Security Archives - Business Intelligence Info

Tag Archives: Security

Why Millennials Prefer the Security of Microsoft Dynamics Over Other CRM Systems

May 16, 2020 CRM News and Info

With so many privacy scandals making headlines, the current workforce well understands the importance of security. Choosing a system that provides this protection for employees and customers is essential for Millennials, who make up the majority of modern employees.

Microsoft Dynamics is a leader in global security. Microsoft delivers layered security in all applications to allow workers to do their best work anywhere with full confidence. Consider briefly how Microsoft Dynamics provides the security needed for any company:

Security anywhere

Microsoft Dynamics provides physical and virtual security. These include access control, encryption, and authentication. This helps protect data on all devices whether it be mobile phones, tablets, or computers. Role-based security defines access to system data no matter where they are working.

Intelligent security

As security risks continue to rapidly grow, modern workers not only want but expect the systems they work with to be protected. Microsoft Dynamics meets these expectations by using billions of data points globally to engineer techniques and apply intelligence to progressively improve security.

Protect customer data

Employees today want to be confident that the data they collect from customers is secure and fully protected. Microsoft Dynamics keeps this data safe by preventing the disclosure of all personal and financial information. This makes it easy to maintain customer loyalty and comply with industry regulations.

Thomas Berndorfer, CEO of Connecting Software trusts Microsoft Dynamics to be completely secure in handling his company’s sensitive information. He says: “Dynamics 365 provides a robust data security model, and add-on products ensure data protection between D365 and other Microsoft apps.”

Would you like to see how they use Microsoft Dynamics’ security could benefit your business?

Read this and 18 other reasons why Millennials prefer Microsoft Dynamics in the workspace by downloading the full eBook “21 Reasons Millennials Prefer Microsoft Dynamics” at www.crmsoftwareblog.com/millennials to read 17 more reasons why Millennials prefer Microsoft Dynamics in the workspace.

Find a Microsoft Dynamics 365 Partner

By CRM Software Blog Writer, www.crmsoftwareblog.com

Let’s block ads! (Why?)

CRM Software Blog | Dynamics 365

Get User Security Role Name from context in Dynamics 365 CE

April 20, 2020 Microsoft Dynamics CRM

Microsoft Dynamics 365 CE/CRM now has a more streamlined method to get the running users security role name without having to make a client-side API call. In the spring of 2020 there has been an update to the SDK to mark the deprecation of userSettings.securityRoles. It has been replaced with userSettings.roles.

Get User Security Role Name from context in Dynamics 365 CE

userSettings.roles provides not only the security role guids from the global context, but the security role names as well.

A common design pattern in use today is to enable/disable or hide/show client-side form attributes as a part of controlling a business logic form flow. This has been achieved with a JavaScript WebResource in several different patterns. The challenge is that quite a few patterns can cause poor client-side performance, especially in high latency environments. Here are some example conversations from the Microsoft Dynamics CRM Forum community on the subject:

If you are fortunate enough to have engaged with a Dynamics 365 CE/CRM DSE or a Microsoft in a Performance Delivery, you may have been provided a sample JavaScript pattern using browser caching that alleviated unnecessary Web API calls.

Hiccup Note: While writing this blog I uncovered a bug where the name values are incorrect when an Owner Team is providing additional security roles. There is already a bug in place and is targeting the 4.4 train (end of May 2020) release. In mean time feel test on a development environment in preparation for the bug fix release. I will be updating this blog to remove this statement one the the fix has reached North America. Please check back and/or follow this blog post for updates.

So let’s take a look at a JavaScript sample that uses the new userSettings.roles

Get User Security Role Name from context in Dynamics 365 CE

Add a JavaScript web resource.

Add the web resource as a reference on a Case form.

Publish the changes.

Identify a test user with security roles for testing.

Open a Case record.

Now we can inspect the Developer Tools (F12) in the browser (example here in Microsoft Edge based on Chromium). Note: you might need to refresh the form with a Shift+F5 to replay the form load.

We see we get the global context and inspect userSettings.roles by hovering the cursor over roles.

5857 Get User Security Role Name from context in Dynamics 365 CE

By expanding _collection: we see the running user security role guids …

8585 Get User Security Role Name from context in Dynamics 365 CE

And if we scroll to the right we see the corresponding security role name …

1185 Get User Security Role Name from context in Dynamics 365 CE

Let’s block ads! (Why?)

Dynamics 365 Customer Engagement in the Field

SQL Server Machine Learning 2019: Working with Security Changes

February 24, 2020 BI News and Info

I have a confession to make. Why, in my last article about shortest_path in SQL Server 2019, have I used Gephi in order to illustrate the relationships, instead of using a script in R for the same purpose and demonstrate Machine Learning Services as well?

The initial plan was to use an R script; however, the R script which works perfectly in SQL Server 2017 doesn’t work in SQL Server 2019.

This is the original R script I had planned to use:

EXEC Sp_execute_external_script

@language = N‘R’,

@script = N‘ require(igraph)

g <- graph.data.frame(graphdf)

V(g)$ label.cex <- 2

png(filename = “c:\R\plot1.png”, height = 1200, width = 1200, res = 100);

plot(g, vertex.label.family = “sans”, vertex.size = 40)

dev.off() ‘,

@input_data_1 = N‘select LikeMember.MemberName as LikeMember,

LikedMember.MemberName as LikedMember

from dbo.ForumMembers as LikeMember, dbo.ForumMembers as LikedMember,

Likes

where Match(LikeMember-(Likes)->LikedMember)’,

@input_data_1_name = N‘graphdf’

The purpose of the script was only to create an image file with the relationships stored in graph tables, but in SQL Server 2019, it results in an access denied message.

If you would like to reproduce this demonstration, you can use this script file to create the database in a SQL Server 2017. You must also install the R packages needed by the script. There are many ways to do it. My favourite is this:

Open windows explorer
Browse to the SQL Server R folder, usually is this one: C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\R_SERVICES\bin
Execute the R.EXE application
Execute the instruction install.packages(“igraph”) , where “igraph” is the name of the package to be installed

When you try and run the above R script. It will work well in SQL Server 2017, and fail in SQL Server 2019 with the error message you can see in the image below:

a screenshot of a cell phone description automati 14 SQL Server Machine Learning 2019: Working with Security Changes

During PASS Summit, I was able to ask questions to the Microsoft employees in the Data Clinic, and they explained the differences between the two versions. The explanation hasn’t solved all the problems, but I was able to find a solution and create a workaround for this script.

While researching the workaround, I saw many examples of R scripts manipulating files and all these examples may fail in SQL Server 2019. Highlighting this problem, solution, and workaround in this article will be important to everyone using SQL Server Machine Learning and planning to migrate to SQL Server 2019.

First, I’ll review how Machine Learning in SQL Server works: it involves the execution of an external script, in R or Python, but has a flexible structure, you could create your own external language. The execution itself is started by a service called SQL Server Launchpad, isolating the execution from SQL Server itself. The image below (from What is the Machine Learning Server) illustrates how the execution architecture works, although this article will not go so deep into the architecture.

a screenshot of a cell phone description automati 15 SQL Server Machine Learning 2019: Working with Security Changes

Launchpad in SQL Server 2017

In SQL Server 2017 the Launchpad starts processes for each execution. The processes need an identity, so SQL Server dynamically creates users inside the group SQLRUserGroup. In the following image, you can see two groups, SQLRUserGroup, for SQL Server 2019 and SQLRUserGroupSQL2017 for SQL Server 2017, since I have both in the same machine.

The difference in the name is due to the instance name; SQL Server 2019 is the default instance in my machine. Due to that, its user group name has only the core name, while SQL Server 2017 is in an instance called SQL2017, so the instance name is attached to the core group name.

The processes have access to the machine resources, limited by the permissions given to the SQLRUserGroup. Since SQL Server 2017 creates many users, you shouldn’t grant permissions directly to the users, only to the group.

In order to be able to manipulate files in the file system, you only need to give the correct permissions to the group SQLRUserGroup. The image below shows the group and users for SQL Server 2017

a screenshot of a cell phone description automati 16 SQL Server Machine Learning 2019: Working with Security Changes

Launchpad in SQL Server 2019

In SQL Server 2019, the Launchpad was improved. Instead of using processes for each execution, it uses app containers. The app containers need only a single identity, so they use the same identity as the Launchpad service.

While the 2017 version, the SQLRUserGroup, had many users; in the 2019 version, it has only one, the Launchpad service account. The image below shows the group for SQL Server 2019.

a screenshot of a cell phone description automati 17 SQL Server Machine Learning 2019: Working with Security Changes

Nowadays, when talking about containers immediately, we think about Docker, but not in this case. The app containers I’m mentioning here are a sandbox set of APIs introduced in Windows 8. These allow any application to create app containers and start an execution inside an app container.

The app containers work as isolated virtual machines (but much more lightweight, of course). This means that you can’t access the file system of the host (your SQL Server), neither for reading or to save files. You save any files inside the app container, and they are destroyed after the app container is released. In fact, the container is redirected to save files in a temporary folder inside the host hard drive. This increases the security, no doubt about that, but any script dealing with the file system may need changes to work in SQL Server 2019.

These app containers are created by Launchpad using the windows Sandbox API. The Launchpad doesn’t offer any way to customize the app containers creation, which could solve the problem.

You can learn more about app containers with these two links:

https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849
https://www.malwaretech.com/2015/09/advanced-desktop-application-sandboxing.html

Proving this Concept

In order to determine this concept, you can use a script in R to access the disk and list the files. You can execute the script below in both SQL Server versions, 2017 and 2019, and compare the results. In SQL Server 2017, the script will have access to the host disk. In SQL Server 2019, the script will have access only to a fake disk, which is, in fact, a temporary folder in the host disk and will be deleted after its use by the app container.

EXEC Sp_execute_external_script

@language = N‘R’,

@script = N‘data <- list.files()

data2 <- data.frame(data)’,

@output_data_1_name = N‘data2′

EXEC Sp_execute_external_script

@language = N‘R’,

@script = N‘data <- list.dirs(“..\”)

data2 <- data.frame(data)’,

@output_data_1_name = N‘data2′

EXEC Sp_execute_external_script

@language = N‘R’,

@script = N‘data <- list.dirs(“..\..”)

data2 <- data.frame(data)’,

@output_data_1_name = N‘data2′

The image below the script shows the result in SQL Server 2019.

Solutions

The app containers are created during the SQL Server Machine Learning services setup. They are objects inside the Windows local directory, and such as all the objects in the local directory, they have a unique SID to identify the app container.

You can define file system permissions directly for the SIDs. The problem is: How to identify the SID’s of the app containers since they are not listed as user or groups.

Analyse two possible solutions:

Easy and tempting: You can give permission to the object called All Application Containers. The R scripts will have the file system permission; however, any other app container eventually running on the same machine will have the file system permission as well.
Secure: You can identify the SIDs of the app containers installed by SQL Server and give permissions directly to them. In this way, only the app containers used by the SQL Server Machine Learning Services will receive these permissions

You can test both solutions using a straightforward script. First, create a folder called C:\testFolder and copy some files, any files, to the folder. Try to list the files in this folder using the script below.

EXEC Sp_execute_external_script

@language = N‘R’,

@script = N‘data <- list.files(“c:\testFolder”)

data2 <- data.frame(data)’,

@output_data_1_name = N‘data2′

All Application Containers

The All Application Container object has a fixed SID in the local directory, which is S-1-15-2-1 . You can use the application icacls to grant permission

Execute the R script above against the 2019 instance using SSMS. The script will return no result
Press Win+R and type CMD to open a command prompt as administrator
Type the following instruction and press ENTER

icacls c:\testFolder /grant *S-1-15-2-1:(OI)(CI)F /t

Using Windows Explorer, right-click the testFolder and select Properties in the context menu
In the Properties window, click the Security tab. You will be able to confirm the permission, like the image below.

Open SQL Server Configuration Manager
On the left side of SQL Server Configuration Manager, select SQL Server Services
In the right-side of SQL Server Configuration Manager, right-click the Launchpad service and select Restart item in the context menu
Execute the same R script again in SSMS. This time it will work and list the files in the folder.

a screenshot of a cell phone description automati 18 SQL Server Machine Learning 2019: Working with Security Changes

Delete the testFolder folder so that you can continue with the other solution below

Using the App Containers SID

The challenge you will face when giving permissions to the App Containers SID is to discover which are the App Containers SID. There is not a direct solution for that, although, after knowing where to look, it becomes easy. SQL Server installs firewall rules in Windows Firewall in order to forbid app containers from making external contact to the network. These firewall rules are created precisely to block the app containers SID from using the network, so you can identify these SIDs by analysing these firewall rules.

If you look at the firewall rules, you can see that the app containers are blocked.

word image 81 SQL Server Machine Learning 2019: Working with Security Changes

The firewall UI doesn’t provide the SIDs, however. You need to dig deeper using PowerShell to retrieve the SIDs from the firewall rules.

The PowerShell command is a combination of the cmdlet Get-NetFirewallRule, to retrieve the firewall rules and the cmdlet Get-NetFirewallApplicationFilter in order to retrieve, from each rule, the app container filter information.

The complete PowerShell command line is this:

(Get-NetFirewallRule | Where-Object { ($ _.Direction -eq “Outbound”) -and ($ _.DisplayName -like “*appcontainer*”)}) | %{ ($ _ | Get-NetFirewallApplicationFilter) | %{Write-Output $ _.Package } }

Analyse this command line in more detail:

Get-NetFirewallRule will retrieve all the firewall rules in Windows Firewall
Where-Object filters the firewall rules, retrieving only the outbound rules which contains ‘appcontainer’ in the name
The expression %{ } is a shortcut to foreach-object so that the instructions will be executed for each firewall rule
Get-NetFirewallApplicationFilter is executed for each firewall rule, having the firewall rule ($ _ ) as a parameter
The expression % { } is used again to run one line for each application filter found
The Write-Output shows the value of the Package property on each application filter

a black and blue text description automatically g 1 SQL Server Machine Learning 2019: Working with Security Changes

Having discovered the SIDs, you need to set the permission to the folder. The instruction will look like the one below for each SID.

ICACLS “C:\testFolder” /grant “*S-1-15-2-1853514363-3573294594-1452771951-225645021-3819702349-824866239-3302992986″:(OI)(CI)F /t

You could copy and paste all the sids returned to create a batch file to set the permissions, but PowerShell can do all of this you as well. The following script prompts you for a file path, the one where you want Machine Learning to have access, and sets the permissions:

Param (

[Parameter(

Mandatory)]

[string]

$ FolderName

)

Get-NetFirewallRule |

Where-Object {

$ _.Direction -eq “Outbound” -and

$ _.DisplayName -like “*appcontainer*”

} |

ForEach-Object {

$ _ |

Get-NetFirewallApplicationFilter |

ForEach-Object {

$ Acl = Get-Acl $ FolderName

$ Sec= New-Object System.Security.Principal.SecurityIdentifier($ _.Package)

$ AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule(

$ Sec,

“FullControl”,

(1 -bor 2),

“Allow”

)

$ Acl.SetAccessRule($ AccessRule)

$ Acl |

Set-Acl $ FolderName

} # end 2nd FE-O

} # end 1st FE-O

The script is using COM objects System.Security.Principal.SecurityIdentifier and System.Security.AccessControl.FileSystemAccessRule in order to set the access rule on the folder.

After running the script, take a look at the security properties of the folder, and the R script should now work from SQL Server 2019.

word image 82 SQL Server Machine Learning 2019: Working with Security Changes

Workaround with a FileTable

Although I have identified two solutions, it’s interesting to notice Microsoft is moving SQL Server Machine Learning towards a more secure environment, avoiding network and file system access. Considering this, you may like to use an alternative solution.

There are some options, all based on returning the image as an output parameter to SQL Server. Here is one of the options.

A filetable can map a disk folder as a table in SQL Server. This a very good solution when you need to deal with files. The script in R will see the table as a regular table. While reading or inserting into the table, the script will be reading and inserting from/to the disk.

It’s a very good solution for a permanent environment, however, it has some problems:

You can’t define the final location of each file using SQL Server configuration. The filetable will be exposed from the server as a sharing folder, not a disk folder, so there is a slight difference in relation to the initial planning.
Filetable is not supported in Azure PaaS cloud solutions, so you will be tied to IaaS solutions, which means creating and maintaining a virtual machine in Azure, or an on-premise environment.

The Filetable technology was created in SQL Server 2016, based on the filestream technology which was built on the previous version.

Enabling Filetable in SQL Server

A filetable solution needs some administrative care; for this reason, this solution can only be used after enabling it on a server configuration level. Follow these steps to enable this solution:

Open SQL Server Configuration Manager
On the left side of SQL Server Configuration Manager, select SQL Server Services
On the right side, double click the SQL Server service you are using
On the SQL Server properties window, select the FileStream tab

a screenshot of a cell phone description automati 19 SQL Server Machine Learning 2019: Working with Security Changes

In the filestream tab, check the box Enable filestream for Transact-SQL Access
In the filestream tab, check the box Enable filestream for I/O Access
The textbox Windows Share Name will be filled with the default value MSSQLSERVER. You can change it, but leave this default for now
In the filestream tab, check the box Allow remote clients to access filestream data.
Click the Ok button in the SQL Server Properties window
In the right-side of SQL Server Configuration Manager, right-click the SQL Server service and select Restart item in the context menu

a screenshot of a cell phone description automati 20 SQL Server Machine Learning 2019: Working with Security Changes

In SSMS, change the FileStream access level configuration using the following code:

EXEC sp_configure ‘filestream access level’, 2

RECONFIGURE

Value 1 enables filestream only for T-SQL access, which is not enough for filetable. Value 2 enables filestream for T-SQL and I/O access.

Preparing the Database to Support Filetable

In order to support filetable, you need to make some changes to the database. You need to create a filegroup to contain the filestream data, configure a special file, which will point to a folder and change some database settings.

Here is the T-SQL to execute for the database. Be sure to delete the c:\R folder before running this code:

ALTER DATABASE graphdemo ADD filegroup filestreamgroup

CONTAINS filestream

ALTER DATABASE graphdemo ADD FILE (NAME=fs, filename=‘c:\R’)

TO filegroup filestreamgroup

In SSMS, Object Explorer, right-click the GraphDemo database and select Properties in the context menu

In the database properties window, set the property Filestream Directory Name to RFiles. During further steps, you will better understand what this means.
In the database properties window, set the property Filestream Non-Transaction access to Full

In the database properties window, click the Ok button
Confirm the close of database connections clicking the Ok button in the dialog box that will appear

a screenshot of a cell phone description automati 21 SQL Server Machine Learning 2019: Working with Security Changes

Create the filetable using the following T-SQL:

CREATE TABLE images AS filetable WITH

(

filetable_directory = ‘Images’

);

The filetable you created, Images, is linked to a folder. Which folder? If you check the path c:\R, which was used to configure the database file, you will find some files and folders, but it’s not easy to understand them. So, what’s missing?

Follow these steps to see:

Click win+R
Type \localhost and click Ok You will find the share MSSQLSERVER, that’s the name you configured in SQL Server Configuration Manager. Now that you know how the name is used, you can choose a better name if needed.

Open the share MSSQLSERVER You will find a folder called RFiles. That’s the configuration made for the database. Each database configured to use filestream will have a share inside \Localhost\MSSQLSERVER

a screenshot of a cell phone description automati 22 SQL Server Machine Learning 2019: Working with Security Changes

Open the folder Rfiles You will find another folder called Images, the name used for the filetable. Each filetable in the database GraphDemo will have its own folder inside \localhost\MSSQLSERVER\RFILES

a screenshot of a cell phone description automati 23 SQL Server Machine Learning 2019: Working with Security Changes

Open the folder Images. The folder is empty.
In SSMS, execute the following query:

select * from Images

The filetable is empty.
Copy a file, any file, to the Images folder, \localhost\MSSQLServer\RFILES\Images
Execute the select again in SSMS:

select * from Images

This time the table has one row, exactly the row for the new file you copied. The filetable is linked with the folder. So, if you insert a record inside the filetable, the record will be a file available in the folder, in this way you can save to disk the image generated by the R script

New R Script for Filetable

After preparing the filetable environment, the new script will be this one:

DECLARE @img VARBINARY(max)

EXEC Sp_execute_external_script

@language = N‘R’,

@script = N‘ require(igraph)

require(hexView)

g <- graph.data.frame(graphdf)

V(g)$ label.cex <- 2 png(filename = “plot1.png”, height = 1200, width = 1200, res = 100);

plot(g, vertex.label.family = “sans”, vertex.size = 40)

dev.off()

img <- readRaw(“plot1.png”)

imageContent <- img$ fileRaw’,

@input_data_1 = N‘select LikeMember.MemberName as LikeMember,

LikedMember.MemberName as LikedMember

from dbo.ForumMembers as LikeMember, dbo.ForumMembers as LikedMember,

Likes

where Match(LikeMember-(Likes)->LikedMember)’,

@input_data_1_name = N‘graphdf’,

@params = N‘@imageContent varbinary(max) OUTPUT’

@imageContent = @img output;

INSERT INTO images (NAME, file_stream)

VALUES (‘test.png’, @img)

The script is very similar to the initial one; however, this time, it results in an output variable with the image.

Here are the differences between this script and the original:

A varbinary(max) variable which will be used as an output
A new R library, hexView, must be installed in order to do additional manipulations in the file (yes, you will still use a file)
After saving the plot to disk, it’s read back, reading the raw file content
The variable where you stored the raw image (imageContent) is defined as a parameter using the @params argument of the sp_execute_external_script
You need to link this script variable with a variable outside the script to get the content
Finally, you insert the variable into the filetable

The result of the execution of the script above will be a new file in the folder, you can check by accessing \localhost\MSSQLSERVER\RFILES\Images

a screenshot of a cell phone description automati 25 SQL Server Machine Learning 2019: Working with Security Changes

Conclusion

During my research on the web, I saw many examples of R scripts dealing with the file system. These scripts which are running nowadays in SQL Server 2017 will break in SQL Server 2019 unless one of the changes explained in this article is applied.

You can choose to fix the file system permission or start to avoid direct file system access from the R script. I believe Microsoft will provide a fix for this problem soon, what probably will be an easier way to give permissions to the app container SIDs

Let’s block ads! (Why?)

SQL – Simple Talk

Rudy Giuliani, Security Threat

February 20, 2020 Humor

Like his boss, Rudy Giuliani loves Twitter, but he has a problem. Rudy is a poor typist, and often mistypes URLs in his tweets (along with inserting other spelling errors). A director for a cybersecurity company noted that Giuliani creates these bad URLs regularly. His mistyped URLs have become so common that hackers have started buying up the erroneous URLs and redirecting people unfortunate (or stupid) enough to click on those links to fake pages designed to spread malware.

For example, Giuliani meant to tweet a link to his own website RudyGiulianics.com, but by mistake inserted a space after Rudy. This created a link to Giulianics.com, which didn’t exist until a hacker set up a website for it. That website redirects about six times through websites that collect tracking data on visitors, and then lands on an unsecured website that prompts visitors to download a Google Chrome extension that steals their browsing history and changes their default search engine.

In another example, Giuliani tweeted a link to his website (again), but left out one letter to make it RudyGiuliancs.com. In this case, the hacker who created that domain merely used it to redirect the visitor to the Wikipedia page about Trump’s impeachment.

In yet another example, he left out a space between “G-20” and “.ln”, and Twitter mistook it for a URL and created a link out of it. Just fifteen minutes later a Twitter user had registered the domain and pointed it at an anti-Trump website.

These fat fingered typos can have serious consequences. New York Daily News editorial board member Laura Nahmias admitted that she had clicked on a link in a tweet that was supposedly to Giuliani’s website, but instead was sent to a website that installed malware. Once her computer was infected, she started receiving constant pop-ups for fake antivirus software.

As a high-level journalist, Nahmias takes extra precautions to avoid malware. She brought in the Daily News IT department, who tried several times to remove the bad software, but to no avail. Without any way to stop the malware, she ended up buying a new computer.

Apparently Giuliani doesn’t care about his dangerous mistakes, because he keeps making them. What makes this truly ironic is that at one point, Giuliani was named the Trump administration’s cybersecurity advisor. But of course, Donald Trump hires only the best people.

Let’s block ads! (Why?)

Political Irony

AI Weekly: Announcing our AI and security special issue

February 7, 2020 Big Data

VentureBeat’s second special issue is nigh. Following our first special issue, Power in AI, this next one focuses on AI and security. Each special issue is a package of articles that explores a central topic from a variety of angles, from voices in industry, academia, and our newsroom.

Whether we’re aware of it or not, both AI and cybersecurity are nearly omnipresent in our daily lives at this point, and together they’re of increasing importance as our world becomes more connected, more “intelligent,” and more reliant on online or automated systems. Yet both can seem intractably technical, even for tech-savvy people. Because their significance is pitched against their opaqueness, each has an ominous gravity that only multiplies at the intersection of their Venn diagrams. The easy metaphor is that cybersecurity is a never ending, escalating arms race between good guys and bad guys, and the advent of AI is proverbial nuclear warfare.

Some of that’s true, but the reality is far more illuminating, nuanced, and accessible. There are huge threats posed by cybersecurity that AI technologies may amplify, and so cybersecurity experts need to employ them to protect us — and they are. In this issue, we’ll discuss how the threats are sometimes more sophisticated than ever, but often not. We’ll learn that even as attack and defense systems are more supercharged by technology than ever, the need for human expertise becomes more imperative, not less. And we’ll see that some of the seemingly most onerous threats, like deepfakes and the increasing presence of AI-powered cameras, have practical and political solutions.

Cybersecurity is a battlefield, and AI is creating new fronts in that war, with new weapons and means of defense. But in this special issue, we took a less charged approach, pulling from dozens of interviews with vendors and researchers to understand what’s really going on with AI and security and how we should think about it.

Because after all, even with the added layer of AI technologies, in security there’s nothing new under the sun, or at least very little. It remains an endless cycle of emerging technology that begets both threats and defenses. That’s simultaneously frightening and reassuring.

To get the VentureBeat AI and Security special issue in your inbox on Tuesday morning, February 11, sign up here.

Let’s block ads! (Why?)

Big Data – VentureBeat

Meet the new twist on data encryption that promises better privacy and security for AI

January 16, 2020 Big Data

Presented by Intel

AI and privacy needn’t be mutually exclusive. After a decade in the labs, homomorphic encryption (HE) is emerging as a top way to help protect data privacy in machine learning (ML) and cloud computing. It’s a timely breakthrough: Data from ML is doubling yearly. At the same time, concern about related data privacy and security is growing among industry, professionals and the public.

“It doesn’t have to be a zero-sum game,” says Casimir Wierzynski, senior director, office of the CTO, AI Products Group at Intel. HE allows AI computation on encrypted data, enabling data scientists and researchers to gain valuable insights without decrypting the underlying data or models. This is particularly important for sensitive medical, financial, and customer data.

Meet the new twist on data encryption that promises better privacy and security for AI

Above: Casimir Wierzynski, Senior Director, Office of the CTO, AI Products Group at Intel

Wierzynski leads Intel’s privacy preserving machine learning efforts, including HE work and in developing industry standards for the technology’s use. In this interview, he talks about why HE is needed, its place as a building block of improved privacy, and how the breakthrough technology helps create new business opportunities and data bridges to previously “untrusted partners.”

What and why

Q: What’s does “homomorphic” mean?

In Greek, homo is the same, morphic is the shape. So it captures the idea that if you do encryption in the right way, you can transform ordinary numbers into encrypted numbers, then do the same computations you would do with regular numbers. Whatever you do in this encrypted domain has the same shape as what you’re doing in the regular domain. When you bring your results back, you decrypt back to ordinary numbers, and you’ll get the answer you wanted.

Q: What big problem is the technology is solving?

We live in amazing times, when we have all these new AI products and services, like being able to unlock your phone with your face, or systems that enable radiologists to detect diseases at earlier stages. These products rely on machine learning systems, which are fed and shaped by data that are very sensitive and personal. It’s important for us as an industry — and I would argue as a society — to figure out how we can keep unlocking all the power of AI while still helping protect the privacy of the underlying data. That’s the overarching problem.

Q: Why is HE creating buzz now?

The technique itself has been around for more than 20 years as a theoretical construct. The criticism has been, okay, you can operate on encrypted data, but it takes you a million times longer than using regular data. It was an academic curiosity. But in the last five years, and especially the last two years, there have been huge advances in the performance of these techniques. We’re not talking about a factor of a million anymore. It’s more like a factor of 10 to 100.

Q: Certainly, there’s no shortage of data privacy and protection technologies…

We’ve all gotten good about encrypting data at rest, when it’s on our hard drives, or sending data back and forth over encrypted channels. But when you’re dealing with ML and AI, at some point those data have to be operated on. You need to do some math on those data. And to do that you need to decrypt them. While you’re using the data, the data are decrypted, and that creates a potential issue. We work to provide better protection on both these fronts, anonymization and encryption.

Above: Simple model of secure inference with HE.

Q: In ML with multiple partners, trust is a big issue. How does HE help here?

Whenever you’re dealing with digital assets, you have this phenomenon: When you share a digital asset with another party, it’s completely equivalent to giving it to them, then trusting they’re not going to do something unintended with it.

Now add the fact that ML is fundamentally an operation that involves multiple stakeholders. For example, one entity owns the training data. Another entity owns data they want to do some inference on. They want to use ML service provided by a third entity. Further, they to use an ML model owned by another party. And they want to run all this on infrastructure from some supply chain.

With all these different parties, and because of the nature of digital data, all must trust each other in a complex way. This is becoming harder and harder to manage.

HE in action

Q: Can you give an example of homomorphic encryption at work?

Say you have a hospital doing a scan on a patient, working with a remote radiology service. The hospital encrypts the scan and sends it over to the radiologist. The radiologist does all the processing in the encrypted domain, so they never see the underlying data. The answer comes back, which is also encrypted, and finally the hospital decrypts it to learn the diagnosis.

Q: In the example above, where does HE actually happen? At the scanner?

It could live in multiple places. There are two major components: encryption and decryption. But then there’s also the actual processing of the encrypted data. Encryption typically happens where the sensitive data are first captured, for example, in a camera or edge device. Processing encrypted data happens wherever the AI system needs to operate on sensitive data, typically in a data center. And finally, decryption happens only at the point where you need to reveal the results to a trusted party.

Powerful with other emerging techs

Q: When you speak and write on HE, you also talk about adjacent technologies. Please explain briefly the roles these other building blocks play in preserving privacy.

There are several very promising and rapidly developing technologies that use tricks from cryptography and statistics to do operations on data that seem magical.

All these technologies can be further accelerated and enhanced by hardware security measures called trusted execution environments, such as Intel SGX.

New bridges to partners in AI and ML

Q: So what opportunities are created when these technologies are combined?

One of the questions we’ve been asking at Intel is, what would happen if you could enable ML in these multi-stakeholder operations between parties that don’t necessarily trust each other, like we described earlier? What would that enable?

You could have banks that normally are rivals. But they may decide it’s in their interest to cooperate around certain risks that they all face in common, like fraud and money laundering. They could pool their data to jointly build anti-money laundering models while keeping their sensitive customer data private.

Another example is in the retail sector. Retailers want to make the most out of the data that they’ve collected on shoppers, so they can personalize certain experiences. What if there were a way to enable that and still provide quantifiable protections around the privacy of that data?

New business opportunities

Q: Are there new revenue models and opportunities being created?

One thing that’s exciting about this area is that you start to enable new business models around data that would have previously been impossible. For example, (HE) can be a way to monetize data while helping maintain security. At the same time, it addresses one of the biggest problems in ML, namely, access to large, diverse data sets for building models. So you can imagine a whole ecosystem that brings together people who hold data with people who need data. And very importantly, it’s all done in a way that preserves security and privacy of the data. That’s an exciting possibility.

Q: How advanced is that concept in implementation? Any other or many real-life instances like that?

I would say it’s beyond theory, and in early stages of commercial deployment.

Data is becoming a much bigger asset class than ever before, sometimes in surprising ways. For example, in corporate bankruptcy cases, creditors can end up owning large data sets unrelated to banking in any way. They’re just leftovers of a loan that went sour. So they’re looking for a way to monetize these assets and provide them to data scientists who seek additional training data to make their AI systems more reliable, all while keeping the underlying data private and secure.

Or imagine a bunch of hospitals that have patient data. For various reasons, they can’t share it. But they know if they could, and could get lawyers in the room to hammer out an agreement, they would potentially be able to jointly build a model with much more statistical power than one any could build individually. Using privacy-preserving ML techniques, they can essentially form a consortium and say: “In exchange for all of us owning this improved model that will improve our patients’ outcomes, we’ll be a part of this consortium, and we can still keep all of our patient data private and secure.”

Key role of developers

Q: Where do developers fit in?

As it is now, if you’re an AI data scientist and you want to build a machine learning model that operates on encrypted data, you have to be some magical person, simultaneously an expert in software engineering and data science and post-quantum cryptography.

One of the major efforts that my team has been working on is making these technologies much more accessible and performant for the data science and developer communities so that they can scale up. This is a priority for Intel. Today we’re offering tools like The Intel HE transformer for nGraph, which is a Homomorphic Encryption (HE) backend to Intel’s graph compiler for Artificial Neural Networks.

Above: The nGraph-HE software stack supports the SEAL encryption library and underlying cryptosystems.

Standards and Intel

Q: Some people will ask: Why is Intel active here? The answer is…

For starters, homomorphic encryption is very compute-intensive. This is an area where Intel can really shine in terms of building optimized silicon to handle this fundamentally new way of computing.

But more broadly, those examples from health care, retail, and finance — sectors representing about a quarter of GDP in the United States. These are very economically important problems. At Intel, we are obsessed with helping customers solve their problems around data. And privacy is at the heart of any data-centric business.

We are in a unique position, because Intel works closely with hyperscale, data-centric users of hardware who are building all kinds of exciting AI applications. At the same time, we are a neutral party with respect to data. To make these technologies perform at scale is going to require the kinds of complex software and hardware co-design that Intel is uniquely positioned to provide. We get to collaborate actively with a fascinating range of players across industry.

Above: The 2019 HomoEncyption.org standards group meeting gathered top private and public sector participants from around the globe in Santa Clara, CA.

Q: Intel has taken a leadership role in developing HE standards. Why are they important? Status?

As with any crypto scheme, people will use it when there’s interoperability and trust in the underlying math and technology. We recognize that to really scale up, to bring all the homomorphic encryption goodness to the world, we need to have standards around it.

As interest in privacy preserving methods for machine learning grows, it’s essential for standards to be debated and agreed upon by the community, spanning business, government, and academia. So in August, Intel co-hosted an industry gathering of individuals from Microsoft, IBM, Google, and 15 other companies interested in this space.

We’ve identified many points of broad agreement. Now we’re trying to figure out the right approach to bring it to standards bodies, like ISO, IEEE, ITU, and others. They all have different structures and timelines. We’re strategizing on how best to move that forward.

Final word

Q: Any thoughts you’d like to leave ringing in people’s ears?

Privacy and security technologies for machine learning like homomorphic encryption are ready for prime time. These are not academic exercises anymore. These are real market-ready ideas. The day is coming when the idea of doing machine learning on someone else’s raw data will seem quite strange. We’re at the start of a new and exciting era where machine learning will enable us to explore new opportunities unlike anything before.

Sponsored articles are content produced by a company that is either paying for the post or has a business relationship with VentureBeat, and they’re always clearly marked. Content produced by our editorial team is never influenced by advertisers or sponsors in any way. For more information, contact sales@venturebeat.com.

Let’s block ads! (Why?)

Big Data – VentureBeat

Database Security, People and Processes

December 28, 2019 BI News and Info

Database developers and DBAs can use many “mechanical” security mechanisms to safeguard corporate data. Robert Sheldon has written an excellent six part Introduction to SQL Server Security covering most of them. However, DBAs know that these alone are not enough, because they cannot fully secure data while ignoring human frailties: they should not merely operate a hermit kingdom.

No matter how good the mechanical security, the corporate database is vulnerable to the people and processes within the organization. Often the risks of breaches to sensitive data come not through intention or malice, but ignorance or expedience.

It is easy to deal with ignorance, but the lure of expedient decisions can be harder to resist. They are, by definition, a convenient way to deliver the desired results, in the short term, when it feels like the detrimental consequences don’t matter. It is, for example, tiresome for people to have only the ‘minimum required’ permissions to access the data, just enough for the role they are supposed to fulfil. How much more convenient it would be for a member of staff to have an elevated level of access. What could go wrong?

To meet the demands of society for the curation of personal data, and the vital need of a business for the security of its data, security must take precedence to convenience. Any expediency in dealing with matters of data curation and security must be cleared with the business, even when it is legal. It must be an explicit business decision at a senior level because it comes with a quantifiable risk in monetary and reputational terms.

Addressing ignorance

The key to dealing with a lack of knowledge about data curation and security is to ask questions.

What information do I need in order to be able to secure the data resource for which I am responsible and accountable?

Where is that information within the organization?

Who are the stewards of that information?

Am I a steward of any information that would help other employees to secure the resources for which they are responsible and accountable?

How can I, as a steward, keep others up to date with the information they need?

Is the data for which I am responsible secure, and how can I be sure?

The answers to these questions provide a checklist that should form part of an operational playbook, to be applies at the start of any new project or business initiative. These checklists and playbooks will ensure the consistency and completeness of a security assessment. The checklists are auditable artifacts that demonstrate compliance with organizational security policies. Under EU GDPR Article 35, organizations handling personal data are compelled to carry out a Data Protection Impact Assessment (DPIA). There will be a large overlap between the organizational security assessment and the DPIA. The UK information commissioner’s office provides handy checklists for awareness, screening, process and evaluation of DPIAs.

Communication and collaboration

Data curation requires that data is kept secure, that only the people who should access the data can do so, and that only the data that they need for their role is provided to them. It also requires information integrity. Is the data correct, can it be checked and corrected if necessary, and is it properly disposed of when no longer needed?

Data security and information integrity are closely linked, and they are both team sports. An effective data security regime needs communication and collaboration between technical and non-technical functions within the business. This is far easier in an Agile/DevOps culture, where a team should already comprise of most of the disciplines needed for that team to operate autonomously, although there will always be a few specialist functions that need to be accessed from outside the team. Rather than be embedded in a team, these specialist functions will work generically across teams. Examples of these are HR, legal, risk and compliance.

Information integrity also requires reconciliation of information between those disciplines or functions. Each discipline or function validates the information it receives from every other discipline or function. The organization is required to know where all copies of data are held and why, and what steps are taken to ensure that it is correct. The officers of any organization are responsible for legal compliance.

The diagram below focusses on the main communication paths necessary for a good security regime. The exact functions and boundaries may differ or blur from organization to organization. As a general principle every function shown in the diagram should be listening and talking to every other function. For simplicity’s sake, non-technical business functions are not represented (except for Human Resources).

word image 72 Database Security, People and Processes

For any of these functions, security by obscurity is not a good strategy. If the way in which information is secured is opaque, then it is as opaque to people who should be guarding that information as it is to those people we wish to guard against: possibly more so. We must consider what artefacts are useful to help each function build systems that are secure. The following table provides examples but does not represent a definitive list of useful security artefacts:

Artefact	Description
Employee directory	Current employees with their job roles Organizational hierarchy Data stewardship/ownership
Database roles and permissions documentation	A list of the database roles and what they are intended to represent. Thanks to Dr Codd’s rule 4 this does not have to be a static or offline document; it can be a dashboard or report driven directly from the database server.
Database access log	A facility to allow the analysis of patterns of behavior that are potential indicators of undesirable activity. Who accessed the data? Using what application? When? How much data was accessed? From what location (geography, IP address)? If data was changed then what was the change?
Data Catalog	Where the data resides Business description of the data artefacts, down to the attribute level Information type and sensitivity Stewards and owners Retention policy Applicable regulations Data lineage
Applications catalog	The current technical state of the organization: Application versions and patch levels Libraries and frameworks versions and patch levels Authentication requirements Infrastructure requirements Database requirements Service level agreements Recovery time & point objectives
Active Directory structure	Active Directory groups and their intended purpose Service account logins Machine registrations
Network and infrastructure diagram	Subnets with their CIDR ranges, Network access control lists (ACLs) Security groups Routing tables Etc.
Architectural road map	Represents the future technical state of the organization. In effect this is what the future applications catalogue is intended to be.
Software vulnerability log	A collated list of software vulnerabilities for items in either the applications catalogue or architectural roadmap.
Security policies and procedures	Policies must be clear, unambiguous and written to help employees comply with any regulatory regime. These are most helpful when in the form of checklists or operational playbooks.

Having identified business functions and useful artefacts that will help those functions secure the information within the organization, we can now explore the roles each function plays in maintaining those artefacts.

Human Resources

HR are important actors in any security theatre. They are the first to know if an employee’s status has changed and they are privy to several items of information that are useful in securing data.

A list of current and active employees
A list of, and process for, starters, leavers and job changers. Mandatory for PCI-DSS and/or ISO27001 compliance.
A list of employees who are absent, sick or on holiday (ASH)
A list of employees on “Gardening Leave”
Organizational structure, job roles and line management

There must be a reconciliation process between HR’s records and the logins in the following systems:

Active Directory
Email systems
Databases
Applications including SaaS

Another important HR role in information security is to ensure that there is ongoing staff education. GDPR article 47 “Binding Corporate Rules” states that rules should specify that appropriate data protection training should be given to personnel having permanent or regular access to personal data. There must be dialogue between HR and the security and governance function to determine what form security training should take, and to provide an audit trail of who has had such training, the recency of that training, and the level of training provided.

As HR has access to some of the most personal of data, they must include themselves in any training. The other technical areas should be able to signal what training they require to ensure that what they build is secure.

It may be beneficial for HR to have the capability to deactivate user accounts given they will be the first to know if an employee has left the organization. It may also be judicious to disable logins when employees take annual leave or have extended periods of absence. This would not just be for security purposes but to help to safeguard the mental health of the employees on leave.

Development teams and infrastructure

The consequences of not having an application catalog were demonstrated back in 2003 by the SQL Slammer worm. Organizations with patched and up-to-date SQL Servers found their networks brought to a standstill by network traffic caused by the worm trying to propagate. Their suffering was caused by unpatched applications, of which they knew nothing, acting as attack vectors. If there had been a catalog, these applications could have been patched.

In an organization that has adopted a DevOps culture, most of the attributes mentioned earlier as part of an application catalogue are part of the software build. Practices that make the job of assembling such a catalog far easier, and even automatic, include:

Infrastructure as code
Configuration management
Continuous integration and delivery
Use of source control

A DevOps culture also addresses the consequences of involving network and infrastructure specialists too little and too late. Such late involvement threatens security because it means that the security infrastructure must be put together with avoidably imperfect knowledge, and in unnecessary haste.

Just as HR has a “starters and leavers” process, so an application catalog needs an “adopters and deprecators” process for the applications it holds. Applications need attention at all stages in their lifecycle. If an application is deprecated, then this represents an opportunity to reduce the attack surface area for the organization:

Removal of database logins for the application and possibly even databases
Removal of service accounts from Active Directory
Deprecation of infrastructure
Tightening of firewalls, network rules

Architects and architecture

In an Agile organization many of the disciplines that have traditionally been part of the architect role have been devolved, so they become part of the day to day tasks of the development teams.

Even so, it remains a primary duty of anyone aspiring to be an architect to control the technical diversity within an organization. The application catalog provides the means to monitor whether this is being achieved. For example, it will reveal that the organization is running multiple versions of the same application, library or framework, or ‘different’ libraries or frameworks that do more-or-less the same thing.

All complex systems have vulnerabilities. If you are using three ORM frameworks, then you have three sets of vulnerabilities to worry about. You also limit your internal pool of expertise to help address those vulnerabilities.

There is a cyclic relationship between the architectural roadmap and the applications catalog:

Architects use the applications catalog to form an architectural roadmap for the organization and to help design and plan future systems.
When implementing the architectural roadmap, much of the underlying detail that emerges should propagate through to the applications catalog.

The roadmap will also inform all parties as to what training needs to be incorporated into the plan.

Discussions regarding security tend to focus on blocking illegitimate activity. However, security also means ensuring that legitimate activity continues to take place. The architects also need to think about what performance metrics need to be available to ensure that applications, database and infrastructure folk build a system that is both secure and reliable.

Security and governance

In a post GDPR world, a new business idea may seem to be technically easy to execute, but will be on shaky ground, or maybe even quicksand, regarding laws and regulation.

Does the proposed feature depend on personal data that the organization has consent to use?
Is the data required for the feature necessary for the organization to carry out its primary business?

This is one of the reasons that a security and governance function inevitably has a proactive role. They must be subject matter experts advising on how to avoid introducing vulnerabilities and explaining what is required to implement good security practice.

GDPR article 25 requires us to build in data protection by design and default. It is far easier to build secure systems when security is a foundation stone of the design. You are likely to create more problems than you solve by attempting to secure something in retrospect.

Once again, the importance of an applications catalog, as well as a data catalog, becomes apparent. Its importance is in the detailing of the applications, libraries and frameworks in use within the organization and the versions and patch levels for each.

A fundamental duty of the security and governance function is to keep up to date with threats and vulnerabilities that might affect the organization, such as those arising from:

Software used by the organization, whether it be apps, libraries or frameworks
Tools and techniques that can invalidate security safeguards.
Legal and regulatory change, such as GDPR
Changing business requirements that may bring the organization under new regulatory bodies
Social engineering approaches to defeating security, such as phishing.
Organizational restructuring

Again, there should be cyclic relationship between the architectural roadmap and the work undertaken to identify vulnerabilities. The expertise of the security and government specialists informs the architectural roadmap, and so the architectural roadmap informs security and governance specialists as to what new software and tools will be required.

In the event of a vulnerability or threat, a security and governance function would provide an early warning for application developers, database teams and for those responsible for the network infrastructure. All parties should work closely together to ensure those vulnerabilities are addressed.

As vulnerabilities and threats are a moving target, they also have an important role in determining how security training should be updated so that people have the information they need to address new threats. Emerging training needs should be a feedback loop to HR.

Organizational behavior needed to build secure systems

If we accept that organizational security is a team sport, then we must consider the organizational behaviors needed to nurture a team mentality. Consider Patrick Lenceoni’s 5 dysfunctions of a team and what threat these dysfunctions pose when securing the organization. In this case each team member is an organizational function.

Trust

Team members need to trust in each other, and that other team members are competent. They need to feel that it is safe to admit to knowledge gaps and to ask for help from other team members, but also that they can hold each other to account and in turn be held to account themselves. Without trust, scarce resources are wasted because teams:

Build isolated fortresses, without covering the grey areas in between, resulting in security vulnerabilities in the overall systems
Build features to guard against the perceived incompetence of other team members rather than features to guard against real threats
Create unnecessary complexity, making system security difficult to test and verify

Dealing constructively with conflict

Conflict, in the positive sense, can be the action of holding each other to account or drawing attention to vulnerabilities. If conflict is avoided, due to fear of political ramifications, then the risk is that security is weakened because critical information and feedback is withheld.

Attention to results

The desired outcome is a secure, appropriately accessible corporate data asset. The organization needs to decide how it can measure the implementation and effectiveness of the security regime intended to deliver that outcome. This includes what “KPIs” are and how they are presented.

If the organization identifies the security regime it wants, without identifying and quantifying the KPIs it will use to prove it has achieved it, then team members will tend focus on just the KPIs that indicate their individual behavior rather than KPIs that indicate the success or failure of the team as a whole.

Commitment to act

The clearest, most informative security dashboard on Earth is of no use unless there is commitment to act on the information presented. This requires commitment from each team member:

To define appropriate processes in response to measures that indicate action is needed
To enact those processes promptly when required
To log actions taken and communicate that action to the team

Accountability

Each team member must be accountable for:

Providing the information that allows others in their team to fulfil their security obligations.
Making clear what information is required from other teams and departments
Highlighting when that information is not forthcoming

Measurement, surveillance and monitoring

Most security breaches are internal to the organization and are often unintended, or caused by employee complacency, or both. Employees already have legitimate access to organizational systems so are already within the company’s security perimeter. For this reason, there needs to be robust and continual monitoring and logging of items such as the following:

Changes to data
Changes to infrastructure configuration
Changes to application versions patch levels
Changes to permissions
Changes to role membership (both Active Directory and database)
Logins and logouts

As with any measurement regime, we can only recognize and detect abnormal behavior if we have a baseline for what constitutes normal behavior. The thresholds for “abnormal” require careful definition; too high and threats are missed, too low and the system “cries wolf” and is soon ignored.

Monitoring SQL Server Security: What’s Required?

A monitoring tool must help us defend against both known and unknown avenues of attack. It must be adaptable, monitor a diffuse collection of metrics, and then help us determine the reason for any sudden change in the patterns of access.

The purpose of any alert, report or dashboard is to support a decision or be a clear call to action. Brevity and clarity should be the guiding principles with the recipient being the arbiter of what is useful.

Third party security specialists should carry out both external and internal penetration testing on the system. They will flush out vulnerabilities that would only otherwise be found by hostile parties, and their testing will verify the effectiveness of systems intended to spot anomalous behavior. Penetration testing should show up in the logs and trigger appropriate alerts.

Another important consideration is the perceived neutrality of the third party. Audits can uncover painful truths and receiving those truths from a neutral third party can be more palatable; if not, it is rarely frowned upon to shoot an external messenger.

Summary and recap

Data security must ensure that legitimate people have access to the information they need, as well as preventing malicious actors from gaining access.
Information integrity is essential to ensure that data can be both checked and corrected, and that data curation complies with the law.
You must be able to prove that data security is not being compromised. It is no longer enough to claim you didn’t know about a breach.
Collaboration and corroboration both aid the implementation of an effective security regime
Housekeeping tasks help manage the security surface area thus making anomalies easier to spot
Security by obscurity is not a good strategy. It is as likely, if not more likely, to hide vulnerabilities as it is to act as a preventative measure
Database applications must, by design, allow the organization to meet the required standards of data security and information integrity.

Let’s block ads! (Why?)

SQL – Simple Talk

Work 365 Handles Microsoft’s Control Panel Vendor Program Security Requirements And MFA

December 6, 2019 CRM News and Info

Microsoft recently announced new mandatory security requirements that tackle potential security risks from unauthorized access to the Microsoft Partner Center, the CPV program. A Control Panel Vendor (CPV) is an independent software vendor that develops applications for use by Cloud Solution Provider (CSP) partners to enable them to integrate their systems with Partner Center APIs.

The new security model from Microsoft is based on the requirements:

CPV Vendors and the tenants cannot store credentials
API based access must provide the purpose of impersonating credentials to access partner center
Use a consent framework to receive permissions
The systems and CPVs must be able to support any future requirements
Both human and system admin CPV users must use multi-factor authentication to access the partner center

Direct Partners and In-Direct Partners using Work 365 have varying uses:

(figure 1)

The Figure 1 above shows how Partners and users access the Partner Center and Services and subscriptions for their Customers. Work 365 (CPV) is the automation and control system between the partner center that ultimately leads to the provisioning of services and a financial impact from Microsoft.

Lost credentials (or claims of lost credentials, including sharing of credentials within a partner organization) can result in the provisioning of unauthorized services. Many CPVs are SaaS applications and need to store the credentials within their systems, which represents a potential security risk.

What is the Work 365 Advantage?

Built on Azure Active Directory

Microsoft built its platform on Azure AD, Office 365, CRM, Partner Center all leverage Azure AD and So does Work 365. One consolidated platform to manage user identities, prevent ‘leakage’, sleep better.

Built on Dynamics 365

The CSP business changes rapidly – change or your customers will. Dynamics 365 is a platform – extensibility is a core tenet. Work 365 inherits the capabilities of the platform, making it a truly extensible platform. Adapt to a rapidly evolving business landscape

Designed to keep you in control

In stark contrast to competitors, Work 365 is not a custodian of your data – the data resides with you. Work 365 is a set of services designed to operate on your data at its rightful place. You control who has access and how much

One version of the truth, your version!

Consolidate your business data in a single location. Enrich your data with integrations (Partner Center, distributors, ERP systems). Leverage the rich self-reporting capabilities of Dynamics 365 (Advanced Find, Dashboards, Charts) to quickly highlight what’s important or find what’s amiss.

Work 365 is Compliant with Control Panel Vendor Security Requirements.

Work 365’s fundamental architected to comply and meet the security requirements.

All the data is stored directly in the Dynamics 365 tenant
All the access permissions are managed by the Partner’s AD. The end user controls who has access and roles.
Work 365 uses the consent framework to manage security and permissions.

Work 365’s version 2.1 security enhancements allow a CSP to control access and permissions through the Dynamics 365 security model. Because this model is tied to the partner’s Azure ID in order to use Work 365, no third-party system is required.

Work 365 then accesses the Partner Center through a flexible provider model.

How Work 365 Gets Consent for CPVs

Using the Provider configuration model, you can specify Identification information to your Partner Center ID. Work 365 generates a “get consent link”.

Users can use the link to login with the credentials for the Admin agent and provide consent for the application to manage the subscriptions.

Once you provide consent, credentials are cleared from the system settings.

Work 365 enables CSPs to satisfy the new CPV security requirements regardless of direct or indirect partner status. Read more about how Work 365 can help with your recurring billing and payment collections under the latest CPV program.

Work 365 is built on Dynamics 365 and has bi-synchronization with Partner Center, all subscription changes, billing, and payment status, and invoicing can be done directly from Work 365 with a click of a button, saving Partners and CSPS time and using multiple systems to keep their records in check.

By Ismail Nalwala

I am a Dynamics 365 enthusiast. I enjoy building systems and working with cross-functional teams to solve problems and build processes from lead generation to cash collection. Work 365 is a global developer of the Billing Automation and subscription application for Dynamics. Helping companies to streamline business processes and scale their recurring revenue.

Let’s block ads! (Why?)

CRM Software Blog | Dynamics 365

Synchronize Dynamics 365 CRM and SharePoint security model using SharePoint Security Sync

October 31, 2019 CRM News and Info

SSS blog Synchronize Dynamics 365 CRM and SharePoint security model using SharePoint Security Sync

Dynamics 365 CRM and SharePoint together make a great combination that provides flexibility and ease in document management. Many organizations across the world prefer to use both as a combo pack. And this combo pack can be made more formidable with our NEW upcoming productivity app – SharePoint Security Sync.

So, what is SharePoint Security Sync?

SharePoint Security Sync is a productivity app that helps in synchronizing the security privileges of Dynamics 365 CRM in SharePoint. The need to control the accessibility of Dynamics 365 CRM documents and data stored in SharePoint led to the development of this productivity app. In a way it assures same level of security for documents and records stored in SharePoint that is provided in Dynamics 365 CRM. This means whatever security is assigned for user in Dynamics 365 CRM will be replicated in SharePoint. Similarly, any changes or modification in security privileges in Dynamics 365 CRM will be synced to SharePoint simultaneously.

1SharePoint Security Sync Synchronize Dynamics 365 CRM and SharePoint security model using SharePoint Security Sync

Why use SharePoint Security Sync?

Each application has its own unique security model. Such is the case with Dynamics 365 CRM and SharePoint. There is a significant difference between the security models of Dynamics 365 CRM and SharePoint. The same user can have different level of access in both Dynamics 365 CRM and SharePoint. It may seem that the documents or attachments that were inaccessible in Dynamics 365 CRM can be accessed by the very same user in SharePoint without any restrictions.

For example, let’s say that you have a significant number of attachments or data related to Quotes, Contracts, Opportunities, etc. in your Dynamics 365 CRM system. The access to this data is only given to the selected few top members of your team. Due to space crunch and for better storage you moved those history data to SharePoint. Once moved to SharePoint, it becomes accessible to your entire team.

This is one kind of security crisis that you can easily avoid with our new productivity app – SharePoint Security Sync.

SharePoint Security Sync enables you to safely store and manage documents in SharePoint. You can easily replicate security privileges of Dynamics 365 CRM in SharePoint. So, no more document security crisis.

SharePoint Security Sync – Your Safety Net for Dynamics 365 CRM Document Management

To know more, mail us at crm@inogic.com

Let’s block ads! (Why?)

CRM Software Blog | Dynamics 365

Werner Vogels: For IoT, security and privacy are top concerns

October 30, 2019 Big Data

Startups and tech giants alike are vying for a slice of the burgeoning internet of things (IoT) market, and Amazon is in pole position with an estimated 34% of IoT developer market share. Its lengthy list of IoT services includes IoT Core, which lets connected devices interact with cloud apps, and IoT Greengrass, which extends Amazon Web Services to edge devices so they can act locally on the data they generate. There’s also the analytics service IoT SiteWise; the application builder IoT Things Graph; and the cybersecurity suite IoT Device Defender, to name a few others.

To get a sense of the IoT landscape through Amazon’s lens just over two months out from the company’s annual AWS re:Invent conference, we spoke with CTO Werner Vogels earlier this week in a phone interview. Conversation topics ranged from the challenges involved in device deployment to the privacy concerns that arise as data from IoT devices is collected and processed.

Here’s a transcript of our interview, which has been edited for length and clarity.

VentureBeat: Could you talk the state of the IoT space today and why it’s such an important part of AWS’ business? It’d be great if you could address in your answer the hybrid cloud paradigm and some interesting use cases there, or relevant AWS services and customers you’d like to highlight.

Werner Vogels: Many of our customers literally deploy hundreds of thousands of sensors. Woodside, a large energy company in Australia, has 200,000 sensors to support, [each of which] generates huge amounts of data. [Some are on] drilling platforms hundreds of miles out to sea, where connectivity is not always stable.

IoT Greengrass is often used for these scenarios, which is our IoT environment that can operate independently of the cloud. [Customers like Woodside] … can with AWS not only observe what’s happening now, but predict what’s going to happen a week in advance. For them, it’s really important to be able to anticipate maintenance on those manufacturing operations.

In these IoT scenarios, it’s not just a matter of IoT — it’s IoT plus intelligent processing so that machine learning can be applied to get insights that improve safety and efficiency. There’s a lot of processing that happens in the cloud because most of [AI model training] is very labor-intensive, but processing often happens at the edge.

If you look at the Amazon.com fulfillment centers, for example, we have over 200,000 Kiva robots running about. They can’t always rely on a centralized control to steer them around; they need to be able to be autonomous and operate by themselves.

Massive, heavy compute will [have a place] in the cloud for model training and things like that. However, their workloads aren’t real-time critical most of the time. For our real-time critical operations, models must be moved onto edge devices.

VentureBeat: I’m glad you mentioned the robotics use case because AWS RoboMaker [Amazon’s cloud robotics service for deploying and managing intelligent machines] has gained quite a lot of traction in just a few years. And Amazon internally has robots — fulfillment center robots, as you mentioned, but also Amazon Prime Air drones and even Scout.

Vogels: Yeah, the drones are a really good example. Amazon drones have lidar sensors in addition to sonar, because as it turns out, certain [objects] can’t be detected with sonar. They need to be able to operate in complete autonomous mode — to arrive in somebody’s backyard in the place where they should be landing and detect potential hazards on device rather than in the cloud.

VentureBeat: You noted a second ago that some workloads have to be performed in the cloud because of the amount of data involved. AWS a while ago announced a product called Inferentia, an inference chip that delivers high inferencing performance and supports AI frameworks like Google’s TensorFlow and Facebook’s PyTorch. Can you talk about scenarios where a customer might want to use Inferentia?

Vogels: Advancements in AI [research] have maintained lockstep with the development of [kits] and devices that can accelerate model execution, but we’ve also seen significant investments in software. For instance, AWS recently announced SageMaker Neo, which is targeted toward IoT devices that have a much smaller memory footprint.

It’s a combination of software and hardware that will [advance the state of the art]. Inferentia will play a role in that, but I think software like SageMaker Neo will drive things forward as well.

VentureBeat: That’s a great segue into the next topic I’d like to discuss, which is data privacy. Edge computing is one way to ensure a level of privacy, depending on the application and data involved. How can the average business ensure that data isn’t transmitted to a server people don’t want it transmitted to?

Vogels: I always consider security on the one hand and privacy on the other. Privacy — what is acceptable to share, what is not acceptable to share — is often much more of a societal or individual decision.

On the subject of security, AWS IoT Device Defender is a platform is dedicated to managing all the given security capabilities of devices and the environment around them. That includes device encryption or data encryption, which I think is crucial. Corporations should have full control over where their devices can communicate … and make sure that their devices have strong identity.

The scenarios that we’ve seen in the past year — [compromised] home automation devices running a very open version of Linux — are scenarios that absolutely should not happen. That’s why Amazon FreeRTOS, our IoT operating system, offers very strong identity and encryption in combination with IoT Device Defender to provide control over where data can flow and where not.

VentureBeat: But is it fair to say that were a company like Amazon to deploy, for example, an on-device English language model to Echo devices, it’d be a boon for privacy because processing would happen locally instead of in the cloud?

Vogels: Consumer devices need very strong controls. In the Echo case we’re talking about, there is a mute button on top to disable microphones. With that, we need to make sure that the device has very limited capabilities in the data sense. We need to make sure it only listens for the wake word, and that the data that’s being collected and processed to improve the device is what the consumer wants to share.

It’s not just a matter of developers operating ethically or … things like that. Customers need to have control.

VentureBeat: Privacy is an important part of machine learning model training — not just inference at the edge, but training the models that run at the edge. Could you talk about Amazon’s approach with respect to privacy-preserving techniques? Do you offer AWS customers services that take advantage of, say, federated learning?

Vogels: At Amazon from day one, security and privacy have always been a [top] concern. There’s no business without security to protect customers’ data, and we have very strong controls [around this]. Your data is your data, and we operate internally with a least privileged model, so we’re continually taking permissions from developers to see what’s the minimum set of privileges they actually need to do their job. No engineer can take the old-fashioned root privileges — they have limited or no access to customer data.

There’s a whole different area that’s still very much in the research stage at AWS and Amazon, and that’s [identifying] bias in machine learning. We want to move this area forward so our customers can ensure that both their data and models are fair. On a related note, there are GDPR conditions where customers can remove their data not only from storage, but also from models that have been built using that data.

VentureBeat: Right, and it depends on the type of data we’re talking about — you’d want particularly strong controls around health care data, for example. Transitioning a bit, I’d like to talk a bit about connectivity, which is another important piece of the IoT puzzle. Amazon not that long ago announced Sidewalk, a project to develop a wireless protocol that’s low power and low bandwidth but high range. Clearly you as a company are invested in this — could you explain its importance?

Vogels: We have nothing to announce, but let me take another angle there without talking about protocols. One of the enabling technologies in IoT is 5G. That’s not only because of its higher speeds, but because of the massive parallel management it makes possible.

From my point of view, the important part isn’t necessarily the better bandwidth, but the fact that you can have so many more devices connected while maintaining the bandwidth. With the advent of 5G, I think what you’ll see is many more concurrent connections can be kept. And for all the smart IoT operations that have been built or that are being built, that’s extremely important.

VentureBeat: We’re running up against time here, but I did want to ask about AWS’ developer hardware business — specifically kits like AWS DeepLens. Is this an area AWS still considers critical? It seems to be a burgeoning field, what with Google’s Coral and Nvidia’s Jetson Nano.

Vogels: Absolutely. We strongly believe in the notion that builders build, and for that they need to have the capabilities to build. Having a nicely encompassed device that easily connects to SageMaker is an enabler for customers to start focusing on the algorithms they want to build or the data they want to process, and what we’ve seen is massive innovation happen.

We’re looking at builders to make sure they have the right tools — not necessarily to build a production system, but to become really familiar with the capabilities. That’s the whole story behind SageMaker. It gave developers a really good machine learning pipeline that didn’t exist before.

The same is true of DeepRacer, the driverless car racing competition we’ve been running for a year. It’s all about reinforcement learning — basically, how the machinery itself decides to balance long- and short-term goals. Most developers don’t have access to an autonomous car, but a really small car can really help them think about what data they need. We also built a simulator, so that they can get these same capabilities … without having to procure a real-world track.

DeepRacer is important for another reason — autonomous cars are a scenario where compute is shifting from the cloud to the edge. It can’t always be assumed that autonomous cars will maintain a connection to the cloud, because that would risk lives.

Let’s block ads! (Why?)

Big Data – VentureBeat

Tag Archives: Security

Launchpad in SQL Server 2017

Launchpad in SQL Server 2019

Proving this Concept

Solutions

All Application Containers

Using the App Containers SID

Workaround with a FileTable

Enabling Filetable in SQL Server

Preparing the Database to Support Filetable

New R Script for Filetable

Conclusion

Related

What and why

HE in action

Powerful with other emerging techs

New bridges to partners in AI and ML

New business opportunities

Key role of developers

Standards and Intel

Final word

Addressing ignorance

Communication and collaboration

Human Resources

Development teams and infrastructure

Architects and architecture

Security and governance

Organizational behavior needed to build secure systems

Trust

Dealing constructively with conflict

Attention to results

Commitment to act

Accountability

Measurement, surveillance and monitoring

Summary and recap

What is the Work 365 Advantage?

Built on Azure Active Directory

Built on Dynamics 365

Designed to keep you in control

One version of the truth, your version!

How Work 365 Gets Consent for CPVs

Recent Posts

Categories

Archives