliance and failing audit tests. All of these instances of security negligence could have penalties and fines associated with them.\nSecurity in DevOps is a part of the natural evolution of DevOps\nDevOps is not a technology but a cultural shift that organizations need to make. If we break down DevOps, it comes down to developers and IT operations. What is in the name? If we look back at the history of DevOps, it all started with developers, as in agile, breaking code down into smaller components. Then they moved on to the next constraint, “How can we deploy faster?”. So we got really good at infrastructure as code and at deploying to not just our private cloud but our public clouds as well. The third constraint was testing. So we started to introduce automated testing into the release process, which evolved into continuous testing as we started shifting testing earlier in the release process.\nSecurity is a constraint if you think otherwise\nAs I said, it is a natural evolution, and now we are in rendezvous with the fourth constraint—security. 
However, this constraint does not fit well with the existing DevOps practices of continuous integration and delivery. To fix things, it might take renaming DevOps to DevSecOps. DevOps teams are fine with it because security has always been the last step in the release process, and security teams really don’t step in until the code is ready to move into production. In DevOps terms, a delay of months or even weeks in the release process is synonymous with blasphemy. Introducing security to DevOps is not as simple as introducing testing was. The notion “you move security ‘left’ and things will go right” will not work outright. It requires a change in mindset at the organizational level to get security working with developers. It requires us to reevaluate and come up with better technology to be able to introduce security into our existing DevOps pipelines.\nSecurity is boring but ‘right’\nSecurity people have traditionally been tool operators. Some security people might do scripting, but there’s a wide disconnect from the software engineering group. Developers tend to criticize security people. For them, it is easier to break something than it is to build it. As companies gain velocity and everyone’s a software company, they’re all building things faster, and security is last in the pipeline because it doesn’t inherently provide any business value other than risk reduction. Therefore, security was left behind not just because DevOps was moving delivery pipelines too fast for security to catch up, but also because security teams took DevOps as something of a trend in line with agile.\nEventually, it comes down to business value\nUltimately, security became a part of DevOps after organizations recognized it was a legitimate movement and provides business value. 
We finally realize that conveying and communicating risk reduction must be done at every part of the pipeline, whatever your software development cycle looks like. From waterfall to continuous integration, whatever you have in place, security has to be part of it. Whether it’s in the name or the title, or in how we talk about it, I think that’s more of a sort of gimmick. Really, those cultures can work, but just sliding security into DevOps is only a start; there’s a lot behind that.\nModern DevSecOps schemes are about the right approach\nThe fundamentals of modern DevSecOps schemes rely on both processes and automation. By processes I mean that there’s a big gap today between the security teams and the development teams in a DevOps process. To be frank, developers don’t really like fixing security issues. Eventually, the security teams take on the issues and raise an alert, but when it comes to communicating these issues and remediating them, they need the cooperation of the development teams. When they have a DevSecOps team that promotes collaboration, they understand how developers think and work, and automate the whole process. That’s the key to a successful relationship between the security teams and the development teams. If you look at the number of people in those teams, you will find hundreds or thousands of developers, probably a dozen or so DevOps people, and a couple of security people. In a nutshell, there is no shortcut for introducing security into DevOps. You must automate and have the right tools in place to communicate and close the loop on resolving application security issues. There are two approaches to introducing security into DevOps. One approach is for security teams to bring developers into the security team and learn how developers work and how they want security issues communicated to them and resolved. 
Another approach is to put security analysts into dev teams in order to help developers improve the way they think about security and the way they develop their application. Regardless the approach, that\u0026rsquo;s something that resolves the gaps that hold automation and the communications by fixing friction between the dev and security team.\nDevSecOps is a mindset afterall that closely follows your culture\nThe purpose and intent of the word “DevSecOps” is a sort of mindset that an agile team is responsible for all aspects from design and development to operations and security. This achieves speed and scale without sacrificing the safety of the code. Traditionally, system is designed and implemented and before release the defects are determined by security staff. With agile practices, it is important to inject security and operational details as early as possible in the development cycle. “DevOps is the practice of operations and development engineers participating together in the entire service lifecycle, from design through the development process to production support.\n“DevOps is also characterized by operation staff using many of the same techniques as developers use for their system works.\n","date":"9 November 2020","externalUrl":null,"permalink":"/posts/why-not-just-have-devops-without-the-sec/","section":"Posts","summary":"","title":"Why not just have DevOps without the Sec?","type":"posts"},{"content":" When an organization needs to select a public cloud service provider, there are several variables and factors to take into consideration that will help you choose the most appropriate cloud provider suitable for the organization’s needs.\nIn this post, we will review various considerations that will help organizations in the decision-making process.\nBusiness goals # Before deciding to use a public cloud solution, or migrating existing environments to the cloud, it is important that organizations review their business goals. 
Explore what brings the organization value by maintaining existing systems on premise and what value the migration to the cloud promises. In accordance with what you discover, decide which systems will be deployed in the cloud first, or which systems your organization will choose to use as managed services.\nReview the lists of services offered in the cloud # Public cloud providers publish a list of services in various areas.\nReview the list of current services and see how they stand up to your organization’s needs. This will help you narrow down the most suitable options.\nHere are some examples of public cloud service catalogs:\n· AWS — https://aws.amazon.com/products/\n· Azure — https://azure.microsoft.com/en-us/services/\n· GCP — https://cloud.google.com/products\n· Oracle Cloud — https://www.oracle.com/cloud/products.html\n· IBM — https://www.ibm.com/cloud/products\n· Salesforce — https://www.salesforce.com/eu/products/\n· SAP — https://www.sap.com/products.html\nCentrally authenticating users against Active Directory in IaaS / PaaS environments # Many organizations manage access rights to various systems based on an organizational Active Directory.\nAlthough it is possible to deploy Domain Controllers based on virtual servers in an IaaS environment, or create a federation between the on-premise and the cloud environments, at least some cloud providers offer a managed Active Directory service based on the Kerberos protocol (the most common authentication protocol in on-premise environments), which might ease the migration to the public cloud.\nExamples of managed Active Directory services:\n· AWS Directory Service\n· Azure Active Directory Domain Services\n· Google Managed Service for Microsoft Active Directory\nUnderstanding IaaS / PaaS pricing models # Public cloud providers publish pricing calculators and documentation on their service pricing models.\nUnderstanding pricing models might be complex for some services. 
For this reason, it is highly recommended to contact an account manager, a partner or a reseller for assistance.\nComparing similar services among different cloud providers will enable an organization to identify and choose the most suitable cloud provider based on the organization’s needs and budget.\nExamples of pricing calculators:\n· AWS Simple Monthly Calculator\n· AWS Pricing Calculator\n· Azure Pricing calculator\n· Google Cloud Platform Pricing Calculator\n· Oracle Cloud Cost Estimator\nCheck if your country has a local region of one of the public cloud providers # Selecting one provider over a competitor may be easier if the provider has a local region in your specific country. This can help, for example, in cases where there are limitations on data transfer outside a specific country’s borders (or between continents), or issues of network latency when transferring large data sets between the local data centers and cloud environments.\nThis is relevant for all cloud service models (IaaS / PaaS / SaaS).\nExamples of regional mapping:\n· AWS:\nAWS Regions and Availability Zones\n· Azure and Office 365:\nAzure geographies\nWhere your Microsoft 365 customer data is stored\n· Google Cloud Platform:\nGoogle Cloud Locations\n· Oracle Cloud:\nOracle Data Regions for Platform and Infrastructure Services\n· Salesforce:\nWhere is my Salesforce instance located?\n· SAP:\nSAP Cloud Platform Regions and Service Portfolio\nService status reporting and outage history # Mature cloud providers transparently publish their service availability status in various regions around the world, including outage history of their services.\nThese providers share service status and outages with customers, and know how to build stable and available infrastructure over the long term and over multiple geographic locations, as well as how to minimize the “blast radius” of an outage, which might otherwise affect many customers.\nA thorough review of 
an outage history report allows organizations to get a good picture over an extended period and help in the decision-making process.\nExample of cloud providers’ service status and outage history documentation:\n· AWS:\nAWS Service Health Dashboard\nAWS Post-Event Summaries\n· Azure:\nAzure status\nAzure status history\n· Google Cloud Platform:\nGoogle Cloud Status Dashboard\nGoogle Cloud Status Dashboard — Incidents Summary\n· Oracle Cloud:\nOracle Cloud Infrastructure — Current Status\nOracle Cloud Infrastructure — Incident History\n· Salesforce:\nSalesforce products status\nSalesforce ongoing incidents\n· SAP:\nSAP Cloud Service Status\nSAP Cloud Platform Status Page\nSummary # As you can see, there are several important factors to take into consideration when selecting a specific cloud provider. We have covered some of the more common ones in this post.\nFor an organization to make an educated decision, it is recommended to check what brings value for the organization, in both the short and long-term. It is important to review cloud providers’ service catalogs, alongside a thorough review of global service availability, transparency, understanding pricing models and hybrid architecture that connects local data centers to the cloud.\n","date":"1 November 2020","externalUrl":null,"permalink":"/posts/tips-for-selecting-a-public-cloud-provider/","section":"Posts","summary":"","title":"Tips for Selecting a Public Cloud Provider","type":"posts"},{"content":"","date":"9 October 2020","externalUrl":null,"permalink":"/categories/mysql/","section":"Categories","summary":"","title":"Mysql","type":"categories"},{"content":" Today, more and more organizations are moving to the public cloud and choosing open source databases. 
They are choosing this for a variety of reasons, but license cost is one of the main ones.\nIn this post, we will review some of the common alternatives for running MySQL database inside a managed environment.\nLegacy applications may be a reason for manually deploying and managing MySQL database.\nAlthough it is possible to deploy a virtual machine and manually install a MySQL database (or even a MySQL cluster) on top of it, unless your organization has a dedicated and capable DBA, I recommend looking at what brings value to your organization. Unless databases directly influence your organization’s revenue, I recommend paying the extra money and choosing a managed solution based on a Platform as a Service model.\nIt is important to note that several cloud providers offer data migration services to assist migrating existing MySQL (or even MS-SQL and Oracle) databases from on-premise to a managed service in the cloud.\nBenefits of using managed database solutions #\nEasy deployment – With a few clicks from within the web console, or using CLI tools, you can deploy fully managed MySQL databases (or a MySQL cluster)\nHigh availability and Read replica – Configurable during the deployment phase and after the product has already been deployed, according to customer requirements\nMaintenance – The entire service maintenance (including database fine-tuning, operating system, and security patches, etc.) 
is done by the cloud provider\nBackup and recovery – Embedded inside the managed solution and as part of the pricing model\nEncryption in transit and at rest – Embedded inside the managed solution\nMonitoring – As with any managed solution, cloud providers monitor service stability and allow customers access to metrics for further investigation (if needed)\nAlternatives for running managed MySQL database in the cloud # Summary # As you can read in this article, running MySQL database in a managed environment in the cloud is a viable option, and there are various reasons for taking this step (from license cost and reduced manpower for maintaining the database and operating system, to backups, security, availability, etc.)\nReferences # https://aws.amazon.com/rds/mysql/\nhttps://aws.amazon.com/rds/mysql/pricing/\nhttps://aws.amazon.com/rds/aurora/\nhttps://aws.amazon.com/rds/aurora/pricing/\nhttps://azure.microsoft.com/en-us/services/mysql/\nhttps://azure.microsoft.com/en-us/pricing/details/mysql/\nhttps://cloud.google.com/sql\nhttps://cloud.google.com/sql/pricing#2nd-gen-pricing\nhttps://www.oracle.com/middleeast/mysql/\nhttps://www.oracle.com/middleeast/mysql/pricing.html\n","date":"9 October 2020","externalUrl":null,"permalink":"/posts/running-mysql-managed-database-in-the-cloud/","section":"Posts","summary":"","title":"Running MySQL Managed Database in the Cloud","type":"posts"},{"content":" Is it feasible to run HPC in the cloud? How different is it from running a local HPC cluster? 
What are some of the common alternatives for running HPC in the cloud?\nIntroduction # Before beginning our discussion about HPC (High Performance Computing) in the cloud, let us talk about what exactly HPC really means?\n\u0026ldquo;High Performance Computing most generally refers to the practice of aggregating computing power in a way that delivers much higher performance than one could get out of a typical desktop computer or workstation in order to solve large problems in science, engineering, or business.\u0026rdquo; (https://www.usgs.gov/core-science-systems/sas/arc/about/what-high-performance-computing)\nIn more technical terms – it refers to a cluster of machines composed of multiple cores (either physical or virtual cores), a lot of memory, fast parallel storage (for read/write) and fast network connectivity between cluster nodes.\nHPC is useful when you need a lot of compute resources, from image or video rendering (in batch mode) to weather forecasting (which requires fast connectivity between the cluster nodes).\nThe world of HPC is divided into two categories:\nLoosely coupled – In this scenario you might need a lot of compute resources, however, each task can run in parallel and is not dependent on other tasks being completed. Common examples of loosely coupled scenarios: Image processing, genomic analysis, etc.\nTightly coupled – In this scenario you need fast connectivity between cluster resources (such as memory and CPU), and each cluster node depends on other nodes for the completion of the task. Common examples of tightly coupled scenarios: Computational fluid dynamics, weather prediction, etc. Pricing considerations # Deploying an HPC cluster on premise requires significant resources. 
This includes a large investment in hardware (multiple machines connected in the cluster, with many CPUs or GPUs, with parallel storage and sometimes even RDMA connectivity between the cluster nodes), manpower with the knowledge to support the platform, a lot of electric power, and more.\nDeploying an HPC cluster in the cloud is also costly. The price of a virtual machine with multiple CPUs, GPUs or a large amount of RAM can be very high, as compared to purchasing the same hardware on premise and using it 24x7 for 3-5 years.\nThe cost of parallel storage, as compared to other types of storage, is another consideration.\nThe magic formula for running HPC clusters in the cloud while still having the benefits of (virtually) unlimited compute/memory/storage resources is to build dynamic clusters.\nWe do this by building the cluster for a specific job, according to the customer’s requirements (in terms of number of CPUs, amount of RAM, storage capacity size, network connectivity between the cluster nodes, required software, etc.). Once the job is completed, we copy the job output data and take down the entire HPC cluster in order to save unnecessary hardware cost.\nAlternatives for running HPC in the cloud # Summary # As you can see, running HPC in the public cloud is a viable option. 
But you need to carefully plan the specific solution, after gathering the customer’s exact requirements in terms of required compute resources, required software and of course budget estimation.\nProduct documentation # Azure Batch https://azure.microsoft.com/en-us/services/batch/\nAzure CycleCloud https://azure.microsoft.com/en-us/features/azure-cyclecloud/\nAWS ParallelCluster https://aws.amazon.com/hpc/parallelcluster/\nSlurm on Google Cloud Platform https://github.com/SchedMD/slurm-gcp\nHPC on Oracle Cloud Infrastructure https://www.oracle.com/cloud/solutions/hpc.html\n","date":"7 October 2020","externalUrl":null,"permalink":"/posts/how-to-run-hpc-in-the-cloud/","section":"Posts","summary":"","title":"How to run HPC in the cloud?","type":"posts"},{"content":"","date":"7 October 2020","externalUrl":null,"permalink":"/categories/hpc/","section":"Categories","summary":"","title":"Hpc","type":"categories"},{"content":" Virtually any organization active in the public cloud needs at least one cloud architect to be able to see the big picture and to assist designing solutions.\nSo, what makes a cloud architect a good cloud architect?\nIn a word – be multidisciplinary.\nCustomer-Oriented # While the position requires good technical skills, a good cloud architect must have good customer facing skills. A cloud architect needs to understand the business needs, from the end-users (usually connecting from the Internet) to the technological teams. That means being able to speak many “languages,” and translate from one to the another while navigating the delicate nuances of each. 
All in the same conversation.\nAt the end of the day, the technology is just a means to serve your customers.\nSometimes a customer may ask for something not technical at all (“Draw me a sheep…”) and sometimes it could be very technical (“I want to expose an API to allow read and update backend database”).\nA good cloud architect knows how to turn a drawing of a sheep into a full-blown architecture diagram, complete with components, protocols, and more. In other words, translating a business or customer requirement into a technical requirement.\nTechnical Skills # Here are a few of the technical skills good cloud architects should have under their belts.\nOperating systems – Know how to deploy and troubleshoot problems related to virtual machines, based on both Windows and Linux. Cloud services – Be familiar with at least one public cloud provider’s services (such as AWS, Azure, GCP, Oracle Cloud, etc.). Even better to be familiar with at least two public cloud vendors since the world is heading toward multi-cloud environments. Networking – Be familiar with network-related concepts such as OSI model, TCP/IP, IP and subnetting, ACLs, HTTP, routing, DNS, etc. Storage – Be familiar with storage-related concepts such as object storage, block storage, file storage, snapshots, SMB, NFS, etc. Database – Be familiar with database-related concepts such as relational database, NoSQL database, etc. Architecture – Be familiar with concepts such as three-tier architecture, micro-services, serverless, twelve-factor app, API, etc. Information Security # A good cloud architect can read an architecture diagram and knows which questions to ask and which security controls to embed inside a given solution.\nIdentity management – Be familiar with concepts such as directory services, Identity and access management (IAM), Active Directory, Kerberos, SAML, OAuth, federation, authentication, authorization, etc. 
Auditing – Be familiar with concepts such as audit trail, access logs, configuration changes, etc. Cryptography – Be familiar with concepts such as TLS, public key authentication, encryption in transit \u0026amp; at rest, tokenization, hashing algorithms, etc. Application Security – Be familiar with concepts such as input validation, OWASP Top 10, SDLC, SQL Injection, etc. Laws, Regulation and Standards # In our dynamic world a good cloud architect needs to have at least a basic understanding of the following topics:\nLaws and Regulation – Be familiar with privacy regulations such as GDPR, CCPA, etc., and how they affect your organization’s cloud environments and products Standards – Be familiar with standards such as ISO 27001 (Information Security Management), ISO 27017 (Cloud Security), ISO 27018 (Protection of PII in public clouds), ISO 27701 (Privacy), SOC 2, CSA Security Trust Assurance and Risk (STAR), etc. Contractual agreements – Be able to read contracts between customers and public cloud providers, and know which topics need to appear in a typical contract (SLA, business continuity, etc.) Code # Good cloud architects, like good DevOps guys or gals, are not afraid to get their hands dirty and are able to read and write code, mostly for automation purposes.\nThe required skills vary from scenario to scenario, but in most cases include:\nCLI - Be able to run command line tools, from querying existing environment settings up to updating or deploying new components. Scripting – Be familiar with at least one scripting language, such as PowerShell, Bash scripts, Python, JavaScript, etc. Infrastructure as Code – Be familiar with at least one declarative language, such as HashiCorp Terraform, AWS CloudFormation, Azure Resource Manager, Google Cloud Deployment Manager, RedHat Ansible, etc. Programming languages – Be familiar with at least one programming language, such as Java, Microsoft .NET, Ruby, etc. 
Sales # A good cloud architect needs to be able to “sell” a solution to various audiences. Again, the required skills vary from scenario to scenario, but in most cases include:\nPricing calculators – Be familiar with various cloud service pricing models and be able to estimate cloud service costs using tools such as AWS Simple Monthly Calculator, Azure Pricing Calculator, Google Cloud Platform Pricing Calculator, Oracle Cloud Cost Estimator, etc. Cloud vs. On-Premise – Be able to weigh in on the pros and cons of cloud vs. on premise, with different audiences. Architecture alternatives – Be able to present different architecture alternatives (from VM to micro-services up to Serverless) for each scenario. It is always a good idea to have a backup plan. Summary # Recruiting a good cloud architect is indeed challenging. The role requires multidisciplinary skills – from soft skills (being customer-oriented and a salesperson) to deep technical skills (technology, cloud services, information security, etc.)\nThere is no alternative to years of hands-on experience. The more areas of experience cloud architects have, the better they will succeed at the job.\nReferences # What is a cloud architect? A vital role for success in the cloud. https://www.cio.com/article/3282794/what-is-a-cloud-architect-a-vital-role-for-success-in-the-cloud.html\nWant to Become a Cloud Architect? Here\u0026rsquo;s How https://www.businessnewsdaily.com/10767-how-to-become-a-cloud-architect.html\n","date":"31 August 2020","externalUrl":null,"permalink":"/posts/what-makes-a-good-cloud-architect/","section":"Posts","summary":"","title":"What makes a good cloud architect?","type":"posts"},{"content":" Data loss prevention (DLP) is one of the most important tools that enterprises have to protect themselves from modern security threats like data exfiltration, data leakage, and other types of sensitive data and secrets exposure. 
Many organizations seem to understand this, with the DLP market expected to grow worldwide in the coming years. However, not all approaches to DLP are created equal. DLP solutions can vary in the scope of remediation options they provide as well as the security layers that they apply to. Traditionally, data loss prevention has been an on-premise or endpoint solution meant to enforce policies on devices connected over specific networks. As cloud adoption accelerates, though, the utility of these traditional approaches to DLP will substantially decrease.\nEstablished data loss prevention solution providers have attempted to address these gaps with developments like endpoint DLP and cloud access security brokers (CASBs) which provide security teams with visibility of devices and programs running outside of their walls or sanctioned environments. While both solutions minimize security blind spots, at least relative to network layer and on-prem solutions, they can result in inconsistent enforcement. Endpoint DLPs, for example, do not provide visibility at the application layer, meaning that policy enforcement is limited to managing what programs and data are installed on a device. CASBs can be somewhat more sophisticated in determining what cloud applications are permissible on a device or network, but may still face similar shortfalls surrounding behavior and data within cloud applications.\nCloud adoption was expected to grow nearly 17% between 2019 and 2020; however, as more enterprises embrace cloud-first strategies for workforce management and business continuity during the COVID-19 pandemic, we’re likely to see even more aggressive cloud adoption. With more data in the cloud, the need for policy remediation and data visibility at the application layer will only increase and organizations will begin to seek cloud-native approaches to cloud security.\nWhat is cloud-native data loss prevention? 
# The explosion of cloud technologies in the past decade has brought new architectural models for applications and computing systems. The concept of a cloud-native architecture, while not new, is a development that’s taken off in the last five years. But what exactly does cloud-native mean, and how can it apply to security products like data loss prevention (DLP)?\nCloud-native describes a growing class of platforms that are built in the cloud, for the cloud. True cloud-native data loss prevention is defined by the following features:\nAgentless. Cloud-native DLP solutions aren’t deployed as software programs that require installation, rather they integrate with the applications they secure through APIs. This makes deployment easy and updates to such platforms effortless, without getting end-users or IT involved. API driven. Central to cloud-native data loss prevention is the API driven nature of such solutions. Connecting with cloud platforms via API means that visibility and security policies immediately apply at the application layer. API-driven solutions can derive platform-specific context \u0026amp; metadata, as well as provide granular, platform-specific actions, versus broad-brush blocking on the network. Agnostic. True cloud-native solutions are platform, endpoint, and network agnostic in that they’re capable of integrating with cloud platforms quickly and can provide single pane of glass visibility across the cloud. Automated. True cloud-native solutions don’t just provide visibility into the cloud, but help automate policies whenever possible. The sheer volume of data that moves through cloud systems combined with the always-on nature of cloud applications means that incidents can happen at any time and will require immediate remediation. Automation ensures that security teams can respond to these as quickly as possible. Accurate. Finally, in order to help security teams process the massive amounts of data in the cloud, cloud-native DLP must be accurate. 
The accuracy of such platforms is often enabled by the same systems that make them automated — an effective use of machine learning that can quickly and accurately identify when business-critical data has been exposed. What are the advantages of cloud-native DLP? # When you consider the capabilities listed above, cloud-native DLP is designed to help organizations get a handle on protecting the massive volumes of data moving in and out of data silos daily. With organizations understanding that the security of their data in the cloud is their responsibility, security teams are increasingly investing in tools designed to help them address visibility and policy blindspots. While it might be the case that cloud-native data loss prevention platforms aren’t the only security tools companies choose to invest in, it’s clear that they’ll be one of the most essential parts of their security toolkit.\nAbout Nightfall # Nightfall is the industry’s first cloud-native DLP platform that discovers, classifies, and protects data via machine learning. Nightfall is designed to work with popular SaaS applications like Slack \u0026amp; GitHub as well as IaaS platforms like AWS. You can schedule a demo with us below to see the Nightfall platform in action.\n“This article is originally posted on Nightfall.ai”\n","date":"29 August 2020","externalUrl":null,"permalink":"/posts/cloud-native-as-the-future-of-data-loss-prevention/","section":"Posts","summary":"","title":"Cloud-native as the Future of Data Loss Prevention","type":"posts"},{"content":"","date":"29 August 2020","externalUrl":null,"permalink":"/categories/dlp/","section":"Categories","summary":"","title":"Dlp","type":"categories"},{"content":" For a long time, public cloud providers have given users (almost) unlimited access to compute resources (virtual servers, storage, database, etc.) inside their end-to-end managed data centers. 
Recently, the need for local on-premise solutions has begun to be felt.\nIn scenarios where network latency is a concern or there is a need to store sensitive or critical data inside a local data center, public cloud providers have built server racks meant for deploying the familiar cloud infrastructure of virtual servers, storage and network equipment, while using the same user interface and the same APIs for controlling components using CLI or SDK.\nManaging the lower infrastructure layers (monitoring of hardware/software/licenses and infrastructure updates) is done remotely by the public cloud providers, which in some cases, requires constant inbound Internet connectivity.\nThis solution allows customers to enjoy all the benefits of the public cloud (minus the scale), transparently expand on-premise environments to the public cloud, continue storing and processing data inside local data centers as much as required, and, in cases where there is demand for large compute power, migrate environments (or deploy new environments) to the public cloud.\nThe solution is suitable for military and defense users, or organizations with large amounts of data sets which cannot be moved to the public cloud in a reasonable amount of time. 
Below is a comparison of three solutions currently available:\nAzure Stack Hub AWS Outposts Oracle Private Cloud at Customer Ability to work in disconnect mode from the public cloud / Internet Fully supported / Partially supported The solution requires constant connectivity to a region in the cloud The solution requires remote connectivity of Oracle support for infrastructure monitoring and software updates VM deployment support Fully supported Fully supported Fully supported Containers or Kubernetes deployment support Fully supported Fully supported Fully supported Support Object Storage locally Fully supported Will be supported in 2020 Fully supported Support Block Storage locally Fully supported Fully supported Fully supported Support managed database deployment locally - Fully supported (MySQL, PostgreSQL) Fully supported (Oracle Database) Support data analytics deployment locally - Fully supported (Amazon EMR) - Support load balancing services locally Fully supported Fully supported Fully supported Built in support for VPN connectivity to the solution Fully supported - - Support connectivity between the solution and resources from on premise site - Fully supported - Built in support for encryption services (data at rest) Fully supported (Key Vault) Fully supported (AWS KMS) - Maximum number of physical cores (per rack) 100 physical cores - 96 physical cores Maximum storage capacity (per rack) 5TB 55TB 200TB Summary # The private cloud solutions noted here are not identical in terms of their capabilities. At least for the initial installation and support, a partner who specializes in this field is a must.\nSupport for the well-known services from public cloud environments (virtual servers, storage, database, etc.) will expand over time, as these solutions become more commonly used by organizations or hosting providers.\nThese solutions are not meant for every customer. 
However they provide a suitable solution in scenarios where it is not possible to use the public cloud, for regulatory or military/defense reasons for example, or when organizations are planning for a long term migration to the public cloud a few years in advance. These plans can be due to legacy applications not built for the cloud, network latency issues or a large amount of data sets that need to be copied to the cloud.\n","date":"29 August 2020","externalUrl":null,"permalink":"/posts/the-public-cloud-is-coming-to-your-local-data-center/","section":"Posts","summary":"","title":"The Public Cloud is Coming to Your Local Data Center","type":"posts"},{"content":" The relatively high cost of cloud computing resources, compared to on-premise solutions, is a major challenge for organizations migrating to public cloud services. In this post, we will review several available plans for long-term cost saving of compute resources.\nBackground # The Pay-As-You-Go, or Pay on-Demand, is the most common option for paying for actual usage when consuming cloud resources. This method is suitable when the required compute power is changing or unpredictable. A good example of this is for services migrated from on-premise to the public cloud (Lift \u0026amp; Shift), or new environments (Dev/Test), and more.\nThe second most common pricing option is called Spot (Amazon EC2 Spot Instances, Azure Spot Virtual Machines or Google Preemptible Virtual Machines). These options can potentially deliver a discount of up to 90% and are best when there is a demand for large amounts of compute power, and the service is not sensitive to disruptions. Spot Instances are suitable for scenarios when compute power is required by another paying customer and the cloud provider claims the machine back, with 30-second to 2-minute notifications. 
This method is suitable for image/video processing, batch processing, HPC services, etc.\nReserved Instance # This is the most common pricing option for saving costs. Users commit to one to three years of usage in advance, with a potential savings of up to 70%.\nReserved Instances are available with various payment methods. These range from\n“All Upfront” - where you pay the entire server cost in advance for the entire commitment period “Partial Upfront” - where you pay the server costs on a monthly basis in installments, until the end of the commitment period “No Upfront” - where you pay a fixed price for the server cost until the end of the commitment period There are also options for more flexibility on Reserved Instance options. These include Standard RI, where you commit to a certain instance type (instance family type, operating system, payment method, etc.), and Convertible RI, where you are allowed to change the instance type (instance family type, operating system, etc.) during the commitment period.\nAdditional information about Reserved Instance options can be found at:\nAmazon EC2 Reserved Instances Azure Reserved VM Instances Google Committed use discounts Oracle Cloud Universal Credits, Monthly Flex It is important to note that these cost-saving options are not limited to virtual servers. It is possible to purchase a commitment for managed services, such as Amazon RDS Reserved Instances, Azure SQL Database reserved capacity, Azure Blob storage reserved capacity, and more.\nAWS Saving Plans # AWS has a flexible pricing option, like AWS Reserved Instances, which allows up to 72% discount.\nThese plans include two alternatives:\nCompute Saving Plans – This plan allows you to commit to resource consumption in advance, with the flexibility to choose, and change, instance family type, instance size (ratio between CPU/Memory), region, availability zone and operating systems. 
The Compute Saving plan covers compute resources from virtual machines (EC2 instances), through AWS Fargate and up to Amazon Lambda. EC2 Instance Saving Plans – This plan allows you to save on virtual servers’ costs. However, it is limited to virtual servers from specific instance family types, in a specific region. It is still possible to change instance size (ratio between CPU/Memory), availability zone and operating systems. Additional information can be found at: https://aws.amazon.com/savingsplans/faq/\nGoogle Sustained Use Discounts # This plan is designed to encourage customers to commit to long term use of Google compute resources, such as virtual servers or Google Kubernetes Engine, for any constant time, longer than 25% of the month. This plan grants an automatic discount of between 20% and 30% of the price list. No action needs to be taken; the discount is applied when reaching the plan’s minimum consumption level of compute resources.\nAdditional information can be found at: https://cloud.google.com/compute/docs/sustained-use-discounts\nConclusion # The first step toward enjoying long-term cost savings is understanding your compute demands. Studying up and staying up to date on vendors’ various pricing plans and options, then matching those to your needs and environments, is the key to achieving the most cost-effective public cloud solution.\n","date":"15 August 2020","externalUrl":null,"permalink":"/posts/how-to-achieve-long-term-cost-savings-using-cloud-services/","section":"Posts","summary":"","title":"How to Achieve Long Term Cost Savings Using Cloud Services","type":"posts"},{"content":" When organizations take their first steps to use public cloud services, they tend to look at a specific target.\nMy recommendation – think scale!\nPlan a couple of steps ahead instead of looking at single server that serves just a few customers. 
Think about a large environment comprised of hundreds or thousands of servers, serving 10,000 customers concurrently.\nPlanning will allow you to manage the environment (infrastructure, information security and budget) when you do reach a scale of thousands of concurrent customers. The more we plan the deployment of new environments in advance, according to their business purposes and the resources required for each environment, the easier it will be to plan to scale up, while maintaining a high level of security, budget and change management control, and more.\nIn this three-part blog series, we will review some of the most important topics that will help avoid mistakes while building new cloud environments for the first time.\nResource allocation planning\nThe first step in resource allocation planning is to decide how to divide resources based on an organizational structure (sales, HR, infrastructure, etc.) or based on environments (production, Dev, testing, etc.)\nIn order to avoid mixing resources (or access rights) between various environments, the best practice is to separate the environments as follows:\nShared resources account (security products, auditing, billing management, etc.) Development environment account (consider creating a separate account for test environment purposes) Production environment account Separating different accounts or environments can be done using:\nAzure Subscriptions or Azure Resource Groups AWS Accounts GCP Projects Oracle Cloud Infrastructure Compartments Tagging resources\nEven when deploying a single server inside a network environment (AWS VPC, Azure Resource Group, GCP VPC), it is important to tag resources. 
This allows identifying which resources belong to which projects / departments / environments, for billing purposes.\nCommon tagging examples:\nProject Department Environment (Prod, Dev, Test) Beyond tagging, it is recommended to add a description to resources that support this kind of meta-data, in order to locate resources by their target use.\nAuthentication, Authorization and Password Policy\nIn order to ease the management of working with accounts in the cloud (and in the future, multiple accounts according to the various environments), the best practice is to follow the rules below:\nCentral authentication – In case the organization isn’t using Active Directory for central account management and access rights, the alternative is to use managed services such as AWS IAM, Google Cloud IAM, Azure AD, Oracle Cloud IAM, etc. If a managed IAM service is chosen, it is critical to set password policy according to the organization’s password policy (minimum password length, password complexity, password history, etc.)\nIf a central directory service is used by the organization, it is recommended to connect and sync the managed IAM service in the cloud to the organizational central directory service on premise (federated authentication). It is crucial to protect privileged accounts in the cloud environment (such as AWS Root Account, Azure Global Admin, Azure Subscription Owner, GCP Project Owner, Oracle Cloud Service Administrator, etc.), among others, by limiting the use of privileged accounts to the minimum required, enforcing complex passwords and password rotation every few months, enabling multi-factor authentication and auditing on privileged accounts, etc. Access to resources should be defined according to the least privilege principle. Access to resources should be set to groups instead of specific users. Access to resources should be based on roles in AWS, Azure, GCP, Oracle Cloud, etc. 
Audit Trail\nIt is important to enable auditing in all cloud environments, in order to gain insights on access to resources, actions performed in the cloud environment and by whom. This is for both security and change management reasons.\nCommon managed audit trail services:\nAWS CloudTrail – It is recommended to enable auditing on all regions and forward the audit logs to a central S3 bucket in a central AWS account (which will be accessible only to a limited number of user accounts). Working with Azure, it is recommended to enable the use of Azure Monitor for the first phase, in order to audit all access to resources and actions done inside the subscription. Later on, when the environment expands, you may consider using services such as Azure Security Center and Azure Sentinel for auditing purposes. Google Cloud Logging – It is recommended to enable auditing on all GCP projects and forward the audit logs to the central GCP project (which will be accessible only to a limited number of user accounts). Oracle Cloud Infrastructure Audit service – It is recommended to enable auditing on all compartments and forward the audit logs to the Root compartment account (which will be accessible only to a limited number of user accounts). Budget Control\nIt is crucial to set a budget and budget alerts for any account in the cloud in the early stages of working in a cloud environment. This is important in order to avoid scenarios in which high resource consumption happens due to human error, such as purchasing or consuming expensive resources, or Denial of Wallet scenarios, where external attackers breach an organization’s cloud account and deploy servers for Bitcoin mining.\nCommon examples of budget control management for various cloud providers:\nAWS Consolidated Billing – Configure a central account for all the AWS accounts in the organization, in order to forward billing data (which will be accessible only to a limited number of user accounts). 
GCP Cloud Billing Account – Central repository for storing all billing data from all GCP projects. Azure Cost Management – An interface for configuring budget and budget alerts for all Azure subscriptions in the organization. It is possible to consolidate multiple Azure subscriptions to Management Groups in order to centrally control budgets for all subscriptions. Budget on Oracle Cloud Infrastructure – An interface for configuring budget and budget alerts for all compartments. Secure access to cloud environments\nIn order to avoid inbound access from the Internet to resources in cloud environments (virtual servers, databases, storage, etc.), it is highly recommended to deploy a bastion host, which will be accessible from the Internet (SSH or RDP traffic) and will allow access and management of resources inside the cloud environment.\nCommon guidelines for deploying Bastion Host:\nLinux Bastion Hosts on AWS Create an Azure Bastion host using the portal Securely connecting to VM instances on GCP Setting Up the Basic Infrastructure for a Cloud Environment, based on Oracle Cloud As we expand the usage of cloud environments, we can consider deploying a VPN tunnel from the corporate network (Site-to-site VPN) or allow client VPN access from the Internet to the cloud environment (such as AWS Client VPN endpoint, Azure Point-to-Site VPN, Oracle Cloud SSL VPN).\nManaging compute resources (Virtual Machines and Containers)\nWhen selecting to deploy virtual machines in a cloud environment, it is highly recommended to follow these guidelines:\nChoose an existing image from a pre-defined list in the cloud providers’ marketplace (operating system flavor, operating system build, and sometimes an image that includes additional software inside the base image). Configure the image according to organizational or application demands. Update all software versions inside the image. 
Store an up-to-date version of the image (“Golden Image”) inside the central image repository in the cloud environment (for reuse).\nIn case the information inside the virtual machines is critical, consider using managed backup services (such as AWS Backup or Azure Backup).\nWhen deploying Windows servers, it is crucial to set complex passwords for the local Administrator’s account, and when possible, join the Windows machine to the corporate domain.\nWhen deploying Linux servers, it is crucial to use SSH Key authentication and store the private key(s) in a secure location.\nWhenever possible, encrypt data at rest for all block volumes (the server’s hard drives / volumes).\nIt is highly recommended to connect the servers to a managed vulnerability assessment service, in order to detect software vulnerabilities (services such as Amazon Inspector or Azure Security Center).\nIt is highly recommended to connect the servers to a managed patch management service in order to ease the work of patch management (services such as AWS Systems Manager Patch Manager, Azure Automation Update Management or Google OS Patch Management).\nWhen choosing to deploy containers in the cloud environment, it is highly recommended to follow these guidelines:\nUse a Container image from a well-known container repository.\nUpdate all binaries and all dependencies inside the Container image.\nStore all Container images inside a managed container repository inside the cloud environment (services such as Amazon ECR, Azure Container Registry, GCP Container Registry, Oracle Cloud Container Registry, etc.)\nAvoid using the Root account inside the Containers.\nAvoid storing data (such as session IDs) inside the Container – make sure the container is stateless.
It is highly recommended to connect the CI/CD process and the container update process to a managed vulnerability assessment service, in order to detect software vulnerabilities (services such as Amazon ECR Image scanning, Azure Container Registry, GCP Container Analysis, etc.)\nStoring sensitive information\nIt is highly recommended to avoid storing sensitive information, such as credentials, encryption keys, secrets, API keys, etc., in clear text inside virtual machines, containers, text files or on the local desktop.\nSensitive information should be stored inside managed vault services such as:\nAWS KMS or AWS Secrets Manager\nAzure Key Vault\nGoogle Cloud KMS or Google Secret Manager\nOracle Cloud Infrastructure Key Management\nHashiCorp Vault\nObject Storage\nWhen using Object Storage, it is recommended to follow these guidelines:\nAvoid allowing public access to services such as Amazon S3, Azure Blob Storage, Google Cloud Storage, Oracle Cloud Object Storage, etc.\nEnable audit access on Object Storage and store the access logs in a central account in the cloud environment (which will be accessible only for a limited number of user accounts).\nIt is highly recommended to encrypt data at rest on all data inside Object Storage and, when there is a business or regulatory requirement, encrypt data using customer managed keys.\nIt is highly recommended to enforce HTTPS/TLS for access to object storage (users, computers and applications).\nAvoid creating object storage bucket names with sensitive information, since object storage bucket names are unique and saved inside the DNS servers worldwide.\nNetworking\nMake sure access to all resources is protected by access lists (such as AWS Security Groups, Azure Network Security Groups, GCP Firewall Rules, Oracle Cloud Network Security Groups, etc.)\nAvoid allowing inbound access to cloud environments using protocols such as SSH or RDP (in case remote access is needed, use Bastion host or VPN connections).
As much as possible, it is recommended to avoid outbound traffic from the cloud environment to the Internet. If needed, use a NAT Gateway (such as Amazon NAT Gateway, Azure NAT Gateway, GCP Cloud NAT, Oracle Cloud NAT Gateway, etc.)\nAs much as possible, use DNS names to access resources instead of static IPs.\nWhen developing cloud environments, and subnets inside new environments, avoid IP overlapping between subnets in order to allow peering between cloud environments.\nAdvanced use of cloud environments\nPrefer to use managed services instead of manually managing virtual machines (services such as Amazon RDS, Azure SQL Database, Google Cloud SQL, etc.) It allows consumption of services, rather than maintaining servers, operating systems, updates/patches, backup and availability, assuming a managed service in cluster or replica mode is chosen.\nUse Infrastructure as Code (IaC) in order to ease environment deployments, lower human errors and standardize deployment on multiple environments (Prod, Dev, Test). Common Infrastructure as Code alternatives:\nHashiCorp Terraform\nAWS CloudFormation\nAzure Resource Manager\nGoogle Cloud Deployment Manager\nOracle Cloud Resource Manager\nSummary\nTo sum up:\nPlan. Know what you need.
Think scale.\nIf you use the best practices outlined here, taking off to the cloud for the first time will be an easier, safer and smoother ride than you might expect.\nAdditional references\nAWS Well-Architected\nMicrosoft Azure Well-Architected Framework\nGoogle Cloud\u0026rsquo;s Architecture Framework\nOracle Cloud Infrastructure Best Practices Framework ","date":"3 August 2020","externalUrl":null,"permalink":"/posts/best-practices-for-deploying-new-environments-in-the-cloud-for-the-first-time/","section":"Posts","summary":"","title":"Best Practices for Deploying New Environments in the Cloud for the First Time","type":"posts"},{"content":"","date":"3 August 2020","externalUrl":null,"permalink":"/categories/linux/","section":"Categories","summary":"","title":"Linux","type":"categories"},{"content":"","date":"3 August 2020","externalUrl":null,"permalink":"/categories/vulnerability-assessment/","section":"Categories","summary":"","title":"Vulnerability-Assessment","type":"categories"},{"content":" Organizations considering migrating to cloud services encounter many myths along the way. In most cases, the myths are based on the FUD factor (Fear, Uncertainty and Doubt).\nIn this post, I will review some of the common myths about clouds and see if they stand up to reality.\nMyth #1: The Cloud is less secure than on premise or the cloud is more secure than the on premise\nThe truth is that they are both right and both wrong.
The real answer lies somewhere in the middle.\nWhen comparing managed services (SaaS) such as SAP SuccessFactors, Oracle CRM, Office 365, SalesForce, etc., to similar services provided on premise, they cannot be compared to on premise models.\nOn the one hand, the customer shifts the burden of security and maintenance to the cloud provider, and on the other, mature cloud providers (such as those mentioned above) invest huge amounts of money (when compared to most organizations) in information security, penetration testing, audit trails and constant training for their support and information security teams.\nThe comparison of IaaS solutions and on premise models is different. According to the shared responsibility model, customers get access from the operating system and above, and they are solely responsible for everything that happens inside the operating system. This includes backups, hardening, updates, authorization, access control and defense against attacks.\nThe IaaS model is similar to traditional virtualization from the local data center. But top IaaS providers enable access to various managed services in order to ease the burden on server maintenance (from managed databases, through backup services, patch management, vulnerability management, etc.)\nBottom line – It is possible to reach the “sweet spot” where using the cloud makes an organization more secure than using on premise, as long as we are familiar with the cloud providers’ services and capabilities and as long as we learn how to make the most out of these services on an ongoing basis.\nMyth #2: The cloud is more expensive than on premise or the cloud is less expensive than on premise\nAgain, the truth can be found somewhere in the middle.\nIn order to make an accurate comparison of on premise and cloud solutions, we need to take into consideration several factors.
These include the cost of hardware, several years of maintenance, licenses, backup and archive storage, system availability and most important – manpower costs for system maintenance, including training of IT, development and security teams.\nWhen comparing managed services, such as managed databases vs. manual maintenance of on premise databases, the calculation would look something like this. The cloud saves maintenance cost, hardening, patching/updating, and even backups, if they are part of the managed service. That translates into significant savings on maintenance costs, compared to on premise environments, and allows organizations to consume services without the burden of maintaining the systems.\nWhen comparing IaaS environments, the picture changes. The costs of the cloud servers, in a pay-as-you-go model, in most cases are higher than comparable on-premises models (when comparing the same amount of vCPU and memory). In order to cut costs in an IaaS model, we need to understand whether we are dealing with a high performance workload and changing run time, or with servers operating 24x7 for a long period of time. And if we are dealing with the long-term, it is highly recommended to purchase reserved instances for 1 or 3 years in advance.\nAnother alternative for saving server costs in an IaaS model is to choose the Spot model and save up to 90% of the price, assuming the service itself is not fault-sensitive and can be recovered automatically, such as batch processing, image processing, etc.
The best alternative for saving server costs will require re-architecting our systems (as much as possible) and migrating to building systems based on micro-service architecture, or using Serverless services and cutting the cost of resources and monthly costs to the minimum required.\nMyth #3: The cloud is complex or Cloud migration is always complex\nMigrating existing services from on premise to managed services in a SaaS model varies from one cloud provider to another, which makes it hard to generalize.\nMany SaaS vendors publish guidelines and tools to assist organizations with the migration process. Some examples are SalesForce, Oracle CRM, SAP, Office 365, Google G Suite, etc.\nWhen migrating to PaaS services, there are many guidelines and tools to assist organizations with the migration process. Some examples include AWS Database Migration Service, Azure Database Migration Service, Google BigQuery Data Transfer Service, etc.\nMigrating systems to an IaaS model requires training IT personnel on how cloud providers implement infrastructure services, such as VM deployment, setting network access rules, connecting to storage, setting permissions, etc.\nOrganizations that train their IT, networking and information security teams on working with IaaS and PaaS environments will be able to make the migration process easier. There are many low cost online courses to assist in closing the required knowledge gap.\nIf you want to migrate really easily (“fast and dirty”), you can always choose to migrate systems using the “lift \u0026amp; shift” method, at least during the first phase, although it is not considered a cost effective solution. Sometimes similar hardware in on premise environments is cheaper than similar hardware in an IaaS environment. But this method will allow the organization access to migrated environments and later on, to adapt the required resources to allow the system to function, change the system architecture, such as replacing servers with managed services, etc.
Bottom line – It all begins with organizations willing to adapt to working in cloud environments and, of course, management support for the cloud migration.\nMyth #4: Multi-Cloud will prevent Vendor Lock-In\nWhen organizations take their first steps toward working with public cloud solutions, it makes sense to choose a single IaaS provider in order to allow the organization to train employees, plan cloud migration strategy and begin the actual cloud migration phase and deployment of the new environments.\nThe fear of vendor lock-in, or of the cloud provider going bankrupt, is not unreasonable. However, the most likely complementary control mechanism is to choose one of the hyper-scale cloud providers, and mitigate the risk of the cloud provider going bankrupt.\nTheoretically, selecting multiple IaaS providers might allow migration between providers, but in reality, moving to multi-cloud environments creates many challenges. These include the requirement to enforce central authentication, requirements to understand how each cloud provider implements services differently (such as storage, network, compute, etc.), understanding how to deploy new environments over multiple cloud providers’ infrastructure, understanding how to enforce logging/auditing and how to centrally handle incident response processes over multiple providers, etc.\nTo mitigate the risk of vendor lock-in and allow organizations to move environments between cloud providers, we need to plan our infrastructure architecture ahead of time, from the very beginning phases, and base the architecture on Containers or Kubernetes. As long as services are wrapped in containers, you will be able to deploy and run them over multiple cloud providers. Also take into consideration the integration with each cloud provider’s ecosystem, such as storage, monitoring, message queuing services, etc.
Bottom line – deploying production environments over multiple cloud providers requires deep understanding of the cloud ecosystem. Instead of resolving vendor lock-in risks, it can create high overhead for the organization, which may not be justified relative to the risk of vendor lock-in. Moving to container-based architectures might ease the organization’s ability to work with multiple cloud providers.\nMyth #5: Auditing cloud environments is hard\nCorrect. But only partially.\nCloud migration requires customers to understand that they may not be able to conduct on premise audits of the cloud providers’ data centers, as we used to conduct with hosting providers in the past. But on the other hand, mature cloud vendors provide us with complementary audit controls, such as:\nAudit access on SaaS solutions: Office 365, SalesForce, Oracle HCM, etc.\nAudit access of cloud providers’ employees on SaaS solutions: Office 365 Customer LockBox, Oracle Break Glass, etc.\nAudit access on IaaS/PaaS solutions: Amazon CloudTrail, Google Cloud Audit Logs, etc.\nAccess to external audit reports such as ISO27001, SOC 2 Type 2 (assuming we signed NDA with the cloud provider): AWS Compliance Programs, Microsoft Trust Center, GCP Compliance resource center, etc.\nConducting penetration test on cloud environments (usually in IaaS environments): Azure, AWS, GCP, etc.\nBottom line – It is possible and highly recommended to constantly audit cloud environments. Choosing one of the mature cloud providers will allow various complementary controls in order to assure that cloud environments are secure and comply with standards and regulations.\nMyth #6: Migration to the cloud will cut manpower and cause employee job security issues\nThis is perhaps one of the most common myths, but it is inaccurate.\nIt is true that IT and information security teams will need to undergo training to work with various services and adapt existing knowledge from the on premise environments to cloud environments.
But here lies the great potential.\nIf in the past we used to have deep knowledge in a specific field, such as operating systems, networking, storage, databases, information security, etc., today organizations migrating to the cloud are looking for employees with multidisciplinary knowledge.\nThe migration from on premise models to the cloud will require organizations to streamline. Although migration to SaaS or managed services requires less IT personnel, the migration to IaaS/PaaS environments requires a shift in the mindset of IT teams. They will need to adapt existing knowledge from manual work, like server maintenance, databases, environment deployments, etc., to automation, like writing code (but no need for professional developers), switching to environment deployment based on Infrastructure as Code, etc. This ability to adapt will be in high demand by organizations. They will seek professional IT personnel, and will make existing IT teams, who adapt to the changing world, an even more valuable asset to their organizations.\n","date":"4 July 2020","externalUrl":null,"permalink":"/posts/top-six-cloud-myths-debunked/","section":"Posts","summary":"","title":"Top Six Cloud Myths Debunked","type":"posts"},{"content":" Many organizations are talking about and beginning to embrace system migration to the cloud, as part of a global IT strategy to use public clouds. The migration from on premise to the public cloud allows organizations to choose from a variety of alternatives, each with its own benefits, knowledge requirements and different pricing model (as compared to the on premise licensing model).
In this article, I shall review the different methods, with their pros and cons, and I will try to explain which method suits which scenario.\nLift \u0026amp; Shift Migration\nIn this method, the customer chooses an existing system from the on premise environment, reviewing the required resources for running the system in a cloud environment (number of CPU/amount of Memory and required disk space), the operating system version (assuming the cloud provider has an image for this operating system), checking with the software vendor the ability to run the system in a cloud environment (licensing issues) and deploying all software components on a virtual server in the cloud environment (or migrating the entire system, assuming the cloud provider offers a managed service for system migration).\nThis is the most common method and the simplest one (compared to other alternatives…) for migrating to the cloud, and most cloud vendors (Infrastructure as a Service) support this method, but we should take into consideration that, cost-wise, this method is considered expensive (in terms of cost and resource usage) when compared to purchasing physical hardware for 3-5 years in advance in the on premise environment.
The most common ways to lower the server cost are:\n• Resizing the server size (number of CPU/amount of memory) to the actual usage\n• Purchasing reserved instances for 1 or 3 years in advance\n• Using Spot instances for servers that do not require availability of 24x7 or for applications that can survive temporary downtime, without harming the entire service\nMoving to Micro-Services and Containers\nIn this method, the organization begins migration from a monolith application (a system where all components rely on each other and are required to be deployed together) to micro-services based development, where each component runs independently (usually inside its own container) and can be replaced, upgraded and vertically scale out as needed and independently from the rest of the system components. It is possible to run containers on virtual servers (the entire management, update and scale is the customer’s responsibility) or as part of a managed service (such as managed Kubernetes clusters service). This method requires the development teams to know how to package their applications inside containers, take care of scaling, monitoring of containers activities (and the communications between containers), and taking care of security topics (such as who can access a container or whether or not the communication between containers is encrypted, etc.) This method is suitable for organizations who wish to change their current application architecture or begin developing new applications. Modern applications are being developed today as containers, which allows the customer to migrate between the on premise environments and the public cloud, and with proper adjustments between different cloud providers (once we solve topics such as connectivity to the current cloud vendor’s services such as message queuing, storage, logging, etc.)\nMoving to Serverless / Function as a Service\nIn this method, the customer isn’t in charge of operating system maintenance, system availability or scale.
Due to the fact that the entire infrastructure is managed by the cloud vendor, the vendor takes care of scale, as required by the application needs. This method is suitable for event based services, with short running time (few seconds to few minutes). As part of moving to modern applications, there are many scenarios for choosing a specific development language, uploading the code to a managed cloud environment (Serverless), selecting the desired compute power (amount of memory, which affects the number of CPU) and creating triggers for running the function. It is possible to embed Serverless capabilities, as part of modern micro-services architecture. The pricing model for this method is based on the amount of time the function was running and the amount of memory used for running the function. Common use cases for Serverless – image processing, data analysis from IoT devices, etc. This method is not suitable for every application (due to short running intervals), and also not every development language is currently supported by every cloud vendor. For example:\n• AWS Lambda (currently) supports natively the following languages: Java, Go, PowerShell, Node.JS, C#, Python, Ruby\n• Azure Functions (currently) supports natively the following languages: Java, JavaScript, C#, PowerShell, Python, TypeScript\n• Google Cloud Functions (currently) supports natively the following languages: Python, Go, Node.JS\n• Oracle Functions (currently) supports natively the following languages: Java, Python, Node.JS, Go, Ruby\nMigration to managed services (SaaS / PaaS)\nIn this method, the organization chooses an existing SaaS (such as Messaging, CRM, ERP, etc.) or existing PaaS (such as Database, Storage, etc.) This method suits many scenarios in which the organization would like to consume an existing service, without the need to maintain the infrastructure (operating system, storage, backup, security aspects, etc.).
After choosing an existing service, the organization begins migrating data to the managed service, configures proper access rights, sometimes configures VPN connectivity between the on premise and the cloud environment, configures backup (if the service supports this capability) and begins consuming the service. The pricing model changes between cloud vendors (sometimes it is based on monthly pricing and sometimes it is based on consumed compute power or consumed storage space). Mature and transparent cloud vendors reveal accurate monthly billing information. Also, mature cloud vendors know how to handle privacy, law and regulation aspects (such as GDPR compliance and other privacy regulations) using data processing agreements.\nSummary\nIn this article, I have reviewed the various methods of using cloud services wisely. As we can see, not every method suits every scenario or every organization, but there is no doubt that the future is heading toward cloud and managed services. My recommendation for organizations – focus on what brings your organization business value (such as banking, commerce, retail, education, etc.), train your IT and development teams on the coming technological changes and migrate the responsibility for maintaining your organization infrastructure to vendors who specialize in the topic.\n","date":"17 April 2020","externalUrl":null,"permalink":"/posts/smart-use-of-cloud-services/","section":"Posts","summary":"","title":"Smart use of cloud services","type":"posts"},{"content":"","date":"17 November 2019","externalUrl":null,"permalink":"/categories/pci-dss/","section":"Categories","summary":"","title":"Pci-Dss","type":"categories"},{"content":"The hard-to-face reality is that billions of personal records are exposed each year. A commonly used, yet incomplete solution, is tokenization.
Tokenizing sensitive data does not eliminate the need to achieve and certify PCI DSS compliance.\nIn order to completely descope from PCI, a business can partner with a data custodian (VGS) that handles 100% of data capture and vaulting – removing any compliance risk and completely avoiding data leaks.\nMassive data leaks, at this point, are becoming a frequent occurrence – with headlines regularly popping up highlighting cybersecurity disasters that have impacted millions of consumers.\nEarlier this summer, news of a cybersecurity disaster rattled North American consumers. The highly-publicized Capital One data breach of 2019 led to the sensitive data exposure of 100 million Americans and 6 million Canadians – including hundreds of thousands of social security numbers and bank account numbers.\nSimilarly, in July, we learned about the whopping $700 million settlement as a result of the Equifax data breach. Now, years later, the 147 million customers impacted by that disaster all get a piece of that pie.\nIt only seems like a matter of time until the next multi-million-dollar data breach settlement will be announced, and another consumer data-handling organization will have their feet publicly held to the fire.\nFrom the improper configuration of web applications to the massive security risk involved in cloud storage generally, companies have wisely been seeking alternatives to storing their own sensitive user data and opening themselves up to data breach risk.\nThe rise of tokenization\nIn order to reduce data leakage risk as much as possible, many tech organizations have leveraged a method called tokenization. It’s a way to limit storing plain text sensitive data within a company’s own systems by using “tokens” to replace private user information like medical data or credit card numbers.\nUnlike encryption, where a mathematical equation can “solve” the data replacement and reveal the original sensitive information, tokenization is not reversible. 
With no mathematical relationship to the original data point, tokenization is widely considered to be a safe way of transmitting and storing critical information.\nHowever, tokenizing sensitive data does not eliminate the need to achieve and certify PCI DSS compliance – although it can reduce the number of system components to which PCI DSS compliance would apply.\nWith tokenization, sensitive data is mostly hidden. But, there are two points where tokenized data still remains within the scope of PCI DSS compliance: the data vault and the original point of capture.\nEven when organizations store and use tokens instead of raw sensitive data, the original data is within PCI scope because they’re still within the cardholder data environment. In this environment, a business is still responsible for any leaked data.\nBut what if businesses could offload this data risk fully, and enjoy the benefits of tokenization while keeping all the original data completely off their own systems?\nDescoping entirely\nIn order to completely descope from PCI DSS compliance, a business can partner with a data custodian that handles 100% of data capture and vaulting – removing any compliance risk and completely avoiding data leaks.\nVGS is an innovative data custodian that takes on their clients’ compliance risk, securely storing all sensitive data and removing businesses from PCI scope in full.\nBy leveraging synthetic data ‘aliases,’ which are generated in real-time to protect all sensitive customer information, VGS empowers businesses to use customer data just as they did before – but never actually touch the sensitive data themselves.\nStartups that work with VGS remove their compliance risk and avoid the potential risk associated with data breaches because there’s nothing to steal in the first place.\nBy partnering with a data custodian, organizations can completely descope their systems and win over new customers with the peace of mind that their sensitive personal data is in safe 
hands.\nWhen businesses implement VGS solutions to handle their sensitive data, they instantly inherit VGS’s best-in-class security posture, which enables them to fast-track their certifications like PCI, SOC2 and others.\nWith data security as one less thing to worry about, organizations can focus their time and resources on growing their core businesses.\nThis article was originally published in Very Good Security.\n","date":"17 November 2019","externalUrl":null,"permalink":"/posts/to-tokenize-or-not-tokenize-the-truth-about-scope-and-compliance-risk/","section":"Posts","summary":"","title":"To Tokenize Or Not Tokenize – The Truth About Scope And Compliance Risk","type":"posts"},{"content":"","date":"17 November 2019","externalUrl":null,"permalink":"/categories/tokenization/","section":"Categories","summary":"","title":"Tokenization","type":"categories"},{"content":"When evaluating the security of an application and data model ask the questions:\nWhat is the sensitivity of the data? What are the regulatory, compliance, or privacy requirements for the data? What is the attack vector that a data owner is hoping to mitigate? What is the overall security posture of the environment, is it a hostile environment or a relatively trusted one? Data When threat modeling, consider the following common scenarios:\nData at rest (“DAR”)\nIn information technology means inactive data that is stored physically in any digital form (e.g. database/data warehouses, spreadsheets, archives, tapes, off-site backups, mobile devices etc.).\nTransparent Data Encryption (often abbreviated to TDE) is a technology employed by Microsoft SQL, IBM DB2 and Oracle to encrypt the “table-space” files in a database. TDE offers encryption at the file level. It solves the problem of protecting data at rest by encrypting databases both on the hard drive as well as on backup media. It does not protect data in motion DIM nor data in use DIU. 
Mount-point encryption: This is another form of TDE, available for database systems which do not natively support table-space encryption. Several vendors offer mount-point encryption for Linux/Unix/Microsoft Windows file system mount-points. When a vendor does not support TDE, this type of encryption effectively encrypts the database table-space and stores the encryption keys separate from the file system. So, if the physical or logical storage medium is detached from the compute resource, the database table-space remains encrypted.\nData in Motion (“DIM”)\nData in motion considers the security of data that is being copied from one medium to another. Data in motion typically considers data being transmitted over a network transport. Web Applications represent common data in motion scenarios.\nTransport Layer Security (TLS or SSL): is commonly used to encrypt internet protocol based network transports. TLS works by encrypting the internet layer 7 “application layer” packets of a given network stream using symmetric encryption.\nSecure Shell/Secure File Transport (SSH, SCP, SFTP): SSH is a protocol used to securely login and access remote computers. SFTP runs over the SSH protocol (leveraging SSH security and authentication functionality) but is used for secure transfer of files. The SSH protocol utilizes public key cryptography to authenticate access to remote systems.\nVirtual Private Networks (VPNs): A virtual private network (VPN) extends a private network across a public network, and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network.\nData in Use (“DIU”)\nData in use happens whenever a computer application reads data from a storage medium into volatile memory.\nFull memory encryption: Encryption to prevent data visibility in the event of theft, loss, or unauthorized access or theft. This is commonly used to protect Data in Motion and Data at Rest.
Encryption is increasingly recognized as an optimal method for protecting Data in Use. There have been multiple approaches to encrypt data in use within memory. Microsoft’s Xbox has a capability to provide memory encryption. A company, Private Core, presently has a commercial software product cage to provide attestation along with full memory encryption for x86 servers. RAM Enclaves: enable an enclave of protected data to be secured with encryption in RAM. Enclave data is encrypted while in RAM but available as clear text inside the CPU and CPU cache, when written to disk, when traversing networks etc. Intel Corporation has introduced the concept of “enclaves” as part of its Software Guard Extensions in technical papers published in 2013. 2013 papers: from Workshop on Hardware and Architectural Support for Security and Privacy 2013 Innovative Instructions and Software Model for Isolated Execution Innovative Technology for CPU Based Attestation and Sealing Where do traditional data protection techniques fall short?\nTDE: Database and mount point encryption both fall short of fully protecting data across the data’s entire lifecycle. For instance: TDE was designed to defend against theft of physical or virtual storage media only. An authorized system administrator, or an unauthorized user or process, can gain access to sensitive data either by running a legitimate query or by scraping RAM. TDE does not provide granular access control to data at rest once the data has been mounted.\nTLS/SCP/SFTP/VPN, etc: TCP/IP Transport layer encryption also falls short of protecting data across the entire data lifecycle. For example, TLS does not protect data at rest or in use. Quite often TLS is only enabled on Internet facing application load balancers.
Often TLS calls to web applications are plaintext on the datacenter or cloud side of the application load-balancer.\nDIU: Memory encryption, Data in use full memory encryption falls short of protecting data across the entire data lifecycle. DIU techniques are cutting edge and not generally available. Commodity compute architecture has just begun to support memory encryption. With DIU memory encryption, data is only encrypted while in memory. Data is in plaintext while in the CPU, Cache, written to disk, and traversing network transports.\nComplementary or Alternative Approach: Tokenization\nWe need an alternative approach that addresses all the exposure gaps 100% of the time. In information security, we really want a defense in depth strategy. That is, we want layers of controls so that if a single layer fails or is compromised another layer can compensate for the failure.\nTokenization and format preserving encryption are unique in that they protect sensitive data throughout the data lifecycle/across a data-flow. Tokenization and FPE are portable and remain in force across mixed technology stacks. Tokenization and Format preserving encryption do not share the same exposures as traditional data protection techniques.\nHow does this work? Fields of sensitive data are cryptographically transformed at the system of origin, that is during intake. A cryptographic transform of a sensitive field is applied, producing a non-sensitive token representation of the original data.\nTokenization, when applied to data security, is the process of substituting a sensitive data element with a non-sensitive equivalent, referred to as a token, that has no extrinsic or exploitable meaning or value. The token is a reference (i.e. identifier) that maps back to the sensitive data through a tokenization system.\nFormat preserving encryption takes this a step further and allows the data element to maintain its original format and data type.
For instance, a 16-digit credit card number can be protected and the result is another 16-digit value. The value here is to reduce the overall impact of code changes to applications and databases while reducing the time to market of implementing end to end data protection.\nIn Closing\nUse of tokenization or format preserving encryption to replace live data in systems results in minimized exposure of sensitive data to those applications, stores, people and processes. Replacing sensitive data results in reduced risk of compromise or accidental exposure and unauthorized access to sensitive data.\nApplications can operate using tokens instead of live data, with the exception of a small number of trusted applications explicitly permitted to detokenize when strictly necessary for an approved business purpose. Moreover: in several cases removal of sensitive data from an organization’s applications, databases, business processes will result in reduced compliance and audit scope, resulting in significantly less complex and shorter audits.\nThis article was originally published in Very Good Security.\n","date":"11 November 2019","externalUrl":null,"permalink":"/posts/threat-modeling-for-data-protection/","section":"Posts","summary":"","title":"Threat Modeling for Data Protection","type":"posts"},{"content":"","date":"5 July 2019","externalUrl":null,"permalink":"/tags/apache/","section":"Tags","summary":"","title":"Apache","type":"tags"},{"content":"","date":"5 July 2019","externalUrl":null,"permalink":"/tags/hardening/","section":"Tags","summary":"","title":"Hardening","type":"tags"},{"content":"","date":"5 July 2019","externalUrl":null,"permalink":"/tags/mariadb/","section":"Tags","summary":"","title":"Mariadb","type":"tags"},{"content":"","date":"5 July 2019","externalUrl":null,"permalink":"/tags/php/","section":"Tags","summary":"","title":"Php","type":"tags"},{"content":"","date":"5 July 
2019","externalUrl":null,"permalink":"/tags/security/","section":"Tags","summary":"","title":"Security","type":"tags"},{"content":"","date":"5 July 2019","externalUrl":null,"permalink":"/tags/selinux/","section":"Tags","summary":"","title":"Selinux","type":"tags"},{"content":"","date":"5 July 2019","externalUrl":null,"permalink":"/tags/ssl/","section":"Tags","summary":"","title":"Ssl","type":"tags"},{"content":"","date":"5 July 2019","externalUrl":null,"permalink":"/tags/tls/","section":"Tags","summary":"","title":"Tls","type":"tags"},{"content":"","date":"5 July 2019","externalUrl":null,"permalink":"/tags/wordpress/","section":"Tags","summary":"","title":"Wordpress","type":"tags"},{"content":"This document explains the process of installation, configuration and hardening of Apache server from source files, based on CentOS 7.6 default installation (Linux Firewall and SELinux enabled by default), including support for TLS v1.2 and PHP 7.3\nPre-Requirements\nLinux server installed with CentOS 7.6 (64bit) policycoreutils-python-* package installed setools-libs-* package installed libcgroup-* package installed audit-libs-python-* package installed libsemanage-python-* package installed gcc* package installed gcc-c++* package installed autoconf* package installed automake* package installed libtool* package installed perl-core package installed zlib-devel package installed expat-devel package installed yum-utils package installed OpenSSL upgrade phase\nLogin using privileged account Run the commands below to download the latest build of OpenSSL: cd /usr/local/src wget https://www.openssl.org/source/openssl-1.1.1.tar.gz tar -xvzf openssl-1.1.1.tar.gz Run the commands below to compile the latest build of OpenSSL: cd openssl-1.1.1 ./config --prefix=/usr/local/ssl --openssldir=/usr/local/ssl shared zlib make make test make install Edit using VI the file /etc/ld.so.conf.d/openssl-1.1.1.conf and add the following string to the file: /usr/local/ssl/lib Run the command below to 
reload the dynamic link: ldconfig -v Backup the original OpenSSL binary: mv /usr/bin/openssl /usr/bin/openssl.BEKUP Create using VI the file /etc/profile.d/openssl.sh and add the following content: #Set OPENSSL_PATH OPENSSL_PATH=/usr/local/ssl/bin export OPENSSL_PATH PATH=$PATH:$OPENSSL_PATH export PATH Run the commands below to complete the configuration of the OpenSSL: chmod +x /etc/profile.d/openssl.sh source /etc/profile.d/openssl.sh echo $PATH which openssl Apache 2.4.6 installation phase\nLogin using privileged account\nRun the command below to install Apache 2.4.6: yum install httpd -y\nUpdating Ownership and Permissions on Apache folders: chown root:root /usr/sbin/apachectl chown root:root /usr/sbin/httpd chmod 770 /usr/sbin/apachectl chmod 770 /usr/sbin/httpd chown -R root:root /etc/httpd chmod -R go-r /etc/httpd chown -R root:root /etc/httpd/logs chmod -R 700 /etc/httpd/logs\nCreate folder for the web content: mkdir -p /www\nUpdating Ownership and Permissions on the web content folder: chown -R root /www chmod -R 775 /www\nFix the SELinux security context on the new web folder: semanage fcontext -a -t httpd_sys_content_t \u0026quot;/www(/.*)?\u0026quot; restorecon -F -R -v /www chcon -R -t httpd_sys_content_t /www\nCreate folder for the first WordPress site: mkdir /www/WebSiteA Note: Replace WebSiteA with the relevant name\nCreate folder for the second WordPress site: mkdir /www/WebSiteB Note: Replace WebSiteB with the relevant name\nCreate logs folder for the first WordPress site: mkdir /www/WebSiteA/logs Note: Replace WebSiteA with the relevant name\nCreate logs folder for the second WordPress site: mkdir /www/WebSiteB/logs Note: Replace WebSiteB with the relevant name\nConfigure permissions on the logs folder for the first WordPress site: chown -R apache:apache /www/WebSiteA/logs chmod -R 700 /www/WebSiteA/logs Note: Replace WebSiteA with the relevant name\nConfigure permissions on the logs folder for the second WordPress site: chown -R apache:apache
/www/WebSiteB/logs chmod -R 700 /www/WebSiteB/logs Note: Replace WebSiteB with the relevant name\nFix the SELinux security context on the new web folder for the first WordPress site: semanage fcontext -a -t httpd_log_t \u0026quot;/www/WebSiteA/logs(/.*)?\u0026quot; restorecon -F -R -v /www/WebSiteA/logs chcon -R -t httpd_log_t /www/WebSiteA/logs Note: Replace WebSiteA with the relevant name\nFix the SELinux security context on the new web folder for the second WordPress site: semanage fcontext -a -t httpd_log_t \u0026quot;/www/WebSiteB/logs(/.*)?\u0026quot; restorecon -F -R -v /www/WebSiteB/logs chcon -R -t httpd_log_t /www/WebSiteB/logs Note: Replace WebSiteB with the relevant name\nCreate the following folders: mkdir /etc/httpd/sites-available mkdir /etc/httpd/sites-enabled\nEdit using VI the file /etc/httpd/conf/httpd.conf and change the following strings: From: LogLevel warn\nTo: LogLevel notice\nFrom: DocumentRoot \u0026quot;/var/www/html\u0026quot;\nTo: # DocumentRoot \u0026quot;/var/www/html\u0026quot;\nFrom: ScriptAlias /cgi-bin/ \u0026quot;/var/www/cgi-bin/\u0026quot;\nTo: # ScriptAlias /cgi-bin/ \u0026quot;/var/www/cgi-bin/\u0026quot;\nComment out the entire sections below inside the /etc/httpd/conf/httpd.conf \u0026lt;Directory /\u0026gt; \u0026lt;Directory \u0026quot;/var/www\u0026quot;\u0026gt; \u0026lt;Directory \u0026quot;/var/www/html\u0026quot;\u0026gt; \u0026lt;Directory \u0026quot;/var/www/cgi-bin\u0026quot;\u0026gt;\nAdd the following sections to the end of the /etc/httpd/conf/httpd.conf file: IncludeOptional sites-enabled/*.conf # Configure custom error message: ErrorDocument 400 \u0026quot;The requested URL was not found on this server.\u0026quot; ErrorDocument 401 \u0026quot;The requested URL was not found on this server.\u0026quot; ErrorDocument 403 \u0026quot;The requested URL was not found on this server.\u0026quot; ErrorDocument 404 \u0026quot;The requested URL was not found on this server.\u0026quot; ErrorDocument 405 \u0026quot;The
requested URL was not found on this server.\u0026quot; ErrorDocument 408 \u0026quot;The requested URL was not found on this server.\u0026quot; ErrorDocument 410 \u0026quot;The requested URL was not found on this server.\u0026quot; ErrorDocument 411 \u0026quot;The requested URL was not found on this server.\u0026quot; ErrorDocument 412 \u0026quot;The requested URL was not found on this server.\u0026quot; ErrorDocument 413 \u0026quot;The requested URL was not found on this server.\u0026quot; ErrorDocument 414 \u0026quot;The requested URL was not found on this server.\u0026quot; ErrorDocument 415 \u0026quot;The requested URL was not found on this server.\u0026quot; ErrorDocument 500 \u0026quot;The requested URL was not found on this server.\u0026quot; # Configure Server Tokens ServerTokens Prod # Disable Server Signature ServerSignature Off # Disable Tracing TraceEnable Off # Maximum size of the request body. LimitRequestBody 4000000 # Maximum number of request headers in a request. LimitRequestFields 40 # Maximum size of request header lines. LimitRequestFieldSize 4000 # Maximum size of the request line. 
LimitRequestLine 4000 MaxRequestsPerChild 10000 # Configure clickjacking protection Header always append X-Frame-Options SAMEORIGIN\nRename the files below to disable them: mv /etc/httpd/conf.d/autoindex.conf /etc/httpd/conf.d/autoindex.conf.bak mv /etc/httpd/conf.d/userdir.conf /etc/httpd/conf.d/userdir.conf.bak\nComment out the lines inside the /etc/httpd/conf.modules.d/00-base.conf file below to disable default modules: LoadModule status_module modules/mod_status.so LoadModule info_module modules/mod_info.so LoadModule autoindex_module modules/mod_autoindex.so LoadModule include_module modules/mod_include.so LoadModule userdir_module modules/mod_userdir.so LoadModule env_module modules/mod_env.so LoadModule negotiation_module modules/mod_negotiation.so LoadModule actions_module modules/mod_actions.so\nComment out the lines inside the /etc/httpd/conf.modules.d/01-cgi.conf file below to disable default modules: LoadModule cgi_module modules/mod_cgi.so\nUsing VI, create a configuration file for the first WordPress site called /etc/httpd/sites-available/websitea.com.conf with the following content: \u0026lt;VirtualHost *:80\u0026gt; ServerAdmin admin@websitea.com ServerName www.websitea.com ServerAlias websitea.com DocumentRoot /www/WebSiteA \u0026lt;Directory /\u0026gt; Options FollowSymLinks AllowOverride None \u0026lt;/Directory\u0026gt; \u0026lt;Directory /www/WebSiteA\u0026gt; Options Indexes FollowSymLinks MultiViews AllowOverride all Require all granted Order allow,deny Allow from all \u0026lt;LimitExcept GET POST\u0026gt; deny from all \u0026lt;/limitexcept\u0026gt; \u0026lt;/Directory\u0026gt; ErrorLog /www/WebSiteA/logs/error.log CustomLog /www/WebSiteA/logs/access.log combined \u0026lt;/VirtualHost\u0026gt; Note: Replace WebSiteA with the relevant name\nUsing VI, create a configuration file for the second WordPress site called /etc/httpd/sites-available/websiteb.com.conf with the following content: \u0026lt;VirtualHost *:80\u0026gt; ServerAdmin admin@websiteb.com ServerName
www.websiteb.com ServerAlias websiteb.com DocumentRoot /www/WebSiteB \u0026lt;Directory /\u0026gt; Options FollowSymLinks AllowOverride None \u0026lt;/Directory\u0026gt; \u0026lt;Directory /www/WebSiteB\u0026gt; Options Indexes FollowSymLinks MultiViews AllowOverride all Require all granted Order allow,deny Allow from all \u0026lt;LimitExcept GET POST\u0026gt; deny from all \u0026lt;/limitexcept\u0026gt; \u0026lt;/Directory\u0026gt; ErrorLog /www/WebSiteB/logs/error.log CustomLog /www/WebSiteB/logs/access.log combined \u0026lt;/VirtualHost\u0026gt; Note: Replace WebSiteB with the relevant name\nRun the commands below to enable the new virtual host files: ln -s /etc/httpd/sites-available/websitea.com.conf /etc/httpd/sites-enabled/websitea.com.conf ln -s /etc/httpd/sites-available/websiteb.com.conf /etc/httpd/sites-enabled/websiteb.com.conf Note 1: Replace WebSiteA with the relevant name Note 2: Replace WebSiteB with the relevant name\nRun the command below to configure Apache to load at startup: systemctl enable httpd\nTo start the Apache service, run the command below: systemctl start httpd\nRun the commands below to enable HTTPD rule on the firewall: firewall-cmd --zone=public --add-service=http --permanent systemctl restart firewalld\nMariaDB installation phase\nLogin using privileged account Install MariaDB: yum install -y mariadb-server mariadb-client Enable the MariaDB service: systemctl enable mariadb.service Start the MariaDB service: systemctl start mariadb.service Run the command below to set ownership and permissions for /etc/my.cnf file: chown root /etc/my.cnf chmod 644 /etc/my.cnf Edit using VI, the file /etc/my.cnf and add the string below under the \\[mysqld\\] section bind-address = 127.0.0.1 Run the command below to secure the MySQL: mysql_secure_installation Specify the MySQL root account password (leave blank) -\u0026gt; Press Y to set the Root password -\u0026gt; specify new complex password (at least 14 characters, upper case, lower case,
number, special characters) and document it -\u0026gt; Press Y to remove anonymous users -\u0026gt; Press Y to disallow root login remotely -\u0026gt; Press Y to remove test database -\u0026gt; Press Y to reload privilege tables and exit the script. Restart the MariaDB service: systemctl restart mariadb.service PHP 7.3 installation phase\nLogin using privileged account\nRun the commands below to install PHP 7.3: yum install http://rpms.remirepo.net/enterprise/remi-release-7.rpm -y yum-config-manager --enable remi-php73 yum install php php-mcrypt php-cli php-gd php-curl php-mysql php-ldap php-zip php-fileinfo -y\nChange the permissions on the php.ini file: chmod 640 /etc/php.ini\nEdit using VI, the file /etc/php.ini From: mysqli.default_host = To: mysqli.default_host = 127.0.0.1:3306\nFrom: allow_url_fopen = On\nTo: allow_url_fopen = Off\nFrom: expose_php = On\nTo: expose_php = Off\nFrom: memory_limit = 128M\nTo: memory_limit = 8M\nFrom: post_max_size = 8M\nTo: post_max_size = 2M\nFrom: upload_max_filesize = 2M\nTo: upload_max_filesize = 1M\nFrom: disable_functions =\nTo: disable_functions = fpassthru,crack_check,crack_closedict,crack_getlastmessage,crack_opendict, psockopen,php_ini_scanned_files,shell_exec,chown,hell-exec,dl,ctrl_dir,phpini,tmp,safe_mode,systemroot,server_software, get_current_user,HTTP_HOST,ini_restore,popen,pclose,exec,suExec,passthru,proc_open,proc_nice,proc_terminate, proc_get_status,proc_close,pfsockopen,leak,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid, posix_setsid,posix_setuid,escapeshellcmd,escapeshellarg,posix_ctermid,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid, posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid, posix_getppid,posix_getpwnam,posix_getpwuid,posix_getrlimit,system,posix_getsid,posix_getuid,posix_isatty, posix_setegid,posix_seteuid,posix_setgid,posix_times,posix_ttyname,posix_uname,posix_access,posix_get_last_error,posix_mknod,
posix_strerror,posix_initgroups,posix_setsid,posix_setuid\nRestart the Apache service: systemctl restart httpd.service\nWordPress 5.x installation phase\n3. Login using privileged account. 4. Run the command below to login to the MariaDB: /usr/bin/mysql -uroot -p Note: When prompted, specify the password for the MariaDB root account. 5. Run the following commands from the MariaDB prompt: CREATE USER 'blgusr'@'localhost' IDENTIFIED BY 'A3fg1j7x!s2gEq'; CREATE USER 'hswjm'@'localhost' IDENTIFIED BY 'hj5fa1fnu@zw0p'; CREATE DATABASE m6gf42s; CREATE DATABASE b7mf3aq; GRANT ALL PRIVILEGES ON m6gf42s.* TO \u0026quot;blgusr\u0026quot;@\u0026quot;localhost\u0026quot; IDENTIFIED BY \u0026quot;A3fg1j7x!s2gEq\u0026quot;; GRANT ALL PRIVILEGES ON b7mf3aq.* TO \u0026quot;hswjm\u0026quot;@\u0026quot;localhost\u0026quot; IDENTIFIED BY \u0026quot;hj5fa1fnu@zw0p\u0026quot;; FLUSH PRIVILEGES; quit Note 1: Replace “blgusr” with a username to access the first database. Note 2: Replace “A3fg1j7x!s2gEq” with complex password for the account who will access the first database (at least 14 characters, upper case, lower case, number, special characters). Note 3: Replace “hswjm” with a username to access the second database. Note 4: Replace “hj5fa1fnu@zw0p” with complex password for the account who will access the second database (at least 14 characters, upper case, lower case, number, special characters). Note 5: Replace “m6gf42s” with the first WordPress database name. Note 6: Replace “b7mf3aq” with the second WordPress database name. 6. Run the commands below to download the latest build of WordPress: cd /usr/local/src wget https://wordpress.org/latest.zip unzip latest.zip -d /www/WebSiteA unzip latest.zip -d /www/WebSiteB Note 1: Replace WebSiteA with the relevant name Note 2: Replace WebSiteB with the relevant name 7.
Fix the SELinux security context on the new web folder for the first WordPress site: semanage fcontext -a -t httpd_sys_content_t \u0026quot;/www/WebSiteA(/.*)?\u0026quot; restorecon -F -R -v /www/WebSiteA chcon -R -t httpd_sys_content_t /www/WebSiteA semanage fcontext -a -t httpd_sys_rw_content_t \u0026quot;/www/WebSiteA/wp-content(/.*)?\u0026quot; restorecon -F -R -v /www/WebSiteA/wp-content chcon -R -t httpd_sys_rw_content_t /www/WebSiteA/wp-content Note: Replace WebSiteA with the relevant name 8. Fix the SELinux security context on the new web folder for the second WordPress site: semanage fcontext -a -t httpd_sys_content_t \u0026quot;/www/WebSiteB(/.*)?\u0026quot; restorecon -F -R -v /www/WebSiteB chcon -R -t httpd_sys_content_t /www/WebSiteB semanage fcontext -a -t httpd_sys_rw_content_t \u0026quot;/www/WebSiteB/wp-content(/.*)?\u0026quot; restorecon -F -R -v /www/WebSiteB/wp-content chcon -R -t httpd_sys_rw_content_t /www/WebSiteB/wp-content Note: Replace WebSiteB with the relevant name 9. Create using VI the file /www/WebSiteA/config.php with the following content: \u0026lt;?php define('DB_NAME', 'm6gf42s'); define('DB_USER', 'blgusr'); define('DB_PASSWORD', 'A3fg1j7x!s2gEq'); define('DB_HOST', 'localhost'); $table_prefix = 'm6gf42s_'; define('AUTH_KEY', 'put your unique phrase here'); define('SECURE_AUTH_KEY', 'put your unique phrase here'); define('LOGGED_IN_KEY', 'put your unique phrase here'); define('NONCE_KEY', 'put your unique phrase here'); define('AUTH_SALT', 'put your unique phrase here'); define('SECURE_AUTH_SALT', 'put your unique phrase here'); define('LOGGED_IN_SALT', 'put your unique phrase here'); define('NONCE_SALT', 'put your unique phrase here'); define('FS_METHOD', 'direct'); ?\u0026gt; Note 1: Make sure there are no spaces, newlines, or other strings before an opening \u0026lsquo;\u0026lt; ?php\u0026rsquo; tag or after a closing \u0026lsquo;?\u0026gt;\u0026rsquo; tag. 
Note 2: Replace “blgusr” with MariaDB account to access the first database. Note 3: Replace “A3fg1j7x!s2gEq” with complex password (at least 14 characters). Note 4: Replace “m6gf42s” with the first WordPress database name. Note 5: In order to generate random values for the AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY, use the web site below: http://api.wordpress.org/secret-key/1.1/ 10. Create using VI the file /www/WebSiteB/config.php with the following content: \u0026lt;?php define('DB_NAME', 'b7mf3aq'); define('DB_USER', 'hswjm'); define('DB_PASSWORD', 'hj5fa1fnu@zw0p'); define('DB_HOST', 'localhost'); $table_prefix = 'b7mf3aq_'; define('AUTH_KEY', 'put your unique phrase here'); define('SECURE_AUTH_KEY', 'put your unique phrase here'); define('LOGGED_IN_KEY', 'put your unique phrase here'); define('NONCE_KEY', 'put your unique phrase here'); define('AUTH_SALT', 'put your unique phrase here'); define('SECURE_AUTH_SALT', 'put your unique phrase here'); define('LOGGED_IN_SALT', 'put your unique phrase here'); define('NONCE_SALT', 'put your unique phrase here'); define('FS_METHOD', 'direct'); ?\u0026gt; Note 1: Make sure there are no spaces, newlines, or other strings before an opening \u0026lsquo;\u0026lt; ?php\u0026rsquo; tag or after a closing \u0026lsquo;?\u0026gt;\u0026rsquo; tag. Note 2: Replace “hswjm” with MariaDB account to access the second database. Note 3: Replace “hj5fa1fnu@zw0p” with complex password (at least 14 characters). Note 4: Replace “b7mf3aq” with the second WordPress database name. Note 5: In order to generate random values for the AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY, use the web site below: http://api.wordpress.org/secret-key/1.1/ 11.
Copy the wp-config.php file: cp /www/WebSiteA/wordpress/wp-config-sample.php /www/WebSiteA/wordpress/wp-config.php cp /www/WebSiteB/wordpress/wp-config-sample.php /www/WebSiteB/wordpress/wp-config.php Note 1: Replace WebSiteA with the relevant name Note 2: Replace WebSiteB with the relevant name 12. Edit using VI, the file /www/WebSiteA/wordpress/wp-config.php Add the following lines before the string “That\u0026rsquo;s all, stop editing! Happy blogging”: /* Multisite */ define('WP_ALLOW_MULTISITE', true); include('/www/WebSiteA/config.php'); Remove or comment the following sections: define('DB_NAME', 'putyourdbnamehere'); define('DB_USER', 'usernamehere'); define('DB_PASSWORD', 'yourpasswordhere'); define('DB_HOST', 'localhost'); $table_prefix = 'wp_'; define('AUTH_KEY', 'put your unique phrase here'); define('SECURE_AUTH_KEY', 'put your unique phrase here'); define('LOGGED_IN_KEY', 'put your unique phrase here'); define('NONCE_KEY', 'put your unique phrase here'); define('AUTH_SALT', 'put your unique phrase here'); define('SECURE_AUTH_SALT', 'put your unique phrase here'); define('LOGGED_IN_SALT', 'put your unique phrase here'); define('NONCE_SALT', 'put your unique phrase here'); Note: Replace WebSiteA with the relevant name 13. Edit using VI, the file /www/WebSiteB/wordpress/wp-config.php Add the following lines before the string “That\u0026rsquo;s all, stop editing! 
Happy blogging”: /* Multisite */ define('WP_ALLOW_MULTISITE', true); include('/www/WebSiteB/config.php'); Remove or comment the following sections: define('DB_NAME', 'putyourdbnamehere'); define('DB_USER', 'usernamehere'); define('DB_PASSWORD', 'yourpasswordhere'); define('DB_HOST', 'localhost'); $table_prefix = 'wp_'; define('AUTH_KEY', 'put your unique phrase here'); define('SECURE_AUTH_KEY', 'put your unique phrase here'); define('LOGGED_IN_KEY', 'put your unique phrase here'); define('NONCE_KEY', 'put your unique phrase here'); define('AUTH_SALT', 'put your unique phrase here'); define('SECURE_AUTH_SALT', 'put your unique phrase here'); define('LOGGED_IN_SALT', 'put your unique phrase here'); define('NONCE_SALT', 'put your unique phrase here'); Note: Replace WebSiteB with the relevant name 14. Create using VI the file /www/WebSiteA/wordpress/.htaccess and add the following content: # BEGIN WordPress \u0026lt;IfModule mod_rewrite.c\u0026gt; RewriteEngine On RewriteBase / RewriteRule ^index\\.php$ - [L] RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule . /index.php [L] \u0026lt;/IfModule\u0026gt; # END WordPress Header set X-XSS-Protection \u0026quot;1; mode=block\u0026quot; Header set X-Content-Type-Options nosniff Header set Content-Security-Policy \u0026quot;default-src 'self' 'unsafe-inline' 'unsafe-eval' https: data:\u0026quot; Note: Replace WebSiteA with the relevant name 15. Create using VI the file /www/WebSiteA/wordpress/wp-content/.htaccess and add the following content: # BEGIN WordPress \u0026lt;IfModule mod_rewrite.c\u0026gt; RewriteEngine On RewriteBase / RewriteRule ^index\\.php$ - [L] RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule . /index.php [L] \u0026lt;/IfModule\u0026gt; # END WordPress Note: Replace WebSiteA with the relevant name 16. 
Create using VI the file /www/WebSiteA/wordpress/wp-includes/.htaccess and add the following content: # BEGIN WordPress \u0026lt;IfModule mod_rewrite.c\u0026gt; RewriteEngine On RewriteBase / RewriteRule ^index\\.php$ - [L] RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule . /index.php [L] \u0026lt;/IfModule\u0026gt; # END WordPress Note: Replace WebSiteA with the relevant name 17. Set ownership and permissions on the .htaccess files below: chown apache:apache /www/WebSiteA/wordpress/.htaccess chown apache:apache /www/WebSiteA/wordpress/wp-content/.htaccess chown apache:apache /www/WebSiteA/wordpress/wp-includes/.htaccess chmod 644 /www/WebSiteA/wordpress/.htaccess chmod 644 /www/WebSiteA/wordpress/wp-content/.htaccess chmod 644 /www/WebSiteA/wordpress/wp-includes/.htaccess Note: Replace WebSiteA with the relevant name 18. Create using VI the file /www/WebSiteB/wordpress/.htaccess and add the following content: # BEGIN WordPress \u0026lt;IfModule mod_rewrite.c\u0026gt; RewriteEngine On RewriteBase / RewriteRule ^index\\.php$ - [L] RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule . /index.php [L] \u0026lt;/IfModule\u0026gt; # END WordPress Header set X-XSS-Protection \u0026quot;1; mode=block\u0026quot; Header set X-Content-Type-Options nosniff Header set Content-Security-Policy \u0026quot;default-src 'self' 'unsafe-inline' 'unsafe-eval' https: data:\u0026quot; Note: Replace WebSiteB with the relevant name 19. Create using VI the file /www/WebSiteB/wordpress/wp-content/.htaccess and add the following content: # BEGIN WordPress \u0026lt;IfModule mod_rewrite.c\u0026gt; RewriteEngine On RewriteBase / RewriteRule ^index\\.php$ - [L] RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule . /index.php [L] \u0026lt;/IfModule\u0026gt; # END WordPress Note: Replace WebSiteB with the relevant name 20. 
Create using VI the file /www/WebSiteB/wordpress/wp-includes/.htaccess and add the following content: # BEGIN WordPress \u0026lt;IfModule mod_rewrite.c\u0026gt; RewriteEngine On RewriteBase / RewriteRule ^index\\.php$ - [L] RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule . /index.php [L] \u0026lt;/IfModule\u0026gt; # END WordPress Note: Replace WebSiteB with the relevant name 21. Set ownership and permissions on the .htaccess files below: chown apache:apache /www/WebSiteB/wordpress/.htaccess chown apache:apache /www/WebSiteB/wordpress/wp-content/.htaccess chown apache:apache /www/WebSiteB/wordpress/wp-includes/.htaccess chmod 644 /www/WebSiteB/wordpress/.htaccess chmod 644 /www/WebSiteB/wordpress/wp-content/.htaccess chmod 644 /www/WebSiteB/wordpress/wp-includes/.htaccess Note: Replace WebSiteB with the relevant name 22. Remove default content from the first WordPress site: rm -f /www/WebSiteA/wordpress/license.txt rm -f /www/WebSiteA/wordpress/readme.html rm -f /www/WebSiteA/wordpress/wp-config-sample.php rm -f /www/WebSiteA/wordpress/wp-content/plugins/hello.php 23. Remove default content from the second WordPress site: rm -f /www/WebSiteB/wordpress/license.txt rm -f /www/WebSiteB/wordpress/readme.html rm -f /www/WebSiteB/wordpress/wp-config-sample.php rm -f /www/WebSiteB/wordpress/wp-content/plugins/hello.php 24. Edit using VI the file /etc/httpd/sites-available/websitea.com.conf Replace the value of the string, from: DocumentRoot /www/WebSiteA To: DocumentRoot /www/WebSiteA/wordpress Replace the value of the string, from: \u0026lt;Directory /www/WebSiteA\u0026gt; To: \u0026lt;Directory /www/WebSiteA/wordpress\u0026gt; Note: Replace WebSiteA with the relevant name 25. 
Edit using VI the file /etc/httpd/sites-available/websiteb.com.conf Replace the value of the string, from: DocumentRoot /www/WebSiteB To: DocumentRoot /www/WebSiteB/wordpress Replace the value of the string, from: \u0026lt;Directory /www/WebSiteB\u0026gt; To: \u0026lt;Directory /www/WebSiteB/wordpress\u0026gt; Note: Replace WebSiteB with the relevant name 26. Restart the Apache service: systemctl restart httpd.service 27. Open a web browser from a client machine, and enter the URL below: http://Server_FQDN/wp-admin/install.php Note: Replace Server_FQDN with the relevant DNS name 28. Select language and click Continue 29. Specify the following information:\nSite Title Username - replace the default \u0026quot;admin\u0026quot; Password E-mail Click on “Install WordPress” button, and close the web browser.\nChange ownership and permissions on the files and folders below: chown -R apache:apache /www/WebSiteA/wordpress find /www/WebSiteA/wordpress/ -type d -exec chmod -R 755 {} \\; find /www/WebSiteA/wordpress/ -type f -exec chmod -R 644 {} \\; chmod 400 /www/WebSiteA/wordpress/wp-config.php chown apache:apache /www/WebSiteA/config.php chmod 644 /www/WebSiteA/config.php Note: Replace WebSiteA with the relevant name\nChange ownership and permissions on the files and folders below: chown -R apache:apache /www/WebSiteB/wordpress find /www/WebSiteB/wordpress/ -type d -exec chmod -R 755 {} \\; find /www/WebSiteB/wordpress/ -type f -exec chmod -R 644 {} \\; chmod 400 /www/WebSiteB/wordpress/wp-config.php chown apache:apache /www/WebSiteB/config.php chmod 644 /www/WebSiteB/config.php Note: Replace WebSiteB with the relevant name\nDownload \u0026ldquo;WordPress Firewall\u0026rdquo; plugin from: http://www.seoegghead.com/software/wordpress-firewall.seo\nCopy the \u0026ldquo;WordPress Firewall\u0026rdquo; plugin file \u0026ldquo;wordpress-firewall.php\u0026rdquo; using PSCP (or SCP) into /www/WebSiteA/wordpress/wp-content/plugins Note: Replace WebSiteA with the relevant
name\nCopy the \u0026ldquo;WordPress Firewall\u0026rdquo; plugin file \u0026ldquo;wordpress-firewall.php\u0026rdquo; using PSCP (or SCP) into /www/WebSiteB/wordpress/wp-content/plugins\nOpen a web browser from a client machine, and enter the URL below: http://Server_FQDN/wp-login.php Note: Replace Server_FQDN with the relevant DNS name\nFrom the WordPress dashboard, click on \u0026ldquo;settings\u0026rdquo; -\u0026gt; make sure that \u0026ldquo;Anyone can register\u0026rdquo; is left unchecked -\u0026gt; put a new value inside the \u0026ldquo;Tagline\u0026rdquo; field -\u0026gt; click on \u0026ldquo;Save changes\u0026rdquo;.\nFrom the left pane, click on Plugins -\u0026gt; Add New -\u0026gt; search, install and activate the following plugins:\nAcunetix WP Security\nAntispam Bee\nWP Limit Login Attempts\nLogin LockDown\nWP Security Audit Log\nFrom the list of installed plugins, locate and activate the Firewall plugin\nFrom the upper pane, click on \u0026ldquo;Log Out\u0026rdquo;.\nDelete the file /wp-admin/install.php\nSSL Configuration Phase\nLog in using a privileged account To add support for SSL certificates, run the command below: yum install mod_ssl -y Run the command below to change the permissions on the certificates folder: chmod 700 /etc/pki/CA/private Run the command below to generate a key pair for the first WordPress site: openssl genrsa -des3 -out /etc/pki/CA/private/websitea-server.key 2048 Note 1: Specify a complex pass phrase for the private key (and document it) Note 2: Replace websitea with the relevant name Run the command below to generate a key pair for the second WordPress site: openssl genrsa -des3 -out /etc/pki/CA/private/websiteb-server.key 2048 Note 1: Specify a complex pass phrase for the private key (and document it) Note 2: Replace websiteb with the relevant name Run the command below to generate the CSR for the first WordPress site: openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout /etc/pki/CA/private/websitea-server.key -out 
/tmp/websitea-apache.csr Note 1: The command above should be written as one line. Note 2: Replace websitea with the relevant name Run the command below to generate the CSR for the second WordPress site: openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout /etc/pki/CA/private/websiteb-server.key -out /tmp/websiteb-apache.csr Note 1: The command above should be written as one line. Note 2: Replace websiteb with the relevant name Edit using VI the file /etc/httpd/sites-available/websitea.com.conf and add the following: \u0026lt;VirtualHost *:443\u0026gt; ServerAdmin admin@websitea.com ServerName www.websitea.com ServerAlias websitea.com DocumentRoot /www/WebSiteA/wordpress \u0026lt;Directory /\u0026gt; Options FollowSymLinks AllowOverride None \u0026lt;/Directory\u0026gt; \u0026lt;Directory /www/WebSiteA/wordpress\u0026gt; Options Indexes FollowSymLinks MultiViews AllowOverride all Require all granted Order allow,deny Allow from all \u0026lt;LimitExcept GET POST\u0026gt; deny from all \u0026lt;/LimitExcept\u0026gt; \u0026lt;/Directory\u0026gt; SSLCertificateFile /etc/ssl/certs/websitea.crt SSLCertificateKeyFile /etc/pki/CA/private/websitea-server.key SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS:!aNULL:!EDH:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS SSLHonorCipherOrder On # Disable SSLv2 and SSLv3 SSLProtocol ALL -SSLv2 -SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2 # Disable SSL Compression SSLCompression Off SSLEngine on ErrorLog /www/WebSiteA/logs/ssl_error.log CustomLog /www/WebSiteA/logs/ssl_access.log combined \u0026lt;/VirtualHost\u0026gt; Note: Replace WebSiteA with the relevant name Edit using VI the file /etc/httpd/sites-available/websiteb.com.conf and add the following: \u0026lt;VirtualHost *:443\u0026gt; ServerAdmin 
admin@websiteb.com ServerName www.websiteb.com ServerAlias websiteb.com DocumentRoot /www/WebSiteB/wordpress \u0026lt;Directory /\u0026gt; Options FollowSymLinks AllowOverride None \u0026lt;/Directory\u0026gt; \u0026lt;Directory /www/WebSiteB/wordpress\u0026gt; Options Indexes FollowSymLinks MultiViews AllowOverride all Require all granted Order allow,deny Allow from all \u0026lt;LimitExcept GET POST\u0026gt; deny from all \u0026lt;/LimitExcept\u0026gt; \u0026lt;/Directory\u0026gt; SSLCertificateFile /etc/ssl/certs/websiteb.crt SSLCertificateKeyFile /etc/pki/CA/private/websiteb-server.key SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS:!aNULL:!EDH:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS SSLHonorCipherOrder On # Disable SSLv2 and SSLv3 SSLProtocol ALL -SSLv2 -SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2 # Disable SSL Compression SSLCompression Off SSLEngine on ErrorLog /www/WebSiteB/logs/ssl_error.log CustomLog /www/WebSiteB/logs/ssl_access.log combined \u0026lt;/VirtualHost\u0026gt; Note: Replace WebSiteB with the relevant name Edit using VI the file /etc/httpd/conf.d/ssl.conf and comment out the following directives: \u0026lt;VirtualHost _default_:443\u0026gt; ErrorLog logs/ssl_error_log TransferLog logs/ssl_access_log LogLevel warn SSLEngine on SSLProtocol all -SSLv2 -SSLv3 SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA SSLCertificateFile SSLCertificateKeyFile Restart the Apache service, run the command below: systemctl restart httpd Run the commands below to enable the HTTPS rule on the firewall: firewall-cmd --zone=public --add-service=https --permanent systemctl restart firewalld Run the command below to change the permissions on the certificates folder: chmod 600 /etc/pki/CA/private In case the server was configured with SSL 
certificate, add the following line to the /www/WebSiteA/config.php file: define('FORCE_SSL_LOGIN', true); Note: Replace WebSiteA with the relevant name In case the server was configured with SSL certificate, add the following line to the /www/WebSiteB/config.php file: define('FORCE_SSL_LOGIN', true); Note: Replace WebSiteB with the relevant name WordPress upgrade process\nRun the commands below to change the SELinux permissions: semanage fcontext -a -t httpd_sys_rw_content_t \u0026quot;/www/WebSiteA/wordpress(/.*)?\u0026quot; restorecon -F -R -v /www/WebSiteA/wordpress chcon -R -t httpd_sys_rw_content_t /www/WebSiteA/wordpress Note: Replace WebSiteA with the relevant name Log in to the WordPress admin portal: http://Server_FQDN/wp-login.php Note: Replace Server_FQDN with the relevant DNS name When prompted, choose to upgrade WordPress Once the upgrade process completes successfully, log off the WordPress admin portal Run the commands below to change the SELinux permissions: semanage fcontext -a -t httpd_sys_content_t \u0026quot;/www/WebSiteA/wordpress(/.*)?\u0026quot; restorecon -F -R -v /www/WebSiteA/wordpress chcon -R -t httpd_sys_content_t /www/WebSiteA/wordpress semanage fcontext -a -t httpd_sys_rw_content_t \u0026quot;/www/WebSiteA/wordpress/wp-content(/.*)?\u0026quot; restorecon -F -R -v /www/WebSiteA/wordpress/wp-content chcon -R -t httpd_sys_rw_content_t /www/WebSiteA/wordpress/wp-content Note: Replace WebSiteA with the relevant name Log off the SSH console Check your site on the following test sites\nhttps://www.ssllabs.com/ssltest/ https://dnsflagday.net/ https://securityheaders.com/ https://search.google.com/test/mobile-friendly ","date":"5 July 2019","externalUrl":null,"permalink":"/posts/wordpress-5-x-hardening-guide-for-centos-7-6/","section":"Posts","summary":"","title":"WordPress 5.x Hardening Guide for CentOS 7.6","type":"posts"},{"content":"You might be thinking, shouldn’t the question be: Why should SMBs (Small to Medium-sized Businesses) 
deploy backup solutions at all? Well, we’re going with the assumption that you’ve already accepted that backup solutions, whether cloud-based backups or on-premises backup appliances, are very important for SMBs. If you’re still dubious about the significance of data backup solutions for SMBs, then allow me to shed some brief light on the subject before venturing onto the main topic.\nWhy should SMBs deploy backup solutions # If you Google “data loss cost implications for SMBs”, you’ll find a ton of statistics on how costly data loss can be. One such statistic, for your reference, is a report by the National Archives and Records Administration in Washington. This report states that 93% of businesses that lost their data for 10 days or more filed for bankruptcy within 1 year and 50% filed for bankruptcy immediately. That’s how devastating data loss can be and that’s exactly the reason why SMBs need to deploy backup solutions.\nWith that established, let’s move to the main point of interest here: Why should SMBs focus on Software Defined Backup Solutions and not physical infrastructures or backup appliances?\nSoftware Defined Backup Solutions – Simpler, Easier, Less Costly and Reliable # I think software defined backup solutions are the best choice for SMBs. Backup appliances, verily, have their own perks. However, from an SMB’s perspective, it’s better to look away from them.\nWhy do I say that software based backup is the best option for SMBs? Here are some of my reasons:\nSoftware based Backups are Simpler and deliver faster deployment # Consider the process of acquisition for a backup appliance. You have to order it, wait for it to be delivered. Once it gets to you, you have to follow a detailed manual that describes how it will be set up. After you make your way through all of that, the appliance is set up. As it starts working, it begins to consume resources like cooling, power, maintenance etc. 
You have to make sure there’s a professional keeping an eye on it and that it’s safe from physical harm as well. A backup appliance can be quite delicate as well. If someone accidentally ends up touching it the wrong way and it suddenly ends up on the ground, the impact will be on your pocket.\nSuffice it to say, backup appliances take quite a bit of time to acquire and deploy. Backup appliances may be essential for large enterprises but SMBs can work it out with software defined backup solutions instead.\nTo set up a software defined backup solution, you just have to go through a series of purchase procedures that are far simpler and less time consuming compared to the acquisition of physical backup appliances. Once you’re done with those and you conclude the payment procedure, you can be up and running within a matter of an hour or two. It’s easier, it’s simpler and it’s a lot faster. Milestones are easily achieved with each click.\nSoftware based Backup solutions are Cost Effective # As an SMB, cost is a major thing to consider in all matters. Software Defined Backup solutions are very economical. Compared to the initial cost of backup appliances, software defined backup solutions cost a lot less.\nAs mentioned earlier, backup appliances incur quite a few dynamic costs. Software defined backup solutions do not incur such costs. You can begin from the storage capacity that you immediately need and then you can increase as you go. Payment models like pay-as-you-go make the cost attribute of software defined backup solutions a lot more appealing.\nUnlike backup appliances that incur dynamic costs like maintenance or power or cooling, software backup solutions do not incur such costs.\nSoftware Based Backup Solutions offer Enhanced Data Security # Let’s say the backup appliance is accidentally damaged or it experiences hardware failure, all of the data within the appliance may never recover. If the appliance goes down, all the backed up data goes down with it. 
How difficult are accidents at a workplace? Something as simple as spilling your coffee is sometimes what it takes to initiate a disaster.\nHowever, you don’t have to worry about such things with a software defined backup solution that keeps all your backed up data in the cloud. With cloud backups, the data security of your backed up data is in the hands of the cloud service provider. These three are only the gist of my reasons why businesses should set up software defined backup solutions that facilitate simplified backup to the cloud. By effectively leveraging cloud technology, SMBs can ensure that their data is well protected and recoverable.\nThis article is written by George Williams. George is a Senior Technical Content Marketer at StoneFly Inc.\n","date":"25 May 2019","externalUrl":null,"permalink":"/posts/why-should-smbs-deploy-software-defined-backup-solutions/","section":"Posts","summary":"","title":"Why should SMBs deploy Software Defined Backup Solutions","type":"posts"},{"content":" Millennials don\u0026rsquo;t seem to care that Facebook and other companies harvest their data for profit. At least that’s the premise of a recent opinion piece in the New York Post. It suggests that millennials are resigned to the fact that, in order to have the many advantages that the new tech world provides, there has to be a sacrifice. If you are a millennial, I would be interested in your reaction to this premise and others which follow.\nMillennials seem more comfortable with the notion that if a product is free then you are the product, and allow themselves to be an “open book” for all to see. As it will be revealed later, the opinion piece opines that this is not true of previous generations who appear to be more guarded with their privacy. 
Of course, previous generations had fewer threats to their privacy to go along with markedly less availability to information, entertainment, and communication (just to name a few).\nSo it is not necessarily fair to single out the millennials as if they were some alien outliers. Although, like aliens, they come from and live in different worlds to their predecessors. I mean, book burning was non-existent before Gutenberg’s printing press printed books, and there wasn’t a need for fallout shelters until the world went nuclear. In fact, you could make a case that the dangerous, crazy world that was passed on to millennials, and that they now inherit, may make the exposure of their personal information to the public seem tame by comparison. Not to mention that heavy engagement with social media and the like is a needed distraction from modern life!\nBesides, no one would have guessed some fifteen years ago that Mark Zuckerberg’s dorm room doodle would morph into the behemoth of a business model it is today - replete with its invasive algorithms. Who could have imagined that social media companies could learn our political leanings, our likes and dislikes, our religious affiliations, and our sexual orientations and proclivities? If I, or some other legal or law enforcement entity, wants to retrace my activities on a given day - that is easily and readily accessible from my smartphone.\nAs millennials blithely roll over to the tech gods when it comes to filleting themselves publicly, the article takes them (and others) to task for handwringing and breathlessly expressing surprise and outrage at Cambridge Analytica for just working with the leeway given to them. 
Of course, if the company had helped Hillary Clinton win the White House instead of purportedly boosting the prospects of the odious ogre, Trump, there likely wouldn’t have been the same angst - or so the piece posits.\nBe that as it may, the question must be asked: what did Cambridge Analytica do that countless other companies haven’t done? I mean, why should it be treated any differently by Facebook because it’s a political firm and not an avaricious advertising scavenger? The other Silicon Valley savants - Google, Apple, and Microsoft - all monetize your information. They are eager to invite advertisers, researchers, and government agencies to discover your treasure trove of personal information through them.\nAnd millennials, as well as those of other generations, are only too willing, it seems, to provide such information - and in massive amounts. Indeed, they seem to relish, in a race to the bottom, who can post the most content, photos, and the like. They seem to be ambivalent about the inevitable fallout. “So what?” they say, “I’ve got nothing to hide.”\nThe article questions if those of previous generations would be so forthcoming, citing the so-called Greatest Generation eschewing the telephone if it meant that the government could eavesdrop on their conversations with impunity. On the contrary, millennials, it would appear, view the lack of privacy and the co-opting of personal information as the price for the plethora of pleasures that the digital medium supplies.\nAs Wired magazine founder Kevin Kelly said in his 2016 book, The Inevitable: Understanding the 12 Technological Forces That Will Shape Our Future:\n“If today’s social media has taught us anything about ourselves as a species, it is that the human impulse to share overwhelms the human impulse for privacy.\u0026quot;\nWhat do you think? 
Is it a fair assessment of the current state of affairs?\nThis article was originally published at BestVPN.com.\n","date":"11 April 2019","externalUrl":null,"permalink":"/posts/why-millennials-are-blase-about-privacy/","section":"Posts","summary":"","title":"Why Millennials Are Blasé About Privacy","type":"posts"},{"content":" In what has to be the most ironic turn of events, companies collectively pay cybersecurity experts billions of dollars every year so that they can keep their business safe and away from prying eyes. Once they have attained the level of security and privacy they want, they turn around to infringe upon the privacy of the people.\nThis has been the model many of them have been operating for a while now, and they don’t seem to be slowing down anytime soon. We would have said the government should fight against this, but not when they have a hand in the mud pie too.\nIn this piece, we discuss the various ways these organizations have been shredding your privacy to bits, what the future of internet privacy is shaping up to be and how to take back the control of your own data privacy.\nHow Your Internet Privacy Is Being Violated # A lot of the simple operations you perform with the internet every day mean more to some data collectors than you know. In fact, it is what they are using to make decisions on what to offer you, what to hold back from you and so much more.\nGoing by the available technology, here are some of the frameworks that allow the collection and use of your information.\nBig data analytics: When you hear big data, what is being referred to is a large body of data which is meant for later analysis. Via a combination of efforts from man, bot and algorithms, the large amount of data is sifted through with the sole aim of finding patterns, trends, and behaviors. 
These are mapped to certain individuals/demographics and used to build predictive models for the future.\nInternet of Things: Everyday things (such as your printer, refrigerator, light, AC unit and so much more) can now be connected to an internet connection. This enables them to work with one another with the sole aim of interoperability and remote access. Thus, you can access live video feeds of your home from anywhere in the world. You can even have your refrigerator tell you what supplies you are running low on. What you don’t know is that as your IoT units collect this data, they are not just feeding it to you. In fact, they are sending back a lot more than you know to the companies that developed them.\nMachine learning: Machines were taught to do more than just be machines. Instead of being given a set of commands to run with, they have now been given specialized commands to aid their learning. These machines are then released into data sets to practice their newfound freedom. Guess what they do? Mine for data from almost any source they can lay hands on, rigorously analyze the data and use that to diverse ends.\nThe significance of The Data Collections # All of the above might look like normal procedures for the achievement of the intended purposes that these technologies bring. However, they cause more harm than good.\nOn the one hand, the datasets are used to pigeonhole consumers by companies.\nAs of the time of this writing, machine learning data is already being used by some credit card companies to determine who they should allow a credit card and who they shouldn’t. It is even more ridiculous to think this decision is based off something as simple as what type of car accessory a customer would opt for.\nAs if that is not enough, machine learning is approaching a place where it would soon be able to diagnose diseases. That is not the scary part. 
This diagnosis will be based on social media data.\nThe companies don’t even need to see you physically before they know what diseases you might have. Talk about prodding into the most sensitive areas of your life that you might not even have shared with family and friends.\nThat, and we have not even talked about how marketers will chase you around with ads based on what you’ve searched, offer suggested content based on your patterns and prevent you from seeing out of the box across the board.\nPutting an End to The Nonsense # You don’t have to put up with all of this. Technology is meant to be enjoyed, so you shouldn’t be punished by being exploited.\nOne helpful tip is to layer all your connections over a VPN. This will help make you anonymous on the network, preventing data collectors and monitors from identifying your computer with your data stream.\nYour IoT devices will also benefit from a VPN if you can share one over your router. This helps to make them more secure since they cannot use a VPN otherwise.\nPrivate browser networks such as Tor will do you a lot of good when browsing the web. If you prefer conventional browsers, though, don’t forget to install an ad blocker before you go online again. They help prevent marketers and companies from tracking you all around the web after looking at some content.\nDon’t forget to switch from Google to other search engines that leave your data to you. DuckDuckGo and Qwant are some of the options on this list.\nCombine all of that, and you have your shot back at decency and privacy on the internet.\n","date":"25 February 2019","externalUrl":null,"permalink":"/posts/your-internet-privacy-is-at-risk-but-you-can-salvage-it-all/","section":"Posts","summary":"","title":"Your Internet Privacy Is at Risk, But You Can Salvage It All","type":"posts"},{"content":"Cloud services are no longer just a buzzword; they are an established fact. 
Small and large organizations have been leading the revolution in the IT industry for almost a decade, some migrating small environments and conducting experiments while others deploy their entire production environments using this model.\nIt is common to consider cloud services a continuation of the data center environment, and in fact this is where the concept evolved from. Yet traditional computing services, server farms, storage and even virtualization are fundamentally different from a true cloud. Let’s evaluate the differences:\nIn the past we used the term “cloud” for any compute service with the following characteristics, as defined by NIST:\nOn-Demand Self-Service Broad Network Access Resource Pooling Rapid Elasticity Measured service When looking deeper into the various cloud service models such as IaaS (Infrastructure as a Service), PaaS (Platform as a Service) and SaaS (Software as a Service), we find that things are not always black or white: in some cases we come across services that we know for a fact are cloud services, yet we can’t always say these services include all the above characteristics.\nA good example: File sharing services such as Dropbox. 
As a private customer we are not exposed to data that will enable us to measure the service (in terms of performance or in terms of billing vs storage capacity cost).\nIn case we choose to deploy a “private cloud” inside our organizational data center, based on infrastructure such as VMWARE, OpenStack or the like, we expect all the above characteristics in our on-premises environment as well.\nLet’s differentiate between cloud and hosting service # In the current IT industry there are many companies offering compute services, in the range between cloud services and hosting services.\nHosting companies (or managed services) usually offer the customer the following capabilities:\nCompute environments – Such as physical servers (in case of special hardware requirements), virtual servers, storage and network equipment (Routers, Firewalls, VPN Gateway, etc.) Managed services – Such as web hosting for marketing or commercial web sites, email services, file sharing services and organizational systems such as CRM as a service. Backup and DR as a service. Managed support/IT services. 
Hosting companies might offer the customer a capability to increase the number of servers and in some cases even to choose servers in a data center abroad (in case we would like to allow access to the data/servers close to the end customer).\nFor SMB or enterprise organizations making their first move to the cloud, or for customers who wish to outsource their IT services to external providers, there isn’t much of a difference between choosing a hosting/managed service and choosing a public cloud service.\nThe differences between hosting and cloud services begin when trying to deploy entire environments in the cloud, based on architectures emphasizing service and platform (SaaS and PaaS), and less on infrastructure as a service (IaaS).\nIn this configuration, the system is developed based on dynamic scaling capabilities: environments are deployed for a short amount of time, and servers and infrastructure are raised for a specific purpose and cease to exist a few minutes after the entire process completes.\nThis model is called “Cloud Native Applications”. It allows us to avoid committing to a pre-defined amount of infrastructure, specific task management, compatibility, server health checks, etc. What is the role of each server or platform, if it will be destroyed within a second? The infrastructure in this model is not important, only the service the system is meant to provide.\nUnlike hard-coded infrastructure management, there is a new concept – “Infrastructure as Code”. Environments are written as “recipes” and sent to the cloud provider using APIs, and environments are created instantly and on the fly.\nA few examples of the efficiencies of this model – A large American service provider destroys its entire IT environment in the cloud and deploys an entire up-to-date mirror environment within a few minutes instead of updating each and every server. 
A different American service provider increases the number of servers automatically in advance of peak hours, as a result of application monitoring, and after peak hours, all the new servers vanish.\nThis change is not magic, but a result of cloud-efficient planning of systems and applications, training dedicated teams with the relevant capabilities, understanding the cloud provider’s services, billing, prioritization and the constant changes in the management interfaces.\nProcess of migrating systems to the public cloud # Infrastructure as a Service (IaaS) allows organizations to perform “Lift \u0026amp; Shift” (copying existing systems to the cloud with minor changes) from the on-premises environment to the public cloud, as part of migration processes to the cloud.\nMost organizations will quickly find out that the “Lift \u0026amp; Shift” strategy is indeed easier as a first stage, but in the long term it is a very bad economic decision, with the same challenges that organizations struggle with today: waste of hardware resources, un-optimized operating systems and code running on servers, distributed management difficulties, etc.\nAt later stages, organizations that migrated systems to the public cloud begin to tune their cloud environments by measuring the resource usage of their virtual servers and adapting the proper VM instance type to the actual use in terms of CPU/memory/storage.\nBelow is an example from an AWS presentation about the evolution organizations go through when migrating to the public cloud in terms of cost: The future is here # Today, startup companies and enterprise organizations are developing applications for the cloud, agnostic to the hardware or infrastructure underneath.\nIn the past, organizations used to migrate from developing on physical servers to virtual servers, and today, organizations are migrating from developing monolith applications to micro-service based applications and even Serverless applications (code running inside a 
managed compute environment, without the need to manage infrastructure resources such as servers, storage, etc.)\nChanges in the development world are crucial to understanding what a cloud service is, because today we rely less on the NIST definition of a cloud service and on providers offering Infrastructure as a Service (as most hosting providers do). Today a cloud service is characterized by the following capabilities:\nCollection of APIs Billing capability of services/resources by their actual usage Services managed using API (such as the ability to provision, decommission, start/stop, etc.) The bottom line # Today there are many providers who wrap VMWARE infrastructure with a friendly user interface, allowing the customer to choose the VM type (in terms of CPU/Memory) and the number of servers the customer would like to consume, but this is not scalable enough and it doesn’t allow the customer the flexibility to scale up or scale down to hundreds of servers automatically, and within seconds over multiple geographical regions.\nA cloud provider that supports “Cloud Native Applications” enables the customer to connect his automation mechanisms and build and deployment processes, using APIs, to the cloud provider’s infrastructure, in order to allow provisioning/changing compute environments, deploying micro-services based systems and even deploying and running Serverless infrastructure.\nThe next time you are considering a service provider, whether using a hosting provider (sophisticated as he might be) or using a public cloud provider, with capabilities of running hundreds of servers over multiple geographic regions within minutes, hands-free, supporting micro-services and Serverless applications, with API connectivity capabilities, simply present the service provider with your requirements, and choose the most suitable service provider.\nThis article was written by Eyal Estrin, cloud security architect and Vitaly Unic, application security 
architect.\n","date":"13 January 2019","externalUrl":null,"permalink":"/posts/cloud-services-evolution-and-future-trends/","section":"Posts","summary":"","title":"Cloud Services - Evolution and Future Trends","type":"posts"},{"content":"","date":"5 September 2018","externalUrl":null,"permalink":"/categories/docker/","section":"Categories","summary":"","title":"Docker","type":"categories"},{"content":"A diagram of a common DevOps lifecycle:\nThe DevOps world is meant to provide a complementary solution for both quick development (such as Agile) and cloud environments, where IT personnel become an integral part of the development process. In the DevOps world, managing a large number of development environments manually is practically infeasible. Monitoring mixed environments becomes complex, and deployment of a large number of different builds becomes extremely fast and sensitive to changes.\nThe idea behind any DevOps solution is to support an entire CI/CD process, which means supporting constant changes and immediate deployment of builds/versions. 
For the security department, this kind of process is at first look a nightmare – dozens of builds, partial tests, no human control over any change, etc.\nFor this reason, it is crucial for the security department to embrace the DevOps attitude, which means embedding security in every part of the development lifecycle, software deployment or environment change.\nIt is important to understand that there are no constant stages as we used to have in the waterfall development lifecycle, and most of the stages are parallel – in the CI/CD world everything changes quickly, components can be part of different stages, and for this reason it is important to agree on the processes, methods and tools across all development and DevOps teams.\nIn order to better understand how to embed security into the DevOps lifecycle, we need to review the different stages in the development lifecycle:\nPlanning phase\nThis stage in the development process is about gathering business requirements.\nAt this stage, it is important to embed the following aspects:\nGather information security requirements (such as authentication, authorization, auditing, encryption, etc.) 
Conduct threat modeling in order to detect possible code weaknesses Training / awareness programs for developers and DevOps personnel about secure coding Creation / Code writing phase\nThis stage in the development process is about the code writing itself.\nAt this stage, it is important to embed the following aspects:\nConnect the development environments (IDE) to static code analysis products Review the solution architecture by a security expert or a security champion on his behalf Review open source components embedded inside the code Verification / Testing phase\nThis stage in the development process is about testing, conducted mostly by QA personnel.\nAt this stage, it is important to embed the following aspects:\nRun SAST (Static application security tools) on the code itself (pre-compiled stage) Run DAST (Dynamic application security tools) on the binary code (post-compile stage) Run IAST (Interactive application security tools) against the application itself Run SCA (Software composition analysis) tools in order to detect known vulnerabilities in open source components or 3rd party components Software packaging and pre-production phase\nThis stage in the development process is about software packaging of the developed code before the deployment/distribution phase.\nAt this stage, it is important to embed the following aspects:\nRun IAST (Interactive application security tools) against the application itself Run fuzzing tools in order to detect buffer overflow vulnerabilities – this can be done automatically as part of the build environment by embedding security tests for functional testing / negative testing Perform code signing to detect future changes (such as malware) Software packaging release phase\nThis stage is between the packaging and deployment stages.\nAt this stage, it is important to embed the following aspects:\nCompare code signature with the original signature from the software packaging stage Conduct integrity checks on the software package 
Deploy the software package to a development environment and conduct automated or stress tests Deploy the software package in a green/blue methodology for software quality and further security quality tests Software deployment phase\nAt this stage, the software package (such as mobile application code, docker container, etc.) is moving to the deployment stage.\nAt this stage, it is important to embed the following aspects:\nReview permissions on destination folder (in case of code deployment for web servers) Review permissions for Docker registry Review permissions for further services in a cloud environment (such as storage, database, application, etc.) and fine-tune the service role for running the code Configure / operate / Tune phase\nAt this stage, the development is in the production phase and undergoes modifications (according to business requirements) and on-going maintenance.\nAt this stage, it is important to embed the following aspects:\nPatch management processes or configuration management processes using tools such as Chef, Ansible, etc. 
Scanning process for detecting vulnerabilities using vulnerability assessment tools Deleting vulnerable environments and re-deploying them with up-to-date environments (if possible) On-going monitoring phase\nAt this stage, constant application monitoring is being conducted by the infrastructure or monitoring teams.\nAt this stage, it is important to embed the following aspects:\nRun RASP (Runtime application self-protection) tools Implement defense at the application layer using WAF (Web application firewall) products Implement products for defending the application from Botnet attacks Implement products for defending the application from DoS / DDoS attacks Conduct penetration testing Implement a monitoring solution using automated rules such as automated recovery of sensitive changes (tools such as GuardRails) Security recommendations for development based on CI/CD / DevOps process\nIt is highly recommended to perform on-going training for the development and DevOps teams on security aspects and secure development It is highly recommended to nominate a security champion among the development and DevOps teams in order to allow them to conduct threat modeling at early stages of the development lifecycle and in order to embed security aspects as soon as possible in the development lifecycle Use automated tools for deploying environments in a simple and standard form. Tools such as Puppet require root privileges for folders they have access to. In order to lower the risk, it is recommended to enable folder access auditing. Avoid storing passwords and access keys hard-coded inside scripts and code. It is highly recommended to store credentials (SSH keys, privileged credentials, API keys, etc.) in a vault (solutions such as HashiCorp Vault or CyberArk). It is highly recommended to limit privileged access based on role (Role based access control) using least privilege. 
It is recommended to perform network separation between production environment and Dev/Test environments. Restrict all developer teams’ access to production environments, and allow only DevOps team’s access to production environments. Enable auditing and access control for all development environments and identify anomalous access attempts (such as a developer’s attempt to access a production environment) Make sure sensitive data (such as customer data, credentials, etc.) doesn’t pass in clear text in transit. In case there is a business requirement for passing sensitive data in transit, make sure the data is passed over encrypted protocols (such as SSH v2, TLS 1.2, etc.), while using strong cipher suites. It is recommended to follow OWASP organization recommendations (such as OWASP Top 10, OWASP ASVS, etc.) When using Containers, it is recommended to use well-known and signed repositories. When using Containers, it is recommended not to rely on open source libraries inside the containers, and to conduct scanning to detect vulnerable versions (including dependencies) during the build creation process. When using Containers, it is recommended to perform hardening using guidelines such as CIS Docker Benchmark or CIS Kubernetes Benchmark. It is recommended to deploy automated tools for on-going tasks, starting from build deployments, code review for detecting vulnerabilities in the code and open source code, and patch management processes that will be embedded inside the development and build process. It is recommended to perform scanning to detect security weaknesses, using vulnerability management tools during the entire system lifetime. It is recommended to deploy configuration management tools, in order to detect and automatically remediate configuration anomalies from the original configuration. 
Additional reading sources:\n20 Ways to Make Application Security Move at the Speed of DevOps The DevOps Security Checklist Making AppSec Testing Work in CI/CD Value driven threat modeling Automated Security Testing Security at the Speed of DevOps DevOps Security Best Practices The integration of DevOps and security When DevOps met Security - DevSecOps in a nutshell Grappling with DevOps Security Minimizing Risk and Improving Security in DevOps Security In A DevOps World Application Security in Devops Five Security Defenses Every Containerized Application Needs 5 ways to find and fix open source vulnerabilities This article was written by Eyal Estrin, cloud security architect and Vitaly Unic, application security architect.\n","date":"5 September 2018","externalUrl":null,"permalink":"/posts/integrate-security-aspects-in-a-devops-process/","section":"Posts","summary":"","title":"Integrate security aspects in a DevOps process","type":"posts"},{"content":"","date":"5 September 2018","externalUrl":null,"permalink":"/categories/tls/","section":"Categories","summary":"","title":"Tls","type":"categories"},{"content":"What Is Internet Security And Why Is It Important?\nWhile the digital age has revolutionized the way we communicate, interact, buy and sell products and search for information, it has also created new risks that were not risks before. The internet, while extraordinary, is not always the safest environment and learning how to protect yourself, your business and your data is an important part of being an internet user. Internet security is a term that encompasses all of the strategies, processes and means an individual or company might use to protect themselves online including browser security, data protection, authentication and security for any transactions made on the web. 
It is about securing and protecting your networks and ensuring your privacy online.\nWith more and more people using the internet every day, more and more information is being processed online and this means huge amounts of data is being moved around the web. Sadly, this has seen the rise of new types of cybercrime and more opportunities for those looking to act criminally online to do so. If you use the internet in any way, whether it be for personal or professional reasons, such as for social media, emailing, for banking, running a website, to buy groceries or to publish content, you need to be thinking about your internet security and how to keep yourself safe online.\nWhether you want to protect yourself or your business, it is important to know and understand internet security and the best methods for protecting yourself. Here are four ways you can begin to learn about internet security.\nTake An Online Course If you are serious about learning more about internet security and using your knowledge to help you professionally, then you may consider undertaking an online course on internet and network security. This is one of the more thorough and structured ways to learn everything there is to know about internet security and what strategies you can implement yourself. By doing an online course, diploma or degree, you know that you are learning from teachers and tutors who know what they are talking about which allows you to gain valuable skills and knowledge. With a qualification at the end of the course, you can then put this knowledge to good use and help others develop advanced internet security mechanisms.\nRead Blogs One of the great things about the internet is that you can find a wealth of information online about any topic that you are interested in. Whether it is baking, travel, fashion, or sports, you can find websites and blogs that help keep you up to date with what is going on in each of these areas. The same can be said for security. 
If you are interested in learning a bit more about security in your own time, then doing some online research is a good way to begin. Many experts out there understand the importance of network security and write about it. The good thing about reading blogs is that you can find blogs suitable for all levels of knowledge about network security. Whether you have very limited knowledge and are looking to understand basic terminology or you are more experienced and hoping to be introduced to more complex problems, you can find blogs that will be tailored to both.\nCheck Out YouTube YouTube may be a great platform for watching funny animal videos or music video clips, but it is also a great online learning resource. There are many channels on YouTube that provide online learning videos, which offer a more hands-on approach to learning about internet security. With the videos, you can see the steps behind different processes in internet security, and concepts that may be difficult to understand when you read about them can be more easily explained in a visual manner. Once you understand the basics of cybersecurity, YouTube is a great way to learn about how to use certain tools in a systematic fashion.\nRead Some Books It may seem ironic to read about internet security from a book but there are some great books and textbooks out there that are focused on internet security. These books are usually written by experts in the field who really know their stuff. Whether you want to learn about hacking, malware, security systems or privacy, chances are there is a book on the subject that will cover every aspect of the topic. 
Check out Amazon or your local library to see if they have any books that will interest you.\n","date":"20 June 2018","externalUrl":null,"permalink":"/posts/4-ways-to-learn-about-internet-security/","section":"Posts","summary":"","title":"4 Ways To Learn About Internet Security","type":"posts"},{"content":" Who we are # Our website address is: https://security-24-7.com.\nWhat personal data we collect and why we collect it # Comments # When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.\nMedia # If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.\nCookies # If you leave a comment on our site, we are not collecting any data about our site visitors.\nIf you have an account and you log in to this site, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.\nWhen you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select \u0026ldquo;Remember Me\u0026rdquo;, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.\nIf you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.\nEmbedded content from other websites # Articles on this site may include embedded content (e.g. videos, images, articles, etc.). 
Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.\nThese websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracing your interaction with the embedded content if you have an account and are logged in to that website.\nAnalytics # We are using StatCounter (https://statcounter.com)\nWho we share your data with # We share data with Statcounter. Statcounter is an online service which helps us to understand our visitors; for example, how visitors find our website, how long they spend on our site, which web pages they are most interested in etc. We use Statcounter because better understanding how visitors are interacting with our website helps us to improve the content, design and functionality of our site. This allows us to offer a better online experience to our visitors. Statcounter uses cookies and other technologies to collect data on visitors and visitor activity on our website. This data includes:\n•Time and date of visit (this can help us to identify and plan for busy periods on our website) •Browser and Operating System (this can help us to make sure that our website functions correctly in the browsers/operating systems used to access our site) •Device Information e.g. device type and screen size (this can help us to make sure that our website functions correctly in the devices used to access our site) •Referring Data e.g. a search engine link (this can help us to understand which search engines are helping visitors to find our website)\nHow long we retain your data # If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.\nFor users that register on our website (if any), we also store the personal information they provide in their user profile. 
All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.\nWhat rights you have over your data # If you have an account on this site, or have left comments, you can request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.\nWhere we send your data # Visitor comments may be checked through an automated spam detection service.\nContact information # You may contact us at webmaster@security-24-7.com\n","date":"2 June 2018","externalUrl":null,"permalink":"/posts/pages/privacy-policy/","section":"Posts","summary":"","title":"Privacy Policy","type":"posts"},{"content":" Who we are # Our website address is: https://security-24-7.com.\nWhat personal data we collect and why we collect it # Comments # When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.\nMedia # If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.\nCookies # If you leave a comment on our site, we are not collecting any data about our site visitors.\nIf you have an account and you log in to this site, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.\nWhen you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select \u0026ldquo;Remember Me\u0026rdquo;, your login will persist for two weeks. 
If you log out of your account, the login cookies will be removed.\nIf you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.\nEmbedded content from other websites # Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.\nThese websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracing your interaction with the embedded content if you have an account and are logged in to that website.\nAnalytics # We are using StatCounter (https://statcounter.com)\nWho we share your data with # We share data with Statcounter. Statcounter is an online service which helps us to understand our visitors; for example, how visitors find our website, how long they spend on our site, which web pages they are most interested in etc. We use Statcounter because better understanding how visitors are interacting with our website helps us to improve the content, design and functionality of our site. This allows us to offer a better online experience to our visitors. Statcounter uses cookies and other technologies to collect data on visitors and visitor activity on our website. This data includes:\n•Time and date of visit (this can help us to identify and plan for busy periods on our website) •Browser and Operating System (this can help us to make sure that our website functions correctly in the browsers/operating systems used to access our site) •Device Information e.g. device type and screen size (this can help us to make sure that our website functions correctly in the devices used to access our site) •Referring Data e.g. 
a search engine link (this can help us to understand which search engines are helping visitors to find our website)\nHow long we retain your data # If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.\nFor users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.\nWhat rights you have over your data # If you have an account on this site, or have left comments, you can request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.\nWhere we send your data # Visitor comments may be checked through an automated spam detection service.\nContact information # You may contact us at webmaster@security-24-7.com\n","date":"2 June 2018","externalUrl":null,"permalink":"/privacy-policy/","section":"Security \u0026 Cloud 24/7","summary":"","title":"Privacy Policy","type":"page"},{"content":" When using public cloud services for relational databases, you have two options:\nIaaS solution – Install a database server on top of a virtual machine PaaS solution – Connect to a managed database service In the traditional data center, organizations had to maintain the operating system and the database by themselves.\nThe benefits are very clear – full control over the entire stack.\nThe downside – The organization needs to maintain availability, license cost and security (access control, patch level, hardening, auditing, etc.)\nToday, all the major public cloud vendors offer managed services for databases in the cloud.\nTo connect to the database and begin working, all a customer needs is a DNS name, 
port number and credentials.\nThe benefits of a managed database service are:\nEasy administration – No need to maintain the operating system (including patch level for the OS and for the database, system hardening, backup, etc.) Scalability – The number of virtual machines in the cluster will grow automatically according to load, in addition to the storage space required for the data High availability – The cluster can be configured to span across multiple availability zones (physical data centers) Performance – Usually the cloud provider installs the database on SSD storage Security – Encryption at rest and in transit Monitoring – Built-in the service Cost – Pay only for what you use Not all features available on the on-premises version of the database are available on the PaaS version, and not all common databases are available as managed service of the major cloud providers.\nAmazon RDS\nAmazon managed services currently (as of April 2018) supports the following database engines:\nMicrosoft SQL Server (2008 R2, 2012, 2014, 2016, and 2017) Amazon RDS for SQL Server FAQs: https://aws.amazon.com/rds/sqlserver/faqs Known limitations: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_SQLServer.html#SQLServer.Concepts.General.FeatureSupport.Limits MySQL (5.5, 5.6 and 5.7) Amazon RDS for MySQL FAQs: https://aws.amazon.com/rds/mysql/faqs Known limitations: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/MySQL.KnownIssuesAndLimitations.html Oracle (11.2 and 12c) Amazon RDS for Oracle Database FAQs: https://aws.amazon.com/rds/oracle/faqs Known limitations: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Limits.html PostgreSQL (9.3, 9.4, 9.5, and 9.6) Amazon RDS for PostgreSQL FAQs: https://aws.amazon.com/rds/postgresql/faqs Known limitations: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_PostgreSQL.html#PostgreSQL.Concepts.General.Limits MariaDB (10.2) Amazon RDS for MariaDB FAQs: https://aws.amazon.com/rds/mariadb/faqs Known 
limitations: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Limits.html Azure Managed databases\nMicrosoft Azure managed database services currently (as of April 2018) support the following database engines:\nAzure SQL Database Technical overview: https://docs.microsoft.com/en-us/azure/sql-database/sql-database-technical-overview Known limitations: https://docs.microsoft.com/en-us/azure/sql-database/sql-database-dtu-resource-limits MySQL (5.6 and 5.7) Technical overview: https://docs.microsoft.com/en-us/azure/mysql/overview Known limitations: https://docs.microsoft.com/en-us/azure/mysql/concepts-limits PostgreSQL (9.5, and 9.6) Technical overview: https://docs.microsoft.com/en-us/azure/postgresql/overview Known limitations: https://docs.microsoft.com/en-us/azure/postgresql/concepts-limits Google Cloud SQL\nGoogle managed database services currently (as of April 2018) support the following database engines:\nMySQL (5.6 and 5.7) Product documentation: https://cloud.google.com/sql/docs/mysql Known limitations: https://cloud.google.com/sql/docs/mysql/known-issues PostgreSQL (9.6) Product documentation: https://cloud.google.com/sql/docs/postgres Known limitations: https://cloud.google.com/sql/docs/postgres/known-issues Oracle Database Cloud Service\nOracle managed database services currently (as of April 2018) support the following database engines:\nOracle (11g and 12c) Product documentation: https://cloud.oracle.com/en_US/database/features Known issues: https://docs.oracle.com/en/cloud/paas/database-dbaas-cloud/kidbr/index.html#KIDBR109 MySQL (5.7) Product documentation: https://cloud.oracle.com/en_US/mysql/features ","date":"25 April 2018","externalUrl":null,"permalink":"/posts/benefits-of-using-managed-database-as-a-service-in-the-cloud/","section":"Posts","summary":"","title":"Benefits of using managed database as a service in the cloud","type":"posts"},{"content":" When working with cloud service providers, you may notice that at some point there are 
service / quota limitations.\nSome limits are per account / subscription; some of them are per region and some limits are per pricing tier (free tier vs billable).\nHere are some of the most common reasons for service / quota limitations:\nPerformance issues on the cloud provider’s side – loading a lot of virtual machines on the same data center requires a lot of resources from the cloud provider Avoiding spikes in usage – protect from a situation where one customer consumes a lot of resources that might affect other customers and might eventually cause denial of service For more information about default cloud service limits, see:\nAWS Service Limits: https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html Azure subscription and service limits, quotas, and constraints: https://docs.microsoft.com/en-us/azure/azure-subscription-service-limits Google App Engine Quotas: https://cloud.google.com/appengine/quotas Oracle Cloud Service Limits: https://docs.us-phoenix-1.oraclecloud.com/Content/General/Concepts/servicelimits.htm Default limitations can be changed by contacting the cloud service provider’s support and requesting a change to the default limitation.\nFor instructions on how to change the service limitations, see:\nHow do I manage my AWS service limits? 
https://aws.amazon.com/premiumsupport/knowledge-center/manage-service-limits/ Understanding Azure Limits and Increases https://azure.microsoft.com/en-us/blog/azure-limits-quotas-increase-requests/ Google Resource Quotas https://cloud.google.com/compute/quotas#request_quotas Oracle Cloud – Requesting a Service Limit Increase https://docs.us-phoenix-1.oraclecloud.com/Content/General/Concepts/servicelimits.htm#three ","date":"10 April 2018","externalUrl":null,"permalink":"/posts/cloud-providers-service-limits/","section":"Posts","summary":"","title":"Cloud Providers Service Limits","type":"posts"},{"content":"AWS access keys enable us to use programmatic or AWS CLI services in a manner similar to using a username and password.\nAWS access keys have account privileges – for better and for worse.\nFor example, if you save access keys (credentials) of a root account inside code, anyone who uses this code can totally damage your AWS account.\nMany stories have been published about security breaches due to access key exposure, especially combined with open source version control systems such as GitHub and GitLab.\nIn order to avoid security breaches, here is a list of best practices for securing your environment when using access keys:\nAvoid using access keys for the root account. In case you already created access keys, delete them. https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#remove-credentials Use minimum privileges when creating account roles. https://docs.aws.amazon.com/IAM/latest/UserGuide/access_controlling.html Use AWS IAM roles instead of using access keys, for resources such as Amazon EC2 instance. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html Use different access keys for each application, in-order to minimize the risk of credential exposure. 
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html Protect access keys by storing them on encrypted machines or encrypted volumes, and avoid sending access keys via email or any other insecure medium. https://docs.aws.amazon.com/kms/latest/developerguide/services-s3.html Rotate (change) access keys on a regular basis, to avoid reuse of credentials. https://aws.amazon.com/blogs/security/how-to-rotate-access-keys-for-iam-users/ Remove unused access keys, to avoid unnecessary access. https://docs.aws.amazon.com/cli/latest/reference/iam/delete-access-key.html Use MFA (Multi-factor authentication) for privileged operations/accounts. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html Configure billing alerts using Amazon CloudWatch, to get notifications about anomalous operations in your AWS account. https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/monitor-charges.html Use AWS CloudTrail auditing to review when an access key was last used. https://aws.amazon.com/blogs/security/new-in-iam-quickly-identify-when-an-access-key-was-last-used/ Use open source tools such as git-secrets to avoid storing passwords and sensitive information inside a Git repository. https://github.com/awslabs/git-secrets Work according to GitHub recommendations and avoid using sensitive information in a public repository. 
https://help.github.com/articles/removing-sensitive-data-from-a-repository/ ","date":"3 March 2018","externalUrl":null,"permalink":"/posts/best-practices-for-using-aws-access-keys/","section":"Posts","summary":"","title":"Best practices for using AWS access keys","type":"posts"},{"content":"","date":"7 October 2017","externalUrl":null,"permalink":"/categories/ccsp/","section":"Categories","summary":"","title":"Ccsp","type":"categories"},{"content":"The CCSP is one of the hardest vendor-neutral cloud related certifications in the industry.\nThe CCSP exam tests the candidate’s knowledge in the following domains:\nArchitectural Concepts and Design Requirements Cloud Data Security Cloud Platform and Infrastructure Security Cloud Application Security Operations Legal and Compliance I strongly recommend taking this exam if you are a solution or cloud security architect, passionate about cloud computing.\nCISSP certification gives you an advantage when taking the exam, due to the amount of study material, amount of exam questions and the exam length.\nHere are the steps I took in order to pass the exam:\nOfficial Cloud Security Alliance course and exam – I have attended the CCSK course and took the official exam.\nAs part of the CCSK exam preparation, I read the following documents:\nSecurity Guidance for Critical Areas of Focus in Cloud Computing, V3 The European Network and Information Security Agency (ENISA) whitepaper \u0026ldquo;Cloud Computing: Benefits, Risks and Recommendations for Information Security\u0026rdquo; Official CCSP CBK training – I took the official live on-line training. 
Most of the study was based on the official book – “Official (ISC)2 Guide to the CISSP CBK”\nAs part of the instructor’s recommendations, I have summarized key aspects of the material and reviewed those a couple of times (instead of reading 600 pages of the CBK more than once).\nThe online training was not cheap, but an exam voucher (for one year) was included.\nExtra reading – I read the “CCSP (ISC)2 Certified Cloud Security Professional Official Study Guide”\nPurchasing this book allowed me access to Wiley’s test bank of more than 700 practice exam questions, which allowed me to better test my knowledge and prepare for a long time-based exam.\nMobile applications – I have installed the following free applications with practice exam questions:\nCloud Security Exam Questions ISC® CCSP Practice Test 2017\nFree CBT – I watched Cybrary’s free CCSP Training, which covers the exam materials\nWork experience – I have no doubt that work experience gave me a lot of knowledge for passing some of the tough scenarios.\nI have not measured the time it took me to review the written material and prepare myself for the exam, but I am guessing a couple of months of preparation.\nI am proud to hold the CCSP (Certified Cloud Security Professional) certification.\n","date":"7 October 2017","externalUrl":null,"permalink":"/posts/how-i-passed-the-ccsp-exam/","section":"Posts","summary":"","title":"How I passed the CCSP exam","type":"posts"},{"content":"Cloud service provider questionnaire\nIn my previous post I gave you a short introduction to cloud computing.\nWhen engaging with a cloud service provider, it is important to evaluate the provider’s maturity level by asking the provider as many questions as possible, until you reach the comfort level needed to sign a contract.\nBelow is a sample questionnaire I recommend you ask the cloud service provider.\nPrivacy-related questions:\nDoes the cloud service provider have an official privacy policy? 
Where are the cloud service provider data centers located around the world? Are the cloud service provider data centers compliant with the EU Directive 95/46/EC? Are the cloud service provider data centers compliant with the General Data Protection Regulation (GDPR)?\nAvailability-related questions:\nWhat is the SLA of the cloud service provider? (Please elaborate) Does the cloud service provider publish information about system issues or outages? What compensation does the cloud service provider offer in case of potential financial loss due to lack of availability? Does the cloud service provider sync data between more than one data center in the same region? How many data centers does the cloud service provider have in the same region? Does the cloud service provider have business continuity processes and procedures? (Please elaborate) What is the cloud service provider\u0026rsquo;s RTO? What is the cloud service provider\u0026rsquo;s RPO? What is the cloud service provider disaster recovery strategy? Does the cloud service provider have change management processes? (Please elaborate) Does the cloud service provider have backup processes? (Please elaborate)\nInteroperability-related questions:\nDoes the cloud service provider support security event monitoring using an API? (Please elaborate) Does the cloud service provider support infrastructure related event monitoring using an API? (Please elaborate)\nSecurity-related questions:\nWhat is the cloud service provider\u0026rsquo;s audit trail process for my organizational data stored or processed? (Please elaborate) What logical controls does the cloud service provider use for my organizational data stored or processed? (Please elaborate) What physical controls does the cloud service provider use for my organizational data stored or processed? (Please elaborate) Does the cloud service provider encrypt data in transit? (Please elaborate) Does the cloud service provider encrypt data at rest? 
(Please elaborate) What encryption algorithm is being used? What encryption key size is being used? Where are the encryption keys stored? At what interval does the cloud service provider rotate the encryption keys? Does the cloud service provider support BYOK (Bring your own keys)? Does the cloud service provider support HYOK (Hold your own keys)? At what level is the data at rest encrypted? (Storage, database, application, etc.) What security controls are being used by the cloud service provider to protect the cloud service itself? Is there an ongoing firewall rule review process performed by the cloud service provider? (Please elaborate) Have all of the cloud service provider\u0026rsquo;s platforms (Operating system, database, middleware, etc.) been hardened according to best practices? (Please elaborate) Does the cloud service provider perform an ongoing patch management process for all hardware and software? (Please elaborate) What security controls are being used by the cloud service provider to protect against data leakage in a multi-tenant environment? How does the cloud service provider perform its access management process? (Please elaborate) Does the cloud service provider enforce 2-factor authentication for accessing all management interfaces? Is the authentication to the cloud service based on standard protocols such as SAML, OAuth, OpenID? How many employees at the cloud service provider will have access to my organizational data? (Infrastructure and database level) Do the cloud service provider\u0026rsquo;s 3rd party suppliers have access to my organizational data? Does the cloud service provider enforce separation between production and development/test environments? (Please elaborate) What is the cloud service provider\u0026rsquo;s password policy (Operating system, database, network components, etc.) for systems that store or process my organizational data? 
Is it possible to schedule a security survey and penetration test on the systems that store my organizational data? Does the cloud service provider have incident response processes and procedures? (Please elaborate) What are the escalation processes in case of a security incident related to my organizational data? (Please elaborate) What are the cloud service provider\u0026rsquo;s processes and controls against distributed denial-of-service? (Please elaborate) Does the cloud service provider have vulnerability management processes? (Please elaborate) Does the cloud service provider have a secure development lifecycle (SDLC) process? (Please elaborate)\nCompliance-related questions:\nIs the cloud service provider compliant with certifications or standards? (Please elaborate) What is the level of compliance with the Cloud Security Alliance Matrix (https://cloudsecurityalliance.org/research/ccm)? Is it possible to receive a copy of the internal audit report performed on the cloud service in the last 12 months? Is it possible to receive a copy of the external audit report performed on the cloud service in the last 12 months? Is it possible to perform an on-site audit of the cloud service provider\u0026rsquo;s data center and activity?\nContract termination-related questions:\nWhat are the cloud service provider\u0026rsquo;s contract termination options? What options does the cloud service provider allow me to export my organizational data stored on the cloud? Is there a process for data deletion in case of contract termination? What standard does the cloud service provider use for data deletion? 
Stay tuned for my next article.\nHere are some recommended articles:\nPractical Guide to Cloud Service Agreements Due Diligence: 50 Questions for Cloud Computing Providers ","date":"11 March 2017","externalUrl":null,"permalink":"/posts/cloud-computing-journey-part-2/","section":"Posts","summary":"","title":"Cloud Computing Journey – Part 2","type":"posts"},{"content":"So, you decided to migrate a system to the cloud. It may be a business or IT initiative, but what does switching from on-premises to the cloud really mean?\nFor ages, we used to manage our IT infrastructure by ourselves, in our own data centers (or network communication cabinets, for small companies…), using our purchased hardware, while maintaining and troubleshooting every software/hardware/network problem.\nIn the cloud, things change. In the cloud, we are one of the many customers sharing compute resources in a multi-tenant environment. We have no control of the hardware or the chosen platform technology (from the servers\u0026rsquo; hardware vendor to the storage vendor), we barely control the virtualization layer, and don\u0026rsquo;t even get me started on troubleshooting the network layer.\nThere are 3 cloud service models:\nIaaS (Infrastructure as a service) – In this service model, the customer controls (almost) everything from the virtual servers\u0026rsquo; operating system, through the application layer, up until the data itself. PaaS (Platform as a service) – In this service model, the customer controls the application layer, up until the data itself. SaaS (Software as a service) – In this service model, the customer has access to a closed application, but the customer is the data owner and can control permissions (and auditing) of the data. 
Now that we understand those basic rules, let\u0026rsquo;s analyze what migrating to the cloud really means.\nThe word that differentiates a mature cloud service provider from a rookie is transparency.\nA mature cloud service provider won’t hesitate to answer tough questions such as “Can I have a copy of your last external audit report?”, “Do you have a business continuity plan?”, “Do you have an SDLC (Software development lifecycle) process?”, etc.\nWhen engaging with a cloud service provider, it is important to know as many details about the provider as you can, until you are comfortable enough to sign a contract.\nA solid contract will give you assurance about the cloud service provider’s ability to fulfill its obligations and will raise the chances of project success.\nIn the next couple of articles, I will try to pinpoint important tips for a successful cloud project.\nStay tuned for my next article.\nHere are some recommended articles:\n10 Questions CIOs Should Ask Before Moving Operations to the Cloud Why cloud? 
Justification for non-techies Top Reasons for Moving to the Cloud 7 Cloud Migration Considerations ","date":"10 December 2016","externalUrl":null,"permalink":"/posts/cloud-computing-journey-part-1/","section":"Posts","summary":"","title":"Cloud Computing Journey – Part 1","type":"posts"},{"content":"","date":"29 October 2016","externalUrl":null,"permalink":"/tags/email/","section":"Tags","summary":"","title":"Email","type":"tags"},{"content":"","date":"29 October 2016","externalUrl":null,"permalink":"/tags/encryption/","section":"Tags","summary":"","title":"Encryption","type":"tags"},{"content":"","date":"29 October 2016","externalUrl":null,"permalink":"/tags/hacking/","section":"Tags","summary":"","title":"Hacking","type":"tags"},{"content":"Every day internet users send more than 200 billion emails, and this statistic makes anonymous e-mail a number one feature to use in day-to-day communication.\nBelow is a step-by-step guide to set up PGP encryption and communicate securely online. The tutorial is developed using Privatoria E-mail service, though one can use any e-mail client supporting this feature. The device used in this installation wizard is MacBook Air, OS X Yosemite. Note that you can set up PGP on any device, regardless of OS.\nStep 1\nPlease log in to your Control Panel and go to Services /Anonymous E-Mail / Go to your inbox. You will be redirected to your mail inbox.\nStep 2\nGo to the Settings section in the top right corner of your page. Click Open PGP - Enable OpenPGP - Save.\nTo start sending encrypted emails you first need to generate a key and send it to the recipient.\nClick on Generate new key. It is recommended to set your own password at this step and use it each and every time you want to send/receive encrypted emails. It provides additional security meaning that your PGP email can never be decrypted and/or your signature is really yours! 
Please note that this password cannot be reset, but you can create a new one in case you forget it :)\nClick Generate and wait for about half a minute until it is generated. Once ready, you will see the following screen\nTo send an encrypted email you will need to use the Public Key. Click View and then choose Send.\nStep 3\nYou will be redirected to the email interface, ready to send your email. Send this email to the recipient first and wait until they send you their key. Once received, click Import. Now, once the key is received, you can proceed with sending the actual both-end encrypted email. Type in the recipient’s email, add the subject and body of your email.\nTo finalize the encryption click on PGP Sign/Encrypt and proceed further. You will receive a message “OpenPGP supports plain text only. Click OK to remove all the formatting and continue.” Click OK.\nNB! The private key is your own key that encrypts the data and is being generated for you only.\nThe email recipient should use any email client supporting the PGP encryption function.\n","date":"29 October 2016","externalUrl":null,"permalink":"/posts/how-to-use-e-mail-pgp-encryption/","section":"Posts","summary":"","title":"How to Use E-mail PGP Encryption","type":"posts"},{"content":"","date":"29 October 2016","externalUrl":null,"permalink":"/tags/internet-security/","section":"Tags","summary":"","title":"Internet-Security","type":"tags"},{"content":"","date":"29 October 2016","externalUrl":null,"permalink":"/tags/security-tools/","section":"Tags","summary":"","title":"Security-Tools","type":"tags"},{"content":" What is a pentest? “Pentest” is short for “penetration test”, and involves having a trusted security expert attack a system for the purpose of discovering, and repairing, security vulnerabilities before malicious attackers can exploit them. This is a critical procedure for securing a system, as the alternative method for discovering vulnerabilities is to wait for unknown agents to exploit them. 
By this time it is, of course, too late to do anything about them.\nIn order to keep a system secure, it is advisable to conduct a pentest on a regular basis, especially when new technology is added to the stack, or vulnerabilities are exposed in your current stack.\n2. What is social engineering?\n“Social engineering” refers to the use of humans as an attack vector to compromise a system. It involves fooling or otherwise manipulating human personnel into revealing information or performing actions on the attacker’s behalf. Social engineering is known to be a very effective attack strategy, since even the strongest security system can be compromised by a single poor decision. In some cases, highly secure systems that cannot be penetrated by computer or cryptographic means, can be compromised by simply calling a member of the target organization on the phone and impersonating a colleague or IT professional.\nCommon social engineering techniques include phishing, clickjacking, and baiting, although several other tricks are at an attacker’s disposal. Baiting with foreign USB drives was famously used to introduce the Stuxnet worm into Iran’s uranium enrichment facilities, damaging the nation’s ability to produce nuclear material.\nFor more information, a good read is Christopher Hadnagy’s book Social Engineering: The Art of Human Hacking.\n3. You find PHP queries overtly in the URL, such as /index.php=?page=userID. What would you then be looking to test? This is an ideal situation for injection and querying. If we know that the server is using a database such as SQL with a PHP controller, it becomes quite easy. We would be looking to test how the server reacts to multiple different types of requests, and what it throws back, looking for anomalies and errors.\nOne example could be code injection. If the server is not using authentication and evaluating each user, one could simply try /index.php?arg=1;system(‘id’) and see if the host returns unintended data.\n4. 
You find yourself in an airport in the depths of a foreign superpower. You’re out of mobile broadband and don’t trust the WI-FI. What do you do? Further, what are the potential threats from open WI-FIs?\nIdeally you want all of your data to pass through an encrypted connection. This would usually entail tunneling via SSH into whatever outside service you need, over a virtual private network (VPN). Otherwise, you’re vulnerable to all manner of attacks, from man-in-the-middle, to captive portal exploitation, and so on.\n5. What does it mean for a machine to have an “air gap”? Why are air gapped machines important?\nAn air gapped machine is simply one that cannot connect to any outside agents. From the highest level being the internet, to the lowest being an intranet or even bluetooth.\nAir gapped machines are isolated from other computers, and are important for storing sensitive data or carrying out critical tasks that should be immune from outside interference. For example, a nuclear power plant should be operated from computers that are behind a full air gap. For the most part, real world air gapped computers are usually connected to some form of intranet in order to make data transfer and process execution easier. However, every connection increases the risk that outside actors will be able to penetrate the system.\n6. You’re tasked with setting up an email encryption system for certain employees of a company. What’s the first thing you should be doing to set them up? How would you distribute the keys?\nThe first task is to do a full clean and make sure that the employees’ machines aren’t compromised in any way. This would usually involve something along the lines of a selective backup. One would take only the very necessary files from one computer and copy them to a clean replica of the new host. We give the replica an internet connection and watch for any suspicious outgoing or incoming activity. 
Then one would perform a full secure erase on the employee’s original machine, to delete everything right down to the last data tick, before finally restoring the backed up files.\nThe keys should then be given out by transferring them over wire through a machine or device with no other connections, importing any necessary .p7s email certificate files into a trusted email client, then securely deleting any trace of the certificate on the originating computer.\nThe first step, cleaning the computers, may seem long and laborious. Theoretically, if you are 100% certain that the machine is in no way affected by any malicious scripts, then of course there is no need for such a process. However in most cases, you’ll never know this for sure, and if any machine has been backdoored in any kind of way, this will usually mean that setting up secure email will be done in vain.\n7. You manage to capture email packets from a sender that are encrypted through Pretty Good Privacy (PGP). What are the most viable options to circumvent this?\nFirst, one should be considering whether to even attempt circumventing the encryption directly. Decryption is nearly impossible here unless you already happen to have the private key. Without this, your computer will be spending multiple lifetimes trying to decrypt a 2048-bit key. It’s likely far easier to simply compromise an end node (i.e. the sender or receiver). This could involve phishing, exploiting the sending host to try and uncover the private key, or compromising the receiver to be able to view the emails as plain text.\n8. What makes a script fully undetectable (FUD) to antivirus software? How would you go about writing a FUD script? A script is FUD to an antivirus when it can infect a target machine and operate without being noticed on that machine by that AV. This usually entails a script that is simple, small, and precise.\nTo know how to write a FUD script, one must understand what the targeted antivirus is actually looking for. 
If the script contains events such as Hook_Keyboard(), File_Delete(), or File_Copy(), it’s very likely it will be picked up by antivirus scanners, so these events are not used. Further, FUD scripts will often mask function names with common names used in the industry, rather than naming them things like fToPwn1337(). A talented attacker might even break up his or her files into smaller chunks, and then hex edit each individual file, thereby making it even more unlikely to be detected.\nAs antivirus software becomes more and more sophisticated, attackers become more sophisticated in response. Antivirus software such as McAfee is much harder to fool now than it was 10 years ago. However, there are talented hackers everywhere who are more than capable of writing fully undetectable scripts, and who will continue to do so. Virus protection is very much a cat and mouse game.\n9. What is a “Man-in-the-Middle” attack?\nA man-in-the-middle attack is one in which the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other. One example is active eavesdropping, in which the attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker, who even has the ability to modify the content of each message. Often abbreviated to MITM, MitM, or MITMA, and sometimes referred to as a session hijacking attack, it has a strong chance of success if the attacker can impersonate each party to the satisfaction of the other. MITM attacks pose a serious threat to online security because they give the attacker the ability to capture and manipulate sensitive information in real-time while posing as a trusted party during transactions, conversations, and the transfer of data. 
This is straightforward in many circumstances; for example, an attacker within reception range of an unencrypted WiFi access point, can insert himself as a man-in-the-middle.\nThis article is from Toptal.\n","date":"5 August 2016","externalUrl":null,"permalink":"/posts/9-essential-system-security-interview-questions/","section":"Posts","summary":"","title":"9 Essential System Security Interview Questions","type":"posts"},{"content":"","date":"5 August 2016","externalUrl":null,"permalink":"/categories/malware/","section":"Categories","summary":"","title":"Malware","type":"categories"},{"content":"","date":"5 August 2016","externalUrl":null,"permalink":"/categories/social-engineering/","section":"Categories","summary":"","title":"Social-Engineering","type":"categories"},{"content":"","date":"5 August 2016","externalUrl":null,"permalink":"/categories/ssl/","section":"Categories","summary":"","title":"Ssl","type":"categories"},{"content":"","date":"5 August 2016","externalUrl":null,"permalink":"/tags/system-security/","section":"Tags","summary":"","title":"System-Security","type":"tags"},{"content":"","date":"5 August 2016","externalUrl":null,"permalink":"/tags/web-safety/","section":"Tags","summary":"","title":"Web-Safety","type":"tags"},{"content":"","date":"5 August 2016","externalUrl":null,"permalink":"/tags/white-hat/","section":"Tags","summary":"","title":"White-Hat","type":"tags"},{"content":"","date":"20 May 2016","externalUrl":null,"permalink":"/tags/app-development/","section":"Tags","summary":"","title":"App-Development","type":"tags"},{"content":"","date":"20 May 2016","externalUrl":null,"permalink":"/tags/application/","section":"Tags","summary":"","title":"Application","type":"tags"},{"content":"","date":"20 May 2016","externalUrl":null,"permalink":"/tags/dev-ops/","section":"Tags","summary":"","title":"Dev-Ops","type":"tags"},{"content":"","date":"20 May 
2016","externalUrl":null,"permalink":"/tags/docker/","section":"Tags","summary":"","title":"Docker","type":"tags"},{"content":"If you like whales, or are simply interested in quick and painless continuous delivery of your software to production, then I invite you to read this introductory Docker Tutorial. Everything seems to indicate that software containers are the future of IT, so let’s go for a quick dip with the container whales Moby Dock and Molly.\nDocker, represented by a logo with a friendly looking whale, is an open source project that facilitates deployment of applications inside of software containers. Its basic functionality is enabled by resource isolation features of the Linux kernel, but it provides a user-friendly API on top of it. The first version was released in 2013, and it has since become extremely popular and is being widely used by many big players such as eBay, Spotify, Baidu, and more. In the last funding round, Docker has landed a huge $95 million.\nTransporting Goods Analogy # The philosophy behind Docker can be illustrated with the following simple analogy. In the international transportation industry, goods have to be transported by different means like forklifts, trucks, trains, cranes, and ships. These goods come in different shapes and sizes and have different storing requirements: sacks of sugar, milk cans, plants etc. Historically, it was a painful process depending on manual intervention at every transit point for loading and unloading.\nIt has all changed with the uptake of intermodal containers. As they come in standard sizes and are manufactured with transportation in mind, all the relevant machinery can be designed to handle these with minimal human intervention. The additional benefit of sealed containers is that they can preserve the internal environment like temperature and humidity for sensitive goods. 
As a result, the transportation industry can stop worrying about the goods themselves and focus on getting them from A to B.\nAnd here is where Docker comes in and brings similar benefits to the software industry.\nHow Is It Different from Virtual Machines? # At a quick glance, virtual machines and Docker containers may seem alike. However, their main differences will become apparent when you take a look at the following diagram:\nApplications running in virtual machines, apart from the hypervisor, require a full instance of the operating system and any supporting libraries. Containers, on the other hand, share the operating system with the host. Hypervisor is comparable to the container engine (represented as Docker on the image) in a sense that it manages the lifecycle of the containers. The important difference is that the processes running inside the containers are just like the native processes on the host, and do not introduce any overheads associated with hypervisor execution. Additionally, applications can reuse the libraries and share the data between containers.\nAs both technologies have different strengths, it is common to find systems combining virtual machines and containers. A perfect example is a tool named Boot2Docker described in the Docker installation section.\nDocker Architecture # At the top of the architecture diagram there are registries. By default, the main registry is the Docker Hub which hosts public and official images. Organizations can also host their private registries if they desire.\nOn the right-hand side we have images and containers. Images can be downloaded from registries explicitly (docker pull imageName) or implicitly when starting a container. Once the image is downloaded it is cached locally.\nContainers are the instances of images - they are the living thing. 
There could be multiple containers running based on the same image.\nAt the centre, there is the Docker daemon responsible for creating, running, and monitoring containers. It also takes care of building and storing images. Finally, on the left-hand side there is a Docker client. It talks to the daemon via HTTP. Unix sockets are used when on the same machine, but remote management is possible via an HTTP-based API.\nInstalling Docker # For the latest instructions you should always refer to the official documentation.\nDocker runs natively on Linux, so depending on the target distribution it could be as easy as sudo apt-get install docker.io. Refer to the documentation for details. Normally in Linux, you prepend the Docker commands with sudo, but we will skip it in this article for clarity.\nAs the Docker daemon uses Linux-specific kernel features, it isn’t possible to run Docker natively in Mac OS or Windows. Instead, you should install an application called Boot2Docker. The application consists of a VirtualBox Virtual Machine, Docker itself, and the Boot2Docker management utilities. You can follow the official installation instructions for MacOS and Windows to install Docker on these platforms.\nUsing Docker # Let us begin this section with a quick example:\ndocker run phusion/baseimage echo \u0026#34;Hello Moby Dock. Hello Molly.\u0026#34;\nWe should see this output:\nHello Moby Dock. Hello Molly.\nHowever, a lot more has happened behind the scenes than you may think:\nThe image ‘phusion/baseimage’ was downloaded from Docker Hub (if it wasn’t already in the local cache)\nA container based on this image was started\nThe command echo was executed within the container\nThe container was stopped when the command exited\nOn first run, you may notice a delay before the text is printed on screen. If the image had been cached locally, everything would have taken a fraction of a second. 
Details about the last container can be retrieved by running docker ps -l:\nCONTAINER ID\tIMAGE\tCOMMAND\tCREATED\tSTATUS\tPORTS\tNAMES\naf14bec37930\tphusion/baseimage:latest\t\u0026#34;echo \u0026#39;Hello Moby Do\t2 minutes ago\tExited (0) 3 seconds ago\tstoic_bardeen\nTaking the Next Dive # As you can tell, running a simple command within Docker is as easy as running it directly on a standard terminal. To illustrate a more practical use case, throughout the remainder of this article, we will see how we can utilize Docker to deploy a simple web server application. To keep things simple, we will write a Java program that handles HTTP GET requests to ‘/ping’ and responds with the string ‘pong\\n’.\nimport java.io.IOException;\nimport java.io.OutputStream;\nimport java.net.InetSocketAddress;\nimport com.sun.net.httpserver.HttpExchange;\nimport com.sun.net.httpserver.HttpHandler;\nimport com.sun.net.httpserver.HttpServer;\n\npublic class PingPong {\n    public static void main(String[] args) throws Exception {\n        // Listen on port 8080 and route /ping to the handler below\n        HttpServer server = HttpServer.create(new InetSocketAddress(8080), 0);\n        server.createContext(\u0026#34;/ping\u0026#34;, new MyHandler());\n        server.setExecutor(null);\n        server.start();\n    }\n\n    static class MyHandler implements HttpHandler {\n        @Override\n        public void handle(HttpExchange t) throws IOException {\n            // Reply with HTTP 200 and the body pong followed by a newline\n            String response = \u0026#34;pong\\n\u0026#34;;\n            t.sendResponseHeaders(200, response.length());\n            OutputStream os = t.getResponseBody();\n            os.write(response.getBytes());\n            os.close();\n        }\n    }\n}\nDockerfile # Before jumping in and building your own Docker image, it’s a good practice to first check if there is an existing one in the Docker Hub or any private registries you have access to. For example, instead of installing Java ourselves, we will use an official image: java:8.\nTo build an image, first we need to decide on a base image we are going to use. It is denoted by the FROM instruction. 
Here, it is an official image for Java 8 from the Docker Hub. We are going to copy our Java file into it by issuing a COPY instruction. Next, we are going to compile it with RUN. The EXPOSE instruction denotes that the image will be providing a service on a particular port. ENTRYPOINT specifies the command that we want to execute when a container based on this image is started, and CMD indicates the default parameters we are going to pass to it.\nFROM java:8\nCOPY PingPong.java /\nRUN javac PingPong.java\nEXPOSE 8080\nENTRYPOINT [\u0026#34;java\u0026#34;]\nCMD [\u0026#34;PingPong\u0026#34;]\nAfter saving these instructions in a file called “Dockerfile”, we can build the corresponding Docker image by executing:\ndocker build -t toptal/pingpong .\nThe official documentation for Docker has a section dedicated to best practices regarding writing Dockerfile.\nRunning Containers # When the image has been built, we can bring it to life as a container. There are several ways we could run containers, but let’s start with a simple one:\ndocker run -d -p 8080:8080 toptal/pingpong\nwhere -p [port-on-the-host]:[port-in-the-container] denotes the ports mapping on the host and the container respectively. Furthermore, we are telling Docker to run the container as a daemon process in the background by specifying -d. You can test if the web server application is running by attempting to access ‘http://localhost:8080/ping’. Note that on platforms where Boot2docker is being used, you will need to replace ‘localhost’ with the IP address of the virtual machine where Docker is running.\nOn Linux:\ncurl http://localhost:8080/ping\nOn platforms requiring Boot2Docker:\ncurl $(boot2docker ip):8080/ping\nIf all goes well, you should see the response:\npong\nHurray, our first custom Docker container is alive and swimming! We could also start the container in an interactive mode -i -t. In our case, we will override the entrypoint command so we are presented with a bash terminal. 
Now we can execute whatever commands we want, but exiting the container will stop it:\ndocker run -i -t --entrypoint=\"bash\" toptal/pingpong\nThere are many more options available for starting containers. Let us cover a few more. For example, if we want to persist data outside of the container, we could share the host filesystem with the container by using -v. By default, the access mode is read-write, but it can be changed to read-only by appending :ro to the intra-container volume path. Volumes are particularly important when we need to use sensitive information such as credentials and private keys inside containers, which shouldn’t be stored in the image. Additionally, volumes can prevent the duplication of data, for example by mapping your local Maven repository into the container to save you from downloading the Internet twice.\nDocker also has the capability of linking containers together. Linked containers can talk to each other even if none of the ports are exposed. This can be achieved with --link other-container-name. Below is an example combining the parameters mentioned above:\ndocker run -p 9999:8080 --link otherContainerA --link otherContainerB -v /Users/$USER/.m2/repository:/home/user/.m2/repository toptal/pingpong\nOther Container and Image Operations\nUnsurprisingly, the list of operations that one could apply to the containers and images is rather long. For brevity, let us look at just a few of them:\nstop - Stops a running container.\nstart - Starts a stopped container.\ncommit - Creates a new image from a container’s changes.\nrm - Removes one or more containers.\nrmi - Removes one or more images.\nps - Lists containers.\nimages - Lists images.\nexec - Runs a command in a running container.\n
The last command can be particularly useful for debugging purposes, as it lets you connect to a terminal of a running container:\ndocker exec -i -t \u003ccontainer-id\u003e bash\nDocker Compose for the Microservice World # If you have more than just a couple of interconnected containers, it makes sense to use a tool like docker-compose. In a configuration file, you describe how to start the containers and how they should be linked with each other. Irrespective of the number of containers involved and their dependencies, you could have all of them up and running with one command: docker-compose up.\nDocker in the Wild # Let’s look at three stages of the project lifecycle and see how our friendly whale could be of help.\nDevelopment # Docker helps you keep your local development environment clean. Instead of having multiple versions of different services installed such as Java, Kafka, Spark, Cassandra, etc., you can just start and stop a required container when necessary. You can take things a step further and run multiple software stacks side by side, avoiding the mix-up of dependency versions.\nWith Docker, you can save time, effort, and money. If your project is very complex to set up, “dockerise” it. Go through the pain of creating a Docker image once, and from this point everyone can just start a container in a snap.\nYou can also have an “integration environment” running locally (or on CI) and replace stubs with real services running in Docker containers.\nTesting / Continuous Integration # With a Dockerfile, it is easy to achieve reproducible builds. Jenkins or other CI solutions can be configured to create a Docker image for every build. You could store some or all images in a private Docker registry for future reference.\nWith Docker, you only test what needs to be tested and take the environment out of the equation.
Performing tests on a running container can help keep things much more predictable.\nAnother interesting feature of having software containers is that it is easy to spin up slave machines with an identical development setup. It can be particularly useful for load testing of clustered deployments.\nProduction # Docker can be a common interface between developers and operations personnel, eliminating a source of friction. It also encourages the same image/binaries to be used at every step of the pipeline. Moreover, being able to deploy a fully tested container without environment differences helps to ensure that no errors are introduced in the build process.\nYou can seamlessly migrate applications into production. Something that was once a tedious and flaky process can now be as simple as:\ndocker stop container-id; docker run new-image\nAnd if something goes wrong when deploying a new version, you can always quickly roll back or switch to another container:\ndocker stop container-id; docker start other-container-id\n… guaranteed not to leave any mess behind or leave things in an inconsistent state.\nSummary # A good summary of what Docker does is included in its very own motto: Build, Ship, Run.\nBuild - Docker allows you to compose your application from microservices, without worrying about inconsistencies between development and production environments, and without locking into any platform or language.\nShip - Docker lets you design the entire cycle of application development, testing, and distribution, and manage it with a consistent user interface.\nRun - Docker offers you the ability to deploy scalable services securely and reliably on a wide variety of platforms.\n
Have fun swimming with the whales!\nPart of this work is inspired by an excellent book Using Docker by Adrian Mouat.\nThis article was written by RADEK OSTROWSKI, a Toptal Java developer.\n","date":"20 May 2016","externalUrl":null,"permalink":"/posts/getting-started-with-docker-simplifying-devops/","section":"Posts","summary":"","title":"Getting Started with Docker: Simplifying Devops","type":"posts"},{"content":"","date":"20 May 2016","externalUrl":null,"permalink":"/tags/scale/","section":"Tags","summary":"","title":"Scale","type":"tags"},{"content":"","date":"20 May 2016","externalUrl":null,"permalink":"/tags/web-development/","section":"Tags","summary":"","title":"Web-Development","type":"tags"},{"content":"","date":"14 May 2016","externalUrl":null,"permalink":"/tags/aws/","section":"Tags","summary":"","title":"Aws","type":"tags"},{"content":"","date":"14 May 2016","externalUrl":null,"permalink":"/categories/big-data/","section":"Categories","summary":"","title":"Big-Data","type":"categories"},{"content":" Why you may need it? # I am a developer, and I work daily in Integrated Development Environments (IDE), such as IntelliJ IDEA or Eclipse. These IDEs are desktop applications. Since the advent of Google Documents, I have seen more and more people moving their work from desktop versions of Word or Excel to the cloud using an online equivalent of a word processor or a spreadsheet application.\nThere are obvious reasons for using a cloud to keep your work. Today, compared to the traditional desktop business applications, some web applications do not have a significant disadvantage in functionalities. The content is available wherever there is a web browser, and these days, that’s almost everywhere. Collaboration and sharing are easier, and losing files is less likely.\nUnfortunately, these cloud advantages are not as common in the world of software development as they are for business applications.
There are some attempts to provide an online IDE, but they are nowhere close to traditional IDEs.\nThat is a paradox; while we are still bound to our desktop for daily coding, the software is now spawned on multiple servers. Developers need to work with things they can no longer keep on their own computers. Indeed, laptops are no longer increasing their processing power; having more than 16GB of RAM on a laptop is rare and expensive, and newer devices, tablets, for example, have even less.\nHowever, even if it is not yet possible to replace classic desktop applications for software development, it is possible to move your entire development desktop to the cloud. The day I realized it was no longer necessary to have all my software on my laptop, and noticed the availability of web versions of terminals and VNC, I moved everything to the cloud. Eventually, I developed a build kit for creating that environment in an automated way.\nWhat is the cloud about for a developer? Developing in it, of course!\nIn this article I present a set of scripts to build a cloud-based development environment for Scala and big data applications, running with Docker in Amazon AWS, and comprising a web-accessible desktop with the IntelliJ IDE, Spark, Hadoop and Zeppelin as services, and also command line tools like a web-based SSH, SBT and Ammonite. The kit is freely available on GitHub, and I describe here the procedure for using it to build your instance. You can build your environment and customize it to your particular needs. It should not take you more than 10 minutes to have it up and running.\nWhat is in the “BigDataDevKit”? # My primary goal in developing the kit was that my development environment should be something I can simply fire up, with all the services and servers I work with, and then destroy when they are no longer needed.
This is especially important when you work on different projects, some of them involving a large number of servers and services, as when you work on big data projects.\nMy ideal cloud-based environment should:\nInclude all the usual development tools, most importantly a graphical IDE.\nHave the servers and services I need at my fingertips.\nBe easy and fast to create from scratch, and expandable to add more services.\nBe entirely accessible using only a web browser.\nOptionally, allow access with specialized clients (VNC client and SSH client).\nLeveraging modern cloud infrastructure and software, the power of modern browsers, the widespread availability of broadband, and the invaluable Docker, I created a development environment for Scala and big data development that, for the better, replaced my development laptop.\nCurrently, I can work at any time, either from a MacBook Pro, a Surface Tablet, or even an iPad (with a keyboard), although admittedly the last option is not ideal. All these devices are merely clients; the desktop and all the servers are in the cloud.\nMy current environment is built using the following online services:\nAmazon Web Services for the servers.\nGitHub for storing the code.\nDropbox to save files.\nI also use a couple of free services, like DuckDNS for dynamic IP addresses and Let’s Encrypt to get a free SSL certificate.\nIn this environment, I currently have:\nA graphical desktop with IntelliJ IDEA, accessible via a web browser.\nWeb-accessible command line tools like SBT and Ammonite.\nHadoop for storing files and running MapReduce jobs.\nSpark Job Server for scheduled jobs.\nZeppelin for a web-based notebook.\nMost importantly, the web access is fully encrypted with HTTPS, for both web-based VNC and SSH, and there are multiple safeguards to avoid losing data, a concern that is, of course, important when you do not “own” the content on your physical hard disk. Note that getting a copy of all your work on your computer is automatic and very fast.
If you lose everything because someone stole your password, you have a copy on your computer anyway, as long as you configured everything correctly.\nUsing a Web Based Development Environment with AWS and Docker # Now, let’s start describing how the environment works. When I start work in the morning, the first thing is to log into the Amazon Web Services console where I see all my instances. Usually, I have many development instances configured for different projects, and I keep the unused ones turned off to save on billing. After all, I can only work on one project at a time. (Well, sometimes I work on two.)\nSo, I select the instance I want, start it, and wait a little or go grab a cup of coffee. It’s not so different to turning on your computer. It usually takes a bunch of seconds to have the instance up and running. Once I see the green icon, I open a browser, and I go to a well-known URL: https://msciab.duckdns.org/vnc.html. Note, this is my URL; when you create a kit, you will create your unique URL.\nSince AWS assigns a new IP to each machine when you start, I configured a dynamic DNS service, so you can always use the same URL to access your server, even if you stop and restart it. You can even bookmark it in your browser. Furthermore, I use HTTPS with valid keys to get total protection of my work from sniffers, in case I need to manage passwords and other sensitive data.\nOnce loaded, the system will welcome you with a web VNC client, noVNC. Simply log in and a desktop appears. I use a minimal desktop, intentionally, just a menu with applications, and my only luxury is a virtual desktop (since I open a lot of windows when I develop). For mail, I still rely on other applications, nowadays mostly other browser tabs.\nIn the virtual machine, I have what I need to develop big data applications. First and foremost, there is an IDE. In the build, I use the IntelliJ IDEA Community Edition.
Also, there is the SBT build tool and a Scala REPL, Ammonite.\nThe key features of this environment, however, are services deployed as containers in the same virtual machine. In particular, I have:\nZeppelin, the web notebook for using Scala code on the fly and doing data analysis (http://zeppelin:8080).\nThe Spark Job Server, to execute and deploy Spark jobs with a REST interface (http://sparkjobserver:8080).\nAn instance of Hadoop for storing and retrieving data from the HDFS (http://hadoop:50070).\nNote, these URLs are fixed but are accessible only within the virtual environment. You can see their web interfaces in the following screenshot.\nEach service runs in a separate Docker container. Without becoming too technical, you can think of this as three separate servers inside your virtual machine. The beauty of using Docker is you can add services, and even add two or three virtual machines. Using Amazon containers, you can scale your environment easily.\nLast, but not least, you have a web terminal available. Simply access your URL with HTTPS and you will be welcomed with a terminal in a web page.\nIn the screenshot above you can see I list the containers, which are the three servers plus the desktop. This command line shell gives you access to the virtual machine holding the containers, allowing you to manage them. It’s as if your servers are “in the Matrix” (virtualized within containers), but this shell gives you an escape outside the “Matrix” to manage the servers and the desktop. From here, you can restart the containers, access their filesystems and perform other manipulations allowed by Docker. I will not discuss Docker in detail here, but there is a vast amount of documentation on the Docker website.\nHow to set up your instance # Do you like this so far, and want your own instance? It is easy and cheap. You can get it for merely the cost of the virtual machine on Amazon Web Services, plus the storage.
The kit in the current configuration requires 4GB of RAM to get all the services running. If you are careful to use the virtual machine only when you need it, and you work, say, 160 hours a month, a virtual machine at current rates will cost 160 x $0.052, or $8 per month. You have to add the cost of storage. I use around 30GB, but everything altogether can be kept under $10.\nHowever, this does not include the cost of an (optional) Dropbox (Pro) account, should you want to back up more than 2GB of code. This costs another $15 per month, but it provides important safety for your data. Also, you will need a private repository, either a paid GitHub or another service, such as Bitbucket, which offers free private repositories.\nI want to stress that if you use it only when you need it, it is cheaper than a dedicated server. Yes, everything mentioned here can be set up on a physical server, but since I work with big data I need a lot of other AWS services, so I think it is logical to have everything in the same place.\nLet’s see how to do the whole setup.\nPrerequisites # Before starting to build a virtual machine, you need to register with the following four services:\nAmazon Web Services.\nDuckDNS.\nDropbox.\nLet’s Encrypt.\nThe only one you need your credit card for is Amazon Web Services. DuckDNS is entirely free, while Dropbox gives you 2GB of free storage, which can be enough for many tasks. Let’s Encrypt is also free, and it is used internally when you build the image to sign your certificate. Besides these, I recommend a repository hosting service too, like GitHub or Bitbucket, if you want to store your code; however, it is not required for the setup.\nTo start, navigate to the GitHub BigDataDevKit repository.\nScroll the page and copy the script shown in the image into your text editor of choice:\nThis script is needed to bootstrap the image. You have to change it and provide some values to the parameters. Carefully change the text within the quotes.
Note you cannot use characters like the quote itself, the backslash or the dollar sign in the password, unless you quote them. This problem is relevant only for the password. If you want to play it safe, avoid quotes, dollar signs, and backslashes.\nThe PASSWORD parameter is a password you choose to access the virtual machine via a web interface. The EMAIL parameter is your email, and will be used when you register an SSL certificate. You will be required to provide your email, and it is the only requirement for getting a free SSL certificate from Let’s Encrypt.\nTo get the values for TOKEN and HOST, go to the DuckDNS site and log in. You will need to choose an unused hostname.\nLook at the image to see where you have to copy the token and where you have to add your hostname. You must click on the “add domain” button to reserve the hostname.\nConfiguring your instance\nAssuming you have all the parameters and have edited the script, you are ready to launch your instance. Log in to the Amazon Web Services management interface, go to the EC2 Instances panel and click on “Launch Instance”.\nIn the first screen, you will choose an image. The script is built around Amazon Linux, and there are no other options available. Select Amazon Linux, the first option in the QuickStart list.\nOn the second screen, choose the instance type. Given the size of the software running, there are multiple services and you need at least 4GB of memory, so I recommend you select the t2.medium instance. You could trim it down, using the t2.small if you shut down some services, or even the micro if you only want the desktop.\nOn the third screen, click “Advanced Details” and paste the script you configured in the previous step. I also recommend you enable protection against termination, so that with an accidental termination you won’t lose all your work.\nThe next step is to configure the storage. The default for an instance is 8GB, which is not enough to contain all the images we will build.
I recommend increasing it to 20GB. Also, while it is not needed, I suggest another block device of at least 10GB. The script will mount the second block device as a data folder. You can make a snapshot of its contents, terminate the instance, then recreate it using the snapshot, recovering all the work. Furthermore, a custom block device is not lost when you terminate the instance, so you have double protection against accidental loss of your data. To increase your safety even further, you can back up your data automatically with Dropbox.\nThe fifth step is naming the instance. Pick your own. The sixth step offers a way to configure the firewall. By default only SSH is available but we also need HTTPS, so do not forget to also add a rule opening HTTPS. You could open HTTPS to the world, but it’s better if it’s only to your IP to prevent others from accessing your desktop and shell, even though that is still protected with a password.\nOnce done with this last configuration, you can launch the instance. You will notice that the initialization can take quite a few minutes the first time since the initialization script is running and it will also do some lengthy tasks like generating an HTTPS certificate with Let’s Encrypt.\nWhen you eventually see the management console “running” with a confirmation, and it is no longer “initializing”, you are ready to go.\nAssuming all the parameters are correct, you can navigate to https://YOURHOST.duckdns.org.\nReplace YOURHOST with the hostname you chose, and do not forget it is an HTTPS site, not HTTP: your connection to the server is encrypted, so you must write https:// in the URL. The site will also present a valid certificate from Let’s Encrypt. If there are problems getting the certificate, the initialization script will generate a self-signed certificate. You will still be able to connect with an encrypted connection, but the browser will warn you it is an unknown site, and the connections are insecure.
It should not happen, but you never know.\nAssuming everything is working, you then access the web terminal, Butterfly. You can log in using the user app and the password you put in the setup script.\nOnce logged in, you have a bootstrapped virtual machine, which also includes Docker and other goodies, such as an Nginx frontend, Git, and the Butterfly Web Terminal. Now, you can complete the setup by building the Docker images for your development environment.\nNext, type the following commands:\ngit clone https://github.com/sciabarra/BigDataDevKit\ncd BigDataDevKit\nsh build.sh\nThe last command will also ask you to type a password for the Desktop access. Once done, it will start to build the images. Note the build will take about 10 minutes, but you can see what is happening because everything is shown on the screen.\nOnce the build is complete, you can also install Dropbox with the following command:\n/app/.dropbox-dist/dropboxd\nThe system will show a link you must click to enable Dropbox. You need to log into Dropbox and then you are done. Whatever you put in the Dropbox folder is automatically synced between all your Dropbox instances.\nOnce done, you can restart the virtual machine, and access your environment at the https://YOURHOST.duckdns.org/vnc.html URL.\nYou can stop your machine and restart it when you resume work. The access URL stays the same. This way, you will pay only for the time you are using it, plus a monthly extra for the storage used.\nPreserving your data # The following discussion requires some knowledge of how Docker and Amazon work. If you do not want to understand the details, just keep in mind the following simple rule: in the virtual machine, there is an /app/Dropbox folder available; whatever you place in /app/Dropbox is preserved, and everything else is disposable and can go away. To improve security further, also store your precious code in a version control system.\nNow, if you do want to understand this, read on.
If you followed my directions in the virtual machine creation, the virtual machine is protected from termination, so you cannot destroy it accidentally. If you expressly decide to terminate it, the primary volume will be destroyed. All the Docker images will be lost, including all the changes you made.\nHowever, since the folder /app/Dropbox is mounted as a Docker volume for containers, it is not part of the Docker images. In the virtual machine, the folder /app is mounted in the Amazon Volume you created, which is also not destroyed even when you expressly terminate the virtual machine. To remove the volume, you have to remove it expressly.\nDo not confuse Docker volumes, which are a Docker logical entity, with Amazon Volumes, which are a somewhat physical entity. What happens is that the /app/Dropbox Docker volume is placed inside the /app Amazon volume.\nThe Amazon Volume is not automatically destroyed when you terminate the virtual machine, so whatever is placed in it will be preserved, until you also expressly destroy the volume. Furthermore, whatever you put in the Docker volume is stored outside of the container, so it is not destroyed when the container is destroyed. If you enabled Dropbox, as recommended, all your content is copied to the Dropbox servers, and to your hard disk if you sync Dropbox with your computer(s). Also, it is recommended that the source code be stored in a version control system.\nSo, if you place your stuff in a version control system under the Dropbox folder, to lose your data all of this must happen:\nYou expressly terminate your virtual machine.\nYou expressly remove the data volume from the virtual machine.\nYou expressly remove the data from Dropbox, including the history.\nYou expressly remove the data from the version control system.\nI hope your data is safe enough.\nI keep a virtual machine for each project, and when I finish, I keep the unused virtual machines turned off.
Of course, I have all my code on GitHub and backed up in Dropbox. Furthermore, when I stop working on a project, I take a snapshot of the Amazon Web Services block before removing the virtual machine entirely. This way, whenever a project resumes, for example for maintenance, all I need to do is start a new virtual machine using the snapshot. All my data goes back in place, and I can resume working.\nOptimizing access # First, if you have direct internet access, not mediated by a proxy, you can use native SSH and VNC clients. Direct SSH access is important if you need to copy files in and out of the virtual machine. However, for file sharing, you should consider Dropbox as a simpler alternative.\nThe VNC web access is invaluable, but sometimes, it can be slower than a native client. You have access to the VNC server on the virtual machine using port 5900. You must expressly open it because it is closed by default. I recommend that you only open it to your IP address, because the internet is full of “robots” that scan the internet looking for services to hook into, and VNC is a frequent target of those robots.\nConclusion # This article explains how you can leverage modern cloud technology to implement an effective development environment. While a machine in the cloud cannot be a complete replacement for your working computer or a laptop, it is good enough for doing development work when it is important to have access to the IDE. In my experience, with current internet connections, it is fast enough to work with.\nBeing in the cloud, server access and manipulation is faster than having them locally. You can quickly increase (or decrease) memory, fire up another environment, create an image, and so on. You have a datacenter at your fingertips, and when you work with big data projects, well, you need robust services and lots of space. 
That is what the cloud provides.\nThe original article was written by MICHELE SCIABARRA - FREELANCE SOFTWARE ENGINEER @ TOPTAL and can be read here.\nIf you’d like to learn more about Toptal designers or hire one, check this out.\n","date":"14 May 2016","externalUrl":null,"permalink":"/posts/developing-for-the-cloud-in-the-cloud-bigdata-development-with-docker-in-aws/","section":"Posts","summary":"","title":"Developing for the Cloud in the Cloud: BigData Development with Docker in AWS","type":"posts"},{"content":"","date":"14 May 2016","externalUrl":null,"permalink":"/tags/how-to/","section":"Tags","summary":"","title":"How-To","type":"tags"},{"content":"","date":"14 May 2016","externalUrl":null,"permalink":"/tags/tech/","section":"Tags","summary":"","title":"Tech","type":"tags"},{"content":"The following article is a guest post from Toptal. Toptal is an elite network of freelancers that enables businesses to connect with the top 3% of software engineers and designers in the world.\nThe smart home technology boom is upon us. Despite lucrative projections for the market, and ever increasing numbers of connected devices, we have yet to witness much social impact from consumer adoption into the home. As a potential tipping point looms, there are several debates surrounding privacy, integration and other technical issues. Yet, there seems to be less speculation regarding why consumers still haven’t bought into the hype, nor how domestic life has improved. Considering how personal the home is, should it be concerning that those advertising these products discuss quality of life less than data, energy and ‘security’? Is the adoption of the Internet of Things into our homes inevitable, or is it already here?\nSomewhere in the Near Future # The smart person returns to their certified ‘Internet-of-Things’ smart home after a long day at work. The smart security system senses that the smart person is alone and initiates the ‘Friday Night In’ sequence.
Inside, an intercom with a standardized motherly voice suggests that the smart person might want to order in tonight. The smart person unloads their things in the kitchen where the smart stove displays a selection of takeout, rather than its default recipe guide. Following the arrival of the food, the smart person retreats to the living room to wind down, and watch some TV in their underwear. The smart TV prepares a selection of Netflix marathons categorized by mood. The smart person chooses: ‘Looking to be cheered up? Comedy Playlist’. Before starting the show, the smart person reviews a set of graphs that display the data from activity and diet throughout the day. A list of tips for smart living is generated at the bottom, one of which reads that based on the number of consecutive nights that the Smart Person has had alone, they might consider investigating a selection of popular dating sites instead of watching TV tonight. At the slip of a thumb the smart person OKs the request and instantly a set of profiles is displayed, each chosen from a generated list of Smart Person’s tracked preferences. Suddenly, a flurry of pings and messages from other stay-at-home hopefuls fills the screen. The smart home intercom repeats aloud ‘You’ve got mail!’. The smart person fumbles for the remote and - oops - the TV snaps a selfie in response to the flood of pings. Their image, sitting in their underwear eating noodles, appears briefly on the screen before being whisked off into the ether. The flood of messages doubles only to freeze the system, causing the smart home to reboot. The house goes dark. The now blank screen of the smart TV reflects the image of the smart person again, finally alone.\nHome Smart Home # With all the debate and headlines regarding the Internet of Things, the numbers of connected devices and market valuations - is there anyone left to ask about what will happen to the home once Smart Homes take over?
The keeping of a home is one of the oldest traditions, if not the oldest, that we have as humans. Does the Smart Home mean the end of the home as we know it?\nThe home is the original place where we build our identity and mark our place in the world - the original profile. Each generation has formed its radical dwellings as their respective marks on the world. We can now look back into those past homes as windows into the past lives of those generations, their values and ambitions. What do our Smart Homes tell us about ourselves? Or perhaps instead, what are they telling everyone else? A Brief History of the Automated Home # The process towards the automated home began almost two centuries ago now. When we first plugged our homes in, the light bulb gave us the night. No longer was man confined to the limits of the sun. The technology offered liberation from the natural hours of the day. Later, appliances replaced tools and everything that moved, or could move, became battery powered. The first generation of the automated home advertised better performance for leisure in exchange. More time for the family, or affording the once confined housewife to pursue her career as well. The automated home liberated us from the need to maintain it.\nNow, the technological trend continues to carry us through the next generation into a new domesticity. Although there will always be laments for what has passed, perhaps change isn’t so bad. If there is a new liberation perhaps it is the freedom to stay home. The freedom to sit and allow the world to visit us inside. Freedom from the outdoors. Freedom from each other. Yet, this time, is the freedom coming at a cost?\nThe home is the original security device - the original firewall. But now, as we allow the entire world to float through our walls and into our homes, have we deflated the entire meaning of our home that has stood for millennia? We speak of security and privacy now in the context of technical systems and hardware.
But have we forgotten the origin of what privacy meant? In the spaces where we were once the most intimate, by inviting the world in we are becoming the most exposed. To adopt the Smart Home, must we forfeit the home?\nGiven the acceptance worldwide that privacy is dead, these thoughts may seem obsolete, falling on the ears of developers and web designers. The point though is to fundamentally question what the Smart Home is offering us in exchange for what we must give it. Effectively, is the trade worth it? Will domestic life improve as it did during the first generations of automation? Or, how do we ensure, especially as the community who may be taking part in that change, that some amount of domesticity is salvaged?\nThe State of the Internet of Things # The Internet of Things is one of those monster hot topic terms that when we hear it, we know of its significance, and yet may know much less about its tangible effects. We may hear that there are estimates of 200 billion devices being connected in the near future, or that the market’s value is projected at 80 billion dollars. The numbers have similar significance as knowing that the earth is 92.2 million miles away from the sun. They’re very important numbers, yet most of us don’t understand the specifics, or address the numbers daily. All that most people want to know, in most cases, is how this thing is going to change or improve our lives.\nWhat is keeping smart home technology from being adopted with the same ubiquity as smart phones today? Consider the early phases of smartphone technology. What caused them to make the leap from a niche device, to being fastened to the hip of nearly every person and their grandparent?\nSmart phones existed for about a decade before the market saw a significant boom. The release of the iPhone in 2007 generated a major shift as Apple was the first to design and market the device for everyday use. 
The elements that the iPhone introduced or improved seem to be subtle interface adjustments, and yet were able to catalyze a major shift. Thus, what might be that critical tipping point, or product for smart homes?\nThe Issue With Niche Products # Every day there seem to be more smart home products to outfit your home with. Yet with each new application there is a new device, with a new remote that might connect with another new app on your smart phone. No matter how potentially helpful any of these devices might be, they appear to be novel and excessive without being associated with a greater purpose.\nRecently, Yves Behar released the designs for a connected garden tracking system called Edyn. The system contains two products, one to monitor the soil, and another to respond to the tracked data and irrigate the garden as necessary. With the data, the app can recommend which plants might be the easiest to grow, and what the produce might need in order to flourish.\nSeems pretty handy - but is it necessary enough to become widely adopted, or to really change the way we maintain our yards? Especially considering that for many, gardening is a pleasurable activity. People often garden as a meditative tool. In fact, there was a study recently suggesting that the happier someone is, the more they garden, and the more someone gardens, the happier they are. So, what exactly is Edyn suggesting that they can improve upon in this process that gardening was without before? If gardening becomes easier, what else is to be gained in terms of time in the day? Perhaps now the smart gardener can fit in another Netflix episode, rather than do the watering themselves. Hopefully one day they won’t even have to lift a green thumb at all! Imagine all the Netflix that could be watched.\nNow, I don’t mean to pick on Edyn too much, but my point is that this tool is representative of most smart home technology. 
A lot of it would be nice to have I suppose, but it doesn’t quite seem worth the cost and the trouble.\nSo What’s Next # The issue with the clunky interaction between multiple apps is now clear to the market, as there is a definite push towards who can develop the ‘hub’ for all smart home devices. Some of the key players so far are SmartThings and Wink; Apple is supposedly generating momentum through AppleTV, and Amazon has the Echo device.\nHowever, there so far is no real front runner, nor have many homes really begun to adopt the technology. What seems to be lacking, as was the case with the iPhone, is the proper interface that can relieve the smart home technology of all of the headaches that get in the way of convenience.\nMost of the processes that these technologies are looking to improve are not exactly major burdens - turning of lights, playing music etc. Thus, if the experience is hardly more enjoyable, the new technology won’t be adopted.\nOne product, Josh.ai, has recognized this need for cohesion between devices, and focuses its manifesto towards interfacing. Josh.ai anticipates the need for programs to develop and build over time along with the user. Eventually, certain commands become memorized such that Josh.ai will know that every morning it should slowly raise the lights, turn on the morning news, and prepare a cup of coffee. The interface takes any work out of choosing between apps, and instead responds to voice commands to manage all connected devices. Josh.ai is advertised as your home’s best friend. You even talk to Josh.ai as if it’s your best friend.\nJosh.ai bases its product around the use of voice rather than any other interface. This may be a critical move for smart home technology. Josh.ai’s platform essentially asks how can the user program their home with as little work as possible? The hope is that even complex processes like morning routines might be programmed by voice, then memorized for future instances. 
“Hey Josh, when I get home can you turn up the lights, set the oven to 300, and maybe put on something like Frank Sinatra? I’m bringing a friend home!”\nIf Josh.ai is one of the more optimistic potential hubs to move the Smart Home trend into the next stage, what does its manifesto tell us about the ambition of what we can expect from the technology in near future?\nVery often does the phrase ‘make your life easier and more productive’ occur in many of these manifestos. But if most of what these hubs offer is the autonomous control of small things like lights and music, how much easier will our lives get? Can this at all compare to the transition from brooms to vacuums?\nThe three essential points of Josh.ai are: thoughtless energy saving, continuous awareness of devices, and a more networked system. How do these new values compare to past technologies that significantly liberated the average person? In the manifestos of most of these hub devices, there is hardly any language that appears human at all.\nAlthough the benefits of some of the products seem underwhelming, the issue is that even the smallest thing poses a significant risk. Take Nest for example, what could be more harmless than a thermostat? Yet already in its relatively short life, Nest has been caught for the sale of information surrounding home fire history to insurance companies.\nEven if the Smart Home Hub were your ‘best friend’, do you want your best friend to know everything about your preferences? How much do we even allow our actual best friends to know about ourselves? Do we tell them that we’re lonely? Whose profiles we look at online? Even if our best friend were really good at keeping secrets, would we tell them? About that one time?\nAnytime that someone cries out against the inevitable, they come across as a cranky soap boxer. 
But this is an odd transition where there seems to be little gained by most of these products, and yet there is such significant risk in what might be lost if the technologies are adopted. Doesn’t it feel strange that in the last century our parents and grandparents marched for privacy, and here we are eagerly handing it back?\n","date":"12 March 2016","externalUrl":null,"permalink":"/posts/home-smart-home-domesticating-the-internet-of-things/","section":"Posts","summary":"","title":"Home Smart Home: Domesticating the Internet of Things","type":"posts"},{"content":"","date":"12 March 2016","externalUrl":null,"permalink":"/categories/iot/","section":"Categories","summary":"","title":"Iot","type":"categories"},{"content":"","date":"12 March 2016","externalUrl":null,"permalink":"/categories/physical-security/","section":"Categories","summary":"","title":"Physical-Security","type":"categories"},{"content":"The following article is a guest post from Toptal. Toptal is an elite network of freelancers that enables businesses to connect with the top 3% of software engineers and designers in the world.\nSuppose I’m visiting a web site. I right-click on one of the navigation links and select to open the link in a new window. What should happen? If I’m like most users, I expect the new page to have the same content as if I had clicked the link directly. The only difference should be that the page appears in a new window. But if your web site is a single-page application (SPA), you may see weird results unless you’ve carefully planned for this case.\nRecall that in an SPA, a typical navigation link is often a fragment identifier, starting with a hash mark (#). Clicking the link directly does not reload the page, so all the data stored in JavaScript variables are retained. But if I open the link in a new tab or window, the browser does reload the page, reinitializing all the JavaScript variables. 
So any HTML elements bound to those variables will display differently, unless you’ve taken steps to preserve that data somehow.\nPersisting Data Across Page Reloads: Cookies, IndexedDB and Everything In-Between\nThere’s a similar issue if I explicitly reload the page, such as by hitting F5. You may think I shouldn’t ever need to hit F5, because you’ve set up a mechanism to push changes from the server automatically. But if I’m a typical user, you can bet I’m still going to reload the page. Maybe my browser seems to have repainted the screen incorrectly, or I just want to be certain I have the very latest stock quotes.\nAPIs May Be Stateless, Human Interaction Is Not # Unlike an internal request via a RESTful API, a human user’s interaction with a web site is not stateless. As a web user, I think of my visit to your site as a session, almost like a phone call. I expect the browser to remember data about my session, in the same way that when I call your sales or support line, I expect the representative to remember what was said earlier in the call.\nAn obvious example of session data is whether I’m logged in, and if so, as which user. Once I go through a login screen, I should be able to navigate freely through the user-specific pages of the site. If I open a link in a new tab or window and I’m presented with another login screen, that’s not very user friendly.\nAnother example is the contents of the shopping cart in an e-commerce site. If hitting F5 empties the shopping cart, users are likely to get upset.\nIn a traditional multi-page application written in PHP, session data would be stored in the $_SESSION superglobal array. But in an SPA, it needs to be somewhere on the client side. There are four main options for storing session data in an SPA:\nCookies\nFragment identifier\nWeb storage\nIndexedDB\nFour Kilobytes of Cookies # Cookies are an older form of web storage in the browser. 
They were originally intended to store data received from the server in one request and send it back to the server in subsequent requests. But from JavaScript, you can use cookies to store just about any kind of data, up to a size limit of 4 KB per cookie. AngularJS offers the ngCookies module for managing cookies. There is also a js-cookies package that provides similar functionality in any framework.\nKeep in mind that any cookie you create will be sent to the server on every request, whether it’s a page reload or an Ajax request. But if the main session data you need to store is the access token for the logged-in user, you want this sent to the server on every request anyway. It’s natural to try to use this automatic cookie transmission as the standard means of specifying the access token for Ajax requests.\nYou may argue that using cookies in this manner is incompatible with RESTful architecture. But in this case it is just fine as each request via the API is still stateless, having some inputs and some outputs. It’s just that one of the inputs is being sent in a funny way, via a cookie. If you can arrange for the login API request to send the access token back in a cookie also, then your client side code hardly needs to deal with cookies at all. Again, it’s just another output from the request being returned in an unusual way.\nCookies offer one advantage over web storage. You can provide a “keep me logged in” checkbox on the login form. With the semantics I expect, if I leave it unchecked then I will remain logged in if I reload the page or open a link in a new tab or window, but I’m guaranteed to be logged out once I close the browser. This is an important safety feature if I’m using a shared computer. As we’ll see later, web storage does not support this behavior.\nSo how might this approach work in practice? Suppose you’re using LoopBack on the server side. 
You’ve defined a Person model, extending the built-in User model, adding the properties you want to maintain for each user. You’ve configured the Person model to be exposed over REST. Now you need to tweak server/server.js to achieve the desired cookie behavior. Below is server/server.js, starting from what was generated by slc loopback, with the marked changes:\nvar loopback = require('loopback');\nvar boot = require('loopback-boot');\n\nvar app = module.exports = loopback();\n\napp.start = function() {\n  // start the web server\n  return app.listen(function() {\n    app.emit('started');\n    var baseUrl = app.get('url').replace(/\\/$/, '');\n    console.log('Web server listening at: %s', baseUrl);\n    if (app.get('loopback-component-explorer')) {\n      var explorerPath = app.get('loopback-component-explorer').mountPath;\n      console.log('Browse your REST API at %s%s', baseUrl, explorerPath);\n    }\n  });\n};\n\n// start of first change\napp.use(loopback.cookieParser('secret'));\n// end of first change\n\n// Bootstrap the application, configure models, datasources and middleware.\n// Sub-apps like REST API are mounted via boot scripts.\n
boot(app, __dirname, function(err) {\n  if (err) throw err;\n\n  // start of second change\n  app.remotes().after('Person.login', function (ctx, next) {\n    if (ctx.result.id) {\n      var opts = {signed: true};\n      if (ctx.req.body.rememberme !== false) {\n        opts.maxAge = 1209600000; // 2 weeks, in milliseconds\n      }\n      ctx.res.cookie('authorization', ctx.result.id, opts);\n    }\n    next();\n  });\n  app.remotes().after('Person.logout', function (ctx, next) {\n    ctx.res.cookie('authorization', '');\n    next();\n  });\n  // end of second change\n\n  // start the server if `$ node server.js`\n  if (require.main === module)\n    app.start();\n});\nThe first change configures the cookie parser to use ‘secret’ as the cookie signing secret, thereby enabling signed cookies. You need to do this because although LoopBack looks for an access token in either of the cookies ‘authorization’ or ‘access_token’, it requires that such a cookie be signed. Actually, this requirement is pointless. Signing a cookie is intended to ensure that the cookie hasn’t been modified. But there’s no danger of you modifying the access token. After all, you could have sent the access token in unsigned form, as an ordinary parameter. Thus, you don’t need to worry about the cookie signing secret being hard to guess, unless you’re using signed cookies for something else.\nThe second change sets up some postprocessing for the Person.login and Person.logout methods. For Person.login, you want to take the resulting access token and send it to the client as the signed cookie ‘authorization’ also. The client may add one more property to the credentials parameter, rememberme, indicating whether to make the cookie persistent for 2 weeks. The default is true. The login method itself will ignore this property, but the postprocessor will check it.\nFor Person.logout, you want to clear out this cookie.\nYou can see the results of these changes right away in the StrongLoop API Explorer. 
Normally after a Person.login request, you would have to copy the access token, paste it into the form at the top right, and click Set Access Token. But with these changes, you don’t have to do any of that. The access token is automatically saved as the cookie ‘authorization’, and sent back on each subsequent request. When the Explorer is displaying the response headers from Person.login, it omits the cookie, because JavaScript is never allowed to see Set-Cookie headers. But rest assured, the cookie is there.\nOn the client side, on a page reload you would see if the cookie ‘authorization’ exists. If so, you need to update your record of the current userId. Probably the easiest way to do this is to store the userId in a separate cookie on successful login, so you can retrieve it on a page reload.\nThe Fragment Identifier # As I’m visiting a web site that has been implemented as an SPA, the URL in my browser’s address bar might look something like “https://example.com/#/my-photos/37”. The fragment identifier portion of this, “#/my-photos/37”, is already a collection of state information that could be viewed as session data. In this case, I’m probably viewing one of my photos, the one whose ID is 37.\nYou may decide to embed other session data within the fragment identifier. Recall that in the previous section, with the access token stored in the cookie ‘authorization’, you still needed to keep track of the userId somehow. One option is to store it in a separate cookie. But another approach is to embed it in the fragment identifier. You could decide that while I’m logged in, all the pages I visit will have a fragment identifier beginning with “#/u/XXX”, where XXX is the userId. So in the previous example, the fragment identifier might be “#/u/59/my-photos/37” if my userId is 59.\nTheoretically, you could embed the access token itself in the fragment identifier, avoiding any need for cookies or web storage. But that would be a bad idea. 
My access token would then be visible in the address bar. Anyone looking over my shoulder with a camera could take a snapshot of the screen, thereby gaining access to my account.\nOne final note: it is possible to set up an SPA so that it doesn’t use fragment identifiers at all. Instead it uses ordinary URLs like “http://example.com/app/dashboard” and “http://example.com/app/my-photos/37”, with the server configured to return the top level HTML for your SPA in response to a request for any of these URLs. Your SPA then does its routing based on the path (e.g. “/app/dashboard” or “/app/my-photos/37”) instead of the fragment identifier. It intercepts clicks on navigation links, and uses History.pushState() to push the new URL, then proceeds with routing as usual. It also listens for popstate events to detect the user clicking the back button, and again proceeds with routing on the restored URL. The full details of how to implement this are beyond the scope of this article. But if you use this technique, then obviously you can store session data in the path instead of the fragment identifier.\nWeb Storage # Web storage is a mechanism for JavaScript to store data within the browser. Like cookies, web storage is separate for each origin. Each stored item has a name and a value, both of which are strings. But web storage is completely invisible to the server, and it offers much greater storage capacity than cookies. There are two types of web storage: local storage and session storage.\nAn item of local storage is visible across all tabs of all windows, and persists even after the browser is closed. In this respect, it behaves somewhat like a cookie with an expiration date very far in the future. Thus, it is suitable for storing an access token in the case where the user has checked “keep me logged in” on the login form.\nAn item of session storage is only visible within the tab where it was created, and it disappears when that tab is closed. 
This makes its lifetime very different from that of any cookie. Recall that a session cookie is still visible across all tabs of all windows.\nIf you use the AngularJS SDK for LoopBack, the client side will automatically use web storage to save both the access token and the userId. This happens in the LoopBackAuth service in js/services/lb-services.js. It will use local storage, unless the rememberMe parameter is false (normally meaning the “keep me logged in” checkbox was unchecked), in which case it will use session storage.\nThe result is that if I log in with “keep me logged in” unchecked, and I then open a link in a new tab or window, I won’t be logged in there. Most likely I’ll see the login screen. You can decide for yourself whether this is acceptable behavior. Some might consider it a nice feature, where you can have several tabs, each logged in as a different user. Or you might decide that hardly anyone uses shared computers any more, so you can just omit the “keep me logged in” checkbox altogether.\nSo how would the session data handling look if you decide to go with the AngularJS SDK for LoopBack? Suppose you have the same situation as before on the server side: you’ve defined a Person model, extending the User model, and you’ve exposed the Person model over REST. You won’t be using cookies, so you won’t need any of the changes described earlier.\nOn the client side, somewhere in your outermost controller, you probably have a variable like $scope.currentUserId which holds the userId of the currently logged in user, or null if the user is not logged in. Then to handle page reloads properly, you just include this statement in the constructor function for that controller:\n$scope.currentUserId = Person.getCurrentId();\nIt’s that easy. Add ‘Person’ as a dependency of your controller, if it isn’t already.\nIndexedDB # IndexedDB is a newer facility for storing large amounts of data in the browser. 
You can use it to store data of any JavaScript type, such as an object or array, without having to serialize it. All requests against the database are asynchronous, so you get a callback when the request is completed.\nYou might use IndexedDB to store structured data that’s unrelated to any data on the server. An example might be a calendar, a to-do list, or saved games that are played locally. In this case, the application is really a local one, and your web site is just the vehicle for delivering it.\nAt present, Internet Explorer and Safari only have partial support for IndexedDB. Other major browsers support it fully. One serious limitation at the moment, though, is that Firefox disables IndexedDB entirely in private browsing mode.\nAs a concrete example of using IndexedDB, let’s take the sliding puzzle application by Pavol Daniš, and tweak it to save the state of the first puzzle, the Basic 3x3 sliding puzzle based on the AngularJS logo, after each move. Reloading the page will then restore the state of this first puzzle.\nI’ve set up a fork of the repository with these changes, all of which are in app/js/puzzle/slidingPuzzle.js. As you can see, even a rudimentary usage of IndexedDB is quite involved. I’ll just show the highlights below. 
First, the function restore gets called during page load, to open the IndexedDB database:\n/*\n * Tries to restore game\n */\nthis.restore = function(scope, storekey) {\n  this.storekey = storekey;\n  if (this.db) {\n    this.restore2(scope);\n  }\n  else if (!window.indexedDB) {\n    console.log('SlidingPuzzle: browser does not support indexedDB');\n    this.shuffle();\n  }\n  else {\n    var self = this;\n    var request = window.indexedDB.open('SlidingPuzzleDatabase');\n    request.onerror = function(event) {\n      console.log('SlidingPuzzle: error opening database, ' + request.error.name);\n      scope.$apply(function() { self.shuffle(); });\n    };\n    request.onupgradeneeded = function(event) {\n      event.target.result.createObjectStore('SlidingPuzzleStore');\n    };\n    request.onsuccess = function(event) {\n      self.db = event.target.result;\n      self.restore2(scope);\n    };\n  }\n};\nThe request.onupgradeneeded event handles the case where the database doesn’t exist yet. 
In this case, we create the object store.\nOnce the database is open, the function restore2 is called, which looks for a record with a given key (which will actually be the constant ‘Basic’ in this case):\n/*\n * Tries to restore game, once database has been opened\n */\nthis.restore2 = function(scope) {\n  var transaction = this.db.transaction('SlidingPuzzleStore');\n  var objectStore = transaction.objectStore('SlidingPuzzleStore');\n  var self = this;\n  var request = objectStore.get(this.storekey);\n  request.onerror = function(event) {\n    console.log('SlidingPuzzle: error reading from database, ' + request.error.name);\n    scope.$apply(function() { self.shuffle(); });\n  };\n  request.onsuccess = function(event) {\n    if (!request.result) {\n      console.log('SlidingPuzzle: no saved game for ' + self.storekey);\n      scope.$apply(function() { self.shuffle(); });\n    }\n    else {\n      scope.$apply(function() { self.grid = request.result; });\n    }\n  };\n}\nIf such a record exists, its value replaces the grid array of the puzzle. If there is any error in restoring the game, we just shuffle the tiles as before. Note that grid is a 3x3 array of tile objects, each of which is fairly complex. The great advantage of IndexedDB is that you can store and retrieve such values without having to serialize them.\nWe use $apply to inform AngularJS that the model has been changed, so the view will be updated appropriately. This is because the update is happening inside a DOM event handler, so AngularJS wouldn’t otherwise be able to detect the change. 
Any AngularJS application using IndexedDB will probably need to use $apply for this reason.\nAfter any action that would change the grid array, such as a move by the user, the function save is called which adds or updates the record with the appropriate key, based on the updated grid value:\n/*\n * Tries to save game\n */\nthis.save = function() {\n  if (!this.db) {\n    return;\n  }\n  var transaction = this.db.transaction('SlidingPuzzleStore', 'readwrite');\n  var objectStore = transaction.objectStore('SlidingPuzzleStore');\n  var request = objectStore.put(this.grid, this.storekey);\n  request.onerror = function(event) {\n    console.log('SlidingPuzzle: error writing to database, ' + request.error.name);\n  };\n  request.onsuccess = function(event) {\n    // successful, no further action needed\n  };\n}\nThe remaining changes are to call the above functions at appropriate times. You can review the commit showing all of the changes. Note that we are calling restore only for the basic puzzle, not for the three advanced puzzles. We exploit the fact that the three advanced puzzles have an api attribute, so for those we just do the normal shuffling.\nWhat if we wanted to save and restore the advanced puzzles also? That would require some restructuring. In each of the advanced puzzles, the user can adjust the image source file and the puzzle dimensions. So we’d have to enhance the value stored in IndexedDB to include this information. More importantly, we’d need a way to update them from a restore. That’s a bit much for this already lengthy example.\nConclusion # In most cases, web storage is your best bet for storing session data. 
It’s fully supported by all major browsers, and it offers much greater storage capacity than cookies.\nYou would use cookies if your server is already set up to use them, or if you need the data to be accessible across all tabs of all windows, but you also want to ensure it will be deleted when the browser is closed.\nYou already use the fragment identifier to store session data that’s specific to that page, such as the ID of the photo the user is looking at. While you could embed other session data in the fragment identifier, this doesn’t really offer any advantage over web storage or cookies.\nUsing IndexedDB is likely to require a lot more coding than any of the other techniques. But if the values you’re storing are complex JavaScript objects that would be difficult to serialize, or if you need a transactional model, then it may be worthwhile. Source: Toptal.\n","date":"25 February 2016","externalUrl":null,"permalink":"/posts/persisting-data-across-page-reloads-cookies-indexeddb-and-everything-in-between/","section":"Posts","summary":"","title":"Persisting Data Across Page Reloads: Cookies, IndexedDB and Everything In-Between","type":"posts"},{"content":"The following article is a guest post from Toptal. 
Toptal is an elite network of freelancers that enables businesses to connect with the top 3% of software engineers and designers in the world.\nIf you work in the software industry, it’s likely that you have heard about the divide and conquer design paradigm, which basically consists of recursively splitting a problem into two or more sub-problems (divide), until these become simple enough to be solved directly (conquer).\nWhat you might not know is that this paradigm originates from an old political strategy (the name is derived from the Latin saying divide et impera) that suggests it is possible to maintain control over one’s subordinates or subjects by encouraging dissent between them.\nThis strategy has been used by countless politicians and military leaders throughout history, such as Julius Caesar (who used it during the Gallic Wars to defeat the militarily strong Gauls) and Napoleon (the French artillery expert would divide the enemy troops so no portion was stronger than his own troops, and then disrupt their communications, impeding enemy efforts to coordinate and execute attacks).\nThe Art Of War: Ancient Principles Applied To Development # However, the divide and conquer rule is not the only political strategy that can be applied to software development. Although politics and warfare have little to do with software development, just like politicians and generals, developers must lead subordinates, coordinate efforts between teams, find the best strategies to resolve problems, and administer resources.\nSun Tzu’s principles and teachings have practical applications in politics, business, sports, and software development.\nThe Art of War is an ancient military treatise written in the fifth century B.C. 
and attributed to Sun Tzu, an ancient Chinese military strategist, whose theories had a profound influence on both Eastern and Western philosophy.\nDespite its age, the text is still included in the syllabus at many military schools in East Asia and it’s listed as a recommended reading in some military academies in the West. The text is divided into 13 chapters, each one devoted to a different aspect of warfare.\nHowever, in addition to warfare, Sun Tzu’s principles and teachings have practical applications in politics, business, sports, and, believe it or not, software development. In fact, you might just be applying some of these principles in your daily routine, without even knowing their origins.\nDetailed below, you will find a brief list of basic tactics and tips explained in the Art of War. They can probably be applied to your job in the software industry, or any of a number of other industries.\nTime Is Crucial In Any Campaign # Chapter II, paragraph 2 # “When you engage in actual fighting, if victory is long in coming, then men’s weapons will grow dull and their ardor will be damped.”\nThis principle can be applied to software development, as a rule describing the relationship between the length of development cycles and the developer’s morale.\nIf a group of developers work on the same projects for months, with no clear goals or end in sight, they may become frustrated and their productivity may decline.\nDivide your development roadmap into easily achievable goals and milestones. It’s good for morale.\nSoftware development is an intellectual endeavour, so motivation is the main fuel for productivity. 
Working every day without perceiving that your work is generating real results can be very demotivating.\nAs indicated in some agile methodologies, the development roadmap should be divided into several goals and milestones, which the team might be able to achieve in short timeframes, and they are going to give them a sense of progress and achievement.\nChapter II, paragraph 18 # “In war, then, let your great object be victory, not lengthy campaigns.”\nThis phrase can be interpreted in two ways:\nFirst, it can be seen as a precursor of the UNIX philosophy: Write programs that do one thing and do it well. When developing software, you must always keep in mind the main objective of the program, the key feature that it provides, or the biggest problem that it solves, and ensure proper implementation.\nSometimes you might get inspired and think of a really cool feature to add, but do not forget that applications that have lot of infrequently used features have a disparaging name: bloatware.\nSecond, the statement may also be considered as a precursor for one of the lean software development principles: Deliver as fast as possible.\nThe sooner you deliver software without major defects, the sooner you will get feedback from the client, and you will be able to incorporate the changes into the next iteration.\nIf on the other hand, you deliver non-working software, you will miss out on valuable feedback, because clients won’t get a chance to test it properly. 
This will make the next stage of development more difficult, or impossible in situations where your next iteration depends on customer feedback.\nNo Leadership, No Results # Chapter III, paragraph 11 # “Now the general is the bulwark of the State; if the bulwark is complete at all points, the State will be strong; if the bulwark is defective, the State will be weak.”\nThis quote describes the importance of the role of the manager in a development team: the success of a project depends on the strength of all people involved, and the manager is the bulwark of the project. Responsibility starts at the top.\nResponsibility starts at the top. If your team lead is bad, no amount of talented engineers will help.\nEven though developers frequently work alone (each sitting behind a computer, with limited communication with coworkers), that does not mean that they don’t need good leadership. Project managers are in charge of keeping the team on track, ensuring effective communication and dispute resolution, and leaders, obviously, define the priorities of the project (among other tasks), so their role should not be underestimated. Neither should their responsibility if something goes wrong. Imagine what would happen to a military leader whose unit failed to perform its duty in the field of battle?\nA team can produce great software even if it has a few bad apples in development positions, but that’s unlikely to happen if the project manager is the bad apple, no matter how many rockstar developers the team has.\nChapter VI, paragraph 28 # “Do not repeat the tactics which have gained you one victory, but let your methods be regulated by the infinite variety of circumstances.”\nSometimes, when starting a project, it’s tempting to use the same set of technologies we used in previously successful projects (the same programming language, the same libraries, the same server, etc). 
However, unless the requirements of the new projects are exactly the same as previous ones, this might be the wrong approach.\nIn programming, as in most domains, the panacea (a supposed remedy capable of curing all diseases) does not exist. There is no single combination of technologies that you can use for solving all problems; each technology has its upsides and downsides.\nOf course, learning a new programming language or using an unknown API might initially be expensive but in the long term, the quality of the software will be superior and you will become a better developer.\nChapter XIII, paragraph 27 # “Hence it is only the enlightened ruler and the wise general who will use the highest intelligence of the army for purposes of spying, and thereby they achieve great results. Spies are a most important element in war, because on them depends an army’s ability to move.”\nThis phrase may be interpreted as the importance of using monitoring tools and logging libraries during the maintenance phase.\nAlthough sometimes clients might not think so, development does not end when you get a stable and fully tested release. 
Software is always evolving, either by fixing bugs, adding new features or improving efficiency.\nAnd there is no better source of information for knowing what changes to make than having spies monitoring the software in production environments, checking which features are used the most, the most common errors and the lengthiest operations.\nError reports, logging entries and usage data are fundamental for detecting bugs, identifying bottlenecks and other issues since it is not always possible to reproduce the same conditions in controlled testing environments.\nTeamwork And Motivation # Chapter X, paragraph 24 # “He who advances without seeking fame, Who retreats without escaping blame, He whose one aim is to protect his people and serve his lord, The man is a jewel of the Realm.”\nBasically, this is the ancient Chinese version of “there’s no I in team”. It is more important to work together with others rather than to pursue personal gain.\nSoftware development is a complex activity that requires developers to work effectively as a team. A good developer is not the one who fixes the most bugs, implements the most features or finishes assignments ahead of schedule; a good developer is the one who helps the team reach its goals.\nTeamwork wins battles. Remember, the best developers are inspiring individuals who help other team members reach their objectives.\nClaiming credit for everything you’ve done, not recognizing your errors or blaming others for them, or calling yourself a code ninja might fool some inexperienced managers and might even get you a raise, but you will become a counterproductive member of your team.\nChapter VII, paragraph 21 # “Ponder and deliberate before you make a move.”\nThis phrase indicates the importance of team development meetings, such as those proposed by agile methodologies.\nWhen working on a team, it is important to discuss any major changes before implementing them. 
It doesn’t matter if you are the team leader, or if you are the person with the most experience of the subject, you should always talk with, or at least inform, the rest of the team.\nRemember that other developers could give you insights into unfamiliar parts of the software. This means they could start implementing the changes faster than expected, because they could be fully aware of the effects of said changes.\nChapter X, paragraph 25 # “Regard your soldiers as your children, and they will follow you into the deepest valleys; look upon them as your own beloved sons, and they will stand by you even unto death.”\nThis quote indicates the importance of motivation, a principle of management that is sometimes forgotten by managers and team leaders. Motivated developers will write better code, work faster, commit fewer errors and be more willing to put in extra hours.\nMotivation must be generated by managers, by taking genuine interest in their subordinates, listening to them, caring about their work-life balance, building positive work environments and caring about their career paths.\nAlso, you should not mistake motivation for remuneration. Recent studies demonstrate that money does not motivate most workers; money is mostly good at attracting and retaining employees, but not at making them happy about their jobs. 
So raises and promotions should not be seen as motivational tools.\nThinking Outside The Box # Chapter V, paragraph 7, 8 and 9 # “There are not more than five musical notes, yet the combinations of these five give rise to more melodies than can ever be heard.”\n“There are not more than five primary colors, yet in combination they produce more hues than can ever be seen.”\n“There are not more than five cardinal tastes, yet combinations of them yield more flavors than can ever be tasted.”\nOne of the good things about programming is that the possibilities are endless; you can develop basically whatever you want (at least, as long as it is not an NP-complete problem).\nMobile apps, websites, games, desktop applications… if you know programming, all of them are within your reach.\nIf you’re a talented developer, you need to think outside the box. The box is there to prevent incompetent people from wrecking stuff. It’s not for you.\nChapter III, paragraph 1 # “In the practical art of war, the best thing of all is to take the enemy’s country whole and intact; to shatter and destroy it is not so good. So, too, it is better to capture an army entire than to destroy it, to capture a regiment, a detachment or a company entire than to destroy them.”\nWhen working on a project with a large code base, it is common to find modules or sections of code that have been implemented with bad practices or by using deprecated libraries. Although it might be tempting to erase (or destroy) this code, it might not be the best idea for several reasons:\nLegacy code is not necessarily bad; sometimes it is good code that was written when other methodologies and technologies were considered the way to go. However, just because it is old doesn’t mean that it is not working. You might lose time fixing code that still works instead of focusing on fixing other, more critical parts of the code. 
Unless you are really sure of what you are doing, replacing a section of code that works means you are risking introducing new errors or bugs. This does not mean that the phrase “If it ain’t broke, don’t fix it” is a good strategy, but that every project has priorities, goals and time constraints. So, if you find code that could be improved, discuss it with the rest of the team or with the project manager in order to figure out when to optimize it.\nChapter VIII, paragraph 3 # “There are roads which must not be followed, armies which must not be attacked, towns which must not be besieged, positions which must not be contested, commands of the sovereign which must not be obeyed.”\nEven though it does not say so directly, we could interpret this principle as a warning to avoid anti-patterns.\nAlthough using an anti-pattern may resolve a short-term issue, you should remember that in the long-term it is going to be counter-productive. So, no matter how much time you save, how many bugs you fix or how convenient it is for you, avoid them.\nStill, there are times you may be tempted to use an anti-pattern to resolve an urgent task, promising yourself you will implement a proper fix when you have more time, but remember one of Murphy’s laws: All quick fixes become permanent changes.\nConclusion # Although developing software is different from commanding soldiers in war or leading a country, all of them must solve problems that require teamwork, good leadership, efficiency and long-term solutions.\nHowever, the Art of War is not the only book which contains principles that may be applied to software development. Niccolò Machiavelli’s The Prince is an example.\nIn fact, here is a list of quotes from Machiavelli that are still relevant. Try guessing which are the corresponding principles in the world of software development.\nThe lion cannot protect himself from traps, and the fox cannot defend himself from wolves. 
One must therefore be a fox to recognize traps, and a lion to frighten wolves. Never attempt to win by force what can be won by deception. Never was anything great achieved without danger. Whosoever desires constant success must change his conduct with the times. Men in general judge more from appearances than from reality. All men have eyes, but few have the gift of penetration. He who wishes to be obeyed must know how to command. Wisdom consists of knowing how to distinguish the nature of trouble, and in choosing the lesser evil. There is no avoiding war; it can only be postponed to the advantage of your enemy. Nature creates few men brave; industry and training makes many. ","date":"20 February 2016","externalUrl":null,"permalink":"/posts/the-art-of-war-applied-to-software-development/","section":"Posts","summary":"","title":"The Art of War Applied To Software Development","type":"posts"},{"content":"The following article is a guest post from Toptal. Toptal is an elite network of freelancers that enables businesses to connect with the top 3% of software engineers and designers in the world.\nSo what exactly is the bug anyway? # Here’s a very quick rundown:\nA potentially critical problem has surfaced in the widely used OpenSSL cryptographic library. It is nicknamed “Heartbleed” because the vulnerability exists in the “heartbeat extension” (RFC6520) to the Transport Layer Security (TLS) and it is a memory leak (“bleed”) issue. User passwords and other important data may have been compromised on any site affected by the vulnerability.\nThe vulnerability is particularly dangerous for two reasons:\nPotentially critical data is leaked. The attack leaves no trace. The affected OpenSSL versions are 1.0.1 through 1.0.1f, 1.0.2-beta, and 1.0.2-beta1.\nWho is affected by the problem? 
# Short answer: Anyone and everyone who uses these versions of OpenSSL.\nAnd that’s a LOT of companies and a LOT of people.\nBefore we get into our Heartbleed tutorial, here’s just a brief sampling of major companies and websites that are known to have been affected and that needed to patch their sites: Gmail, Yahoo Mail, Intuit TurboTax, USAA, Dropbox, Flickr, Instagram, Pinterest, SoundCloud, Tumblr, GitHub, GoDaddy, Boingo Wireless, and many more.\nMany, many corporate websites, of companies of all sizes, have been (or still need to be!) patched to fix the Heartbleed vulnerability.\nThe vulnerability has existed since December 31, 2011, with OpenSSL being used by about 66% of Internet hosts.\nAs a user, chances are that sites you frequent regularly are affected and that your data may have been compromised. As a developer or sys admin, sites or servers you’re responsible for are likely to have been affected as well.\nSo what do I need to do to protect myself if I use any of the affected sites? # The main thing you should do immediately is to change your passwords for any of the affected sites for which you have a login account.\nAnd what do I need to do to fix and protect against Heartbleed if I’m the sys admin for a site that uses OpenSSL? # If you’re using OpenSSL 1.0.1, do one of the following immediately:\nUpgrade to OpenSSL 1.0.1g, or Recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS. If you’re using OpenSSL 1.0.2, the vulnerability will be fixed in 1.0.2-beta2 but you can’t wait for that. In the interim, do one of the following immediately:\nRevert to OpenSSL 1.0.1g, or Recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS. Most distributions (e.g., Ubuntu, Fedora, Debian, Arch Linux) have upgraded their packages already. In cases like Gentoo, you can upgrade to a patched ebuild.\nOnce you’ve upgraded (or recompiled) and have established a secure version on your server:\nBe sure to restart all potentially affected processes. 
Major daemons affected by the bug include Apache, Nginx, OpenVPN, and sshd; basically anything and everything linked against libssl. (Note that a restart of these daemons should be sufficient. There should be no need to rebuild these binaries since they are dynamically linked with the OpenSSL libraries.) Verify that you are no longer vulnerable using tools like this online test or this tool on GitHub or this tool on Pastebin. If your infrastructure was vulnerable, there are Heartbleed tutorial steps that you can and should take. A useful list of such mitigations is available here.\nMore gory Heartbleed details, for those who are interested… # As explained in the GitHub commit for the fix, a missing bounds check in the handling of the TLS heartbeat extension could be exploited to reveal up to 64k of memory to a connected client or server.\nWhile the exposed memory could potentially just be garbage, it could just as easily turn out to be extremely valuable to a malicious attacker.\nHere’s how the Heartbleed vulnerability works: An attacker provides the payload as well as the payload length. However, no validation is done to confirm that a payload of the stated length was actually provided by the attacker. If it was not, an out-of-bounds read occurs, which in turn leaks process memory from the heap.\nLeaking previous request headers can be a very serious security problem. Specifically, a prior user’s login post data might still be available with their username, password, and cookies, all of which can then be exposed and exploited. Moreover, although private key leakage through Heartbleed was initially deemed to be unlikely, it has been verified that private SSL keys can be stolen by exploiting this vulnerability.\nThe vulnerability is also made possible due to OpenSSL’s silly use of a malloc() cache. 
By wrapping away libc functions and not actually freeing memory, the exploitation countermeasures in libc are never given the chance to kick in and render the bug useless.\nAdditional details on these ways to fix Heartbleed are available here and here.\nAnd, for what it’s worth, here’s a more amusing perspective.\nKudos to the discoverer, Neel Mehta of Google Security, as well as Adam Langley and Bodo Moeller who promptly provided the patch and helped sys admins determine how to fix Heartbleed. I also encourage you to educate yourself on some of the other common web security vulnerabilities to avoid issues in the future.\n","date":"13 February 2016","externalUrl":null,"permalink":"/posts/fixing-the-heartbleed-openssl-bug-a-tutorial-for-sys-admins/","section":"Posts","summary":"","title":"Fixing the “Heartbleed” OpenSSL Bug: A Tutorial for Sys Admins","type":"posts"},{"content":"The following article is a guest post from Toptal. Toptal is an elite network of freelancers that enables businesses to connect with the top 3% of software engineers and designers in the world.\nSince the term the World Wide Web was coined back in 1990, web application development has evolved from serving static HTML pages to completely dynamic, complex business applications.\nToday we have thousands of digital and printed resources that provide step-by-step instructions about developing all kinds of different web applications. Development environments are “smart” enough to catch and fix many mistakes that early developers battled with regularly. 
There are even many different development platforms that easily turn simple static HTML pages into highly interactive applications.\nAll of these development patterns, practices, and platforms share common ground, and they are all prone to similar web development issues caused by the very nature of web applications.\nThe purpose of these web development tips is to shed light on some of the common mistakes made in different stages of the web development process and to help you become a better developer. I have touched on a few general topics that are common to virtually all web developers such as validation, security, scalability, and SEO. You should of course not be bound by the specific examples I’ve described in this guide, as they are listed only to give you an idea of the potential problems you might encounter.\nCommon mistake #1: Incomplete input validation # Validating user input on client and server side is simply a must do! We are all aware of the sage advice “do not trust user input” but, nevertheless, mistakes stemming from validation happen all too often.\nOne of the most common consequences of this mistake is SQL Injection which is in OWASP Top 10 year after year.\nRemember that most front-end development frameworks provide out-of-the-box validation rules that are incredibly simple to use. Additionally, most major back-end development platforms use simple annotations to assure that submitted data are adhering to expected rules. Implementing validation might be time consuming, but it should be part of your standard coding practice and never set aside.\nCommon mistake #2: Authentication without proper Authorization # Before we proceed, let’s make sure we are aligned on these two terms. 
As stated in the 10 Most Common Web Security Vulnerabilities:\nAuthentication: Verifying that a person is (or at least appears to be) a specific user, since he/she has correctly provided their security credentials (password, answers to security questions, fingerprint scan, etc.).\nAuthorization: Confirming that a particular user has access to a specific resource or is granted permission to perform a particular action.\nStated another way, authentication is knowing who an entity is, while authorization is knowing what a given entity can do.\nLet me demonstrate this issue with an example:\nConsider that your browser holds currently logged user information in an object similar to the following:\n1 2 3 4 5 { username:\u0026#39;elvis\u0026#39;, role:\u0026#39;singer\u0026#39;, token:\u0026#39;123456789\u0026#39; } When doing a password change, your application makes the POST:\n1 POST /changepassword/:username/:newpassword In your /changepassword method, you verify that user is logged and token has not expired. Then you find the user profile based on the :username parameter, and you change your user’s password.\nSo, you validated that your user is properly logged-in, and then you executed his request thus changing his password. Process seems OK, right? Unfortunately, the answer is NO!\nAt this point it is important to verify that the user executing the action and the user whose password is changed are the same. Any information stored on the browser can be tampered with, and any advanced user could easily update username:'elvis' to username:'Administrator' without using anything else but built-in browser tools.\nSo in this case, we just took care of Authentication making sure that the user provided security credentials. We can even add validation that /changepassword method can only be executed by Authenticated users. 
However, this is still not enough to protect your users from malicious attempts.\nYou need to make sure that you verify actual requestor and content of request within your /changepasswordmethod and implement proper Authorization of the request making sure that user can change only her data.\nAuthentication and Authorization are two sides of the same coin. Never treat them separately.\nCommon mistake #3: Not ready to scale # In today’s world of high speed development, startup accelerators, and instant global reach of great ideas, having your MVP (Minimum Viable Product) out in the market as soon as possible is a common goal for many companies.\nHowever, this constant time pressure is causing even good web development teams to often overlook certain issues. Scaling is often one of those things teams take for granted. The MVP concept is great, but push it too far, and you’ll have serious problems. Unfortunately, selecting a scalable database and web server and separating all application layers on independent scalable servers is not enough. There are many details you need to think about if you wish to avoid rewriting significant parts of your application later - which becomes a major web development problem.\nFor example, say that you choose to store uploaded profile pictures of your users directly on a web server. This is a perfectly valid solution–files are quickly accessible to the application, file handling methods are available in every development platform, and you can even serve these images as static content, which means minimum load on your application.\nBut what happens when your application grows, and you need to use two or more web servers behind a load balancer? Even though you nicely scaled your database storage, session state servers, and web servers, your application scalability fails because of a simple thing like profile images. 
Thus, you need to implement some kind of file synchronization service (that will have a delay and will cause temporary 404 errors) or another workaround to assure that files are spread across your web servers.\nWhat you needed to do to avoid the problem in the first place was just use shared file storage location, database, or any other remote storage solution. It would have probably cost few extra hours of work to have it all implemented, but it would have been worth the trouble.\nCommon mistake #4: Wrong or missing SEO # The root cause of incorrect or missing SEO best practices on web sites is misinformed “SEO specialists”. Many web developers believe that they know enough about SEO and that it is not especially complex, but that’s just not true. SEO mastery requires significant time spent researching best practices and the ever-changing rules about how Google, Bing, and Yahoo index the web. Unless you constantly experiment and have accurate tracking + analysis, you are not a SEO specialist, and you should not claim to be one.\nFurthermore, SEO is too often postponed as some activity that is done at the end. This comes at a high price of web development issues. SEO is not just related to setting good content, tags, keywords, meta-data, image alt tags, site map, etc. It also includes eliminating duplicate content, having crawlable site architecture, efficient load times, intelligent back linking, etc.\nLike with scalability, you should think about SEO from the moment you start building your web application, or you might find that completing your SEO implementation project means rewriting your whole system.\nCommon mistake #5: Time or processor consuming actions in request handlers # One of the best examples of this mistake is sending email based on a user action. 
Too often developers think that making a SMTP call and sending a message directly from user request handler is the solution.\nLet’s say you created an online book store, and you expect to start with a few hundred orders daily. As part of your order intake process, you send confirmation emails each time a user posts an order. This will work without problem at first, but what happens when you scale your system, and you suddenly get thousands of requests sending confirmation emails? You either get SMTP connection timeouts, quota exceeded, or your application response time degrades significantly as it is now handling emails instead of users.\nAny time or processor consuming action should be handled by an external process while you release your HTTP requests as soon as possible. In this case, you should have an external mailing service that is picking up orders and sending notifications.\nCommon mistake #6: Not optimizing bandwidth usage # Most development and testing takes place in a local network environment. So when you are downloading 5 background images each being 3MB or more, you might not identify an issue with 1Gbit connection speed in your development environment. But when your users start loading a 15MB home page over 3G connections on their smartphones, you should prepare yourself for a list of complaintsand problems.\nOptimizing your bandwidth usage could give you a great performance boost, and to gain this boost you probably only need a couple of tricks. There are few things that many good web deveopers do by default, including:\nMinification of all JavaScript Minification of all CSS Server side HTTP compression Optimization of image size and resolution Common mistake #7: Not developing for different screen sizes # Responsive design has been a big topic in the past few years. Expansion of smartphones with different screen resolutions has brought many new ways of accessing online content, which also comes with a host of web development issues. 
The number of website visits that come from smartphones and tablets grows every day, and this trend is accelerating.\nIn order to ensure seamless navigation and access to website content, you must enable users to access it from all types of devices.\nThere are numerous patterns and practices for building responsive web applications. Each development platform has its own tips and tricks, but there are some frameworks that are platform independent. The most popular is probably Twitter Bootstrap. It is an open-source and free HTML, CSS, and JavaScript framework that has been adopted by every major development platform. Just adhere to Bootstrap patterns and practices when building your application, and you will get responsive web application with no trouble at all.\nCommon mistake #8: Cross browser incompatibility # The development process is, in most cases, under a heavy time pressure. Every application needs to be released as soon as possible and even good web developers are often focused on delivering functionality over design. Regardless of the fact that most developers have Chrome, Firefox, IE installed, they are using only one of these 90% of the time. It is common practice to use one browser during development and just as the application nears completion will you start testing it in other browsers. This is perfectly reasonable–assuming you have a lot of time to test and fix issues that show up at this stage.\nHowever, there are some web development tips that can save you significant time when your application reaches the cross-browser testing phase:\nYou don’t need to test in all browsers during development; it is time consuming and ineffective. However, that does not mean that you cannot switch browsers frequently. Use a different browser every couple of days, and you will at least recognize major problems early in development phase. Be careful of using statistics to justify not supporting a browser. 
There are many organizations that are slow in adopting new software or upgrading. Thousands of users working there might still need access to your application, and they cannot install the latest free browser due to internal security and business policies. Avoid browser specific code. In most cases there is an elegant solution that is cross-browser compatible. Common mistake #9: Not planning for portability # Assumption is the mother of all problems! When it comes to portability, this saying is more true than ever. How many times have you seen issues in web development like hard coded file paths, database connection strings, or assumptions that a certain library will be available on the server? Assuming that the production environment will match your local development computer is simply wrong.\nIdeal application setup should be maintenance-free:\nMake sure that your application can scale and run on a load-balanced multiple server environment. Allow simple and clear configuration–possibly in a single configuration file. Handle exceptions when web server configuration is not as expected. Common mistake #10: RESTful anti patterns # RESTful API’s have taken their place in web development and are here to stay. Almost every web application has implemented some kind of REST services, whether for internal use or integrating with external system. But we still see broken RESTful patterns and services that do not adhere to expected practices.\nTwo of the most common mistakes made when writing a RESTful API are:\nUsing wrong HTTP verbs. For example using GET for writing data. HTTP GET has been designed to be idempotent and safe, meaning that no matter how many times you call GET on the same resource, the response should always be the same and no change in application state should occur.\nNot sending correct HTTP status codes. 
The best example of this mistake is sending error messages with response code 200.\n1 2 3 4 HTTP 200 OK { message:\u0026#39;there was an error\u0026#39; } You should only send HTTP 200 OK when the request has not generated an error. In the case of an error, you should send 400, 401, 500 or any other status code that is appropriate for the error that has occurred.\nA detailed overview of standard HTTP status codes can be found here.\nWrap up # Web development is an extremely broad term that can legitimately encompass development of a website, web service, or complex web application.\nThe main takeaway of this web development guide is the reminder that you should always be careful about authentication and authorization, plan for scalability, and never hastily assume anything - or be ready to deal with a long list of web development problems!\n","date":"2 February 2016","externalUrl":null,"permalink":"/posts/avoid-the-10-most-common-mistakes-web-developers-make-a-tutorial-for-developers/","section":"Posts","summary":"","title":"Avoid the 10 Most Common Mistakes Web Developers Make: A Tutorial for Developers","type":"posts"},{"content":"","date":"25 January 2016","externalUrl":null,"permalink":"/tags/data-security/","section":"Tags","summary":"","title":"Data-Security","type":"tags"},{"content":"The following article is a guest post from Toptal. Toptal is an elite network of freelancers that enables businesses to connect with the top 3% of software engineers and designers in the world.\nSecurity # Security is the enemy of convenience, and vice versa. This statement is true for any system, virtual or real, from the physical house entrance to web banking platforms. Engineers are constantly trying to find the right balance for the given use case, leaning to one side or the other. Usually, when a new threat appears, we move towards security and away from convenience. Then, we see if we can recover some lost convenience without reducing the security too much. 
Moreover, this vicious circle goes on forever.\nLet’s try to see where REST services currently stand regarding security and convenience. REST (which stands for Representational State Transfer) services started off as an extremely simplified approach to Web Services that had huge specifications and cumbersome formats, such as WSDL for describing the service, or SOAP for specifying the message format. In REST, we have none of those. We can describe the REST service in a plain text file and use any message format we want, such as JSON, XML or even plain text again. The simplified approach was applied to the security of REST services as well; no defined standard imposes a particular way to authenticate users.\nAlthough REST does not specify much, one important thing it does require is the lack of state. It means the server does not keep any client state, with sessions as a good example. Thus, the server replies to each request as if it was the first the client has made. However, even now, many implementations still use cookie-based authentication, which is inherited from standard website architectural design. The stateless approach of REST makes session cookies inappropriate from the security standpoint, but nevertheless, they are still widely used. Besides ignoring the required statelessness, the simplified approach came with an expected security trade-off. Compared to the WS-Security standard used for Web Services, it is much easier to create and consume REST services, hence convenience went through the roof. The trade-off is pretty slim security; session hijacking and cross-site request forgery (XSRF) are the most common security issues.\nIn trying to get rid of client sessions from the server, some other methods have been used occasionally, such as Basic or Digest HTTP authentication. Both use an Authorization header to transmit user credentials, with some encoding (HTTP Basic) or hashing (HTTP Digest) applied. 
Of course, they carried the same flaws found in websites: HTTP Basic had to be used over HTTPS since username and password are sent in easily reversible base64 encoding, and HTTP Digest forced the use of obsolete MD5 hashing that is proven to be insecure.\nFinally, some implementations used arbitrary tokens to authenticate clients. This option seems to be the best we have, for now. If implemented properly, it fixes all the security problems of HTTP Basic, HTTP Digest or session cookies, it is simple to use, and it follows the stateless pattern.\nHowever, with such arbitrary tokens, there’s little standard involved. Every service provider had his or her idea of what to put in the token, and how to encode or encrypt it. Consuming services from different providers required additional setup time, just to adapt to the specific token format used. The other methods, on the other hand (session cookie, HTTP Basic and HTTP Digest) are well known to developers, and almost all browsers on all devices work with them out of the box. Frameworks and languages are ready for these methods, having built-in functions to deal with each seamlessly.\nJWT # JWT (shortened from JSON Web Token) is the missing standardization for using tokens to authenticate on the web in general, not only for REST services. Currently, it is in draft status as RFC 7519. It is robust and can carry a lot of information, but is still simple to use even though its size is relatively small. Like any other token, JWT can be used to pass the identity of authenticated users between an identity provider and a service provider (which are not necessarily the same systems). 
It can also carry all the user’s claims, such as authorization data, so the service provider does not need to go into the database or external systems to verify user roles and permissions for each request; that data is extracted from the token.\nHere is how JWT is designed to work:\nThe client logs in by sending its credentials to the identity provider. The identity provider verifies the credentials; if all is OK, it retrieves the user data, generates a JWT containing user details and permissions that will be used to access the services, and it also sets the expiration on the JWT (which might be unlimited). The identity provider signs and, if needed, encrypts the JWT and sends it to the client as a response to the initial request with credentials. The client stores the JWT for a limited or unlimited amount of time, depending on the expiration set by the identity provider. The client sends the stored JWT in an Authorization header for every request to the service provider. For each request, the service provider takes the JWT from the Authorization header and decrypts it, if needed, validates the signature, and if everything is OK, extracts the user data and permissions. Based on this data solely, and again without looking up further details in the database or contacting the identity provider, it can accept or deny the client request. The only requirement is that the identity and service providers have an agreement on encryption so that the service can verify the signature or even decrypt the identity if it was encrypted. This flow allows for great flexibility while still keeping things secure and easy to develop. By using this approach, it is easy to add new server nodes to the service provider cluster, initializing them with only the ability to verify the signature and decrypt the tokens by providing them a shared secret key. No session replication, database synchronization or inter-node communication is required. 
REST in its full glory.\nThe main difference between JWT and other arbitrary tokens is the standardization of the token’s content. Another recommended approach is to send the JWT token in the Authorization header using the Bearer scheme. The content of the header should look like this:\nAuthorization: Bearer \u0026lt;token\u0026gt; Implementation # For REST services to work as expected, we need a slightly different authorization approach compared to classic, multi-page websites.\nInstead of triggering the authentication process by redirecting to a login page when a client requests a secured resource, the REST server authenticates all requests using the data available in the request itself, the JWT token in this case. If such an authentication fails, redirection makes no sense. The REST API simply sends an HTTP code 401 (Unauthorized) response and clients should know what to do; for example, a browser will show a dynamic div to allow the user to supply the username and password.\nOn the other hand, after a successful authentication in classic, multi-page websites, the user is redirected by using HTTP code 301 (Moved permanently), usually to a home page or, even better, to the page the user initially requested that triggered the authentication process. With REST, again this makes no sense. Instead we would simply continue with the execution of the request as if the resource was not secured at all, and return HTTP code 200 (OK) and the expected response body.\nSpring Security # Now, let’s see how we can implement the JWT-token-based REST API using Java and Spring, while trying to reuse the Spring Security default behavior where we can. As expected, the Spring Security framework comes with many ready-to-plug-in classes that deal with “old” authorization mechanisms: session cookies, HTTP Basic, and HTTP Digest. 
However, it lacks native support for JWT, and we need to get our hands dirty to make it work.\nFirst, we start with the usual Spring Security filter definition in web.xml:\n\u0026lt;filter\u0026gt; \u0026lt;filter-name\u0026gt;springSecurityFilterChain\u0026lt;/filter-name\u0026gt; \u0026lt;filter-class\u0026gt;org.springframework.web.filter.DelegatingFilterProxy\u0026lt;/filter-class\u0026gt; \u0026lt;/filter\u0026gt; \u0026lt;filter-mapping\u0026gt; \u0026lt;filter-name\u0026gt;springSecurityFilterChain\u0026lt;/filter-name\u0026gt; \u0026lt;url-pattern\u0026gt;/*\u0026lt;/url-pattern\u0026gt; \u0026lt;/filter-mapping\u0026gt; Note that the name of the filter must be exactly springSecurityFilterChain for the rest of the Spring config to work out of the box.\nNext comes the XML declaration of the Spring beans related to security. In order to simplify the XML, we will set the default namespace to security by adding xmlns=\u0026quot;http://www.springframework.org/schema/security\u0026quot; to the root XML element. 
The rest of the XML looks like this:\n\u0026lt;global-method-security pre-post-annotations=\u0026#34;enabled\u0026#34; /\u0026gt; (1) \u0026lt;http pattern=\u0026#34;/api/login\u0026#34; security=\u0026#34;none\u0026#34;/\u0026gt; (2) \u0026lt;http pattern=\u0026#34;/api/signup\u0026#34; security=\u0026#34;none\u0026#34;/\u0026gt; \u0026lt;http pattern=\u0026#34;/api/**\u0026#34; entry-point-ref=\u0026#34;restAuthenticationEntryPoint\u0026#34; create-session=\u0026#34;stateless\u0026#34;\u0026gt; (3) \u0026lt;csrf disabled=\u0026#34;true\u0026#34;/\u0026gt; (4) \u0026lt;custom-filter before=\u0026#34;FORM_LOGIN_FILTER\u0026#34; ref=\u0026#34;jwtAuthenticationFilter\u0026#34;/\u0026gt; (5) \u0026lt;/http\u0026gt; \u0026lt;beans:bean id=\u0026#34;jwtAuthenticationFilter\u0026#34; class=\u0026#34;com.toptal.travelplanner.security.JwtAuthenticationFilter\u0026#34;\u0026gt; (6) \u0026lt;beans:property name=\u0026#34;authenticationManager\u0026#34; ref=\u0026#34;authenticationManager\u0026#34; /\u0026gt; \u0026lt;beans:property name=\u0026#34;authenticationSuccessHandler\u0026#34; ref=\u0026#34;jwtAuthenticationSuccessHandler\u0026#34; /\u0026gt; (7) \u0026lt;/beans:bean\u0026gt; \u0026lt;authentication-manager alias=\u0026#34;authenticationManager\u0026#34;\u0026gt; \u0026lt;authentication-provider ref=\u0026#34;jwtAuthenticationProvider\u0026#34; /\u0026gt; (8) \u0026lt;/authentication-manager\u0026gt; (1) In this line, we activate the @PreFilter, @PreAuthorize, @PostFilter and @PostAuthorize annotations on any Spring beans in the context. (2) We define the login and signup endpoints to skip security; even “anonymous” should be able to do these two operations. (3) Next, we define the filter chain applied to all requests while adding two important configs: the entry point reference, and setting the session creation to stateless (we do not want the session created for security purposes as we are using tokens for each request). 
(4) We do not need CSRF protection because our tokens are immune to it: they are sent in an Authorization header, which the browser does not attach to requests automatically the way it attaches cookies. (5) Next, we plug our special authentication filter into Spring’s predefined filter chain, just before the form login filter. (6) This bean is the declaration of our authentication filter; since it is extending Spring’s AbstractAuthenticationProcessingFilter, we need to declare it in XML to wire its properties (auto wire does not work here). We will explain later what the filter does. (7) The default success handler of AbstractAuthenticationProcessingFilter is not good enough for REST purposes because it redirects the user to a success page; that is why we set our own here. (8) This declares the provider that the authenticationManager, and through it our filter, uses to authenticate users. Now let’s see how we implement the specific classes declared in the XML above. Note that Spring will wire them for us. We start with the simplest ones.\nRestAuthenticationEntryPoint.java # public class RestAuthenticationEntryPoint implements AuthenticationEntryPoint { @Override public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException { // This is invoked when user tries to access a secured REST resource without supplying any credentials // We should just send a 401 Unauthorized response because there is no \u0026#39;login page\u0026#39; to redirect to response.sendError(HttpServletResponse.SC_UNAUTHORIZED, \u0026#34;Unauthorized\u0026#34;); } } As explained above, this class just returns HTTP code 401 (Unauthorized) when authentication fails, overriding Spring’s default redirect.\nJwtAuthenticationSuccessHandler.java # public class JwtAuthenticationSuccessHandler implements AuthenticationSuccessHandler { @Override public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) { // We do not need to do anything extra on 
REST authentication success, because there is no page to redirect to } } This simple override removes the default behavior of a successful authentication (redirecting to home or any other page the user requested). If you are wondering why we do not need to override the AuthenticationFailureHandler, it is because the default implementation will not redirect anywhere if its redirect URL is not set, so we just avoid setting the URL, which is good enough.\nJwtAuthenticationFilter.java # public class JwtAuthenticationFilter extends AbstractAuthenticationProcessingFilter { public JwtAuthenticationFilter() { super(\u0026#34;/**\u0026#34;); } @Override protected boolean requiresAuthentication(HttpServletRequest request, HttpServletResponse response) { return true; } @Override public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException { String header = request.getHeader(\u0026#34;Authorization\u0026#34;); if (header == null || !header.startsWith(\u0026#34;Bearer \u0026#34;)) { throw new JwtTokenMissingException(\u0026#34;No JWT token found in request headers\u0026#34;); } String authToken = header.substring(7); JwtAuthenticationToken authRequest = new JwtAuthenticationToken(authToken); return getAuthenticationManager().authenticate(authRequest); } @Override protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authResult) throws IOException, ServletException { super.successfulAuthentication(request, response, chain, authResult); // As this authentication is in HTTP header, after success we need to continue the request normally // and return the response as if the resource was not secured at all chain.doFilter(request, response); } } This class is the entry point of our JWT authentication process; the filter extracts the JWT 
token from the request headers and delegates authentication to the injected AuthenticationManager. If the token is not found, an exception is thrown that stops the request from processing. We also need an override for successful authentication because the default Spring flow would stop the filter chain and proceed with a redirect. Keep in mind we need the chain to execute fully, including generating the response, as explained above.\nJwtAuthenticationProvider.java # public class JwtAuthenticationProvider extends AbstractUserDetailsAuthenticationProvider { @Autowired private JwtUtil jwtUtil; @Override public boolean supports(Class\u0026lt;?\u0026gt; authentication) { return (JwtAuthenticationToken.class.isAssignableFrom(authentication)); } @Override protected void additionalAuthenticationChecks(UserDetails userDetails, UsernamePasswordAuthenticationToken authentication) throws AuthenticationException { } @Override protected UserDetails retrieveUser(String username, UsernamePasswordAuthenticationToken authentication) throws AuthenticationException { JwtAuthenticationToken jwtAuthenticationToken = (JwtAuthenticationToken) authentication; String token = jwtAuthenticationToken.getToken(); User parsedUser = jwtUtil.parseToken(token); if (parsedUser == null) { throw new JwtTokenMalformedException(\u0026#34;JWT token is not valid\u0026#34;); } List\u0026lt;GrantedAuthority\u0026gt; authorityList = AuthorityUtils.commaSeparatedStringToAuthorityList(parsedUser.getRole()); return new AuthenticatedUser(parsedUser.getId(), parsedUser.getUsername(), token, authorityList); } } In this class, we are using Spring’s default AuthenticationManager, but we inject it with our own AuthenticationProvider that does the actual authentication process. 
To implement this, we extend the AbstractUserDetailsAuthenticationProvider, which requires us only to return UserDetails based on the authentication request, in our case, the JWT token wrapped in the JwtAuthenticationToken class. If the token is not valid, we throw an exception. However, if it is valid and JwtUtil parses it successfully, we extract the user details (we will see exactly how in the JwtUtil class), without accessing the database at all. All the information about the user, including his or her roles, is contained in the token itself.\nJwtUtil.java # public class JwtUtil { @Value(\u0026#34;${jwt.secret}\u0026#34;) private String secret; /** * Tries to parse specified String as a JWT token. If successful, returns User object with username, id and role prefilled (extracted from token). * If unsuccessful (token is invalid or not containing all required user properties), simply returns null. * * @param token the JWT token to parse * @return the User object extracted from specified token or null if a token is invalid. */ public User parseToken(String token) { try { Claims body = Jwts.parser() .setSigningKey(secret) .parseClaimsJws(token) .getBody(); User u = new User(); u.setUsername(body.getSubject()); u.setId(Long.parseLong((String) body.get(\u0026#34;userId\u0026#34;))); u.setRole((String) body.get(\u0026#34;role\u0026#34;)); return u; } catch (JwtException | ClassCastException | NumberFormatException e) { return null; } } /** * Generates a JWT token containing username as subject, and userId and role as additional claims. These properties are taken from the specified * User object. Token validity is infinite. 
* * @param u the user for which the token will be generated * @return the JWT token */ public String generateToken(User u) { Claims claims = Jwts.claims().setSubject(u.getUsername()); claims.put(\u0026#34;userId\u0026#34;, u.getId() + \u0026#34;\u0026#34;); claims.put(\u0026#34;role\u0026#34;, u.getRole()); return Jwts.builder() .setClaims(claims) .signWith(SignatureAlgorithm.HS512, secret) .compact(); } } Finally, the JwtUtil class is in charge of parsing the token into a User object and generating the token from the User object. It is straightforward since it uses the jjwt library to do all the JWT work. In our example, we simply store the username, user ID and user roles in the token. We could also store more arbitrary stuff and add more security features, such as the token’s expiration. Parsing of the token is used in the AuthenticationProvider as shown above. The generateToken() method is called from login and signup REST services, which are unsecured and will not trigger any security checks or require a token to be present in the request. In the end, it generates the token that will be returned to the clients, based on the user.\nConclusion # Although the old, standardized security approaches (session cookie, HTTP Basic, and HTTP Digest) will work with REST services as well, they all have problems that would be nice to avoid by using a better standard. JWT arrives just in time to save the day, and most importantly it is very close to becoming an IETF standard.\nJWT’s main strength is handling user authentication in a stateless, and therefore scalable, way, while keeping everything secure with up-to-date cryptography standards. 
Storing claims (user roles and permissions) in the token itself creates huge benefits in distributed system architectures where the server that issues the request has no access to the authentication data source.\n","date":"25 January 2016","externalUrl":null,"permalink":"/posts/rest-security-with-jwt-using-java-and-spring-security/","section":"Posts","summary":"","title":"REST Security with JWT using Java and Spring Security","type":"posts"},{"content":"","date":"25 January 2016","externalUrl":null,"permalink":"/categories/rest-api/","section":"Categories","summary":"","title":"Rest-Api","type":"categories"},{"content":"http://www.toptal.com/#explore-competent-developers-today\nThe following article is a guest post from Toptal. Toptal is an elite network of freelancers that enables businesses to connect with the top 3% of software engineers and designers in the world.\nEver found yourself wondering “what were they thinking?” when integrating a web service via its API? If not, you’ve been far luckier than I have.\nAny software developer knows how easy it is to let a project devolve into spaghetti code, and web APIs are no less prone to resulting in a tangled web. But it doesn’t need to be that way. In truth, it’s possible to design great web APIs that people will actually enjoy using, and that you’ll enjoy creating as well. But how? The answer to that question is what this post is all about.\nPerspective # Most of the time when you’re building solutions, you’re designing for end users who are not programmers, or who are generally not technically sophisticated. You’re giving them a graphical interface and, if you’ve been doing your job right, you’ve gleaned a pretty good idea from them of what they need the interface to do.\nBut API development is different. You’re designing an interface for programmers, probably without even knowing who they are. 
And whoever they are, they will have the technical sophistication (or at least will think they have the technical sophistication) to point out every little flaw in your software. Your users are likely to be as critical of your API as you would be of theirs, and will thoroughly enjoy critiquing it.\nAnd therein lies part of the irony, by the way. If anyone should understand how to make a web API that’s easy-to-use, it’s you. After all, you’re a software engineer just like the users of your API, so you share their perspective. Don’t you?\nWell, while you certainly understand their perspective, you don’t necessarily share their perspective. When you’re developing or enhancing your API, you have the perspective of an API designer whereas they have the perspective of an API user.\nAPI designers typically focus on questions like “What does this service need to do?” or “What does this service need to provide?”, while API users are focused on “How can I use this API to do what I need?”, or more accurately, “How can I spend the bare minimum of effort to get what I need out of this API?”.\nThese different questions lead to two vastly different perspectives. As a result, the necessary prerequisite to designing a great API is to shift your perspective from that of the API designer to that of the API user. In other words, continually ask yourself the questions you would naturally ask if you were your own user. Rather than thinking about what your API can do, think about the different ways it may need or want to be used and then focus on making those tasks as easy as possible for your API’s users.\nWhile this may sound easy and obvious, it’s astounding how infrequently APIs appear to be designed this way. Think about the APIs you’ve encountered in your career. How frequently do they appear to have been designed with this perspective in mind? 
Web API design can be challenging.\nSo with that said, let’s proceed and talk about the 5 Golden Rules for Designing a Great Web API, namely:\nDocumentation Stability and Consistency Flexibility Security Ease of Adoption Rule 1: Documentation # Documentation. Yes, I’m starting here.\nDo you hate documentation? Well, I can empathize, but put on your “user perspective” hat and I’ll bet that the one thing you hate more than having to write documentation is having to try to use an undocumented API. I rest my case.\nThe bottom line is that, if you want anyone to use your API, documentation is essential. You’ve simply got to get this right. It’s the first thing users will see, so in some ways it’s like the gift wrap. Present well, and people are more likely to use your API and put up with any idiosyncrasies.\nSo how do we write good documentation?\nThe relatively easy part is documenting the API methods themselves; i.e., example requests and responses, along with descriptions of each of the elements in both. Fortunately, there are an increasing number of software tools that facilitate and simplify the task of generating documentation. Or you can write something yourself that introspects your API, endpoints, and functions, and generates the corresponding documentation for you.\nBut what separates great documentation from adequate documentation is the inclusion of usage examples and, ideally, tutorials. This is what helps the user understand your API and where to start. It orients them and helps them load your API into their brain.\nFor example, if the developers of Twilio were to list out every class, every method, and every possible response to their API, but didn’t bother to mention that you can send an SMS, track a call, or buy a phone number through their API, it would take a really long time for the API user to find that information and understand it cohesively. 
Can you imagine sorting through a giant tree of classes and methods without any insight into what they were used for, other than their name? Sounds terrible, right? But that’s exactly what so many API providers do, thereby leaving their APIs opaque to anybody but themselves. The Rackspace CloudFiles developer and API guide is one such example; it’s difficult to get your bearings unless you already understand what they’re doing and what they’re providing.\nSo write concise tutorials that help get the developer up and running quickly, with at least a skeleton of what they’re trying to do, and then point them in the direction of the more detailed, fully-documented list of functionality so they can expand on what they have.\nOnce you’re done with your documentation, be sure to validate that it makes sense to people other than yourself. Send it out to other developers in your network, give them no instruction other than pointing them to the documentation, and ask them to follow a tutorial or build something really basic in about 15 minutes. If they can’t have a basic integration with your API in 15 minutes, you have more work to do.\nFor some noteworthy examples of excellent and detailed documentation, check out Twilio, Django, and MailChimp. None of these products are necessarily the best in their markets (although they are all good products), yet they do distinguish themselves by providing some of the best documentation within their markets, which has certainly facilitated their wide acceptance and market share.\nRule 2: Stability and Consistency # If you’ve ever used Facebook’s API, you know how often they deprecate and completely rewrite their APIs. No matter how much you respect their hacker culture, or their product, theirs is not a developer-friendly perspective. 
The reason they are still successful is because they have a billion users, not because their API is great.\nBut you probably don’t have the luxury of such a mammoth user base and market share, so you’re going to need to have a much less volatile API, keeping old versions running and supported for quite a long period of time. Maybe even years. So toward that end, here are some tips and tricks.\nLet’s say, for example, that your API is accessible via the URL http://myapisite.com/api/widgets and provides its response in JSON format. While this may seem fine at first blush, what happens when you need to modify the format of the JSON response? Everyone that’s already integrated with you is going to break. Oops.\nSo do some planning ahead, and version your API from the outset, explicitly incorporating a version number into the URL (e.g., http://myapisite.com/api/widgets?version=1 or http://myapisite.com/api/widgets/v1) so that people can rely on version 1 working and can upgrade to any subsequent version when they’re ready to do so. If you need to phase out a prior version at some point, go ahead, but give plenty of notice and offer some sort of transition plan.\nA good URL scheme will include major versions in the URL. Any change to the output format or supported data types should result in bumping up to a new major version. Generally, it’s acceptable to keep the same version if all you are doing is adding keys or nodes to your output, but to be on the safe side, any time the output changes, bump a version.\nIn addition to being stable over time, APIs need to be internally consistent. I’ve seen many APIs that change parameter names or methods of POSTing data, depending on the endpoint that is being used. 
Instead, you should handle common parameters globally within your API and use inheritance or a shared architecture to reuse the same naming conventions and data handling consistently throughout your API.\nFinally, you need to record and publish a changelog to show differences between versions of your API so that users know exactly how to upgrade.\nRule 3: Flexibility # Garbage in, garbage out (GIGO) is a well-known mantra to most programmers. As applied to web API design, this guiding principle tends to dictate a fairly rigid approach to request validation. Sounds great, right? No mess, no problem.\nYet as with everything, there needs to be some balance. As it is not possible to anticipate every way that users will want to employ your service, and since not every client platform is consistent (i.e., not every platform has very good JSON support, a decent OAuth library, etc.), it’s good to have at least some degree of flexibility or tolerance with regard to your input and output constraints.\nFor example, many APIs will support a variety of output formats, like JSON, YAML, XML, et al., but will only support specifying the format in the URL itself. In the spirit of remaining flexible, you could allow this to also be specified in the URL (e.g., /api/v1/widgets.json), or you might also read and recognize an Accept: application/json HTTP header, or support a querystring variable such as ?format=JSON, and so on.\nAnd while we’re at it, why not allow for the format specified to be case-insensitive, so the user could specify ?format=json as well? That’s a classic example of a way to alleviate unnecessary frustration for the user of your API.\nAnother example is allowing for different ways of inputting variables. So, just like you have a variety of output formats, allow for a variety of input formats as well (e.g., plain POST variables, JSON, XML, etc.). 
You should at least be supporting standard POST variables, and many modern applications support JSON as well, so those two are a good place to start.\nThe point here is that you shouldn’t assume that everyone shares your technical preferences. With a little research into how other APIs work, and through dialog with other developers, you can glean other valuable alternatives that are useful and include them in your API.\nRule 4: Security # Security is obviously one of the most important things to build into your web service, but so many developers make it ridiculously hard to use. As the API provider, you should be offering usable examples of how to authenticate and authorize when accessing your API. This should not be a difficult issue that an end user spends hours working on. Make it your goal that they either don’t have to write any code, or it takes them less than 5 minutes to write it.\nFor most APIs, I prefer a simple token-based authentication, where the token is a random hash assigned to the user and they can reset it at any point if it has been stolen. Allow the token to be passed in through POST or an HTTP header. For example, the user could (and should) send an SHA-1 token as a POST variable, or as a header in a format such as “Authorization: da39a3ee5e6b4b0d3255bfef95601890afd80709”.\nAlso, choose a secure token, not a short numeric identifier. Something irreversible is best. For example, it’s relatively simple to just generate out an SHA token during user creation and store it in the database. Then, you can simply query your database for any users matching that token. You could also do a token generated with a unique identifier and a salt value, something like SHA(User.ID + \u0026quot;abcd123\u0026quot;), and then query for any user that matches; e.g., where TokenFromPost = SHA(User.ID + \u0026quot;abcd123\u0026quot;).\nAnother very good option is OAuth 2 + SSL. 
You should be using SSL anyway, but OAuth 2 is reasonably simple to implement on the server side, and libraries are available for many common programming languages.\nIf the API you have made is supposed to be accessible on a public website via JavaScript, you need to also make sure you validate a list of URLs per-account for the token. That way, nobody can go inspect the calls to your API, steal the token from your user, and go use it for themselves.\nHere are some other important things to keep in mind:\nWhitelisting Functionality. APIs generally allow you to do basic create, read, update, and delete operations on data. But you don’t want to allow these operations for every entity, so make sure each has a whitelist of allowable actions. Make sure, for example, that only authorized users can run commands like /user/delete/\u0026lt;id\u0026gt;. Similarly, all useful headers that are sent in the user’s request need to be validated against a whitelist as well. If you are allowing Content-type headers, verify that whatever the user sends in actually matches a whitelist of supported content types. If it doesn’t, then send back an error message such as a 406 Not Acceptable response. Whitelisting is important as a lot of APIs are automatically generated, or use a blacklist instead, which means you have to be explicit about what you don’t want. However, the golden rule of security is to start with absolutely nothing, and only explicitly allow what you do want. Protect yourself against Cross-Site Request Forgery (CSRF). If you are allowing session or cookie authentication, you need to make sure that you’re protecting yourself from CSRF attacks. The Open Web Application Security Project (OWASP) provides useful guidance on ways to preclude these vulnerabilities. Validate access to resources. In every request, you need to verify that a user is in fact allowed access to the specific item they are referencing. 
So, if you have an endpoint to view a user’s credit card details (e.g., /account/card/view/152423), be sure that the ID “152423” is referencing a resource that the user really is authorized to access. Validate all input. All input from a user needs to be securely parsed, preferably using a well-known library if you are using complicated input like XML or JSON. Don’t build your own parser, or you’re in for a world of hurt. Rule 5: Ease Of Adoption # This is really the most important rule in the bunch, and builds on all the others. As I mentioned during the documentation rule, try this out with people that are new to your API. Make sure that they can get up and running with at least a basic implementation of your API, even if it’s just following a tutorial, within a few minutes. I think 15 minutes is a good goal.\nHere are some specific recommendations to ease and facilitate adoption of your API:\nMake sure people can actually use your API and that it works the first time, every time. Have new people try to implement your API occasionally to verify that it’s not confusing in some way that you’ve become immune to. Keep it simple. Don’t do any fancy authentication. Don’t do some crazy custom URL scheme. Don’t reinvent SOAP, or JSON, or REST, or anything. Use all the tools you can that have already been implemented and are widely accepted, so that developers only have to learn your API, not your API + 10 obscure new technologies. Provide language-specific libraries to interface with your service. There are some nice tools to automatically generate a library for you, such as Alpaca or Apache Thrift. Currently Alpaca supports Node, PHP, Python, and Ruby. Thrift supports C++, Java, Python, PHP, Ruby, Erlang, Perl, Haskell, C#, Cocoa, JavaScript, Node.js, Smalltalk, OCaml, Delphi and more. Simplify any necessary signup. 
If you are not developing an open source API, or if there is a signup process of any sort, make sure that upon signup, a user is very quickly directed to a tutorial. And make the signup process completely automated without any need for human interaction on your part. Provide excellent support. A big barrier to adoption is lack of support. How will you handle and respond to a bug report? What about unclear documentation? An unsophisticated user? Forums, bug trackers, and email support are fantastic starts, but do make sure that when someone posts a bug, you really address it. Nobody wants to see a ghost town forum or a giant list of bugs that haven’t been addressed. Web API Wrap-up # Web services and their APIs abound. Unfortunately, the vast majority are difficult to use. Reasons range from poor design, to lack of documentation, to volatility, to unresolved bugs, or, in some cases, all of the above.\nFollowing the guidance in this post will help ensure that your web API is clean, well-documented, and easy-to-use. 
Such APIs are truly rare and are therefore that much more likely to be widely adopted and used.\n","date":"18 January 2016","externalUrl":null,"permalink":"/posts/5-golden-rules-for-great-web-api-design/","section":"Posts","summary":"","title":"5 Golden Rules for Great Web API Design","type":"posts"},{"content":"","date":"18 January 2016","externalUrl":null,"permalink":"/tags/api/","section":"Tags","summary":"","title":"Api","type":"tags"},{"content":"","date":"14 January 2016","externalUrl":null,"permalink":"/categories/certificate-authority/","section":"Categories","summary":"","title":"Certificate-Authority","type":"categories"},{"content":"","date":"14 January 2016","externalUrl":null,"permalink":"/tags/hiring-guide/","section":"Tags","summary":"","title":"Hiring-Guide","type":"tags"},{"content":"","date":"14 January 2016","externalUrl":null,"permalink":"/tags/job/","section":"Tags","summary":"","title":"Job","type":"tags"},{"content":"The following hiring guide is from Toptal. Toptal is an elite network of freelancers that enables businesses to connect with the top 3% of software engineers and designers in the world.\nSystem Security professionals are experts on preventing and mitigating security breaches that may arise from vulnerabilities in computer systems. This field covers a range of areas of expertise, including information security, network security, and mobile security. System Security professionals must \u0026ldquo;think like a hacker\u0026rdquo; in order to anticipate the main vectors of likely attack by malicious outsiders. They should have a keen eye for the most minute details, plus a well-rounded and in-depth knowledge of computer systems and the tools of the trade.\n
There is a shortage of formal training available to those who wish to go into the security field. While a formal education in computer systems is desirable, many of the best security experts are self-taught hobbyists when it comes to their familiarity with “hacking” and the techniques and vulnerabilities exploited by attackers. Since your security expert will be intimately aware of all of your system’s weakest points, it is critical that you can trust him or her.\nThis article provides a sample System Security Expert job description that will help you write the perfect job ad, and ensure that you find and hire the person that matches your specific criteria.\nSystem Security Expert - Job Description and Ad Template # Company Introduction # {{Write a short and catchy paragraph about your company. Provide information about the company’s culture, perks, and benefits. Mention office hours, remote working possibilities, and anything else that makes your company interesting.}}\nJob Description # We are looking for a Systems Security Expert with emphasis on {{WLAN/networks/web applications/penetration testing}}. You must be passionate about security and staying ahead of all possible threats to the system. You will be working with our development team to ensure that our network and technology stack is watertight. You will become thoroughly familiar with our architecture, helping to direct its development. You will provide regular reports of potential vulnerabilities and risk profiles. 
Good communication skills are critical to efficiently coordinate with our team and build a secure end product.\nResponsibilities # Actively look for security vulnerabilities in our application and network, reporting issues and describing possible solutions. Design and maintain our security infrastructure. Stay up to date with security news, keeping an eye out for the latest vulnerabilities and remedies emerging in the field. Actively liaise with the development team to ensure a secure architecture. Actively liaise with the development team to ensure thorough automated testing of all source code (e.g., via Test-Driven Development). Provide regular reports auditing our current services and latest changes, as well as our internal practices. Monitor our server traffic, ticketing and reporting unusual packets. {{Add other responsibilities here that are relevant.}} Skills and Qualifications # {{Relevant education in Computer Science or Computer Engineering.}} {{Relevant certification, such as CCNA or OWSE.}} Thorough understanding of potential attack vectors such as XSS, injection, hijacking, social engineering, and so on. Thorough understanding of cryptographic primitives and their underlying principles. Sound command of {{your application’s environment}} and the command line. Thorough understanding of networking protocols, such as TCP/IP. Thorough understanding of HTTP and HTTPS, as well as their underlying implementations. Thorough understanding of Content Delivery Networks and their integration into applications. Basic programming proficiency, sufficient to write and execute scripts from the command line. Active in the security community. Regularly attends meetups or conferences. Contributes to open source projects, or creates purpose built tools for security work. Working understanding of Agile Development processes. Excellent communication skills. Ability to translate complex ideas into simple solutions on paper. 
{{Include any framework, library, or any other technology related to your development stack.}} http://www.toptal.com/#explore-competent-developers-today\n","date":"14 January 2016","externalUrl":null,"permalink":"/posts/system-security-expert-job-description-template/","section":"Posts","summary":"","title":"System Security Expert Job Description Template","type":"posts"},{"content":"The following article is a guest post by Nermin Hajdarbegovic, Technical Editor at Toptal. Toptal is an elite network of freelancers that enables businesses to connect with the top 3% of software engineers and designers in the world.\nPasswordless authentication has been the Holy Grail of security for years, but progress has been painfully slow. This does not mean that huge strides have not been made, but unfortunately, most of these developments have been relegated to research labs or professional niches. Until a few years ago, the technology to implement passwordless authentication on a grand scale simply wasn’t available.\nHowever, the industry juggernaut is slowly but surely changing this. There are a few technical, legal and even ethical considerations to take into account, but be that as it may, biometric security and passwordless authentication are here to stay.\nBiometrics are already changing the game, and they will continue to do so.\nWhy Go Passwordless In The First Place? # Since this is an engineering blog, I don’t feel the need to explain to a group of security-minded developers the upsides of fast logins. We need not look at the problem from a consumer perspective – all of us are compelled to use a myriad of online services and an ever increasing number of devices. This won’t change anytime soon, and if anything, the number of services and devices we will have to log into will keep increasing.\nOf course, there are plenty of ways passwords are being dispensed with, including biometric authentication. 
From a user perspective, the use of Google, Microsoft and Facebook accounts to log into third-party services works, since the user can avoid password bloat and not have to create accounts for every service and device.\nOAuth and OpenID have been used for years to consolidate digital identities, and the standards are employed by some of the biggest names in the tech industry.\nTechnically, this is not really a passwordless approach, but the average user might not see the distinction.\nThe pros and cons of using this approach are:\nPros:\nConvenience Easy to implement Good security Brand name peace of mind Cons:\nDependency on a centralised service All eggs in one basket – by compromising one account, an attacker can gain access to others Potential security vulnerabilities, beyond your control, can be used against you People may be reluctant to use such services due to privacy concerns Much of this is true of alternative solutions, although it does not apply to security certificates which are usually relegated to business users rather than consumers. The pros outweigh the cons, hence we can already log into countless third-party services using our existing accounts.\nHow Can Biometrics and Biometric Security Help? # Using biometric authentication systems addresses many issues; there’s no reliance on centralised services, privacy is not a concern, and the user experience is not compromised – provided it’s done right. 
So, let’s take a look at the pros and cons.\nPros:\nFingerprint scanning is quick, cheap and relatively secure Voice recognition is easy to use and difficult to manipulate Iris scans are very secure and potentially more convenient than fingerprint scanning Electrocardiogram technology offers “always on” authentication All biometric security methods address privacy concerns while offering good security Cons:\nBiometrics are not suitable for all applications Cost of deploying biometric security is often prohibitive Support is limited to certain platforms and unavailable on most Some technologies are still immature Biometrics are not a silver bullet – security can still be compromised Biometrics are not a new concept, or a new technology. Biometric security has been used in many industries for decades, and it’s been a staple of Hollywood script writers even longer. I am sure many readers had a chance to play around with facial recognition and fingerprint scanners on their notebooks years ago – I know I did, and I also know I was not impressed; most of these early solutions were cheap gimmicks.\nHowever, we’ve come a long way since then. More processing power is available, along with vastly superior imaging sensors, and everything is backed by increasingly sophisticated software. This is why some of these technologies are making a comeback, which they’re doing with a vengeance.\nIndustry Gives Thumbs Up To Fingerprint Scanners # Apple’s Touch ID is probably the most recognisable fingerprint authentication solution on the market, but it’s by no means the only one. 
Apple opened Touch ID to third-party developers in iOS 8 and proceeded to integrate the technology in new iPhones and iPads, as well as its Apple Pay service.\nThis is why iOS has a clear lead over Android and other platforms; every new iPhone and iPad will ship with Touch ID until Cupertino comes up with something better.\nThis does not mean that Android should be written off because an increasing number of Android phones are shipping with fingerprint scanners. The first biometric authentication devices featured small scanners that required the user to swipe their finger over the scanner, but touch-scan units, similar to Apple’s, are becoming increasingly common. It is important to note that this feature is not reserved for expensive, flagship products – even some $200 phones marketed by Chinese vendors feature such scanners.\nHowever, there is still a consideration; Google has not integrated a fingerprint scanner on any of its Nexus devices, although it is rumoured that it originally intended to include it on the Nexus 6 smartphone. In fact, Android Open Source Project (AOSP) provided evidence that fingerprint support was removed from the device. This is not good news for Android developers, as Google usually showcases new technology on Nexus devices and follows up with documentation and APIs, as was the case with NFC support on the Nexus S, or the barometer sensor on the Galaxy Nexus.\nStill, this did not prevent vendors from using their own code, with a few types of scanners. But, this is bad news for developers whose hands are tied since there is no standard that would eliminate fragmentation and insure interoperability. Samsung tried to overcome the problem by allowing developers to play around with its Pass API, but this is still not an ideal solution. 
Motorola tried to do the same four years ago with its old Atrix devices.\nA number of hardware manufacturers and developers also released SDKs enabling developers to integrate support for various fingerprint scanners, but the lack of a standardised environment that would reduce or eliminate fragmentation is still a big issue.\nIt may take a while before we see fingerprint scanners on most phones, but a lot of progress is being made. We went from no scanners on flagship phones to relatively reliable scanners on $200 phones in the space of a couple of years.\nBut, how useful are they? Are they just gimmicks like first-generation fingerprint scanners on old notebooks?\nThe technology works, there is no doubt about that, but for the time being applications are limited. Software development has to catch up with hardware, we need more services that can use such solutions, and we need more APIs and standards and guidelines from industry leaders (namely, Google). At this point, fingerprint scanners on many Android devices are gimmicks, nothing more.\nOverall, fingerprint scanners are convenient, but they’re not an ideal solution. While every fingerprint is unique, there are still some security concerns. Many scanners can be tricked, although it is getting increasingly difficult to pull this off with a simple image. There are alternatives though, including 3D printing, and some morbid ways of doing this, as one security expert pointed out a couple of years ago.\nNeedless to say, you can’t use fingerprint readers with gloves, an injured thumb, or in other extreme situations. But, these are relatively minor drawbacks.\nMicrosoft Wants To Look You In The Eye # So, let’s sum up. Android and iOS can already use fingerprint scanners for biometric security, and they are currently underutilised. But what about desktop environments? 
We can unlock our phones and authenticate payments using biometrics, but we still work on desktops, so how about making them truly passwordless?\nMicrosoft recently announced Windows Hello and in case you missed it, check out the official Windows blog for a comprehensive overview of this initiative.\nThis is how Microsoft explains its vision for Windows Hello:\nInstead of using a shared or shareable secret like a password, Windows 10 helps to securely authenticate to applications, websites and networks on your behalf—without sending up a password. Thus, there is no shared password stored on their servers for a hacker to potentially compromise.\nWindows 10 will ask you to verify that you have possession of your device before it authenticates on your behalf, with a PIN or Windows Hello on devices with biometric sensors. Once authenticated with ‘Passport,’ you will be able to instantly access a growing set of websites and services across a range of industries – favorite commerce sites, email and social networking services, financial institutions, business networks and more.\nWindows Hello is a biometric authentication system that will enable users to instantly access their Windows 10 devices, using fingerprint scanning, iris scanning or facial recognition. Microsoft says “plenty” of new Windows 10 devices will support Windows Hello, but, personally, I find one technique particularly interesting.\nIris scanning is one of the methods supported by Microsoft and it has a few benefits over the alternatives. It should be more reliable, and potentially more convenient, than fingerprint scanning. In case you were wondering, this won’t be handled by our webcams or phone cameras – Microsoft wants to use “a combination of special hardware and software” to make sure the system can’t be beaten.\nThe iris scanner will rely on infrared technology (potentially, near-infrared). 
This means it will be able to operate in all lighting conditions and see your iris through glasses, even tinted glasses. Hardware designers won’t have to set aside a lot of room on a device to integrate the scanner; it could be integrated right next to the selfie cam on our mobiles, or as an addition to the standalone web cameras used on many office machines today. This means it could be easily retrofitted to existing desktop PCs.\nAside from infrared scanners, Microsoft will also use more traditional biometric security measures such as facial recognition, relying on Intel RealSense camera technology. This should help make Windows Hello more prolific, especially as users upgrade to new notebooks and hybrids based on Intel platforms.\nOn the mobile front, an iris scan offers several advantages over fingerprint authentication; it can work with gloves, iris injuries are a lot less common than thumb injuries, and it should be much more difficult to beat a consumer grade iris scanner than a fingerprint scanner.\nThere is another angle to Microsoft’s approach – the software giant won’t store users’ biometric data. The biometric signature will be secured locally on devices and shared with no one but the user. The signature will only be used to unlock the device and Passport, so it won’t be used to authenticate users over the network.\nThe jury is still out on Microsoft’s biometrics plans and we will have to wait for Windows 10 to see it in action.\nWhat About Always-On Authentication? # While all these technologies might do a good job at replacing traditional passwords, there are emerging concepts that could give engineers more freedom. What if we could dispense with the process entirely, no passwords, no fingerprint scans – nothing?\n“Always-on authentication” is the next frontier, and a number of ways of getting there have already been proposed. However, an important distinction needs to be made. 
Always-on authentication usually refers to machine-to-machine authentication, such as a system of “always-on” SSL authentication, SSH connections, NFC credentials and various networking technologies. These are usually developed to monitor and authenticate financial transactions, thus reducing the risk of online fraud.\nThere are relatively few solutions for always-on user authentication. One such example is Bionym’s Nymi wristband. It is a wearable device that looks a lot like your average fitness tracker, but it’s more clever than that.\nNymi scans the user’s unique electrocardiogram (ECG). This means that you only need to have the device on your wrist to provide always-on authentication. As long as your heart keeps beating, you’ll be logged in.\nIf you’re thinking of trying the same trick on the Apple Watch or Android Wear watches, hold your horses, we’re not there yet. The Nymi doesn’t merely track the user’s heart rate like a smartwatch, it actually analyses the shape of the user’s ECG wave, which takes a more sensitive sensor. Smartwatches sound like the ideal hardware platform for this application and, sooner or later, they will be able to do the same thing.\nImagine unlocking your phone, car, office and computer simply by being there and having a pulse? Logging into any account seamlessly, then paying for lunch, doing some shopping on the way home and maybe withdrawing cash from an ATM, all without having to juggle your groceries and credit cards. We’re not there, yet, but we are slowly getting there.\nWhat Does All This Mean For Software Developers And Users? # For the time being, software developers can use off-the-shelf middleware and tokenization to deploy passwordless solutions. One such example is Passwordless, a token-based, open-source framework for Node.js and Express. 
In case you are interested in how it’s deployed, Mozilla has a comprehensive blog post that explains it.\nIt will take a while, but biometric building blocks are slowly falling into place. The current crop of passwordless technologies will be augmented, and eventually replaced by biometric authentication.\nMany biometric security skeptics, including many of my colleagues, don’t believe this will happen anytime soon, but I am an incorrigible optimist; I think passwordless security will be standard by the end of the decade, and this is why: If we merely observe one particular field, be it software or hardware, we will find countless problems with biometrics, many of which I’ve already outlined. However, if we take a few steps back and look at the big picture, if we take a look at new industry trends and the increasing emphasis on personal and corporate security, highly publicised security breaches, privacy concerns – we are bound to see things from a different perspective.\nEven so, the elephant in the room isn’t privacy or B2B security, it’s mobile payments.\nThe volume of mobile transactions in the US is expected to more than double this year to $10bn. By 2018, Bloomberg expects the volume to reach $110bn. On a per-capita basis, the average American consumer will make about $30 in transactions this year, but by 2018 the number will go up to $330 per capita, for every man, woman and child. 
Assuming the same compound annual growth rate in 2019 and 2020, we could be looking at four digits per capita by 2021.\nWith that sort of money in play, what do you think?\n","date":"5 January 2016","externalUrl":null,"permalink":"/posts/biometric-security-the-key-to-passwordless-authentication-or-a-fad/","section":"Posts","summary":"","title":"Biometric Security – The Key To Passwordless Authentication Or A Fad?","type":"posts"},{"content":"","date":"1 January 2016","externalUrl":null,"permalink":"/tags/java/","section":"Tags","summary":"","title":"Java","type":"tags"},{"content":"","date":"1 January 2016","externalUrl":null,"permalink":"/tags/online-security/","section":"Tags","summary":"","title":"Online-Security","type":"tags"},{"content":"The following article is a guest post by Mikhail Selivanov, Freelance Java Developer at Toptal. Toptal is an elite network of freelancers that enables businesses to connect with the top 3% of software engineers and designers in the world.\nJava is a programming language that was initially developed for interactive television, but over time it has spread almost everywhere software can be used. Designed with the notion of object-oriented programming, abolishing the complexities of other languages such as C or C++, garbage collection, and an architecturally agnostic virtual machine, Java created a new way of programming. Moreover, it has a gentle learning curve and appears to successfully adhere to its own motto - “Write once, run everywhere”, which is almost always true; but Java problems are still present. I’ll be addressing ten Java problems that I think are the most common mistakes. In case you missed it, you may check out my post on The 5 Most Common Mistakes HTML5 Developers Make: A Beginner’s Guide here.\nCommon Mistake #1: Neglecting Existing Libraries # It’s definitely a mistake for Java Developers to ignore the innumerable libraries written in Java. 
Before reinventing the wheel, try to search for available libraries - many of them have been polished over the years of their existence and are free to use. These could be logging libraries, like logback and Log4j, or network related libraries, like Netty or Akka. Some of the libraries, such as Joda-Time, have become a de facto standard.\nThe following is a personal experience from one of my previous projects. The part of the code responsible for HTML escaping was written from scratch. It was working well for years, but eventually it encountered a user input which caused it to spin into an infinite loop. The user, finding the service to be unresponsive, attempted to retry with the same input. Eventually, all the CPUs on the server allocated for this application were being occupied by this infinite loop. If the author of this naive HTML escape tool had decided to use one of the well known libraries available for HTML escaping, such as HtmlEscapers from Google Guava, this probably wouldn’t have happened. At the very least, true for most popular libraries with a community behind it, the error would have been found and fixed earlier by the community for this library.\nCommon Mistake #2: Missing the ‘break’ Keyword in a Switch-Case Block # These Java issues can be very embarrassing, and sometimes remain undiscovered until run in production. Fallthrough behavior in switch statements is often useful; however, missing a “break” keyword when such behavior is not desired can lead to disastrous results. If you have forgotten to put a “break” in “case 0” in the code example below, the program will write “Zero” followed by “One”, since the control flow inside here will go through the entire “switch” statement until it reaches a “break”. 
For example:\npublic static void switchCasePrimer() {\n    int caseIndex = 0;\n    switch (caseIndex) {\n        case 0:\n            System.out.println(\u0026#34;Zero\u0026#34;);\n            // no break here: execution falls through into case 1\n        case 1:\n            System.out.println(\u0026#34;One\u0026#34;);\n            break;\n        case 2:\n            System.out.println(\u0026#34;Two\u0026#34;);\n            break;\n        default:\n            System.out.println(\u0026#34;Default\u0026#34;);\n    }\n}\nIn most cases, the cleaner solution would be to use polymorphism and move code with specific behaviors into separate classes. Java mistakes such as this one can be detected using static code analyzers, e.g. FindBugs and PMD.\nCommon Mistake #3: Forgetting to Free Resources # Every time a program opens a file or network connection, it is important for Java beginners to free the resource once you are done using it. Similar caution should be taken if any exception were to be thrown during operations on such resources. One could argue that the FileInputStream has a finalizer that invokes the close() method on a garbage collection event; however, since we can’t be sure when a garbage collection cycle will start, the input stream can consume computer resources for an indefinite period of time. In fact, there is a really useful and neat statement introduced in Java 7 particularly for this case, called try-with-resources:\nprivate static void printFileJava7() throws IOException {\n    try (FileInputStream input = new FileInputStream(\u0026#34;file.txt\u0026#34;)) {\n        int data = input.read();\n        while (data != -1) {\n            System.out.print((char) data);\n            data = input.read();\n        }\n    }\n}\nThis statement can be used with any object that implements the AutoCloseable interface. It ensures that each resource is closed by the end of the statement.\nCommon Mistake #4: Memory Leaks # Java uses automatic memory management, and while it’s a relief to forget about allocating and freeing memory manually, it doesn’t mean that a beginning Java developer should not be aware of how memory is used in the application. 
Problems with memory allocations are still possible. As long as a program creates references to objects that are not needed anymore, they will not be freed. In a way, we can still call this a memory leak. Memory leaks in Java can happen in various ways, but the most common reason is everlasting object references, because the garbage collector can’t remove objects from the heap while there are still references to them. One can create such a reference by defining a class with a static field containing some collection of objects, and forgetting to set that static field to null after the collection is no longer needed. Static fields are considered GC roots and are never collected.\nAnother potential reason behind such memory leaks is a group of objects referencing each other, causing circular dependencies so that the garbage collector can’t decide whether these objects with cross-dependency references are needed or not. Another issue is leaks in non-heap memory when JNI is used.\nThe primitive leak example could look like the following:\nfinal ScheduledExecutorService scheduledExecutorService = Executors.newScheduledThreadPool(1);\nfinal Deque\u0026lt;BigDecimal\u0026gt; numbers = new LinkedBlockingDeque\u0026lt;\u0026gt;();\nfinal BigDecimal divisor = new BigDecimal(51);\n\nscheduledExecutorService.scheduleAtFixedRate(() -\u0026gt; {\n    BigDecimal number = numbers.peekLast();\n    if (number != null \u0026amp;\u0026amp; number.remainder(divisor).byteValue() == 0) {\n        System.out.println(\u0026#34;Number: \u0026#34; + number);\n        System.out.println(\u0026#34;Deque size: \u0026#34; + numbers.size());\n    }\n}, 10, 10, TimeUnit.MILLISECONDS);\n\nscheduledExecutorService.scheduleAtFixedRate(() -\u0026gt; {\n    numbers.add(new BigDecimal(System.currentTimeMillis()));\n}, 10, 10, TimeUnit.MILLISECONDS);\n\ntry {\n    scheduledExecutorService.awaitTermination(1, TimeUnit.DAYS);\n} catch (InterruptedException e) {\n    e.printStackTrace();\n}\nThis example creates two 
scheduled tasks. The first task takes the last number from a deque called “numbers” and prints the number and deque size in case the number is divisible by 51. The second task puts numbers into the deque. Both tasks are scheduled at a fixed rate, and run every 10 ms. If the code is executed, you’ll see that the size of the deque is permanently increasing. This will eventually cause the deque to be filled with objects consuming all available heap memory. To prevent this while preserving the semantics of this program, we can use a different method for taking numbers from the deque: “pollLast”. Contrary to the method “peekLast”, “pollLast” returns the element and removes it from the deque while “peekLast” only returns the last element.\nTo learn more about memory leaks in Java, please refer to our article that demystified this problem.\nCommon Mistake #5: Excessive Garbage Allocation # Excessive garbage allocation may happen when the program creates a lot of short-lived objects. The garbage collector works continuously, removing unneeded objects from memory, which impacts applications’ performance in a negative way. One simple example:\nString oneMillionHello = \u0026#34;\u0026#34;;\nfor (int i = 0; i \u0026lt; 1000000; i++) {\n    oneMillionHello = oneMillionHello + \u0026#34;Hello!\u0026#34;;\n}\nSystem.out.println(oneMillionHello.substring(0, 6));\nIn Java, strings are immutable. So, on each iteration a new string is created. 
To address this we should use a mutable StringBuilder:\nStringBuilder oneMillionHelloSB = new StringBuilder();\nfor (int i = 0; i \u0026lt; 1000000; i++) {\n    oneMillionHelloSB.append(\u0026#34;Hello!\u0026#34;);\n}\nSystem.out.println(oneMillionHelloSB.toString().substring(0, 6));\nWhile the first version requires quite a bit of time to execute, the version that uses StringBuilder produces a result in significantly less time.\nCommon Mistake #6: Using Null References without Need # Avoiding excessive use of null is a good practice. For example, it’s preferable to return empty arrays or collections from methods instead of nulls, since it can help prevent NullPointerException.\nConsider the following method that traverses a collection obtained from another method, as shown below:\nList\u0026lt;String\u0026gt; accountIds = person.getAccountIds();\nfor (String accountId : accountIds) {\n    processAccount(accountId);\n}\nIf getAccountIds() returns null when a person has no account, then NullPointerException will be raised. To fix this, a null-check will be needed. However, if instead of a null it returns an empty list, then NullPointerException is no longer a problem. Moreover, the code is cleaner since we don’t need to null-check the variable accountIds.\nTo deal with other cases when one wants to avoid nulls, different strategies may be used. One of these strategies is to use the Optional type that can either be an empty object or a wrap of some value:\nOptional\u0026lt;String\u0026gt; optionalString = Optional.ofNullable(nullableString);\nif(optionalString.isPresent()) {\n    System.out.println(optionalString.get());\n}\nIn fact, Java 8 provides a more concise solution:\nOptional\u0026lt;String\u0026gt; optionalString = Optional.ofNullable(nullableString);\noptionalString.ifPresent(System.out::println);\nThe Optional type has been a part of Java since version 8, but it has been well known for a long time in the world of functional programming. 
Prior to this, it was available in Google Guava for earlier versions of Java.\nCommon Mistake #7: Ignoring Exceptions # It is often tempting to leave exceptions unhandled. However, the best practice for beginner and experienced Java developers alike is to handle them. Exceptions are thrown on purpose, so in most cases we need to address the issues causing these exceptions. Do not overlook these events. If necessary, you can either rethrow it, show an error dialog to the user, or add a message to the log. At the very least, it should be explained why the exception has been left unhandled in order to let other developers know the reason.\nselfie = person.shootASelfie();\ntry {\n    selfie.show();\n} catch (NullPointerException e) {\n    // Maybe, invisible man. Who cares, anyway?\n}\nA clearer way of highlighting an exception’s insignificance is to encode this message into the exception’s variable name, like this:\ntry { selfie.delete(); } catch (NullPointerException unimportant) { }\nCommon Mistake #8: Concurrent Modification Exception # This exception occurs when a collection is modified while iterating over it using methods other than those provided by the iterator object. For example, we have a list of hats and we want to remove all those that have ear flaps:\nList\u0026lt;IHat\u0026gt; hats = new ArrayList\u0026lt;\u0026gt;();\nhats.add(new Ushanka()); // that one has ear flaps\nhats.add(new Fedora());\nhats.add(new Sombrero());\nfor (IHat hat : hats) {\n    if (hat.hasEarFlaps()) {\n        hats.remove(hat);\n    }\n}\nIf we run this code, “ConcurrentModificationException” will be raised since the code modifies the collection while iterating it. The same exception may occur if one of the multiple threads working with the same list is trying to modify the collection while others iterate over it. 
Concurrent modification of collections in multiple threads is a natural thing, but should be treated with usual tools from the concurrent programming toolbox such as synchronization locks, special collections adapted for concurrent modification, etc. There are subtle differences to how this Java issue can be resolved in single threaded cases and multithreaded cases. Below is a brief discussion of some ways this can be handled in a single threaded scenario:\nCollect objects and remove them in another loop # Collecting hats with ear flaps in a list to remove them later from within another loop is an obvious solution, but requires an additional collection for storing the hats to be removed:\nList\u0026lt;IHat\u0026gt; hatsToRemove = new LinkedList\u0026lt;\u0026gt;();\nfor (IHat hat : hats) {\n    if (hat.hasEarFlaps()) {\n        hatsToRemove.add(hat);\n    }\n}\nfor (IHat hat : hatsToRemove) {\n    hats.remove(hat);\n}\nUse Iterator.remove method # This approach is more concise, and it doesn’t need an additional collection to be created:\nIterator\u0026lt;IHat\u0026gt; hatIterator = hats.iterator();\nwhile (hatIterator.hasNext()) {\n    IHat hat = hatIterator.next();\n    if (hat.hasEarFlaps()) {\n        hatIterator.remove();\n    }\n}\nUse ListIterator’s methods # Using the list iterator is appropriate when the modified collection implements the List interface. Iterators that implement the ListIterator interface support not only removal operations, but also add and set operations. ListIterator implements the Iterator interface so the example would look almost the same as the Iterator remove method. The only difference is the type of hat iterator, and the way we obtain that iterator with the “listIterator()” method. 
The snippet below shows how to replace each hat with ear flaps with sombreros using “ListIterator.remove” and “ListIterator.add” methods:\nIHat sombrero = new Sombrero();\nListIterator\u0026lt;IHat\u0026gt; hatIterator = hats.listIterator();\nwhile (hatIterator.hasNext()) {\n    IHat hat = hatIterator.next();\n    if (hat.hasEarFlaps()) {\n        hatIterator.remove();\n        hatIterator.add(sombrero);\n    }\n}\nWith ListIterator, the remove and add method calls can be replaced with a single call to set:\nIHat sombrero = new Sombrero();\nListIterator\u0026lt;IHat\u0026gt; hatIterator = hats.listIterator();\nwhile (hatIterator.hasNext()) {\n    IHat hat = hatIterator.next();\n    if (hat.hasEarFlaps()) {\n        hatIterator.set(sombrero); // set instead of remove and add\n    }\n}\nUse stream methods introduced in Java 8 # With Java 8, programmers have the ability to transform a collection into a stream and filter that stream according to some criteria. Here is an example of how the Stream API could help us filter hats and avoid “ConcurrentModificationException”.\nhats = hats.stream().filter((hat -\u0026gt; !hat.hasEarFlaps()))\n        .collect(Collectors.toCollection(ArrayList::new));\nThe “Collectors.toCollection” method will create a new ArrayList with filtered hats. This can be a problem if the filtering condition were to be satisfied by a large number of items, resulting in a large ArrayList; thus, it should be used with care.\nUse List.removeIf method presented in Java 8 # Another solution available in Java 8, and clearly the most concise, is the use of the “removeIf” method:\nhats.removeIf(IHat::hasEarFlaps);\nThat’s it. 
Under the hood, it uses “Iterator.remove” to accomplish the behavior.\nUse specialized collections # If at the very beginning we decided to use “CopyOnWriteArrayList” instead of “ArrayList”, then there would have been no problem at all, since “CopyOnWriteArrayList” provides modification methods (such as set, add, and remove) that don’t change the backing array of the collection, but rather create a new modified version of it. This allows iteration over the original version of the collection and modifications on it at the same time, without the risk of “ConcurrentModificationException”. The drawback of that collection is obvious - generation of a new collection with each modification.\nThere are other collections tuned for different cases, e.g. “CopyOnWriteArraySet” and “ConcurrentHashMap”.\nAnother possible mistake with concurrent collection modifications is to create a stream from a collection, and during the stream iteration, modify the backing collection. The general rule for streams is to avoid modification of the underlying collection during stream querying. The following example will show an incorrect way of handling a stream:\nList\u0026lt;IHat\u0026gt; filteredHats = hats.stream().peek(hat -\u0026gt; {\n    if (hat.hasEarFlaps()) {\n        hats.remove(hat);\n    }\n}).collect(Collectors.toCollection(ArrayList::new));\nThe method peek gathers all the elements and performs the provided action on each one of them. Here, the action is attempting to remove elements from the underlying list, which is erroneous. To avoid this, try some of the methods described above.\nCommon Mistake #9: Breaking Contracts # Sometimes, code that is provided by the standard library or by a third-party vendor relies on rules that should be obeyed in order to make things work. For example, it could be the hashCode and equals contract, which, when followed, guarantees correct behavior for a set of collections from the Java collection framework, and for other classes that use hashCode and equals methods. 
Disobeying contracts isn’t the kind of error that always leads to exceptions or breaks code compilation; it’s more tricky, because sometimes it changes application behavior without any sign of danger. Erroneous code could slip into production release and cause a whole bunch of undesired effects. This can include bad UI behavior, wrong data reports, poor application performance, data loss, and more. Fortunately, these disastrous bugs don’t happen very often. I already mentioned the hashCode and equals contract. It is used in collections that rely on hashing and comparing objects, like HashMap and HashSet. Simply put, the contract contains two rules:\nIf two objects are equal, then their hash codes should be equal.\nIf two objects have the same hash code, then they may or may not be equal.\nBreaking the contract’s first rule leads to problems while attempting to retrieve objects from a hashmap. The second rule signifies that objects with the same hash code aren’t necessarily equal. Let us examine the effects of breaking the first rule:\npublic static class Boat {\n    private String name;\n\n    Boat(String name) {\n        this.name = name;\n    }\n\n    @Override\n    public boolean equals(Object o) {\n        if (this == o) return true;\n        if (o == null || getClass() != o.getClass()) return false;\n\n        Boat boat = (Boat) o;\n\n        return !(name != null ? !name.equals(boat.name) : boat.name != null);\n    }\n\n    @Override\n    public int hashCode() {\n        return (int) (Math.random() * 5000);\n    }\n}\nAs you can see, class Boat has overridden equals and hashCode methods. However, it has broken the contract, because hashCode returns random values for the same object every time it’s called. 
The following code will most likely not find a boat named “Enterprise” in the hashset, despite the fact that we added that kind of boat earlier:\npublic static void main(String[] args) {\n    Set\u0026lt;Boat\u0026gt; boats = new HashSet\u0026lt;\u0026gt;();\n    boats.add(new Boat(\u0026#34;Enterprise\u0026#34;));\n\n    System.out.printf(\u0026#34;We have a boat named \u0026#39;Enterprise\u0026#39; : %b\\n\u0026#34;, boats.contains(new Boat(\u0026#34;Enterprise\u0026#34;)));\n}\nAnother example of a contract involves the finalize method. Here is a quote from the official Java documentation describing its function:\n“The general contract of finalize is that it is invoked if and when the Java™ virtual machine has determined that there is no longer any means by which this object can be accessed by any thread (that has not yet died), except as a result of an action taken by the finalization of some other object or class which is ready to be finalized. The finalize method may take any action, including making this object available again to other threads; the usual purpose of finalize, however, is to perform cleanup actions before the object is irrevocably discarded. For example, the finalize method for an object that represents an input/output connection might perform explicit I/O transactions to break the connection before the object is permanently discarded.”\nOne could decide to use the finalize method for freeing resources like file handlers, but that would be a bad idea. This is because there are no time guarantees on when finalize will be invoked, since it’s invoked during the garbage collection, and GC’s time is indeterminable.\nCommon Mistake #10: Using Raw Type Instead of a Parameterized One # Raw types, according to Java specifications, are types that are either not parametrized, or non-static members of class R that are not inherited from the superclass or superinterface of R. There were no alternatives to raw types until generic types were introduced in Java. 
Java has supported generic programming since version 1.5, and generics were undoubtedly a significant improvement. However, due to backward compatibility reasons, a pitfall has been left that could potentially break the type system. Let’s look at the following example:\nList listOfNumbers = new ArrayList();\nlistOfNumbers.add(10);\nlistOfNumbers.add(\u0026#34;Twenty\u0026#34;);\nlistOfNumbers.forEach(n -\u0026gt; System.out.println((int) n * 2));\nHere we have a list of numbers defined as a raw ArrayList. Since its type isn’t specified with a type parameter, we can add any object into it. But in the last line we cast elements to int, double them, and print the doubled number to standard output. This code will compile without errors, but once running it will raise a runtime exception because we attempted to cast a string to an integer. Obviously, the type system is unable to help us write safe code if we hide necessary information from it. To fix the problem we need to specify the type of objects we’re going to store in the collection:\nList\u0026lt;Integer\u0026gt; listOfNumbers = new ArrayList\u0026lt;\u0026gt;();\n\nlistOfNumbers.add(10);\nlistOfNumbers.add(\u0026#34;Twenty\u0026#34;);\n\nlistOfNumbers.forEach(n -\u0026gt; System.out.println((int) n * 2));\nThe only difference from the original is the line defining the collection:\nList\u0026lt;Integer\u0026gt; listOfNumbers = new ArrayList\u0026lt;\u0026gt;();\nThe fixed code wouldn’t compile because we are trying to add a string into a collection that is expected to store integers only. The compiler will show an error and point at the line where we are trying to add the string “Twenty” to the list. It’s always a good idea to parametrize generic types. 
That way, the compiler is able to make all possible type checks, and the chances of runtime exceptions caused by type system inconsistencies are minimized.\nConclusion # Java as a platform simplifies many things in software development, relying both on sophisticated JVM and the language itself. However, its features, like removing manual memory management or decent OOP tools, don’t eliminate all the problems and issues a regular Java developer faces. As always, knowledge, practice and Java tutorials like this are the best means to avoid and address application errors - so know your libraries, read java, read JVM documentation, and write programs. Don’t forget about static code analyzers either, as they could point to the actual bugs and highlight potential bugs.\n","date":"1 January 2016","externalUrl":null,"permalink":"/posts/top-10-most-common-mistakes-that-java-developers-make-a-java-beginners-tutorial/","section":"Posts","summary":"","title":"Top 10 Most Common Mistakes That Java Developers Make: A Java Beginner’s Tutorial","type":"posts"},{"content":"","date":"28 December 2015","externalUrl":null,"permalink":"/categories/html5/","section":"Categories","summary":"","title":"Html5","type":"categories"},{"content":"The following article is a guest post by Demir Selmanovic, the Lead Technical Editor at Toptal. Toptal is an elite network of freelancers that enables businesses to connect with the top 3% of software engineers and designers in the world.\nIt’s been over 20 years since Tim Berners-Lee and Robert Cailliau specified HTML, which became the standard markup language used to build the Internet. Ever since then, the HTML development community has begged for improvements to this language, but this cry was mostly heard by web browser developers who tried to ease the HTML issues of their colleagues. Unfortunately, this led to even more problems causing many cross-browser compatibility issues and duplication of development work. 
Over these 20 years, HTML was upgraded 4 times, while most of the browsers got double-digit numbers of major updates plus numerous small patches.\nHTML5 was supposed to finally solve our problems and become one standard to rule them all (browsers). This was probably one of the most anticipated technologies since the creation of the World Wide Web. Has it happened? Did we finally get one markup language that will be fully cross-browser compatible and will work on all desktop and mobile platforms giving us all of those features we were asking for? I don’t know! Just a few days ago (Sept. 16th 2014) we received one more call for review by W3C so the HTML5 specification is still incomplete.\nHopefully, when the specification is one day finalized, browsers will not already have significant obsolete code, and they will easily and properly implement great features like Web Workers, Multiple synchronized audio and video elements, and other HTML5 components that we’ve needed for a long time.\nGive hasty developers an incomplete spec, and you\u0026rsquo;ll have a recipe for disaster.\nWe do however have thousands of companies that have based their businesses on HTML5 and are doing great. There are also many great HTML5-based applications and games used by millions of people, so success is obviously possible and HTML5 is, and will continue to be, used regardless of the status of its specification.\nHowever, the recipe I mentioned can easily blow up in our faces, and thus I’ve emphasized some of the most basic HTML5 mistakes that can be avoided. Most of the mistakes listed below are a consequence of incomplete or missing implementation of certain HTML5 elements in different browsers, and we should hope that in the near future they will become obsolete. Until this happens, I suggest reading the list and having it in mind when building your next HTML5 application whether you’re an HTML5 beginner or an experienced vet.\nCommon mistake #1: Trusting local storage # Let them eat cake! 
This approach has been a burden on developers for ages. Due to reasonably sensible fear of security breaches and protection of computers, in the “dark ages” when the Internet was feared by many, web applications were allowed to leave unreasonably small amounts of data on computers. True, there were things like user data that “great browser masters from Microsoft®” gave us, or things like Local Shared Objects in Flash, but this was far from perfect.\nIt is therefore reasonable that one of the first basic HTML5 features adopted by developers was Web Storage. However, be alert that Web Storage is not secure. It is better than using cookies because it will not be transmitted over the wire, but it is not encrypted. You should definitely never store security tokens there. Your security policy should never rely on data stored in Web Storage as a malicious user can easily modify her localStorage and sessionStorage values at any time.\nTo get more insight on Web Storage and how to use it, I suggest reading this post.\nCommon mistake #2: Expecting compatibility among browsers # HTML5 is much more than a simple markup language. It has matured enough to combine behavior together with layout, and you should consider HTML5 as extended HTML with advanced JavaScript on top. If you look at all the trouble we had before just to make a static combination of HTML+CSS look identical on all browsers, it is fair to assume that more complexity will just mean more effort assuring cross-browser compatibility.\nHTML5 interpretation on different browsers is far from identical, just like the case was with JavaScript. All major players in the browser wars lent a hand in the HTML5 spec, so it’s fair to assume that deviations between browsers should reduce over time. But even now some browsers decided to fully ignore certain HTML5 elements making it very difficult to follow a baseline and common set of features. 
If we add more internet connected devices and platforms to the equation, the situation gets even more complicated, causing problems with HTML5.\nFor example, Web Animations are a great feature that is supported only by Chrome and Opera, while the Web Notification feature, which allows alerting the user outside the context of a web page of an occurrence, such as the delivery of email, is fully ignored by Internet Explorer.\nTo learn more about HTML5 features and support by different browsers check out the HTML5 guide at www.caniuse.com.\nSo the fact remains that even though HTML5 is new and well specified, we should expect a great deal of cross-browser compatibility issues and plan for them in advance. There are just too many gaps that browsers need to fill in, and it is fair to expect that they cannot overcome all of the differences between platforms well.\nCommon mistake #3: Assuming high performance # Regardless of the fact that HTML5 is still evolving, it is a very powerful technology that has many advantages over alternate platforms used before its existence. But, with great power comes great responsibility, especially for HTML5 beginners. HTML5 has been adopted by all major browsers on desktop and mobile platforms. Having this in mind, many development teams pick HTML5 as their preferred platform, hoping that their applications will run equally on all browsers. However, assuming sensible performance on both desktop and mobile platforms just because the HTML5 specification says so is not sensible. Lots of companies (khm! Facebook khm!) placed their bets on HTML5 for their mobile platform and suffered from HTML5 not working out as they planned.\nAgain, however, there are some great companies that rely heavily on HTML5. Just look at the numerous online game development studios that are doing amazing stuff while pushing HTML5 and browsers to their limits. 
Obviously, as long as you are aware of the performance issues and are working around these, you can be in a great place making amazing applications.\nCommon mistake #4: Limited accessibility # The Web has become a very important part of our lives. Making applications accessible to people who rely upon assistive technology is an important topic that is often put aside in software development. HTML5 tries to overcome this by implementing some of the advanced accessibility features. More than a few developers accepted this to be sufficient and haven’t really spent any time implementing additional accessibility options in their applications. Unfortunately, at this stage HTML5 has issues that prevent it from making your applications available to everyone and you should expect to invest additional time if you want to include a broader range of users.\nYou can check this place for more information about accessibility in HTML5 and the current state of the most common accessibility features.\nCommon mistake #5: Not using HTML5 enhancements # HTML5 has extended the standard HTML/XHTML set of tags significantly. In addition to new tags, we got quite a few new rules and behaviors. Too many developers picked up just a few enhancements and have skipped some of the very cool new features of HTML5.\nOne of the coolest things in HTML5 is client-side validation. This feature was probably one of the earliest elements of HTML5 that web browsers picked up. But, unfortunately, you can find more than a few developers who add the novalidate attribute to their forms by default. The reasons for doing this are reasonable, and I’m quite sure we will have a debate about this one. Due to backward compatibility, many applications implemented custom JavaScript validators and having out-of-the-box validation done by browsers on top of that is inconvenient. 
However, it is not too difficult to assure that two validation methods will not collide, and standardizing user validation will ensure a common experience while helping to resolve accessibility issues that I mentioned earlier.\nAnother great feature is related to the way user input is handled in HTML5. Before HTML5 came, we had to keep all of our form fields contained inside the \u0026lt;form\u0026gt;\u0026lt;/form\u0026gt; tag. New form attributes make it perfectly valid to do something like this:\n\u0026lt;form action=\u0026#34;demo_form.asp\u0026#34; id=\u0026#34;form1\u0026#34;\u0026gt;\n  First name: \u0026lt;input type=\u0026#34;text\u0026#34; name=\u0026#34;fname\u0026#34;\u0026gt;\u0026lt;br\u0026gt;\n  \u0026lt;input type=\u0026#34;submit\u0026#34; value=\u0026#34;Submit\u0026#34;\u0026gt;\n\u0026lt;/form\u0026gt;\n\nLast name: \u0026lt;input type=\u0026#34;text\u0026#34; name=\u0026#34;lname\u0026#34; form=\u0026#34;form1\u0026#34;\u0026gt;\nEven if lname is not inside the form, it will be posted together with fname.\nFor more information about new form attributes and enhancements, you can check the Mozilla Developer Network.\nWrap up # I understand that web developers are collateral damage in the browser wars as many of the above mistakes are a direct consequence of problematic HTML5 implementation in different browsers. However, it is still crucial that we avoid common HTML5 issues and spend some time understanding the new features of HTML5. 
Once we have it all under control, our applications will utilize great new enhancements and take the web to the next level.\nWeb developers are collateral damage in the browser wars.\n","date":"28 December 2015","externalUrl":null,"permalink":"/posts/the-5-most-common-mistakes-html5-developers-make-a-beginners-guide/","section":"Posts","summary":"","title":"The 5 Most Common Mistakes HTML5 Developers Make: A Beginner’s Guide","type":"posts"},{"content":"","date":"23 December 2015","externalUrl":null,"permalink":"/categories/anti-malware/","section":"Categories","summary":"","title":"Anti-Malware","type":"categories"},{"content":"","date":"23 December 2015","externalUrl":null,"permalink":"/tags/google/","section":"Tags","summary":"","title":"Google","type":"tags"},{"content":" Preface # If you know me, or have read my previous post, you know that I worked for a very interesting company before joining Toptal. At this company, our payment provider processed transactions in the neighborhood of $500k per day. Part of my job was to make our provider PCI-DSS compliant—that is, compliant with the Payment Card Industry – Data Security Standard.\nIt’s safe to say that this wasn’t a job for the faint of heart. At this point, I’m pretty intimate with Credit Cards (CCs), Credit Card fraud and web security in general. After all, our job was to protect our users’ data, to prevent it from being hacked, stolen or misused.\nYou could imagine my surprise when I saw Bennett Haselton’s 2007 article on Slashdot: Why Are CC Numbers Still So Easy to Find?. In short, Haselton was able to find Credit Card numbers through Google, firstly by searching for a card’s first eight digits in “nnnn nnnn” format, and later using some advanced queries built on number ranges. For example, he could use “4060000000000000..4060999999999999” to find all the 16 digit Primary Account Numbers (PANs) from CHASE (whose cards all begin with 4060). 
By the way: here’s a full list of Issuer ID numbers.\nAt the time, I didn’t think much of it, as Google immediately began to filter the types of queries that Bennett was using. When you tried to Google a range like that, Google would serve up a page that said something along the lines of “You’re a bad person”.\nAbout six months ago, while reminiscing with an old friend, this credit card number hack came to mind again. Soon-after, I discovered something alarming. Not terribly alarming, but certainly alarming—so I notified Google, and waited. After a month without a response, I notified them again to no avail.\nWith a minor tweak on Haselton’s old trick, I was able to Google Credit Card numbers, Social Security numbers, and any other sensitive information of interest.\nBennett # Yesterday, some friends of mine (buhera.blog.hu and _2501) brought a more recent Slashdot post to my attention: Credit Card Numbers Still Google-able.\nThe article’s author, again Bennett Haselton, who wrote the original article back in 2007, claims that credit card numbers can still be Googled. You can’t use the number range query hack, but it still can be done. Instead of using simple ranges, you need to apply specific formatting to your query. Something like: “1234 5678” (notice the space in the middle). A lot of hits come up for this query, but very few are of actual interest. Among the contestants are phone numbers, zip-codes, and such. Not extremely alarming. But here comes the credit card hack twist.\nThe “Methodology” # I was curious if it was still possible to get credit card numbers online the way we could in 2007. 
As any good Engineer, I usually approach things using a properly construed and intelligent plan that needs to be perfectly executed with the utmost precision. If you have tried that method, you might know that it can fail really hard—in which case your careful planning and effort goes to waste.\nIn IT we have a tendency to over-intellectualize, even when it isn’t exactly warranted. I have seen my friends and colleagues completely break applications using seemingly random inputs. Their success rate was stunning and the effort they put into it was close to zero. That’s when I learned that to open a door, sometimes you just have to knock.\nThe Credit Card “Hack” # The previous paragraph was a cleverly disguised attempt to make me look like less of an idiot when I show off my “elite hacking skills”. Oops.\nFirst, I tried several range-query-based approaches. Then, I looked at advanced queries and pretty much anything you might come up with in an hour or so. None of them yielded significant results.\nAnd then I had a crazy idea.\nWhat if there was a mismatch between the filtering engine and the actual back-end? What if the message I got from Google (“You are a bad person”) wasn’t from the back-end itself, but instead from a designated filtering engine Google had implemented to censor queries like mine?\nIt would make a lot of sense from an architectural perspective. And bugs like that are pretty common—we see them in ITSEC all the time, particularly in IDS/IPS solutions, but also in common software. There’s a filtering procedure that processes data and only gives it to the back-end if it thinks the data is acceptable/non-malicious. However, the back-end and the filtering server almost never parse the input in exactly the same way. Thus, a seemingly valid input can go through the filter and wreak havoc on the back-end, effectively bypassing the filter.\nYou can usually trigger this type of behavior by providing your input in various encodings. 
For example: instead of using decimal numbers (0-9), how about converting them to hexadecimal or octal or binary? Well, guess what…\nSearch for this and Google will tell you that you’re a bad person: “4060000000000000..4060999999999999”\nSearch for this and Google will be happy to oblige: “0xe6c8c69c9c000..0xe6d753e6ecfff”.\nThe only thing you need to do is to convert credit card numbers from decimal to hexadecimal. That’s it.\nThe results include…\nHumongous CSV files filled with potentially sensitive information. Faulty e-commerce log files. Sensitive information shared on hacker sites (and even Facebook). It’s truly scary stuff.\nI know this bug won’t inspire any security research, but there you have it. Google made this boo-boo and neglected to even write me back. Well, it happens. I don’t envy the security folks at the big G, though. They must have a lot of stuff to look out for. I’m posting about this credit card number hack here because:\nIt’s relatively low impact. Anyone who’s interested and motivated will have figured this out by now. To quote Haselton, if the big players aren’t taking responsibility and acting on these exploits, then “the right thing to do is to shine a light on the problem and insist that they fix it as soon as possible”. This trick can be used to look up phone numbers, SSNs, TFNs, and more. And, as Bennett wrote, these numbers are much much harder to change than your Credit Card, for which you can simply call your bank and cancel the card.\nSample Queries # WARNING: Do NOT Google your own credit card number in full!\nLook for any CC PAN starting with 4060: 4060000000000000..4060999999999999 ? 0xe6c8c69c9c000..0xe6d753e6ecfff\nSome Hungarian phone numbers from the provider ‘Telenor’? No problem: 36200000000..36209999999 ? 0x86db02a00..0x86e48c07f\nLook for SSNs. Thankfully, these don’t return many meaningful results: 100000000..999999999 ? 
0x5f5e100..0x3b9ac9ff\nThere are many, many more.\nIf you find anything very alarming, or if you’re curious about credit card hacking, please leave it in the comments or contact me by email at gergely@toptal.com or on Twitter at @synsecblog. Calling the police is usually futile in these cases, but it might be worth a try. The given merchant or the card provider is usually more keen to address the issue.\nWhere to Go From Here # Well, Google obviously has to fix this, possibly with the help of the big players like Visa and Mastercard. In fact, Haselton provides a number of interesting suggestions in the two articles linked above.\nWhat you need to do, however (and why I’ve written this post), is spread the word. Credit Card fraud is a big industry, and simple awareness can save you from becoming a victim. Further, if you have an e-commerce site or handle any credit card processing, please make sure that you’re secure. PCI-DSS is a good guideline, but it is far from perfect. Plus, it is always a good idea to Google your site with the “site:mysite.com” advanced query, looking for sensitive numbers. There’s a very, very slim chance that you’ll find anything—but if you do, you must act on it immediately.\nAlso, a bit of friendly advice: You should never give out your credit card information to anyone. My advice would be to use PayPal or a similar service whenever possible. 
You can check out these links for further information:\nVisa’s credit card safety tips\nCiti’s credit card safety tips\nAnd a few general tips: don’t download things you didn’t ask for, don’t open spam emails, and remember that your bank will never ask for your password.\nBy the way: If you think there’s no one stupid enough to fall for these credit card hacking techniques or give away their credit card information on the internet, have a look at @NeedADebitCard.\nStay safe, people!\nThis post was originally posted on The Toptal Engineering Blog\n","date":"23 December 2015","externalUrl":null,"permalink":"/posts/with-a-filter-bypass-and-some-hexadecimal-hacked-credit-card-numbers-are-still-still-google-able/","section":"Posts","summary":"","title":"With a Filter Bypass and Some Hexadecimal, Hacked Credit Card Numbers Are Still, Still Google-able","type":"posts"},{"content":"The Internet of Things (IoT) has been an industry buzzword for years, but sluggish development and limited commercialization have led some industry watchers to start calling it the “Internet of NoThings”.\nDouble puns aside, IoT development is in trouble. Aside from spawning geeky jokes unfit for most social occasions, the hype did not help; and, in fact, I believe it actually caused a lot more harm than good. There are a few problems with IoT, but all the positive coverage and baseless hype are one we could do without. The upside of generating more attention is clear: more investment, more VC funding, more consumer interest.\nHowever, these come with an added level of scrutiny, which has made a number of shortcomings painfully obvious. After a couple of years of bullish forecasts and big promises, IoT security seems to be the biggest concern. The first few weeks of 2015 were not kind to this emerging industry, and most of the negative press revolved around security.\nWas it justified? Was it just “fear, uncertainty and doubt” (FUD), brought about by years of hype? 
It was a bit of both; although some issues may have been overblown, the problems are very real, indeed.\nFrom “Year Of IoT” To Annus Horribilis For IoT # Many commentators described 2015 as “the year of IoT,” but so far, it has been a year of bad press. Granted, there are still ten months to go, but negative reports keep piling on. Security firm Kaspersky recently ran a damning critique of IoT security challenges, with an unflattering headline, “Internet of Crappy Things”.\nKaspersky is no stranger to IoT criticism and controversy; the firm has been sounding alarm bells for a while, backing them up with examples of hacked smart homes, carwashes and even police surveillance systems. Whether a hacker wants to wash their ride free of charge, or stalk someone using their fitness tracker – IoT security flaws could make it possible.\nWind River published a white paper on IoT security in January 2015, and the report starts off with a sobering introduction. Titled Searching For The Silver Bullet, it summarizes the problem in just three paragraphs, which I will condense into a few points:\nSecurity must be the foundational enabler for IoT. There is currently no consensus on how to implement security in IoT on the device. A prevalent, and unrealistic, expectation is that it is somehow possible to compress 25 years of security evolution into novel IoT devices. There is no silver bullet that can effectively mitigate the threats. However, there is some good news; the knowledge and experience are already here, but they have to be adapted to fit the unique constraints of IoT devices.\nUnfortunately, this is where we as system security developers stumble upon another problem, a hardware problem.\nU.S. 
Federal Trade Commission chairwoman, Edith Ramirez, addressed the Consumer Electronics Show in Las Vegas earlier this year, warning that embedding sensors into everyday devices, and letting them record what we do, could pose a massive security risk.\nRamirez outlined three key challenges for the future of IoT:\nUbiquitous data collection.\nPotential for unexpected uses of consumer data.\nHeightened security risks.\nShe urged companies to enhance privacy and build secure IoT devices by adopting a security-focused approach, reducing the amount of data collected by IoT devices, and increasing transparency and providing consumers with a choice to opt out of data collection.\nRamirez went on to say that developers of IoT devices have not spent time thinking about how to secure their devices and services from cyberattacks.\n“The small size and limited processing power of many connected devices could inhibit encryption and other robust security measures,” said Ramirez. “Moreover, some connected devices are low-cost and essentially disposable. If a vulnerability is discovered on that type of device, it may be difficult to update the software or apply a patch – or even to get news of a fix to consumers.”\nWhile Ramirez is spot on in most respects, I should note that the Internet went through a similar phase two decades ago. There were a lot of security concerns, and the nineties saw the emergence of the internet-borne malware, DDoS attacks, sophisticated phishing and more. Even though Hollywood depicted a dystopian future in some films, we have ended up with kittens on social networks and a high-profile security breach here and there.\nThe Internet is still not secure, so we can’t expect IoT to be secure, either. 
However, security is constantly evolving to meet new challenges, we’ve seen it before, and we’ll see it again, with IoT and subsequent connected technologies.\nIoT Hardware Is And Will Remain A Problem # Some of you will be thinking that the hardware issues mentioned by the FTC boss will be addressed; yes, some of them probably will.\nAs the IoT market grows, we will see more investment, and as hardware matures, we will get improved security. Chipmakers like Intel and ARM will be keen to offer better security with each new generation, since security could be a market differentiator, allowing them to grab more design wins and gain a bigger share.\nTechnology always advances, so why not? New manufacturing processes generally result in faster and more efficient processors, and sooner or later, the gap will close, thus providing developers with enough processing power to implement better security features. However, I am not so sure this is a realistic scenario.\nFirst of all IoT chips won’t be big money-makers since they are tiny and usually based on outdated architectures. For example, the first-generation Intel Edison platform is based on Quark processors, which essentially use the same CPU instruction set and much of the design of the ancient Pentium P54C. However, the next-generation Edison microcomputer is based on a much faster processor, based on Atom Silvermont cores, which is in many Windows and Android tablets, today. (Intel shipped ~46m Bay Trail SoCs in 2014.)\nOn the face of it, we could end up with relatively modern 64-bit x86 CPU cores in IoT devices, but they won’t come cheap, they will still be substantially more complex than the smallest ARM cores, and therefore will need more battery power.\nCheap and disposable wearables, which appear to be the FTC’s biggest concern, won’t be powered by such chips, at least, not anytime soon. 
Consumers may end up with more powerful processors, such as Intel Atoms or ARMv8 chips, in some smart products, like smart refrigerators or washing machines with touchscreens, but they are impractical for disposable devices with no displays and with limited battery capacity.\nSelling complete platforms, or reference designs for various IoT devices, could help chipmakers generate more revenue, while at the same time introduce more standardisation and security. The last thing the industry needs is more unstandardized devices and more fragmentation. This may sound like a logical and sound approach, since developers would end up with fewer platforms and more resources would be allocated for security, however, security breaches would also affect a bigger number of devices.\nMoney Is Pouring In, Analysts Remain Bullish, What Could Possibly Go Wrong? # One of the most common ways of tackling any problem in the tech industry is to simply throw money at it. So, let’s see where we stand right now in terms of funding rather than technology.\nAccording to research firms IDC and Gartner, IoT will grow to such an extent that it will transform the data centre industry by the end of the decade. Gartner expects the IoT market will have 26 billion installed units by 2020, creating huge opportunities for all parties, from data centres and hardware makers, to developers and designers. IDC also expects the IoT industry to end up with “billions of devices and trillions of dollars” by the end of the decade.\nGartner’s latest comprehensive IoT forecast was published in May 2014 and it also includes a list of potential challenges, some of which I’ve already covered:\nSecurity: Increased automation and digitization creates new security concerns. Enterprise: Security issues could pose safety risks. Consumer Privacy: Potential of privacy breaches. Data: Lots of data will be generated, both for big data and personal data. 
Storage Management: Industry needs to figure out what to do with the data in a cost-effective manner. Server Technologies: More investment in servers will be necessary. Data Centre Network: WAN links are optimised for human interface applications, IoT is expected to dramatically change patterns by transmitting data automatically. All these points (and more) must be addressed sooner or later, often at a substantial cost. We are no longer talking about tiny IoT chips and cheap toys based on such chips, this is infrastructure. This is a lot of silicon in server CPUs, expensive DDR4 ECC RAM and even bigger SSDs, all housed in expensive servers, in even bigger data centres.\nThat’s just the tip of the iceberg; industry must tackle bandwidth concerns, data management and privacy policies, and security. So how much money does that leave for security, which is on top of Gartner’s list of IoT challenges?\nA lot of money is already pouring into the industry, VCs are getting on board and the pace of investment appears to be picking up. There were also a number of acquisitions, often involving big players like Google, Qualcomm, Samsung, Gemalto, Intel and others. There is a list of IoT-related investments on Postscapes. The trouble with many of these investments, especially those coming from VCs, is that they tend to focus on “shiny” things, devices that can be marketed soon, with a potentially spectacular ROI. These investments don’t do much for security or infrastructure, which would basically have to trail IoT demand.\nBig players will have to do the heavy lifting, not VC-backed startups and toymakers. Agile and innovative startups will certainly play a big role by boosting adoption and creating demand, but they can’t do everything.\nSo let’s think of it this way, even a small company can build a car, or tens of thousands of cars, but it can’t build highways, roads, petrol stations and refineries. 
That same small company can build a safe vehicle using off-the-shelf technology to meet basic road safety standards, but it couldn’t build a Segway-like vehicle that would meet the same safety standards, nor could anyone else. Automotive safety standards could never apply to such vehicles; we don’t see people commuting to work on Segways, so we cannot expect the traditional tech security standard to apply to underpowered IoT devices, either.\nHaving commuters checking their email or playing Candy Crush while riding their Segways through rush hour traffic does not sound very safe, does it? So why should we expect IoT devices to be as safe as other connected devices, with vastly more powerful hardware and mature operating systems? It may be a strange analogy, but the bottom line is that IoT devices cannot be expected to conform to the same security standards as fully fledged computers.\nBut Wait, There Weren’t That Many IoT Security Debacles… # True, we don’t see a lot of headlines about spectacular IoT security breaches, but let me put it this way: how many security-related headlines did you see about Android Wear? One? Two? None? It is estimated there are fewer than a million Android Wear devices in the wild, so they’re simply not a prime target for hackers, or a subject for security researchers.\nHow many IoT devices do you own and use right now? How many does your business use? That’s where the “Internet of NoThings” joke comes from, most people don’t have any. The numbers keep going up, but the average consumer is not buying many, so where is that growth coming from? 
IoT devices are out there and the numbers are booming, driven by enterprise rather than the consumer market.\nVerizon and ABI Research estimate that there were 1.2 billion different devices connected to the internet last year, but by 2020, they expect as many as 5.4 billion B2B IoT connections.\nSmart wristbands, toasters and dog collars aren’t a huge concern from a security perspective, but Verizon’s latest IoT report focuses on something a bit more interesting: enterprise.\nThe number of Verizon’s machine-to-machine (M2M) connections in the manufacturing sector increased by 204 percent from 2013 to 2014, followed by finance and insurance, media and entertainment, healthcare, retail and transportation. The Verizon report includes a breakdown of IoT trends in various industries, so it offers insight into the business side of things.\nThe overall tone of the report is upbeat, but it also lists a number of security concerns. Verizon describes security breaches in the energy industry as “unthinkable,” describes IoT security as “paramount” in manufacturing, and let’s not even bring up potential risks in healthcare and transportation.\nHow And When Will We Get A Secure Internet of Things? # I will not try to offer a definitive answer on how IoT security challenges can be resolved, or when. The industry is still searching for answers and there is a long way to go. Recent studies indicate that the majority of currently available IoT devices have security vulnerabilities. HP found that as many as 70 percent of IoT devices are vulnerable to attack.\nWhile growth offers a lot of opportunities, IoT is still not mature, or secure. 
Adding millions of new devices, hardware endpoints, billions of lines of code, along with more infrastructure to cope with the load, creates a vast set of challenges, unmatched by anything we have experienced over the past two decades.\nThat is why I am not an optimist.\nI don’t believe the industry can apply a lot of security lessons to IoT, at least not quickly enough, not over the next couple of years. In my mind, the Internet analogy is a fallacy, simply because the internet of the nineties did not have to deal with such vastly different types of hardware. Using encryption and wasting clock cycles on security is not a problem on big x86 CPUs or ARM SoCs, but it won’t work the same way with tiny IoT devices with a fraction of the processing power and a much different power consumption envelope.\nMore elaborate processors, with a bigger die, need bigger packaging and have to dissipate more heat. They also need more power, which means bigger, heavier, more expensive batteries. To shave off weight and reduce bulk, manufacturers would have to resort to using exotic materials and production techniques. All of the above would entail more R\u0026D spending, longer time-to-market and a bigger bill of materials. With substantially higher prices and a premium build, such devices could hardly be considered disposable.\nSo what has to be done to make IoT secure? A lot. And everyone has a role to play, from tech giants to individual developers.\nLet’s take a look at a few basic points, such as what can be done, and what is being done, to improve IoT security now:\nEmphasise security from day one\nLifecycle, future-proofing, updates\nAccess control and device authentication\nKnow your enemy\nPrepare for security breaches\nA clear emphasis on security from day one is always a good thing, especially when dealing with immature technologies and underdeveloped markets. 
If you are planning to develop your own IoT infrastructure, or deploy an existing solution, do your research and stay as informed as possible. This may involve trade-offs, as you could be presented with a choice of boosting security at the cost of compromising the user experience, but it’s worth it as long as you strike the right balance. This cannot be done on the fly, you have to plan ahead, and plan well.\nIn the rush to bring new products and services to market, many companies are likely to overlook long-term support. It happens all the time, even in the big leagues, so we always end up with millions of unpatched and insecure computers and mobile devices. They are simply too old for most companies to bother with, and it is bound to be even worse with disposable IoT devices. Major phone vendors don’t update their software on 2-3 year old phones, so imagine what will happen with $20 IoT devices that might be on your network for years. Planned obsolescence may be a part of it, but the truth is that updating old devices does not make much financial sense for the manufacturer since they have better things to do with their resources. Secure IoT devices would either have to be secure by design and impervious from the start, or receive vital updates throughout their lifecycle, and I’m sure you will agree neither option sounds realistic, at least, not yet.\nImplementing secure access control and device authentication sounds like an obvious thing to bring up, but we are not dealing with your average connected device here. Creating access controls, and authentication methods, that can be implemented on cheap and compact IoT devices without compromising the user experience, or adding unnecessary hardware, is harder than it seems. As I mentioned earlier, lack of processing power is another problem, as most advanced encryption techniques simply wouldn’t work very well, if at all. 
In a previous post, I looked at one alternative, outsourcing encryption via blockchain technology; I am not referring to the Bitcoin blockchain, but similar crypto technologies that are already being studied by several industry leaders.\nSi vis pacem, para bellum – if you want peace, prepare for war. It is vital to study threats and potential attackers before tackling IoT security. The threat level is not the same for all devices and there are countless considerations to take into account; would someone rather hack your daughter’s teddy bear, or something a bit more serious? It’s necessary to reduce data risk, keep as much personal data as possible from IoT devices, properly secure necessary data transfers, and so on. However, to do all this, you first need to study the threat.\nIf all else fails, at least be prepared for potential security breaches. Sooner or later they will happen, to you or someone else (well, preferably a competitor). Always have an exit strategy, a way of securing as much data as possible and rendering compromised data useless without wrecking your IoT infrastructure. It is also necessary to educate customers, employees and everyone else involved in the process about the risks of such breaches. Instruct them in what to do in case of a breach, and what to do to avoid one.\nOf course, a good disclaimer and TOS will also help if you end up dealing with the worst-case scenario.\nThe post originally appeared on the Toptal Engineering Blog\n","date":"19 December 2015","externalUrl":null,"permalink":"/posts/are-we-creating-an-insecure-internet-of-things-iot-security-challenges-and-concerns/","section":"Posts","summary":"","title":"Are We Creating An Insecure Internet of Things (IoT)? Security Challenges and Concerns","type":"posts"},{"content":"For all too many companies, it’s not until after a breach has occurred that web security becomes a priority. 
During my years working as an IT Security professional, I have seen time and time again how obscure the world of IT Security is to so many of my fellow programmers.\nAn effective approach to IT security must, by definition, be proactive and defensive. Toward that end, this post is aimed at sparking a security mindset, hopefully injecting the reader with a healthy dose of paranoia.\nIn particular, this guide focuses on 10 common and significant web security pitfalls to be aware of, including recommendations on how they can be avoided. The focus is on the Top 10 Web Vulnerabilities identified by the Open Web Application Security Project (OWASP), an international, non-profit organization whose goal is to improve software security across the globe.\nA little web security primer before we start – authentication and authorization # When speaking with other programmers and IT professionals, I often encounter confusion regarding the distinction between authorization and authentication. And of course, the fact that the abbreviation auth is often used for both helps aggravate this common confusion. This confusion is so common that maybe this issue should be included in this post as “Common Web Vulnerability Zero”.\nSo before we proceed, let’s clarify the distinction between these two terms:\nAuthentication: Verifying that a person is (or at least appears to be) a specific user, since he/she has correctly provided their security credentials (password, answers to security questions, fingerprint scan, etc.).\nAuthorization: Confirming that a particular user has access to a specific resource or is granted permission to perform a particular action.\nStated another way, authentication is knowing who an entity is, while authorization is knowing what a given entity can do.\nCommon Mistake #1: Injection flaws # Injection flaws result from a classic failure to filter untrusted input. 
It can happen when you pass unfiltered data to the SQL server (SQL injection), to the browser (XSS – we’ll talk about this later), to the LDAP server (LDAP injection), or anywhere else. The problem here is that the attacker can inject commands to these entities, resulting in loss of data and hijacking clients’ browsers.\nAnything that your application receives from untrusted sources must be filtered, preferably according to a whitelist. You should almost never use a blacklist, as getting that right is very hard and blacklists are usually easy to bypass. Antivirus software products typically provide stellar examples of failing blacklists. Pattern matching does not work.\nPrevention: The good news is that protecting against injection is “simply” a matter of filtering your input properly and thinking about whether an input can be trusted. But the bad news is that all input needs to be properly filtered, unless it can unquestionably be trusted (but the saying “never say never” does come to mind here).\nIn a system with 1,000 inputs, for example, successfully filtering 999 of them is not sufficient, as this still leaves one field that can serve as the Achilles heel to bring down your system. And you might think that putting an SQL query result into another query is a good idea, as the database is trusted, but if the perimeter is not, the input comes indirectly from guys with malicious intent. This is called Second Order SQL Injection in case you’re interested.\nSince filtering is pretty hard to do right (like crypto), what I usually advise is to rely on your framework’s filtering functions: they are proven to work and are thoroughly scrutinized. If you do not use frameworks, you really need to think hard about whether not using them really makes sense in your environment. 
99% of the time it does not.\nCommon Mistake #2: Broken Authentication # This is a collection of multiple problems that might occur during broken authentication, but they don’t all stem from the same root cause.\nAssuming that anyone still wants to roll their own authentication code in 2014 (what are you thinking??), I advise against it. It is extremely hard to get right, and there are a myriad of possible pitfalls, just to mention a few:\nThe URL might contain the session id and leak it in the referer header to someone else.\nThe passwords might not be encrypted either in storage or transit.\nThe session ids might be predictable, thus gaining access is trivial.\nSession fixation might be possible.\nSession hijacking might be possible, timeouts not implemented right or using HTTP (no SSL), etc…\nPrevention: The most straightforward way to avoid this web security vulnerability is to use a framework. You might be able to implement this correctly, but the former is much easier. In case you do want to roll your own code, be extremely paranoid and educate yourself on what the pitfalls are. There are quite a few.\nCommon Mistake #3: Cross Site Scripting (XSS) # This is a fairly widespread input sanitization failure (essentially a special case of common mistake #1). An attacker gives your web application JavaScript tags on input. When this input is returned to the user unsanitized, the user’s browser will execute it. It can be as simple as crafting a link and persuading a user to click it, or it can be something much more sinister. On page load the script runs and, for example, can be used to post your cookies to the attacker.\nPrevention: There’s a simple web security solution: don’t return HTML tags to the client. This has the added benefit of defending against HTML injection, a similar attack whereby the attacker injects plain HTML content (such as images or loud invisible flash players) – not high-impact but surely annoying (“please make it stop!”). 
Usually, the workaround is simply converting all HTML entities, so that \u0026lt;script\u0026gt; is returned as \u0026amp;lt;script\u0026amp;gt;. The other often employed method of sanitization is using regular expressions on \u0026lt; and \u0026gt; to strip away HTML tags, but this is dangerous as a lot of browsers will interpret severely broken HTML just fine. Better to convert all characters to their escaped counterparts.\nCommon Mistake #4: Insecure Direct Object References # This is a classic case of trusting user input and paying the price in a resulting security vulnerability. A direct object reference means that an internal object such as a file or database key is exposed to the user. The problem with this is that the attacker can provide this reference and, if authorization is either not enforced (or is broken), the attacker can access or do things that they should be precluded from.\nFor example, the code has a download.php module that reads and lets the user download files, using a CGI parameter to specify the file name (e.g., download.php?file=something.txt). Either by mistake or due to laziness, the developer omitted authorization from the code. The attacker can now use this to download any system files that the user running PHP has access to, like the application code itself or other data left lying around on the server, like backups. Uh-oh.\nAnother common vulnerability example is a password reset function that relies on user input to determine whose password we’re resetting. After clicking the valid URL, an attacker can just modify the username field in the URL to say something like “admin”.\nIncidentally, both of these examples are things I myself have seen appearing often “in the wild”.\nPrevention: Perform user authorization properly and consistently, and whitelist the choices. 
More often than not though, the whole problem can be avoided by storing data internally and not relying on it being passed from the client via CGI parameters. Session variables in most frameworks are well suited for this purpose.\nCommon Mistake #5: Security misconfiguration # In my experience, web servers and applications that have been misconfigured are way more common than those that have been configured properly. Perhaps this is because there is no shortage of ways to screw up. Some examples:\nRunning the application with debug enabled in production.\nHaving directory listing enabled on the server, which leaks valuable information.\nRunning outdated software (think WordPress plugins, old PhpMyAdmin).\nHaving unnecessary services running on the machine.\nNot changing default keys and passwords. (Happens way more frequently than you’d believe!)\nRevealing error handling information to the attackers, such as stack traces.\nPrevention: Have a good (preferably automated) “build and deploy” process, which can run tests on deploy. The poor man’s security misconfiguration solution is post-commit hooks, to prevent the code from going out with default passwords and/or development stuff built in.\nCommon Mistake #6: Sensitive data exposure # This web security vulnerability is about crypto and resource protection. Sensitive data should be encrypted at all times, including in transit and at rest. No exceptions. Credit card information and user passwords should never travel or be stored unencrypted, and passwords should always be hashed. Obviously the crypto/hashing algorithm must not be a weak one – when in doubt, use AES (256 bits and up) and RSA (2048 bits and up).\nAnd while it goes without saying that session IDs and sensitive data should not be traveling in the URLs and sensitive cookies should have the secure flag on, this is very important and cannot be over-emphasized.\nPrevention:\nIn transit: Use HTTPS with a proper certificate and PFS (Perfect Forward Secrecy). 
Do not accept anything over non-HTTPS connections. Have the secure flag on cookies. In storage: This is harder. First and foremost, you need to lower your exposure. If you don’t need sensitive data, shred it. Data you don’t have can’t be stolen. Do not store credit card information ever, as you probably don’t want to have to deal with being PCI compliant. Sign up with a payment processor such as Stripe or Braintree. Second, if you have sensitive data that you actually do need, store it encrypted and make sure all passwords are hashed. For hashing, use of bcrypt is recommended. If you don’t use bcrypt, educate yourself on salting and rainbow tables. And at the risk of stating the obvious, do not store the encryption keys next to the protected data. That’s like storing your bike with a lock that has the key in it. Protect your backups with encryption and keep your keys very private. And of course, don’t lose the keys!\nCommon Mistake #7: Missing function level access control # This is simply an authorization failure. It means that when a function is called on the server, proper authorization was not performed. A lot of times, developers rely on the fact that the server side generated the UI and they think that the functionality that is not supplied by the server cannot be accessed by the client. It is not as simple as that, as an attacker can always forge requests to the “hidden” functionality and will not be deterred by the fact that the UI doesn’t make this functionality easily accessible. Imagine there’s an /adminpanel, and the button is only present in the UI if the user is actually an admin. Nothing keeps an attacker from discovering this functionality and misusing it if authorization is missing.\nPrevention: On the server side, authorization must always be done. Yes, always. 
No exceptions, or vulnerabilities will result in serious problems.\nCommon Mistake #8: Cross Site Request Forgery (CSRF) # This is a nice example of a confused deputy attack whereby the browser is fooled by some other party into misusing its authority. A 3rd party site, for example, can make the user’s browser misuse its authority to do something for the attacker.\nIn the case of CSRF, a 3rd party site issues requests to the target site (e.g., your bank) using your browser with your cookies / session. If you are logged in on one tab on your bank’s homepage, for example, and they are vulnerable to this attack, another tab can make your browser misuse its credentials on the attacker’s behalf, resulting in the confused deputy problem. The deputy is the browser that misuses its authority (session cookies) to do something the attacker instructs it to do.\nConsider this example:\nAttacker Alice wants to lighten target Todd’s wallet by transferring some of his money to her. Todd’s bank is vulnerable to CSRF. To send money, Todd has to access the following URL:\nhttp://example.com/app/transferFunds?amount=1500\u0026destinationAccount=4673243243\nAfter this URL is opened, a success page is presented to Todd, and the transfer is done. 
Alice also knows that Todd frequently visits a site under her control at blog.aliceisawesome.com, where she places the following snippet:\n\u0026lt;img src=\u0026quot;http://example.com/app/transferFunds?amount=1500\u0026amp;destinationAccount=4673243243\u0026quot; width=\u0026quot;0\u0026quot; height=\u0026quot;0\u0026quot; /\u0026gt;\nUpon visiting Alice’s website, Todd’s browser thinks that Alice links to an image, and automatically issues an HTTP GET request to fetch the “picture”, but this actually instructs Todd’s bank to transfer $1500 to Alice.\nIncidentally, in addition to demonstrating the CSRF vulnerability, this example also demonstrates altering the server state with an idempotent HTTP GET request which is itself a serious vulnerability. HTTP GET requests must be idempotent (safe), meaning that they cannot alter the resource which is accessed. Never, ever, ever use idempotent methods to change the server state.\nFun fact: CSRF is also the method people used for cookie-stuffing in the past until affiliates got wiser.\nPrevention: Store a secret token in a hidden form field which is inaccessible from the 3rd party site. You of course always have to verify this hidden field. Some sites ask for your password as well when modifying sensitive settings (like your password reminder email, for example), although I’d suspect this is there to prevent the misuse of your abandoned sessions (in an internet cafe for example).\nCommon Mistake #9: Using components with known vulnerabilities # The title says it all. I’d again classify this as more of a maintenance/deployment issue. Before incorporating new code, do some research, possibly some auditing. 
Using code that you got from a random person on GitHub or some forum might be very convenient, but is not without risk of serious web security vulnerability.\nI have seen many instances, for example, where sites got owned (i.e., where an outsider gains administrative access to a system), not because the programmers were stupid, but because a 3rd party software remained unpatched for years in production. This is happening all the time with WordPress plugins for example. If you think they will not find your hidden phpmyadmin installation, let me introduce you to dirbuster.\nThe lesson here is that software development does not end when the application is deployed. There has to be documentation, tests, and plans on how to maintain and keep it updated, especially if it contains 3rd party or open source components.\nPrevention:\nExercise caution. Beyond obviously using caution when using such components, do not be a copy-paste coder. Carefully inspect the piece of code you are about to put into your software, as it might be broken beyond repair (or in some cases, intentionally malicious). Stay up-to-date. Make sure you are using the latest versions of everything that you trust, and have a plan to update them regularly. At least subscribe to a newsletter of new security vulnerabilities regarding the product. Common Mistake #10: Unvalidated redirects and forwards # This is once again an input filtering issue. Suppose that the target site has a redirect.php module that takes a URL as a GET parameter. Manipulating the parameter can create a URL on targetsite.com that redirects the browser to malwareinstall.com. When the user sees the link, they will see targetsite.com/blahblahblah, which the user thinks is trusted and is safe to click. Little do they know that this will actually transfer them onto a malware drop (or any other malicious) page. 
Alternatively, the attacker might redirect the browser to targetsite.com/deleteprofile?confirm=1.\nIt is worth mentioning that stuffing unsanitized user-defined input into an HTTP header might lead to header injection which is pretty bad.\nPrevention: Options include:\nDon’t do redirects at all (they are seldom necessary). Have a static list of valid locations to redirect to. Whitelist the user-defined parameter, but this can be tricky. Epilogue # I hope that I have managed to tickle your brain a little bit with this post and to introduce a healthy dose of paranoia and web security vulnerability awareness.\nThe core takeaway here is that age-old software practices exist for a reason and what applied back in the day for buffer overflows still applies for pickled strings in Python today. Security helps you write correct(er) programs, which all programmers should aspire to.\nPlease use this knowledge responsibly, and don’t test pages without permission!\nFor more information and more specific attacks, have a look at: https://www.owasp.org/index.php/Category:Attack.\nFeedback on this post is welcome and appreciated. Future related posts are planned, particularly on the issue of distributed denial-of-service (DDoS) and old-school (not web) IT security vulnerabilities. If you have a specific request on what to write about, please feel free to contact me directly at gergely@toptal.com.\nCheers.\nThis post originally appeared on the Toptal Engineering Blog\n","date":"12 December 2015","externalUrl":null,"permalink":"/posts/10-most-common-web-security-vulnerabilities/","section":"Posts","summary":"","title":"10 Most Common Web Security Vulnerabilities","type":"posts"},{"content":"","date":"12 December 2015","externalUrl":null,"permalink":"/tags/database-security/","section":"Tags","summary":"","title":"Database-Security","type":"tags"},{"content":"Cloud computing is a service that is increasing rapidly in popularity, and companies are expanding to match that demand. 
Forbes reports that 42 percent of major IT decision makers are planning to increase spending on cloud computing. That spending is expected to reach $32 billion for the year 2015.\nYet while the services are popular, there have been some major breaches in the last few years. While some of them haven’t directly affected you and others only really affected celebrities, it makes one ask questions. Are cloud services really safe? Are they something you can trust your most sensitive data with?\n“Cloud computing” by Dynamicwork under CC BY-SA 3.0\nThis is a basic graphic of what cloud computing is all about, but as you can see there are quite a few things that go in and out of the cloud. Do you want your data to be included?\nPros and Cons of the Situation Today\nThe first realization you have to make is that your data is going to be out of your control in a fundamental way. You can make sure there isn’t a leak on your end, but if someone hacks the servers, it is out of your hands. It also isn’t encouraging that cloud service providers have profit in mind as their top priority. This means that they might trim the budget or try to cut corners when it comes to security. They often look to prepare for the next threat, not three threats ahead, as they should.\nBack to a simple question: can you trust them? Take a look at the following pros and cons and decide whether it is right for you.\nPros\nMost hackers attacking cloud systems are only interested in going after major industries and data centers with valuable information. They are unlikely to want your individual information or want to comb through all of your documents to find it. While it is easier to attack an endpoint, such as a user, the price an average hacker could get for your information is simply not worth the time expenditure that the hacker would put in. 
While governments certainly have not stopped their surveillance in the past year or two, the recent disclosure of the extensive surveillance programs, such as PRISM, conducted by certain countries has forced them to taper off their ambitions. This means that you are less likely to be spied upon during your use of cloud services. Even if it is just to maintain a good reputation, all of the major players in cloud computing and storage will agree that security is an important issue. This means that they will be competing with each other for the title of “most secure.” Cons\nIn 2014, Dropbox changed its terms of use to stop class action lawsuits, and then gave everyone 30 days to opt out of arbitration. Note that this Dropbox document is currently (as of August 2015) about 2,000 words, but still very few people read it. Nearly every major service has had one problem or another during its lifetime. This is only counting the ones we know about. How to Make Your Decision\nNow knowing all that you do, take the following steps to determine whether you should use cloud services or an alternative option.\nDetermine your needs. Do you have a lot of items or documents to store, or are you working from home and have vital business interests to protect? If you have some sensitive data, it might be best stored on a flash drive where it is under your control. Determine the service you might use. Try to research more about that company. Read any agreements beforehand and then sleep on it for a day or two. Compare services in terms of both security record and storage space. Consider the costs. If you want to store a great deal of data that you don’t plan on using too often, then you might be better off getting a form of physical storage instead of paying for a cloud service. Are you going to be sharing files or data with people? If so, then cloud solutions are probably best for you. 
Some services such as Dropbox are optimized for sharing, but you do need to be careful about who you share your folders with. Experts across the board say that human error is the number one cause of data leaks. Additional Considerations\nIn addition to the above factors and tips for deciding whether the security measures put in place by cloud services are enough, there are a few other things that you should know about as well.\nCloud security on your end is highly dependent on the general security of your online accounts and your computer. If you have a quality password, such as “Tr!yzxp176,” and have an up to date computer with the best anti-malware you can get, then you will have a significantly lower chance of experiencing a breach. Take this into account when making your decision (or follow these tips anyway, as they are universally helpful). If you are going to be using cloud services, then you should acquire the services of a Virtual Private Network for your computer. This service will connect your computer to an offsite secure server using an encrypted connection. This will protect you from surveillance and data interception on unprotected public networks. As an example of how this works, imagine that you are using cloud services in a café. Normally a hacker could open their laptop a half a dozen tables away, start up a small device, and intercept either the files being transferred or the username and password data for the account you are using. With a VPN your data will safely travel through an encrypted “tunnel” that is created around your connection, allowing no one access over the network. Cloud computing is said to be secure, but remember that there is always a way to break in, even if it hasn’t been invented yet.\nConclusion\nHave you come to a decision yet? I hope that you have, and while these tips can help you and give you all the facts that you need to make a decision, only you can make the final call about whether to use cloud services or not. 
Thank you for reading, and regardless of your decision may you never have to deal with a leak of your personal information.\nAbout the Author: Cassie Phillips is an internet security specialist who likes to take a particular focus on the individual and how internet security can affect their day to day life. She loves to blog and is glad that she can share this important information about cloud computing with you.\n","date":"19 October 2015","externalUrl":null,"permalink":"/posts/cloud-security-is-it-safe-enough-for-you/","section":"Posts","summary":"","title":"Cloud Security: Is it Safe Enough for You?","type":"posts"},{"content":"WebRTC technology is rather new (spearheaded by Google in 2012 through the World Wide Web Consortium). It is a free project that provides browsers with Real-Time Communications. The technology is now widely used in live help customer support solutions, webinar platforms, chat rooms for dating, etc. But there are too few solutions for enhanced safety. That is odd, since this technology offers great opportunities in this field.\nWebRTC opens great opportunities in secure communications online\nWebRTC uses the Peer to Peer method to create a communication channel between subscribers. At the same time, there is no data transfer to any server. It is a great advantage. This ensures the confidentiality of transmitted information.\nThe majority of modern communication services work through a central server. This means that all history is stored on the server and third parties can get access to it.\nUsing WebRTC technology, security provider Privatoria.net developed a solution for confidential communication online in 2013. The main difference is the absence of data transfer to the server. 
Only the subscribers’ web browsers are used.\nThe chat service provides users with an opportunity to exchange messages by establishing a direct connection between their browsers, using the Peer to Peer method to communicate online.\nTo create a communication channel between subscribers it is enough to get a one-time key, and pass it to the called subscriber by any means of communication available. When the communication session is over, the history is deleted and the browser is closed, all correspondence between the subscribers disappears from the system.\nIn such case, no one can gain access to the content of communications.\nA user will benefit from:\nSecure text messaging Secure Voice Call Secure Video Call Secure Data Transfer As not all browsers support WebRTC, the Secure Chat solution works only in Google Chrome, Opera and Mozilla. Developers are now working on a beta application for Android, which will be available in Google Play Market in the nearest month.\nTherefore, it is a good chance for all of us today to communicate securely online.\n","date":"9 July 2015","externalUrl":null,"permalink":"/posts/the-role-of-webrtc-technology-in-online-security/","section":"Posts","summary":"","title":"The Role of WebRTC Technology In Online Security","type":"posts"},{"content":"","date":"9 July 2015","externalUrl":null,"permalink":"/tags/web-security/","section":"Tags","summary":"","title":"Web-Security","type":"tags"},{"content":"","date":"9 July 2015","externalUrl":null,"permalink":"/tags/webrtc/","section":"Tags","summary":"","title":"Webrtc","type":"tags"},{"content":"This document explains the process of installation, configuration and hardening of Tomcat 8.x server, based on RedHat 6.5 default installation (IPTables and SELinux enabled by default), including support for TLS v1.2 and protection from BEAST attack and CRIME attack. 
Some of the features explained in this document are supported by only some of the Internet browsers:\nTLS 1.2 – Minimum browser support: IE 8.0 on Windows 7/8 (Need to be enabled by default), Firefox 24.0 (Need to be enabled by default), Chrome 30, Opera 17, Safari 5.0 Installation phase 1. Login to the server using Root account. 2. Create a new account: groupadd tomcat useradd -g tomcat -d /home/tomcat -s /bin/sh tomcat 3. Download the latest JDK8 for Linux from: http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html 4. Upgrade to the latest build of Oracle JDK: rpm -Uvh /tmp/jdk-8u45-linux-x64.rpm 5. Delete the JDK8 source files: rm -rf /tmp/jdk-8u45-linux-x64.rpm rm -rf /usr/java/jdk1.8.0_45/src.zip 6. Download the latest Tomcat 8 source files: cd /opt wget http://apache.spd.co.il/tomcat/tomcat-8/v8.0.21/bin/apache-tomcat-8.0.21.tar.gz 7. Extract Tomcat source files: tar zxf /opt/apache-tomcat-8.0.21.tar.gz -C /opt 8. Rename the Tomcat folder: mv /opt/apache-tomcat-8.0.21 /opt/tomcat 9. Remove default content: rm -rf /opt/apache-tomcat-8.0.21.tar.gz rm -rf /opt/tomcat/webapps/docs rm -rf /opt/tomcat/webapps/examples rm -rf /opt/tomcat/webapps/ROOT/RELEASE-NOTES.txt rm -rf /opt/tomcat/webapps/host-manager rm -rf /opt/tomcat/webapps/manager rm -rf /opt/tomcat/work/Catalina/localhost/docs rm -rf /opt/tomcat/work/Catalina/localhost/examples rm -rf /opt/tomcat/work/Catalina/localhost/host-manager rm -rf /opt/tomcat/work/Catalina/localhost/manager 10. 
Change folder ownership and permissions: chown -R tomcat.tomcat /opt/tomcat chmod g-w,o-rwx /opt/tomcat chmod g-w,o-rwx /opt/tomcat/conf chmod o-rwx /opt/tomcat/logs chmod o-rwx /opt/tomcat/temp chmod g-w,o-rwx /opt/tomcat/bin chmod g-w,o-rwx /opt/tomcat/webapps chmod 770 /opt/tomcat/conf/catalina.policy chmod g-w,o-rwx /opt/tomcat/conf/catalina.properties chmod g-w,o-rwx /opt/tomcat/conf/context.xml chmod g-w,o-rwx /opt/tomcat/conf/logging.properties chmod g-w,o-rwx /opt/tomcat/conf/server.xml chmod g-w,o-rwx /opt/tomcat/conf/tomcat-users.xml chmod g-w,o-rwx /opt/tomcat/conf/web.xml 11. Move to the folder /opt/tomcat/lib cd /opt/tomcat/lib 12. Extract the file catalina.jar jar xf catalina.jar org/apache/catalina/util/ServerInfo.properties 13. Edit using VI, the file /opt/tomcat/lib/org/apache/catalina/util/ServerInfo.properties Replace the string below from: server.info=Apache Tomcat/8.0.21 To: server.info=Secure Web server Replace the string below from: server.number=8.0.21.0 To: server.number=1.0.0.0 Replace the string below from: server.built=Mar 23 2015 14:11:21 UTC To: server.built=Jan 01 2000 00:00:00 UTC 14. Move to the folder /opt/tomcat/lib cd /opt/tomcat/lib 15. Repackage the file catalina.jar jar uf catalina.jar org/apache/catalina/util/ServerInfo.properties 16. Remove the folder below: rm -rf /opt/tomcat/lib/org 17. 
Edit using VI, the file /opt/tomcat/conf/server.xml and make the following changes: Replace the: \u0026lt;Connector port=\u0026quot;8080\u0026quot; protocol=\u0026quot;HTTP/1.1\u0026quot; connectionTimeout=\u0026quot;20000\u0026quot; redirectPort=\u0026quot;8443\u0026quot; /\u0026gt; To: \u0026lt;Connector port=\u0026quot;8080\u0026quot; protocol=\u0026quot;HTTP/1.1\u0026quot; connectionTimeout=\u0026quot;20000\u0026quot; xpoweredBy=\u0026quot;false\u0026quot; allowTrace=\u0026quot;false\u0026quot; redirectPort=\u0026quot;8443\u0026quot; /\u0026gt; Replace the: \u0026lt;Server port=\u0026quot;8005\u0026quot; shutdown=\u0026quot;SHUTDOWN\u0026quot;\u0026gt; To: \u0026lt;Server port=\u0026quot;-1\u0026quot; shutdown=\u0026quot;SHUTDOWN\u0026quot;\u0026gt; Replace the: autoDeploy=\u0026quot;true\u0026quot; To: autoDeploy=\u0026quot;false\u0026quot; 18. Create using VI, the file error.jsp inside the application directory (example: /opt/tomcat/webapps/ROOT/error.jsp) with the following content: \u0026lt;html\u0026gt; \u0026lt;head\u0026gt; \u0026lt;title\u0026gt;404-Page Not Found\u0026lt;/title\u0026gt; \u0026lt;/head\u0026gt; \u0026lt;body\u0026gt; The requested URL was not found on this server. \u0026lt;/body\u0026gt; \u0026lt;/html\u0026gt; 19. 
Edit using VI, the file /opt/tomcat/conf/web.xml and add the following sections, before the end of the \u0026ldquo;web-app\u0026rdquo; tag: \u0026lt;error-page\u0026gt; \u0026lt;error-code\u0026gt;400\u0026lt;/error-code\u0026gt; \u0026lt;location\u0026gt;/error.jsp\u0026lt;/location\u0026gt; \u0026lt;/error-page\u0026gt; \u0026lt;error-page\u0026gt; \u0026lt;error-code\u0026gt;401\u0026lt;/error-code\u0026gt; \u0026lt;location\u0026gt;/error.jsp\u0026lt;/location\u0026gt; \u0026lt;/error-page\u0026gt; \u0026lt;error-page\u0026gt; \u0026lt;error-code\u0026gt;403\u0026lt;/error-code\u0026gt; \u0026lt;location\u0026gt;/error.jsp\u0026lt;/location\u0026gt; \u0026lt;/error-page\u0026gt; \u0026lt;error-page\u0026gt; \u0026lt;error-code\u0026gt;404\u0026lt;/error-code\u0026gt; \u0026lt;location\u0026gt;/error.jsp\u0026lt;/location\u0026gt; \u0026lt;/error-page\u0026gt; \u0026lt;error-page\u0026gt; \u0026lt;error-code\u0026gt;405\u0026lt;/error-code\u0026gt; \u0026lt;location\u0026gt;/error.jsp\u0026lt;/location\u0026gt; \u0026lt;/error-page\u0026gt; \u0026lt;error-page\u0026gt; \u0026lt;error-code\u0026gt;410\u0026lt;/error-code\u0026gt; \u0026lt;location\u0026gt;/error.jsp\u0026lt;/location\u0026gt; \u0026lt;/error-page\u0026gt; \u0026lt;error-page\u0026gt; \u0026lt;error-code\u0026gt;411\u0026lt;/error-code\u0026gt; \u0026lt;location\u0026gt;/error.jsp\u0026lt;/location\u0026gt; \u0026lt;/error-page\u0026gt; \u0026lt;error-page\u0026gt; \u0026lt;error-code\u0026gt;412\u0026lt;/error-code\u0026gt; \u0026lt;location\u0026gt;/error.jsp\u0026lt;/location\u0026gt; \u0026lt;/error-page\u0026gt; \u0026lt;error-page\u0026gt; \u0026lt;error-code\u0026gt;413\u0026lt;/error-code\u0026gt; \u0026lt;location\u0026gt;/error.jsp\u0026lt;/location\u0026gt; \u0026lt;/error-page\u0026gt; \u0026lt;error-page\u0026gt; \u0026lt;error-code\u0026gt;408\u0026lt;/error-code\u0026gt; \u0026lt;location\u0026gt;/error.jsp\u0026lt;/location\u0026gt; 
\u0026lt;/error-page\u0026gt; 
\u0026lt;error-page\u0026gt; \u0026lt;error-code\u0026gt;500\u0026lt;/error-code\u0026gt; \u0026lt;location\u0026gt;/error.jsp\u0026lt;/location\u0026gt; \u0026lt;/error-page\u0026gt; \u0026lt;!-- Define a Security Constraint on this Application --\u0026gt; \u0026lt;security-constraint\u0026gt; \u0026lt;web-resource-collection\u0026gt; \u0026lt;web-resource-name\u0026gt;HTMLManger and Manager command\u0026lt;/web-resource-name\u0026gt; \u0026lt;url-pattern\u0026gt;/jmxproxy/*\u0026lt;/url-pattern\u0026gt; \u0026lt;url-pattern\u0026gt;/html/*\u0026lt;/url-pattern\u0026gt; \u0026lt;url-pattern\u0026gt;/list\u0026lt;/url-pattern\u0026gt; \u0026lt;url-pattern\u0026gt;/sessions\u0026lt;/url-pattern\u0026gt; \u0026lt;url-pattern\u0026gt;/start\u0026lt;/url-pattern\u0026gt; \u0026lt;url-pattern\u0026gt;/stop\u0026lt;/url-pattern\u0026gt; \u0026lt;url-pattern\u0026gt;/install\u0026lt;/url-pattern\u0026gt; \u0026lt;url-pattern\u0026gt;/remove\u0026lt;/url-pattern\u0026gt; \u0026lt;url-pattern\u0026gt;/deploy\u0026lt;/url-pattern\u0026gt; \u0026lt;url-pattern\u0026gt;/undeploy\u0026lt;/url-pattern\u0026gt; \u0026lt;url-pattern\u0026gt;/reload\u0026lt;/url-pattern\u0026gt; \u0026lt;url-pattern\u0026gt;/save\u0026lt;/url-pattern\u0026gt; \u0026lt;url-pattern\u0026gt;/serverinfo\u0026lt;/url-pattern\u0026gt; \u0026lt;url-pattern\u0026gt;/status/*\u0026lt;/url-pattern\u0026gt; \u0026lt;url-pattern\u0026gt;/roles\u0026lt;/url-pattern\u0026gt; \u0026lt;url-pattern\u0026gt;/resources\u0026lt;/url-pattern\u0026gt; \u0026lt;/web-resource-collection\u0026gt; \u0026lt;auth-constraint\u0026gt; \u0026lt;role-name\u0026gt;manager\u0026lt;/role-name\u0026gt; \u0026lt;/auth-constraint\u0026gt; \u0026lt;/security-constraint\u0026gt; 20. 
Create using VI, the file /etc/init.d/tomcat, with the following content: #!/bin/bash # description: Tomcat Start Stop Restart # processname: tomcat # chkconfig: 234 20 80 JAVA_HOME=/usr/java/jdk1.8.0_45 export JAVA_HOME PATH=$JAVA_HOME/bin:$PATH export PATH CATALINA_HOME=/opt/tomcat/bin case $1 in start) /bin/su tomcat $CATALINA_HOME/startup.sh ;; stop) /bin/su tomcat $CATALINA_HOME/shutdown.sh ;; restart) /bin/su tomcat $CATALINA_HOME/shutdown.sh /bin/su tomcat $CATALINA_HOME/startup.sh ;; esac exit 0 Note: Update the \u0026ldquo;JAVA_HOME\u0026rdquo; path according to the installed JDK build. 21. Change the permission on the tomcat script: chmod 755 /etc/init.d/tomcat 22. To start Tomcat service at server start-up, run the command: chkconfig tomcat on 23. To manually start the Tomcat service, use the command: service tomcat start 24. Configure IPTables: service iptables stop iptables -P INPUT DROP iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 25. Allow SSH access from Internal segment (i.e. 10.0.0.0/8) iptables -A INPUT -m state --state NEW -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT Note: Replace 10.0.0.0/8 with the internal segment and subnet mask. 26. Allow HTTP (Port 8080TCP) access from the Internet on the public interface (i.e. eth0) iptables -A INPUT -m state --state NEW -p tcp --dport 8080 -i eth0 -j ACCEPT Note: Replace eth0 with the public interface name. 27. Save the IPTables settings: service iptables save\nSSL Configuration Phase 1. Login to the server using Root account. 2. Create folder for the SSL certificate files: mkdir -p /opt/tomcat/ssl chown -R tomcat:tomcat /opt/tomcat/ssl chmod -R 755 /opt/tomcat/ssl 3. 
Run the command below to generate a key store: /usr/java/jdk1.8.0_45/bin/keytool -genkey -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -keystore /opt/tomcat/ssl/server.key -storepass ComplexPassword -validity 1095 -alias \u0026quot;FQDN_Name\u0026quot; Note 1: The command above should be written as one line. Note 2: Replace ComplexPassword with your own complex password. Note 3: Replace \u0026ldquo;FQDN_Name\u0026rdquo; with the server DNS name. 4. Run the command below to generate a CSR (certificate request): /usr/java/jdk1.8.0_45/bin/keytool -certreq -keyalg \u0026quot;RSA\u0026quot; -file /tmp/tomcat.csr -keystore /opt/tomcat/ssl/server.key -storepass ComplexPassword -alias \u0026quot;FQDN_Name\u0026quot; Note 1: The command above should be written as one line. Note 2: Replace ComplexPassword with your own complex password. Note 3: Replace \u0026ldquo;FQDN_Name\u0026rdquo; with the server DNS name. 5. Send the file /tmp/tomcat.csr to a Certificate Authority server. 6. As soon as you receive the signed public key from the Certificate Authority server (usually via email), copy all lines starting with \u0026ldquo;Begin\u0026rdquo; and ending with \u0026ldquo;End\u0026rdquo; (include those two lines), into notepad, and save the file as \u0026ldquo;server.crt\u0026rdquo; 7. Copy the file \u0026ldquo;server.crt\u0026rdquo; using SCP into /opt/tomcat/ssl 8. Follow the link on the email from the CA server, to create the Root CA chain, and save it as \u0026ldquo;ca-bundle.crt\u0026rdquo; (Note: The file must be PEM (base64) encoded). 9. Copy the file \u0026ldquo;ca-bundle.crt\u0026rdquo; using SCP into /opt/tomcat/ssl 10. 
Run the command below to import the trusted root CA public certificate: /usr/java/jdk1.8.0_45/bin/keytool -import -alias \u0026quot;FQDN_Name\u0026quot; -keystore /opt/tomcat/ssl/server.key -storepass ComplexPassword -trustcacerts -file /opt/tomcat/ssl/ca-bundle.crt Note 1: The command above should be written as one line. 
Note 2: Replace ComplexPassword with your own complex password. Note 3: Replace \u0026ldquo;FQDN_Name\u0026rdquo; with the server DNS name. 11. Run the command below to import the signed public key into the key store: /usr/java/jdk1.8.0_45/bin/keytool -import -keystore /opt/tomcat/ssl/server.key -storepass ComplexPassword -trustcacerts -file /opt/tomcat/ssl/server.crt Note 1: The command above should be written as one line. Note 2: Replace ComplexPassword with your own complex password. 12. Stop the Tomcat service: service tomcat stop 13. Edit using VI, the file /opt/tomcat/conf/server.xml and add the section below: \u0026lt;Connector port=\u0026quot;8443\u0026quot; protocol=\u0026quot;HTTP/1.1\u0026quot; maxThreads=\u0026quot;150\u0026quot; xpoweredBy=\u0026quot;false\u0026quot; allowTrace=\u0026quot;false\u0026quot; SSLEnabled=\u0026quot;true\u0026quot; scheme=\u0026quot;https\u0026quot; secure=\u0026quot;true\u0026quot; keystoreFile=\u0026quot;/opt/tomcat/ssl/server.key\u0026quot; keystorePass=\u0026quot;ComplexPassword\u0026quot; keyAlias=\u0026quot;FQDN_Name\u0026quot; clientAuth=\u0026quot;false\u0026quot; 
ciphers=\u0026quot;TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA\u0026quot; sslEnabledProtocols=\u0026quot;TLSv1,TLSv1.1,TLSv1.2\u0026quot; /\u0026gt; Note 1: Replace ComplexPassword with your own complex password. Note 2: Replace \u0026ldquo;FQDN_Name\u0026rdquo; with the server DNS name. 14. Edit using VI, the file /opt/tomcat/conf/web.xml and add the following sections, before the end of the \u0026ldquo;web-app\u0026rdquo; tag: \u0026lt;user-data-constraint\u0026gt; \u0026lt;description\u0026gt; Constrain the user data transport for the whole application \u0026lt;/description\u0026gt; \u0026lt;transport-guarantee\u0026gt;CONFIDENTIAL\u0026lt;/transport-guarantee\u0026gt; \u0026lt;/user-data-constraint\u0026gt; 15. Edit using VI, the file /opt/tomcat/conf/context.xml and add the following parameter inside the context tag: useHttpOnly=\u0026quot;true\u0026quot; 16. Allow HTTP (Port 8080TCP) access from the Internet on the public interface (i.e. 
eth0) iptables -A INPUT -m state --state NEW -p tcp --dport 8443 -i eth0 -j ACCEPTNote: Replace eth0 with the public interface name. 17. Save the IPTables settings: service iptables save 18. To manually start the Tomcat service, use the command: service tomcat start\n","date":"7 May 2015","externalUrl":null,"permalink":"/posts/hardening-guide-for-tomcat-8-on-redhat-6-5-64bit-edition/","section":"Posts","summary":"","title":"Hardening guide for Tomcat 8 on RedHat 6.5 (64bit edition)","type":"posts"},{"content":"","date":"7 May 2015","externalUrl":null,"permalink":"/categories/redhat/","section":"Categories","summary":"","title":"Redhat","type":"categories"},{"content":"","date":"7 May 2015","externalUrl":null,"permalink":"/categories/tomcat/","section":"Categories","summary":"","title":"Tomcat","type":"categories"},{"content":"","date":"2 April 2015","externalUrl":null,"permalink":"/categories/php/","section":"Categories","summary":"","title":"Php","type":"categories"},{"content":"","date":"2 April 2015","externalUrl":null,"permalink":"/tags/secure-development/","section":"Tags","summary":"","title":"Secure-Development","type":"tags"},{"content":"The internet has contributed a great deal to commerce around the world in the last decade, and of course with a whole new generation of people breaking into the online world we’re starting to see just what computers are capable of accomplishing. Particularly when there is malicious intent on the other side of that keyboard.\nHackers and crackers are one of the biggest threats the world has ever experienced; they can take your money, your products or even destroy your business from the inside out – and you’ll never see them do it, they might not leave a trace at all. 
That is the terrifying truth about the internet; in most cases those with the skills to take what they want have the skills to hide themselves from detection – so what can you do to stop them?\nThe easiest way of protecting your website is to ensure that your business has a securely developed website. Secure web development is a complex area, and most likely something that you will need the help of a professional in order to fully implement, but it is worth noting that there are three different levels of security to take into consideration for your website and thus three different levels that need to be securely developed in order to ensure the protection of your business.\nConsider these levels almost like doors. If your website was a business property you would have three ways in to the top secret bits; a front door, a side door and a back door.\nThe front door is the user interface; the bit of the website that you yourself work with. Now; the web developer might have made you a big magnificent door, lovely and secure – the sort of user interface that lets you manage your stock, orders, customers and all of the individual aspects of your business effortlessly without giving anything up. However; if your passwords aren’t secure it’s the equivalent of putting a rubbish, rusty old lock on that lovely secure door – completely pointless and insecure. Easy access. This is the first place a hacker is going to look – why would they waste their time hunting down and trying to exploit tiny weaknesses in the back door if they could open the front door with one little shove?\nChange your passwords regularly, select passwords that use upper case, lower case, numbers and punctuation. Do not use the same password for everything.\nThe side door is the programming. The code used to construct your website puts everything in place and says who can do what and when; everything is controlled with the code, so an opening here can cause big problems if a hacker finds it. 
There are a number of different potential security risks when it comes to the code; there are bugs, which are just general, little faults with the website that occur when something didn’t go quite as planned or something was missed in the development stage. They always happen and there isn’t a single piece of software that doesn’t have bugs; the secure ones are just those that resolve the bugs as soon as they’re found, which stops them from being exploited.\nAnother risk to that side door is an injection; sort of like a fake key. This is something some of the smarter hackers can accomplish by injecting their own instructions into your system when it sends off a command or query – they can intercept your command or query. For example; let’s say you perform a simple PHP query that will fetch the products from the database when your user selects a product category. Normally this sort of script would be accessed through the URL with a category id.\nFor example;\nLet’s say you did a regular SQL database select query looking for the category ID, your category information and URL command might look something like;\nc.category_id = ' . $_GET['cat'] . ' LIMIT 10';\nNow; obviously this example suggests that the clever programmer has included a limit to prevent what is going to happen next – but this won’t protect him. Poor clever programmer is about to be outsmarted.\nFirst of all; the only thing the hacker needs to do is find your product list page and look for everything, for example;\nYourwebsite.com/productlist.php?cat=1 or 1=1-\nDoesn’t look like anything special right? Well, with this alone the hacker can now see every single one of your products. Depending on how secure your website is this might let them find faults in the products, but it’s probably still not that dangerous right? 
Well, what if they did this;\n/productlist.php?cat=1 or error!;#$\nYep – bet you’re horrified now, because this will typically reveal the DBMS version of the query, and sometimes expose your table and column names. Not dangerous enough for you? With the tables and columns revealed the hacker can move on to attacking the user table, all thanks to exploiting a weakness in the products table.\n/productlist.php?cat=1 and (select count(*) from users) \u0026gt; 0\nCreating a new query inside the existing one means that they don’t need to verify the database connection; they’re using yours. They have access to your database now and they’re using it to find your user table, which can progress to finding how many users you have, and even finding the information within the user table. I’m quite sure I don’t need to specify why having access to your user database is such a bad thing.\nSo – if you want to avoid the injections you need to ensure that every bit of input data gets validated, reduce the amount of information shown when an error displays, really limit the database permissions to prevent PHP queries from being able to pull any more information than they absolutely need to, and use parameters in your queries.\nFinally – the back door. This is the server. You need to ensure that the server you use to host your information and website is secure. There have been a number of cases where highly secure websites were eventually hacked by first hacking a much lower security website that shared the host server. If you want to avoid this you can consider a dedicated server for your website; you should also consider keeping to hosting companies that offer support and security as part of the hosting package. Ask them what software their servers are running; this will give you an idea of how regularly they are updated – up to date servers are the most secure. 
Older software has had longer to be exploited and thus more of the weaknesses in these are already known to hackers.\nKate Critchlow is a young and enthusiastic writer with a particular interest for technology, covering everything from secure development to the latest gadget releases.\n","date":"2 April 2015","externalUrl":null,"permalink":"/posts/the-basics-of-secure-web-development/","section":"Posts","summary":"","title":"The Basics of Secure Web Development","type":"posts"},{"content":"","date":"8 January 2015","externalUrl":null,"permalink":"/tags/business/","section":"Tags","summary":"","title":"Business","type":"tags"},{"content":"Not all businesses are aware of just how much of their data is potentially at risk within their own systems and even their website; there simply isn’t the education in place to identify the flaws in one’s system before it’s too late in most cases, which results in compromised data, stolen data, loss of trust from customers and potentially a loss of funds or profits for the business in question; usually because of issues that could have easily been avoided.\nFirst of all you need to secure the internal workings of your business; which means users and data storage. One of the biggest threats to your computer and data security systems is actually the people that you give access to those systems; the human element is less predictable so be sure to take the necessary precautions that will prevent or limit damages should an employee choose to act maliciously. Start by ensuring logins are required and are unique to each user, this allows you to control exactly what each person has access to, and means that it is easier to trace who is responsible if damage is caused. You should also be very careful about providing permissions to these users; consider what they absolutely must have access to, and why, and consider whether or not they really need access to everything they can access. 
Limitations are the first step towards protection.\nOnce you have this much protected you can start to think about how to avoid unauthorised access; password protecting everything is a good start, and encrypting sensitive information can be a fantastic way to avoid giving away data that is particularly valuable to your company. These are generally very easy systems to implement, and most security organisations you may choose to work with will help you to set up systems for encryption, data recovery, remote destruction (allowing you to delete data on a stolen device), as well as other aspects of data protection that can be very important to your business. These are important if your business handles a great deal of sensitive information, and of course if that is the case and security is of particular importance you will want to get a security firm to help you protect it; however, in a lot of cases your own IT department can set up the encryption, passwords, firewalls and defences needed to protect basic levels of data against reasonably tough attacks.\nOf course your online systems can require something a little different in order to keep them safe, and this is true of your website as well as any online content management, project management or other systems you might be using in the day to day running of your business. Again it is important that everything is password protected to keep things safe and secure as far as your users and their access levels are concerned, but you should also ensure that the development of the websites and tools is done with a certain level of security in mind. There are some rules to this, but in general it isn’t too difficult if you can already develop a website.\nNo WordPress. If you want a secure website to handle lots of valuable data then WordPress isn’t for you, no matter how easy you think it makes your life. The problem with WordPress is that literally anyone can get it, and they all get the same version. 
Within a short time the vulnerabilities of that version will have been discovered and likely shared among hackers and other such people, meaning that you can either update or remain vulnerable – your only hope is that WordPress and you update often enough to stay one step ahead of the hackers. This is an issue that exists with a variety of similar platforms and would be difficult to keep yourself secure using these platforms – the best option is to use a secure platform and your own web development team or company.\nThe variations in the programming that come from using your own team help to create diversity online, which means that it is much harder for hackers and malicious users to find the ways into your system; thus keeping you protected for longer. Of course even with your own website you are likely to be working with systems like Magento for database integration and content management, which will need to be updated every so often but are considerably more secure than systems like WordPress, and you will have to keep certificates up to date, particularly your SSL certificates.\nKate Critchlow is a freelance writer with a passionate interest for technology covering everything from web development to IT security services.\n","date":"8 January 2015","externalUrl":null,"permalink":"/posts/data-and-web-security-in-business-2/","section":"Posts","summary":"","title":"Data and Web Security in Business","type":"posts"},{"content":"","date":"8 January 2015","externalUrl":null,"permalink":"/categories/wordpress/","section":"Categories","summary":"","title":"Wordpress","type":"categories"},{"content":"","date":"6 November 2014","externalUrl":null,"permalink":"/tags/identity-theft/","section":"Tags","summary":"","title":"Identity-Theft","type":"tags"},{"content":"With the technological advancement, new security threats are emerging that could be more devastating than any physical weapons. 
Identity theft is one of those security threats that should be treated as early as possible. The creative folks at Ecogreen IT have created an infographic that depicts the shocking facts of identity theft and some preventive measures from being the victim of same.\nSource: Ecogreen IT Recycling\n","date":"6 November 2014","externalUrl":null,"permalink":"/posts/protect-yourself-before-being-a-identity-theft-victim/","section":"Posts","summary":"","title":"Protect Yourself Before Being A Identity Theft Victim","type":"posts"},{"content":"","date":"5 August 2014","externalUrl":null,"permalink":"/categories/iis-8-5/","section":"Categories","summary":"","title":"Iis-8-5","type":"categories"},{"content":"","date":"5 August 2014","externalUrl":null,"permalink":"/categories/server-core/","section":"Categories","summary":"","title":"Server-Core","type":"categories"},{"content":"This step-by-step guide explains how to install and configure public key infrastructure, based on:\nWindows 2012 R2 Server core - offline Root CA Windows 2012 R2 domain controller Windows 2012 R2 standard edition - Subordinate Enterprise CA server Offline Root CA - OS installation phase\nBoot the server using Windows 2012 R2 bootable DVD. From the installation option, choose \u0026ldquo;Windows Server 2012 R2 Standard (Server Core Installation)\u0026rdquo; -\u0026gt; click Next. Accept the license agreement -\u0026gt; click Next. Choose \u0026ldquo;Custom: Install Windows Only (Advanced)\u0026rdquo; installation type -\u0026gt; specify the hard drive to install the operating system -\u0026gt; click Next. Allow the installation phase to continue and restart the server automatically. To login to the server for the first time, press CTRL+ALT+DELETE Choose \u0026ldquo;Administrator\u0026rdquo; account -\u0026gt; click OK to replace the account password -\u0026gt; specify complex password and confirm it -\u0026gt; press Enter -\u0026gt; Press OK. 
From the command prompt window, run the command below: sconfig.cmd Press \u0026ldquo;2\u0026rdquo; to replace the computer name -\u0026gt; specify new computer name -\u0026gt; click \u0026ldquo;Yes\u0026rdquo; to restart the server. To login to the server, press CTRL+ALT+DELETE -\u0026gt; specify the \u0026ldquo;Administrator\u0026rdquo; account credentials. From the command prompt window, run the command below: sconfig.cmd Press \u0026ldquo;5\u0026rdquo; to configure \u0026ldquo;Windows Update Settings\u0026rdquo; -\u0026gt; select \u0026ldquo;A\u0026rdquo; for automatic -\u0026gt; click OK. Press \u0026ldquo;6\u0026rdquo; to download and install Windows Updates -\u0026gt; choose \u0026ldquo;A\u0026rdquo; to search for all updates -\u0026gt; Choose \u0026ldquo;A\u0026rdquo; to download and install all updates -\u0026gt; click \u0026ldquo;Yes\u0026rdquo; to restart the server. To login to the server, press CTRL+ALT+DELETE -\u0026gt; specify the \u0026ldquo;Administrator\u0026rdquo; account credentials. From the command prompt window, run the command below: sconfig.cmd In case you need to use RDP to access and manage the server, press \u0026ldquo;7\u0026rdquo; to enable \u0026ldquo;Remote Desktop\u0026rdquo; -\u0026gt; choose \u0026ldquo;E\u0026rdquo; to enable -\u0026gt; choose either \u0026ldquo;1\u0026rdquo; or \u0026ldquo;2\u0026rdquo; according to your client settings -\u0026gt; Press OK. Press \u0026ldquo;8\u0026rdquo; to configure \u0026ldquo;Network settings\u0026rdquo; -\u0026gt; select the network adapter by its Index number -\u0026gt; press \u0026ldquo;1\u0026rdquo; to configure the IP settings -\u0026gt; choose \u0026ldquo;S\u0026rdquo; for static IP address -\u0026gt; specify the IP address, subnet mask and default gateway -\u0026gt; press \u0026ldquo;2\u0026rdquo; to configure the DNS servers -\u0026gt; click OK -\u0026gt; press \u0026ldquo;4\u0026rdquo; to return to the main menu. 
Press \u0026ldquo;9\u0026rdquo; to configure \u0026ldquo;Date and Time\u0026rdquo; -\u0026gt; choose the correct \u0026ldquo;date/time\u0026rdquo; and \u0026ldquo;time zone\u0026rdquo; -\u0026gt; click OK Press \u0026ldquo;11\u0026rdquo; to restart the server to make sure all settings take effect -\u0026gt; click \u0026ldquo;Yes\u0026rdquo; to restart the server. To login to the server, press CTRL+ALT+DELETE -\u0026gt; specify the \u0026ldquo;Administrator\u0026rdquo; account credentials. From the command prompt window, run the command below: powershell Run the commands below to enable remote management of the Root CA: Enable-NetFirewallRule -DisplayGroup \u0026quot;Remote Service Management\u0026quot; Note: The above command should be written in single line. Enable-NetFirewallRule -DisplayGroup \u0026quot;Remote Desktop\u0026quot; Offline Root CA - Certificate Authority server installation phase\nTo login to the server, press CTRL+ALT+DELETE -\u0026gt; specify the \u0026ldquo;Administrator\u0026rdquo; account credentials. From the command prompt window, run the command below: powershell Run the command below to create CA policy file: notepad c:\\windows\\capolicy.inf Specify the following data inside the capolicy.inf file: [Version] Signature=\u0026quot;$Windows NT$\u0026quot; [Certsrv_Server] RenewalKeyLength=4096 RenewalValidityPeriod=Years RenewalValidityPeriodUnits=20 CRLPeriod=Weeks CRLPeriodUnits=26 CRLDeltaPeriod=Days CRLDeltaPeriodUnits=0 LoadDefaultTemplates=0 AlternateSignatureAlgorithm=1 [PolicyStatementExtension] Policies=LegalPolicy [LegalPolicy] OID=1.2.3.4.1455.67.89.5 Notice=\u0026quot;Legal Policy Statement\u0026quot; URL=http://www/CertEnroll/cps.asp Run the commands below to install Certification Authority using Powershell: Import-Module ServerManager Add-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools Note: The above command should be written in single line. 
Run the command below to install the Root CA: Install-AdcsCertificationAuthority -CAType StandaloneRootCA -KeyLength 4096 -HashAlgorithmName SHA256 -ValidityPeriod Years -ValidityPeriodUnits 20 -CACommonName **_\u0026lt;CA_Server_Name\u0026gt;_** -CryptoProviderName \u0026quot;RSA#Microsoft Software Key Storage Provider\u0026quot;Note 1: The above command should be written in single line. Note 2: Replace \u0026ldquo;CA_Server_Name\u0026rdquo; with the Root CA NetBIOS name. Run the command below to remove all default CRL Distribution Point (CDP): $crllist = Get-CACrlDistributionPoint; foreach ($crl in $crllist) {Remove-CACrlDistributionPoint $crl.uri -Force};Note: The above command should be written in single line. Run the commands below to configure new CRL Distribution Point (CDP): Add-CACRLDistributionPoint -Uri C:\\Windows\\System32\\CertSrv\\CertEnroll\\%3%8.crl -PublishToServer -ForceNote: The above command should be written in single line. Add-CACRLDistributionPoint -Uri http://www/CertEnroll/%3%8.crl -AddToCertificateCDP -ForceNote: The above command should be written in single line. Run the command below to remove all default Authority Information Access (AIA): $aialist = Get-CAAuthorityInformationAccess; foreach ($aia in $aialist) {Remove-CAAuthorityInformationAccess $aia.uri -Force};Note: The above command should be written in single line. Run the command below to configure new Authority Information Access (AIA): Add-CAAuthorityInformationAccess -AddToCertificateAia -uri http://www/CertEnroll/%1_%3.crtNote: The above command should be written in single line. 
Run the commands below to configure the Root CA settings: certutil.exe -setreg CA\\CRLPeriodUnits 26 certutil.exe -setreg CA\\CRLPeriod \u0026quot;Weeks\u0026quot; certutil.exe -setreg CA\\CRLDeltaPeriodUnits 0 certutil.exe -setreg CA\\CRLDeltaPeriod \u0026quot;Days\u0026quot; certutil.exe -setreg CA\\CRLOverlapPeriodUnits 12 certutil.exe -setreg CA\\CRLOverlapPeriod \u0026quot;Hours\u0026quot; certutil.exe -setreg CA\\ValidityPeriodUnits 20 certutil.exe -setreg CA\\ValidityPeriod \u0026quot;Years\u0026quot; certutil.exe -setreg CA\\KeySize 4096 certutil.exe -setreg CA\\AuditFilter 127 Run the commands below from command line, to configure the Offline Root CA to publish in the active-directory: certutil.exe -setreg ca\\DSConfigDN \u0026quot;CN=Configuration, **_DC=mycompany,DC=com_**\u0026quot; Note 1: The above command should be written in single line. Note 2: Replace \u0026ldquo;DC=mycompany,DC=com\u0026rdquo; according to your domain name. certutil.exe -setreg ca\\DSDomainDN \u0026quot;**_DC=mycompany,DC=com_**\u0026quot; Note: Replace \u0026ldquo;DC=mycompany,DC=com\u0026rdquo; according to your domain name. Run the command below to restart the CertSvc service: Restart-Service certsvc Run the command below to publish new CRLs: certutil.exe -CRL Enterprise Subordinate CA - OS installation phase Pre-requirements:\nActive Directory (Forest functional level – Windows 2012 R2) Add \u0026ldquo;A\u0026rdquo; record for the Root CA to the Active Directory DNS. Boot the server using Windows 2012 R2 bootable DVD. From the installation option, choose \u0026ldquo;Windows Server 2012 R2 Standard (Server with a GUI)\u0026rdquo; -\u0026gt; click Next. Accept the license agreement -\u0026gt; click Next. Choose \u0026ldquo;Custom: Install Windows Only (Advanced)\u0026rdquo; installation type -\u0026gt; specify the hard drive to install the operating system -\u0026gt; click Next. Allow the installation phase to continue and restart the server automatically. 
To login to the server for the first time, press CTRL+ALT+DELETE Choose \u0026ldquo;Administrator\u0026rdquo; account -\u0026gt; click OK to replace the account password -\u0026gt; specify complex password and confirm it -\u0026gt; press Enter -\u0026gt; Press OK. From the \u0026ldquo;Welcome to Server Manager\u0026rdquo;, click on \u0026ldquo;Configure this local server\u0026rdquo; -\u0026gt; replace the \u0026ldquo;Computer name\u0026rdquo; -\u0026gt; restart the server. From the \u0026ldquo;Welcome to Server Manager\u0026rdquo;, click on \u0026ldquo;Configure this local server\u0026rdquo; -\u0026gt; click on Ethernet -\u0026gt; right click on the network interface -\u0026gt; properties -\u0026gt; configure static IP address. Enable \u0026ldquo;Remote Desktop\u0026rdquo; From the command prompt window, run the command below: powershell Run the commands below to enable remote management of the Root CA: Enable-NetFirewallRule -DisplayGroup \u0026quot;Remote Desktop\u0026quot; Enterprise Subordinate CA - Certificate Authority server installation phase Pre-requirements:\nDNS CNAME record named \u0026ldquo;www\u0026rdquo; for the Enterprise Subordinate CA. Make sure the clocks of the Offline Root CA and the Subordinate CA are synched. To login to the server, press CTRL+ALT+DELETE -\u0026gt; specify the credentials of account member of \u0026ldquo;Schema Admins\u0026rdquo;, \u0026ldquo;Enterprise Admins\u0026rdquo; and \u0026ldquo;Domain Admins\u0026rdquo;. Copy the files below from the Offline Root CA server to a temporary folder on the subordinate CA: C:\\Windows\\System32\\CertSrv\\CertEnroll\\*.crt C:\\Windows\\System32\\CertSrv\\CertEnroll\\*.crl Run the command below to publish the Root CA in the Active Directory: certutil.exe -dspublish -f \u0026quot;\u0026lt;**_CACertFileName.crt_**\u0026gt;\u0026quot; RootCA Note: Replace \u0026ldquo;CACertFileName\u0026rdquo; with the actual CRT file. 
Run the commands below to add the Root CA certificate to the subordinate CA certificate store: certutil.exe -addstore -f root \u0026quot;\u0026lt;**_CACertFileName.crt_**\u0026gt;\u0026quot; certutil.exe -addstore -f root \u0026quot;\u0026lt;**_CACertFileName.crl_**\u0026gt;\u0026quot; Note: Replace \u0026ldquo;CACertFileName\u0026rdquo; with the actual CRT and CRL files. From the command prompt window, run the command below: powershell Run the command below to create CA policy file: notepad c:\\windows\\capolicy.inf Specify the following data inside the capolicy.inf file: [Version] Signature=\u0026quot;$Windows NT$\u0026quot; [Certsrv_Server] RenewalKeyLength=2048 RenewalValidityPeriod=Years RenewalValidityPeriodUnits=5 LoadDefaultTemplates=0 AlternateSignatureAlgorithm=1 Run the commands below to install Certification Authority using Powershell: Import-Module ServerManager Add-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools Note: The above command should be written in single line. Add-WindowsFeature Web-Mgmt-Console Add-WindowsFeature Adcs-Web-Enrollment Open Server Manager -\u0026gt; From the \u0026ldquo;Welcome to Server Manager\u0026rdquo;, click on notification icon -\u0026gt; click on \u0026ldquo;Configure Active Directory Certificate Services on the destination server\u0026rdquo; Specify credentials and click on Next. Select both \u0026ldquo;Certification Authority\u0026rdquo; and \u0026ldquo;Certification Authority Web Enrollment\u0026rdquo; roles and click on Next. Select \u0026ldquo;Enterprise CA\u0026rdquo; -\u0026gt; click on Next. Select \u0026ldquo;Subordinate CA\u0026rdquo; -\u0026gt; click on Next. Select \u0026ldquo;Create a new private key\u0026rdquo; -\u0026gt; click on Next. 
Cryptography: Cryptographic service provider (CSP): RSA#Microsoft software Key Storage Provider Key length: 2048 Hash algorithm: SHA256 CA Name: Common name: specify here the subordinate server NetBIOS name Distinguished name suffix: leave the default domain settings Select \u0026ldquo;Save a certificate request to file on the target machine\u0026rdquo; -\u0026gt; click Next Specify the database location and click Next. Click on Configure -\u0026gt; wait until the process completes and click on Close. Note: If asked, choose not to configure additional role services. Copy the request file (*.req) to the Offline Root CA. Login to the Offline Root CA using administrative account. Run the command below to approve the subordinate CA certificate request: certreq -submit \u0026quot;\u0026lt;**_CACertFileName_**\u0026gt;.req\u0026quot; Note: Replace \u0026ldquo;CACertFileName\u0026rdquo; with the actual request file. Run the command below to approve the subordinate CA request: certutil -resubmit **_2_** Note: Replace \u0026ldquo;2\u0026rdquo; with the request ID. Run the command below to download the new certificate: certreq -retrieve **_2_** \u0026quot;C:\\\u0026lt;**_CACertFileName_**\u0026gt;.cer\u0026quot; Note 1: Replace \u0026ldquo;CACertFileName\u0026rdquo; with the actual CER file. Note 2: Replace \u0026ldquo;2\u0026rdquo; with the request ID. Log off the Root CA and power it off for up to 179 days (for CRL update). Return to the Subordinate CA. Copy the file \u0026ldquo;c:\\\u0026lt;CACertFileName\u0026gt;.cer\u0026rdquo; from the Offline Root CA to the Subordinate CA. Note: Replace \u0026ldquo;CACertFileName\u0026rdquo; with the actual CER file. Run the commands below to complete the Subordinate CA installation process: powershell Certutil -installcert \u0026quot;\u0026lt;**_CACertFileName_**\u0026gt;.cer\u0026quot; Note: Replace \u0026ldquo;CACertFileName\u0026rdquo; with the actual CER file. 
Run the command below to restart the CA service: start-service certsvc Run the command below to remove all default CRL Distribution Point (CDP): $crllist = Get-CACrlDistributionPoint; foreach ($crl in $crllist) {Remove-CACrlDistributionPoint $crl.uri -Force};Note: The above command should be written in single line. Run the commands below to configure new CRL Distribution Point (CDP): Add-CACRLDistributionPoint -Uri C:\\Windows\\System32\\CertSrv\\CertEnroll\\%3%8%9.crl -PublishToServer -PublishDeltaToServer -ForceNote: The above command should be written in single line. Add-CACRLDistributionPoint -Uri http://www/CertEnroll/%3%8%9.crl -AddToCertificateCDP -ForceNote: The above command should be written in single line. Add-CACRLDistributionPoint -Uri file://\\\\\u0026lt;**_SubordinateCA_DNS_Name_**\u0026gt;\\CertEnroll\\%3%8%9.crl -PublishToServer -PublishDeltaToServer -ForceNote 1: The above command should be written in single line. Note 2: Replace \u0026quot;\u0026lt;SubordinateCA_DNS_Name\u0026gt;\u0026quot; with the actual Subordinate CA DNS name. Run the command below to remove all default Authority Information Access (AIA): $aialist = Get-CAAuthorityInformationAccess; foreach ($aia in $aialist) {Remove-CAAuthorityInformationAccess $aia.uri -Force};Note: The above command should be written in single line. Run the commands below to configure new Authority Information Access (AIA): Add-CAAuthorityInformationAccess -AddToCertificateAia http://www/CertEnroll/%1_%3%4.crt -ForceNote: The above command should be written in single line. Add-CAAuthorityInformationAccess -AddToCertificateAia \u0026quot;ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11\u0026quot;Note: The above command should be written in single line. Add-CAAuthorityInformationAccess -AddToCertificateOcsp http://www/ocsp -ForceNote: The above command should be written in single line. 
Run the commands below to configure the Root CA settings: Certutil -setreg CA\\CRLPeriodUnits 2 Certutil -setreg CA\\CRLPeriod \u0026quot;Weeks\u0026quot; Certutil -setreg CA\\CRLDeltaPeriodUnits 1 Certutil -setreg CA\\CRLDeltaPeriod \u0026quot;Days\u0026quot; Certutil -setreg CA\\CRLOverlapPeriodUnits 12 Certutil -setreg CA\\CRLOverlapPeriod \u0026quot;Hours\u0026quot; Certutil -setreg CA\\ValidityPeriodUnits 5 Certutil -setreg CA\\ValidityPeriod \u0026quot;Years\u0026quot; certutil -setreg CA\\AuditFilter 127 certutil -setreg CA\\EncryptionCSP\\CNGEncryptionAlgorithm AES certutil -setreg CA\\EncryptionCSP\\SymmetricKeySize 256 certutil -setreg CA\\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE certutil -setreg policy\\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2 Note: The above command should be written in single line. Run the command below to restart the CertSvc service: Restart-Service certsvc Run the command below to publish new CRLs: certutil.exe -CRL Copy the files below from the Root CA to the subordinate CA (same location): C:\\Windows\\System32\\CertSrv\\CertEnroll\\*.crl C:\\Windows\\System32\\CertSrv\\CertEnroll\\*.crt Create CPS (Certificate Practice Statement), save it as \u0026ldquo;cps.asp\u0026rdquo; inside the subordinate CA under the folder below: C:\\Windows\\System32\\CertSrv\\CertEnroll Note: For more information about Certificate Practice Statement, see: http://technet.microsoft.com/en-us/library/cc780454(v=ws.10).aspx Login to a domain controller in the forest root domain, with account member of Domain Admins and Enterprise Admins. Open Server Manager -\u0026gt; Tools -\u0026gt; Active Directory Users and Computers. From the left pane, expand the domain name -\u0026gt; choose an OU and create the following groups: Group name: CA Admins Group description/purpose: Manage CA server Group name: CA Issuers Group description/purpose: Issue certificates Log off the domain controller. 
Login to the Subordinate CA using administrative account, who is also member of the \u0026ldquo;CA Admins\u0026rdquo; group. Open Server Manager -\u0026gt; Tools -\u0026gt; Certification Authority. From the left pane, right click on the CA server name -\u0026gt; Properties -\u0026gt; Security tab -\u0026gt; Add -\u0026gt; add the \u0026ldquo;CA Admins\u0026rdquo; group -\u0026gt; grant the permissions \u0026ldquo;Issue and Manage Certificates\u0026rdquo; and \u0026ldquo;Manage CA\u0026rdquo; and remove all other permissions -\u0026gt; click on OK. Note: As best practices, it is recommended to remove the default permissions of \u0026ldquo;Domain Admins\u0026rdquo; and \u0026ldquo;Enterprise Admins\u0026rdquo;. From the left pane, expand the CA server name -\u0026gt; right click on Certificate Templates -\u0026gt; Manage -\u0026gt; from the main pane, right click on \u0026ldquo;User\u0026rdquo; certificate -\u0026gt; Duplicate Template -\u0026gt; General tab -\u0026gt; rename the template to \u0026ldquo;Custom User Certificate\u0026rdquo; -\u0026gt; Security tab -\u0026gt; click on Add -\u0026gt; add the \u0026ldquo;CA Issuers\u0026rdquo; group -\u0026gt; grant the permission \u0026ldquo;Read\u0026rdquo;, \u0026ldquo;Enroll\u0026rdquo; and \u0026ldquo;Autoenroll\u0026rdquo; -\u0026gt; click on OK. From the main pane, right click on \u0026ldquo;Web Server\u0026rdquo; certificate -\u0026gt; Duplicate Template -\u0026gt; General tab -\u0026gt; rename the template to \u0026ldquo;Custom Web Server Certificate\u0026rdquo; -\u0026gt; Request Handling tab -\u0026gt; select \u0026ldquo;Allow private key to be exported\u0026rdquo; -\u0026gt; Security tab -\u0026gt; click on Add -\u0026gt; add the \u0026ldquo;CA Issuers\u0026rdquo; group -\u0026gt; grant the permission \u0026ldquo;Read\u0026rdquo; and \u0026ldquo;Enroll\u0026rdquo; -\u0026gt; remove the permissions for the built-in Administrator account -\u0026gt; click on OK. 
Note: All computer accounts requesting the \u0026ldquo;Custom Web Server Certificate\u0026rdquo; certificate must be member of the \u0026ldquo;CA Issuers\u0026rdquo; group. From the main pane, right click on \u0026ldquo;OCSP Response Signing\u0026rdquo; certificate -\u0026gt; Duplicate Template -\u0026gt; General tab -\u0026gt; rename the template to \u0026ldquo;Custom OCSP Response Signing\u0026rdquo; -\u0026gt; Security tab -\u0026gt; add the subordinate CA computer account -\u0026gt; grant \u0026ldquo;Read\u0026rdquo;, \u0026ldquo;Enroll\u0026rdquo; and \u0026ldquo;Autoenroll\u0026rdquo; -\u0026gt; click OK. From the main pane, right click on \u0026ldquo;Web Server\u0026rdquo; certificate -\u0026gt; Properties -\u0026gt; Security tab -\u0026gt; click on Add -\u0026gt; add the \u0026ldquo;CA Issuers\u0026rdquo; group -\u0026gt; grant the permission \u0026ldquo;Read\u0026rdquo; and \u0026ldquo;Enroll\u0026rdquo; -\u0026gt; click OK Close the Certificate Templates Console. From the Certification Authority console left pane, right click on Certificate Templates -\u0026gt; New -\u0026gt; Certificate Template to issue -\u0026gt; select the following certificate templates: \u0026ldquo;Web Server\u0026rdquo; \u0026ldquo;Custom User Certificate\u0026rdquo; \u0026ldquo;Custom Web Server Certificate\u0026rdquo; \u0026ldquo;Custom OCSP Response Signing\u0026rdquo; Click OK. Close the Certification Authority console. Open Server Manager -\u0026gt; Manage -\u0026gt; Add Roles and Features -\u0026gt; click Next 3 times -\u0026gt; expand \u0026ldquo;Active Directory Certificate Services\u0026rdquo; -\u0026gt; select \u0026ldquo;Online Responder\u0026rdquo; -\u0026gt; click on Add Features -\u0026gt; click Next twice -\u0026gt; click on Install -\u0026gt; click on Close From the upper pane, click on notification icon -\u0026gt; click on \u0026ldquo;Configure Active Directory Certificate Services on the destination server\u0026rdquo; Specify credentials and click on Next. 
Select \u0026ldquo;Online Responder\u0026rdquo; -\u0026gt; click Next -\u0026gt; click on Configure -\u0026gt; click Close. From the left pane, right click on \u0026ldquo;Online Responder\u0026rdquo; -\u0026gt; Responder Properties -\u0026gt; Audit tab -\u0026gt; select \u0026ldquo;Changes to the Online Responder configuration\u0026rdquo;, \u0026ldquo;Changes to the Online Responder security settings\u0026rdquo; and \u0026ldquo;Requests submitted to the Online Responder\u0026rdquo; -\u0026gt; click OK -\u0026gt; close the \u0026ldquo;Online Responder Configuration\u0026rdquo; console. Open Server Manager -\u0026gt; Tools -\u0026gt; Local Security Policy -\u0026gt; from the left pane, expand \u0026ldquo;Advanced Audit Policies\u0026rdquo; -\u0026gt; expand \u0026ldquo;System Audit Policies - Local Group Policy Object\u0026rdquo; -\u0026gt; click on Object Access -\u0026gt; from the main pane, double click on \u0026ldquo;Audit Certification Services\u0026rdquo; -\u0026gt; select \u0026ldquo;Configure the following audit events\u0026rdquo; -\u0026gt; select both Success and Failure -\u0026gt; click OK -\u0026gt; close the Local Security policy console. Run from command line: certutil -CRL Run from command line: certutil -v -setreg policy\\editflags +EDITF_ENABLEOCSPREVNOCHECK Note: The above command should be written on a single line. 
Run the command below to restart the CertSvc service: powershell Restart-Service certsvc Open Server Manager -\u0026gt; Tools -\u0026gt; Online Responder Management. From the left pane, right click on \u0026ldquo;Revocation Configuration\u0026rdquo; -\u0026gt; Add revocation configuration -\u0026gt; click Next -\u0026gt; on the name field, specify \u0026ldquo;Custom Revocation Configuration\u0026rdquo; -\u0026gt; click Next -\u0026gt; select \u0026ldquo;Select a certificate for an Existing enterprise CA\u0026rdquo; -\u0026gt; click Next -\u0026gt; click Browse -\u0026gt; select the subordinate CA -\u0026gt; click OK -\u0026gt; Automatically select a signing certificate -\u0026gt; click Next -\u0026gt; click Finish. Close the Online Responder Management console. Log in to a domain controller in the forest root domain, with an account that is a member of Domain Admins and Enterprise Admins. Copy the files below from the subordinate CA server to a temporary folder on the domain controller: C:\\Windows\\System32\\CertSrv\\CertEnroll\\*.crt Note: Copy the newest files. Open Server Manager -\u0026gt; Tools -\u0026gt; Group Policy Management. From the left pane, expand the forest name -\u0026gt; expand Domains -\u0026gt; expand the relevant domain name -\u0026gt; right click on \u0026ldquo;Default domain policy\u0026rdquo; -\u0026gt; Edit. From the left pane, under \u0026ldquo;Computer Configuration\u0026rdquo; -\u0026gt; expand Policies -\u0026gt; expand \u0026ldquo;Windows Settings\u0026rdquo; -\u0026gt; expand \u0026ldquo;Security Settings\u0026rdquo; -\u0026gt; expand \u0026ldquo;Public Key Policies\u0026rdquo; -\u0026gt; right click on \u0026ldquo;Trusted Root Certification Authorities\u0026rdquo; -\u0026gt; Import -\u0026gt; click Next -\u0026gt; click Browse to locate the CRT file from the Root CA server -\u0026gt; click Open -\u0026gt; click Next twice -\u0026gt; click Finish -\u0026gt; click OK. 
From the left pane, under \u0026ldquo;Computer Configuration\u0026rdquo; -\u0026gt; expand Policies -\u0026gt; expand \u0026ldquo;Windows Settings\u0026rdquo; -\u0026gt; expand \u0026ldquo;Security Settings\u0026rdquo; -\u0026gt; expand \u0026ldquo;Public Key Policies\u0026rdquo; -\u0026gt; right click on \u0026ldquo;Intermediate Certification Authorities\u0026rdquo; -\u0026gt; Import -\u0026gt; click Next -\u0026gt; click Browse to locate the CRT file from the Subordinate CA server -\u0026gt; click Open -\u0026gt; click Next twice -\u0026gt; click Finish -\u0026gt; click OK. From the main pane, right click on the certificate name -\u0026gt; Properties -\u0026gt; OCSP tab -\u0026gt; inside the empty \u0026ldquo;Add URL\u0026rdquo; field, specify: http://www/ocsp Click on Add URL -\u0026gt; Click OK. From the left pane, under \u0026ldquo;Computer Configuration\u0026rdquo; -\u0026gt; expand Policies -\u0026gt; expand \u0026ldquo;Windows Settings\u0026rdquo; -\u0026gt; expand \u0026ldquo;Security Settings\u0026rdquo; -\u0026gt; click on \u0026ldquo;Public Key Policies\u0026rdquo; -\u0026gt; from the main pane, right click on \u0026ldquo;Certificate Services Client - Certificate Enrollment Policy\u0026rdquo; -\u0026gt; Properties -\u0026gt; change the \u0026ldquo;Configuration Model\u0026rdquo; to \u0026ldquo;Enabled\u0026rdquo; and click OK. 
From the left pane, under \u0026ldquo;Computer Configuration\u0026rdquo; -\u0026gt; expand Policies -\u0026gt; expand \u0026ldquo;Windows Settings\u0026rdquo; -\u0026gt; expand \u0026ldquo;Security Settings\u0026rdquo; -\u0026gt; click on \u0026ldquo;Public Key Policies\u0026rdquo; -\u0026gt; from the main pane, right click on \u0026ldquo;Certificate Services Client - Auto-Enrollment\u0026rdquo; -\u0026gt; Properties -\u0026gt; change the \u0026ldquo;Configuration Model\u0026rdquo; to \u0026ldquo;Enabled\u0026rdquo; -\u0026gt; select \u0026ldquo;Renew expired certificates, update pending certificates, and remove revoked certificates\u0026rdquo; and \u0026ldquo;Update certificates that use certificate templates\u0026rdquo; -\u0026gt; click OK. From the left pane, under \u0026ldquo;Computer Configuration\u0026rdquo; -\u0026gt; expand Policies -\u0026gt; expand \u0026ldquo;Administrative Templates\u0026rdquo; -\u0026gt; expand \u0026ldquo;Windows Components\u0026rdquo; -\u0026gt; expand \u0026ldquo;Internet Explorer\u0026rdquo; -\u0026gt; expand \u0026ldquo;Internet Control Panel\u0026rdquo; -\u0026gt; expand \u0026ldquo;Security Page\u0026rdquo; -\u0026gt; double click on \u0026ldquo;Site to zone assignment list\u0026rdquo; -\u0026gt; click on \u0026ldquo;Enabled\u0026rdquo; -\u0026gt; under Options, click on \u0026ldquo;Show\u0026rdquo; -\u0026gt; inside \u0026ldquo;Value name\u0026rdquo;, specify the Subordinate CA DNS name -\u0026gt; inside \u0026ldquo;Value\u0026rdquo;, specify 2 -\u0026gt; click OK twice. Close the \u0026ldquo;Group Policy Management\u0026rdquo;. Logoff the domain controller. Login to the Subordinate CA using administrative account. Open Server Manager -\u0026gt; Tools -\u0026gt; Internet Information Services (IIS) Manager. 
From the left pane, expand the server name -\u0026gt; expand Sites -\u0026gt; click on \u0026ldquo;Default Web Site\u0026rdquo; -\u0026gt; from the right pane, click on \u0026ldquo;Bindings\u0026rdquo; -\u0026gt; click on Add -\u0026gt; from the Type, select HTTPS -\u0026gt; under \u0026ldquo;SSL Certificate\u0026rdquo;, select the Subordinate CA certificate -\u0026gt; click OK -\u0026gt; click on Close. From the left pane, expand \u0026ldquo;Default Web Site\u0026rdquo; -\u0026gt; click on \u0026ldquo;CertSrv\u0026rdquo; -\u0026gt; from the main pane, double click on \u0026ldquo;Request Filtering\u0026rdquo; -\u0026gt; click Edit Feature Settings -\u0026gt; select \u0026ldquo;Allow Double Escaping\u0026rdquo; -\u0026gt; click OK From the main pane, double click on \u0026ldquo;SSL Settings\u0026rdquo; -\u0026gt; select \u0026ldquo;Require SSL\u0026rdquo; -\u0026gt; click on Apply. Close the Internet Information Services (IIS) Manager console. Run PKIVIEW.msc to make sure the entire PKI structure is fully functional. Logoff the Subordinate CA. ","date":"5 August 2014","externalUrl":null,"permalink":"/posts/windows-2012-r2-certification-authority-installation-guide/","section":"Posts","summary":"","title":"Windows 2012 R2 Certification Authority installation guide","type":"posts"},{"content":"","date":"5 August 2014","externalUrl":null,"permalink":"/categories/windows-2012/","section":"Categories","summary":"","title":"Windows-2012","type":"categories"},{"content":"","date":"10 April 2014","externalUrl":null,"permalink":"/categories/instagram/","section":"Categories","summary":"","title":"Instagram","type":"categories"},{"content":"In the recent time social networking sites simply becomes a victim of hacking event but today Instagram – A social networking site experienced different face of internet called Social Engineering. 
You might have heard about spam emails that lure readers into clicking with offers of lottery winnings, jobs, and discounts, but over the last few days Symantec has observed a shocking activity on Instagram carried out by hackers.\nInstagram scammers are posting images related to fake lottery winnings. The spammers have also convinced users to share posts, surrender their personal information, and send money to the scammers.\nThe users who fell victim were mostly from the USA and the UK. Spammers also offered $1000 to Instagram users for following them and leaving a comment with their email address. Below is an image of Instagram accounts pretending to be real-life lottery winners.\nMost of the spammers received responses from 5,000 to 10,000 followers. After receiving a huge response, they revealed a new Instagram account named “accountant” that would deliver the $1000 to users. Spammers also asked users to send a $0.99 postage charge to process the large payment. Some users sent this postage charge, and many users revealed their email addresses to the spammers. Below is an image of the fake accountant that asked users for money.\nThe main objective of this campaign was to amass account details for personal use or resale. Spammers also changed the avatar, user name, and biography for spamming purposes.\nSpammers had spin accounts, and afterwards the impersonated accounts reappeared with few followers. Though these accounts were bogus, users still hoped that they would get $1000 for following the Instagram accounts. Below is an Instagram account that reappeared with few followers.\nSymantec has published some precautions against this spamming activity.\nDo not blindly trust everything you see on social media. Question such offers when you find them. Do not reveal your personal information. Do not send money to people you do not know. 
","date":"10 April 2014","externalUrl":null,"permalink":"/posts/instagram-lottery-winning-fraud-made-thousands-of-victims/","section":"Posts","summary":"","title":"Instagram Lottery winning fraud made thousands of victims","type":"posts"},{"content":"","date":"10 April 2014","externalUrl":null,"permalink":"/categories/lottery-scam/","section":"Categories","summary":"","title":"Lottery-Scam","type":"categories"},{"content":"Recently, viruses’ manufacturers know now how to penetrate antivirus programs. They do it by changing the virus code a little so it appears to have new “signature”. Signature is the traditional way antivirus programs detect viruses. By having a new signature, the virus is unknown to the antivirus program and it can penetrate the computer easily.\nOnce it is in the computer, it can do several things:\nScan your computer and steal important documents. Act like a bridge head and download other viruses. Implant itself to become operated every time the computer boots. Record every keystroke/conversation/login you make on the computer and transmit it to external criminal use. The life expectancy of such a virus is three weeks – the time it takes to the antivirus program to get updated on every computer in the world. By that time the virus manufacturer releases a new (and unknown) version.\nSince the antivirus has this inherit flow, many solutions are being developed aiming to seal this “zero day virus gap”. The common solutions are placing a monitoring program in the computer that monitors the computer activities and sends suspicious incidents to network administrator attention. The incidents are evaluated based on “behavioral approach” which aims to determine if the incident indicates virus penetration or not. Other solutions put traps on the computer and wait for a virus to trigger the trap alarm. 
Most of those solutions are aimed for the enterprise market and require professional staff to handle the alerts received.\n“Magen – Malware Vigilance” was developed by programmers for the home market: It alerts the users about possible Malware penetration into their computer and allows them to disable the threat before significant damage is made. Magen is an alarm system, not an antivirus. This means that it does not block/erase/dismantle viruses, but specializes in detecting new program penetration into the computer and conveying the message to the computer owner scrutiny.\nMagen detection algorithm is very efficient and patent pending. It alerts on every program implementation into the computer, which is every program that has configured itself to be automatically operated in the computer.\nUsing the Magen brings to the computer users attention information about significant changes in their computer and allows them to stay in control regarding their computer hygiene. From time to time it reveals legitimate program updates that install new computer services without telling the owner and without a good reason for doing so. I consider such updates to be immoral, and the information Magen convey allow people to remove the undesired intrusion.\n“Decent Spyware” can be used to inflict significant damage to the victim. From pedophiles who are able to get to kids’ bedrooms, to cyber criminals that can take home mortgage on other people’s name.\nIn the following example we can see a sample of Virus that is received using an Email message (Click the Image to enlarge): The virus trigger the following alert: Pressing the “more…” reveals the program properties:\nGoogling for msxurpk.exe does not show any results. With the rest of the properties, it is quite evident that this is most likely a virus. 
The best way to disable this threat is to click on the “system restore” button and restore the operating system to a date earlier than the detection date (in our case 02/March/2014).\nIn these sophisticated times, when people spend many hours online, it is essential to be “Malware Vigilant” and protect your computer from being infected by a “Zero day virus” which can pass through the antivirus.\nTo see some samples of infections and how they are revealed, you can see the Cyber-Dome YouTube channel.\nYou can download Magen and test it free for 45 days here.\n","date":"4 March 2014","externalUrl":null,"permalink":"/posts/how-to-defend-from-the-zero-day-viruses-family/","section":"Posts","summary":"","title":"How to defend from the “Zero day viruses” family","type":"posts"},{"content":"This document explains the process of installation, configuration and hardening of NGINX server from source files, based on CentOS 6.4 default installation (IPTables and SELinux enabled by default), including support for TLS v1.2 and protection from BEAST attack and CRIME attack\nSome of the features explained in this document are supported by only some of the Internet browsers:\nX-Frame-Options – Minimum browser support: IE 8.0, Firefox 3.6.9, Chrome 4.1.249, Opera 10.50, Safari 4.0 TLS 1.2 – Minimum browser support: IE 8.0 on Windows 7/8 (Need to be enabled by default), Firefox 24.0 (Need to be enabled by default), Chrome 30, Opera 17, Safari 5.0\nInstallation Phase\n1. Login to the server using Root account 2. Install prerequisite packages: yum install policycoreutils-python-* -y yum install setools-libs-* -y yum install libcgroup-* -y yum install audit-libs-python-* -y yum install libsemanage-python-* -y yum install setools-libs-python-* -y yum install gcc* -y 3. Create a new account: groupadd nginx useradd -g nginx -d /dev/null -s /sbin/nologin nginx 4. 
Upgrade the Openssl build: rpm -ivh --nosignature http://rpm.axivo.com/redhat/axivo-release-6-1.noarch.rpm yum --enablerepo=axivo update openssl -y 5. Download Openssl source files: cd /opt wget http://www.openssl.org/source/openssl-1.0.1e.tar.gz 6. Extract Openssl source files: tar zxvf /opt/openssl-1.0.1e.tar.gz -C /opt 7. Remove Openssl source file: rm -rf /opt/openssl-1.0.1e.tar.gz 8. Download PCRE source file into /tmp, from: http://sourceforge.net/projects/pcre/files/pcre/ 9. Compile PCRE from source file: tar zxvf /tmp/pcre-8.34.tar.gz -C /tmp mv /tmp/pcre-8.34 /usr/local/pcre cd /usr/local/pcre ./configure --prefix=/usr/local/pcre make make install 10. Remove PCRE package: rm -rf /tmp/pcre-8.34.tar.gz 11. Download Nginx 1.5.8: cd /tmp wget http://nginx.org/download/nginx-1.5.8.tar.gz 12. Extract the nginx-1.5.8.tar.gz file: tar -zxvf /tmp/nginx-1.5.8.tar.gz -C /tmp 13. Move to the Nginx source folder: cd /tmp/nginx-1.5.8 14. Edit using VI, the file /tmp/nginx-1.5.8/src/http/ngx_http_header_filter_module.c and replace the following section, from: static char ngx_http_server_string[] = \u0026quot;Server: nginx\u0026quot; CRLF; static char ngx_http_server_full_string[] = \u0026quot;Server: \u0026quot; NGINX_VER CRLF; To: static char ngx_http_server_string[] = \u0026quot;Server: Secure Web Server\u0026quot; CRLF; static char ngx_http_server_full_string[] = \u0026quot;Server: Secure Web Server\u0026quot; NGINX_VER CRLF; 15. Run the commands below to compile the Nginx environment: ./configure --with-openssl=/opt/openssl-1.0.1e --with-http_ssl_module --without-http_autoindex_module --without-http_ssi_module --with-pcre=/usr/local/pcre Note: The command above should be written as one line. make make install 16. Remove the Nginx source files: cd / rm -rf /tmp/nginx-1.5.8 rm -f /tmp/nginx-1.5.8.tar.gz 17. Remove default content: rm -rf /usr/local/nginx/html 18. 
Updating Ownership and Permissions on Nginx folders: chown -R root:root /usr/local/nginx chmod 750 /usr/local/nginx/sbin/nginx chmod -R 640 /usr/local/nginx/conf chmod -R 770 /usr/local/nginx/logs 19. Create folder for the web content: mkdir -p /www 20. Updating Ownership and Permissions on the web content folder: chown -R root /www chmod -R 775 /www 21. Edit using VI the file /usr/local/nginx/conf/nginx.conf and change the following settings: From: #user nobody;To: user nginx nginx;From: #error_log logs/error.log notice;To: error_log logs/error.log notice;From: server_name localhost;To: server_name Server_FQDN;Note: Replace Server_FQDN with the actual server DNS name.\nFrom: `root html;`To: `root /www;` Add the following sections to the end of the /usr/local/nginx/conf/nginx.conf file (before the last \u0026ldquo;}\u0026rdquo; character): ## turn off nginx version number ## server_tokens off; ## Size Limits \u0026amp; Buffer Overflows ## client_body_buffer_size 1K; client_header_buffer_size 1k; client_max_body_size 1k; large_client_header_buffers 2 2k; ## Timeouts ## client_body_timeout 10; client_header_timeout 10; send_timeout 10; Create using VI, the file /etc/init.d/nginx with the following content: #!/bin/sh # # nginx - this script starts and stops the nginx daemon # # chkconfig: - 85 15 # description: Nginx is an HTTP(S) server, HTTP(S) reverse \\ # proxy and IMAP/POP3 proxy server # processname: nginx # config: /usr/local/nginx/conf/nginx.conf # config: /etc/sysconfig/nginx # pidfile: /var/run/nginx.pid # Source function library. . /etc/rc.d/init.d/functions # Source networking configuration. . /etc/sysconfig/network # Check that networking is up. [ \u0026quot;$NETWORKING\u0026quot; = \u0026quot;no\u0026quot; ] \u0026amp;\u0026amp; exit 0 nginx=\u0026quot;/usr/local/nginx/sbin/nginx\u0026quot; prog=$(basename $nginx) NGINX_CONF_FILE=\u0026quot;/usr/local/nginx/conf/nginx.conf\u0026quot; [ -f /etc/sysconfig/nginx ] \u0026amp;\u0026amp; . 
/etc/sysconfig/nginx lockfile=/var/lock/subsys/nginx start() { [ -x $nginx ] || exit 5 [ -f $NGINX_CONF_FILE ] || exit 6 echo -n $\u0026quot;Starting $prog: \u0026quot; daemon $nginx -c $NGINX_CONF_FILE retval=$? echo [ $retval -eq 0 ] \u0026amp;\u0026amp; touch $lockfile return $retval } stop() { echo -n $\u0026quot;Stopping $prog: \u0026quot; killproc $prog -QUIT retval=$? echo [ $retval -eq 0 ] \u0026amp;\u0026amp; rm -f $lockfile return $retval } restart() { configtest || return $? stop sleep 1 start } reload() { configtest || return $? echo -n $\u0026quot;Reloading $prog: \u0026quot; killproc $nginx -HUP RETVAL=$? echo } force_reload() { restart } configtest() { $nginx -t -c $NGINX_CONF_FILE } rh_status() { status $prog } rh_status_q() { rh_status \u0026gt;/dev/null 2\u0026gt;\u0026amp;1 } case \u0026quot;$1\u0026quot; in start) rh_status_q \u0026amp;\u0026amp; exit 0 $1 ;; stop) rh_status_q || exit 0 $1 ;; restart|configtest) $1 ;; reload) rh_status_q || exit 7 $1 ;; force-reload) force_reload ;; status) rh_status ;; condrestart|try-restart) rh_status_q || exit 0 ;; *) echo $\u0026quot;Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload|configtest}\u0026quot; exit 2 esac Change the permissions of the file /etc/init.d/nginx chmod +x /etc/init.d/nginx To start Nginx service at server start-up, run the command: chkconfig nginx on To manually start the Nginx service, use the command: /etc/init.d/nginx start Configure IPTables: service iptables stop iptables -P INPUT DROP iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT Allow SSH access from Internal segment (i.e. 10.0.0.0/8) iptables -A INPUT -m state --state NEW -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPTNote: Replace 10.0.0.0/8 with the internal segment and subnet mask. Allow HTTP access from the Internet on the public interface (i.e. 
eth0) iptables -A INPUT -m state --state NEW -p tcp --dport 80 -i eth0 -j ACCEPT Note: Replace eth0 with the public interface name. Save the IPTables settings: service iptables save\nSSL Configuration Phase\n1. Login to the server using Root account. 2. Create folder for the SSL certificate files: mkdir -p /usr/local/nginx/ssl chmod 600 /usr/local/nginx/ssl 3. Run the command below to generate a key pair: /usr/bin/openssl genrsa -aes256 -out /usr/local/nginx/ssl/server-sec.key 2048 Note: Specify a complex pass phrase for the private key (and document it) 4. Run the command below to generate the CSR: /usr/bin/openssl req -new -newkey rsa:2048 -nodes -sha256 -days 1095 -key /usr/local/nginx/ssl/server-sec.key -out /tmp/server.csr Note: The command above should be written as one line. 5. Send the file /tmp/server.csr to a Certificate Authority server. 6. As soon as you receive the signed public key from the CA server via email, copy all lines starting with \u0026ldquo;Begin\u0026rdquo; and ending with \u0026ldquo;End\u0026rdquo; (include those two lines), into notepad, and save the file as \u0026ldquo;server.crt\u0026rdquo; 7. Copy the file \u0026ldquo;server.crt\u0026rdquo; using SCP into /usr/local/nginx/ssl 8. Follow the link on the email from the CA server, to create the Root CA chain, and save it as \u0026ldquo;ca-bundle.crt\u0026rdquo; (Note: The file must be PEM (base64) encoded). 9. Copy the file \u0026ldquo;ca-bundle.crt\u0026rdquo; using SCP into /usr/local/nginx/ssl 10. Combine the content of both the public key (server.crt) and the Root CA chain (ca-bundle.crt) into one file: cat /usr/local/nginx/ssl/ca-bundle.crt /usr/local/nginx/ssl/server.crt \u0026gt; /usr/local/nginx/ssl/server.pem Note: The command above should be written as one line. 11. Remove the key store passphrase: /usr/bin/openssl rsa -in /usr/local/nginx/ssl/server-sec.key -out /usr/local/nginx/ssl/server.key Note: The command above should be written as one line. 12. 
Remove the original \u0026ldquo;server.crt\u0026rdquo;, \u0026ldquo;server.csr\u0026rdquo; and \u0026ldquo;ca-bundle.crt\u0026rdquo; files: rm -f /tmp/server.csr rm -f /usr/local/nginx/ssl/server.crt rm -f /usr/local/nginx/ssl/ca-bundle.crt 13. Edit using VI the file /usr/local/nginx/conf/nginx.conf and replace the section bellow from: # HTTPS server # #server { # listen 443 ssl; # server_name localhost; # ssl_certificate cert.pem; # ssl_certificate_key cert.key; # ssl_session_cache shared:SSL:1m; # ssl_session_timeout 5m; # ssl_ciphers HIGH:!aNULL:!MD5; # ssl_prefer_server_ciphers on; # location / { # root html; # index index.html index.htm; # } #}To: # HTTPS server # server { listen 443; server_name Server_FQDN; ssl on; ssl_certificate /usr/local/nginx/ssl/server.pem; ssl_certificate_key /usr/local/nginx/ssl/server.key; ssl_session_timeout 5m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS; ssl_prefer_server_ciphers on; # HTTP Strict Transport Security # add_header Strict-Transport-Security \u0026quot;max-age=31536000; includeSubDomains\u0026quot; always; # X-Frame-Options header # add_header X-Frame-Options SAMEORIGIN; location / { root /www; index index.html index.htm; } }Note: Replace Server_FQDN with the actual server DNS name. 14. 
Configure IPTables – Allow HTTPS access from the Internet on the public interface (i.e. eth0) iptables -A INPUT -m state --state NEW -p tcp --dport 443 -i eth0 -j ACCEPT Note: Replace eth0 with the public interface name. 15. Remove HTTP access from the Internet on the public interface (i.e. eth0) iptables -D INPUT -m state --state NEW -p tcp --dport 80 -i eth0 -j ACCEPT Note: Replace eth0 with the public interface name. 16. Save the IPTables settings: service iptables save 17. Restart Nginx: service nginx restart\n","date":"10 January 2014","externalUrl":null,"permalink":"/posts/hardening-guide-for-nginx-1-5-8-on-redhat-6-4-64bit-edition/","section":"Posts","summary":"","title":"Hardening guide for NGINX 1.5.8 on RedHat 6.4 (64bit edition)","type":"posts"},{"content":"","date":"10 January 2014","externalUrl":null,"permalink":"/categories/nginx/","section":"Categories","summary":"","title":"Nginx","type":"categories"},{"content":"","date":"29 October 2013","externalUrl":null,"permalink":"/categories/apache/","section":"Categories","summary":"","title":"Apache","type":"categories"},{"content":"","date":"29 October 2013","externalUrl":null,"permalink":"/categories/centos/","section":"Categories","summary":"","title":"Centos","type":"categories"},{"content":"This document explains the process of installation, configuration and hardening of Apache server from source files, based on CentOS 6.4 default installation (IPTables and SELinux enabled by default), including support for TLS v1.2 and protection from BEAST attack and CRIME attack. 
Some of the features explained in this document are supported by only some of the Internet browsers:\nX-Frame-Options – Minimum browser support: IE 8.0, Firefox 3.6.9, Chrome 4.1.249, Opera 10.50, Safari 4.0\nTLS 1.2 – Minimum browser support: IE 8.0 on Windows 7/8 (Need to be enabled by default), Firefox 24.0 (Need to be enabled by default), Chrome 30, Opera 17, Safari 5.0\nPre-Requirements\npolicycoreutils-python-* package installed setools-libs-* package installed libcgroup-* package installed audit-libs-python-* package installed libsemanage-python-* package installed setools-libs-python-* package installed gcc* package installed gcc-c++* package installed autoconf* package installed automake* package installed\nInstallation Phase\n1. Login to the server using Root account 2. Upgrade the Openssl build: rpm -ivh --nosignature http://rpm.axivo.com/redhat/axivo-release-6-1.noarch.rpm yum --enablerepo=axivo update openssl -y 3. Download Apache source file into /tmp, from: http://httpd.apache.org/download.cgi 4. Download APR and APR-Util source files into /tmp, from: https://apr.apache.org/download.cgi 5. Download PCRE source file into /tmp, from: http://sourceforge.net/projects/pcre/files/pcre/ 6. Compile PCRE from source file: tar zxvf /tmp/pcre-8.33.tar.gz -C /tmp mv /tmp/pcre-8.33 /usr/local/pcre cd /usr/local/pcre ./configure --prefix=/usr/local/pcre make make install 7. Extract Apache source files: cd /tmp tar zxvf httpd-2.4.6.tar.gz cd httpd-2.4.6/srclib/ tar zxvf ../../apr-1.4.8.tar.gz ln -s apr-1.4.8/ apr tar zxvf ../../apr-util-1.5.2.tar.gz ln -s apr-util-1.5.2/ apr-util 8. Compile the Apache from source files: cd /tmp/httpd-2.4.6 ./configure --prefix=/opt/httpd --with-included-apr --enable-so --enable-ssl --with-ssl=/opt/openssl-1.0.1e --enable-ssl-staticlib-deps --enable-mods-static=ssl --with-pcre=/usr/local/pcre make make install 9. 
Remove the source files: rm -rf /tmp/apr-1.4.8.tar.gz rm -rf /tmp/apr-util-1.5.2.tar.gz rm -rf /tmp/httpd-2.4.6.tar.gz rm -rf /tmp/httpd-2.4.6 rm -rf /tmp/pcre-8.33.tar.gz 10. Remove Default Content: rm -rf /opt/httpd/cgi-bin rm -rf /opt/httpd/htdocs rm -rf /opt/httpd/icons rm -rf /opt/httpd/man rm -rf /opt/httpd/manual rm -rf /opt/httpd/conf/extra/httpd-autoindex.conf rm -rf /opt/httpd/conf/extra/httpd-autoindex.conf.in rm -rf /opt/httpd/conf/extra/httpd-dav.conf rm -rf /opt/httpd/conf/extra/httpd-dav.conf.in rm -rf /opt/httpd/conf/extra/httpd-default.conf rm -rf /opt/httpd/conf/extra/httpd-default.conf.in rm -rf /opt/httpd/conf/extra/httpd-info.conf rm -rf /opt/httpd/conf/extra/httpd-info.conf.in rm -rf /opt/httpd/conf/extra/httpd-languages.conf rm -rf /opt/httpd/conf/extra/httpd-languages.conf.in rm -rf /opt/httpd/conf/extra/httpd-manual.conf rm -rf /opt/httpd/conf/extra/httpd-manual.conf.in rm -rf /opt/httpd/conf/extra/httpd-mpm.conf rm -rf /opt/httpd/conf/extra/httpd-mpm.conf.in rm -rf /opt/httpd/conf/extra/httpd-multilang-errordoc.conf rm -rf /opt/httpd/conf/extra/httpd-multilang-errordoc.conf.in rm -rf /opt/httpd/conf/extra/httpd-userdir.conf rm -rf /opt/httpd/conf/extra/httpd-userdir.conf.in rm -rf /opt/httpd/conf/extra/httpd-vhosts.conf rm -rf /opt/httpd/conf/extra/httpd-vhosts.conf.in rm -rf /opt/httpd/conf/extra/proxy-html.conf rm -rf /opt/httpd/conf/extra/proxy-html.conf.in rm -rf /opt/httpd/conf/original 11. Updating Ownership and Permissions on Apache folders: chown root:root /opt/httpd/bin/apachectl chown root:root /opt/httpd/bin/httpd chmod 770 /opt/httpd/bin/apachectl chmod 770 /opt/httpd/bin/httpd chown -R root:root /opt/httpd chmod -R go-r /opt/httpd chown -R root:root /opt/httpd/logs chmod -R 700 /opt/httpd/logs 12. Create folder for the web content: mkdir -p /www 13. Updating Ownership and Permissions on the web content folder: chown -R root /www chmod -R 775 /www 14. 
Fix the SELinux security context on the new web folder: semanage fcontext -a -t httpd_sys_content_t \u0026quot;/www(/.*)?\u0026quot; restorecon -F -R -v /www 15. Edit using VI the file /opt/httpd/conf/httpd.conf and change the following strings: From: LogLevel warn To: LogLevel notice\nFrom: `DocumentRoot \u0026quot;/opt/httpd/htdocs\u0026quot;` To: `DocumentRoot \u0026quot;/www\u0026quot;` From: `Listen 80` To: `Listen Server_FQDN:80` Note: Replace Server_FQDN with the actual DNS name. From: `ServerAdmin root@localhost` To: `ServerAdmin webmaster@mycompany.com` Note: Replace mycompany.com with the actual Company DNS name. From: `#ServerName www.example.com:80` To: `ServerName Server_FQDN` Note: Replace Server_FQDN with the actual DNS name. From: `ScriptAlias /cgi-bin/ \u0026quot;/opt/httpd/cgi-bin/\u0026quot;` To: `# ScriptAlias /cgi-bin/ \u0026quot;/opt/httpd/cgi-bin/\u0026quot;` From: `\u0026lt;Directory /\u0026gt; Options FollowSymLinks AllowOverride None \u0026lt;/Directory\u0026gt;` To: `\u0026lt;Directory /\u0026gt; Options None AllowOverride None Require all denied Order deny,allow deny from all \u0026lt;LimitExcept GET POST\u0026gt; deny from all \u0026lt;/limitexcept\u0026gt; \u0026lt;/Directory\u0026gt;` From: `\u0026lt;Directory \u0026quot;/opt/httpd/htdocs\u0026quot;\u0026gt; Options Indexes FollowSymLinks AllowOverride None \u0026lt;/Directory\u0026gt;` To: `\u0026lt;Directory \u0026quot;/www\u0026quot;\u0026gt; Options None AllowOverride None Require all granted Order allow,deny Allow from all \u0026lt;LimitExcept GET POST\u0026gt; deny from all \u0026lt;/limitexcept\u0026gt; \u0026lt;/Directory\u0026gt;` Comment out all lines inside the /opt/httpd/conf/httpd.conf file, beginning with: ScriptAlias IndexOptions AddIconByEncoding AddIconByType AddIcon DefaultIcon ReadmeName HeaderName IndexIgnore LanguagePriority ForceLanguagePriority\nComment out the lines inside the /opt/httpd/conf/httpd.conf file below to disable default modules: LoadModule cgi_module 
modules/mod_cgi.so LoadModule status_module modules/mod_status.so LoadModule info_module modules/mod_info.so LoadModule autoindex_module modules/mod_autoindex.so LoadModule include_module modules/mod_include.so LoadModule userdir_module modules/mod_userdir.so LoadModule env_module modules/mod_env.so LoadModule negotiation_module modules/mod_negotiation.so LoadModule actions_module modules/mod_actions.so\nComment out the entire section \u0026lt;Directory \u0026ldquo;/opt/httpd/cgi-bin\u0026rdquo;\u0026gt; inside the /opt/httpd/conf/httpd.conf\nAdd the following sections to the end of the /opt/httpd/conf/httpd.conf file: # Configure custom error message: ErrorDocument 400 \u0026quot;The requested URL was not found on this server.\u0026quot; ErrorDocument 401 \u0026quot;The requested URL was not found on this server.\u0026quot; ErrorDocument 403 \u0026quot;The requested URL was not found on this server.\u0026quot; ErrorDocument 404 \u0026quot;The requested URL was not found on this server.\u0026quot; ErrorDocument 405 \u0026quot;The requested URL was not found on this server.\u0026quot; ErrorDocument 408 \u0026quot;The requested URL was not found on this server.\u0026quot; ErrorDocument 410 \u0026quot;The requested URL was not found on this server.\u0026quot; ErrorDocument 411 \u0026quot;The requested URL was not found on this server.\u0026quot; ErrorDocument 412 \u0026quot;The requested URL was not found on this server.\u0026quot; ErrorDocument 413 \u0026quot;The requested URL was not found on this server.\u0026quot; ErrorDocument 414 \u0026quot;The requested URL was not found on this server.\u0026quot; ErrorDocument 415 \u0026quot;The requested URL was not found on this server.\u0026quot; ErrorDocument 500 \u0026quot;The requested URL was not found on this server.\u0026quot; # Configure Server Tokens ServerTokens Prod # Disable Server Signature ServerSignature Off # Disable Tracing TraceEnable Off # Maximum size of the request body. 
LimitRequestBody 25000 # Maximum number of request headers in a request. LimitRequestFields 40 # Maximum size of request header lines. LimitRequestFieldSize 4000 # Maximum size of the request line. LimitRequestLine 4000 MaxRequestsPerChild 10000 # Configure clickjacking protection Header always append X-Frame-Options SAMEORIGIN\nEdit using VI the file /opt/httpd/include/ap_release.h and replace the following strings: From: #define AP_SERVER_BASEVENDOR \u0026quot;Apache Software Foundation\u0026quot; To: #define AP_SERVER_BASEVENDOR \u0026quot;Restricted server\u0026quot;\nFrom: #define AP_SERVER_BASEPROJECT \u0026quot;Apache HTTP Server\u0026quot; To: #define AP_SERVER_BASEPROJECT \u0026quot;Secure Web Server\u0026quot;\nFrom: #define AP_SERVER_BASEPRODUCT \u0026quot;Apache\u0026quot; To: #define AP_SERVER_BASEPRODUCT \u0026quot;Secure Web Server\u0026quot;\nDownload the Apache boot script into /tmp from: http://www.linuxfromscratch.org/blfs/downloads/svn/blfs-bootscripts-20131023.tar.bz2\nExtract and install the Apache boot script: cd /tmp/ tar xvjf blfs-bootscripts-20131023.tar.bz2 cd /tmp/blfs-bootscripts-20131023 make install-httpd\nEdit using VI, the file /etc/init.d/httpd, and replace the strings below: From: /usr/sbin/apachectl To: /opt/httpd/bin/apachectl\nFrom: log_info_msg To: echo\nFrom: evaluate_retval To: #evaluate_retval\nConfigure the Apache to start automatically: chkconfig httpd on\nConfigure IPTables: service iptables stop iptables -P INPUT DROP iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\nAllow SSH access from Internal segment (i.e. 10.0.0.0/8) iptables -A INPUT -m state --state NEW -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT Note: Replace 10.0.0.0/8 with the internal segment and subnet mask\nAllow HTTP access from the Internet on the public interface (i.e. 
eth0) iptables -A INPUT -m state --state NEW -p tcp --dport 80 -i eth0 -j ACCEPT Note: Replace eth0 with the public interface name\nSave the IPTables settings: service iptables save\nStart the Apache daemon: service httpd start\nSSL Configuration Phase 1. Login to the server using Root account. 2. Create folder for the SSL certificate files: mkdir -p /opt/httpd/conf/ssl chmod 600 /opt/httpd/conf/ssl 3. Run the command below to generate a key pair: /usr/bin/openssl genrsa -des3 -out /opt/httpd/conf/ssl/server.key 2048 Note: Specify a complex pass phrase for the private key (and document it) 4. Run the command below to generate the CSR: /usr/bin/openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout /opt/httpd/conf/ssl/server.key -out /tmp/apache.csr Note: The command above should be written as one line. 5. Send the file /tmp/apache.csr to a Certificate Authority server. 6. As soon as you receive the signed public key from the CA server via email, copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as /opt/httpd/conf/ssl/server.crt 7. Follow the link on the email from the CA server, to create the Root CA chain, and save it as /opt/httpd/conf/ssl/server-ca.crt (Note: The file must be PEM (base64) encoded). 8. Edit using VI the file /opt/httpd/conf/httpd.conf and change the following strings: From: Listen Server_FQDN:80 To: Listen Server_FQDN:443 Note: Replace Server_FQDN with the actual DNS name.\nFrom: `ServerName Server_FQDN` To: `ServerName Server_FQDN:443` Note: Replace Server_FQDN with the actual DNS name. 
From: `#Include conf/extra/httpd-ssl.conf` To: `Include conf/extra/httpd-ssl.conf` From: `#LoadModule socache_shmcb_module modules/mod_socache_shmcb.so` To: `LoadModule socache_shmcb_module modules/mod_socache_shmcb.so` Edit using VI the file /opt/httpd/conf/extra/httpd-ssl.conf and change the following strings: From: SSLCertificateFile \u0026quot;/opt/httpd/conf/server.crt\u0026quot; To: SSLCertificateFile /opt/httpd/conf/ssl/server.crt\nFrom: SSLCertificateKeyFile \u0026quot;/opt/httpd/conf/server.key\u0026quot; To: SSLCertificateKeyFile /opt/httpd/conf/ssl/server.key\nFrom: #SSLCertificateChainFile \u0026quot;/opt/httpd/conf/server-ca.crt\u0026quot; To: SSLCertificateChainFile /opt/httpd/conf/ssl/server-ca.crt\nFrom: SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5 To: SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS:!aNULL:!EDH:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS\nFrom: #SSLHonorCipherOrder on To: SSLHonorCipherOrder On\nFrom: Listen @@SSLPort@@ To: Listen Server_FQDN:443 Note: Replace Server_FQDN with the actual DNS name.\nFrom: DocumentRoot \u0026quot;/opt/httpd/htdocs\u0026quot; To: DocumentRoot \u0026quot;/www\u0026quot;\nFrom: ServerName www.example.com:@@SSLPort@@ To: #ServerName www.example.com:@@SSLPort@@ From: ServerAdmin you@example.com To: ServerAdmin webmaster@mycompany.com Note: Replace mycompany.com with the actual Company DNS name.\nFrom: \u0026lt;VirtualHost _default_:@@SSLPort@@\u0026gt; To: \u0026lt;VirtualHost _default_:443\u0026gt;\nAdd the following sections to the end of the /opt/httpd/conf/extra/httpd-ssl.conf file: # Disable SSLv2 SSLProtocol ALL -SSLv2 +TLSv1 +TLSv1.1 +TLSv1.2 # Disable SSL Compression SSLCompression Off\nComment out the entire section \u0026lt;Directory 
\u0026ldquo;/opt/httpd/cgi-bin\u0026rdquo;\u0026gt; inside the /opt/httpd/conf/extra/httpd-ssl.conf\nConfigure IPTables - Allow HTTPS access from the Internet on the public interface (i.e. eth0) iptables -A INPUT -m state --state NEW -p tcp --dport 443 -i eth0 -j ACCEPT Note: Replace eth0 with the public interface name\nRemove HTTP access from the Internet on the public interface (i.e. eth0) iptables -D INPUT -m state --state NEW -p tcp --dport 80 -i eth0 -j ACCEPT Note: Replace eth0 with the public interface name\nSave the IPTables settings: service iptables save\nRestart the Apache service: service httpd restart\n","date":"29 October 2013","externalUrl":null,"permalink":"/posts/hardening-guide-for-apache-2-4-6-on-centos-6-4-64bit-edition/","section":"Posts","summary":"","title":"Hardening guide for Apache 2.4.6 on CentOS 6.4 (64bit edition)","type":"posts"},{"content":"","date":"23 August 2013","externalUrl":null,"permalink":"/categories/debian/","section":"Categories","summary":"","title":"Debian","type":"categories"},{"content":"","date":"23 August 2013","externalUrl":null,"permalink":"/categories/dns/","section":"Categories","summary":"","title":"Dns","type":"categories"},{"content":" Make sure the Bind is running with non-root account: ps aux | grep bind | grep -v '^root' Change permissions and ownership on the destinations below: chown -R root:bind /etc/bind chown root:bind /etc/bind/named.conf* chmod 640 /etc/bind/named.conf* Edit using VI, the file /etc/bind/named.conf.options and add the following settings under the \u0026ldquo;Options\u0026rdquo; section: Add the line below to replace DNS version banner: version \u0026quot;Secured DNS server\u0026quot;; Note: In order to test, run the command below: dig +short @localhost version.bind chaos txt Add the line below to restrict recursive queries to trusted clients: allow-recursion { localhost; 192.168.0.0/24; }; Note 1: Replace 192.168.0.0/24 with the trusted internal segments and subnet mask. 
Note 2: In order to test, run the command below: nslookup www.google.com Add the line below to restrict query origins to trusted clients: allow-query { localhost; 192.168.0.0/24; }; Note: Replace 192.168.0.0/24 with the trusted internal segments and subnet mask. Add the line below to disable the Nameserver ID: server-id none; Add the line below to restrict which hosts can perform zone transfers: allow-transfer { 192.168.1.1; }; Note: Replace 192.168.1.1 with the trusted DNS server. Add the line below to restrict the DNS server to listen to specific interfaces: listen-on port 53 { 127.0.0.1; 192.168.1.1; }; Note: Replace 192.168.1.1 with the IP address of the DNS server. Restart the DNS daemon: service bind9 restart ","date":"23 August 2013","externalUrl":null,"permalink":"/posts/hardening-guide-for-bind9-debian-platform/","section":"Posts","summary":"","title":"Hardening guide for BIND9 (Debian platform)","type":"posts"},{"content":" Make sure the Postfix is running with non-root account: ps aux | grep postfix | grep -v '^root' Change permissions and ownership on the destinations below: chmod 755 /etc/postfix chmod 644 /etc/postfix/*.cf chmod 755 /etc/postfix/postfix-script* chmod 755 /var/spool/postfix chown root:root /var/log/mail* chmod 600 /var/log/mail* Edit using VI, the file /etc/postfix/main.cf and make the following changes: Modify the myhostname value to correspond to the external fully qualified domain name (FQDN) of the Postfix server, for example: myhostname = myserver.example.com Configure network interface addresses that the Postfix service should listen on, for example: inet_interfaces = 192.168.1.1 Configure Trusted Networks, for example: mynetworks = 10.0.0.0/16, 192.168.1.0/24, 127.0.0.1 Configure the SMTP server to masquerade outgoing emails as coming from your DNS domain, for example: myorigin = example.com Configure the SMTP domain destination, for example: mydomain = example.com Configure which SMTP domains to relay messages to, for example: 
relay_domains = example.com Configure SMTP Greeting Banner: smtpd_banner = $myhostname Limit Denial of Service Attacks: default_process_limit = 100 smtpd_client_connection_count_limit = 10 smtpd_client_connection_rate_limit = 30 queue_minfree = 20971520 header_size_limit = 51200 message_size_limit = 10485760 smtpd_recipient_limit = 100 Restart the Postfix daemon: service postfix restart ","date":"23 August 2013","externalUrl":null,"permalink":"/posts/hardening-guide-for-postfix-2-x/","section":"Posts","summary":"","title":"Hardening guide for Postfix 2.x","type":"posts"},{"content":"","date":"23 August 2013","externalUrl":null,"permalink":"/categories/postfix/","section":"Categories","summary":"","title":"Postfix","type":"categories"},{"content":"Thought that SSL + TLS are the magic words? Think again! http://www.isg.rhul.ac.uk/tls/\nRoy Coren Security Specialist Roy Coren AT gmail\n","date":"9 February 2013","externalUrl":null,"permalink":"/posts/lucky-thirteen-breaking-the-tls-and-dtls-record-protocols/","section":"Posts","summary":"","title":"Lucky Thirteen: Breaking the TLS and DTLS Record Protocols","type":"posts"},{"content":"Hello again! With that live list you can search various sites for MD5 file names and keep updated regarding what malware is spreading in your network and how. This site is my bible regarding malware searching and fighting.\nhttp://mtc.sri.com/live_data/binaries/\nHAPPY NEW YEAR! Roy Coren Security Specialist Roycoren AT gmail.com\n","date":"12 January 2013","externalUrl":null,"permalink":"/posts/most-aggressively-spreading-malware-binaries/","section":"Posts","summary":"","title":"Most Aggressively Spreading Malware Binaries","type":"posts"},{"content":"Before we start – I just want to declare that the things I publish here are based on my experience only, and by no means should you take them as advice to buy or not to buy specific products. 
After understanding the essentials of a CISO’s work, I’ll expand on how I did the research work from part 1 together with my incident response team from part 2. Regarding the tools I mentioned earlier, those need to give you a FULL view from the bottom up of every request \\ connection to the internet, starting from the user’s endpoint through the firewall\\proxy and DNS requests, and cross-dissect the findings to give you a positive catch. C\u0026amp;C life cycle:\nHostile file downloaded from “some” website or using exposed browser holes to get into a computer. BTW – the hostile file can be an innocent legitimate skype.exe file that has been downloaded NOT from the Skype website…\nIf section 1 succeeded and no AV engine has stopped it, the hostile file tries to “sniff” its way inside your organization, trying to elevate privileges and get as much information as it can before going into phase II.\nAfter getting some idea of how your organization “works” - the hostile file tries to get out and connect to the operator site; this phase is usually known as domain fluxing and is expressed by multiple bursts of random DNS searches for sites like [aabbccdd.your company domain extension] or any other random sequence. At this step – if you have implemented the right products, the hostile activity should be blocked at your gateway via IDS\\IPS \\FW \\proxy\\url filtering\\DLP or any other PREVENTION product. If it isn’t and you need to look at step 4 – chances are you are in deep trouble…\nAlso known as Phase II, in which the hostile file – using its operator – evolves into one unit that is fully aware of your organization’s methods and can exploit almost any aspect of your INTERNAL network. This includes admin users, passwords, emails, internal IPs, DCs, DNS, AD and even firewall changing data. This allows the attacker, or shall we say “your commander”, to do whatever he likes with your data. 1-0 to the bad guys…. 
The first question you might ask is: if my AV vendor is not discovering the bad guys, what can I do? Well – a good one… this brings me back to my friend’s original request once again. And the answer is: no AV vendor is “the one”; it is enough to look at sites like VirusTotal or URL Query to see that even 10 AV engines together can miss… therefore you need special tools for these special jobs. Or worse, if you trust your AV vendor as your sole solution for security – change your job… It has got to be BEST OF BREED solutions that will answer your dynamic organization’s requests and whims. They MUST be able to do the following in order to crossfire any hostile file in your environment.\nAlso make sure your IRT team is using them and their results on a daily basis; in fact – base your security protocols and procedures on their output.\nSecurity Event Management (SIEM): [ Such as ArcSight, Symantec, RSA ] Connect every available and relevant device to your SIEM and write basic rules. Improve those rules as you go and remember, those devices can archive almost everything that happened on your network fairly easily; it is the correlation between those events that makes your life easier. A cross stream line analyzer: [ Such as Damballa FailSafe, FireEye, Websense Full Suite, advanced Proxy\\URL filtering ] This device’s sole purpose is to analyze the data from the endpoint to the DNS server \\ Proxy \\ FW and correlate them to one valid event. As I explained in the C\u0026amp;C life cycle, it is essential to expose the hostile before phase II, meaning if you can catch one machine [or asset] trying to contact a hostile URL or doing domain fluxing – then phase II won’t be an issue for you. Hell, you can even make these connections terminate automatically or have an event based action to your remediate device. 
Investigating tool: [ Such as: Silicium ECAT, HBGary Responder or even GMER or Comodo CCE ] MUST HAVE the “cross platform approach”, meaning running in your whole enterprise as a natural endpoint agent, collecting ALL your computers\\servers files into one place, analyzing them and giving you suspected or convicted files. The methods should be as follows: a) Compare your files through several MD5 signatures databases such as BIT9, NIST, MSDN, or any other Cloud based comparison engine (HITMAN\\CCE). This will bring UP all the files that have no valid or Root CA or no Company embedded in them - so only sealed authentic files can reside on your machines. Any other result such as unknown files or broken CA – can imply that the file has been compromised by another hostile that may take additional steps, such as injecting DLL\u0026rsquo;s into other processes\\Services and loading a rootkit, or connecting to additional C\u0026amp;C sites.\nb) Use several AV engines or upload your suspicious files from section A to sites like VirusTotal and similar. You can even upload the MD5 string to the web, and you can consult other findings on your specific hash.\nc) Analyze floating code and memory hashes in live mode.\nd) Create your OWN white list of files that have been created by your organization’s software developers – and direct them to work as methodically as they can.\ne) Check your current network connections from the process and up. Meaning if you can see EXCEL.exe reaching out to the internet – it is NOT looking to be updated from Microsoft… Even a simple NETSTAT -NAB can give you the desired results.\nf) Use a good URL filtering engine\\Anti Bot - this actually should be the first DOT in the line of crossfire since you will most probably have an alert from your URL filtering device saying a machine tried to reach a hostile website. You can consult many other online URL checking tools. 
A good tool in this section has to be one that updates as quickly as it can – since automated cleaning processes are happening on those websites almost within the hour – so before you block access to it from your domain – make sure the danger hasn’t passed already…\nFrom there you can start your query using all the tools and methods I have mentioned; the more conclusive results you get on an evil residing on a machine – the better.\nThis approach is NOT bulletproof - but it will definitely filter out 95+% of your hostile files… therefore keep up with the technology and bring the human resource to the game.\nGOOD LUCK!\nRoy Coren\nSecurity Specialist\nRoycoren@gmail.com\n","date":"11 December 2012","externalUrl":null,"permalink":"/posts/malware-fighting-toolsguides-part-3-down-and-dirty/","section":"Posts","summary":"","title":"Malware Fighting Tools/Guides – Part 3 :Down and Dirty","type":"posts"},{"content":"If one of my customers would come today and ask me to design a full method to eliminate unwanted or dangerous files in his domain, I would say \u0026ldquo;No such thing\u0026rdquo;.\nOne of the reasons is that you can\u0026rsquo;t keep your sensitive environment clean enough without damaging the users’ freedom and productivity. Especially VP’s.\nMost of the time CISO and IT managers come to me AFTER somebody has made a 207 or 207A on their domain (that’s the police code for Kidnapping) , in that case you have a legal and usually a very big Go! 
From the CTO\\CEO to do everything you can to stop it from happening again.\nThose are good times for software vendors \\integrators who can celebrate a 100% sell rate on those companies.\nBut – as you guessed, those time-pressed CISOs are not always aware of which products to implement and, most important, which technology will give them the best results per dime for the longest time… having said that, without the right consultant who will take Pain and turn it to Gain, they usually invest in the wrong methods.\nGetting back to the original “bug free” request, in those special cases I would recommend a full revision of the company’s approach to data security, starting from the bottom up.\nImplementing a good, solid, management-backed data security policy is not something that happens in a day, but it is worth putting in a lot of effort to start something good and harvest the applause later\nIssues to consider:\n- Have every user sign that the computer\\software he gets from the company is NOT his own.\n- Publish a list of allowed software in your organization - saying that anything besides that list will cause issues with the HR department…\n- Start by classifying and identifying your:\n1) Sensitive data – “Show me your data and I’ll tell you how to protect it”\nIn most cases you will find that they DO NOT know the location and the amount of it… this step alone takes several months to complete\n2) Weakest points in the LAN \\WAN\\DMZ\n3) Everyday use data flow – this is the stream that all problems are starting from.\n4) Gather and estimate your human resources, see if the team needs additional knowledge and if it can handle 911 calls and everyday tasks.\nIn most cases you will find 1 or 2 persons doing 5 persons’ jobs – this is not the kind of situation you would want to be in when implementing a large DLP or SIEM project and realizing your team can’t decrypt the results or lacks the time to do it.\n- Harden security policies on Mobile users – have smartphones and laptops use 
hard rules and policies without losing the dynamic of work productivity.\n- Offer well known, dumb proof, productive solutions for the issues above; you can start by drilling down your AD GPO and dead users, continue with AV kill rate, along with your main firewall rules and block ratio.\n- Keep your software up to date – probably the best tip I can give, no holes, no foxes…\n- Assign virtual “Data owners” – have them take responsibility for their data in terms of backup and unwanted access.\n- Pick as few tools and solutions as possible for all the scenarios you can imagine – if the 911 call arrives, the first thing you need is to act as fast as possible and you would want the best results \\outcomes\\ logs\\ products refined and distilled to your desktop.\nNow you can start thinking about wide projects like DLP, Endpoint security, SIEM, virtual security, IDS\\IPS and most important – a decent monitoring system, or any other solutions that your organization needs – just make sure it fits your gold rules above.\nWith the outcomes of those products, you can assign an incident response team to be the task force for all kinds of alarms and events.\nAnd since you will get tens of millions of events per day, if this team can handle 10 REAL security events per day, you have scored it! Ace!\nSee you on part 3..\nRoy Coren\nSecurity Specialist\nRoycoren@gmail.com\n","date":"8 December 2012","externalUrl":null,"permalink":"/posts/malware-fighting-toolsguides-part-2-how-to-be-an-ace-ciso/","section":"Posts","summary":"","title":"Malware Fighting Tools/Guides - Part 2 , How to be an Ace CISO","type":"posts"},{"content":"I have done some massive research and long term deep investigations - and this Checkpoint AntiBot module has got a very high percentage of accuracy on live Malware and C\u0026amp;C communications residing on machines. Those tools helped me along the way to deal with and remove those evils in a haystack (besides the obvious Format c: /q ). 
It also has a knowledge base containing everything you need to know about those evils and their families. For more information on the methodology of my research and the tools I used - you can write to my email https://www.checkpoint.com/solutions/malware-portal/fighting-tools-guides.html\nN-Joy Roy Coren, Security Specialist roycoren@gmail.com\n","date":"4 December 2012","externalUrl":null,"permalink":"/posts/malware-fighting-toolsguides/","section":"Posts","summary":"","title":"Malware Fighting Tools/Guides","type":"posts"},{"content":"One of the most common definitions for the term DLP (Data Loss Prevention or Data Leakage Prevention) is “systems that identify, monitor, and protect data through deep content inspection, contextual security analysis of transaction (attributes of originator, data object, medium, timing and recipient/destination and so on) and with a centralized management framework.”\nPurpose of this article Organizations are interested in protecting their sensitive data, and DLP provides them with the framework to do that. So far no news… However, the DLP world is a bit more complicated than that and the purpose of this article is to highlight a few basic domains and areas that are worth thinking about when considering DLP solutions.\nCommon Data Locations and States\nData in motion – Any data that is moving through the network to destinations outside the local / corporate LAN via the Internet Data at rest – Data that resides in files systems, databases and other storage methods Data at the endpoint – Data at the endpoints of the network (e.g. data on USB devices, external drives, MP3 players, laptops, and other highly-mobile devices) Examples of sensitive data:\nConfidential and/or proprietary data, for example: processes, methodologies, development code, etc. 
Customer and employee data Financial data Data that is regulated by regional and national laws such as HIPAA, SOX and GLBA Common Data Leakage Channels: Technical side:\nEmail Traffic - SMTP from mail servers Web mail (Gmail, Yahoo, etc) Uploading files to internet destinations (HTTP, HTTPS, FTP) Posting on internet sites (blogs, social media, forums) Instant messaging (gTalk, MSN, Yahoo, Skype) P2P networks Wi-Fi networks Key loggers, Trojan horses Multiple platforms (Windows, Linux, MAC, etc) Application permissions (ERP, database, SaaS platforms, SharePoint) Physical:\nMobile devices Non-encrypted hard drives USB drives (Disk on key, external hard drives) Portable media (CD/DVD, floppy drive, backup tapes) Physical security (hard copy of documents) Human factor:\nLack of employee awareness of security risks Partners, suppliers, temporary employees and visitors Working from home, remote locations, internet cafe Companies need to protect themselves from scenarios such as those mentioned below:\nInadvertent forwarding of email containing product development or business plans to another email recipient An employee extracts data from a secure system and conducts the analysis on a less secure system Sending unreleased pricing information to the wrong email address Customer or competitive information sent by an employee to a third-party for financial gain A disgruntled employee with privileged access to sensitive information acts maliciously and steals information Proprietary information sent to a distributor, who might then forward it on to competitors Backup tapes are stored in a non-secure environment and a curious intruder removes the tape to examine the content Incorrect settings of permissions of file and directory structure could allow anyone to access the information DLP solutions prevent confidential data loss by:\nMonitoring communications going outside of the organization Encrypting email containing confidential content Enabling compliance with global privacy and data 
security mandates Securing outsourcing and partner communications Protecting intellectual property Preventing malware-related data harvesting Enforcing acceptable use policies Providing a deterrent for malicious users (by creating the possibility of being caught) How to implement a DLP solution:\nPerform risk assessment to find out: What type of data exists in the organization? Where is the data located/saved? How valuable is the data to the organization? What type of loss is the organization willing to accept? What are the regulatory and privacy gaps for the organization? Classify the organization data: Top secret Secret Confidential Restricted Unclassified Decide what information the organization would like to search for and protect: Pattern, keyword matching and dictionaries Document fingerprinting Database fingerprinting Prepare data loss prevention plan: How to limit the damage to the organization How to avoid similar incidents from happening in the future How to report to the management, stockholders and media on the current data loss incident Prepare policies, standards and procedures for handling data loss incidents: Scan HTTPS traffic on the gateway Block data from leaving the organization Encrypt sensitive information inside database Full disk encryption Encrypt data before sending to partners/suppliers Prevent use of portable media Employee awareness training Deploy the DLP solution: Install a product on the gateway Configure SSL termination – recommended Configure encryption gateway for SMTP traffic – recommended Deploy agents on the end-points – highly recommended Ongoing monitoring: Review incidents on a regular basis (daily/weekly) Fine-tune the product to raise alerts on important incidents and collect all other incidents. Create reports on a regular basis to locate top senders/targets Perform data discovery on a regular basis (daily/weekly/month) on network shares, servers, end-points, etc. 
","date":"14 January 2012","externalUrl":null,"permalink":"/posts/dlp/","section":"Posts","summary":"","title":"DLP","type":"posts"},{"content":"OS installation phase\nBoot the server using Windows 2008 R2 bootable DVD. Specify the product ID -\u0026gt; click Next. From the installation option, choose \u0026ldquo;Windows Server 2008 R2 (Server Core Installation)\u0026rdquo; -\u0026gt; click Next. Accept the license agreement -\u0026gt; click Next. Choose \u0026ldquo;Custom (Advanced)\u0026rdquo; installation type -\u0026gt; specify the hard drive to install the operating system -\u0026gt; click Next. Allow the installation phase to continue and restart the server automatically. To login to the server for the first time, press CTRL+ALT+DELETE Choose \u0026ldquo;Administrator\u0026rdquo; account -\u0026gt; click OK to replace the account password -\u0026gt; specify complex password and confirm it -\u0026gt; press Enter -\u0026gt; Press OK. From the command prompt window, run the command bellow: sconfig.cmd Press \u0026ldquo;2\u0026rdquo; to replace the computer name -\u0026gt; specify new computer name -\u0026gt; click \u0026ldquo;Yes\u0026rdquo; to restart the server. To login to the server, press CTRL+ALT+DELETE -\u0026gt; specify the \u0026ldquo;Administrator\u0026rdquo; account credentials. From the command prompt window, run the command bellow: sconfig.cmd Press “1” to join the server to the domain -\u0026gt; press “D” to join to domain -\u0026gt; specify the domain name -\u0026gt; click “Yes” to restart the server. To login to the server, press CTRL+ALT+DELETE -\u0026gt; supply credentials of Domain admin account. From the command prompt window, run the command bellow: sconfig.cmd Press \u0026ldquo;5\u0026rdquo; to configure \u0026ldquo;Windows Update Settings\u0026rdquo; -\u0026gt; select \u0026ldquo;A\u0026rdquo; for automatic -\u0026gt; click OK. 
Press \u0026ldquo;6\u0026rdquo; to download and install Windows Updates -\u0026gt; choose \u0026ldquo;A\u0026rdquo; to search for all updates -\u0026gt; Choose \u0026ldquo;A\u0026rdquo; to download and install all updates -\u0026gt; click \u0026ldquo;Yes\u0026rdquo; to restart the server. To log in to the server, press CTRL+ALT+DELETE -\u0026gt; supply credentials of Domain admin account. From the command prompt window, run the command below: sconfig.cmd In case you need to use RDP to access and manage the server, press \u0026ldquo;7\u0026rdquo; to enable \u0026ldquo;Remote Desktop\u0026rdquo; -\u0026gt; choose \u0026ldquo;E\u0026rdquo; to enable -\u0026gt; choose either \u0026ldquo;1\u0026rdquo; or \u0026ldquo;2\u0026rdquo; according to your client settings -\u0026gt; Press OK. Press \u0026ldquo;8\u0026rdquo; to configure \u0026ldquo;Network settings\u0026rdquo; -\u0026gt; select the network adapter by its Index number -\u0026gt; press \u0026ldquo;1\u0026rdquo; to configure the IP settings -\u0026gt; choose \u0026ldquo;S\u0026rdquo; for static IP address -\u0026gt; specify the IP address, subnet mask and default gateway -\u0026gt; press \u0026ldquo;2\u0026rdquo; to configure the DNS servers -\u0026gt; click OK -\u0026gt; press \u0026ldquo;4\u0026rdquo; to return to the main menu. Press \u0026ldquo;9\u0026rdquo; to configure \u0026ldquo;Date and Time\u0026rdquo; -\u0026gt; choose the correct \u0026ldquo;date/time\u0026rdquo; and \u0026ldquo;time zone\u0026rdquo; -\u0026gt; click OK. Press \u0026ldquo;11\u0026rdquo; to restart the server to make sure all settings take effect -\u0026gt; click \u0026ldquo;Yes\u0026rdquo; to restart the server. To log in to the server, press CTRL+ALT+DELETE -\u0026gt; supply credentials of Domain admin account. To install the Hyper-V role, run the command below: start /w ocsetup Microsoft-Hyper-V Click “Yes” to allow the server to restart. 
To log in to the server, press CTRL+ALT+DELETE -\u0026gt; supply credentials of Domain admin account. To check that the installation completed, run the command: oclist | find /i \u0026quot;Microsoft-Hyper-V\u0026quot; Run the commands below to enable remote management of the Hyper-V: netsh advfirewall firewall set rule group=\u0026quot;Remote Service Management\u0026quot; new enable=yes netsh advfirewall firewall set rule group=\u0026quot;Windows Management Instrumentation (WMI)\u0026quot; new enable=yes In case you install antivirus for Server Core, add the following to the antivirus exclusions: Virtual machine configuration files directory. By default, it is C:\\ProgramData\\Microsoft\\Windows\\Hyper-V. Virtual machine virtual hard disk files directory. By default, it is C:\\Users\\Public\\Documents\\Hyper-V\\Virtual Hard Disks. Snapshot files directory. By default, it is %systemdrive%\\ProgramData\\Microsoft\\Windows\\Hyper-V\\Snapshots. Vmms.exe Vmwp.exe Manage Hyper-V VMs from Windows 7\nLog in to a Windows 7 client using an administrative account. Download and install the Remote Server Administration Tools (RSAT) for Windows 7 from: http://www.microsoft.com/downloads/details.aspx?FamilyID=7D2F6AD7-656B-4313-A005-4E344E43997D\u0026amp;displaylang=en Open Control Panel and click Programs. Click Turn Windows features on or off. Under Remote Server Administration Tools Role -\u0026gt; Administration Tools check Hyper-V Tools. Launch the tools by either typing Hyper-V Manager at the Start menu or going to Start -\u0026gt; Administrative Tools -\u0026gt; Hyper-V Manager. Virtual Machine Servicing Tool 3.0\nVirtual Machine Servicing Tool 3.0 helps to update offline virtual machines, templates, and virtual hard disks with the latest operating system and application patches. 
Download link: http://www.microsoft.com/download/en/details.aspx?displaylang=en\u0026amp;id=23300\nUsing Authorization Manager for Hyper-V Security\nAuthorization Manager provides a flexible framework for integrating role-based access control into applications. It enables administrators who use those applications to provide access through assigned user roles that relate to job functions. Link for more information: http://technet.microsoft.com/en-us/library/cc726036.aspx\n","date":"29 October 2011","externalUrl":null,"permalink":"/posts/hardening-guide-for-hyper-v-on-windows-2008-r2-server-core-platform/","section":"Posts","summary":"","title":"Hardening guide for Hyper-V on Windows 2008 R2 server core platform","type":"posts"},{"content":"","date":"29 October 2011","externalUrl":null,"permalink":"/categories/hyper-v/","section":"Categories","summary":"","title":"Hyper-V","type":"categories"},{"content":"","date":"29 October 2011","externalUrl":null,"permalink":"/categories/windows-2008/","section":"Categories","summary":"","title":"Windows-2008","type":"categories"},{"content":"","date":"3 September 2011","externalUrl":null,"permalink":"/categories/drupal/","section":"Categories","summary":"","title":"Drupal","type":"categories"},{"content":"Pre-installation notes The guide bellow is based on CentOS 5.5 (i386), Apache 2.2.19, MySQL 5.5.15\nThe guide bellow is based on the previous guides:\nHardening guide for Apache 2.2.15 on RedHat 5.4 (64bit edition) Hardening guide for MySQL 5.1.47 on RedHat 5.4 (64bit edition) Hardening guide for PHP 5.3.2 on Apache 2.2.15 / MySQL 5.1.47 (RHEL 5.4) PHP installation phase\nLogin to the server using Root account.\nBefore compiling the PHP environment, install the following RPM from the CentOS 5.5 DVD source folder: rpm -ivh kernel-headers-2.6.18-194.el5.i386.rpm rpm -ivh glibc-headers-2.5-49.i386.rpm rpm -ivh glibc-devel-2.5-49.i386.rpm rpm -ivh gmp-4.1.4-10.el5.i386.rpm rpm -ivh libgomp-4.4.0-6.el5.i386.rpm rpm -ivh 
gcc-4.1.2-48.el5.i386.rpm rpm -ivh libxml2-2.6.26-2.1.2.8.i386.rpm rpm -ivh zlib-devel-1.2.3-3.i386.rpm rpm -ivh libxml2-devel-2.6.26-2.1.2.8.i386.rpm rpm -ivh pkgconfig-0.21-2.el5.i386.rpm rpm -ivh libpng-devel-1.2.10-7.1.el5_3.2.i386.rpm rpm -ivh libjpeg-devel-6b-37.i386.rpm\nDownload MySQL development RPM from: http://download.softagency.net/MySQL/Downloads/MySQL-5.5/\nDownload PHP 5.3.8 source files from: http://php.net/downloads.php\nDownload the latest libxml2 for PHP from: http://xmlsoft.org/sources/\nCopy the MySQL development RPM using PSCP (or SCP) into /tmp\nCopy the PHP 5.3.8 source files using PSCP (or SCP) into /tmp\nMove to /tmp cd /tmp\nInstall the MySQL development RPM: rpm -ivh MySQL-devel-5.5.15-1.rhel5.i386.rpm\nRemove MySQL development RPM: rm -f MySQL-devel-5.5.15-1.rhel5.i386.rpm\nExtract the php-5.3.8.tar.gz file: tar -zxvf php-5.3.8.tar.gz\nExtract the libxml2 source file: tar -zxvf libxml2-2.7.7.tar.gz\nMove to the libxml2-2.7.7 folder: cd /tmp/libxml2-2.7.7\nRun the commands below to compile the libxml2: ./configure make make install\nMove to the PHP source folder: cd /tmp/php-5.3.8\nRun the commands below to compile the PHP environment: ./configure --with-mysql=mysqlnd --with-libdir=lib --prefix=/usr/local/apache2 --with-apxs2=/usr/local/apache2/bin/apxs --with-openssl --with-zlib --with-gd --with-jpeg-dir=/usr/lib --with-png-dir=/usr/lib --enable-pdo --with-pdo-mysql=mysqlnd --enable-ftp make make install\nEdit using VI, the file /usr/local/apache2/conf/httpd.conf Add the following string, to the end of the AddType section: AddType application/x-httpd-php .php Replace the line from: DirectoryIndex index.html To: DirectoryIndex index.php index.html index.htm Replace the value of the string, from: LimitRequestBody 10000 To: LimitRequestBody 600000\nCopy the PHP.ini file cp /tmp/php-5.3.8/php.ini-development /etc/php.ini\nChange the permissions on the php.ini file: chmod 640 /etc/php.ini\nEdit using VI, the file /etc/php.ini Replace the value 
of the string, from: mysql.default_host = To: mysql.default_host = 127.0.0.1:3306 Replace the value of the string, from: pdo_mysql.default_socket= To: pdo_mysql.default_socket=127.0.0.1 Replace the value of the string, from: allow_url_fopen = On To: allow_url_fopen = Off Replace the value of the string, from: expose_php = On To: expose_php = Off Replace the value of the string, from: memory_limit = 128M To: memory_limit = 64M Replace the value of the string, from: ;open_basedir = To: open_basedir = \u0026quot;/www\u0026quot; Replace the value of the string, from: post_max_size = 8M To: post_max_size = 2M Replace the value of the string, from: disable_functions = To: disable_functions = fpassthru,crack_check,crack_closedict,crack_getlastmessage,crack_opendict, psockopen,php_ini_scanned_files,shell_exec,chown,hell-exec,dl,ctrl_dir,phpini,tmp,safe_mode,systemroot,server_software, get_current_user,HTTP_HOST,ini_restore,popen,pclose,exec,suExec,passthru,proc_open,proc_nice,proc_terminate, proc_get_status,proc_close,pfsockopen,leak,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid, posix_setsid,posix_setuid,escapeshellcmd,escapeshellarg,posix_ctermid,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid, posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid, posix_getppid,posix_getpwnam,posix_getpwuid,posix_getrlimit,system,posix_getsid,posix_getuid,posix_isatty, posix_setegid,posix_seteuid,posix_setgid,posix_times,posix_ttyname,posix_uname,posix_access,posix_get_last_error,posix_mknod, posix_strerror,posix_initgroups,posix_setsid,posix_setuid Replace the value of the string, from: ;include_path = \u0026quot;.:/php/includes\u0026quot; To: include_path = \u0026quot;/usr/local/lib/php;/usr/local/apache2/include/php\u0026quot; Replace the value of the string, from: display_errors = On To: display_errors = Off Replace the value of the string, from: display_startup_errors = On To: display_startup_errors = Off\nReplace the value of the 
string, from: ;gd.jpeg_ignore_warning = 0 To: gd.jpeg_ignore_warning = 1\nRun the commands below to restart the Apache service: /usr/local/apache2/bin/apachectl stop /usr/local/apache2/bin/apachectl start\nRemove the PHP source and test files: rm -f /tmp/php-5.3.8.tar.gz rm -f /tmp/libxml2-2.7.7.tar.gz rm -rf /tmp/php-5.3.8 rm -rf /tmp/libxml2-2.7.7 rm -rf /tmp/pear rm -rf /usr/local/apache2/lib/php/test rm -rf /usr/local/lib/php/test\nDrupal installation phase\nLogin to the server using Root account.\nRun the command below to log in to MySQL: /usr/bin/mysql -uroot -pnew-password Note: Replace the string “new-password” with the actual password for the root account.\nRun the following commands from the MySQL prompt: CREATE USER 'blgusr'@'localhost' IDENTIFIED BY 'password2'; SET PASSWORD FOR 'blgusr'@'localhost' = OLD_PASSWORD('password2'); CREATE DATABASE Z5J6Dw1; GRANT ALL PRIVILEGES ON Z5J6Dw1.* TO \u0026quot;blgusr\u0026quot;@\u0026quot;localhost\u0026quot; IDENTIFIED BY \u0026quot;password2\u0026quot;; FLUSH PRIVILEGES; quit Note 1: Replace “blgusr” with your own MySQL account to access the database. Note 2: Replace “password2” with a complex password (at least 14 characters). 
Note 3: Replace “Z5J6Dw1” with your own Drupal database name.\nDownload Drupal 7.7 from: http://drupal.org/project/drupal\nCopy the Drupal 7.7 source files using PSCP (or SCP) into /www\nMove to /www cd /www\nExtract the file below: tar -zxvf drupal-7.7.tar.gz\nRemove Drupal source file: rm -f /www/drupal-7.7.tar.gz\nRename the Drupal folder: mv /www/drupal-7.7 /www/drupal\nRemove default content: rm -f /www/drupal/CHANGELOG.txt rm -f /www/drupal/COPYRIGHT.txt rm -f /www/drupal/INSTALL.pgsql.txt rm -f /www/drupal/LICENSE.txt rm -f /www/drupal/UPGRADE.txt rm -f /www/drupal/INSTALL.mysql.txt rm -f /www/drupal/INSTALL.sqlite.txt rm -f /www/drupal/INSTALL.txt rm -f /www/drupal/MAINTAINERS.txt rm -f /www/drupal/sites/example.sites.php\nEdit using VI, the file /usr/local/apache2/conf/httpd.conf Replace the line from: DocumentRoot \u0026quot;/www\u0026quot; To: DocumentRoot \u0026quot;/www/drupal\u0026quot;\nRun the commands below to restart the Apache service: /usr/local/apache2/bin/apachectl stop /usr/local/apache2/bin/apachectl start\nCreate the following folders: mkdir /www/drupal/sites/default/files mkdir /www/private\nCopy the settings.php file: cp /www/drupal/sites/default/default.settings.php /www/drupal/sites/default/settings.php\nChange permissions on the settings.php file: chmod a+w /www/drupal/sites/default/settings.php chmod -R 777 /www/drupal/sites/default/files chmod -R 777 /www/private\nOpen a web browser from a client machine, and enter the URL below: http://Server_FQDN/install.php\nSelect “Standard” installation and click “Save and continue”.\nChoose the default “English” and click “Save and continue”.\nSpecify the following details:\nDatabase type: MySQL Database name: Z5J6Dw1 Database username: blgusr Database password: password2 Click on Advanced Options Database host: 127.0.0.1 Table prefix: Z5J6Dw1_ Note 1: Replace “Z5J6Dw1” with your own Drupal database name. Note 2: Replace “blgusr” with your own MySQL account to access the database. 
Note 3: Replace “password2” with complex password (at least 14 characters).\nClick \u0026ldquo;Save and Continue\u0026rdquo;.\nSpecify the following information:\nSite name Site e-mail address (for automated e-mails, such as registration information) Username (for the default administrator account) E-mail address Password Select \u0026ldquo;Default country\u0026rdquo; and \u0026ldquo;Default time zone\u0026rdquo;.\nUnselect the \u0026ldquo;Update Notifications\u0026rdquo; checkboxes.\nClick \u0026ldquo;Save and Continue\u0026rdquo;.\nClose the web browser.\nCreate using VI the file /www/config.php with the following content: \u0026lt;?php $databases = array ( 'default' =\u0026gt; array ( 'default' =\u0026gt; array ( 'driver' =\u0026gt; 'mysql', 'database' =\u0026gt; 'Z5J6Dw1', 'username' =\u0026gt; 'blgusr', 'password' =\u0026gt; 'password2', 'host' =\u0026gt; '127.0.0.1', 'port' =\u0026gt; '', 'prefix' =\u0026gt; 'Z5J6Dw1_', ), ), ); ?\u0026gt;Note 1: Make sure there are no spaces, newlines, or other strings before an opening \u0026lsquo;\u0026lt; ?php\u0026rsquo; tag or after a closing \u0026lsquo;?\u0026gt;\u0026rsquo; tag. Note 2: Replace “blgusr” with your own MySQL account to access the database. Note 3: Replace “password2” with complex password (at least 14 characters). 
Note 4: Replace “Z5J6Dw1” with your own Drupal database name.\nEdit using VI, the file /www/drupal/sites/default/settings.php Add the following line: include('/www/config.php'); Remove the following section: $databases = array ( 'default' =\u0026gt; array ( 'default' =\u0026gt; array ( 'driver' =\u0026gt; 'mysql', 'database' =\u0026gt; 'Z5J6Dw1', 'username' =\u0026gt; 'blgusr', 'password' =\u0026gt; 'password2', 'host' =\u0026gt; '127.0.0.1', 'port' =\u0026gt; '', 'prefix' =\u0026gt; 'Z5J6Dw1_', ), ), ); Replace the string from: ini_set('session.cookie_lifetime', 2000000); To: ini_set('session.cookie_lifetime', 0);\nChange permissions on the settings.php file: chmod a-w /www/drupal/sites/default/settings.php\nAdd the following lines to the /www/drupal/.htaccess file: # Block any file that starts with \u0026quot;.\u0026quot; \u0026lt;FilesMatch \u0026quot;^\\..*$\u0026quot;\u0026gt; Order allow,deny \u0026lt;/FilesMatch\u0026gt; \u0026lt;FilesMatch \u0026quot;^.*\\..*$\u0026quot;\u0026gt; Order allow,deny \u0026lt;/FilesMatch\u0026gt; # Allow \u0026quot;.\u0026quot; files with safe content types \u0026lt;FilesMatch \u0026quot;^.*\\.(css|html?|txt|js|xml|xsl|gif|ico|jpe?g|png)$\u0026quot;\u0026gt; Order deny,allow \u0026lt;/FilesMatch\u0026gt;\nRun the command below to change permissions on the /www/drupal/.htaccess file: chmod 444 /www/drupal/.htaccess\nDownload into /www/drupal/sites/all/modules the latest build of the modules below:\nDrupal Firewall - http://drupal.org/project/dfw SpamSpan filter - http://drupal.org/project/spamspan Content Security Policy - http://drupal.org/project/content_security_policy GoAway - http://drupal.org/project/goaway IP anonymize - http://drupal.org/project/ip_anon Flood control - http://drupal.org/project/flood_control Password policy - http://drupal.org/project/password_policy Persistent Login - http://drupal.org/project/persistent_login Secure Permissions - http://drupal.org/project/secure_permissions Security Review - 
http://drupal.org/project/security_review System Permissions - http://drupal.org/project/system_perm Block anonymous links - http://drupal.org/project/blockanonymouslinks From SSH session, move to the folder /www/drupal/sites/all/modules.\nExtract the modules downloaded above: tar zxvf dfw-7.x-1.1.tar.gz tar zxvf spamspan-7.x-1.1-beta1.tar.gz tar zxvf content_security_policy-7.x-1.x-dev.tar.gz tar zxvf goaway-7.x-1.2.tar.gz tar zxvf ip_anon-7.x-1.0.tar.gz tar zxvf flood_control-7.x-1.0.tar.gz tar zxvf password_policy-7.x-1.0-beta1.tar.gz tar zxvf persistent_login-7.x-1.x-dev.tar.gz tar zxvf secure_permissions-7.x-1.5.tar.gz tar zxvf security_review-7.x-1.x-dev.tar.gz tar zxvf system_perm-7.x-1.x-dev.tar.gz tar zxvf blockanonymouslinks-7.x-1.1.tar.gz\nRemove the modules source files: rm -f /www/drupal/sites/all/modules/dfw-7.x-1.1.tar.gz rm -f /www/drupal/sites/all/modules/spamspan-7.x-1.1-beta1.tar.gz rm -f /www/drupal/sites/all/modules/content_security_policy-7.x-1.x-dev.tar.gz rm -f /www/drupal/sites/all/modules/goaway-7.x-1.2.tar.gz rm -f /www/drupal/sites/all/modules/ip_anon-7.x-1.0.tar.gz rm -f /www/drupal/sites/all/modules/flood_control-7.x-1.0.tar.gz rm -f /www/drupal/sites/all/modules/password_policy-7.x-1.0-beta1.tar.gz rm -f /www/drupal/sites/all/modules/persistent_login-7.x-1.x-dev.tar.gz rm -f /www/drupal/sites/all/modules/secure_permissions-7.x-1.5.tar.gz rm -f /www/drupal/sites/all/modules/security_review-7.x-1.x-dev.tar.gz rm -f /www/drupal/sites/all/modules/system_perm-7.x-1.x-dev.tar.gz rm -f /www/drupal/sites/all/modules/blockanonymouslinks-7.x-1.1.tar.gz\nOpen a web browser from a client machine, and enter the URL below: http://Server_FQDN/?q=user/login\nFrom the upper menu, click on Configuration -\u0026gt; People -\u0026gt; Account Settings -\u0026gt; \u0026ldquo;Who can register accounts\u0026rdquo;: select Administrators only -\u0026gt; click on \u0026ldquo;Save configuration\u0026rdquo;.\nFrom the upper menu, click on 
Configuration -\u0026gt; Media -\u0026gt; File system -\u0026gt; \u0026ldquo;Private file system path\u0026rdquo;: specify /www/private -\u0026gt; click on \u0026ldquo;Save configuration\u0026rdquo;.\nFrom the upper menu, click on Configuration -\u0026gt; Development -\u0026gt; Logging and errors -\u0026gt; \u0026ldquo;Error messages to display\u0026rdquo;: select None -\u0026gt; click on \u0026ldquo;Save configuration\u0026rdquo;.\nFrom the upper menu, click on Modules -\u0026gt; from the list of modules, select “Update manager” -\u0026gt; click on “Save configuration”.\nFrom the upper menu, click on Modules -\u0026gt; from the main page, select the following modules:\nDrupal firewall SpamSpan Content Security Policy Content Security Policy Reporting GoAway IP anonymize Flood control Password change tab Password policy Persistent Login Secure Permissions Security Review System Perms BlockAnonymousLinks Click on Save configuration.\nDrupal SSL configuration phase\nAdd the following line to the /www/drupal/sites/default/settings.php file: $conf['https'] = TRUE; Download into /www/drupal/sites/all/modules the latest build of the modules below: Secure Pages - http://drupal.org/project/securepages Secure Login - http://drupal.org/project/securelogin From SSH session, move to the folder /www/drupal/sites/all/modules. Extract the modules downloaded above: tar zxvf securepages-7.x-1.x-dev.tar.gz tar zxvf securelogin-7.x-1.2.tar.gz Remove the modules source files: rm -f /www/drupal/sites/all/modules/securepages-7.x-1.x-dev.tar.gz rm -f /www/drupal/sites/all/modules/securelogin-7.x-1.2.tar.gz Open a web browser from a client machine, and enter the URL below: https://Server_FQDN/?q=user/login From the upper menu, click on Modules -\u0026gt; from the main page, select the following modules: Secure Login Secure Pages Click on Save configuration. 
From the upper menu, click on Configuration -\u0026gt; from the main page, click on the link Secure Pages -\u0026gt; under Enable Secure Pages -\u0026gt; choose Enabled -\u0026gt; click on Save configuration. ","date":"3 September 2011","externalUrl":null,"permalink":"/posts/hardening-guide-for-drupal-7-7/","section":"Posts","summary":"","title":"Hardening guide for Drupal 7.7","type":"posts"},{"content":"","date":"29 October 2010","externalUrl":null,"permalink":"/categories/kickstart/","section":"Categories","summary":"","title":"Kickstart","type":"categories"},{"content":"This guide explain how to install and configure kickstart server for network based deployments of CentOS, from an NFS share. The instructions should work the same on RedHat and Fedora.\nPre-requirement\nCentOS 5.5 DVD Static IP address for the Kickstart/DHCP server /data partition In case using CISCO switches, \u0026ldquo;Spanning tree port fast\u0026rdquo; must be enabled. Installation phase\nLogin to the CentOS server using Root account. 
Mount the CentOS DVD: mount /dev/cdrom /media Move to the CentOS RPM folder inside the DVD: cd /media/CentOS Run the command below to install the TFTP-Server: rpm -ivh xinetd-2.3.14-10.el5.i386.rpm rpm -ivh tftp-server-0.49-2.el5.centos.i386.rpm Run the command below to install the DHCP server: rpm -ivh dhcp-3.0.5-23.el5.i386.rpm Create new folder for the Kickstart server: mkdir -p /data/kickstart Edit using VI, the file /etc/xinetd.d/tftp and change the following settings: From: disable = yes To: disable = no From: server_args = -s /tftpboot To: server_args = -s /data/kickstart Run the command below to start the TFTP server: /sbin/service xinetd start Run the command below to have the TFTP server run at startup: chkconfig xinetd on Edit using VI, the file /etc/dhcpd.conf and add the following lines: ddns-update-style none; allow bootp; allow booting; subnet 10.1.1.0 netmask 255.255.255.0 { option routers 10.1.1.254; option domain-name-servers 10.1.1.2; next-server 10.1.1.1; filename \u0026quot;pxelinux.0\u0026quot;; range dynamic-bootp 10.1.1.200 10.1.1.210; } Note 1: Replace 10.1.1.0 with the correct network ID. Note 2: Replace 255.255.255.0 with the correct subnet mask. Note 3: Replace 10.1.1.254 with the correct default gateway. Note 4: Replace 10.1.1.1 with the Kickstart server IP address. Note 5: Replace 10.1.1.200 with the first IP of the DHCP pool. Note 6: Replace 10.1.1.210 with the last IP of the DHCP pool. Note 7: Replace 10.1.1.2 with the correct DNS server. 
Start the DHCP server: service dhcpd start Run the command below to have the DHCP server run at startup: chkconfig dhcpd on Copy the boot files: cp /usr/lib/syslinux/{pxelinux.0,menu.c32,memdisk,mboot.c32,chain.c32} /data/kickstart Create a folder for the PXE menu files: mkdir -p /data/kickstart/pxelinux.cfg Move to the CentOS DVD root folder: cd /media Copy vmlinuz and initrd.img from the DVD to the images directory: cp /media/images/pxeboot/{vmlinuz,initrd.img} /data/kickstart/images Create the CentOS DVD structure: cp -r CentOS /data/kickstart/ cp -r isolinux /data/kickstart/ cp -r repodata /data/kickstart/ cp -r images /data/kickstart/ Create using VI, the file /data/kickstart/pxelinux.cfg/default with the following content: default menu.c32 prompt 0 MENU TITLE PXE Menu LABEL CentOS MENU LABEL CentOS KERNEL images/vmlinuz append initrd=images/initrd.img vga=normal network ks=nfs:10.1.1.1:/data/kickstart/ks.cfg text Note: Replace 10.1.1.1 with the Kickstart server IP address. Create an unattended installation script /data/kickstart/ks.cfg Note: Make sure the file starts with the following lines: install nfs --server=10.1.1.1 --dir=/data/kickstart Note 1: Replace 10.1.1.1 with the Kickstart server IP address. Note 2: Make sure the lines beginning with \u0026ldquo;cdrom\u0026rdquo; and \u0026ldquo;url\u0026rdquo; do not exist in the file. Note 3: To review ks.cfg file options, see the link: http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.4/html/Installation_Guide/s1-kickstart2-options.html Edit using VI, the file /etc/exports and add the following line: /data/kickstart *(ro,no_root_squash) Start the NFS service: service portmap start service nfs start chkconfig nfs on ","date":"29 October 2010","externalUrl":null,"permalink":"/posts/kickstart-installation-guide-for-centos-5-5/","section":"Posts","summary":"","title":"Kickstart installation guide for CentOS 5.5","type":"posts"},{"content":" Login to the server using Root account. 
Create a new account: groupadd squid useradd -g squid -d /var/spool/squid -s /sbin/nologin squid Install the following RPM files from the CentOS DVD: rpm -ivh kernel-headers-2.6.18-194.el5.i386.rpm rpm -ivh glibc-headers-2.5-49.i386.rpm rpm -ivh glibc-devel-2.5-49.i386.rpm rpm -ivh gmp-4.1.4-10.el5.i386.rpm rpm -ivh libgomp-4.4.0-6.el5.i386.rpm rpm -ivh cpp-4.1.2-48.el5.i386.rpm rpm -ivh gcc-4.1.2-48.el5.i386.rpm rpm -ivh libstdc++-devel-4.1.2-48.el5.i386.rpm rpm -ivh gcc-c++-4.1.2-48.el5.i386.rpm Download the latest Squid source files from: http://www.squid-cache.org/Versions/ Copy using SCP (or PSCP), Squid source files into /tmp Move to /tmp cd /tmp Extract Squid source file: tar zxvf squid-3.1.8.tar.gz Move to the Squid source folder: cd /tmp/squid-3.1.8 Run the commands bellow to compile Squid from source files: ./configure --bindir=/usr/sbin --sbindir=/usr/sbin --libexecdir=/usr/lib/squid --with-logdir=/var/log/squid --with-pidfile=/var/run/squid.pid --with-default-user=squid --sysconfdir=/etc/squid --datarootdir=/usr/share/squid --enable-http-violations make all make install Move one folder up and remove Squid source files and default content: cd .. 
rm -rf /tmp/squid-3.1.8 rm -f /tmp/squid-3.1.8.tar.gz rm -rf /usr/share/squid/man rm -f /etc/squid/cachemgr.conf.default rm -f /etc/squid/errorpage.css.default rm -f /etc/squid/mime.conf.default rm -f /etc/squid/msntauth.conf.default rm -f /etc/squid/squid.conf.default rm -f /etc/squid/squid.conf.documented Change ownership and permissions on the log folder: chown squid:root /var/log/squid chmod 770 /var/log/squid Edit using VI, the file /etc/squid/squid.conf and add the following lines to the end of the file: cache_access_log /var/log/squid/access.log cache_store_log none shutdown_lifetime 1 second icp_port 0 htcp_port 0 icp_access deny all htcp_access deny all forwarded_for off request_header_access Allow allow all request_header_access Authorization allow all request_header_access WWW-Authenticate allow all request_header_access Proxy-Authorization allow all request_header_access Proxy-Authenticate allow all request_header_access Cache-Control allow all request_header_access Content-Encoding allow all request_header_access Content-Length allow all request_header_access Content-Type allow all request_header_access Date allow all request_header_access Expires allow all request_header_access Host allow all request_header_access If-Modified-Since allow all request_header_access Last-Modified allow all request_header_access Location allow all request_header_access Pragma allow all request_header_access Accept allow all request_header_access Accept-Charset allow all request_header_access Accept-Encoding allow all request_header_access Accept-Language allow all request_header_access Content-Language allow all request_header_access Mime-Version allow all request_header_access Retry-After allow all request_header_access Title allow all request_header_access Connection allow all request_header_access Proxy-Connection allow all request_header_access User-Agent allow all request_header_access Cookie allow all request_header_access All deny all visible_hostname server1 
maximum_object_size 4096 KB minimum_object_size 1 KB dns_nameservers DNS_value client_lifetime 360 minutes pconn_timeout 360 minutes Note 1: Replace “server1” with the Squid server DNS name. Note 2: Replace “DNS_value” with IP addresses of DNS servers Run the command bellow to initialize the Squid: /usr/sbin/squid -z In-order to manually start the Squid service, run the command bellow: /usr/sbin/squid In-order to start the Squid service at server startup, add the command bellow to the /etc/rc.local file: /usr/sbin/squid Uninstall the following RPM: rpm -e gcc-c++-4.1.2-48.el5 rpm -e libstdc++-devel-4.1.2-48.el5 rpm -e gcc-4.1.2-48.el5 rpm -e cpp-4.1.2-48.el5 rpm -e libgomp-4.4.0-6.el5 rpm -e gmp-4.1.4-10.el5 rpm -e glibc-devel-2.5-49 rpm -e glibc-headers-2.5-49 rpm -e kernel-headers-2.6.18-194.el5 ","date":"19 September 2010","externalUrl":null,"permalink":"/posts/hardening-guide-for-squid-3-1-8-on-centos-5-5/","section":"Posts","summary":"","title":"Hardening guide for Squid 3.1.8 on CentOS 5.5","type":"posts"},{"content":"","date":"19 September 2010","externalUrl":null,"permalink":"/categories/squid/","section":"Categories","summary":"","title":"Squid","type":"categories"},{"content":"This guide explains how to install and configure Domain Controller and DNS server based on Windows 2008 R2 platform, for a new forest in a new domain.\nInstallation phase\nInstall Windows 2008 R2 server (either standard of enterprise edition). Important note: The first domain controller in the forest root domain must be installed on physical hardware and not as a virtual server.2. Login for the first time to the new server, using administrator account. 
Start -\u0026gt; Run -\u0026gt; dcpromo.exe Click Next twice -\u0026gt; select \u0026ldquo;Create a new domain in a new forest\u0026rdquo; -\u0026gt; click Next -\u0026gt; specify the FQDN of the new forest root domain -\u0026gt; click Next -\u0026gt; on the forest functional level, choose \u0026ldquo;Windows Server 2008 R2\u0026rdquo; -\u0026gt; click Next -\u0026gt; leave \u0026ldquo;DNS server\u0026rdquo; selected and click Next -\u0026gt; click \u0026ldquo;Yes\u0026rdquo; on the warning message -\u0026gt; choose a location for the database, logs and sysvol folders -\u0026gt; click Next -\u0026gt; specify a complex password for the Directory Services Restore Mode administrator password (and document the password) -\u0026gt; click Next twice -\u0026gt; select \u0026ldquo;Reboot on completion\u0026rdquo;. Allow the server to restart when the installation process completes. Log in to the new domain controller for the first time using a domain administrator account. Start -\u0026gt; Run -\u0026gt; cmd.exe Write the commands below to synchronize the PDC emulator with an external reliable time source: w32tm /config /computer:\u0026lt;\u0026gt; /manualpeerlist:time.windows.com /syncfromflags:manual /update exit Start -\u0026gt; Administrative Tools, right-click Active Directory Module for Windows PowerShell, and then click Run as administrator. Write the commands below to protect all OUs in the domain from accidental deletion: import-module activedirectory Get-ADOrganizationalUnit -filter * -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false} | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true exit Server Manager -\u0026gt; right click on Features -\u0026gt; Add Features -\u0026gt; select \u0026ldquo;Windows Server Backup Features\u0026rdquo; -\u0026gt; click Next -\u0026gt; click Install -\u0026gt; click Close. 
Start -\u0026gt; Administrative Tools -\u0026gt; Windows Server Backup -\u0026gt; from the Actions pane, click on \u0026ldquo;Backup Schedule\u0026rdquo; -\u0026gt; click Next -\u0026gt; choose \u0026ldquo;Full server\u0026rdquo; -\u0026gt; Specify a backup time -\u0026gt; click Next -\u0026gt; click the check box for your destination disk -\u0026gt; click Next -\u0026gt; click Yes to confirm that the destination disk will be reformatted -\u0026gt; verify the label for the destination disk -\u0026gt; click Next -\u0026gt; verify the information on the Summary page -\u0026gt; click Finish -\u0026gt; On the Confirmation page -\u0026gt; click Close. Server Manager -\u0026gt; expand Roles -\u0026gt; expand DNS Server -\u0026gt; expand DNS -\u0026gt; expand the server name -\u0026gt; right click on \u0026ldquo;Reverse Lookup Zones\u0026rdquo; -\u0026gt; New Zone -\u0026gt; click Next -\u0026gt; choose \u0026ldquo;Primary zone\u0026rdquo; -\u0026gt; leave \u0026ldquo;Store the zone in Active Directory\u0026rdquo; checked -\u0026gt; click Next -\u0026gt; select \u0026ldquo;To all DNS Servers running on domain controllers in this forest\u0026rdquo; -\u0026gt; click Next -\u0026gt; choose \u0026ldquo;IPv4 Reverse Lookup Zone\u0026rdquo; -\u0026gt; click Next -\u0026gt; on the \u0026ldquo;Network ID\u0026rdquo; field, put the first 3 octets of the network segment the Domain controller resides in -\u0026gt; click Next -\u0026gt; select \u0026ldquo;Allow only secure dynamic updates\u0026rdquo; -\u0026gt; click Next -\u0026gt; click Finish. Perform the above step for all other network segments that reside in your organization. 
From the left pane, expand the server name -\u0026gt; expand \u0026ldquo;Forward Lookup Zones\u0026rdquo; -\u0026gt; right click on each zone name -\u0026gt; Properties -\u0026gt; Name Servers tab -\u0026gt; make sure all Windows 2008 R2 DNS servers appear on this list (assuming you have installed more Windows 2008 R2 domain controllers with DNS service) -\u0026gt; Zone Transfers tab -\u0026gt; select \u0026ldquo;Allow zone transfers\u0026rdquo; -\u0026gt; select \u0026ldquo;Only to servers listed on the Name Servers tab\u0026rdquo; -\u0026gt; click OK. Perform the above step for all other \u0026ldquo;Forward Lookup zones\u0026rdquo; and \u0026ldquo;Reverse Lookup zones\u0026rdquo; in your forest. IPv6 DNS settings\nIn order to configure an IPv6 address for the DNS server, Start -\u0026gt; Control Panel -\u0026gt; under “Network and Internet”, click on “View network status and tasks” -\u0026gt; click “Change adapter settings” -\u0026gt; right click on the relevant “Local Area Connection” icon -\u0026gt; Properties -\u0026gt; click on “Internet Protocol Version 6 (TCP/IPv6)” -\u0026gt; Properties -\u0026gt; select “Use the following IPv6 address” -\u0026gt; if you are not familiar with IP addressing, you can use 2001:0db8:29cd:1a0f:857b:455b:b4ec:7403 -\u0026gt; enter a Subnet prefix length of 64 -\u0026gt; click OK -\u0026gt; click Close. 
Server Manager -\u0026gt; expand Roles -\u0026gt; expand DNS Server -\u0026gt; expand DNS -\u0026gt; expand the server name -\u0026gt; expand “Reverse Lookup Zones” -\u0026gt; right click on “Reverse Lookup Zones” -\u0026gt; New Zone -\u0026gt; click Next -\u0026gt; choose “Primary Zone” -\u0026gt; click Next -\u0026gt; choose “To all DNS servers running on domain controllers in this forest” -\u0026gt; click Next -\u0026gt; choose “IPv6 Reverse Lookup Zone” -\u0026gt; click Next -\u0026gt; on the “IPv6 Address Prefix” field type the IPv6 subnet prefix (in this example: 2001:0db8:29cd:1a0f::/64) -\u0026gt; click Next -\u0026gt; select “Allow only secure dynamic updates” -\u0026gt; click Next -\u0026gt; click Finish. Right click on the new “Reverse Lookup Zone” -\u0026gt; Properties -\u0026gt; Zone Transfers tab -\u0026gt; select \u0026ldquo;Allow zone transfers\u0026rdquo; -\u0026gt; select \u0026ldquo;Only to servers listed on the Name Servers tab\u0026rdquo; -\u0026gt; click OK. ","date":"12 September 2010","externalUrl":null,"permalink":"/posts/hardening-guide-for-windows-2008-r2-domain-controller-and-dns-server/","section":"Posts","summary":"","title":"Hardening guide for Windows 2008 R2 Domain Controller and DNS Server","type":"posts"},{"content":"Cloud computing is the latest buzz on the Internet these days. What does it mean to us and where is the future of Cloud computing going?\nSome background In the mid 90\u0026rsquo;s, we had Citrix, with its vision for server-based computing. It works similarly to the Mainframe idea, which came a couple of decades before - you put all your resources on one server, and thin clients connect to receive resources. A couple of years later, we had a new buzz, called ASP (Application service provider), which according to Wikipedia is a business that provides computer-based services to customers over a network. 
A few years later, ASP changed its name to SaaS (Software as a service), which is also referred to as software on demand. 
In between, we had VMware who presented to world (at least the most famous) server virtualization.\nWhat is Cloud Computing? According to Wikipedia, Cloud computing is Internet-based computing, whereby shared resources, software, and information are provided to computers and other devices on demand, like the electricity grid. The idea of Cloud computing, enables the customers to avoid investing money on hardware and network equipment, and instead, renting usage from third-party provider.\nCloud computing has the following key features:\nAgility improves with users\u0026rsquo; ability to rapidly and inexpensively re-provision technological infrastructure resources. Cost is claimed to be greatly reduced. Device and location independence enable users to access systems using a web browser regardless of their location or what device they are using (e.g., PC, mobile). Multi-tenancy enables sharing of resources and costs across a large pool of users. Reliability is improved if multiple redundant sites are used, which makes well designed cloud computing suitable for business continuity and disaster recovery. Scalability via dynamic (\u0026ldquo;on-demand\u0026rdquo;) provisioning of resources on a fine-grained, self-service basis near real-time, without users having to engineer for peak loads. Maintenance cloud computing applications are easier to maintain, since they don\u0026rsquo;t have to be installed on each user\u0026rsquo;s computer. Metering cloud computing resources usage should be measurable and should be metered per client and application on daily, weekly, monthly, and annual basis. The confusion point and vision People tend to confuse between companies moving their data-centers and applications toward the cloud, and actual Cloud computing providers. A real Cloud computing provider is built from large-scale data centers around the world. 
Each rack is built from cheap (to manufacture) hot-swappable hardware - it\u0026rsquo;s time to say goodbye to 1U-4U servers from all major vendors (HP, IBM, DELL, SUN, etc). Each blade has a many-core CPU (4-core, 6-core and above), with a lot of memory (as much as the hardware supports). Each blade is connected to a large-scale storage grid. Everything must be redundant - you must be able to add new racks on-demand, without affecting any customer. Servers, network equipment and storage devices must be configured in active-active clusters. Data should be replicated on the fly between data centers across the world, in order to provide 24/7 availability. Guest operating systems must be able to move between physical servers, transparently, as VMware introduced in its VMotion technology. Server maintenance should be performed on a scheduled basis - since everything is transparent to the customer, firmware upgrades, patch management and software/application upgrades will not affect any customer. The hardware/network/storage layer should be separated from the application layer, so that current SaaS companies will be able to integrate their current applications to the cloud era, and work transparently with Cloud computing infrastructure.\nCloud computing Achilles The thing that drives most people off the cloud is security. Customers can\u0026rsquo;t physically protect their hardware, since they don\u0026rsquo;t own it. Customers have trouble protecting their data, since everything is built on virtual machines, connected to shared virtual storage. 
I hope that in the near future information security professionals will be able to close this gap, and offer customers transparent, cheap and secure solutions.\n","date":"22 August 2010","externalUrl":null,"permalink":"/posts/cloud-computing-vision/","section":"Posts","summary":"","title":"Cloud computing vision","type":"posts"},{"content":"OpenSSL allows you to request, sign, generate, export and convert digital certificates. 
OpenSSL comes by default on Unix platforms as an RPM or package file (RedHat, Solaris, etc). The guide below explains how to generate a key store for digital certificates, generate a private and self-signed SSL certificate for web servers, and export/convert the key store to a PFX file (for importing to Windows platform). The guide below was tested on common Linux platform web servers (Apache, Lighttpd, Nginx, Resin), however the same syntax should work on the Windows platform.\nDownload link for Windows binaries: http://www.slproweb.com/products/Win32OpenSSL.html Download link for Linux source files (pre-compiled): http://www.openssl.org/source/\nInstall OpenSSL. Run the command below to generate a new key store called “server.key” openssl genrsa -des3 -out /tmp/server.key 1024 Run the commands below to request a new SSL certificate: openssl req -new -x509 -nodes -sha1 -days 1095 -key /tmp/server.key \u0026gt; /tmp/server.crt openssl x509 -noout -fingerprint -text \u0026lt; /tmp/server.crt \u0026gt; /tmp/server.info Run the command below to back up the key store file that has a password: cp /tmp/server.key /tmp/server.key.bak Run the command below to generate a new key store without a password: openssl rsa -in /tmp/server.key -out /tmp/no.pwd.server.key Run the command below only if you need to generate a PEM file that contains a chain of both the key store and the public key in one file: cat /tmp/no.pwd.server.key /tmp/server.crt \u0026gt; /tmp/no.pwd.server.pem Run the command below only if you need to export a key store (without a password) to a PFX file (for importing to Windows platform) openssl pkcs12 -export -in /tmp/server.crt -inkey /tmp/no.pwd.server.key -certfile /tmp/no.pwd.server.pem -out /tmp/server.pfx Appendix:\nserver.key - Key store file server.crt - Server SSL public key file no.pwd.server.key - Key store file (without a password) no.pwd.server.pem - Key store file + server SSL public key file (without a password) server.pfx - Private key 
+ public key, exportable for Windows platform (i.e. IIS server) ","date":"13 August 2010","externalUrl":null,"permalink":"/posts/generating-self-signed-ssl-certificate-using-openssl/","section":"Posts","summary":"","title":"Generating self-signed SSL certificate using OpenSSL","type":"posts"},{"content":"","date":"13 August 2010","externalUrl":null,"permalink":"/categories/iis-7-5/","section":"Categories","summary":"","title":"Iis-7-5","type":"categories"},{"content":"","date":"13 August 2010","externalUrl":null,"permalink":"/categories/lighttpd/","section":"Categories","summary":"","title":"Lighttpd","type":"categories"},{"content":"","date":"13 August 2010","externalUrl":null,"permalink":"/categories/resin/","section":"Categories","summary":"","title":"Resin","type":"categories"},{"content":"","date":"13 August 2010","externalUrl":null,"permalink":"/categories/solaris/","section":"Categories","summary":"","title":"Solaris","type":"categories"},{"content":"Pre-installation notes The guide below is based on the previous guide Hardening guide for Resin Professional 4.0.8 on RHEL 5.4\nLog in to the server using Root account. Change permissions on the keys folder: chmod 640 /usr/local/resin/keys Run the command below to generate a key pair: /usr/bin/openssl genrsa -des3 -out /usr/local/resin/keys/server.key 1024 Specify a complex pass phrase for the private key (and document it) Run the command below to generate the CSR: /usr/bin/openssl req -new -newkey rsa:1024 -nodes -keyout /usr/local/resin/keys/server.key -out /tmp/resin.csr Note: The command above should be written as one line. Send the file /tmp/resin.csr to a Certificate Authority server. 
As soon as you receive the signed public key from the CA server via email, copy all lines starting with “Begin” and ending with “End” (include those two lines), into Notepad, and save the file as \u0026ldquo;server.crt\u0026rdquo; Copy the file \u0026ldquo;server.crt\u0026rdquo; using SCP into /usr/local/resin/keys/ Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded). Copy the file \u0026ldquo;ca-bundle.crt\u0026rdquo; using SCP into /usr/local/resin/keys/ Edit using VI, the file /usr/local/resin/conf/resin.xml and replace the section below from: \u0026lt;!-- SSL port configuration: --\u0026gt; \u0026lt;http address=\u0026quot;*\u0026quot; port=\u0026quot;8443\u0026quot;\u0026gt; \u0026lt;jsse-ssl self-signed-certificate-name=\u0026quot;resin@localhost\u0026quot;/\u0026gt; \u0026lt;/http\u0026gt; To: \u0026lt;http address=\u0026quot;Server_DNS_Name\u0026quot; port=\u0026quot;443\u0026quot;\u0026gt; \u0026lt;openssl\u0026gt; \u0026lt;certificate-key-file\u0026gt;/usr/local/resin/keys/server.key\u0026lt;/certificate-key-file\u0026gt; \u0026lt;certificate-file\u0026gt;/usr/local/resin/keys/server.crt\u0026lt;/certificate-file\u0026gt; \u0026lt;certificate-chain-file\u0026gt;/usr/local/resin/keys/ca-bundle.crt\u0026lt;/certificate-chain-file\u0026gt; \u0026lt;password\u0026gt;my-password\u0026lt;/password\u0026gt; \u0026lt;/openssl\u0026gt; \u0026lt;/http\u0026gt; Note: Replace “my-password” with the password for the “server.key” file. 
Restart the Resin services: /etc/init.d/resin restart Backup the file /usr/local/resin/keys/server.key ","date":"10 August 2010","externalUrl":null,"permalink":"/posts/how-to-implement-ssl-on-resin-4-0-8/","section":"Posts","summary":"","title":"How to implement SSL on Resin 4.0.8","type":"posts"},{"content":"All data and information provided on this site is for informational purposes only.\nSecurity-24-7.com makes no representations as to accuracy, completeness, correctness, suitability, or validity of any information on this site and will not be liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use.\nAll information is provided on an as-is basis.\nReaders are entitled to use the materials on this site on production environments, at their own risk.\nCopying or translating full or partial materials from this site into other web sites is forbidden.\n","date":"10 August 2010","externalUrl":null,"permalink":"/posts/pages/legal-disclaimer/","section":"Posts","summary":"","title":"Legal Disclaimer","type":"posts"},{"content":"","date":"10 August 2010","externalUrl":null,"permalink":"/categories/policy/","section":"Categories","summary":"","title":"Policy","type":"categories"},{"content":"Overview: In order to maintain high security standards, identify potential vulnerabilities and evaluate the effectiveness of various security controls that were implemented within the infrastructure, it is crucial to perform periodic security assessments.\nGoal: This procedure defines the controls and steps that are required for identifying security vulnerabilities and ensuring reasonable level of security for the infrastructure and application levels.\nProcess:\nExternal Facing:\nPerform automated external application level scans on a daily basis for website and application. (e.g. McAfee Secure, Acunetix). Perform automated external network level scans on a weekly basis (e.g. 
McAfee Secure) Perform in-house, half automated scans with a vulnerability assessment tool (e.g. Qualys) Execute a dedicated application level and network penetration test by a professional third party. This should be executed twice a year or on every major application release. Internal:\nDiscovery: run NMAP scan on all VLANs to identify all the devices and create an asset inventory that outlines devices and services. \\[weekly / monthly\\] Network and Infra vulnerabilities: Run a weekly scan with NESSUS or similar tool to identify infrastructure gap and non hardened devices. Purchase and run vulnerability scanner (such as Qualys or NetIQ) – every week. Patch Management: Install Microsoft WSUS server to maintain security patches for Windows infrastructure. Install Linux YUM server to maintain security patches for RedHat infrastructure. Generate reports on weekly basis to find vulnerable systems. Penetration test: run an annual internal pen-test to identify internal gaps with orientation to threats from within the organization. Implement a Production Change Management policy that includes a hardening and implementation clearance process for new devices (e.g. 
addition of new network device, operating system, web server, DB server, etc).\n","date":"10 August 2010","externalUrl":null,"permalink":"/posts/security-vulnerability-assessment-process-and-policy/","section":"Posts","summary":"","title":"Security Vulnerability Assessment Process and Policy","type":"posts"},{"content":"Join the team of information security professionals and share your knowledge and expertise in the field of information security.\nIf you wish to write with us, simply send an email to webmaster@security-24-7.com and you will receive username and password.\nImportant notes: All posts must be written in English, and will be reviewed before publishing in order to avoid spam.\n","date":"10 August 2010","externalUrl":null,"permalink":"/posts/pages/write-with-us/","section":"Posts","summary":"","title":"Write with us","type":"posts"},{"content":"","date":"9 August 2010","externalUrl":null,"permalink":"/categories/cisco/","section":"Categories","summary":"","title":"Cisco","type":"categories"},{"content":"","date":"9 August 2010","externalUrl":null,"permalink":"/categories/ftp/","section":"Categories","summary":"","title":"Ftp","type":"categories"},{"content":"Pre-requirements:\nJDK 1.6 source file Resin Professional 4.0.8 source file Installation phase\nLog in to the server using Root account.\nCreate a new account: groupadd resin useradd -g resin -d /home/resin -s /bin/bash resin\nCreate folder for the web content: mkdir -p /www\nUpdating Ownership and Permissions on the web content folder: chown -R root /www chmod -R 775 /www\nCopy JDK 1.6 into /tmp\nChange the permissions on the JDK 1.6: chmod +x /tmp/jdk-6u20-linux-i586-rpm.bin\nRun the command below to install JDK 1.6: /tmp/jdk-6u20-linux-i586-rpm.bin\nRemove the JDK 1.6 source files: rm -f /tmp/jdk-6u20-linux-i586-rpm.bin rm -f /usr/java/jdk1.6.0_20/src.zip rm -rf /usr/java/jdk1.6.0_20/demo rm -rf /usr/java/jdk1.6.0_20/sample rm -rf /opt/sun/javadb/demo rm -rf 
/opt/sun/javadb/docs\nBefore compiling 
the Resin environment, install the following RPM from the RHEL DVD: rpm -ivh kernel-headers-2.6.18-164.el5.i386.rpm rpm -ivh glibc-headers-2.5-42.i386.rpm rpm -ivh glibc-devel-2.5-42.i386.rpm rpm -ivh gmp-4.1.4-10.el5.i386.rpm rpm -ivh libgomp-4.4.0-6.el5.i386.rpm rpm -ivh gcc-4.1.2-46.el5.i386.rpm rpm -ivh pcre-devel-6.6-2.el5_1.7.i386.rpm rpm -ivh e2fsprogs-devel-1.39-23.el5.i386.rpm rpm -ivh keyutils-libs-devel-1.2-1.el5.i386.rpm rpm -ivh libsepol-devel-1.15.2-2.el5.i386.rpm rpm -ivh libselinux-devel-1.33.4-5.5.el5.i386.rpm rpm -ivh krb5-devel-1.6.1-36.el5.i386.rpm rpm -ivh zlib-devel-1.2.3-3.i386.rpm rpm -ivh openssl-devel-0.9.8e-12.el5.i386.rpm\nCopy the Resin 4.0.8 source file using PSCP (or SCP) into /tmp\nMove to /tmp cd /tmp\nExtract the resin-pro-4.0.8.tar.gz file: tar -zxvf resin-pro-4.0.8.tar.gz\nMove to the Resin 4.0.8 source folder: cd /tmp/resin-pro-4.0.8\nRun the commands below to compile the Resin 4.0.8 environment: ./configure --with-resin-conf=/usr/local/resin/conf --with-resin-root=/www --with-resin-log=/var/log/resin --enable-ssl --with-java-home=/usr/java/jdk1.6.0_20 Note: The command above should be written as one line.\nmake make install\nEdit using VI, the file /usr/local/resin/conf/resin.xml and change the string below: From: \u0026lt;resin:if test=\u0026quot;${resin.userName == 'root'}\u0026quot;\u0026gt; To: \u0026lt;resin:if test=\u0026quot;${resin.userName == 'resin'}\u0026quot;\u0026gt;\nFrom: \u0026lt;user-name\u0026gt;www-data\u0026lt;/user-name\u0026gt; To: \u0026lt;user-name\u0026gt;resin\u0026lt;/user-name\u0026gt;\nFrom: \u0026lt;group-name\u0026gt;www-data\u0026lt;/group-name\u0026gt; To: \u0026lt;group-name\u0026gt;resin\u0026lt;/group-name\u0026gt;\nFrom: \u0026lt;server id=\u0026quot;\u0026quot; address=\u0026quot;127.0.0.1\u0026quot; port=\u0026quot;6800\u0026quot;\u0026gt; To: \u0026lt;server id=\u0026quot;\u0026quot; address=\u0026quot;Server_DNS_Name\u0026quot; port=\u0026quot;6800\u0026quot;\u0026gt;\nFrom: \u0026lt;http 
address=\u0026quot;*\u0026quot; port=\u0026quot;8080\u0026quot;/\u0026gt; To: \u0026lt;http address=\u0026quot;Server_DNS_Name\u0026quot; port=\u0026quot;8080\u0026quot;/\u0026gt;\nFrom: \u0026lt;dependency-check-interval\u0026gt;2s\u0026lt;/dependency-check-interval\u0026gt; To: \u0026lt;dependency-check-interval\u0026gt;600s\u0026lt;/dependency-check-interval\u0026gt;\nFrom: \u0026lt;host id=\u0026quot;\u0026quot; root-directory=\u0026quot;.\u0026quot;\u0026gt; To: \u0026lt;host id=\u0026quot;Server_DNS_Name\u0026quot; root-directory=\u0026quot;/www\u0026quot;\u0026gt;\nFrom: \u0026lt;root-directory\u0026gt;.\u0026lt;/root-directory\u0026gt; To: \u0026lt;root-directory\u0026gt;/www\u0026lt;/root-directory\u0026gt;\nFrom: \u0026lt;resin:set var=\u0026quot;resin_admin_external\u0026quot; value=\u0026quot;false\u0026quot;/\u0026gt; To: \u0026lt;resin:set var=\u0026quot;resin_admin_external\u0026quot; value=\u0026quot;true\u0026quot;/\u0026gt;\nChange the ownership on the folder below: chown resin:root -R /www/*\nManually start the Resin service: /usr/local/resin/bin/resin.sh start -root-directory /www --log-directory /var/log/resin\nManually stop the Resin service: /usr/local/resin/bin/resin.sh stop\nCopy the Resin license file into /usr/local/resin/licenses\nChange the ownership and permissions on the folders below: chmod 664 -R /www/watchdog-data/ chmod 777 /www/watchdog-data/default/ chown resin:root -R /www/watchdog-data/*\nRemove the Resin 4.0.8 source folder: rm -rf /tmp/resin-pro-4.0.8\nRemove default documents: rm -rf /www/doc/resin-doc\nTo start Resin service at server start-up, run the commands below: chkconfig --add resin chkconfig resin on /etc/init.d/resin start\nFrom a client machine, open an internet browser and login to the address: http://Server_DNS_Name:8080/resin-admin/\nEnter a username and password in the lower half of the page, then click \u0026ldquo;Create Configuration File\u0026rdquo;. 
The recommended username is \u0026ldquo;admin\u0026rdquo;.\nRename the admin-users.xml file: mv /usr/local/resin/conf/admin-users.xml.generated /usr/local/resin/conf/admin-users.xml\nBrowse back to http://Server_DNS_Name:8080/resin-admin/. The change you made should force Resin to restart and return a 503 error. Just hit refresh in a few moments to bring up the page again.\n","date":"9 August 2010","externalUrl":null,"permalink":"/posts/resin-professional-4-0-8-installation-procedure-for-rhel-5-4/","section":"Posts","summary":"","title":"Hardening guide for Resin Professional 4.0.8 on RHEL 5.4","type":"posts"},{"content":"The guide below explains how to install, configure and secure FTP server called VSFTP, based on RHEL 5.4, enabling only SFTP access to the server.\nInstallation phase\nLog in to the server using Root account.\nInstall from the RHEL 5.4 DVD the following RPM: rpm -ivh vsftpd-2.0.5-16.el5.i386.rpm\nCreate a group for FTP users: groupadd ftp-users\nCreate folder for the FTP: mkdir -p /ftp\nChange ownership and permissions on the FTP folder: chown root:ftp-users /ftp chmod 777 -R /ftp\nExample of user creation: useradd -g ftp-users -d /ftp user1 passwd user1\nEdit using VI, the file /etc/vsftpd/vsftpd.conf Change from: anonymous_enable=YES To: anonymous_enable=NO\nChange from: xferlog_std_format=YES To: xferlog_std_format=NO\nChange from: #ftpd_banner=Welcome to blah FTP service. 
To: ftpd_banner=Secure FTP server\nAdd the lines below: local_root=/ftp userlist_file=/etc/vsftpd/user_list userlist_deny=NO vsftpd_log_file=/var/log/vsftpd.log ssl_enable=YES allow_anon_ssl=NO force_local_data_ssl=YES force_local_logins_ssl=YES ssl_tlsv1=YES ssl_sslv2=NO ssl_sslv3=NO ssl_ciphers=ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP rsa_cert_file=/etc/vsftpd/vsftpd.pem\nRun the command below to create VSFTP SSL key: openssl req -x509 -nodes -newkey rsa:1024 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem Note: The command above should be written as one line.\nEdit 
using VI, the file /etc/vsftpd/user_list and add members of the FTP-Users group to this list.\nRun the command below to manually start the VSFTP service: /etc/init.d/vsftpd start\nRun the command below to configure the VSFTP to start at server startup: chkconfig vsftpd on\n","date":"9 August 2010","externalUrl":null,"permalink":"/posts/hardening-guide-for-vsftpd-on-rhel-5-4/","section":"Posts","summary":"","title":"Hardening guide for VSFTPD on RHEL 5.4","type":"posts"},{"content":"Pre-installation notes The guide below is based on the previous guides:\nHardening guide for Apache 2.2.15 on RedHat 5.4 (64bit edition) Hardening guide for MySQL 5.1.47 on RedHat 5.4 (64bit edition) Hardening guide for PHP 5.3.2 on Apache 2.2.15 / MySQL 5.1.47 (RHEL 5.4) Installation and configuration phase\nLog in to the server using Root account.\nCreate a new account for uploading files using SSH: groupadd sshaccount useradd -g sshaccount -d /home/sshaccount -m sshaccount\nRun the commands below to switch to the SSH account: su sshaccount\nRun the command below to generate SSH keys: ssh-keygen Note: Leave default values for the ssh-keygen.\nCopy the SSH keys: cp /home/sshaccount/.ssh/id_rsa.pub /home/sshaccount/.ssh/authorized_keys\nChange permissions for the SSH keys: chmod 755 /home/sshaccount/.ssh chmod 644 /home/sshaccount/.ssh/*\nExit the SSH account shell and return to the Root account: exit\nRun the command below to log in to the MySQL: /usr/bin/mysql -uroot -pnew-password Note: Replace the string “new-password” with the actual password for the root account.\nRun the following commands from the MySQL prompt: CREATE USER 'blgusr'@'localhost' IDENTIFIED BY 'password2'; SET PASSWORD FOR 'blgusr'@'localhost' = OLD_PASSWORD('password2'); CREATE DATABASE m6gf42s; GRANT ALL PRIVILEGES ON m6gf42s.* TO \u0026quot;blgusr\u0026quot;@\u0026quot;localhost\u0026quot; IDENTIFIED BY \u0026quot;password2\u0026quot;; FLUSH PRIVILEGES; quit Note 1: Replace “blgusr” with your own MySQL 
account to access the database. Note 2: Replace “password2” with a complex password (at least 14 characters). Note 3: Replace “m6gf42s” with your own WordPress database name.\nDownload WordPress 3.0 from: http://wordpress.org/download\nCopy the WordPress 3.0 source files using PSCP (or SCP) into /www\nMove to /www cd /www\nExtract the wordpress-3.0.zip file: unzip wordpress-3.0.zip\nRemove WordPress source file: rm -f /www/wordpress-3.0.zip\nCreate using VI the file /www/config.php with the following content: \u0026lt;?php define('DB_NAME', 'm6gf42s'); define('DB_USER', 'blgusr'); define('DB_PASSWORD', 'password2'); define('DB_HOST', '127.0.0.1'); $table_prefix = 'm6gf42s_'; define('AUTH_KEY', 'put your unique phrase here'); define('SECURE_AUTH_KEY', 'put your unique phrase here'); define('LOGGED_IN_KEY', 'put your unique phrase here'); define('NONCE_KEY', 'put your unique phrase here'); define('AUTH_SALT', 'put your unique phrase here'); define('SECURE_AUTH_SALT', 'put your unique phrase here'); define('LOGGED_IN_SALT', 'put your unique phrase here'); define('NONCE_SALT', 'put your unique phrase here'); define('FS_METHOD', 'direct'); define('FS_CHMOD_DIR', 0777); define('FS_CHMOD_FILE', 0777); define('FTP_BASE', '/www/wordpress/'); define('FTP_CONTENT_DIR', '/www/wordpress/wp-content/'); define('FTP_PLUGIN_DIR', '/www/wordpress/wp-content/plugins/'); define('FTP_PUBKEY', '/home/sshaccount/.ssh/id_rsa.pub'); define('FTP_PRIKEY', '/home/sshaccount/.ssh/id_rsa'); define('FTP_USER', 'sshaccount'); define('FTP_HOST', '127.0.0.1:22'); ?\u0026gt; Note 1: Make sure there are no spaces, newlines, or other strings before an opening \u0026lsquo;\u0026lt;?php\u0026rsquo; tag or after a closing \u0026lsquo;?\u0026gt;\u0026rsquo; tag. Note 2: Replace “blgusr” with your own MySQL account to access the database. Note 3: Replace “password2” with a complex password (at least 14 characters). Note 4: Replace “m6gf42s” with your own WordPress database name. 
Note 5: In order to generate random values for the AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY, use the web site below: http://api.wordpress.org/secret-key/1.1/\nCopy the wp-config.php file: cp /www/wordpress/wp-config-sample.php /www/wordpress/wp-config.php\nEdit using VI, the file /www/wordpress/wp-config.php Add the following line: include('/www/config.php');\nRemove the following sections: define('DB_NAME', 'putyourdbnamehere'); define('DB_USER', 'usernamehere'); define('DB_PASSWORD', 'yourpasswordhere'); define('DB_HOST', 'localhost'); $table_prefix = 'wp_'; define('AUTH_KEY', 'put your unique phrase here'); define('SECURE_AUTH_KEY', 'put your unique phrase here'); define('LOGGED_IN_KEY', 'put your unique phrase here'); define('NONCE_KEY', 'put your unique phrase here'); define('AUTH_SALT', 'put your unique phrase here'); define('SECURE_AUTH_SALT', 'put your unique phrase here'); define('LOGGED_IN_SALT', 'put your unique phrase here'); define('NONCE_SALT', 'put your unique phrase here');\nRemove default content: rm -f /www/wordpress/license.txt rm -f /www/wordpress/readme.html rm -f /www/wordpress/wp-config-sample.php rm -f /www/wordpress/wp-content/plugins/hello.php\nEdit using VI the file /usr/local/apache2/conf/httpd.conf Replace the value of the string, from: DocumentRoot \u0026quot;/www\u0026quot; To: DocumentRoot \u0026quot;/www/wordpress\u0026quot;\nReplace the value of the string, from: LimitRequestBody 10000 To: LimitRequestBody 200000\nRestart the Apache service.\nOpen a web browser from a client machine, and enter the URL below: http://Server_FQDN/wp-admin/install.php\nSpecify the following information:\nSite Title Username - replace the default \u0026ldquo;admin\u0026rdquo; Password E-mail Click on “Install WordPress” button, and close the web browser.\nCreate using VI the file /www/wordpress/.htaccess with the following content: \u0026lt;files wp-config.php\u0026gt; Order deny,allow deny from all \u0026lt;/files\u0026gt; \u0026lt;Files 
wp-login.php\u0026gt; AuthUserFile /dev/null AuthGroupFile /dev/null AuthName \u0026quot;Access Control\u0026quot; AuthType Basic Order deny,allow Deny from All Allow from 1.1.1.0 \u0026lt;/Files\u0026gt; RewriteEngine On RewriteCond %{REQUEST_METHOD} POST RewriteCond %{REQUEST_URI} .wp-comments-post\\.php* RewriteCond %{HTTP_REFERER} !.*Server_FQDN.* [OR] RewriteCond %{HTTP_USER_AGENT} ^$ RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L] Note 1: Replace 1.1.1.0 with the internal network IP address. Note 2: Replace Server_FQDN with the server FQDN (DNS name).\nCreate using VI the file /www/wordpress/wp-admin/.htaccess with the following content: AuthUserFile /dev/null AuthGroupFile /dev/null AuthName \u0026quot;Access Control\u0026quot; AuthType Basic \u0026lt;LIMIT GET POST\u0026gt; order deny,allow deny from all Allow from 1.1.1.0 \u0026lt;/LIMIT\u0026gt; \u0026lt;IfModule mod_security.c\u0026gt; SecFilterInheritance Off \u0026lt;/IfModule\u0026gt; Note: Replace 1.1.1.0 with the internal network IP address.\nCreate using VI the file /www/wordpress/wp-content/plugins/.htaccess with the following content: AuthUserFile /dev/null AuthGroupFile /dev/null AuthName \u0026quot;Access Control\u0026quot; AuthType Basic Order deny,allow Deny from All Allow from 1.1.1.0 Note: Replace 1.1.1.0 with the internal network IP address.\nCreate the following folders: mkdir -p /www/wordpress/wp-content/cache mkdir -p /www/wordpress/wp-content/uploads mkdir -p /www/wordpress/wp-content/upgrade\nChange the file permissions: chown -R root:root /www/wordpress chown daemon:root /www/wordpress/wp-content/plugins chmod 644 /www/config.php chmod 644 /www/wordpress/wp-config.php chmod 644 /www/wordpress/.htaccess chmod 644 /www/wordpress/wp-admin/.htaccess chmod 644 /www/wordpress/wp-content/plugins/.htaccess chmod -R 777 /www/wordpress/wp-content/cache chmod -R 777 /www/wordpress/wp-content/uploads chmod -R 777 /www/wordpress/wp-content/upgrade\nDownload \u0026ldquo;Login Lockdown\u0026rdquo; plugin from: 
http://www.bad-neighborhood.com/login-lockdown.html\nDownload \u0026ldquo;Limit Login\u0026rdquo; plugin from: http://wordpress.org/extend/plugins/limit-login-attempts/\nDownload \u0026ldquo;WP-Secure Remove Wordpress Version\u0026rdquo; plugin from: http://wordpress.org/extend/plugins/wp-secure-remove-wordpress-version/\nDownload \u0026ldquo;WP Security Scan\u0026rdquo; plugin from: http://wordpress.org/extend/plugins/wp-security-scan/\nDownload \u0026ldquo;KB Robots.txt\u0026rdquo; plugin from: http://wordpress.org/extend/plugins/kb-robotstxt/\nDownload \u0026ldquo;WordPress Database Backup\u0026rdquo; plugin from: http://austinmatzko.com/wordpress-plugins/wp-db-backup/\nDownload \u0026ldquo;WordPress Firewall\u0026rdquo; plugin from: http://www.seoegghead.com/software/wordpress-firewall.seo\nCopy the \u0026ldquo;WordPress Firewall\u0026rdquo; plugin file \u0026ldquo;wordpress-firewall.php\u0026rdquo; using PSCP (or SCP) into /www/wordpress/wp-content/plugins\nCreate a folder for the \u0026ldquo;WordPress Database Backup\u0026rdquo; plugin: mkdir -p /www/wordpress/wp-content/backup-ed602\nSet permissions for the \u0026ldquo;WordPress Database Backup\u0026rdquo; plugin: chmod 777 /www/wordpress/wp-content/backup-ed602\nOpen a web browser from a client machine, and enter the URL below: http://Server_FQDN/wp-login.php\nFrom WordPress dashboard, click on \u0026ldquo;settings\u0026rdquo; -\u0026gt; make sure that \u0026ldquo;Anyone can register\u0026rdquo; is left unchecked -\u0026gt; put a new value inside the \u0026ldquo;Tagline\u0026rdquo; field -\u0026gt; click on \u0026ldquo;Save changes\u0026rdquo;.\nFrom WordPress dashboard, click on \u0026ldquo;settings\u0026rdquo; -\u0026gt; click on \u0026ldquo;Media\u0026rdquo; -\u0026gt; \u0026ldquo;Store uploads in this folder\u0026rdquo; -\u0026gt; specify: wp-content/uploads\nClick on \u0026ldquo;Save changes\u0026rdquo;.\nFrom WordPress dashboard, click on \u0026ldquo;Plugins\u0026rdquo; -\u0026gt; Add New -\u0026gt; 
choose \u0026ldquo;Upload\u0026rdquo; -\u0026gt; click Browse to locate the plugin -\u0026gt; click \u0026ldquo;Install Now\u0026rdquo; -\u0026gt; click \u0026ldquo;Proceed\u0026rdquo; -\u0026gt; click on \u0026ldquo;Activate Plugin\u0026rdquo;. Note: Install and activate all the above downloaded plugins.\nFrom WordPress dashboard, click on \u0026ldquo;settings\u0026rdquo; -\u0026gt; click on \u0026ldquo;KB Robots.txt\u0026rdquo; -\u0026gt; add the following content into the Robots.txt editor field: Disallow: /wp-* Disallow: /wp-admin Disallow: /wp-includes Disallow: /wp-content/plugins Disallow: /wp-content/cache Disallow: /wp-content/themes Disallow: /wp-login.php Disallow: /wp-register.php\nClick \u0026ldquo;Submit\u0026rdquo;.\nFrom the upper pane, click on \u0026ldquo;Log Out\u0026rdquo;.\nDelete the file /wp-admin/install.php\nIn case the server was configured with an SSL certificate, add the following line to the /www/config.php file: define('FORCE_SSL_LOGIN', true);\n","date":"9 August 2010","externalUrl":null,"permalink":"/posts/hardening-guide-for-wordpress-3-0/","section":"Posts","summary":"","title":"Hardening guide for WordPress 3.0","type":"posts"},{"content":"Important note: Make sure your hosting provider is using the most up-to-date build of WordPress.\nRequest from your hosting provider access through SSH.\nLogin to the hosted server using SSH.\nEdit using VI the file ~/html/wp-config.php and write down the data of the following values:\nDB_NAME DB_USER DB_PASSWORD Create using VI the file ~/config.php with the following content: \u0026lt;?php define('DB_NAME', 'm6gf42s'); define('DB_USER', 'blgusr'); define('DB_PASSWORD', 'password2'); define('AUTH_KEY', 'put your unique phrase here'); define('SECURE_AUTH_KEY', 'put your unique phrase here'); define('LOGGED_IN_KEY', 'put your unique phrase here'); define('NONCE_KEY', 'put your unique phrase here'); define('AUTH_SALT', 'put your unique phrase here'); define('SECURE_AUTH_SALT', 'put your unique phrase 
here'); define('LOGGED_IN_SALT', 'put your unique phrase here'); define('NONCE_SALT', 'put your unique phrase here'); ?\u0026gt; Note 1: Make sure there are no spaces, newlines, or other strings before an opening \u0026lsquo;\u0026lt;?php\u0026rsquo; tag or after a closing \u0026lsquo;?\u0026gt;\u0026rsquo; tag. Note 2: Replace “blgusr” with the MySQL account to access the database. Note 3: Replace “password2” with the MySQL account password. Note 4: Replace “m6gf42s” with the WordPress database name. Note 5: In order to generate random values for the AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY, use the web site below: http://api.wordpress.org/secret-key/1.1/\nEdit using VI, the file ~/html/wp-config.php Add the following line: include('/path/config.php'); Note: Replace /path/ with the full path to the config.php file.\nRemove the following sections: define('DB_NAME', 'putyourdbnamehere'); define('DB_USER', 'usernamehere'); define('DB_PASSWORD', 'yourpasswordhere'); define('AUTH_KEY', 'put your unique phrase here'); define('SECURE_AUTH_KEY', 'put your unique phrase here'); define('LOGGED_IN_KEY', 'put your unique phrase here'); define('NONCE_KEY', 'put your unique phrase here'); define('AUTH_SALT', 'put your unique phrase here'); define('SECURE_AUTH_SALT', 'put your unique phrase here'); define('LOGGED_IN_SALT', 'put your unique phrase here'); define('NONCE_SALT', 'put your unique phrase here');\nRemove default content: rm -f ~/html/license.txt rm -f ~/html/readme.html rm -f ~/html/wp-config-sample.php rm -f ~/html/wp-content/plugins/hello.php\nCreate using VI the file ~/html/.htaccess with the following content: \u0026lt;files wp-config.php\u0026gt; Order deny,allow deny from all \u0026lt;/files\u0026gt; \u0026lt;Files wp-login.php\u0026gt; AuthUserFile /dev/null AuthGroupFile /dev/null AuthName \u0026quot;Access Control\u0026quot; AuthType Basic \u0026lt;/Files\u0026gt;\nCreate using VI the file ~/html/wp-content/plugins/.htaccess with the following 
content: AuthUserFile /dev/null AuthGroupFile /dev/null AuthName \u0026quot;Access Control\u0026quot; AuthType Basic\nCreate the following folders: mkdir -p ~/html/wp-content/cache mkdir -p ~/html/wp-content/uploads mkdir -p ~/html/wp-content/upgrade\nChange the file permissions: chmod -R 777 ~/html/wp-content/cache chmod -R 777 ~/html/wp-content/uploads chmod -R 777 ~/html/wp-content/upgrade\nDownload \u0026ldquo;Login Lockdown\u0026rdquo; plugin from: http://www.bad-neighborhood.com/login-lockdown.html\nDownload \u0026ldquo;Limit Login\u0026rdquo; plugin from: http://wordpress.org/extend/plugins/limit-login-attempts/\nDownload \u0026ldquo;WP-Secure Remove Wordpress Version\u0026rdquo; plugin from: http://wordpress.org/extend/plugins/wp-secure-remove-wordpress-version/\nDownload \u0026ldquo;WP Security Scan\u0026rdquo; plugin from: http://wordpress.org/extend/plugins/wp-security-scan/\nDownload \u0026ldquo;KB Robots.txt\u0026rdquo; plugin from: http://wordpress.org/extend/plugins/kb-robotstxt/\nDownload \u0026ldquo;WordPress Firewall\u0026rdquo; plugin from: http://www.seoegghead.com/software/wordpress-firewall.seo\nCopy the \u0026ldquo;WordPress Firewall\u0026rdquo; plugin file \u0026ldquo;wordpress-firewall.php\u0026rdquo; using PSCP (or SCP) into /html/wp-content/plugins\nOpen a web browser from a client machine, and enter the URL below: http://Server_FQDN/wp-login.php\nFrom WordPress dashboard, click on \u0026ldquo;settings\u0026rdquo; -\u0026gt; make sure that \u0026ldquo;Anyone can register\u0026rdquo; is left unchecked -\u0026gt; put a new value inside the \u0026ldquo;Tagline\u0026rdquo; field -\u0026gt; click on \u0026ldquo;Save changes\u0026rdquo;.\nClick on \u0026ldquo;Save changes\u0026rdquo;.\nFrom WordPress dashboard, click on \u0026ldquo;Plugins\u0026rdquo; -\u0026gt; Add New -\u0026gt; choose \u0026ldquo;Upload\u0026rdquo; -\u0026gt; click Browse to locate the plugin -\u0026gt; click \u0026ldquo;Install Now\u0026rdquo; -\u0026gt; click 
\u0026ldquo;Proceed\u0026rdquo; -\u0026gt; click on \u0026ldquo;Activate Plugin\u0026rdquo;. Note: Install and activate all the above downloaded plugins.\nFrom WordPress dashboard, click on \u0026ldquo;settings\u0026rdquo; -\u0026gt; click on \u0026ldquo;KB Robots.txt\u0026rdquo; -\u0026gt; add the following content into the Robots.txt editor field: Disallow: /wp-* Disallow: /wp-admin Disallow: /wp-includes Disallow: /wp-content/plugins Disallow: /wp-content/cache Disallow: /wp-content/themes Disallow: /wp-login.php Disallow: /wp-register.php\nClick \u0026ldquo;Submit\u0026rdquo;.\nFrom the upper pane, click on \u0026ldquo;Log Out\u0026rdquo;.\nDelete the file /wp-admin/install.php\nIn case the server was configured with an SSL certificate, add the following line to the config.php file: define('FORCE_SSL_LOGIN', true);\n","date":"9 August 2010","externalUrl":null,"permalink":"/posts/hardening-guide-for-wordpress-3-0-for-hosted-web-sites/","section":"Posts","summary":"","title":"Hardening guide for WordPress 3.0 for hosted web sites","type":"posts"},{"content":"The Internet is about to face one of its most serious issues in its history: experts have warned that the Internet is running out of addresses, and may run out by 2011. At issue is slow adoption of a new system intended to vastly increase the available pool, further complicating matters. Currently, the web uses IPv4 (Internet Protocol version 4). 32-bit numbers are used; meaning about 4 billion addresses are available. About 94 percent of them have already been allocated. There is a new system, however, called IPv6. That uses 128-bit numbers, and the number of available addresses skyrockets. 
It is time to start migration from IPv4 to IPv6.\nHere are a couple of articles about the problem: http://www.betanews.com/article/Internet-has-less-than-a-years-worth-of-IP-addresses-left-say-experts/1279816984\nhttp://www.neowin.net/news/iana-ipv4-addresses-will-dry-up-in-a-year\nI have searched the web, and found articles about support and configuration of IPv6 on popular operating systems and applications: Microsoft Announces IPv6 Technical Preview for Windows 2000: http://www.microsoft.com/presspass/press/2000/Mar00/IPv6PR.mspx\nInstalling IPv6 on Windows XP http://forums.techarena.in/networking-security/1098260.htm\nHow IIS 6.0 Supports IPv6 (IIS 6.0) http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/1ecff3af-36c2-41b5-957a-8bcc6fac8abc.mspx?mfr=true\nChanges to IPv6 in Windows Vista and Windows Server 2008 http://technet.microsoft.com/en-us/library/bb878121.aspx\nNext Generation TCP/IP Stack in Windows Vista and Windows Server 2008 http://technet.microsoft.com/en-us/library/bb878108.aspx\nDNS Enhancements in Windows Server 2008 http://technet.microsoft.com/en-us/magazine/2008.01.cableguy.aspx\nSupport for IPv6 in Windows Server 2008 R2 and Windows 7 http://technet.microsoft.com/en-us/magazine/2009.07.cableguy.aspx\nUsing IPv6 with IIS7 http://blogs.iis.net/nazim/archive/2008/05/03/using-ipv6-with-iis7.aspx\nIPv6 Support in Exchange 2007 SP1 and SP2 http://technet.microsoft.com/en-us/library/bb629624(EXCHG.80).aspx\nRed Hat / CentOS IPv6 Network Configuration http://www.cyberciti.biz/faq/rhel-redhat-fedora-centos-ipv6-network-configuration/\nIPv6 on Fedora Core mini-HOWTO http://linux.yyz.us/ipv6-fc2-howto.html\nAdding IPv6 to Ubuntu systems http://knowledgelayer.softlayer.com/questions/468/Adding+IPv6+to+Ubuntu+systems\nEnabling IPv6 on a Network (Solaris 10) http://docs.sun.com/app/docs/doc/819-3000/ipv6-config-tasks-1?a=view\nBuilding a Linux IPv6 DNS Server http://www.linuxjournal.com/article/6541\nNetworking IPv6 User Guide for 
J2SDK/JRE 1.4 http://download.oracle.com/docs/cd/E17476_01/javase/1.4.2/docs/guide/net/ipv6_guide/index.html\nNetworking IPv6 User Guide for JDK/JRE 5.0 http://download.oracle.com/docs/cd/E17476_01/javase/1.5.0/docs/guide/net/ipv6_guide/index.html\nApache Talking IPv6 http://www.linuxjournal.com/article/5451\nHow-to IPv6 in Globus Toolkit 3 http://www.cs.ucl.ac.uk/staff/sjiang/webpage/how-to-IPv6-Globus.htm\nEnabling IPv6 Support in Nginx http://kovyrin.net/2010/01/16/enabling-ipv6-support-in-nginx/\nIPv6 Support in iOS 4 http://isc.sans.edu/diary.html?storyid=9058\nIPv6 - Cisco Systems http://www.cisco.com/en/US/products/ps6553/products_ios_technology_home.html\nCisco - IP version 6 Introduction http://ciscosystems.com/en/US/tech/tk872/tk373/tsd_technology_support_sub-protocol_home.html\nHewlett-Packard Next Generation Internet Protocol version 6 (IPv6) web sites http://h10026.www1.hp.com/netipv6/Ipv6.htm\nEMC Product Support for IPv6 http://india.emc.com/products/interoperability/ipv6.htm\nNokia IPv6 How To http://www.nokia.com/NOKIA_COM_1/About_Nokia/Press/White_Papers/pdf_files/techwhitepaper_ipv6_howto.pdf\n","date":"9 August 2010","externalUrl":null,"permalink":"/posts/ipv6-problem-and-some-solutions/","section":"Posts","summary":"","title":"IPv6 - Problem and some solutions","type":"posts"},{"content":"","date":"9 August 2010","externalUrl":null,"permalink":"/categories/sftp/","section":"Categories","summary":"","title":"Sftp","type":"categories"},{"content":"","date":"9 August 2010","externalUrl":null,"permalink":"/categories/vsftp/","section":"Categories","summary":"","title":"Vsftp","type":"categories"},{"content":"This step-by-step guide explains how to install and configure public key infrastructure, based on:\nWindows 2008 R2 Server core - offline Root CA Windows 2008 R2 domain controller Windows 2008 R2 enterprise edition - Subordinate Enterprise CA server Offline Root CA - OS installation phase\nBoot the server using Windows 2008 R2 bootable DVD. 
Specify the product ID -\u0026gt; click Next. From the installation option, choose \u0026ldquo;Windows Server 2008 R2 (Server Core Installation)\u0026rdquo; -\u0026gt; click Next. Accept the license agreement -\u0026gt; click Next. Choose \u0026ldquo;Custom (Advanced)\u0026rdquo; installation type -\u0026gt; specify the hard drive to install the operating system -\u0026gt; click Next. Allow the installation phase to continue and restart the server automatically. To login to the server for the first time, press CTRL+ALT+DELETE Choose \u0026ldquo;Administrator\u0026rdquo; account -\u0026gt; click OK to replace the account password -\u0026gt; specify complex password and confirm it -\u0026gt; press Enter -\u0026gt; Press OK. From the command prompt window, run the command below: sconfig.cmd Press \u0026ldquo;2\u0026rdquo; to replace the computer name -\u0026gt; specify new computer name -\u0026gt; click \u0026ldquo;Yes\u0026rdquo; to restart the server. To login to the server, press CTRL+ALT+DELETE -\u0026gt; specify the \u0026ldquo;Administrator\u0026rdquo; account credentials. From the command prompt window, run the command below: sconfig.cmd Press \u0026ldquo;5\u0026rdquo; to configure \u0026ldquo;Windows Update Settings\u0026rdquo; -\u0026gt; select \u0026ldquo;A\u0026rdquo; for automatic -\u0026gt; click OK. Press \u0026ldquo;6\u0026rdquo; to download and install Windows Updates -\u0026gt; choose \u0026ldquo;A\u0026rdquo; to search for all updates -\u0026gt; Choose \u0026ldquo;A\u0026rdquo; to download and install all updates -\u0026gt; click \u0026ldquo;Yes\u0026rdquo; to restart the server. To login to the server, press CTRL+ALT+DELETE -\u0026gt; specify the \u0026ldquo;Administrator\u0026rdquo; account credentials. 
From the command prompt window, run the command below: sconfig.cmd In case you need to use RDP to access and manage the server, press \u0026ldquo;7\u0026rdquo; to enable \u0026ldquo;Remote Desktop\u0026rdquo; -\u0026gt; choose \u0026ldquo;E\u0026rdquo; to enable -\u0026gt; choose either \u0026ldquo;1\u0026rdquo; or \u0026ldquo;2\u0026rdquo; according to your client settings -\u0026gt; Press OK. Press \u0026ldquo;8\u0026rdquo; to configure \u0026ldquo;Network settings\u0026rdquo; -\u0026gt; select the network adapter by its Index number -\u0026gt; press \u0026ldquo;1\u0026rdquo; to configure the IP settings -\u0026gt; choose \u0026ldquo;S\u0026rdquo; for static IP address -\u0026gt; specify the IP address, subnet mask and default gateway -\u0026gt; press \u0026ldquo;2\u0026rdquo; to configure the DNS servers -\u0026gt; click OK -\u0026gt; press \u0026ldquo;4\u0026rdquo; to return to the main menu. Press \u0026ldquo;9\u0026rdquo; to configure \u0026ldquo;Date and Time\u0026rdquo; -\u0026gt; choose the correct \u0026ldquo;date/time\u0026rdquo; and \u0026ldquo;time zone\u0026rdquo; -\u0026gt; click OK Press \u0026ldquo;11\u0026rdquo; to restart the server to make sure all settings take effect -\u0026gt; click \u0026ldquo;Yes\u0026rdquo; to restart the server. Offline Root CA - Certificate Authority server installation phase\nTo login to the server, press CTRL+ALT+DELETE -\u0026gt; specify the \u0026ldquo;Administrator\u0026rdquo; account credentials. 
Install Certificate services: start /w ocsetup.exe CertificateServices /norestart /quiet To check that the installation completed, run the command: oclist | find /i \u0026quot;CertificateServices\u0026quot; Download the file “setupca.vbs” from: http://blogs.technet.com/b/pki/archive/2009/09/18/automated-ca-installs-using-vb-script-on-windows-server-2008-and-2008r2.aspx To: C:\\Windows\\system32 Run the command below to configure the Root CA: Cscript /nologo C:\\Windows\\System32\\setupca.vbs /is /sn \u0026lt;ca_server_name\u0026gt; /sk 4096 /sp \u0026quot;RSA#Microsoft Software Key Storage Provider\u0026quot; /sa SHA256 In order to verify that the installation completed successfully, open using Notepad, the file “_SetupCA.log” located in the current running directory, and make sure the last line is: Install complete! Passed Run the command below to enable remote management of the Root CA: netsh advfirewall firewall set rule group=\u0026quot;Remote Service Management\u0026quot; new enable=yes Run the command below to stop the CertSvc service: Net stop CertSvc Run the command below to change new certificate validity period time: reg add HKLM\\SYSTEM\\CurrentControlSet\\services\\CertSvc\\Configuration\\\u0026lt;rootca_netbios_name\u0026gt; /v ValidityPeriodUnits /t REG_DWORD /d 5 /f Note: The command above should be written in one line. Run the command below to start the CertSvc service: Net start CertSvc Enterprise Subordinate CA - OS installation phase Pre-requirements:\nActive Directory (Forest functional level – Windows 2008 R2) Add “A” record for the Root CA to the Active Directory DNS. Boot the server using Windows 2008 R2 Enterprise Edition bootable DVD. Specify the product ID -\u0026gt; click Next. From the installation option, choose \u0026ldquo;Windows Server 2008 R2 Enterprise Edition Full installation\u0026rdquo; -\u0026gt; click Next. Accept the license agreement -\u0026gt; click Next. 
Choose \u0026ldquo;Custom (Advanced)\u0026rdquo; installation type -\u0026gt; specify the hard drive to install the operating system -\u0026gt; click Next. Allow the installation phase to continue and restart the server automatically. To login to the server for the first time, press CTRL+ALT+DELETE Choose \u0026ldquo;Administrator\u0026rdquo; account -\u0026gt; click OK to replace the account password -\u0026gt; specify complex password and confirm it -\u0026gt; press Enter -\u0026gt; Press OK. From the “Initial Configuration Tasks” window, configure the following settings: Set time zone Configure networking – specify static IP address, netmask, gateway, DNS Provide computer name and domain – add the server to the domain Enable Remote Desktop In order to be able to remotely manage the Root CA, run the command below: cmdkey /add:\u0026lt;RootCA_Hostname\u0026gt; /user:Administrator /pass:\u0026lt;RootCA_Admin_Password\u0026gt; Enterprise Subordinate CA - Certificate Authority server installation phase Pre-requirements:\nDNS CNAME record named \u0026ldquo;wwwca\u0026rdquo; for the Enterprise Subordinate CA. To login to the server, press CTRL+ALT+DELETE -\u0026gt; specify the credentials of account member of “Schema Admins”, “Enterprise Admins” and “Domain Admins”. Start -\u0026gt; Administrative Tools -\u0026gt; Server Manager. 
From the left pane, right click on Roles -\u0026gt; Add Roles -\u0026gt; Next -\u0026gt; select “Web Server (IIS)” -\u0026gt; click Next twice -\u0026gt; select the following role services: Web Server Common HTTP Features Static Content Default Document Directory Browsing HTTP Errors HTTP Redirection Application Development .NET Extensibility ASP ISAPI Extensions Health and Diagnostics HTTP Logging Logging Tools Tracing Request Monitor Security Windows Authentication Client Certificate Mapping Authentication IIS Client Certificate Mapping Authentication Request Filtering Performance Static Content Compression Management Tools IIS Management Console IIS Management Scripts and Tools IIS 6 Management Compatibility IIS 6 Metabase Compatibility Click Next -\u0026gt; click Install -\u0026gt; click Close. From the left pane, right click on Features -\u0026gt; Add Features -\u0026gt; Next -\u0026gt; expand “Windows Process Activation Service” -\u0026gt; select “.NET Environment” and “Configuration APIs” -\u0026gt; select the feature “.NET Framework 3.5.1 Features” -\u0026gt; click Next -\u0026gt; click Install -\u0026gt; click Close. From the left pane, right click on Roles -\u0026gt; Add Roles -\u0026gt; Next -\u0026gt; select “Active Directory Certificate Services” -\u0026gt; click Next twice -\u0026gt; select the following role services: Certification Authority Certification Authority Web Enrollment Certificate Enrollment Policy Web Service Click Next. 
Configure the following settings: Specify Setup Type: Enterprise CA Type: Subordinate CA Private Key: Create a new private key Cryptography: Cryptographic service provider (CSP): RSA#Microsoft software Key Storage Provider Key length: 2048 Hash algorithm SHA256 CA Name: Common name: specify here the subordinate server NetBIOS name Distinguished name suffix: leave the default domain settings Certificate Request: Save a certificate to file and manually send it later Certificate Database: leave the default settings Authentication Type: Windows Integrated Authentication Server Authentication Certificate: Choose and assign a certificate for SSL later Click Next twice -\u0026gt; click Install -\u0026gt; click Close. Close the Server Manager. Start -\u0026gt; Administrative Tools -\u0026gt; Certification Authority From the left pane, right click on “Certification Authority (Local)” -\u0026gt; “Retarget Certification Authority” -\u0026gt; choose “Another computer” -\u0026gt; specify the RootCA hostname -\u0026gt; click Finish. Right click on the RootCA server name -\u0026gt; Properties -\u0026gt; -\u0026gt; Extensions tab -\u0026gt; extension type: CRL Distribution Point (CDP): Uncheck \u0026ldquo;Publish Delta CRLs to this location\u0026rdquo;. Mark the line that begins with \u0026ldquo;LDAP\u0026rdquo;, and click remove. Mark the line that begins with \u0026ldquo;HTTP\u0026rdquo;, and click remove. Mark the line that begins with \u0026ldquo;file\u0026rdquo;, and click remove. Click on Add -\u0026gt; on the location, put: http://wwwca/CertEnroll/\u0026lt;RootCA_Server_Name\u0026gt;.crl Click on the line that begins with \u0026ldquo;HTTP\u0026rdquo;, and make sure the only option checked is: \u0026ldquo;Include in CDP extension of issued certificates\u0026rdquo;. 
Click on the line that begins with \u0026ldquo;C:\\Windows\u0026rdquo;, and make sure the only option checked is: \u0026ldquo;Publish CRLs to this location\u0026rdquo; Extensions tab -\u0026gt; extension type: Authority Information Access (AIA): Mark the line that begins with \u0026ldquo;LDAP\u0026rdquo;, and click remove. Mark the line that begins with \u0026ldquo;HTTP\u0026rdquo;, and click remove. Mark the line that begins with \u0026ldquo;file\u0026rdquo;, and click remove. Click on Add -\u0026gt; on the location, put: http://wwwca/CertEnroll/\u0026lt;RootCA_Server_Name\u0026gt;.crt Click OK and allow the CA server to restart its services. From the \u0026ldquo;Certification Authority\u0026rdquo; left pane, right click on \u0026ldquo;Revoked certificates\u0026rdquo;-\u0026gt; Properties: CRL publication interval: 180 days Make sure \u0026ldquo;Publish Delta CRLs\u0026rdquo; is not checked Click OK Right click on the CA name -\u0026gt; All tasks -\u0026gt; Stop service Right click on the CA name -\u0026gt; All tasks -\u0026gt; Start service Run the commands below from command line, to configure the Offline Root CA to publish in the active-directory: certutil.exe -setreg ca\\DSConfigDN \u0026quot;CN=Configuration,DC=mycompany,DC=com\u0026quot; certutil.exe -setreg ca\\DSDomainDN \u0026quot;DC=mycompany,DC=com\u0026quot; Note: Replace \u0026ldquo;DC=mycompany,DC=com\u0026rdquo; according to your domain name. From the \u0026ldquo;Certification Authority\u0026rdquo; left pane, right click on \u0026ldquo;Revoked certificates\u0026rdquo;-\u0026gt; All tasks -\u0026gt; Publish -\u0026gt; click OK. Close the \u0026ldquo;Certification Authority\u0026rdquo; snap-in and logoff the subordinate CA server. Login to a domain controller in the forest root domain, with account member of Domain Admins and Enterprise Admins. 
Copy the file below from the Offline Root CA server to a temporary folder on the domain controller: C:\\Windows\\System32\\CertSrv\\CertEnroll\\*.crt Start -\u0026gt; Administrative Tools -\u0026gt; Group Policy Management. From the left pane, expand the forest name -\u0026gt; expand Domains -\u0026gt; expand the relevant domain name -\u0026gt; right click on “Default domain policy” -\u0026gt; Edit. From the left pane, under “Computer Configuration” -\u0026gt; expand Policies -\u0026gt; expand “Windows Settings” -\u0026gt; expand “Security Settings” -\u0026gt; expand “Public Key Policies” -\u0026gt; right click on “Trusted Root Certification Authorities” -\u0026gt; Import -\u0026gt; click Next -\u0026gt; click Browse to locate the CRT file from the Root CA -\u0026gt; click Open -\u0026gt; click Next twice -\u0026gt; click Finish -\u0026gt; click OK. Logoff the domain controller. Return to the subordinate enterprise CA server. Start -\u0026gt; Administrative Tools -\u0026gt; Certification Authority. From the left pane, right click on “Certification Authority (Local)” -\u0026gt; “Retarget Certification Authority” -\u0026gt; choose “Another computer” -\u0026gt; specify the RootCA hostname -\u0026gt; click Finish. Right click on the RootCA server name -\u0026gt; All Tasks -\u0026gt; Submit new request -\u0026gt; locate the subordinate CA request file (.req) -\u0026gt; Open. Expand the RootCA server name -\u0026gt; right click on “Pending Requests” -\u0026gt; locate the subordinate CA request ID according to the date -\u0026gt; right click on the request -\u0026gt; All Tasks -\u0026gt; Issue. 
From the left pane, click on “Issued Certificates” -\u0026gt; locate the subordinate CA request ID -\u0026gt; right click on the request -\u0026gt; All Tasks -\u0026gt; “Export Binary Data” -\u0026gt; choose “Binary Certificate” -\u0026gt; click “Save binary data to a file” -\u0026gt; click OK -\u0026gt; specify location and the file name - \u0026lt;subordinate_ca_server_name_signed_certificate\u0026gt;.p7b -\u0026gt; click Save. Run the command below from command line to avoid offline CRL errors: Certutil.exe -setreg ca\\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE From the left pane, right click on “Certificate Authority” -\u0026gt; “Retarget Certification Authority” -\u0026gt; choose “Local computer” -\u0026gt; click Finish. Right click on the subordinate CA server name -\u0026gt; All Tasks -\u0026gt; “Install CA Certificate” -\u0026gt; locate the file \u0026lt;Subordinate_CA_Server_Name_Signed_Certificate\u0026gt;.p7b -\u0026gt; click Open. Right click on the subordinate CA server name -\u0026gt; All Tasks -\u0026gt; Start Service. Right click on the subordinate CA server name -\u0026gt; Properties -\u0026gt; -\u0026gt; Extensions tab -\u0026gt; extension type: CRL Distribution Point (CDP): Mark the line that begins with \u0026ldquo;HTTP\u0026rdquo; -\u0026gt; click Remove -\u0026gt; click Yes. Mark the line that begins with \u0026ldquo;file\u0026rdquo; -\u0026gt; click Remove -\u0026gt; click Yes. Click on Add -\u0026gt; on the location, put: http://wwwca/CertEnroll/\u0026lt;subordinate_CA_Server_Name\u0026gt;.crl Click on the line that begins with \u0026ldquo;HTTP\u0026rdquo;, and make sure the following options are checked: \u0026ldquo;Include in CRLs\u0026rdquo; and \u0026ldquo;Include in the CDP\u0026rdquo;. Extensions tab -\u0026gt; extension type: Authority Information Access (AIA): Mark the line that begins with \u0026ldquo;HTTP\u0026rdquo; -\u0026gt; click Remove -\u0026gt; click Yes. 
Mark the line that begins with \u0026ldquo;file\u0026rdquo; -\u0026gt; click Remove -\u0026gt; click Yes. Click on Add -\u0026gt; on the location, put: http://wwwca/CertEnroll/\u0026lt;SubordinateCA-FQDN_Subordinate_NetBIOS_Name\u0026gt;.crt Example: http://wwwca/CertEnroll/MyCA.mydomain.com_MyCA.crt Click on the line that begins with \u0026ldquo;HTTP\u0026rdquo;, and make sure the following option is checked: \u0026ldquo;Include in the AIA\u0026rdquo;. Click OK and allow the CA server to restart its services. From the \u0026ldquo;Certification Authority\u0026rdquo; left pane, right click on \u0026ldquo;Revoked certificates\u0026rdquo;-\u0026gt; All tasks -\u0026gt; Publish -\u0026gt; click OK. Close the \u0026ldquo;Certification Authority\u0026rdquo; snap-in Copy the files below from the Root CA to the subordinate CA (same location): C:\\Windows\\System32\\CertSrv\\CertEnroll\\*.crl C:\\Windows\\System32\\CertSrv\\CertEnroll\\*.crt Logoff the subordinate CA server. Login to a domain controller in the forest root domain, with account member of Domain Admins and Enterprise Admins. Copy the file below from the subordinate CA server to a temporary folder on the domain controller: C:\\Windows\\System32\\CertSrv\\CertEnroll\\*.crt – copy the newest file Start -\u0026gt; Administrative Tools -\u0026gt; Group Policy Management. From the left pane, expand the forest name -\u0026gt; expand Domains -\u0026gt; expand the relevant domain name -\u0026gt; right click on “Default domain policy” -\u0026gt; Edit. From the left pane, under “Computer Configuration” -\u0026gt; expand Policies -\u0026gt; expand “Windows Settings” -\u0026gt; expand “Security Settings” -\u0026gt; expand “Public Key Policies” -\u0026gt; right click on “Intermediate Certification Authorities” -\u0026gt; Import -\u0026gt; click Next -\u0026gt; click Browse to locate the CRT file from the subordinate CA server -\u0026gt; click Open -\u0026gt; click Next twice -\u0026gt; click Finish -\u0026gt; click OK. 
Log off the domain controller. ","date":"9 August 2010","externalUrl":null,"permalink":"/posts/windows-2008-r2-certification-authority-installation-guide/","section":"Posts","summary":"","title":"Windows 2008 R2 Certification Authority installation guide","type":"posts"},{"content":"","date":"8 August 2010","externalUrl":null,"permalink":"/categories/asa/","section":"Categories","summary":"","title":"Asa","type":"categories"},{"content":"","date":"8 August 2010","externalUrl":null,"permalink":"/categories/fwsm/","section":"Categories","summary":"","title":"Fwsm","type":"categories"},{"content":"Important note The guide below explains how to secure Cisco Firewall (PIX, ASA, FWSM). Not all commands will work on every device series or on every IOS version. It is highly recommended to test each setting in a test lab before implementing changes to production systems.\nHardening phase Configure AAA Authentication for Enable Mode (ASA, FWSM, PIX): aaa authentication enable console LOCAL\nConfigure AAA Authentication for Console and VTY Lines (ASA, FWSM, PIX): aaa authentication serial console LOCAL aaa authentication ssh console LOCAL aaa authentication http console LOCAL\nConfigure Local Password (ASA, FWSM, PIX): passwd \u0026lt;login_password\u0026gt; encrypted\nConfigure ASDM Access Control (ASA, FWSM, PIX): http \u0026lt;remote_ip_address\u0026gt; \u0026lt;remote_subnet_mask\u0026gt; \u0026lt;interface_name\u0026gt;\nConfiguring SSH (ASA, FWSM, PIX): hostname \u0026lt;device_hostname\u0026gt; domain-name \u0026lt;domain-name\u0026gt; crypto key generate rsa modulus 2048\nConfigure SSH for Remote Device Access (ASA, PIX): no telnet 0.0.0.0 0.0.0.0 \u0026lt;interface_name\u0026gt; ssh \u0026lt;remote_ip_address\u0026gt; \u0026lt;remote_subnet_mask\u0026gt; \u0026lt;interface_name\u0026gt; ssh version 2\nConfigure Timeout for Login Sessions (ASA, FWSM, PIX): console timeout 10 ssh timeout 10\nConfigure Local User and Encrypted Password (ASA, FWSM, PIX): 
username \u0026lt;local_username\u0026gt; password \u0026lt;local_password\u0026gt; encrypted\nConfigure Enable Password (ASA, FWSM, PIX): enable password \u0026lt;enable_password\u0026gt; encrypted\nDisable SNMP Read Access (ASA, FWSM, PIX): clear configure snmp-server no snmp-server host \u0026lt;interface_name\u0026gt; \u0026lt;remote_ip_address\u0026gt;\nDisable SNMP Traps (ASA, FWSM, PIX): no snmp-server enable traps all\nConfigure Clock Time Zone (ASA, PIX): clock timezone GMT \u0026lt;hours offset\u0026gt;\nDisable DHCP Server Service (ASA, FWSM, PIX): clear configure dhcpd no dhcpd enable \u0026lt;interface_name\u0026gt;\nDisable HTTP Service (ASA, FWSM, PIX) - in case it is not in use: no http server enable \u0026lt;port\u0026gt;\nConfigure Console Logging Severity Level (ASA, FWSM, PIX): logging console critical\nConfigure Timestamps in Log Messages (ASA, FWSM, PIX): logging timestamp\nConfigure AAA Flood Guard (FWSM, PIX): floodguard enable\nConfigure Fragment Chain Fragmentation Checks (ASA, FWSM, PIX): fragment chain 1 \u0026lt;interface_name\u0026gt;\nConfigure Protocol Inspection (FWSM, PIX): fixup protocol ftp \u0026lt;port\u0026gt; fixup protocol http \u0026lt;port\u0026gt; fixup protocol smtp \u0026lt;port\u0026gt;\nConfigure Protocol Inspection (ASA): inspect ftp [map_name] inspect http [map_name] inspect esmtp [map_name]\nConfigure Unicast Reverse-Path Forwarding (ASA, FWSM, PIX): interface \u0026lt;interface_id\u0026gt; ip verify reverse-path interface \u0026lt;interface_name\u0026gt; exit\nSave the changes: wr\n","date":"8 August 2010","externalUrl":null,"permalink":"/posts/hardening-guide-for-cisco-firewall-pix-asa-fwsm/","section":"Posts","summary":"","title":"Hardening guide for Cisco Firewall (PIX, ASA, FWSM)","type":"posts"},{"content":"Important note The guide below explains how to secure a Cisco router/switch. Not all commands will work on every device series (router/switch) or on every IOS version. 
It is highly recommended to test each setting in a test lab before implementing changes to production systems.\nHardening phase Configure AAA service: aaa new-model\nConfigure AAA Authentication for Login: aaa authentication login default local-case\nConfigure AAA Authentication for Enable Mode: aaa authentication enable default enable\nConfigure AAA Authentication for Local Console Line: line console 0 login authentication default exit\nConfigure AAA Authentication for VTY Lines: line vty 0 4 login authentication default exit line vty 5 15 login authentication default exit\nSet and secure passwords: service password-encryption enable secret 0 \u0026lt;password\u0026gt;\nConfigure Local User and Encrypted Password: username \u0026lt;username\u0026gt; password \u0026lt;password\u0026gt; Note: Use the following syntax for version after 12.0(18)S, 12.1(8a)E, 12.2(8)T: username \u0026lt;username\u0026gt; secret \u0026lt;password\u0026gt;\nConfigure SSH: hostname \u0026lt;device_hostname\u0026gt; domain-name \u0026lt;domain-name\u0026gt; crypto key generate rsa modulus 2048\nConfigure SSH for Remote Device Access: ip ssh timeout 60 ip ssh authentication-retries 3\nConfigure VTY Transport SSH: line console 0 transport input ssh exit line vty 0 4 transport input ssh exit line vty 5 15 transport input ssh exit\nConfigure Timeout for Login Sessions: line vty 0 4 exec-timeout 5 0 exit line vty 5 15 exec-timeout 5 0 exit\nDisable Auxiliary Port: line aux 0 no exec exec-timeout 0 10 transport input none exit\nDisable SNMP server (in-case not in use): no snmp-server\nDisable SNMP Community Strings private and public: no snmp-server community private no snmp-server community public\nConfigure Clock Timezone - GMT: clock timezone GMT \u0026lt;hours\u0026gt;\nDisable Router Name and DNS Name Resolution (in-case not in use): no ip domain-lookup\nDisable CDP Run Globally: no cdp run\nDisable PAD service (in-case not in use): no service pad\nDisable Finger Service: no service 
finger\nDisable Maintenance Operations Protocol (MOP): interface \u0026lt;interface-id\u0026gt; no mop enabled exit\nDisable DHCP server (in-case not in use): no service dhcp\nDisable IP BOOTP server (in-case not in use): no ip bootp server\nDisable Identification Service: no identd\nDisable IP HTTP Server (in-case not in use): no ip http server\nDisable Remote Startup Configuration: no boot network no service config\nConfigure TCP keepalives Services: service tcp-keepalives-in service tcp-keepalives-out\nDisable small-servers: no service tcp-small-servers no service udp-small-servers\nDisable TFTP Server: no tftp-server\nConfigure Logging: logging on logging buffered 16000 logging console critical\nConfigure Service Timestamps for Debug and Log Messages: service timestamps debug datetime msec show-timezone localtime service timestamps log datetime msec show-timezone localtime\nDisable IP source-route: no ip source-route\nDisable Directed Broadcast: interface \u0026lt;interface-id\u0026gt; no ip directed-broadcast exit\nConfigure Unicast Reverse-Path Forwarding: interface \u0026lt;interface-id\u0026gt; ip verify unicast reverse-path exit\nDisable IP Proxy ARP: interface \u0026lt;interface-id\u0026gt; no ip proxy-arp exit\nDisable Gratuitous-Arps: no ip gratuitous-arps\nConfigure switch port-security: switchport port-security switchport port-security violation shutdown switchport port-security maximum 1 switchport port-security mac-address sticky\nSave the changes: wr\n","date":"8 August 2010","externalUrl":null,"permalink":"/posts/hardening-guide-for-cisco-routers-and-switches/","section":"Posts","summary":"","title":"Hardening guide for Cisco Routers and Switches","type":"posts"},{"content":" Login to the server using Root account.\nCreate a new account: groupadd lighttpd useradd -g lighttpd -d /dev/null -s /sbin/nologin lighttpd\nMount RHEL 5.4 DVD, and move to the RPM folder: mount /dev/hdc /media cd /media/Server\nBefore compiling the Lighttpd environment, 
install the following RPM: rpm -ivh kernel-headers-2.6.18-194.el5.x86_64.rpm rpm -ivh glibc-headers-2.5-49.x86_64.rpm rpm -ivh glibc-devel-2.5-49.x86_64.rpm rpm -ivh gmp-4.1.4-10.el5.x86_64.rpm rpm -ivh libgomp-4.4.0-6.el5.x86_64.rpm rpm -ivh gcc-4.1.2-48.el5.x86_64.rpm rpm -ivh pcre-devel-6.6-2.el5_1.7.x86_64.rpm rpm -ivh e2fsprogs-devel-1.39-23.el5.x86_64.rpm rpm -ivh keyutils-libs-devel-1.2-1.el5.x86_64.rpm rpm -ivh libsepol-devel-1.15.2-3.el5.x86_64.rpm rpm -ivh libselinux-devel-1.33.4-5.5.el5.x86_64.rpm rpm -ivh krb5-devel-1.6.1-36.el5_4.1.x86_64.rpm rpm -ivh zlib-devel-1.2.3-3.x86_64.rpm rpm -ivh openssl-devel-0.9.8e-12.el5_4.6.x86_64.rpm\nDownload Lighttpd 1.4.26 from: http://www.lighttpd.net/download/\nCopy the Lighttpd 1.4.26 source files using PSCP (or SCP) into /tmp\nMove to /tmp cd /tmp\nExtract the lighttpd-1.4.26.tar.gz file: tar -zxvf lighttpd-1.4.26.tar.gz\nDownload into the folder /tmp/lighttpd-1.4.26/src, the file bellow: http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2716/raw/branches/lighttpd-1.4.x/src/network.c\nMove to the Lighttpd source folder: cd /tmp/lighttpd-1.4.26\nRun the commands bellow to compile the Lighttpd environment: ./configure --with-openssl --without-bzip2 make make install\nCreate the following folders: mkdir -p /etc/lighttpd mkdir -p /var/log/lighttpd mkdir -p /var/cache/lighttpd/compress\nCopy the lighttpd.conf file: cp /tmp/lighttpd-1.4.26/doc/lighttpd.conf /etc/lighttpd/lighttpd.conf\nUpdating Ownership and Permissions on Lighttpd folders: chown lighttpd:lighttpd /var/log/lighttpd chown lighttpd:root /etc/lighttpd/lighttpd.conf chown lighttpd:lighttpd /var/cache/lighttpd/compress chmod o-r /etc/lighttpd/lighttpd.conf chmod -R o-r /var/log/lighttpd\nCreate folder for the web content: mkdir -p /www\nUpdating Ownership and Permissions on the web content folder: chown -R root /www chmod -R 775 /www\nEdit using VI the file /etc/lighttpd/lighttpd.conf and change the following strings: From: 
server.document-root = \u0026quot;/srv/www/htdocs/\u0026quot; To: server.document-root = \u0026quot;/www\u0026quot;\nFrom: #server.bind = \u0026quot;127.0.0.1\u0026quot; To: server.bind = \u0026quot;Server_FQDN\u0026quot;\nFrom: # server.tag = \u0026quot;lighttpd\u0026quot; To: server.tag = \u0026quot;Secure Web Server\u0026quot;\nFrom: #server.username = \u0026quot;wwwrun\u0026quot; To: server.username = \u0026quot;lighttpd\u0026quot;\nFrom: #server.groupname = \u0026quot;wwwrun\u0026quot; To: server.groupname = \u0026quot;lighttpd\u0026quot;\nFrom: #dir-listing.activate = \u0026quot;enable\u0026quot; To: dir-listing.activate = \u0026quot;disable\u0026quot;\nCreate using VI, a file called /etc/sysconfig/lighttpd with the following content: LIGHTTPD_CONF_PATH=/etc/lighttpd/lighttpd.conf\nTo manually start Lighttpd use the command: /usr/local/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf\nTo start Lighttpd service at server start-up, edit using VI, the file /etc/rc.local and add the line below: /usr/local/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf\nRemove the Lighttpd source files: rm -rf /tmp/lighttpd-1.4.26 rm -f /tmp/lighttpd-1.4.26.tar.gz\nUninstall the following RPM: rpm -e gcc-4.1.2-48.el5 rpm -e libgomp-4.4.0-6.el5 rpm -e gmp-4.1.4-10.el5 rpm -e glibc-devel-2.5-49 rpm -e glibc-headers-2.5-49 rpm -e kernel-headers-2.6.18-194.el5\n","date":"8 August 2010","externalUrl":null,"permalink":"/posts/hardening-guide-for-lighttpd-1-4-26-on-redhat-5-5-64bit-edition/","section":"Posts","summary":"","title":"Hardening guide for Lighttpd 1.4.26 on RedHat 5.5 (64bit edition)","type":"posts"},{"content":" Login to the server using Root account.\nCreate a new account: groupadd nginx useradd -g nginx -d /dev/null -s /sbin/nologin nginx\nMount RHEL 5.4 DVD, and move to the RPM folder: mount /dev/hdc /media cd /media/Server\nBefore compiling the Nginx environment, install the following RPM: rpm -ivh kernel-headers-2.6.18-164.el5.x86_64.rpm rpm -ivh glibc-headers-2.5-42.x86_64.rpm 
rpm -ivh glibc-devel-2.5-42.x86_64.rpm rpm -ivh gmp-4.1.4-10.el5.x86_64.rpm rpm -ivh libgomp-4.4.0-6.el5.x86_64.rpm rpm -ivh gcc-4.1.2-46.el5.x86_64.rpm rpm -ivh pcre-devel-6.6-2.el5_1.7.x86_64.rpm rpm -ivh e2fsprogs-devel-1.39-23.el5.x86_64.rpm rpm -ivh keyutils-libs-devel-1.2-1.el5.x86_64.rpm rpm -ivh libsepol-devel-1.15.2-2.el5.x86_64.rpm rpm -ivh libselinux-devel-1.33.4-5.5.el5.x86_64.rpm rpm -ivh krb5-devel-1.6.1-36.el5.x86_64.rpm rpm -ivh zlib-devel-1.2.3-3.x86_64.rpm rpm -ivh openssl-devel-0.9.8e-12.el5.x86_64.rpm\nDownload Nginx 0.7.65 from: http://wiki.nginx.org/NginxInstall\nCopy the Nginx 0.7.65 source files using PSCP (or SCP) into /tmp\nMove to /tmp cd /tmp\nExtract the nginx-0.7.65.tar.gz file: tar -zxvf nginx-0.7.65.tar.gz\nMove to the Nginx source folder: cd /tmp/nginx-0.7.65\nEdit using VI, the file /tmp/nginx-0.7.65/src/http/ngx_http_header_filter_module.c and replace the following section, from: static char ngx_http_server_string[] = \u0026quot;Server: nginx\u0026quot; CRLF; static char ngx_http_server_full_string[] = \u0026quot;Server: \u0026quot; NGINX_VER CRLF; To: static char ngx_http_server_string[] = \u0026quot;Server: Secure Web Server\u0026quot; CRLF; static char ngx_http_server_full_string[] = \u0026quot;Server: Secure Web Server\u0026quot; CRLF;\nRun the commands bellow to compile the Nginx environment: ./configure --with-http_ssl_module --without-http_autoindex_module --without-http_ssi_module make make install\nRemove the Nginx source files: rm -rf /tmp/nginx-0.7.65 rm -f /tmp/nginx-0.7.65.tar.gz\nRemove Default Content rm -rf /usr/local/nginx/html\nUpdating Ownership and Permissions on Nginx folders: chown -R root:root /usr/local/nginx chmod 750 /usr/local/nginx/sbin/nginx chmod -R 640 /usr/local/nginx/conf chmod -R 770 /usr/local/nginx/logs\nCreate folder for the web content: mkdir -p /www\nUpdating Ownership and Permissions on the web content folder: chown -R root /www chmod -R 775 /www\nEdit using VI the file 
/usr/local/nginx/conf/nginx.conf and change the following settings: From: #user nobody; To: user nginx nginx;\nFrom: #error_log logs/error.log notice; To: error_log logs/error.log notice;\nFrom: server_name localhost; To: server_name Server_FQDN;\nFrom: root html; To: root /www;\nAdd the following sections to the end of the /usr/local/nginx/conf/nginx.conf file: server_tokens off; client_body_buffer_size 1K; client_header_buffer_size 1k; client_max_body_size 1k; large_client_header_buffers 2 1k; client_body_timeout 10; client_header_timeout 10; send_timeout 10;\nCreate using VI, the file /etc/init.d/nginx with the following content:\n#!/bin/sh\n#\n# nginx - this script starts and stops the nginx daemon\n#\n# chkconfig: - 85 15\n# description: Nginx is an HTTP(S) server, HTTP(S) reverse \\\n# proxy and IMAP/POP3 proxy server\n# processname: nginx\n# config: /etc/nginx/nginx.conf\n# config: /etc/sysconfig/nginx\n# pidfile: /var/run/nginx.pid\n\n# Source function library.\n. /etc/rc.d/init.d/functions\n\n# Source networking configuration.\n. /etc/sysconfig/network\n\n# Check that networking is up.\n[ \u0026quot;$NETWORKING\u0026quot; = \u0026quot;no\u0026quot; ] \u0026amp;\u0026amp; exit 0\n\nnginx=\u0026quot;/usr/local/nginx/sbin/nginx\u0026quot;\nprog=$(basename $nginx)\n\nNGINX_CONF_FILE=\u0026quot;/usr/local/nginx/conf/nginx.conf\u0026quot;\n\n[ -f /etc/sysconfig/nginx ] \u0026amp;\u0026amp; . /etc/sysconfig/nginx\n\nlockfile=/var/lock/subsys/nginx\n\nstart() {\n    # Exit 5 if the binary is not installed, 6 if the configuration file is missing.\n    [ -x $nginx ] || exit 5\n    [ -f $NGINX_CONF_FILE ] || exit 6\n    echo -n $\u0026quot;Starting $prog: \u0026quot;\n    daemon $nginx -c $NGINX_CONF_FILE\n    retval=$?\n    echo\n    [ $retval -eq 0 ] \u0026amp;\u0026amp; touch $lockfile\n    return $retval\n}\n\nstop() {\n    echo -n $\u0026quot;Stopping $prog: \u0026quot;\n    killproc $prog -QUIT\n    retval=$?\n    echo\n    [ $retval -eq 0 ] \u0026amp;\u0026amp; rm -f $lockfile\n    return $retval\n}\n\nrestart() {\n    # Do not stop a running server if the new configuration does not parse.\n    configtest || return $?\n    stop\n    sleep 1\n    start\n}\n\nreload() {\n    configtest || return $?\n    echo -n $\u0026quot;Reloading $prog: \u0026quot;\n    killproc $nginx -HUP\n    RETVAL=$?\n    echo\n}\n\nforce_reload() {\n    restart\n}\n\nconfigtest() {\n    $nginx -t -c $NGINX_CONF_FILE\n}\n\nrh_status() {\n    status $prog\n}\n\nrh_status_q() {\n    rh_status \u0026gt;/dev/null 2\u0026gt;\u0026amp;1\n}\n\ncase \u0026quot;$1\u0026quot; in\n    start)\n        rh_status_q \u0026amp;\u0026amp; exit 0\n        $1\n        ;;\n    stop)\n        rh_status_q || exit 0\n        $1\n        ;;\n    restart|configtest)\n        $1\n        ;;\n    reload)\n        # Exit 7 if the service is not running.\n        rh_status_q || exit 7\n        $1\n        ;;\n    force-reload)\n        force_reload\n        ;;\n    status)\n        rh_status\n        ;;\n    condrestart|try-restart)\n        rh_status_q || exit 0\n        ;;\n    *)\n        echo $\u0026quot;Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload|configtest}\u0026quot;\n        exit 2\nesac\nChange the permissions of the file /etc/init.d/nginx chmod +x /etc/init.d/nginx\nTo start Nginx service at server start-up, 
run the command: chkconfig nginx on\nTo manually start the Nginx service, use the command: /etc/init.d/nginx start\nUninstall the following RPM: rpm -e gcc-4.1.2-46.el5 rpm -e libgomp-4.4.0-6.el5 rpm -e gmp-4.1.4-10.el5 rpm -e glibc-devel-2.5-42 rpm -e glibc-headers-2.5-42 rpm -e kernel-headers-2.6.18-164.el5\n","date":"8 August 2010","externalUrl":null,"permalink":"/posts/hardening-guide-for-nginx-0-7-65-on-redhat-5-4-64bit-edition/","section":"Posts","summary":"","title":"Hardening guide for Nginx 0.7.65 on RedHat 5.4 (64bit edition)","type":"posts"},{"content":"Pre-installation notes The guide below is based on the previous guide Hardening guide for Lighttpd 1.4.26 on RedHat 5.5 (64bit edition)\nSSL implementation phase\nLogin to the server using Root account. Create folder for the SSL certificate files: mkdir -p /etc/lighttpd/ssl chmod 600 /etc/lighttpd/ssl Run the command below to generate a key pair: /usr/bin/openssl genrsa -des3 -out /etc/lighttpd/ssl/server.key 1024 Note: Specify a complex pass phrase for the private key (and document it) Run the command below to generate the CSR: /usr/bin/openssl req -new -newkey rsa:1024 -nodes -keyout /etc/lighttpd/ssl/server.key -out /tmp/lighttpd.csr Note: The command above should be written as one line. 
Send the file /tmp/lighttpd.csr to a Certificate Authority server. As soon as you receive the signed public key from the CA server via email, copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as \u0026ldquo;server.crt\u0026rdquo; Copy the file \u0026ldquo;server.crt\u0026rdquo; using SCP into /etc/lighttpd/ssl/ Combine the content of both the private key (server.key) and the public key (server.crt) into one file: cat /etc/lighttpd/ssl/server.key /etc/lighttpd/ssl/server.crt \u0026gt; /etc/lighttpd/ssl/server.pem Note: The command above should be written as one line. Remove the original server.crt file: rm -f /etc/lighttpd/ssl/server.crt Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded). Copy the file \u0026ldquo;ca-bundle.crt\u0026rdquo; using SCP into /etc/lighttpd/ssl Edit using VI the file /etc/lighttpd/lighttpd.conf and add the following strings: $SERVER[\u0026quot;socket\u0026quot;] == \u0026quot;Server_FQDN:443\u0026quot; { ssl.engine = \u0026quot;enable\u0026quot; ssl.pemfile = \u0026quot;/etc/lighttpd/ssl/server.pem\u0026quot; ssl.ca-file = \u0026quot;/etc/lighttpd/ssl/ca-bundle.crt\u0026quot; server.name = \u0026quot;Server_FQDN\u0026quot; server.document-root = \u0026quot;/www\u0026quot; server.errorlog = \u0026quot;/var/log/lighttpd/serror.log\u0026quot; accesslog.filename = \u0026quot;/var/log/lighttpd/saccess.log\u0026quot; ssl.use-sslv2 = \u0026quot;disable\u0026quot; ssl.cipher-list =\u0026quot;HIGH:!MEDIUM:!SSLv2:!LOW:!EXP:!aNULL:@STRENGTH\u0026quot; } Restart the Lighttpd service. 
","date":"8 August 2010","externalUrl":null,"permalink":"/posts/how-to-implement-ssl-on-lighttpd-1-4-26/","section":"Posts","summary":"","title":"How to implement SSL on Lighttpd 1.4.26","type":"posts"},{"content":"Pre-installation notes The guide bellow is based on the previous guide Hardening guide for Nginx 0.7.65 on RedHat 5.4 (64bit edition)\nSSL implementation phase\nLogin to the server using Root account. Create folder for the SSL certificate files: mkdir -p /usr/local/nginx/ssl chmod 600 /usr/local/nginx/ssl Run the command bellow to generate a key pair: /usr/bin/openssl genrsa -des3 -out /usr/local/nginx/ssl/server.key 1024 Specify a complex pass phrase for the private key (and document it) Run the command bellow to generate the CSR: /usr/bin/openssl req -new -newkey rsa:1024 -nodes -keyout /usr/local/nginx/ssl/server.key -out /tmp/nginx.csr Note: The command above should be written as one line. Send the file /tmp/nginx.csr to a Certificate Authority server. As soon as you receive the signed public key from the CA server via email, copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as \u0026ldquo;server.crt\u0026rdquo; Copy the file \u0026ldquo;server.crt\u0026rdquo; using SCP into /usr/local/nginx/ssl Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded). Copy the file \u0026ldquo;ca-bundle.crt\u0026rdquo; using SCP into /usr/local/nginx/ssl Combine the content of both the public key (server.crt) and the Root CA chain (ca-bundle.crt) into one file: cat /usr/local/nginx/ssl/ca-bundle.crt /usr/local/nginx/ssl/server.crt \u0026gt; /usr/local/nginx/ssl/server.pem Note: The command above should be written as one line. 
Remove the original server.crt and ca-bundle.crt files: rm -f /usr/local/nginx/ssl/server.crt rm -f /usr/local/nginx/ssl/ca-bundle.crt Edit using VI the file /usr/local/nginx/conf/nginx.conf and replace the section bellow from: # HTTPS server # #server { # listen 443; # server_name localhost; # ssl on; # ssl_certificate cert.pem; # ssl_certificate_key cert.key; # ssl_session_timeout 5m; # ssl_protocols SSLv2 SSLv3 TLSv1; # ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP; # ssl_prefer_server_ciphers on; # location / { # root html; # index index.html index.htm; # } #} To: server { listen 443; server_name Server_FQDN; ssl on; ssl_certificate /usr/local/nginx/ssl/server.pem; ssl_certificate_key /usr/local/nginx/ssl/server.key; ssl_session_timeout 5m; ssl_protocols SSLv3; ssl_ciphers HIGH:!ADH:!MD5; ssl_prefer_server_ciphers on; location / { root /www; index index.html index.htm; } } Restart the Nginx service: /etc/init.d/nginx restart ","date":"8 August 2010","externalUrl":null,"permalink":"/posts/how-to-implement-ssl-on-nginx-0-7-65/","section":"Posts","summary":"","title":"How to implement SSL on Nginx 0.7.65","type":"posts"},{"content":"","date":"8 August 2010","externalUrl":null,"permalink":"/categories/pix/","section":"Categories","summary":"","title":"Pix","type":"categories"},{"content":"","date":"8 August 2010","externalUrl":null,"permalink":"/categories/router/","section":"Categories","summary":"","title":"Router","type":"categories"},{"content":"","date":"8 August 2010","externalUrl":null,"permalink":"/categories/switch/","section":"Categories","summary":"","title":"Switch","type":"categories"},{"content":"Feel free to subscribe to one of my mailing lists:\nApplication Security Malware Security Security - Patch Management Cloud Cloud FinOps Microsoft Azure Cloud Development and Architecture Machine Learning, Deep Learning and AI Linux Hardware Messaging \u0026amp; Collaboration Scripts MSSQL Virtualization Windows 11 Windows Server 
","date":"6 August 2010","externalUrl":null,"permalink":"/posts/pages/subscription/","section":"Posts","summary":"","title":"Subscription","type":"posts"},{"content":"","date":"22 July 2010","externalUrl":null,"permalink":"/categories/backup/","section":"Categories","summary":"","title":"Backup","type":"categories"},{"content":" Login to the server using Root account.\nCreate a new account: groupadd apache useradd -g apache -d /dev/null -s /bin/false apache passwd apache passwd -l apache\nMount Solaris 10 DVD, and move to the packages folder: cd /cdrom/sol_10_1008_x86/Solaris_10/Product\nRun the command bellow to install Apache2 packages: pkgadd -d . SUNWapch2r SUNWapch2u\nRemove Default Content rm -r /var/apache2/htdocs/ rm -r /var/apache2/cgi-bin/ rm -r /var/apache2/icons/\nUpdating Ownership and Permissions on Apache2 folders: chown -R root:root /usr/apache2 chmod -R 770 /usr/apache2/bin chown -R root:root /etc/apache2 chmod -R go-r /etc/apache2 chmod -R 770 /etc/apache2 chown -R root:root /var/apache2/logs chmod -R 700 /var/apache2/logs\nCreate folder for the web content: mkdir -p /www\nUpdating Ownership and Permissions on the web content folder: chown -R root /www chmod -R 775 /www\nCopy the configuration file in-order to edit it: cp /etc/apache2/httpd.conf-example /etc/apache2/httpd.conf\nEdit using VI the file /etc/apache2/httpd.conf and change the following strings: From: # LockFile /var/apache2/logs/accept.lockTo: LockFile /var/apache2/logs/accept.lock\nFrom: User webservdTo: User apache From: Group webservdTo: Group apache From: PidFile /var/run/apache2/httpd.pidTo: PidFile /var/apache2/logs/httpd.pid From: DocumentRoot \u0026quot;/var/apache2/htdocs\u0026quot;To: DocumentRoot \u0026quot;/www\u0026quot;\nFrom: ServerSignature OnTo: ServerSignature Off HostnameLookups Off\nFrom: # ServerTokensTo: ServerTokens Prod\nFrom: ServerAdmin you@yourhost.comTo: _ServerAdmin_ [_webmaster@yourcompany.com_](mailto:webmaster@yourcompany.com)\nFrom: ServerName 
127.0.0.1 To: ServerName Server_FQDN From: Timeout 300 To: Timeout 60\nFrom: LogLevel warn To: LogLevel notice\nFrom: IndexOptions FancyIndexing VersionSort To: # IndexOptions FancyIndexing VersionSort\nFrom: ReadmeName README.html To: # ReadmeName README.html\nFrom: HeaderName HEADER.html To: # HeaderName HEADER.html\nFrom: AddIcon To: # AddIcon\nFrom: DefaultIcon /icons/unknown.gif To: # DefaultIcon /icons/unknown.gif\nFrom: Alias /icons/ \u0026quot;/var/apache2/icons/\u0026quot; To: # Alias /icons/ \u0026quot;/var/apache2/icons/\u0026quot;\nFrom: AliasMatch To: # AliasMatch\nFrom: ScriptAlias To: # ScriptAlias\nFrom: LoadModule proxy_ftp_module libexec/mod_proxy_ftp.so To: # LoadModule proxy_ftp_module libexec/mod_proxy_ftp.so\nFrom: LoadModule imap_module libexec/mod_imap.so To: # LoadModule imap_module libexec/mod_imap.so\nFrom: LoadModule cgi_module libexec/mod_cgi.so To: # LoadModule cgi_module libexec/mod_cgi.so\nFrom: LoadModule suexec_module libexec/mod_suexec.so To: # LoadModule suexec_module libexec/mod_suexec.so\nFrom: LoadModule autoindex_module libexec/mod_autoindex.so To: # LoadModule autoindex_module libexec/mod_autoindex.so\nFrom: LoadModule info_module libexec/mod_info.so To: # LoadModule info_module libexec/mod_info.so\nFrom: LoadModule status_module libexec/mod_status.so To: # LoadModule status_module libexec/mod_status.so\nFrom: LoadModule status_module libexec/mod_status.so To: # LoadModule status_module libexec/mod_status.so\nFrom: LoadModule userdir_module libexec/mod_userdir.so To: # LoadModule userdir_module libexec/mod_userdir.so\nFrom: LoadModule cern_meta_module modules/mod_cern_meta.so To: # LoadModule cern_meta_module modules/mod_cern_meta.so\nFrom: LoadModule dav_module modules/mod_dav.so To: # LoadModule dav_module modules/mod_dav.so\nFrom: \u0026lt;Directory /\u0026gt; Options FollowSymLinks AllowOverride None \u0026lt;/Directory\u0026gt; To: \u0026lt;Directory /\u0026gt; Options None AllowOverride None Order deny,allow deny from all 
\u0026lt;/Directory\u0026gt;\nFrom: \u0026lt;Directory \u0026quot;/var/apache2/htdocs\u0026quot;\u0026gt;To: \u0026lt;Directory \u0026quot;/www\u0026quot;\u0026gt; \u0026lt;Limitexcept GET POST\u0026gt; deny from all \u0026lt;/Limitexcept\u0026gt;\nFrom: Options Indexes FollowSymLinksTo: Options -FollowSymLinks -Includes -Indexes -MultiViews\nAdd the following sections to the end of the httpd.conf file: LimitRequestBody 10000 LimitRequestFields 40 LimitRequestFieldSize 100 LimitRequestLine 500\nRemove the sections bellow from the file httpd.conf \u0026lt;Directory \u0026quot;/usr/apache2/manual\u0026quot;\u0026gt; \u0026lt;Directory \u0026quot;/var/apache2/cgi-bin\u0026quot;\u0026gt;\nEdit using VI the file /usr/apache2/include/ap_release.h and change the following strings: From: #define AP_SERVER_BASEVENDOR \u0026quot;Apache Software Foundation\u0026quot;To: #define AP_SERVER_BASEVENDOR \u0026quot;Restricted server\u0026quot; From: #define AP_SERVER_BASEPRODUCT \u0026quot;Apache\u0026quot;To: #define AP_SERVER_BASEPRODUCT \u0026quot;Secure Web Server\u0026quot;\nStarting Apache from command line: /usr/apache2/bin/apachectl start\nRun the command bellow to start the Apache service at server start-up: svcadm enable apache2\n","date":"22 July 2010","externalUrl":null,"permalink":"/posts/hardening-guide-for-apache-2-0-on-solaris-10-platform/","section":"Posts","summary":"","title":"Hardening guide for Apache 2.0 on Solaris 10 platform","type":"posts"},{"content":" Login to the server using Root account.\nCreate a new account: groupadd apache useradd -g apache -d /dev/null -s /bin/false apache\nMount RHEL 5.4 DVD, and move to the RPM folder: mount /dev/hdc /media cd /media/Server\nBefore compiling the Apache environment, install the following RPM: rpm -ivh kernel-headers-2.6.18-164.el5.x86_64.rpm rpm -ivh glibc-headers-2.5-42.x86_64.rpm rpm -ivh glibc-devel-2.5-42.x86_64.rpm rpm -ivh gmp-4.1.4-10.el5.x86_64.rpm rpm -ivh libgomp-4.4.0-6.el5.x86_64.rpm rpm -ivh 
gcc-4.1.2-46.el5.x86_64.rpm rpm -ivh e2fsprogs-devel-1.39-23.el5.x86_64.rpm rpm -ivh keyutils-libs-devel-1.2-1.el5.x86_64.rpm rpm -ivh libsepol-devel-1.15.2-2.el5.x86_64.rpm rpm -ivh libselinux-devel-1.33.4-5.5.el5.x86_64.rpm rpm -ivh krb5-devel-1.6.1-36.el5.x86_64.rpm rpm -ivh zlib-devel-1.2.3-3.x86_64.rpm rpm -ivh openssl-devel-0.9.8e-12.el5.x86_64.rpm\nCopy the Httpd 2.2.15 source files using PSCP (or SCP) into /tmp\nMove to /tmp cd /tmp\nExtract the httpd-2.2.15.tar.gz file: tar -zxvf httpd-2.2.15.tar.gz\nMove to the Apache source folder: cd httpd-2.2.15\nRun the commands below to compile the Apache environment: ./configure --prefix=/usr/local/apache2 --enable-so --enable-ssl make make install\nRemove the Apache source files: rm -rf /tmp/httpd-2.2.15 rm -f /tmp/httpd-2.2.15.tar.gz\nRemove Default Content rm -rf /usr/local/apache2/cgi-bin rm -rf /usr/local/apache2/htdocs rm -rf /usr/local/apache2/icons rm -rf /usr/local/apache2/man rm -rf /usr/local/apache2/manual rm -rf /usr/local/apache2/conf/extra rm -rf /usr/local/apache2/conf/original\nUpdating Ownership and Permissions on Apache2 folders: chown root:root /usr/local/apache2/bin/apachectl chown root:root /usr/local/apache2/bin/httpd* chmod 770 /usr/local/apache2/bin/apachectl chmod 770 /usr/local/apache2/bin/httpd* chown -R root:root /usr/local/apache2 chmod -R go-r /usr/local/apache2 chown -R root:root /usr/local/apache2/logs chmod -R 700 /usr/local/apache2/logs\nCreate folder for the web content: mkdir -p /www\nUpdating Ownership and Permissions on the web content folder: chown -R root /www chmod -R 775 /www\nEdit using VI the file /usr/local/apache2/conf/httpd.conf and change the following strings: From: DocumentRoot \u0026quot;/var/www/html\u0026quot; To: DocumentRoot \u0026quot;/www\u0026quot;\nFrom: Listen 80 To: Listen Server_FQDN:80\nFrom: ServerAdmin root@localhost To: ServerAdmin webmaster@mycompany.com\nFrom: #ServerName www.example.com:80 To: ServerName Server_FQDN\nFrom: LogLevel warn To: LogLevel 
notice\nFrom: ScriptAlias /cgi-bin/ \u0026quot;/usr/local/apache2/cgi-bin/\u0026quot;To: # ScriptAlias /cgi-bin/ \u0026quot;/usr/local/apache2/cgi-bin/\u0026quot;\nFrom: \u0026lt;Directory /\u0026gt; Options FollowSymLinks AllowOverride None Order deny,allow Deny from all \u0026lt;/Directory\u0026gt;To: \u0026lt;Directory /\u0026gt; Options None AllowOverride None Order deny,allow deny from all \u0026lt;/Directory\u0026gt;\nFrom: \u0026lt;Directory \u0026quot;/usr/local/apache2/htdocs\u0026quot;\u0026gt;To: \u0026lt;Directory \u0026quot;/www\u0026quot;\u0026gt; \u0026lt;LimitExcept GET POST\u0026gt; deny from all \u0026lt;/limitexcept\u0026gt;\nFrom: Options Indexes FollowSymLinksTo: Options -FollowSymLinks -Includes -Indexes -MultiViews\nAdd the following sections to the end of the httpd.conf file: ServerSignature Off ServerTokens Prod Timeout 60 # Maximum size of the request body. LimitRequestBody 10000 # Maximum number of request headers in a request. LimitRequestFields 40 # Maximum size of request header lines. LimitRequestFieldSize 4094 # Maximum size of the request line. 
LimitRequestLine 500\nRemove the section below from the file httpd.conf: \u0026lt;Directory \u0026quot;/usr/local/apache2/cgi-bin\u0026quot;\u0026gt;\nEdit using VI the file /usr/local/apache2/include/ap_release.h and change the following strings: From: #define AP_SERVER_BASEVENDOR \u0026quot;Apache Software Foundation\u0026quot; To: #define AP_SERVER_BASEVENDOR \u0026quot;Restricted server\u0026quot;\nFrom: #define AP_SERVER_BASEPRODUCT \u0026quot;Apache\u0026quot; To: #define AP_SERVER_BASEPRODUCT \u0026quot;Secure Web Server\u0026quot;\nStarting Apache from command line: /usr/local/apache2/bin/apachectl start\nTo start Apache service at server start-up, edit using VI, the file /etc/rc.local and add the line below: /usr/local/apache2/bin/apachectl start\nUninstall the following RPM: rpm -e gcc-4.1.2-46.el5 rpm -e libgomp-4.4.0-6.el5 rpm -e gmp-4.1.4-10.el5 rpm -e glibc-devel-2.5-42 rpm -e glibc-headers-2.5-42 rpm -e kernel-headers-2.6.18-164.el5\nPrevious guides:\nHardening guide for Apache 2.0 on Solaris 10 platform How to implement SSL on Apache 2.0 ","date":"22 July 2010","externalUrl":null,"permalink":"/posts/hardening-guide-for-apache-2-2-15-on-redhat-5-4-64bit-edition/","section":"Posts","summary":"","title":"Hardening guide for Apache 2.2.15 on RedHat 5.4 (64bit edition)","type":"posts"},{"content":"OS installation phase\nBoot the server using Windows 2008 R2 bootable DVD.\nSpecify the product ID -\u0026gt; click Next.\nFrom the installation option, choose \u0026ldquo;Windows Server 2008 R2 (Server Core Installation)\u0026rdquo; -\u0026gt; click Next.\nAccept the license agreement -\u0026gt; click Next.\nChoose \u0026ldquo;Custom (Advanced)\u0026rdquo; installation type -\u0026gt; specify the hard drive to install the operating system -\u0026gt; click Next.\nAllow the installation phase to continue and restart the server automatically.\nTo login to the server for the first time, press CTRL+ALT+DELETE\nChoose \u0026ldquo;Administrator\u0026rdquo; account 
-\u0026gt; click OK to replace the account password -\u0026gt; specify complex password and confirm it -\u0026gt; press Enter -\u0026gt; Press OK.\nFrom the command prompt window, run the command below: sconfig.cmd\nPress \u0026ldquo;2\u0026rdquo; to replace the computer name -\u0026gt; specify new computer name -\u0026gt; click \u0026ldquo;Yes\u0026rdquo; to restart the server.\nTo login to the server, press CTRL+ALT+DELETE -\u0026gt; specify the \u0026ldquo;Administrator\u0026rdquo; account credentials.\nFrom the command prompt window, run the command below: sconfig.cmd\nPress \u0026ldquo;5\u0026rdquo; to configure \u0026ldquo;Windows Update Settings\u0026rdquo; -\u0026gt; select \u0026ldquo;A\u0026rdquo; for automatic -\u0026gt; click OK.\nPress \u0026ldquo;6\u0026rdquo; to download and install Windows Updates -\u0026gt; choose \u0026ldquo;A\u0026rdquo; to search for all updates -\u0026gt; Choose \u0026ldquo;A\u0026rdquo; to download and install all updates -\u0026gt; click \u0026ldquo;Yes\u0026rdquo; to restart the server.\nTo login to the server, press CTRL+ALT+DELETE -\u0026gt; specify the \u0026ldquo;Administrator\u0026rdquo; account credentials.\nFrom the command prompt window, run the command below: sconfig.cmd\nIn case you need to use RDP to access and manage the server, press \u0026ldquo;7\u0026rdquo; to enable \u0026ldquo;Remote Desktop\u0026rdquo; -\u0026gt; choose \u0026ldquo;E\u0026rdquo; to enable -\u0026gt; choose either \u0026ldquo;1\u0026rdquo; or \u0026ldquo;2\u0026rdquo; according to your client settings -\u0026gt; Press OK.\nPress \u0026ldquo;8\u0026rdquo; to configure \u0026ldquo;Network settings\u0026rdquo; -\u0026gt; select the network adapter by its Index number -\u0026gt; press \u0026ldquo;1\u0026rdquo; to configure the IP settings -\u0026gt; choose \u0026ldquo;S\u0026rdquo; for static IP address -\u0026gt; specify the IP address, subnet mask and default gateway -\u0026gt; press \u0026ldquo;2\u0026rdquo; to configure the DNS servers 
-\u0026gt; click OK -\u0026gt; press \u0026ldquo;4\u0026rdquo; to return to the main menu.\nPress \u0026ldquo;9\u0026rdquo; to configure \u0026ldquo;Date and Time\u0026rdquo; -\u0026gt; choose the correct \u0026ldquo;date/time\u0026rdquo; and \u0026ldquo;time zone\u0026rdquo; -\u0026gt; click OK\nPress \u0026ldquo;11\u0026rdquo; to restart the server to make sure all settings take effect -\u0026gt; click \u0026ldquo;Yes\u0026rdquo; to restart the server.\nWeb server installation phase\nTo login to the server, press CTRL+ALT+DELETE -\u0026gt; specify the \u0026ldquo;Administrator\u0026rdquo; account credentials. For minimal installation of IIS7.5 features, run the command below from command prompt: start /w pkgmgr /l:log.etw /iu:IIS-WebServerRole;WAS-WindowsActivationService;WAS-ProcessModel;WAS-NetFxEnvironment;WAS-ConfigurationAPI For full installation of IIS7.5 (not recommended on production environments), run the command below from command prompt: start /w PKGMGR.EXE /l:log.etw /iu:IIS-WebServerRole;IIS-WebServer;IIS-CommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;IIS-DirectoryBrowsing;IIS-HttpErrors;IIS-HttpRedirect;IIS-ApplicationDevelopment;IIS-ASP;IIS-CGI;IIS-ISAPIExtensions;IIS-ISAPIFilter;IIS-ServerSideIncludes;IIS-HealthAndDiagnostics;IIS-HttpLogging;IIS-LoggingLibraries;IIS-RequestMonitor;IIS-HttpTracing;IIS-CustomLogging;IIS-ODBCLogging;IIS-Security;IIS-BasicAuthentication;IIS-WindowsAuthentication;IIS-DigestAuthentication;IIS-ClientCertificateMappingAuthentication;IIS-IISCertificateMappingAuthentication;IIS-URLAuthorization;IIS-RequestFiltering;IIS-IPSecurity;IIS-Performance;IIS-HttpCompressionStatic;IIS-HttpCompressionDynamic;IIS-WebServerManagementTools;IIS-ManagementScriptingTools;IIS-IIS6ManagementCompatibility;IIS-Metabase;IIS-WMICompatibility;IIS-LegacyScripts;WAS-WindowsActivationService;WAS-ProcessModel;IIS-FTPServer;IIS-FTPSvc;IIS-FTPExtensibility;IIS-WebDAV;IIS-ASPNET;IIS-NetFxExtensibility;WAS-NetFxEnvironment;WAS-ConfigurationAPI;
IIS-ManagementService;MicrosoftWindowsPowerShell For full installation of IIS7.5, including .NET framework (not recommended on production environments), run the command below from command prompt: start /w PKGMGR.EXE /l:log.etw /iu:IIS-WebServerRole;IIS-WebServer;IIS-CommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;IIS-DirectoryBrowsing;IIS-HttpErrors;IIS-HttpRedirect;IIS-ApplicationDevelopment;IIS-ASP;IIS-CGI;IIS-ISAPIExtensions;IIS-ISAPIFilter;IIS-ServerSideIncludes;IIS-HealthAndDiagnostics;IIS-HttpLogging;IIS-LoggingLibraries;IIS-RequestMonitor;IIS-HttpTracing;IIS-CustomLogging;IIS-ODBCLogging;IIS-Security;IIS-BasicAuthentication;IIS-WindowsAuthentication;IIS-DigestAuthentication;IIS-ClientCertificateMappingAuthentication;IIS-IISCertificateMappingAuthentication;IIS-URLAuthorization;IIS-RequestFiltering;IIS-IPSecurity;IIS-Performance;IIS-HttpCompressionStatic;IIS-HttpCompressionDynamic;IIS-WebServerManagementTools;IIS-ManagementScriptingTools;IIS-IIS6ManagementCompatibility;IIS-Metabase;IIS-WMICompatibility;IIS-LegacyScripts;WAS-WindowsActivationService;WAS-ProcessModel;IIS-FTPServer;IIS-FTPSvc;IIS-FTPExtensibility;IIS-WebDAV;IIS-ASPNET;IIS-NetFxExtensibility;WAS-NetFxEnvironment;WAS-ConfigurationAPI;IIS-ManagementService;MicrosoftWindowsPowerShell;NetFx2-ServerCore;NetFx2-ServerCore-WOW64 Create a new folder for the WWW content, in a different partition than the operating system, for example: md D:\\WWW Copy the content of the web site to the newly created folder. Use the Cacls.exe command to configure the required NTFS permissions for the new WWW folder (according to the principle of least privilege). 
Run the command below to configure IIS metadata to use the new folder: %windir%\\system32\\inetsrv\\appcmd set vdir \u0026quot;Default Web Site/\u0026quot; -physicalPath:D:\\WWW Create a new folder for the LogFiles content, in a different partition than the operating system, for example: md D:\\LogFiles Use the Cacls.exe command to configure the required NTFS permissions for the new LogFiles folder (according to the principle of least privilege). Run the commands below to configure IIS metadata to use the new folder: %windir%\\system32\\inetsrv\\appcmd set config -section:system.applicationHost/sites -siteDefaults.logfile.directory:\u0026quot;D:\\LogFiles\u0026quot; %windir%\\system32\\inetsrv\\appcmd set config -section:system.applicationHost/log -centralBinaryLogFile.directory:\u0026quot;D:\\LogFiles\u0026quot; %windir%\\system32\\inetsrv\\appcmd set config -section:system.applicationHost/log -centralW3CLogFile.directory:\u0026quot;D:\\LogFiles\u0026quot; Run the command below to configure the newly created WWW folder for service packs and other installers: reg add HKLM\\Software\\Microsoft\\inetstp /v PathWWWRoot /t REG_SZ /d D:\\WWW ","date":"22 July 2010","externalUrl":null,"permalink":"/posts/hardening-guide-for-iis-7-5-on-windows-2008-r2-server-core-platform/","section":"Posts","summary":"","title":"Hardening guide for IIS 7.5 on Windows 2008 R2 server core platform","type":"posts"},{"content":" Login to the server using Root account. 
Create a new account: groupadd mysql useradd -d /dev/null -g mysql -s /bin/false mysql Download MySQL server and client RPM from: http://download.softagency.net/MySQL/Downloads/MySQL-5.1/ Copy the MySQL 5.1.47 source files using PSCP (or SCP) into /tmp Move to /tmp: cd /tmp Install the MySQL packages: rpm -ivh MySQL-server-community-5.1.47-1.rhel5.x86_64.rpm rpm -ivh MySQL-client-community-5.1.47-1.rhel5.x86_64.rpm Delete the MySQL source files: rm -f /tmp/MySQL-server-community-5.1.47-1.rhel5.x86_64.rpm rm -f /tmp/MySQL-client-community-5.1.47-1.rhel5.x86_64.rpm Run the commands below to set ownership and permissions: chown -R root /usr/bin/mysql* chown -R mysql:root /var/lib/mysql chmod -R go-rwx /var/lib/mysql mkdir -p /var/log/mysql chown -R mysql:root /var/log/mysql Run the command below to copy the main configuration file: cp /usr/share/mysql/my-medium.cnf /etc/my.cnf Run the commands below to remove default folder: rm -rf /var/lib/mysql/test rm -f /usr/share/mysql/*.cnf Run the command below to set ownership and permissions for my.cnf file: chown root /etc/my.cnf chmod 644 /etc/my.cnf Edit using VI, the file /etc/my.cnf Add the strings below under the [mysqld] section: pid-file = /var/lib/mysql/mysqld.pid log = /var/log/mysql/mysql.log bind-address = 127.0.0.1 Add the section below: [safe_mysqld] err-log = /var/log/mysql/mysql.err Run the command below to restart the target server: reboot Login to the server using Root account. Run the commands below to set password for the MySQL root user: /usr/bin/mysqladmin -u root password 'new-password' /usr/bin/mysqladmin -u root -h hostname password 'new-password' Note 1: Specify complex password (at least 14 characters) and document it. Note 2: Replace “hostname” with the server FQDN (DNS name) Run the command below to login to the MySQL: /usr/bin/mysql -uroot -pnew-password Note: Replace the string “new-password” with the actual password for the root account. 
Run the following commands from the MySQL prompt: use mysql; DELETE FROM mysql.user WHERE user = ''; DELETE FROM mysql.user WHERE user = 'root' AND host = '%'; DELETE FROM mysql.user WHERE User='root' AND Host!='localhost'; DROP DATABASE test; DELETE FROM mysql.db WHERE Db='test' OR Db='test\\\\_%'; FLUSH PRIVILEGES; quit Run the command below to stop the MySQL service: /etc/init.d/mysql stop Run the command below to start the MySQL service: /etc/init.d/mysql start ","date":"22 July 2010","externalUrl":null,"permalink":"/posts/hardening-guide-for-mysql-5-1-47-on-redhat-5-4-64bit-edition/","section":"Posts","summary":"","title":"Hardening guide for MySQL 5.1.47 on RedHat 5.4 (64bit edition)","type":"posts"},{"content":"Pre-installation notes The guide below is based on the previous guides:\nHardening guide for Apache 2.2.15 on RedHat 5.4 (64bit edition) Hardening guide for MySQL 5.1.47 on RedHat 5.4 (64bit edition) Installation and configuration phase\nLogin to the server using Root account.\nBefore compiling the PHP environment, install the following RPM from the RHEL 5.4 (64bit) DVD source folder: rpm -ivh kernel-headers-2.6.18-164.el5.x86_64.rpm rpm -ivh glibc-headers-2.5-42.x86_64.rpm rpm -ivh glibc-devel-2.5-42.x86_64.rpm rpm -ivh gmp-4.1.4-10.el5.x86_64.rpm rpm -ivh libgomp-4.4.0-6.el5.x86_64.rpm rpm -ivh gcc-4.1.2-46.el5.x86_64.rpm rpm -ivh libxml2-2.6.26-2.1.2.8.x86_64.rpm rpm -ivh zlib-devel-1.2.3-3.x86_64.rpm rpm -ivh libxml2-devel-2.6.26-2.1.2.8.x86_64.rpm\nDownload MySQL development RPM from: http://download.softagency.net/MySQL/Downloads/MySQL-5.1/\nDownload PHP 5.3.2 source files from: http://php.net/downloads.php\nCopy the MySQL development RPM using PSCP (or SCP) into /tmp\nCopy the PHP 5.3.2 source files using PSCP (or SCP) into /tmp\nMove to /tmp: cd /tmp\nInstall the MySQL development RPM: rpm -ivh MySQL-devel-community-5.1.47-1.rhel5.x86_64.rpm\nRemove MySQL development RPM: rm -f MySQL-devel-community-5.1.47-1.rhel5.x86_64.rpm\nExtract the 
php-5.3.2.tar.gz file: tar -zxvf php-5.3.2.tar.gz\nMove to the PHP source folder: cd /tmp/php-5.3.2\nRun the commands below to compile the PHP environment: ./configure --with-mysql=/var/lib/mysql --with-libdir=lib64 --prefix=/usr/local/apache2 --with-apxs2=/usr/local/apache2/bin/apxs --with-openssl --with-zlib make make install\nEdit using VI, the file /usr/local/apache2/conf/httpd.conf Make sure the following string exists at the end of the LoadModule section: LoadModule php5_module modules/libphp5.so Add the following string, to the end of the AddType section: AddType application/x-httpd-php .php Replace the line from: DirectoryIndex index.html To: DirectoryIndex index.php index.html index.htm\nCopy the PHP.ini file: cp /tmp/php-5.3.2/php.ini-development /etc/php.ini\nChange the permissions on the php.ini file: chmod 640 /etc/php.ini\nEdit using VI, the file /etc/php.ini and replace the following values: From: mysql.default_host = To: mysql.default_host = 127.0.0.1:3306\nFrom: allow_url_fopen = On To: allow_url_fopen = Off\nFrom: expose_php = On To: expose_php = Off\nFrom: memory_limit = 128M To: memory_limit = 8M\nFrom: ;open_basedir = To: open_basedir = \u0026quot;/www\u0026quot;\nFrom: post_max_size = 8M To: post_max_size = 2M\nFrom: upload_max_filesize = 2M To: upload_max_filesize = 1M\nFrom: disable_functions = To: disable_functions = fpassthru,crack_check,crack_closedict,crack_getlastmessage,crack_opendict, psockopen,php_ini_scanned_files,shell_exec,chown,hell-exec,dl,ctrl_dir,phpini,tmp,safe_mode,systemroot,server_software, get_current_user,HTTP_HOST,ini_restore,popen,pclose,exec,suExec,passthru,proc_open,proc_nice,proc_terminate, proc_get_status,proc_close,pfsockopen,leak,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid, posix_setsid,posix_setuid,escapeshellcmd,escapeshellarg,posix_ctermid,posix_getcwd,posix_getegid,posix_geteuid,posix_getgid,posix_getgrgid, posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid, 
posix_getppid,posix_getpwnam,posix_getpwuid,posix_getrlimit,system,posix_getsid,posix_getuid,posix_isatty, posix_setegid,posix_seteuid,posix_setgid,posix_times,posix_ttyname,posix_uname,posix_access,posix_get_last_error,posix_mknod, posix_strerror,posix_initgroups,posix_setsid,posix_setuid\nFrom: ;include_path = \u0026quot;.:/php/includes\u0026quot; To: include_path = \u0026quot;/usr/local/lib/php:/usr/local/apache2/include/php\u0026quot;\nFrom: display_errors = On To: display_errors = Off\nFrom: display_startup_errors = On To: display_startup_errors = Off\nRun the commands below to restart the Apache service: /usr/local/apache2/bin/apachectl stop /usr/local/apache2/bin/apachectl start\nRemove the PHP source and test files: rm -rf /tmp/php-5.3.2 rm -f /tmp/php-5.3.2.tar.gz rm -rf /usr/local/apache2/lib/php/test rm -rf /usr/local/lib/php/test\nUninstall the following RPM: rpm -e libxml2-devel-2.6.26-2.1.2.8 rpm -e gcc-4.1.2-46.el5 rpm -e libgomp-4.4.0-6.el5 rpm -e gmp-4.1.4-10.el5 rpm -e glibc-devel-2.5-42 rpm -e glibc-headers-2.5-42 rpm -e kernel-headers-2.6.18-164.el5\n","date":"22 July 2010","externalUrl":null,"permalink":"/posts/hardening-guide-for-php-5-3-2-on-apache-2-2-15-mysql-5-1-47-rhel-5-4/","section":"Posts","summary":"","title":"Hardening guide for PHP 5.3.2 on Apache 2.2.15 / MySQL 5.1.47 (RHEL 5.4)","type":"posts"},{"content":"Pre-installation notes This guide instructs how to install SUN JDK 1.6 build 15 and Tomcat 5.5 on SUN Solaris 10.\nInstallation phase\nLogin to the server using Root account. 
Make sure the folder /usr/jdk exists: ls -ad /usr/jdk If the folder /usr/jdk doesn’t exist, manually create it: mkdir /usr/jdk Copy JDK 1.6 scripts (32bit and x64) into /usr/jdk Move to /usr/jdk folder: cd /usr/jdk Change the permissions on the JDK 1.6 (32bit) script: chmod +x jdk-6u15-solaris-i586.sh Run the command below to install JDK 1.6 (32bit): ./jdk-6u15-solaris-i586.sh Change the permissions on the JDK 1.6 (x64) script: chmod +x jdk-6u15-solaris-x64.sh Run the command below to install JDK 1.6 (x64): ./jdk-6u15-solaris-x64.sh Delete the JDK 1.6 installation scripts and samples: rm /usr/jdk/jdk-6u15-solaris-i586.sh rm /usr/jdk/jdk-6u15-solaris-x64.sh rm /usr/jdk/jdk1.6.0_15/src.zip rm -r /usr/jdk/jdk1.6.0_15/demo rm -r /usr/jdk/jdk1.6.0_15/sample Remove the link for the Java: rm /usr/bin/java Create new link for the Java (for x64 servers): ln -s /usr/jdk/jdk1.6.0_15/bin/amd64/java /usr/bin Reload the links into memory: rehash Mount Solaris 10 DVD, and move to the packages folder: cd /cdrom/sol_10_1008_x86/Solaris_10/Product Run the command below to install Tomcat packages: pkgadd -d . SUNWtcatr SUNWtcatu Remove the following default folders: rm -r /usr/apache/tomcat55/webapps/tomcat-docs rm /var/apache/tomcat55/webapps/tomcat-docs rm /var/apache/tomcat55/webapps/ROOT/RELEASE-NOTES.txt rm -r /var/apache/tomcat55/webapps/jsp-examples rm -r /var/apache/tomcat55/webapps/servlets-examples rm -r /var/apache/tomcat55/webapps/webdav rm -r /var/apache/tomcat55/webapps/balancer Copy the server.xml configuration file: cp /var/apache/tomcat55/conf/server.xml-example /var/apache/tomcat55/conf/server.xml Note: The above command should be written as one line. 
Edit using VI, the file /var/apache/tomcat55/conf/server.xml Uncomment the section below: org.apache.catalina.valves.AccessLogValve Replace the non-SSL HTTP/1.1 Connector: From: \u0026lt;!-- Define a non-SSL HTTP/1.1 Connector on port 8080 --\u0026gt; \u0026lt;Connector port=\u0026quot;8080\u0026quot; maxThreads=\u0026quot;150\u0026quot; minSpareThreads=\u0026quot;25\u0026quot; maxSpareThreads=\u0026quot;75\u0026quot; enableLookups=\u0026quot;false\u0026quot; redirectPort=\u0026quot;8443\u0026quot; acceptCount=\u0026quot;100\u0026quot; connectionTimeout=\u0026quot;20000\u0026quot; disableUploadTimeout=\u0026quot;true\u0026quot; /\u0026gt; To: \u0026lt;!-- Define a non-SSL HTTP/1.1 Connector on port 8080 --\u0026gt; \u0026lt;Connector port=\u0026quot;8080\u0026quot; debug=\u0026quot;off\u0026quot; maxThreads=\u0026quot;150\u0026quot; minSpareThreads=\u0026quot;25\u0026quot; maxSpareThreads=\u0026quot;75\u0026quot; enableLookups=\u0026quot;false\u0026quot; redirectPort=\u0026quot;8443\u0026quot; acceptCount=\u0026quot;100\u0026quot; connectionTimeout=\u0026quot;20000\u0026quot; disableUploadTimeout=\u0026quot;true\u0026quot; tcpNoDelay=\u0026quot;true\u0026quot; /\u0026gt; Edit using VI, the file /var/apache/tomcat55/conf/web.xml and add the following sections, before the end of the “web-app” tag: \u0026lt;!-- Define a Security Constraint on this Application --\u0026gt; \u0026lt;security-constraint\u0026gt; \u0026lt;web-resource-collection\u0026gt; \u0026lt;web-resource-name\u0026gt;HTMLManager and Manager command\u0026lt;/web-resource-name\u0026gt; \u0026lt;url-pattern\u0026gt;/jmxproxy/*\u0026lt;/url-pattern\u0026gt; \u0026lt;url-pattern\u0026gt;/html/*\u0026lt;/url-pattern\u0026gt; \u0026lt;url-pattern\u0026gt;/list\u0026lt;/url-pattern\u0026gt; \u0026lt;url-pattern\u0026gt;/sessions\u0026lt;/url-pattern\u0026gt; \u0026lt;url-pattern\u0026gt;/start\u0026lt;/url-pattern\u0026gt; \u0026lt;url-pattern\u0026gt;/stop\u0026lt;/url-pattern\u0026gt; 
\u0026lt;url-pattern\u0026gt;/install\u0026lt;/url-pattern\u0026gt; \u0026lt;url-pattern\u0026gt;/remove\u0026lt;/url-pattern\u0026gt; \u0026lt;url-pattern\u0026gt;/deploy\u0026lt;/url-pattern\u0026gt; \u0026lt;url-pattern\u0026gt;/undeploy\u0026lt;/url-pattern\u0026gt; \u0026lt;url-pattern\u0026gt;/reload\u0026lt;/url-pattern\u0026gt; \u0026lt;url-pattern\u0026gt;/save\u0026lt;/url-pattern\u0026gt; \u0026lt;url-pattern\u0026gt;/serverinfo\u0026lt;/url-pattern\u0026gt; \u0026lt;url-pattern\u0026gt;/status/*\u0026lt;/url-pattern\u0026gt; \u0026lt;url-pattern\u0026gt;/roles\u0026lt;/url-pattern\u0026gt; \u0026lt;url-pattern\u0026gt;/resources\u0026lt;/url-pattern\u0026gt; \u0026lt;/web-resource-collection\u0026gt; \u0026lt;auth-constraint\u0026gt; \u0026lt;role-name\u0026gt;manager\u0026lt;/role-name\u0026gt; \u0026lt;/auth-constraint\u0026gt; \u0026lt;/security-constraint\u0026gt; Edit using VI, the file /var/apache/tomcat55/conf/tomcat-users.xml and add the following lines: \u0026lt;role rolename=\u0026quot;admin\u0026quot;/\u0026gt; \u0026lt;role rolename=\u0026quot;manager\u0026quot;/\u0026gt; \u0026lt;user roles=\u0026quot;admin,manager\u0026quot; password=\u0026quot;adminpass\u0026quot; username=\u0026quot;admin\u0026quot;/\u0026gt; Note: Specify complex password for the admin account (and document it). Edit using VI, the file /var/apache/tomcat55/conf/Catalina/localhost/admin.xml Uncomment the section below: org.apache.catalina.valves.RemoteAddrValve Replace the data of the value below: From: allow=\u0026quot;127.0.0.1\u0026quot; To: allow=\u0026quot;172.16.*.*\u0026quot; Note: You may replace “172.16.*.*” with internal network segment. 
Example: allow=\u0026ldquo;128.117.140.62, 128.117.140.63, 128.117.140.99\u0026rdquo; Edit using VI, the file /var/apache/tomcat55/conf/Catalina/localhost/manager.xml Inside the “Context” section, add the following line: \u0026lt;Valve allow=\u0026quot;172.16.*.*\u0026quot; className=\u0026quot;org.apache.catalina.valves.RemoteAddrValve\u0026quot;/\u0026gt; Note: You may replace “172.16.*.*” with internal network segment. Example: allow=\u0026ldquo;128.117.140.62, 128.117.140.63, 128.117.140.99\u0026rdquo; Move to the folder /usr/apache/tomcat55/server/lib: cd /usr/apache/tomcat55/server/lib Extract the file ServerInfo.properties from catalina.jar: jar xf catalina.jar org/apache/catalina/util/ServerInfo.properties Edit using VI, the file /usr/apache/tomcat55/server/lib/org/apache/catalina/util/ServerInfo.properties Replace the string below from: server.info=Apache Tomcat/5.5.26 To: server.info=Secure Web server Replace the string below from: server.number=5.5.26.0 To: server.number=1.0.0.0 Move to the folder /usr/apache/tomcat55/server/lib: cd /usr/apache/tomcat55/server/lib Repackage the file catalina.jar: jar uf catalina.jar org/apache/catalina/util/ServerInfo.properties Remove the folder below: rm -r /usr/apache/tomcat55/server/lib/org Create a user account for the Tomcat service: mkdir /home/tomcat groupadd tomcat useradd -s /bin/sh -d /home/tomcat -g tomcat tomcat chown tomcat:tomcat /home/tomcat/ passwd tomcat passwd -l tomcat Create using VI, the file /etc/init.d/tomcat with the following content: #!/bin/sh # # Startup script for Tomcat # case \u0026quot;$1\u0026quot; in start) echo -n \u0026quot;Starting Tomcat\u0026quot; JAVA_HOME=\u0026quot;/usr/jdk/jdk1.6.0_15\u0026quot; ; export JAVA_HOME \u0026amp;\u0026amp; su - tomcat -c /usr/apache/tomcat55/bin/startup.sh -security ;; stop) echo -n \u0026quot;Stopping Tomcat\u0026quot; JAVA_HOME=\u0026quot;/usr/jdk/jdk1.6.0_15\u0026quot; ; export JAVA_HOME \u0026amp;\u0026amp; su - tomcat -c /usr/apache/tomcat55/bin/shutdown.sh 
;; restart) $0 stop $0 start ;; *) echo \u0026quot;Usage: $0 {start|stop|restart}\u0026quot; exit 1 esac Change the permissions on the file /etc/init.d/tomcat: chmod u+x /etc/init.d/tomcat Create soft links (symbolic links) for system level startup: ln -s /etc/init.d/tomcat /etc/rc3.d/K01tomcat ln -s /etc/init.d/tomcat /etc/rc3.d/S99tomcat Reload the links into memory: rehash Change ownership of all server files to the tomcat user: chown -R tomcat:tomcat /var/apache/tomcat55/* chown -R tomcat:tomcat /usr/apache/tomcat55/* ","date":"22 July 2010","externalUrl":null,"permalink":"/posts/hardening-guide-for-tomcat-5-5-on-solaris-10-platform/","section":"Posts","summary":"","title":"Hardening guide for Tomcat 5.5 on Solaris 10 platform","type":"posts"},{"content":"Pre-installation notes The guide below is based on the previous guides:\nHardening guide for Apache 2.2.15 on RedHat 5.4 (64bit edition) Hardening guide for MySQL 5.1.47 on RedHat 5.4 (64bit edition) Hardening guide for PHP 5.3.2 on Apache 2.2.15 / MySQL 5.1.47 (RHEL 5.4) Installation and configuration phase\nLogin to the server using Root account. Create a new account for uploading files using SSH: groupadd sshaccount useradd -g sshaccount -d /home/sshaccount -m sshaccount Run the command below to switch to the SSH account: su sshaccount Run the command below to generate SSH keys: ssh-keygen Note: Leave default values for the ssh-keygen. Copy the SSH keys: cp /home/sshaccount/.ssh/id_rsa.pub /home/sshaccount/.ssh/authorized_keys Change permissions for the SSH keys: chmod 755 /home/sshaccount/.ssh chmod 644 /home/sshaccount/.ssh/* Exit the SSH account shell and return to the Root account: exit Run the command below to login to the MySQL: /usr/bin/mysql -uroot -pnew-password Note: Replace the string “new-password” with the actual password for the root account. 
Run the following commands from the MySQL prompt: CREATE USER 'blgusr'@'localhost' IDENTIFIED BY 'password2'; SET PASSWORD FOR 'blgusr'@'localhost' = OLD_PASSWORD('password2'); CREATE DATABASE m6gf42s; GRANT ALL PRIVILEGES ON m6gf42s.* TO \u0026quot;blgusr\u0026quot;@\u0026quot;localhost\u0026quot; IDENTIFIED BY \u0026quot;password2\u0026quot;; FLUSH PRIVILEGES; quit Note 1: Replace “blgusr” with your own MySQL account to access the database. Note 2: Replace “password2” with complex password (at least 14 characters). Note 3: Replace “m6gf42s” with your own WordPress database name. Download WordPress 2.9.2 from: http://wordpress.org/download Copy the WordPress 2.9.2 source files using PSCP (or SCP) into /www Move to /www: cd /www Extract the wordpress-2.9.2.tar.gz file: tar -zxvf wordpress-2.9.2.tar.gz Remove WordPress source file: rm -f /www/wordpress-2.9.2.tar.gz Create using VI the file /www/config.php with the following content: \u0026lt;?php define('DB_NAME', 'm6gf42s'); define('DB_USER', 'blgusr'); define('DB_PASSWORD', 'password2'); define('DB_HOST', '127.0.0.1'); $table_prefix = 'm6gf42s_'; define('AUTH_KEY', 'put your unique phrase here'); define('SECURE_AUTH_KEY', 'put your unique phrase here'); define('LOGGED_IN_KEY', 'put your unique phrase here'); define('NONCE_KEY', 'put your unique phrase here'); define('FS_METHOD', 'direct'); define('FS_CHMOD_DIR', 0777); define('FS_CHMOD_FILE', 0777); define('FTP_BASE', '/www/wordpress/'); define('FTP_CONTENT_DIR', '/www/wordpress/wp-content/'); define('FTP_PLUGIN_DIR', '/www/wordpress/wp-content/plugins/'); define('FTP_PUBKEY', '/home/sshaccount/.ssh/id_rsa.pub'); define('FTP_PRIKEY', '/home/sshaccount/.ssh/id_rsa'); define('FTP_USER', 'sshaccount'); define('FTP_HOST', '127.0.0.1:22'); ?\u0026gt; Note 1: Make sure there are no spaces, newlines, or other strings before an opening \u0026lsquo;\u0026lt;?php\u0026rsquo; tag or after a closing \u0026lsquo;?\u0026gt;\u0026rsquo; tag. 
Note 2: Replace “blgusr” with your own MySQL account to access the database. Note 3: Replace “password2” with complex password (at least 14 characters). Note 4: Replace “m6gf42s” with your own WordPress database name. Note 5: In order to generate random values for the AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY, use the web site below: http://api.wordpress.org/secret-key/1.1/ Copy the wp-config.php file: cp /www/wordpress/wp-config-sample.php /www/wordpress/wp-config.php Edit using VI, the file /www/wordpress/wp-config.php Add the following line: include('/www/config.php'); Remove the following sections: define('DB_NAME', 'putyourdbnamehere'); define('DB_USER', 'usernamehere'); define('DB_PASSWORD', 'yourpasswordhere'); define('DB_HOST', 'localhost'); $table_prefix = 'wp_'; define('AUTH_KEY', 'put your unique phrase here'); define('SECURE_AUTH_KEY', 'put your unique phrase here'); define('LOGGED_IN_KEY', 'put your unique phrase here'); define('NONCE_KEY', 'put your unique phrase here'); Remove default content: rm -f /www/wordpress/license.txt rm -f /www/wordpress/readme.html rm -f /www/wordpress/wp-config-sample.php rm -f /www/wordpress/wp-content/plugins/hello.php Edit using VI the file /usr/local/apache2/conf/httpd.conf Replace the value of the string, from: DocumentRoot \u0026quot;/www\u0026quot; To: DocumentRoot \u0026quot;/www/wordpress\u0026quot; Replace the value of the string, from: LimitRequestBody 10000 To: LimitRequestBody 200000 Restart the Apache service. Open a web browser from a client machine, and enter the URL below: http://Server_FQDN/wp-admin/install.php Specify the following information: Blog Title E-Mail Click on “Install WordPress” button, and close the web browser. Run the command below to login to the MySQL: /usr/bin/mysql -uroot -pnew-password Note: Replace the string “new-password” with the actual password for the root account. 
Run the following commands from the MySQL prompt: use m6gf42s; UPDATE m6gf42s_users SET user_login='johnd' WHERE user_login='admin'; UPDATE m6gf42s_users SET user_pass=MD5('password3') WHERE user_login='johnd'; FLUSH PRIVILEGES; quit Note 1: Replace “m6gf42s” with your own WordPress database name. Note 2: Replace “johnd” with your own new WordPress admin. Note 3: Replace “password3” with complex password (at least 14 characters). Edit using VI, the file /www/wordpress/wp-includes/http.php and replace the following line from: 'timeout' =\u0026gt; apply_filters( 'http_request_timeout', 5), To: 'timeout' =\u0026gt; apply_filters( 'http_request_timeout', 30), Create using VI the file /www/wordpress/.htaccess with the following content: \u0026lt;files wp-config.php\u0026gt; Order deny,allow deny from all \u0026lt;/files\u0026gt; \u0026lt;Files wp-login.php\u0026gt; AuthUserFile /dev/null AuthGroupFile /dev/null AuthName \u0026quot;Access Control\u0026quot; AuthType Basic Order deny,allow Deny from All Allow from 1.1.1.0 \u0026lt;/Files\u0026gt; RewriteEngine On RewriteCond %{REQUEST_METHOD} POST RewriteCond %{REQUEST_URI} .wp-comments-post\\.php* RewriteCond %{HTTP_REFERER} !.*Server_FQDN.* [OR] RewriteCond %{HTTP_USER_AGENT} ^$ RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L] Note 1: Replace 1.1.1.0 with the internal network IP address. Note 2: Replace Server_FQDN with the server FQDN (DNS name). Create using VI the file /www/wordpress/wp-admin/.htaccess with the following content: AuthUserFile /dev/null AuthGroupFile /dev/null AuthName \u0026quot;Access Control\u0026quot; AuthType Basic \u0026lt;LIMIT GET POST\u0026gt; order deny,allow deny from all Allow from 1.1.1.0 \u0026lt;/LIMIT\u0026gt; \u0026lt;IfModule mod_security.c\u0026gt; SecFilterInheritance Off \u0026lt;/IfModule\u0026gt; Note: Replace 1.1.1.0 with the internal network IP address. 
Create using VI the file /www/wordpress/wp-content/plugins/.htaccess with the following content: AuthUserFile /dev/null AuthGroupFile /dev/null AuthName \u0026quot;Access Control\u0026quot; AuthType Basic Order deny,allow Deny from All Allow from 1.1.1.0 Note: Replace 1.1.1.0 with the internal network IP address. Create the following folders: mkdir -p /www/wordpress/wp-content/cache mkdir -p /www/wordpress/wp-content/uploads mkdir -p /www/wordpress/wp-content/upgrade Change the file permissions: chown -R root:root /www/wordpress chown daemon:root /www/wordpress/wp-content/plugins chmod 644 /www/config.php chmod 644 /www/wordpress/wp-config.php chmod 644 /www/wordpress/.htaccess chmod 644 /www/wordpress/wp-admin/.htaccess chmod 644 /www/wordpress/wp-content/plugins/.htaccess chmod -R 777 /www/wordpress/wp-content/cache chmod -R 777 /www/wordpress/wp-content/uploads chmod -R 777 /www/wordpress/wp-content/upgrade Download \u0026ldquo;Login Lockdown\u0026rdquo; plugin from: http://www.bad-neighborhood.com/login-lockdown.html Download \u0026ldquo;WP-Secure Remove Wordpress Version\u0026rdquo; plugin from: http://wordpress.org/extend/plugins/wp-secure-remove-wordpress-version/ Download \u0026ldquo;WP Security Scan\u0026rdquo; plugin from: http://wordpress.org/extend/plugins/wp-security-scan/ Download \u0026ldquo;KB Robots.txt\u0026rdquo; plugin from: http://wordpress.org/extend/plugins/kb-robotstxt/ Download \u0026ldquo;WordPress Database Backup\u0026rdquo; plugin from: http://austinmatzko.com/wordpress-plugins/wp-db-backup/ Download \u0026ldquo;WordPress Firewall\u0026rdquo; plugin from: http://www.seoegghead.com/software/wordpress-firewall.seo Copy the \u0026ldquo;WordPress Firewall\u0026rdquo; plugin file \u0026ldquo;wordpress-firewall.php\u0026rdquo; using PSCP (or SCP) into /www/wordpress/wp-content/plugins Create a folder for the \u0026ldquo;WordPress Database Backup\u0026rdquo; plugin: mkdir -p /www/wordpress/wp-content/backup-ed602 Set permissions for the 
\u0026ldquo;WordPress Database Backup\u0026rdquo; plugin: chmod 777 /www/wordpress/wp-content/backup-ed602 Open a web browser from a client machine, and enter the URL below: http://Server_FQDN/wp-login.php From WordPress dashboard, click on \u0026ldquo;settings\u0026rdquo; -\u0026gt; make sure that \u0026ldquo;Anyone can register\u0026rdquo; is left unchecked -\u0026gt; click on \u0026ldquo;Save changes\u0026rdquo;. From WordPress dashboard, click on \u0026ldquo;settings\u0026rdquo; -\u0026gt; click on \u0026ldquo;Miscellaneous\u0026rdquo; -\u0026gt; \u0026ldquo;Store uploads in this folder\u0026rdquo; -\u0026gt; specify: wp-content/uploads Click on \u0026ldquo;Save changes\u0026rdquo;. From WordPress dashboard, click on \u0026ldquo;Plugins\u0026rdquo; -\u0026gt; Add New -\u0026gt; choose \u0026ldquo;Upload\u0026rdquo; -\u0026gt; click Browse to locate the plugin -\u0026gt; click \u0026ldquo;Install Now\u0026rdquo; -\u0026gt; click \u0026ldquo;Proceed\u0026rdquo; -\u0026gt; click on \u0026ldquo;Activate Plugin\u0026rdquo;. Note: Install and activate all the above downloaded plugins. From WordPress dashboard, click on \u0026ldquo;settings\u0026rdquo; -\u0026gt; click on \u0026ldquo;KB Robots.txt\u0026rdquo; -\u0026gt; add the following content into the Robots.txt editor field: Disallow: /wp-* Disallow: /wp-admin Disallow: /wp-includes Disallow: /wp-content/plugins Disallow: /wp-content/cache Disallow: /wp-content/themes Disallow: /wp-login.php Disallow: /wp-register.php Click \u0026ldquo;Submit\u0026rdquo;. From the upper pane, click on \u0026ldquo;Log Out\u0026rdquo;. 
In case the server was configured with an SSL certificate, add the following line to the /www/config.php file: define('FORCE_SSL_LOGIN', true); ","date":"22 July 2010","externalUrl":null,"permalink":"/posts/hardening-guide-for-wordpress-2-9-2/","section":"Posts","summary":"","title":"Hardening guide for WordPress 2.9.2","type":"posts"},{"content":"Pre-installation notes The guide below is based on the previous guide Hardening guide for Apache 2.0 on Solaris 10 platform\nSSL implementation phase\nLogin to the server using Root account.\nMount Solaris 10 DVD, and move to the packages folder: cd /cdrom/sol_10_1008_x86/Solaris_10/Product\nRun the command below to install OpenSSL packages: pkgadd -d . SUNWopensslr SUNWopenssl-commands SUNWopenssl-include SUNWopenssl-libraries\nCreate folder for the SSL certificate files: mkdir -p /etc/apache2/ssl.crt\nCreate folder for the SSL private key: mkdir -p /etc/apache2/ssl.key\nRun the command below to generate a key pair: /usr/sfw/bin/openssl genrsa -des3 -out /etc/apache2/ssl.key/server.key 1024 Specify a complex pass phrase for the private key (and document it)\nChange the permissions on the private key file: chmod 600 /etc/apache2/ssl.key/server.key\nRun the command below to generate the CSR: /usr/sfw/bin/openssl req -new -newkey rsa:1024 -nodes -keyout /etc/apache2/ssl.key/server.key -out /tmp/apache.csr Note: The command above should be written as one line.\nSend the file /tmp/apache.csr to a Certificate Authority server.\nAs soon as you receive the signed public key from the CA server via email, copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as \u0026ldquo;server.crt\u0026rdquo;\nCopy the file \u0026ldquo;server.crt\u0026rdquo; using SCP into /etc/apache2/ssl.crt/\nFollow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).\nCopy the file 
\u0026ldquo;ca-bundle.crt\u0026rdquo; using SCP into /etc/apache2/ssl.crt/\nEdit using VI the file /etc/apache2/ssl.conf and change the following strings: From: SSLSessionCache dbm:/var/run/apache2/ssl_scache To: SSLSessionCache dbm:/var/apache2/ssl_scache\nFrom: SSLMutex file:/var/run/apache2/ssl_mutex To: SSLMutex file:/var/apache2/ssl_mutex\nFrom: ServerName 127.0.0.1:443 To: ServerName Server_FQDN:443\nFrom: DocumentRoot \u0026quot;/var/apache2/htdocs\u0026quot; To: DocumentRoot \u0026quot;/www\u0026quot;\nFrom: #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt To: SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt\nFrom: SSLCipherSuite ALL:!ADH:!EXPORT56:-AES256-SHA:-DHE-RSA-AES256-SHA:-DHE-DSS-AES256-SHA:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL To: SSLCipherSuite ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP\nRemove the section below: \u0026lt;Directory \u0026quot;/var/apache2/cgi-bin\u0026quot;\u0026gt;\nStopping Apache from command line: /usr/apache2/bin/apachectl stop\nStarting Apache from command line: /usr/apache2/bin/apachectl startssl\n","date":"22 July 2010","externalUrl":null,"permalink":"/posts/how-to-implement-ssl-on-apache-2-0/","section":"Posts","summary":"","title":"How to implement SSL on Apache 2.0","type":"posts"},{"content":"Pre-installation notes The guide below is based on the previous guide\nHardening guide for Apache 2.2.15 on RedHat 5.4 (64bit edition) SSL implementation phase\nLogin to the server using Root account. Create folder for the SSL certificate files: mkdir -p /usr/local/apache2/ssl chmod 600 /usr/local/apache2/ssl Run the command below to generate a key pair: /usr/bin/openssl genrsa -des3 -out /usr/local/apache2/ssl/server.key 1024 Specify a complex pass phrase for the private key (and document it) Run the command below to generate the CSR: /usr/bin/openssl req -new -newkey rsa:1024 -nodes -keyout /usr/local/apache2/ssl/server.key -out /tmp/apache.csr Note: The command above should be written as one line. 
Send the file /tmp/apache.csr to a Certificate Authority server. As soon as you receive the signed public key from the CA server via email, copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as \u0026ldquo;server.crt\u0026rdquo; Copy the file \u0026ldquo;server.crt\u0026rdquo; using SCP into /usr/local/apache2/ssl/ Follow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded). Copy the file \u0026ldquo;ca-bundle.crt\u0026rdquo; using SCP into /usr/local/apache2/ssl/ Edit using VI the file /usr/local/apache2/conf/httpd.conf and add the following lines: Listen Server_FQDN:443 SSLEngine on SSLCertificateKeyFile /usr/local/apache2/ssl/server.key SSLCertificateFile /usr/local/apache2/ssl/server.crt SSLCACertificateFile /usr/local/apache2/ssl/ca-bundle.crt SSLCipherSuite ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP Note: Replace Server_FQDN with the server DNS name (as written on the certificate). 
Restart the Apache services: /usr/local/apache2/bin/apachectl restart Back up the file /usr/local/apache2/ssl/server.key ","date":"22 July 2010","externalUrl":null,"permalink":"/posts/how-to-implement-ssl-on-apache-2-2-15/","section":"Posts","summary":"","title":"How to implement SSL on Apache 2.2.15","type":"posts"},{"content":"Pre-installation notes The guide below is based on the previous guide Hardening guide for Tomcat 5.5 on Solaris 10 platform\nSSL implementation phase\nLogin to the server using Root account.\nCreate folder for the SSL certificate files: mkdir -p /var/apache/tomcat55/conf/ssl.crt\nCreate folder for the SSL private key: mkdir -p /var/apache/tomcat55/conf/ssl.key\nChange ownership of all server files to the tomcat user: chown -R tomcat:tomcat /var/apache/tomcat55/conf/*\nRun the command below to generate a key store: For 32bit operating system: /usr/jdk/jdk1.6.0_15/bin/keytool -genkey -keyalg \u0026quot;RSA\u0026quot; -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword -validity 730 Note: The command above should be written as one line. For x64 operating system: /usr/jdk/jdk1.6.0_15/bin/amd64/keytool -genkey -keyalg \u0026quot;RSA\u0026quot; -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword -validity 730 Note: The command above should be written as one line.\nRun the command below to generate a CSR (certificate request): For 32bit operating system: /usr/jdk/jdk1.6.0_15/bin/keytool -certreq -keyalg \u0026quot;RSA\u0026quot; -file /tmp/tomcat.csr -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword Note: The command above should be written as one line. 
For x64 operating system: /usr/jdk/jdk1.6.0_15/bin/amd64/keytool -certreq -keyalg \u0026quot;RSA\u0026quot; -file /tmp/tomcat.csr -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword Note: The command above should be written as one line.\nSend the file /tmp/tomcat.csr to a Certificate Authority server.\nAs soon as you receive the signed public key from the Certificate Authority server (usually via email), copy all lines starting with “Begin” and ending with “End” (include those two lines), into notepad, and save the file as \u0026ldquo;server.crt\u0026rdquo;\nCopy the file \u0026ldquo;server.crt\u0026rdquo; using SCP into /var/apache/tomcat55/conf/ssl.crt\nFollow the link on the email from the CA server, to create the Root CA chain, and save it as “ca-bundle.crt” (Note: The file must be PEM (base64) encoded).\nCopy the file \u0026ldquo;ca-bundle.crt\u0026rdquo; using SCP into /var/apache/tomcat55/conf/ssl.crt\nRun the command below to import the trusted root CA public certificate: For 32bit operating system: /usr/jdk/jdk1.6.0_15/bin/keytool -import -keystore /usr/jdk/jdk1.6.0_15/jre/lib/security/cacerts -storepass changeit -trustcacerts -file /var/apache/tomcat55/conf/ssl.crt/ca-bundle.crt Note: The command above should be written as one line.\nFor x64 operating system: /usr/jdk/jdk1.6.0_15/bin/amd64/keytool -import -keystore /usr/jdk/jdk1.6.0_15/jre/lib/security/cacerts -storepass changeit -trustcacerts -file /var/apache/tomcat55/conf/ssl.crt/ca-bundle.crt Note: The command above should be written as one line.\nRun the command below to import the signed public key into the key store: For 32bit operating system: /usr/jdk/jdk1.6.0_15/bin/keytool -import -keystore /var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword -trustcacerts -file /var/apache/tomcat55/conf/ssl.crt/server.crt Note: The command above should be written as one line.\nFor x64 operating system: /usr/jdk/jdk1.6.0_15/bin/amd64/keytool -import -keystore 
/var/apache/tomcat55/conf/ssl.key/server.key -storepass ComplexPassword -trustcacerts -file /var/apache/tomcat55/conf/ssl.crt/server.crt Note: The command above should be written as one line.\nStop the Tomcat service: /etc/init.d/tomcat stop\nEdit using VI, the file /var/apache/tomcat55/conf/server.xml and add the section below: \u0026lt;Connector port=\u0026quot;8443\u0026quot; maxHttpHeaderSize=\u0026quot;8192\u0026quot; maxThreads=\u0026quot;150\u0026quot; minSpareThreads=\u0026quot;25\u0026quot; maxSpareThreads=\u0026quot;75\u0026quot; enableLookups=\u0026quot;false\u0026quot; disableUploadTimeout=\u0026quot;true\u0026quot; acceptCount=\u0026quot;100\u0026quot; scheme=\u0026quot;https\u0026quot; secure=\u0026quot;true\u0026quot; clientAuth=\u0026quot;false\u0026quot; sslProtocol=\u0026quot;SSLv3\u0026quot; keystoreFile=\u0026quot;/var/apache/tomcat55/conf/ssl.key/server.key\u0026quot; keystorePass=\u0026quot;ComplexPassword\u0026quot; truststoreFile=\u0026quot;/usr/jdk/jdk1.6.0_15/jre/lib/security/cacerts\u0026quot; truststorePass=\u0026quot;changeit\u0026quot; ciphers=\u0026quot;ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP\u0026quot; tcpNoDelay=\u0026quot;true\u0026quot; /\u0026gt;\nEdit using VI, the file /var/apache/tomcat55/conf/web.xml and add the following section, inside the tag: \u0026lt;user-data-constraint\u0026gt; \u0026lt;description\u0026gt; Constrain the user data transport for the whole application \u0026lt;/description\u0026gt; \u0026lt;transport-guarantee\u0026gt;CONFIDENTIAL\u0026lt;/transport-guarantee\u0026gt; \u0026lt;/user-data-constraint\u0026gt;\nStart the Tomcat service: /etc/init.d/tomcat start -security\n","date":"22 July 2010","externalUrl":null,"permalink":"/posts/how-to-implement-ssl-on-tomcat-5-5/","section":"Posts","summary":"","title":"How to implement SSL on Tomcat 5.5","type":"posts"},{"content":"Information is all around us. 
We don\u0026rsquo;t even realize how much information we share with everyone, and I have two examples to think about.\nBusiness cards We tend to give away our business cards to colleagues and potential customers without realizing how much people can learn about us. We put our mobile phone number, so now people can reach us 24/7. We put our phone number, something such as 917-999-6666, and now the potential attacker knows that most of our company phone extensions (and maybe our fax and modem lines) begin with 917-999xxxx and that our extension is probably 6666 (I wonder whom I will reach by trying 6665 or 6667\u0026hellip;). We put our fax number, which can be used by spammers and advertisers we once met at a commercial fair. We put our email address, something such as johnd@somecompany.com (in most cases, our username to the internal company assets will be something such as Johnd).\nVoicemail / out-of-the-office message We tend to leave a message on our voice mail or on our company mailbox, with information such as: \u0026ldquo;Hi, you\u0026rsquo;ve reached John Doe, from the sales department. I will be out of the office between July 28th and August 2nd. In case of emergency, you may contact Linda Smith, at 5435742, ext. 2\u0026rdquo; If I were a potential hacker, I now know that John will be out of the office, I know his department name, I know the dates he will not be available, I know who replaces him while he is out of the office, and I know how to reach her. Instead of giving away all this information, why not use something polite and simple, such as: \u0026ldquo;Hi, I will be out of the office. 
You may send me emails and I will get back to you as soon as I return to the office.\u0026rdquo;\nThink about it the next time you share information, and don\u0026rsquo;t forget that everyone on the internet can see it the next time you share photos from your wonderful vacation on Facebook, or what a great day you had on Twitter, just after you told your boss you are not coming to the office today since you are not feeling well.\n","date":"22 July 2010","externalUrl":null,"permalink":"/posts/information-leakage/","section":"Posts","summary":"","title":"Information leakage","type":"posts"},{"content":"Andy Grove, the former Intel CEO, used to say \u0026ldquo;Only the paranoid survive\u0026rdquo;.\nAs an information security professional with more than 7 years in the field, I can tell you that even though I don\u0026rsquo;t consider myself paranoid, people expect me to think out of the box, and the only way I see to view the world through the eyes of the potential attacker is to be paranoid.\nI have opened this blog in order to share with you my point of view and my experience in the security and technology field, looking at the world from a holistic and non-vendor-oriented point of view as much as possible.\n","date":"22 July 2010","externalUrl":null,"permalink":"/posts/introduction/","section":"Posts","summary":"","title":"Introduction","type":"posts"},{"content":"One of the things many companies fail to pay enough attention to is proper protection of their backups. I recently read an article about a large American bank that sent a notification to its customers about losing a backup tape with customers\u0026rsquo; personal information. I guess the only reason the bank revealed the information about the security breach is because it had to do so, under a federal law - just think about how many companies keep this sort of information to themselves in order to avoid lawsuits.\nAlmost every company performs backups of its data. 
It can be done using commercial software, file copy to a remote site, or backup to tape, and now it is becoming more and more common to perform backup to disk, into a large storage device.\nUsually, when performing backup to tape, most companies move the tapes into offsite storage, such as a remote site. While moving the backup to a remote site might be considered a good security practice against site disaster, there are 2 important things to think about. The first thing is physical protection during the move, and while storing the tapes in a safe at the remote site. In this case I strongly recommend documenting the process - document the labels and dates of the tapes, and maybe even have the person transporting the tapes sign a form, so you\u0026rsquo;ll have more confidence that the tapes were actually transported to their destination.\nAnother thing you should consider is encryption of the data itself. You don\u0026rsquo;t want to be in a situation where somebody steals a suitcase full of backup tapes, where all your data is in clear text. I guess most commercial products allow you to encrypt your backups, but it raises a question about maintaining the encryption. If you encrypt your backups using the same password or passphrase year after year, and some ex-employee knows the password, it can harm the whole idea behind encryption. On the other hand, if you change the password from time to time, you need to manage a list of old passwords against a list of dates of backup-tape labels, which might become a headache since it is another thing to maintain.\nToday more and more companies are moving to backup-to-disk, because the cost of hard disks is very low, and it\u0026rsquo;s a fast medium. While performing backup to a remote site, you need to consider moving the data over secure or encrypted VPN lines in order to avoid someone intercepting the data and stealing sensitive files. Another good practice is to store the data on an encrypted file system. 
This way you don\u0026rsquo;t need to worry about someone being able to review your files, but you will have the overhead of maintaining the encryption key, and the copy to the encrypted file system might become a little bit slower on slow machines or slow storage devices.\nRemember, keeping your backup safe and secure enables you to overcome site disaster while protecting you from data breaches and lawsuits.\n","date":"22 July 2010","externalUrl":null,"permalink":"/posts/protecting-your-backup/","section":"Posts","summary":"","title":"Protecting your backup","type":"posts"},{"content":"One of the most important rules of server hardening is limiting the exposure surface.\nI guess it\u0026rsquo;s ok to install a product (from operating system to office applications) on a developer\u0026rsquo;s or user\u0026rsquo;s desktop using the default installation method (in many cases it means full product installation, since most of us don\u0026rsquo;t bother to read what it means and just click next to continue).\nHowever, in a production environment, any additional component means additional exposure surface, additional disk space and additional CPU and memory usage, which are very critical in production environments. It is time to read the product documentation, and understand what each and every component is doing on the system. A customized or minimal installation is the best practice in this case. We don\u0026rsquo;t need any sample pages, product documentation or help files, or even demo scripts/web applications/databases.\nAnother best practice is to limit anonymous, guest or any other non-authenticated access to sensitive areas of our application, such as administrative sections in web applications. 
The best practice is to configure authentication for administrative sections, using built-in application capabilities such as strong passwords, dedicated accounts with privileges to certain parts of the application, certificate authentication or if nothing else is possible, using file system permissions according to the hosted operating system.\nAnother crucial part, for applications that start their own service to listen to outside requests, is to use the least-privileges security model, which means, non-administrative/root account to load the service, with limitation for running the specific application and least amount of privileges to the operating system. The reason for that is if I am using an application that depends on JAVA for example, and there is a flaw in the JAVA runtime that allows it to break the JAVA security mechanism, your server might be vulnerable as well.\nAnother point to think about is software upgrades. You may be doing a good job during application installation and configuration, but the next product upgrade or security hotfix, might bring back sample applications or change the file system privileges.\n","date":"22 July 2010","externalUrl":null,"permalink":"/posts/software-installation/","section":"Posts","summary":"","title":"Software installation","type":"posts"},{"content":"I’m Eyal Estrin — a Cloud \u0026amp; Information Security Architect with over 25 years of IT experience. I specialize in sharing real-world insights across AWS, Azure, and Google Cloud, helping organizations adopt cloud technologies with confidence in industries such as banking, academia, and healthcare.\nWhat truly motivates me is seeing organizations fully embrace cloud adoption without hesitation or fear. Too often, cloud initiatives slow down because security feels heavy, unclear, or disconnected from real work. I care deeply about removing that friction so teams can move faster, make better decisions, and trust the platforms they build. 
My focus is on designing architectures where cost, efficiency, sustainability, and security are built in from the start—so teams can scale responsibly without slowing down their day-to-day work.\nCertifications \u0026amp; Community Contributions\nSince 2020, I’ve been an AWS Community Builder, actively sharing real-world experience and cloud-native security insights with the global technical community. I maintain a rigorous portfolio of industry certifications to stay at the forefront of the evolving threat landscape. You can find my currently active credentials below: AWS Knowledge: Security Champion - Training Badge\nFinOps Certified Practitioner\nZero Trust Training (ZTT) Contributor\nCertificate of Cloud Security Knowledge v.3\nAWS Certified Cloud Practitioner\nCertified Data Privacy Solutions Engineer™ (CDPSE™)\nCertified Cloud Security Professional (CCSP)\nCertified Information Security Manager® (CISM)\nCertified Information Systems Auditor® (CISA)\nCompTIA Security\u0026#43; Certification\nCertified Information Systems Security Professional (CISSP)\nAuthor \u0026amp; Content Creator\nI’m the author of Cloud Security Handbook and Security for Cloud Native Applications, both focused on turning complex topics into clear, practical guidance. Through blogs and professional platforms, I prioritize transparency and knowledge sharing—openly discussing lessons learned, trade-offs, and what actually works in the field.\nWhat Makes Me Different\nI value openness, clarity, and collaboration. 
I believe in learning through experimentation—using hands-on exploration of new technologies to build real experience, while always keeping business value and practical outcomes in focus.\nWhy Connect?\nAlways open to non-commercial connections and thoughtful conversations around cloud adoption, cybersecurity, and practical approaches to AI.\nThe purpose of this web site is to share knowledge with other professionals around the world.\nFeel free to follow me on social networks - https://linktr.ee/eyalestrin\nOpinions are my own and not the views of my employer.\n","date":"20 July 2010","externalUrl":null,"permalink":"/posts/pages/about/","section":"Posts","summary":"","title":"About Me","type":"posts"},{"content":"","externalUrl":null,"permalink":"/authors/","section":"Authors","summary":"","title":"Authors","type":"authors"},{"content":"","externalUrl":null,"permalink":"/series/","section":"Series","summary":"","title":"Series","type":"series"}]