The Business Case for Protecting the Keys to the Kingdom

An enterprise key management system can prevent data breaches, produce efficiency savings, simplify compliance, and enable digital transformation.

In the battle for security budget funding, enterprise key management isnt nearly as sexy as technologies such as threat hunting or blockchain cybersecurity. Nevertheless, a key management system (KMS) is a behind-the-scenes workhorse that manages and protects the very keys that can open the kingdom. While a KMS is likely already a line item in the annual security budget, an investment to modernize a KMS to extend data security to the cloud will certainly pay dividends by reducing the risk of a data breach.

What is key management, and why is it necessary? Key management is the practice of administering the lifecycle of cryptographic keys in accordance with best practices such as those defined by the National Institute of Standards and Technology (NIST). In its Recommendation for Key Management, NIST states:

The proper management of cryptographic keys is essential to the effective use of cryptography for security. Ultimately, the security of information protected by cryptography directly depends on the strength of the keys, the effectiveness of mechanisms and protocols associated with the keys, and the protection afforded to the keys.

The fundamental requirements of key management are to generate cryptographically strong keys, protect the keys against disclosure or alteration, and provide effective controls for managing and using keys.

What is a Key Management System?While encryption is built into many products today, the capabilities for generating and storing keys are often rather rudimentary and generally fall short of standards such as NIST SP 800-57. Electronic key management systems are commonly used to consolidate and centralize the management of keys across the enterprise in accordance with industry standards and best practices for data security.

A central capability of any KMS is systematic management of keys over their entire lifecycle, including generation, import/export, distribution, usage, update, backup, revocation, and deletion. A KMS should also provide controls to ensure that keys can be accessed only by authorized individuals and systems and used only for their intended purposes. All key operations should be logged for audit and compliance purposes.

View original post here:
The Business Case for Protecting the Keys to the Kingdom - Security Today

Microsoft has set the official retirement date for the insecure Transport Layer Security (TLS) 1.0 and 1.1 protocols in Office 365 starting with October 15, 2020, after temporarily halting deprecation enforcement for commercial customers due to COVID-19.

"As companies have pivoted their supply chains and countries have started to re-open we have re-established a retirement date for TLS 1.0 and 1.1 in Office 365 to be October 15, 2020," the company said in the MC218794 Microsoft 365 admin center announcement on Friday.

"As previously communicated [..], we are moving all of our online services to Transport Layer Security (TLS) 1.2+ to provide best-in-class encryption, and to ensure our service is more secure by default."

The TLS 1.0/1.1 retirement was first announced in December 2017 and, as explained by Microsoft, the effect of this change for end-users is expected to be minimal.

IT administrators can use the official KB4057306 documentation to prepare for TLS 1.2 in Office 365 and Office 365 GCC.

They can also download this Office 365 TLS deprecation report to quickly identify the users and devices that connect to Exchange servers via TLS 1.0/1.1.

At the moment, users of the following clients are advised to update to the latest versions as they are known to be unable to use TLS 1.2:

Android 4.3 and earlier versions Firefox version 5.0 and earlier versions Internet Explorer 8-10 on Windows 7 and earlier versions Internet Explorer 10 on Windows Phone 8 Safari 6.0.4/OS X10.8.4 and earlier versions

Microsoft also provides a whitepaper with guidance on how to identify and remove TLS 1.0 dependencies in software built on top of Microsoft operating systems as a starting point for a migration plan to a TLS 1.2+ environment.

As part of any TLS 1.0/1.1 deprecation plan, Microsoft recommends including the following:

Application code analysis to find/fix hardcoded instances of TLS 1.0/1.1. Network endpoint scanning and traffic analysis to identify operating systems using TLS 1.0/1.1 or older protocols. Full regression testing through your entire application stack with TLS 1.0/1.1 and all older security protocols disabled. Migration of legacy operating systems and development libraries/frameworks to versions capable of negotiating TLS 1.2. Compatibility testing across operating systems used by your business to identify any TLS 1.2 support issues. Coordination with your own business partners and customers to notify them of your move to deprecate TLS 1.0/1.1. Understanding which clients may be broken by disabling TLS 1.0/1.1.

Microsoft has already begun deprecating insecure TLS for any clients, devices, or services connecting to Office 365 through TLS 1.0 or 1.1 DoD or GCC High instances as of January 2020.

The two protocols will also become unsupported for commercial Office 365 customers, with the company recommending "that all client-server and browser-server combinations use TLS 1.2 (or a later version) in order to maintain connection to Office 365 services."

In September 2019, Microsoft announced that Windows Server 2019 enables admins to block weak TLS versions from being used with individual certificates via a new "Disable Legacy TLS" feature to make it easier to migrate to TLS 1.2+.

The company also said in March that the TLS 1.0/1.1 retirement in Microsoft browsers would be postponed until July for Chromium-based Edge and September 8 for supported versions of Internet Explorer 11 and Microsoft Edge Legacy.

The retirement of these insecure TLS protocols was announced by all major browser makers including Microsoft, Google, Apple, and Mozilla back in October 2018.

Although users will still be able to re-enable TLS 1.0/1.1 in their browsers after being disabled by default, Microsoft advises against it as newer TLS versions come with more modern cryptography and are more broadly supported by modern web browsers.

With over 97,5% of all sites surveyed by Qualys SSL Labs featuring TLS 1.2 or TLS 1.3 support, the browser vendors' decision to disable TLS 1.0/1.1 in favor of newer protocols is a rational move as they can provide a more secure path going forward.

Netcraft also said in March that the insecure TLS 1.0/1.1 protocols are still in use on over 850,000 websites, exposing their visitors to a wide range of cryptographic attacks (1, 2) that could allow threat actors to decrypt their web traffic.

See the original post:
Microsoft will disable insecure TLS in Office 365 on Oct 15 - BleepingComputer

In todays world, every organization uses a centralized location to store and manage user credentials. The most commonly used service for this is Microsoft Active Directory (AD). Organizations use LDAP protocol to authenticate users to their peripheral devices, but fewer companies use this centralized credential store to allow users to log in to their databases. If you dont use a centralized Active Directory for database authentication, the database administrator has to maintain separate key chain for every database a user needs access to. And implementing security measures such as changing passwords periodically becomes a nightmare.

Kerberos is a network authentication protocol that functions by implementing secret key cryptography. This system is used to verify the identity of a user or a host. System administrators can use AWS Directory Service for Microsoft Active Directory to manage the Active Directory. You can use the same AD credentials to log in to an Amazon Elastic Compute Cloud (Amazon EC2) instance and further authenticate into an Amazon Relational Database Service (Amazon RDS) Oracle database instance. This is all done by using tokens. With Kerberos, after the first authentication, the client holds a ticket so that additional authentication attempts dont overload the AWS Managed Microsoft AD authentication server. In addition, Kerberos facilitates a strong and secure authentication without transmitting passwords. As an additional benefit, you get access to a centralized place to store and manage credentials for multiple database instances.

The purpose of this post is to assist you in setting up Kerberos authentication for Amazon RDS using Oracle database instances from scratch. It delineates specific steps for creating an AWS Managed Microsoft AD, AD users, setting up an Amazon EC2 Linux or Windows instance to connect to an AWS Managed Microsoft AD, and using Kerberos authentication to log in to a database instance from an EC2 instance.

The steps in this walkthrough are structured to complete the setup with minimum configuration changes. For this post, you use Windows Server 2019 AMI for Amazon EC2 Windows, an Amazon Linux 2 AMI for Amazon EC2 Linux, and Oracle Enterprise Edition 12.2.0.1 for Amazon RDS Oracle instance.

After the solution is implemented, users can use the same AD credentials to log in to an EC2 instance and log in to the database with the same credentials. A database administrator still has to create a user account at the database level with the same name as in Active Directory. You also still manage the required grants and privileges of the user at the database level as you would for any other database level user. The only difference is that you dont manage the user credentials. This provides two-layer security protection. When the user no longer needs database access, you can simply revoke access at the database level. If the user is no longer needed and is removed from Active Directory, the database access is removed automatically.

The following diagram illustrates the solution architecture.

The workflow includes the following steps:

This Oracle feature has been tested with Oracle Client (SQL*Plus) and Oracle SQL Developer with a JDBC thin client. For other clients, refer to vendor support or the documentation for Kerberos support.

The following are the high-level steps to configure an Amazon EC2 Linux or Windows machine that connects to an AWS Managed Microsoft AD and uses Kerberos authentication to log in to an Amazon RDS Oracle database instance:

After you complete these steps, you can log in to an Amazon RDS Oracle database instances using passwordless login.

These steps include setting up an AWS Managed Microsoft AD and launching an EC2 instance as part of the AD domain. If your environment already has an EC2 instance set up that is part of the AD domain, you can jump to Step 5: Installing Oracle Client. These steps work using an AWS Managed Microsoft AD.

To set up Kerberos authentication using an on-premises or self-hosted Microsoft AD, create a forest trust or external trust. The trust can be one-way or two-way. For more information about setting up forest trusts using AWS Directory Service, see When to Create a Trust Relationship.

To create a new directory, perform the following steps. Before starting this procedure, make sure that you have completed the prerequisites identified in AWS Managed Microsoft AD Prerequisites.

For more information, see Create Your AWS Managed Microsoft AD directory.

To manage the Active Directory from an EC2 Windows instance, complete the following steps.

Complete the following steps to create additional users as necessary. By default, all users get access to log in to any Amazon EC2 Linux instance. To get RDP access to connect to the Amazon EC2 Windows instance, the users need to be added to the appropriate AWS delegated groups in the AD.

The following steps add an EC2 instance to be part of the AWS Managed Microsoft AD. This post shows how to use an Amazon Linux 2 AMI and Windows Server 2019. After you add the instance, log in using an AD user and verify the connectivity between Amazon EC2 and Amazon RDS instance with a utility like telnet.

To use Linux, complete the following steps:

For instructions on joining an Amazon EC2 Windows instance to an AWS Managed Microsoft AD, see Seamlessly Join an Amazon EC2 Windows instance.

In this step, you install the appropriate Oracle client software on the Amazon EC2 Linux or Windows instance, which is a part of AWS Managed Microsoft AD. For this post, we tested the solution on an Oracle 12.2.0.1 client version.

On Windows, it also works with SQL Developer (without the need to install Oracle client with it).

In this step, you modify the Amazon RDS Oracle instance from the console to enable Kerberos authentication.

Alternatively, enter the following code:

The following steps set up the Kerberos configuration files and configure sqlnet.ora to enable Kerberos authentication service. This post presents the steps for both Linux and Windows.

To use Linux, complete the following steps.

For example, see the modified code:

Oracle doesnt understand the KEYRING cache format. Therefore, we changed it to FILE format.

To use Windows, first download and install MIT Kerberos for Windows 4.1. For more information about Kerberos and downloading links for the installer, see Kerberos: The Network Authentication Protocol.

krb5cache is a file (not a directory) managed by the Kerberos software, and it should not be created by the user. If you receive a permission error when you first use Kerberos, make sure that the krb5cache file doesnt already exist as a file or a directory.The following example code is of the krb5.ini file contents:

Its preferable to set the cache location via configuration file using the %{uid} file name format. This ensures that the file names are unique for every user. Dont set the KRB5CCNAME system variable when the default cache name is defined in the configuration file. Additionally, you cant use %{uid} as a file name format when passed as a system variable.

If Oracle Client is installed, edit sqlnet.ora to add the following parameters:

If youre using SQL Developer, no additional configuration changes are required (you can also skip the step to install MIT Kerberos software).

In the connection string properties, for Authentication Type, choose Kerberos and enter the credentials.

To connect to the database, complete the following steps:

For Windows, enter the following code:

For Windows, no additional environment variables are required.

For Windows, enter the following code:

The following troubleshooting steps are the same for both Linux and Windows (in Windows, Oracle Client must be installed).

This post described how to set up Kerberos authentication for Amazon RDS Oracle database instances. For more information, see Using Kerberos authentication with Amazon RDS for Oracle and Configuring Kerberos Authentication.

If you have any questions, concerns, or comments, please leave your thoughts in the comments section.

Tirthadeep Roy is a Cloud Support Engineer with Amazon Web Services.

See more here:
Setting up passwordless login from Amazon EC2 Windows and Linux instances to Amazon RDS Oracle database instances - idk.dev