FANS - SAS Nordic Users Group, June 2018
Paul Homes, Metacoda
PRODUCTIVITY THROUGH METADATA VISIBILITY
How do you know it's secure if you don't test it?
@metacoda #SASFANS #metacodaInNordics
How Do You Know Your SAS Platform is Secure?
▪ … if you don’t test it?
▪ … and test it thoroughly?
▪ … and test it regularly?
▪ Not just at the start of a project … changes always happen
▪ Small changes can have big (sometimes unexpected) impacts!
» … in non-obvious locations … drives need for wide-scale testing
▪ How do you know if it’s still secure after changes?
» … if you’re not testing it regularly? – e.g. daily/hourly
» … and thoroughly / widely?
How Often are Access Controls Changed?
▪ 65% of SAS admins surveyed change security daily/weekly/monthly
▪ … are they tested when they are made and how thoroughly?
Source: Here’s what 72 SAS admins told us… https://www.metacoda.com/en/2017/11/what-72-sas-admins-told-us/
How Much Time is Spent Testing?
▪ 80% of SAS admins surveyed conduct testing for an hour at most
▪ … which is not much when testing is done manually
Source: Here’s what 72 SAS admins told us… https://www.metacoda.com/en/2017/11/what-72-sas-admins-told-us/
Is Enough Time Spent Testing?
▪ 35% of those surveyed don’t have time to test thoroughly
▪ … we wonder how the others can be so confident ;-)
Source: Here’s what 72 SAS admins told us… https://www.metacoda.com/en/2017/11/what-72-sas-admins-told-us/
GDPR: Data Protection By Design & By Default (Art. 25)
“The controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement
appropriate technical and organisational measures, …, which are designed to implement
data-protection principle”
“The controller shall implement appropriate technical and organisational measures for
ensuring that, by default, only personal data which are necessary for each specific purpose of
the processing are processed.”
GDPR Privacy/Security by design and default – Metacoda can help! https://www.metacoda.com/en/2017/08/gdpr-privacysecurity-by-design-and-default-metacoda-can-help/
GDPR: Security of Processing (Art. 32)
“implement appropriate technical and organisational measures to ensure a level of security appropriate to
the risk”
“the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing
systems and services”
“a process for regularly testing, assessing and evaluating the effectiveness of technical and
organisational measures for ensuring the security of the processing”
GDPR Privacy/Security by design and default – Metacoda can help! https://www.metacoda.com/en/2017/08/gdpr-privacysecurity-by-design-and-default-metacoda-can-help/
SAS Metadata Security Testing Types
▪ In order of least to most effort …
▪ Best Practice Testing
▪ Is security following practices / styles known to work?
▪ Little regard to organizational specifics – easy/quick
▪ Implementation Testing
▪ Has security been implemented as required?
▪ Who? / What? / Where? – organization specific – needs design
▪ Outcome Testing for Candidate Users & Objects
▪ Is security giving the end result the way we expect?
▪ Implementation doesn’t always give us what we expect – conflicts etc.
▪ Safety net / improves confidence
SAS Metadata Security Testing Strategies
▪ DevOps: Test Driven Design (TDD)
▪ … write automated tests before you implement the security
▪ DevOps: Continuous Testing (CT)
▪ … run the tests automatically to continuously test changes
▪ Consider Independent Testing
▪ Who designs, creates and runs the tests?
▪ Implementors / SAS admins?
▪ Independent Internal QA/Test/Audit team?
▪ Independent 3rd party organization?
Manual or Automatic Testing?
▪ From our experience:
▪ It’s almost exclusively an ad-hoc manual process
▪ It takes too long, it’s inconsistent & it’s error-prone
▪ Consequently it’s not done …
▪ with enough coverage & reliability to detect problems
▪ with enough frequency to detect them promptly
▪ So we looked at how we could automate it …
SAS Global Forum 2014 Paper https://support.sas.com/resources/papers/proceedings14/1761-2014.pdf
About Metacoda
• Provide add-ons to SAS® Software for enhanced metadata visibility and exploitation
• Metacoda Identity Sync
• Metacoda Security Plug-ins
• Metacoda Testing Framework
• Metacoda Utility Plug-ins - free
• Custom Tasks (for SAS Enterprise Guide & AMO) - free
• Goals:
• Improve your productivity through enhanced metadata visibility
• Helping to keep your SAS platform secure
… since 2007
Metadata Security Testing Framework
▪ An optional automated SAS metadata security testing framework includes:
▪ Test Runner: a Metacoda plug-in used to interactively run metadata security test specifications from XML files.
▪ Batch Interface: automated scheduled metadata security tests with HTML results and alert emails.
▪ Test Exports: several Metacoda plug-ins can export metadata security test specifications, as XML files, from an existing known-good metadata server.
SAS Metadata Security Testing https://platformadmin.com/blogs/paul/2014/03/sas-metadata-security-testing/
Metadata Security Testing: Run Tests
An engine that tests metadata against XML Test Specifications
• Implementation:
• ACTs
• Users (& Logins)
• Groups (& Logins)
• Roles
• Capabilities
• Applied Access Controls (Protected Objects)
• Internal Logins
• Outcome: Effective Permissions
• Best / Recommended Practices
• Interactive
• Batch
Metadata Security Testing: Run Tests
ACTs.xml
Metadata Security Testing: Export Tests
An engine that exports metadata as XML Test Specifications
• Implementation Tests:
• ACTs
• Users (& Logins)
• Groups (& Logins)
• Roles
• Capabilities
• Applied Access Controls (Protected Objects)
• Internal Logins
• Outcome / Effective Permission Tests
Set of Starter Tests
Metadata Security Testing: Export Tests
ACTs.xml
Consistency Testing Different Environments
Export Metadata Security Test XML files from source environment to test for consistency in target environment.
Metadata Security Testing: Cross-Environment
▪ Test for consistency across multiple environments …
[Diagram: Production (Lev1), Test (Lev2) and Development (Lev3) environments linked by "Test" arrows]
Metadata Security Testing: Cross-Version
▪ Test for consistency during SAS version upgrades …
[Diagram: SAS 9.2 (Lev1), SAS 9.3 (Lev1) and SAS 9.4 (Lev1) linked by "Test" arrows]
1: Best Practice Testing
… is security following practices known to work?
Benefits of Best Practice Testing
▪ Ensure your SAS metadata security implementation conforms to well-known best practice approaches or rules
▪ Faster on-boarding of future employees / contractors
▪ Deviation from best practices is often a quick way to identify areas of inadequate / ineffective security:
▪ Higher likelihood of conflicts
▪ People with less access than required (will usually let you know)
▪ People with more access than required (will rarely let you know) <<!!
Testing SAS Metadata Security Best Practices
▪ Several Models/Examples: similar with differences…
▪ SAS 9.4 Intelligence Platform Security Administration Guide: Access to Metadata Folders
http://documentation.sas.com/?cdcId=bicdc&cdcVersion=9.4&docsetId=bisecag&docsetTarget=n1ve38xbqyt4mmn1lzjef4ldglob.htm&locale=en
▪ GEL Model (8 Golden Rules)
Five papers on Recommended SAS 9.4 Security Model Design (2017)
David Stern, Principal Technical Architect, SAS Global Enablement and Learning (GEL)
https://bit.ly/SASUKMetacodaWebinar
▪ Danish Model (6 Golden Rules)
SAS Global Forum 2011 Paper 376-2011: Best Practice Implementation of SAS Metadata Security at Customer Sites in Denmark
Cecily Hoffritz & Johannes Jørgensen, SAS Institute Inc., Copenhagen, Denmark
https://support.sas.com/resources/papers/proceedings11/376-2011.pdf
▪ US Model
SAS Global Forum 2017 Paper SAS709-2017: Getting Started with Designing and Implementing a SAS® 9.4 Metadata and File System Security Design
Angie Hedberg & Philip Hopkins, SAS Institute Inc.
http://support.sas.com/resources/papers/proceedings17/SAS0709-2017.pdf
Best Practices & Metacoda Testing Framework
▪ Testing Framework supports automated scheduled configurable testing of conformance to various best practices approaches:
▪ Only Groups in ACTs (No Users)
▪ Only Groups in ACEs (No Users)
▪ Only Implicit Group Denials (PUBLIC/SASUSERS)
▪ No (Unexpected) ACEs
▪ No Unprotected ACTs
▪ No Group Membership Loops
▪ … and more …
Testing Recommended Practices with SAS Metadata Security https://platformadmin.com/blogs/paul/2015/06/testing-recommended-practices/
Testing for GEL / Golden Rules
…
<AllowNoACEs/>
<AllowOnlyGroupsInACTs/>
<AllowOnlyGroupsInACEs/>
<AllowOnlyImplicitGroupDenials/>
<AllowNoUnprotectedACTs/>
<AllowNoGroupMembershipLoops/>
<AllowNoRoleContributionLoops/>
<AllowNoGroupsWithImplicitMembers/>
…
[Slide annotations map the test elements above to GEL Rule #1, GEL Rule #2 and GEL Rule #3]
Following SAS GEL Security Rules with Metacoda Security Tests https://platformadmin.com/blogs/paul/2017/06/sas-gel-security-rules-with-metacoda-security-tests/
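The best-practice checks listed on the previous slides (only groups in ACTs, only implicit group denials, no group membership loops) are simple structural rules, so they can be stated as code. The following Python is an added example, not code from this deck or from the Metacoda Testing Framework: it runs three such checks over a constructed toy model of ACT permission patterns and group memberships that deliberately contains one violation of each rule. The function names reuse the test element names from the slide; the dict layout, the sample data, and the reading of "only implicit group denials" as "denials belong only on PUBLIC/SASUSERS" are assumptions of this example.

```python
"""Best-practice checks over a simplified SAS metadata security model.

Constructed example: the model is a set of plain dicts standing in for
ACTs, group memberships and identities. The check names mirror the test
elements on the slide (AllowOnlyGroupsInACTs, AllowOnlyImplicitGroupDenials,
AllowNoGroupMembershipLoops); the data structures and rule readings are
assumptions for this example, not the Metacoda Testing Framework's own code.
"""
from typing import Dict, List, Set

# Implicit groups in SAS metadata: every identity is a member of PUBLIC,
# every registered identity is also a member of SASUSERS.
IMPLICIT_GROUPS = {"PUBLIC", "SASUSERS"}

# Constructed sample model (not from any real environment).
# ACT permission patterns: identity -> comma-separated +/-permission list.
ACTS: Dict[str, Dict[str, str]] = {
    "Default ACT": {
        "PUBLIC": "-RM,-WM",
        "SASUSERS": "+RM,-WM",
        "SASAdministrators": "+RM,+WM",
    },
    "HR Access": {
        "PUBLIC": "-RM,-WM",
        "HR Users": "+RM",
        "demoivy": "-RM",   # a user named directly in an ACT: violates "only groups in ACTs"
        "Sales": "-RM",     # explicit denial of a non-implicit group
    },
}
GROUP_MEMBERS: Dict[str, List[str]] = {   # group -> direct members (groups or users)
    "HR Users": ["HR Consultants"],
    "HR Consultants": ["demoian", "HR Users"],   # HR Users -> HR Consultants -> HR Users
    "Sales": ["demoivy"],
    "SASAdministrators": ["sasadm"],
}
USERS: Set[str] = {"demoian", "demoivy", "sasadm"}


def only_groups_in_acts(acts, users):
    """AllowOnlyGroupsInACTs: flag any ACT whose pattern names a user directly."""
    return [f"{act}: user '{ident}' in ACT pattern"
            for act, pattern in acts.items() for ident in pattern if ident in users]


def only_implicit_group_denials(acts):
    """AllowOnlyImplicitGroupDenials (as read here): denials belong on PUBLIC/SASUSERS;
    deny-broadly-then-grant is less conflict-prone than denying named identities."""
    findings = []
    for act, pattern in acts.items():
        for ident, perms in pattern.items():
            if ident in IMPLICIT_GROUPS:
                continue
            denied = [p for p in perms.split(",") if p.startswith("-")]
            if denied:
                findings.append(f"{act}: explicit denial {','.join(denied)} for '{ident}'")
    return findings


def group_membership_loops(members):
    """AllowNoGroupMembershipLoops: depth-first search for a cycle in group nesting."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {g: WHITE for g in members}
    loops = []

    def visit(group, path):
        colour[group] = GREY
        for m in members.get(group, []):
            if m not in members:          # a user, not a group: cannot continue a cycle
                continue
            if colour[m] == GREY:         # back edge: we are still inside m's traversal
                loops.append(" -> ".join(path + [group, m]))
            elif colour[m] == WHITE:
                visit(m, path + [group])
        colour[group] = BLACK

    for g in members:
        if colour[g] == WHITE:
            visit(g, [])
    return loops


def run_best_practice_tests(acts=ACTS, members=GROUP_MEMBERS, users=USERS):
    """Return {test name: list of findings}; an empty list means the test passed."""
    return {
        "AllowOnlyGroupsInACTs": only_groups_in_acts(acts, users),
        "AllowOnlyImplicitGroupDenials": only_implicit_group_denials(acts),
        "AllowNoGroupMembershipLoops": group_membership_loops(members),
    }


if __name__ == "__main__":
    for test, findings in run_best_practice_tests().items():
        print(f"{test}: {'PASS' if not findings else 'FAIL'}")
        for f in findings:
            print("   ", f)
```

Run against the sample model, all three tests fail and each reports the planted violation; in a scheduled run the same functions would be fed the ACT patterns and memberships read from the metadata server, and a non-empty finding list is what should raise the alert email the Batch Interface slide mentions.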
2: Implementation Testing
… has security been implemented as expected?
Implementation Testing▪ Users: Groups, Roles, Capabilities, Logins (for key users)
▪ Groups: Members, Groups, Roles, Capabilities, Logins
▪ Roles: Members, Capabilities, Contributions
▪ ACTs: Permission Patterns, Objects, Access Controls
▪ Protected Objects: Applied Access Controls
▪ ACTs
▪ ACEs (Explicit Permissions) for Groups/Users
▪ Permission Conditions: VA Conditional Grants, OLAP Member Level …
3: Outcome Testing
… is security working the way we expect?
Outcome Testing: Effective Permissions
▪ Verify Effective Permissions …
▪ for candidate users / groups
▪ on candidate objects
▪ The “end result” … sensitive to:
▪ Users identity hierarchy (groups)
▪ Objects inheritance path
▪ ACTs & explicit permissions applied to objects in the path
▪ Repository ACT
Outcome Testing: Effective Permissions on Objects
<Objects>
  <Object required="true" publicType="ACT" name="Default ACT">
    <EffectivePermissions>
      <Group required="true" name="SASAdministrators" permissions="+RM,+WM"/>
      <Group name="SAS System Services" permissions="+RM,-WM"/>
      <Group name="SASUSERS" permissions="+RM,-WM"/>
      <Group name="PUBLIC" permissions="-RM,-WM"/>
      <User name="sasadm" permissions="+RM,+WM"/>
      <User name="sasdemo" permissions="+RM,-WM"/>
    </EffectivePermissions>
  </Object>
  <Object required="true" publicType="Folder" parentFolder="/" name="HR">
    <EffectivePermissions> … </EffectivePermissions>
  </Object>
  …
</Objects>
Demo
Demo Scenario
▪ 2 users have reported access issues with the HR folder
▪ Ian Irons (demoian), an HR Consultant, says he can’t see the folder when he should have access.
▪ Ivy Ives (demoivy), a Sales Director and a security conscious user, says she can see the folder when she shouldn’t have access.
▪ Investigate to see why and how security testing would have helped avoid this issue with a combination of:
▪ Best practice testing
▪ Implementation testing
▪ Outcome testing
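The demo scenario is exactly the case outcome testing exists for: an expectation about the "end result" for a candidate user on a candidate object, checked against what the platform actually grants. The following Python is an added example, not code from this deck or from the Metacoda Testing Framework. It parses a test specification written in the same <Objects>/<EffectivePermissions> layout as the XML on the earlier slide, then compares each expectation with a constructed table standing in for the effective permissions a metadata server would report (the script does not connect to SAS metadata). The sample data plants both reported problems: demoian has lost ReadMetadata on the HR folder and demoivy has gained it. Treating required="true" as "this object or identity must be present" is an assumption of this example.

```python
"""Outcome test: expected effective permissions from an XML test specification
versus the permissions an environment actually grants.

Added example. The XML layout follows the <Objects>/<EffectivePermissions>
fragment on the earlier slide; the 'actual' permissions below are a constructed
stand-in for what a metadata server would report. Not the Metacoda Testing
Framework's code.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Constructed test specification: the HR folder should be readable by HR Users
# (hence by demoian, an HR consultant) and not by demoivy, a Sales Director.
SPEC_XML = """<Objects>
  <Object required="true" publicType="Folder" parentFolder="/" name="HR">
    <EffectivePermissions>
      <Group required="true" name="SASAdministrators" permissions="+RM,+WM"/>
      <Group name="HR Users" permissions="+RM,-WM"/>
      <Group name="PUBLIC" permissions="-RM,-WM"/>
      <User name="demoian" permissions="+RM,-WM"/>
      <User name="demoivy" permissions="-RM,-WM"/>
    </EffectivePermissions>
  </Object>
</Objects>"""

# Constructed 'actual' effective permissions, keyed by (publicType, name), then identity.
# demoian has lost read (a conflict somewhere in the inheritance path),
# demoivy has gained it (an over-broad grant): the two complaints from the demo.
ACTUAL: Dict[Tuple[str, str], Dict[str, str]] = {
    ("Folder", "HR"): {
        "SASAdministrators": "+RM,+WM",
        "HR Users": "+RM,-WM",
        "PUBLIC": "-RM,-WM",
        "demoian": "-RM,-WM",
        "demoivy": "+RM,-WM",
    },
}


def parse_permissions(perms: str) -> Dict[str, str]:
    """'+RM,-WM' -> {'RM': '+', 'WM': '-'}, so comparison ignores token order."""
    out = {}
    for token in perms.split(","):
        token = token.strip()
        if not token or token[0] not in "+-":
            raise ValueError(f"permission must start with + or -: {token!r}")
        out[token[1:]] = token[0]
    return out


def run_outcome_tests(spec_xml: str, actual: Dict[Tuple[str, str], Dict[str, str]]) -> List[str]:
    """Return a list of failure messages; an empty list means every expectation held."""
    failures = []
    root = ET.fromstring(spec_xml)
    for obj in root.findall("Object"):
        key = (obj.get("publicType"), obj.get("name"))
        if key not in actual:
            if obj.get("required") == "true":
                failures.append(f"{key[0]} '{key[1]}': required object missing")
            continue
        observed = actual[key]
        eff = obj.find("EffectivePermissions")
        for ident in (eff if eff is not None else []):   # <Group/> and <User/> children
            name = ident.get("name")
            expected = parse_permissions(ident.get("permissions"))
            if name not in observed:
                if ident.get("required") == "true":
                    failures.append(f"{key[0]} '{key[1]}': no permissions reported "
                                    f"for required {ident.tag} '{name}'")
                continue
            got = parse_permissions(observed[name])
            for perm, sign in expected.items():
                if got.get(perm) != sign:
                    failures.append(f"{key[0]} '{key[1]}': {ident.tag} '{name}' "
                                    f"expected {sign}{perm}, got {got.get(perm, '?')}{perm}")
    return failures


if __name__ == "__main__":
    problems = run_outcome_tests(SPEC_XML, ACTUAL)
    print("PASS" if not problems else "FAIL")
    for p in problems:
        print("   ", p)
```

Both failures surface in one run, before either user has to report them; the same specification, exported from a known-good environment, can be re-run after every access control change (or on the daily/hourly schedule the earlier slides argue for) so that a regression in the HR folder's effective permissions is caught on the day it is introduced.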
Questions / Contact Us
Email: [email protected]
Web: www.metacoda.com
Twitter: twitter.com/metacoda
Facebook: facebook.com/Metacoda
LinkedIn: linkedin.com/company/metacoda
YouTube: www.youtube.com/user/metacoda
PRODUCTIVITY THROUGH METADATA VISIBILITY