Archive for the 'Computer' Category

Apr 03 2013

Authentication as a Service and identity as the new perimeter (by M. Rottigni)


The frenzy and the craving for clouds must not make us forget the importance of security that is ever more tailored to the user when accessing data and services, by Marco Rottigni

Preface: I am happy to host Marco on my blog. What I admire in him is not only his technical competence, but the way he manages to convey it. — Gippa

By now the cloud has taken on shapes and connotations of every kind, flexing, adapting and renewing itself around the magical concept of a new way of doing IT: more pervasive, economical, ubiquitous, accessible, simple, beautiful and thrifty. There are the soft, fluffy altocumulus clouds, made to measure for the user with personal storage solutions. Or the cirrocumulus, long filamentous layers that embrace private corporate clouds extending, in hybrid form, towards the shared CRM and document-sharing services offered by public clouds. Or again the stratus, the base of consistent cloud formations that usually cover vast portions of sky: more or less general-purpose computing platforms for moving real portions of corporate IT, the part made of servers, into the cloud.

Unfortunately IT does not shine for poetry, preferring cold and often misleading acronyms. So the metaphors I was talking about become the aseptic *aaS, where the asterisk is replaced by I for infrastructure, P for platform, S for software and so on, while the three-letter suffix expands to "as a Service", indicating how the first component is offered: as an operating lease, that is, maintained and usable, usually for a fee. Continuing with the "weather-phor" I am fond of, it is important to watch out for nimbostratus and cumulonimbus, because they bring atmospheric instability into the cloud system. And these form when security in the cloud is an afterthought, that is, a factor considered after (or worse, left out of) the planning and adoption of the cloud as an IT model.

In the migration to the cloud the corporate perimeter extends beyond the walls, flexing over the Network towards a world that is potentially more dangerous and less secure. How to defend it? Before answering this question we need to ask ourselves what the new perimeter is, in a situation where the services crucial to the business are relocated, where data is deduplicated, replicated and moved, and where users telework and work from mobile devices that are often detached from any corporate control. The new perimeter thus shrinks to surround the user, their identity, their credentials and the level of trust they deserve based on the context in which they operate. And it is this new perimeter that must be defended against the thousand dangers of identity theft, impersonation and misuse of privileges to which it is exposed.

These concepts are very clear to GARL, a company that starts from an extremely important basic assumption, one that guarantees seriousness: identity is an asset, to be kept and protected like a treasure. And what better place for a treasure than a bank? With the maniacal care for security standards typical of a Swiss entity, GARL created SecurePass: an AaaS service, where A stands for Authentication. Backed by a CTO with complete and multifaceted technological competence and vision, SecurePass sums up its mission in the two words just below the logo on its homepage: Protecting Identities.

What is surprising is a model of absolute flexibility and integration. Built on solid technological and open-source foundations, it rests on security principles of remarkable resilience and strength, giving the user an experience of simplicity of use, management and integration that is really hard to find together, in a solution that eliminates the term CAPEX in favour of an OPEX within reach of every kind of company.

When we talk about identity there are in fact three founding principles and technologies: authentication, the genetic factor of the RADIUS protocol; management, the founding element of the LDAP protocol; and single sign-on, that is, the management of protected, reusable credentials for multiple logins. Here there is more than one protocol, although the classic inspiration is Kerberos. GARL orchestrates these three elements skilfully, allowing the user to immerse themselves completely in the Bring Your Own Device (BYOD) paradigm, where BYOD means using whatever device you prefer to authenticate, free or not, hardware or not, already in your possession or not.

It means integrating your own application with strong authentication systems, guaranteed by passwords that are used only once and that after a handful of seconds are of no use to anyone. It means managing your accounts with an interface that is simple, flexible and made for users, not for a multi-degreed genius expert in quantum programming. A system designed for users by someone who has been, and still is, a user in a thousand occasions and scenarios, where the decision is to put experience and skills at the service of ease of use and integration. And it does not matter whether you are securing the blog where employees can see the day's canteen menu and decide whether to come back for lunch or visit yet another customer, or whether your goal is to protect and unify access to the design documents of sophisticated stealth aircraft models for your military customer.

The solution offered by GARL is not only able to satisfy both needs, but does so in a way that gives the project manager a pleasant feeling of satisfaction, summed up in the thought: well, that was easy!

– Marco Rottigni (a.k.a. RoarinPenguin)


Mar 01 2013

Secure real-time collaboration with SecurePass and Etherpad


Not everybody knows what a pad is and, quite frankly, I wasn’t aware either until I joined Canonical and I started cooperating with the Ubuntu community.

I was fascinated by this technology and I immediately understood the potential of editing any kind of text at the same time, even when sitting kilometers apart. At the Ubuntu Developer Summit (UDS), this tool is used to share the minutes of the meetings, either by people sitting in the room or by those connected via conference call/IRC.

Just imagine the potential of cooperating with colleagues and partners who are working together on an idea or writing documentation for a project, anywhere and with any device. Moreover, when you finish you can export the document in well-known formats such as Microsoft Word and LibreOffice/OpenOffice, so that your document can look even more professional.

But the pad itself has no concept of security or user identity, as it was born to share information among people working on open source projects.

My challenge was to bring pads to an enterprise level, so that companies can enjoy a new way of communicating with staff and partners while maintaining appropriate security and control over their data.

The slides explain in detail what a pad is, what the advantages of embracing this technology are, what a secure architecture could look like and how to implement it.

I hope you will enjoy it.

Secure real-time collaboration with SecurePass and Etherpad from Giuseppe Paterno’


Feb 22 2013

BYOD, the strategy makes the difference


A couple of weeks ago I was visiting a friend of mine, who is the IT manager of a well-known Italian media company.

The pain point he was raising was managing access from mobile devices and employees' personal laptops, most often Mac hardware, and he was seeking a product to solve his pain. This is what marketing people call the BYOD problem.

The wrong approach is to seek a "box" (i.e. a product) that is able to fix your issues. While you can enable 802.1x on your network, an unmanaged device can still join the network if it has valid authentication, and you can't enable a NAC. But how to limit access to data is a totally different story.

In my humble opinion, with the introduction of different (unmanaged) devices, we have to focus more and more on protecting data and on who is accessing what, not on what kind of device can access the network.

The key message people should understand is that you have to have a strategy to protect your data.

In these short slides I tried to explain, in a non-technical way, what the correct approach is: happy reading!

BYOD Strategy: Bring Your Own Data in motion without risks from Giuseppe Paterno’


Feb 14 2013

HP Proliant Support Pack, now Management Component Pack, for Ubuntu


One of the frequently asked questions is how to run the former HP ProLiant Support Pack (PSP) on Ubuntu. Most customers end up installing RedHat/CentOS on their HP servers because they believe they would otherwise have no hardware monitoring support.

Well, this is kind of "hidden" information, and most HP employees don't know it either: you have to have strong connections with engineering to know the truth ;-)

Just to recap, PSP has been renamed Management Component Pack (MCP). This software lets you control and monitor HP-specific hardware components: you can configure your HP SmartArray online, monitor your hardware health with the HP System Management Homepage, or set up SNMP traps for interesting events. The Management Component Pack is an essential group of utilities to help you manage Linux on your HP ProLiant servers.
To download and install these packages, simply point apt at the HP Software Delivery Repository (SDR):

Add this line to /etc/apt/sources.list:

deb http://downloads.linux.hp.com/SDR/downloads/MCP/ubuntu precise/current non-free

then apt-get install the components you'd like to use (as root):

# apt-get update
# apt-get install hpacucli

Debian packages included (apt-cache search hp | grep ^hp):

  • hpsmh – HP System Management Homepage
  • hp-snmp-agents – Insight Management SNMP Agents for HP ProLiant Systems
  • hp-smh-templates – HP System Management Homepage Templates
  • hponcfg – RILOE II/iLO online configuration utility
  • hp-health – hp System Health Application and Command line Utility Package
  • hpacucli – HP Command Line Array Configuration Utility
  • hp-ams – Agentless Monitoring Service for HP ProLiant Gen8 Systems

Just in case someone in support wishes to bother you, the official HP statement is on our support matrix: www.hp.com/go/ubuntucert

As for their own wording: “HP will provide support for HP’s ProLiant hardware and all HP delivered drivers, firmware, utilities, tools and management software. Canonical will provide support of the operating system, software and in distribution drivers.”

Hope this helps!


Jan 21 2013

Firewall marries SecurePass: add a strategic filter to your firewall


Face the distributed network: BYOD, home offices and the human factor could increase the importance of a firewall. Firewalls have traditionally protected companies of any size from Internet attacks. Sitting at the perimeter between corporate intranets and the Internet, firewalls naturally evolved into something able to protect companies from most Internet threats: the UTM, or Unified Threat Management. These appliances have all they need to protect you from common security issues, but there is one thing they cannot protect you from: identity theft. Here's how.

Face the distributed network: BYOD, home offices and human factor could increase the importance of a firewall from Giuseppe Paterno’


Jan 08 2013

Authentication vs authorization and SecurePass Apache module


While the concept of authenticating the user is (quite) well accepted, authorizing a user and assigning roles to them is still a concept that not everybody is familiar with.

Let me recap it again: authentication is the process of identifying the user (who are you?) and authorization is the process of granting access to a given resource (what can you do?).

SecurePass relieves the system administrator(s) of securely identifying the user connecting to a given application or security device. SecurePass' web single sign-on feature is a great tool to identify the end user once while enabling access to every one of the company's web applications.

It is still the system administrators' responsibility to grant access to specific resources. The new Apache SecurePass module is intended to address the authorization part, especially when several parties collaborate in a single application.

This great article explains how:

http://alorenzi.netsons.org/alorenzi/doku.php?id=securepass_module_for_apache

The Apache SecurePass authorization module is ready to embrace the new releases of SecurePass: in future, system administrators will be able to manage corporate groups and policies, plus cross-corporation groups.

Stay tuned for more in 2013!


Oct 30 2012

Identity theft in the cloud and possible remedies


As per my previous post, I was a guest at SMAU 2012, the Italian computer exhibition held in Milan on Oct 19th.

Basically we all know that the Cloud can provide great flexibility to IT, ensuring business continuity and optimising costs. But what are the implications for IT security? Even big names such as IEEE, Apple and Samsung are among the victims of identity theft in the Cloud. If you choose to adopt a virtual datacenter (IaaS) or on-line applications (SaaS), you shift the security paradigm as it was conceived up to now. In the presentation I examined the security implications of a Cloud infrastructure and possible remedies, with practical examples.

By "popular demand", I translated the slides into English. I hope you will enjoy them!

Identity theft in the Cloud and remedies from Giuseppe Paterno’


Oct 19 2012

[ita only] The problem of identity theft in Cloud infrastructures and possible remedies


A brief introduction in English for everybody: I was a guest at SMAU 2012, the Italian computer exhibition held in Milan on Oct 19th. I presented some slides on the identity theft issues connected to cloud infrastructures and how they can be fixed. The slides are in Italian, as it didn't make sense to me to present in English while in Italy ;-)

These are the slides I presented on 19 October 2012 at SMAU 2012 on the problem of identity theft in Cloud environments and possible remedies. It is well known that the Cloud makes it possible to give greater flexibility to IT, guaranteeing business continuity and optimising costs. But what are the implications for corporate security? Recent news has shown that even big names such as IEEE, Apple and Samsung are among the most famous victims of identity theft in the Cloud. If virtual datacenters (IaaS) or on-line applications (SaaS) are adopted, the security paradigm as conceived so far shifts.
The talk analysed the security implications of a Cloud infrastructure and the possible remedies, with practical examples.

Il problema dei furti di identita' nelle infrastrutture Cloud e possibili rimedi from Giuseppe Paterno’


Oct 03 2012

Protect Django apps from identity theft in less than 3 minutes


IEEE, Apple and Samsung are big brands that were recently victims of identity theft. But a company of any size can be a victim of identity theft if its applications or data are exposed on the Internet. As companies start embracing Cloud services, you are outsourcing part of your datacenter to a virtual datacenter hosted at a provider, or storing part of your core data in an application hosted somewhere else, and this changes the way security has been conceived so far.

It doesn't take much to protect your application from identity theft: by adopting SecurePass for strong authentication and identity management you can protect your Django/Python application in less than 3 minutes. I created a video to show how this is possible.

These are the steps to integrate your Django project into SecurePass:

1. You need a valid SecurePass account and a working userid. If you don't have one, open a free account at http://www.secure-pass.net/accounts/open/

2. You need an existing Django project

3. Create a superuser account in your application that matches your SecurePass userid, otherwise you won't be able to access your admin panel anymore. Use the command:

python manage.py createsuperuser

4. Download django-cas from:
https://bitbucket.org/cpcc/django-cas

5. Unzip it and move the django_cas directory into the root of your Django project

6. Modify settings.py as follows:

6a. Append the CAS Server URL:

## CAS configuration
CAS_SERVER_URL = "https://login.secure-pass.net/cas/"

6b. Add 'django_cas.middleware.CASMiddleware' to the MIDDLEWARE_CLASSES tuple

6c. Add the following lines to act as authentication backends:

AUTHENTICATION_BACKENDS = (
'django.contrib.auth.backends.ModelBackend',
'django_cas.backends.CASBackend',
)

6d. Optionally, add a line that specifies the realms/domains allowed to access the application.

## Allowed realms
ALLOWED_REALMS = ('garl.ch', )

7. Add django-cas authentication to urls.py:

(r'^accounts/login/$', 'django_cas.views.login'),
(r'^accounts/logout/$', 'django_cas.views.logout'),

This will also trap admin access requests, which will be validated through CAS/SecurePass.

8. In the views.py:

8a. Import the login_required decorator with:

from django.contrib.auth.decorators import login_required

8b. Add the "@login_required" decorator to the methods you want to protect

8c. Optionally, further restrict access to your method to the realms you trust with:

from django.conf import settings
from django.http import HttpResponseForbidden

 # inside a view already protected by @login_required: reject users from other realms
 if request.user.username.partition("@")[2].lower() not in settings.ALLOWED_REALMS:
     error = "<h1>Authorization denied</h1><p>You are not authorized to access this application.</p>"
     return HttpResponseForbidden(error)
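The realm test of step 8c, generalised into a reusable decorator so it is not repeated in every view; this is an added, framework-agnostic example, not code from the post or from django-cas, and `User`, `Request`, `FORBIDDEN`, `realm_required` and `project_docs` are constructed stand-ins for the Django objects a real view would receive.

```python
from functools import wraps

# Constructed stand-ins for the request and user objects a Django view
# receives; they are not Django's own classes and only carry what the
# realm check needs.
class User:
    def __init__(self, username):
        self.username = username

class Request:
    def __init__(self, user):
        self.user = user

FORBIDDEN = 403  # stands in for HttpResponseForbidden in this illustration

def user_realm(username):
    # A SecurePass userid looks like user@realm. Everything after the first
    # "@" is taken as the realm, exactly as partition("@")[2] does in step 8c,
    # so "bob@other@garl.ch" yields "other@garl.ch" and is rejected below.
    return username.partition("@")[2].strip().lower()

def realm_allowed(username, allowed_realms):
    # Normalise both sides so a realm written as "GARL.CH" in settings still
    # matches, and refuse userids that carry no realm at all.
    realm = user_realm(username)
    return bool(realm) and realm in {r.strip().lower() for r in allowed_realms}

def realm_required(allowed_realms):
    # Decorator form of the step 8c check, to be stacked under @login_required
    # on every view that only trusted realms may reach.
    def decorator(view):
        @wraps(view)
        def wrapper(request, *args, **kwargs):
            if not realm_allowed(request.user.username, allowed_realms):
                return FORBIDDEN
            return view(request, *args, **kwargs)
        return wrapper
    return decorator

@realm_required(("garl.ch",))
def project_docs(request):
    # Example view: only reached by users whose realm is in the allow list
    return "docs for %s" % request.user.username
```

Authentication (who the user is) stays with SecurePass; this decorator is the authorization step that remains the administrator's job.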


Sep 10 2012

SecurePass authentication in C# with RADIUS


Well, Windows is not my favorite OS, but Windows and Windows Server are still very popular. I received a lot of queries on how to authenticate against SecurePass using RADIUS, so I decided to write a small program in C# and share it with everybody.

The code is just an example and has been tested using Mono under Mac OS X, but it should work fine under Windows with Visual Studio.

First of all, you will need the .NET RADIUS client library from http://code.google.com/p/dotnet-radius-client-library/. If you are running Windows, you can download the pre-compiled DLL; otherwise you have to check out the source files and compile them yourself.

Please have a look at the comments for more information.

/*
 *  sp-login - Giuseppe Paterno' (gpaterno@gpaterno.com)
 *  Demo of logging in to SecurePass with C#/.NET
 *  through RADIUS protocol
 */

using System;
using System.Net;
using Ais.Net.Radius;
using Ais.Net.Radius.Attributes;

namespace splogin
{
	class MainClass
	{
		public static void Main (string[] args)
		{
			string user, password;

			// Populate it with your radius secret
			// Better if you get it from a config file
			const string radius_secret = "mysecretpassword";

			// Get my IP address to send it as a NasIP address
			// This is just for logging
			string host = Dns.GetHostName();
			IPHostEntry ip = Dns.GetHostEntry(host);
			string nasIp = ip.AddressList[0].ToString();

			// Get IP address for the radius server, you will
			// never know what's the answer from the global
			// load balancing system.
			string SecurePassRadius = "radius1.secure-pass.net";
			IPAddress[] addresslist = Dns.GetHostAddresses(SecurePassRadius);

			Console.WriteLine ("\nWelcome to SecurePass .NET demo!");
			Console.WriteLine ("================================\n");

			// Ask for username and password, i.e.
			// OTP + SecureFactor
			Console.Write("Username: ");
			user = Console.ReadLine ();

			Console.Write("Password: ");
			password = Console.ReadLine ();

			// Build a client with parameters
			var radiusClient = new Client(addresslist[0], 1812, radius_secret) {
				SendTimeout = 5000,
				ReceiveTimeout = 5000,
				Ttl = 50
			};

			// Create an access request
			var request = new AccessRequest(nasIp, ServiceType.Framed, user,
			                                password, radiusClient);

			// Send with 3 retries
			var response = radiusClient.Send(request, true, 3);

			// Analyze the response packet
			if (response.Packet.PacketType == PacketType.AccessAccept)
				Console.WriteLine("Access granted");
			else
				Console.WriteLine("Access denied");

		}
	}
}
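To show what the C# client above actually puts on the wire, here is an added Python example (not part of the original post and not the dotnet-radius-client-library) that assembles the same Access-Request with the RFC 2865 User-Password hiding done by hand and parses it back; the secret, username, password, NAS address and authenticator are constructed sample values.

```python
import hashlib
import os
import socket
import struct

# Packet code and attribute types from RFC 2865
ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
SERVICE_TYPE_FRAMED = 2

def hide_password(secret, authenticator, password):
    # RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    # MD5(secret + previous ciphertext block); block 1 uses the authenticator.
    # The hiding is only as strong as the shared secret, which is why the
    # secret and the path to the RADIUS server must both be trusted.
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += prev
    return hidden

def recover_password(secret, authenticator, hidden):
    # Inverse of hide_password, as performed by the RADIUS server
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")

def _attr(attr_type, value):
    # Attribute = Type(1) Length(1) Value; Length covers all three fields
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(secret, identifier, user, password, nas_ip, authenticator=None):
    # Same attributes the C# AccessRequest carries: User-Name, User-Password,
    # NAS-IP-Address and Service-Type = Framed; 20-byte header + attributes
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(USER_NAME, user.encode())
             + _attr(USER_PASSWORD, hide_password(secret, authenticator, password.encode()))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + _attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_FRAMED)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs

def parse_packet(packet):
    # Returns (code, identifier, authenticator, {attr_type: value}) and
    # rejects packets whose Length field disagrees with the actual size
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = struct.unpack("!BB", packet[pos:pos + 2])
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, packet[4:20], attrs
```

The password field is the OTP plus SecureFactor typed into the C# program, so a monitoring tool that can see the RADIUS shared secret can also recover it from a capture; keep the secret out of source code, as the comment in the C# listing already advises.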

