
Page 1

FANS - SAS Nordic Users Group, June 2018
Paul Homes, Metacoda

PRODUCTIVITY THROUGH METADATA VISIBILITY

How do you know it's secure if you don't test it?

Page 2

@metacoda #SASFANS #metacodaInNordics

How Do You Know Your SAS Platform is Secure?

▪ … if you don’t test it?
▪ … and test it thoroughly?
▪ … and test it regularly?
▪ Not just at the start of a project … changes always happen
▪ Small changes can have big (sometimes unexpected) impacts!
  » … in non-obvious locations … which drives the need for wide-scale testing
▪ How do you know if it’s still secure after changes?
  » … if you’re not testing it regularly? – e.g. daily/hourly
  » … and thoroughly / widely?

Page 3

How Often are Access Controls Changed?

▪ 65% of SAS admins surveyed change security daily/weekly/monthly
▪ … are they tested when they are made, and how thoroughly?

Source: Here’s what 72 SAS admins told us… https://www.metacoda.com/en/2017/11/what-72-sas-admins-told-us/

Page 4

How Much Time is Spent Testing?

▪ 80% of SAS admins surveyed conduct testing for an hour at most
▪ … which is not much when testing is done manually

Source: Here’s what 72 SAS admins told us… https://www.metacoda.com/en/2017/11/what-72-sas-admins-told-us/

Page 5

Is Enough Time Spent Testing?

▪ 35% of those surveyed don’t have time to test thoroughly
▪ … we wonder how the others can be so confident ;-)

Source: Here’s what 72 SAS admins told us… https://www.metacoda.com/en/2017/11/what-72-sas-admins-told-us/

Page 6

GDPR: Data Protection By Design & By Default (Art. 25)

“The controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, …, which are designed to implement data-protection principles …”

“The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.”

GDPR Privacy/Security by design and default – Metacoda can help! https://www.metacoda.com/en/2017/08/gdpr-privacysecurity-by-design-and-default-metacoda-can-help/

Page 7

GDPR: Security of Processing (Art. 32)

“implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”

“the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services”

“a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing”

GDPR Privacy/Security by design and default – Metacoda can help! https://www.metacoda.com/en/2017/08/gdpr-privacysecurity-by-design-and-default-metacoda-can-help/

Page 8

SAS Metadata Security Testing Types

▪ In order of least to most effort …
▪ Best Practice Testing
  ▪ Is security following practices / styles known to work?
  ▪ Little regard to organizational specifics – easy/quick
▪ Implementation Testing
  ▪ Has security been implemented as required?
  ▪ Who? / What? / Where? – organization specific – needs design
▪ Outcome Testing for Candidate Users & Objects
  ▪ Is security giving the end result the way we expect?
  ▪ Implementation doesn’t always give us what we expect – conflicts etc.
  ▪ Safety net / improves confidence

Page 9

SAS Metadata Security Testing Strategies

▪ DevOps: Test Driven Development (TDD)
  ▪ … write automated tests before you implement the security
▪ DevOps: Continuous Testing (CT)
  ▪ … run the tests automatically to continuously test changes
▪ Consider Independent Testing
  ▪ Who designs, creates and runs the tests?
    ▪ Implementors / SAS admins?
    ▪ Independent internal QA/Test/Audit team?
    ▪ Independent 3rd party organization?

Page 10

Manual or Automatic Testing?

▪ From our experience:
  ▪ It’s almost exclusively an ad-hoc manual process
  ▪ It takes too long, it’s inconsistent & it’s error-prone
  ▪ Consequently it’s not done …
    ▪ with enough coverage & reliability to detect problems
    ▪ with enough frequency to detect them promptly
▪ So we looked at how we could automate it …

SAS Global Forum 2014 Paper https://support.sas.com/resources/papers/proceedings14/1761-2014.pdf

Page 11

About Metacoda

• Provide add-ons to SAS® Software for enhanced metadata visibility and exploitation
  • Metacoda Identity Sync
  • Metacoda Security Plug-ins
  • Metacoda Testing Framework
  • Metacoda Utility Plug-ins - free
  • Custom Tasks (for SAS Enterprise Guide & AMO) - free
• Goals:
  • Improve your productivity through enhanced metadata visibility
  • Helping to keep your SAS platform secure
• … since 2007

Page 12

Metadata Security Testing Framework

▪ An optional automated SAS metadata security testing framework includes:
  ▪ Test Runner: a Metacoda plug-in used to interactively run metadata security test specifications from XML files.
  ▪ Batch Interface: automated scheduled metadata security tests with HTML results and alert emails.
  ▪ Test Exports: several Metacoda plug-ins can export metadata security test specifications, as XML files, from an existing known-good metadata server.

SAS Metadata Security Testing https://platformadmin.com/blogs/paul/2014/03/sas-metadata-security-testing/

Page 13

Metadata Security Testing: Run Tests

An engine that tests metadata against XML Test Specifications

• Implementation:
  • ACTs
  • Users (& Logins)
  • Groups (& Logins)
  • Roles
  • Capabilities
  • Applied Access Controls (Protected Objects)
  • Internal Logins
• Outcome: Effective Permissions
• Best / Recommended Practices
• Interactive
• Batch

Page 14

Metadata Security Testing: Run Tests

(screenshot: ACTs.xml)

Page 15

Metadata Security Testing: Export Tests

An engine that exports metadata as XML Test Specifications

• Implementation Tests:
  • ACTs
  • Users (& Logins)
  • Groups (& Logins)
  • Roles
  • Capabilities
  • Applied Access Controls (Protected Objects)
  • Internal Logins
• Outcome / Effective Permission Tests

(diagram annotation: Set of Starter Tests)

Page 16

Metadata Security Testing: Export Tests

(screenshot: ACTs.xml)

Page 17

Consistency Testing Different Environments

Export Metadata Security Test XML files from the source environment to test for consistency in the target environment.

Page 18

Metadata Security Testing: Cross-Environment

▪ Test for consistency across multiple environments …

(diagram: Production (Lev1), Test (Lev2) and Development (Lev3) environments, with tests run between them)

Page 19

Metadata Security Testing: Cross-Version

▪ Test for consistency during SAS version upgrades …

(diagram: SAS 9.2 (Lev1), SAS 9.3 (Lev1) and SAS 9.4 (Lev1) environments, with tests run between them)

Page 20

1: Best Practice Testing

… is security following practices known to work?

Page 21

Benefits of Best Practice Testing

▪ Ensure your SAS metadata security implementation conforms to well-known best practice approaches or rules
▪ Faster on-boarding of future employees / contractors
▪ Deviation from best practices is often a quick way to identify areas of inadequate / ineffective security:
  ▪ Higher likelihood of conflicts
  ▪ People with less access than required (will usually let you know)
  ▪ People with more access than required (will rarely let you know) <<!!

Page 22

Testing SAS Metadata Security Best Practices

▪ Several Models/Examples: similar with differences…
▪ SAS 9.4 Intelligence Platform Security Administration Guide, Access to Metadata Folders
  http://documentation.sas.com/?cdcId=bicdc&cdcVersion=9.4&docsetId=bisecag&docsetTarget=n1ve38xbqyt4mmn1lzjef4ldglob.htm&locale=en
▪ GEL Model (8 Golden Rules)
  Five papers on Recommended SAS 9.4 Security Model Design (2017)
  David Stern, Principal Technical Architect, SAS Global Enablement and Learning (GEL)
  https://bit.ly/SASUKMetacodaWebinar
▪ Danish Model (6 Golden Rules)
  SAS Global Forum 2011 Paper 376-2011
  Best Practice Implementation of SAS Metadata Security at Customer Sites in Denmark
  Cecily Hoffritz & Johannes Jørgensen, SAS Institute Inc., Copenhagen, Denmark
  https://support.sas.com/resources/papers/proceedings11/376-2011.pdf
▪ US Model
  SAS Global Forum 2017 Paper SAS709-2017
  Getting Started with Designing and Implementing a SAS® 9.4 Metadata and File System Security Design
  Angie Hedberg & Philip Hopkins, SAS Institute Inc.
  http://support.sas.com/resources/papers/proceedings17/SAS0709-2017.pdf

Page 23

Best Practices & Metacoda Testing Framework

▪ Testing Framework supports automated, scheduled, configurable testing of conformance to various best practice approaches:
  ▪ Only Groups in ACTs (No Users)
  ▪ Only Groups in ACEs (No Users)
  ▪ Only Implicit Group Denials (PUBLIC/SASUSERS)
  ▪ No (Unexpected) ACEs
  ▪ No Unprotected ACTs
  ▪ No Group Membership Loops
  ▪ … and more …

Testing Recommended Practices with SAS Metadata Security https://platformadmin.com/blogs/paul/2015/06/testing-recommended-practices/

Page 24

Testing for GEL / Golden Rules

…
<AllowNoACEs/>
<AllowOnlyGroupsInACTs/>
<AllowOnlyGroupsInACEs/>
<AllowOnlyImplicitGroupDenials/>
<AllowNoUnprotectedACTs/>
<AllowNoGroupMembershipLoops/>
<AllowNoRoleContributionLoops/>
<AllowNoGroupsWithImplicitMembers/>
…

(slide annotates the rule elements with the GEL rules they check: GEL Rule #1, GEL Rule #2, GEL Rule #3, …)

Following SAS GEL Security Rules with Metacoda Security Tests https://platformadmin.com/blogs/paul/2017/06/sas-gel-security-rules-with-metacoda-security-tests/
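As an added example of what a checker for rules like the ones above has to do (this is not Metacoda's or SAS's code), the following Python script reads a rule list that reuses the element names from the slide, runs each rule over a small constructed in-memory model of users, groups, ACTs and ACEs, and reports findings. The <BestPractices> wrapper element, the data model, and the exact semantics given to each rule are assumptions made for this example; the constructed model deliberately breaks several rules, including a three-group membership loop that the depth-first search reports as a cycle, and a rule the example does not implement is reported rather than silently passed.

```python
"""Best-practice conformance checks driven by an XML rule list.
Added example, not Metacoda or SAS code.  Rule element names come from the
slide; the <BestPractices> wrapper, the data model and the checker logic are
assumptions made for this example."""
import xml.etree.ElementTree as ET

IMPLICIT_GROUPS = {"PUBLIC", "SASUSERS"}

# --- Constructed sample metadata with deliberately seeded problems ----------
USERS = {"sasadm", "demoian", "demoivy"}
GROUP_MEMBERS = {                      # group -> direct members (users or groups)
    "SASAdministrators": {"sasadm"},
    "HR Consultants": {"demoian", "Sales"},       # Sales nested here ...
    "HR Managers": {"HR Consultants"},
    "Sales": {"demoivy", "HR Managers"},          # ... closes a membership loop
}
ACTS = {                               # ACT -> identity -> permission -> "+"/"-"
    "Default ACT": {
        "SASAdministrators": {"RM": "+", "WM": "+"},
        "SASUSERS": {"RM": "+", "WM": "-"},
        "PUBLIC": {"RM": "-", "WM": "-"},
    },
    "HR Only": {
        "HR Consultants": {"RM": "+", "WM": "+"},
        "Sales": {"RM": "-"},          # explicit denial of an ordinary group
        "demoivy": {"RM": "+"},        # a user, not a group, in an ACT
    },
}
ACES = {"/HR": {"demoian": {"RM": "+"}}}   # explicit ACE granted to a user


def only_groups_in_acts():
    return ["ACT '%s' references user '%s'" % (a, i)
            for a, s in ACTS.items() for i in s if i in USERS]


def only_groups_in_aces():
    return ["ACE on '%s' references user '%s'" % (o, i)
            for o, s in ACES.items() for i in s if i in USERS]


def only_implicit_group_denials():
    """Denials belong on PUBLIC/SASUSERS only; real groups get grants."""
    return ["ACT '%s' denies '%s'; only PUBLIC/SASUSERS should carry denials" % (a, i)
            for a, s in ACTS.items() for i, perms in s.items()
            if "-" in perms.values() and i not in IMPLICIT_GROUPS]


def no_group_membership_loops():
    """Depth-first search over group-to-group edges; every back edge is a loop."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {g: WHITE for g in GROUP_MEMBERS}
    loops = []

    def visit(group, path):
        colour[group] = GREY
        for member in sorted(GROUP_MEMBERS[group]):   # sorted for stable output
            if member not in GROUP_MEMBERS:            # a user, not a group
                continue
            if colour[member] == GREY:                 # back edge: member is on the stack
                loops.append(" -> ".join(path[path.index(member):] + [member]))
            elif colour[member] == WHITE:
                visit(member, path + [member])
        colour[group] = BLACK

    for group in GROUP_MEMBERS:
        if colour[group] == WHITE:
            visit(group, [group])
    return ["group membership loop: " + loop for loop in loops]


CHECKS = {
    "AllowOnlyGroupsInACTs": only_groups_in_acts,
    "AllowOnlyGroupsInACEs": only_groups_in_aces,
    "AllowOnlyImplicitGroupDenials": only_implicit_group_denials,
    "AllowNoGroupMembershipLoops": no_group_membership_loops,
}

SPEC = """<BestPractices>
  <AllowOnlyGroupsInACTs/>
  <AllowOnlyGroupsInACEs/>
  <AllowOnlyImplicitGroupDenials/>
  <AllowNoGroupMembershipLoops/>
</BestPractices>"""


def run_best_practice_tests(xml_text):
    """Map each rule element to its findings (empty list = pass)."""
    results = {}
    for rule in ET.fromstring(xml_text):
        check = CHECKS.get(rule.tag)
        results[rule.tag] = check() if check else ["rule not implemented in this example"]
    return results


if __name__ == "__main__":
    for rule, findings in run_best_practice_tests(SPEC).items():
        print(rule, "PASS" if not findings else "FAIL")
        for finding in findings:
            print("   ", finding)
```

Each rule is a pure function over the model, so the same script can be run on a schedule against a fresh export and diffed against the last run; unknown rule names are surfaced as findings so that a typo in the spec never turns into a silent pass.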

Page 25

2: Implementation Testing

… has security been implemented as expected?

Page 26

Implementation Testing

▪ Users: Groups, Roles, Capabilities, Logins (for key users)
▪ Groups: Members, Groups, Roles, Capabilities, Logins
▪ Roles: Members, Capabilities, Contributions
▪ ACTs: Permission Patterns, Objects, Access Controls
▪ Protected Objects: Applied Access Controls
  ▪ ACTs
  ▪ ACEs (Explicit Permissions) for Groups/Users
  ▪ Permission Conditions: VA Conditional Grants, OLAP Member Level …

Page 27

3: Outcome Testing

… is security working the way we expect?

Page 28

Outcome Testing: Effective Permissions

▪ Verify Effective Permissions …
  ▪ for candidate users / groups
  ▪ on candidate objects
▪ The “end result” … sensitive to:
  ▪ the user’s identity hierarchy (groups)
  ▪ the object’s inheritance path
  ▪ ACTs & explicit permissions applied to objects in the path
  ▪ the Repository ACT

Page 29

Outcome Testing: Effective Permissions on Objects

<Objects>
  <Object required="true" publicType="ACT" name="Default ACT">
    <EffectivePermissions>
      <Group required="true" name="SASAdministrators" permissions="+RM,+WM"/>
      <Group name="SAS System Services" permissions="+RM,-WM"/>
      <Group name="SASUSERS" permissions="+RM,-WM"/>
      <Group name="PUBLIC" permissions="-RM,-WM"/>
      <User name="sasadm" permissions="+RM,+WM"/>
      <User name="sasdemo" permissions="+RM,-WM"/>
    </EffectivePermissions>
  </Object>
  <Object required="true" publicType="Folder" parentFolder="/" name="HR">
    <EffectivePermissions> … </EffectivePermissions>
  </Object>
  …
</Objects>
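The following Python script is an added example, not Metacoda or SAS code, of computing effective permissions over a constructed identity hierarchy and folder tree and then checking them against an outcome test written in the same XML shape as the slide above. The precedence it applies is a simplified model of the factors the Page 28 slide lists (controls on an object beat inherited ones, explicit ACEs beat ACTs on the same object, a nearer identity beats a farther one with SASUSERS and PUBLIC farthest, a same-distance conflict denies, and the repository ACT is consulted last); treat that as an assumption rather than a statement of SAS's exact algorithm. The group memberships, the HR Only ACT, the folder tree and the explicit ACE for demoivy are constructed for the example and say nothing about the cause in the live demo. It handles folder objects only, so the ACT-object test from the slide is not reproduced.

```python
"""Effective-permission evaluator plus XML outcome-test runner (added example,
not Metacoda or SAS code).  Precedence is a simplified model (an assumption):
object-level controls beat inherited ones; on one object ACEs beat ACTs;
within a source the user beats groups, nearer groups beat farther ones and a
same-distance conflict denies; the repository ACT is last; silence = deny."""
import xml.etree.ElementTree as ET

IMPLICIT_ORDER = ["SASUSERS", "PUBLIC"]   # implicit groups, farthest from the user

# --- Constructed sample metadata (not from the page) -----------------------
GROUP_MEMBERS = {                        # group -> direct members (users/groups)
    "SASAdministrators": {"sasadm"},
    "HR Consultants": {"demoian"},
    "Sales": {"demoivy"},
}
PARENT = {"/": None, "/HR": "/", "/HR/Salaries": "/HR"}   # folder tree
ACTS = {                                 # ACT -> identity -> perm -> "+"/"-"
    "Default ACT": {                     # the repository ACT
        "SASAdministrators": {"RM": "+", "WM": "+"},
        "SASUSERS": {"RM": "+", "WM": "-"},
        "PUBLIC": {"RM": "-", "WM": "-"},
    },
    "HR Only": {
        "HR Consultants": {"RM": "+", "WM": "+"},
        "SASUSERS": {"RM": "-", "WM": "-"},
    },
}
REPOSITORY_ACT = "Default ACT"
# Controls applied directly to objects; the user ACE is a seeded misconfiguration.
APPLIED = {"/HR": {"aces": {"demoivy": {"RM": "+"}}, "acts": ["HR Only"]}}


def identity_levels(identity):
    """Hierarchy as a list of sets, nearest first: self, direct groups,
    indirect groups, then the implicit groups SASUSERS and PUBLIC."""
    if identity == "PUBLIC":
        return [{"PUBLIC"}]
    if identity == "SASUSERS":
        return [{"SASUSERS"}, {"PUBLIC"}]
    levels, seen, frontier = [{identity}], {identity}, {identity}
    while frontier:
        frontier = {g for g, m in GROUP_MEMBERS.items() if m & frontier} - seen
        if frontier:
            levels.append(frontier)
            seen |= frontier
    return levels + [{g} for g in IMPLICIT_ORDER]


def _resolve(settings, levels, perm):
    """Decision ('+'/'-') from one source, or None if the source is silent."""
    for level in levels:
        signs = {settings[i][perm] for i in level if perm in settings.get(i, {})}
        if signs:
            return "+" if signs == {"+"} else "-"    # a deny at the nearest level wins
    return None


def effective(identity, obj, perm):
    """Effective permission ('+' or '-') of identity on obj for perm."""
    levels, node = identity_levels(identity), obj
    while node is not None:                          # walk up the inheritance path
        ctl = APPLIED.get(node, {})
        for source in [ctl.get("aces", {})] + [ACTS[a] for a in ctl.get("acts", [])]:
            decision = _resolve(source, levels, perm)
            if decision is not None:
                return decision
        node = PARENT[node]
    return _resolve(ACTS[REPOSITORY_ACT], levels, perm) or "-"


# Outcome test in the slide's XML shape (assumption: path = parentFolder + "/" + name).
TEST_SPEC = """<Objects>
  <Object required="true" publicType="Folder" parentFolder="/" name="HR">
    <EffectivePermissions>
      <Group name="HR Consultants" permissions="+RM,+WM"/>
      <Group name="SASUSERS" permissions="-RM,-WM"/>
      <User name="demoian" permissions="+RM,+WM"/>
      <User name="demoivy" permissions="-RM,-WM"/>
    </EffectivePermissions>
  </Object>
</Objects>"""


def run_spec(xml_text):
    """Return (identity, object, perm, expected, actual) for every mismatch."""
    failures = []
    for obj in ET.fromstring(xml_text).iter("Object"):
        path = obj.get("parentFolder").rstrip("/") + "/" + obj.get("name")
        for ident in obj.find("EffectivePermissions"):
            for token in ident.get("permissions").split(","):
                expected, perm = token[0], token[1:]
                actual = effective(ident.get("name"), path, perm)
                if actual != expected:
                    failures.append((ident.get("name"), path, perm, expected, actual))
    return failures


if __name__ == "__main__":
    for who, path, perm, want, got in run_spec(TEST_SPEC):
        print("FAIL %s on %s: expected %s%s, got %s%s" % (who, path, want, perm, got, perm))
```

Running it reports the one mismatch the spec catches: demoivy has ReadMetadata on /HR through the explicit ACE although the spec expects a deny, and that same ACE also reaches /HR/Salaries by inheritance even though nothing is applied there, which is the sort of non-obvious location the opening slide warns about. In this model sasadm is also denied on /HR, because the HR Only ACT denies SASUSERS without granting SASAdministrators; that is the "less access than required" shape of problem described on the Best Practice Testing slide, and an outcome test for a candidate administrator would surface it before a user report does.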

Page 30

Demo

Page 31

Demo Scenario

▪ 2 users have reported access issues with the HR folder
  ▪ Ian Irons (demoian), an HR Consultant, says he can’t see the folder when he should have access.
  ▪ Ivy Ives (demoivy), a Sales Director and a security conscious user, says she can see the folder when she shouldn’t have access.
▪ Investigate to see why, and how security testing would have helped avoid this issue with a combination of:
  ▪ Best practice testing
  ▪ Implementation testing
  ▪ Outcome testing

Page 32

Questions / Contact Us

Email: [email protected]
Web: www.metacoda.com
Twitter: twitter.com/metacoda
Facebook: facebook.com/Metacoda
LinkedIn: linkedin.com/company/metacoda
YouTube: www.youtube.com/user/metacoda

Page 33

PRODUCTIVITY THROUGH METADATA VISIBILITY