Showing posts with label Cloud.

Dec 29, 2024

Review: SASE Architecture for dummies

LinkedIn showed some weeks ago the following posting:
So I downloaded the PDF provided by https://www.netskope.com, and here is my review of this book. It contains an introduction and 5 chapters on 74 pages, which is really more than the typical booklets I reviewed on this blog in the last years.
The introduction starts with a nice remark: "But security can’t inhibit people’s ability to do their work." That means there are new demands from the business for apps, services, etc. which do not fit the traditional castle security approach, because the cloud is an environment that does not fit the old data center security model. The proposal of this book is:
The architecture called secure access service edge (SASE; pronounced “sassy”) is the proven way forward.

Chapter one focuses on the vision of how SASE can secure an enterprise. One assumption here is that no enterprise can avoid SaaS apps/services if it wants to be competitive, but the old security mechanisms cannot cope with these challenges. In this chapter the starting building blocks for SASE are enumerated:

  • SWGs (Secure web gateways)
  • CASBs (Cloud access security brokers)
  • ZTNA (Zero trust network access)
  • DLP (Data loss prevention)

and then some others are added, like FWaaS and RBI (Remote browser isolation). All these tools are summarized under "Security Service Edge" (SSE). The end of the section focuses on the discussion whether SSE and SDWAN have to be delivered by one vendor or whether a dual-vendor approach will work as well.

The title of chapter 2 is "Bringing SASE to Life with SSE and SDWAN", and the proposal here is that security and network performance will enhance each other within SASE. The chapter is divided into two parts: one looking into the SSE part and one into the networking part. For the SSE part, identity is key, as is the integration of all the different building blocks (see the enumeration above) with advanced threat protection (ATP). The SDWAN part is, from my perspective, somewhat of an advertisement for Netskope.

Chapter 3 is named "Empowering People through SASE". A summary of this section can be given with the following quote:

But security is also about shielding your staff from themselves — guarding against the mistakes, temptations, negligence, and errors of judgment that can do irreparable harm. This is critical in a landscape where more than 85 percent to 95 percent of cybersecurity incidents are attributable to human error, according to research from Tessian and IBM --- SASE is a powerful tool for navigating these waters, removing restrictions on your people while empowering them to work safely in new ways.

Key for empowering with SASE is context: every action is examined, and based on user behavior, actions can be taken to prevent attacks, etc.

"Protecting data and applications" is the fourth chapter of the book. The promise of SASE is that traffic is not simply blocked or allowed: context-aware policies are possible, and there are fewer tools which have to be configured and integrated.

Chapter 5 is a 10-step guide on how to implement SASE in your enterprise. These steps range from "gain awareness" to "optimize network performance". From my perspective a good checklist to start from.

Overall I liked the clear structure of this book. Every section starts with 5 key phrases about what you can learn in that section. There are many comparisons drawn with castles, modern homes, airport security and so on. That is really a good idea and makes it much more understandable. Maybe the following snippet shows why this book was sponsored by Netskope:

But that does not matter - if you want to start into SASE: Read this book!

Sep 6, 2023

Review@amazon: Microsoft Power Platform Enterprise Architecture

This weekend I read the book "Microsoft Power Platform Enterprise Architecture"

https://www.packtpub.com/product/microsoft-power-platform-enterprise-architecture/9781800204577

Packt.com says about the book:

For forward-looking architects and decision makers who want to craft complex solutions to serve growing business needs, Microsoft Power Platform Enterprise Architecture offers an array of architectural best practices and techniques. With this book, you’ll learn how to design robust software using the tools available in the Power Platform suite and be able to integrate them seamlessly with various Microsoft 365 and Azure components. Unlike most other resources that are overwhelmingly long and unstructured, this book covers essential concepts using concise yet practical examples to help you save time.[...]

This is something I fully agree with.

For more details please read my review at amazon :).



Jul 30, 2023

Postman: Scratchpad is end of life - Only cloud based workspaces possible --> How to keep the passwords/secrets secure?

Postman is the Swiss army knife for dealing with HTTP(S) requests. You want to test anything with a GET, PUT, POST or OPTIONS call? Postman is the way to go.


But some months ago Postman announced the following:

Scratchpad was the option to work locally on your PC with Postman, with nothing synced to the cloud. That was really cool, because most HTTPS requests have to be authenticated in some way (basic auth, secrets for OAuth, API keys, etc.).
From my perspective the cloud is a very cool thing, but moving all the sensitive parameters into the Postman cloud is not really an option.
So what to do?
  1. Check alternatives...
    But there is nothing like Postman, e.g. the possibility to render the request as a curl, PowerShell, NodeJS axios, ... call and use it anywhere else...
  2. Remove all sensitive data from your requests
    A good step (and just to note: it is bad design if you ever stored secrets inside the calls :) )
  3. Now the calls do not work anymore...
    :(
But this problem was addressed really a long time ago (more than 4 years ago):


So here the link to the solution:

It is just this easy: use variables and do not fill in the initial value!

Here the tests: 
First the local postman:

Second the browser postman:



As you can see: the current values are empty inside the cloud for all entries whose initial value is not filled in...
(By the way: the current value starts as a copy of the initial value. If you put something like test11 and test22 into the current values while the initial values are test1 and test2, only test1 and test2 will show up in the cloud version.)
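The whole point above is that only the initial value of a Postman variable is synced, while the current value stays on your machine. A quick way to check an environment before it goes to a cloud workspace is to audit the exported environment file. The script below is an added example for this post, not Postman's own tooling; it assumes the JSON layout of a Postman environment export as it appears in my own exports (a top-level "values" list whose entries carry "key", "value", "enabled" and "type", where "value" is the initial value, i.e. the synced one, and the current value is not part of the file). The sample environment inside the script is constructed for the demo.

```python
"""Audit a Postman environment export for secrets that would sync to the cloud.

Added example, not Postman's own code. Assumption: an environment export is a
JSON object with a "values" list of {"key", "value", "enabled", "type"} entries,
where "value" holds the *initial* value (synced to the Postman cloud) and the
local-only "current value" is not exported at all. Variables typed "secret" are
only masked in the UI; their initial value is still synced.
"""
import json
import re

# Constructed sample export: api_key still has its secret in the initial value
# (bad), oauth_client_secret follows the post's advice and leaves it empty
# (good), base_url is harmless, Authorization smuggles a bearer token (bad).
SAMPLE_ENVIRONMENT = json.dumps({
    "name": "demo-env",
    "values": [
        {"key": "api_key", "value": "sk_live_constructed_value", "enabled": True, "type": "secret"},
        {"key": "oauth_client_secret", "value": "", "enabled": True, "type": "secret"},
        {"key": "base_url", "value": "https://api.example.test", "enabled": True, "type": "default"},
        {"key": "Authorization", "value": "Bearer eyJconstructed.header.sig", "enabled": True, "type": "default"},
    ],
})

# Key names that usually carry credentials. A "secret"-typed variable is flagged
# regardless of its name; extend the pattern to match your own naming.
SECRET_KEY_PATTERN = re.compile(
    r"(secret|password|passwd|token|api[_-]?key|authorization|private[_-]?key)",
    re.IGNORECASE,
)
# Value shapes that look like credentials even when the key name is harmless.
SECRET_VALUE_PATTERN = re.compile(r"^(Bearer\s+\S+|Basic\s+[A-Za-z0-9+/=]+|sk_[A-Za-z0-9_]+)$")


def find_synced_secrets(environment_json):
    """Return the keys whose initial value would be synced although it looks like a secret.

    A variable is flagged when its initial value is non-empty AND it is typed
    "secret", has a credential-looking key name, or has a credential-looking value.
    """
    env = json.loads(environment_json)
    findings = []
    for var in env.get("values", []):
        key = var.get("key", "")
        initial = var.get("value") or ""
        if not initial:
            continue  # empty initial value: nothing is synced, this is the safe pattern
        looks_secret = (
            var.get("type") == "secret"
            or SECRET_KEY_PATTERN.search(key) is not None
            or SECRET_VALUE_PATTERN.match(initial) is not None
        )
        if looks_secret:
            findings.append(key)
    return findings


def scrub_initial_values(environment_json, keys):
    """Return a new export with the initial value of the given keys blanked out.

    This is the fix the post describes: keep the variable, drop its initial
    value, and fill the current value locally after importing the file.
    """
    env = json.loads(environment_json)
    for var in env.get("values", []):
        if var.get("key") in keys:
            var["value"] = ""
    return json.dumps(env, indent=2)


if __name__ == "__main__":
    leaked = find_synced_secrets(SAMPLE_ENVIRONMENT)
    print("initial values that would sync:", leaked)  # api_key, Authorization
    cleaned = scrub_initial_values(SAMPLE_ENVIRONMENT, leaked)
    print("after scrubbing:", find_synced_secrets(cleaned))  # []
```

Run it against a real export (File > Export on the environment) before you import the file into a cloud workspace; anything the audit reports is exactly what would show up in the browser version in the screenshots above. Note that the "secret" variable type does not help here, it only masks the value in the UI.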

Apr 9, 2023

LinkedIn: Microsoft 365 Backup for Dummies sponsored by Veeam

This week Veeam published this booklet on linkedin.com for download:


The booklet contains 6 chapters; the last one is a summary, "Six takeaways", like always in such "for dummies" books.

From my point of view chapters 1 & 2 can be skipped; this you should really know if you are running M365 (motivation for M365 backup).

Chapter 3 is about how the loss of files can be prevented with M365 mechanisms. This is about compliance center, retention policies and labels. But only the keywords are mentioned and no deeper insights are provided.

In chapter 4 many scenarios are described of how you can lose your data on M365. Here a quote:

I think this chapter can be skipped like chapters 1 & 2.

Chapter 5 opens with a nice term which was new to me: BaaS, Backup as a Service. Never thought about this acronym. Completely clear that some backups in the cloud are done without having purchased storage or servers on premises. Nice thing inside this chapter: a checklist about data sources, data properties and some others. Really nice.

Chapter 6 comes up with the takeaways. These are really worth reading.

Feb 12, 2023

Review: "Cloud Native Infrastructure with Azure" provided by Microsoft

Last week Microsoft published the following LinkedIn post:

On LinkedIn often tiny booklets are offered with around 10 up to 30 pages. But this offer from Microsoft is a book with 11 sections and 289 pages.
If you are interested you can get it via this link (today, 12.2.2023, this is still working): https://azure.microsoft.com/en-us/resources/cloud-native-infrastructure-with-microsoft-azure/

If you are not convinced: Here the table of contents:

  1. Introduction: Why Cloud Native?
  2. Infrastructure as Code: Setting Up the Gateway
  3. Containerizing Your Application: More Than Boxes
  4. Kubernetes: The Grand Orchestrator
  5. Creating a Kubernetes Cluster in Azure
  6. Observability: Following the Breadcrumbs
  7. Service Discovery and Service Mesh: Finding New Territories and Crossing Borders
  8. Networking and Policy Management: Behold the Gatekeepers
  9. Distributed Databases and Storage: The Central Bank
  10. Getting the Message
  11. Serverless
  12. Conclusion

Sounds like many topics i want to read about... :)

May 26, 2022

Review: Securing containers & cloud for dummies

Securing Containers & Cloud (provided by Sysdig) is a booklet with 42 pages and 7 chapters. Like most of the "for dummies" series, the last chapter is a summary with ten considerations.

But let's start from the beginning:
Chapter one, "Understanding cloud security", is a really nice abstract. Here are some of the topics which you should be aware of: "overprivileged identities", "visibility over cloud assets", "leaving out IT", "former employees, one-time users and guest accounts that are left active", ... Knowing that, the following proposal is made: "to detect and stop cyber threats [..] the first step is to see them". Therefore a single event store should be used, and open source is preferred because of validation and transparency.
The second chapter is named "Securing infrastructure as code (IaC)". The typical arguments for IaC are speed, scalability, resilience and reproducibility, but what about security? IaC is created by the developers, and this code has to be checked just like the application sources. And even if IaC is checked, configuration templates in a CI/CD pipeline will suffer from drift. "Policy as code PaC allows you to leverage a shared policy model across multiple IaC, cloud, and Kubernetes environments. Not only does PaC provide consistency and strengthen security, but also it saves time and allows you to scale faster."
"Preventing Vulnerabilities" is the third chapter. Many images in production contain patchable vulnerabilities, which should be patched. So selecting container images from any source (including Docker Hub) without scanning them is not a good idea. One subsection here is "Automate vulnerability scanning in the CI/CD pipeline". I think this is something you should read in the booklet in detail.
After scanning for vulnerabilities, the next chapter is about detecting and responding to threats. This chapter is only about 3 pages and is more an appetizer for Falco, which is a solution from Sysdig.
The sixth chapter is named "Targeting monitoring and troubleshooting issues" and is a plea for open source. "Avoiding Vendor Lock-In" is key to success, at least from the perspective of the authors.
As mentioned in the beginning, the last chapter is a ten-point summary of the topic. This is a fast checklist you can use.

All in all a very good high-level introduction into "Securing Containers & Cloud". I recommend all DevOps engineers and developers spend half an hour reading this booklet.

Nov 20, 2021

AZ-900 achieved: Microsoft Azure Fundamentals

Yesterday evening I passed Microsoft's AZ-900 exam:

Taking the exam on site was no option because of COVID-19, so I tried the online option for the first time. Nice thing: many schedules, and I chose 20:45.

As an examinee you have to start your online session half an hour earlier, and this time you really need for the onboarding:

  1. Download the software to your PC and do some checks (audio, network, ...)
    This is an .exe, so only Windows PCs are possible
  2. Install the app "Pearson VUE" on your smartphone to provide
    1. a selfie
    2. your passport/driver's license/...
    3. photos of your room
  3. Talking to a proctor
    You are not allowed to wear a headset; even a watch is not allowed

After that the exam is about 40 questions in 45 minutes - quite fair.

The questions are about these topics:

  • Describe cloud concepts (20-25%)
  • Describe core Azure services (15-20%)
  • Describe core solutions and management tools on Azure (10-15%)
  • Describe general security and network security features (10-15%)
  • Describe identity, governance, privacy, and compliance features (15-20%)
  • Describe Azure cost management and Service Level Agreements (10-15%)

More information can be found here: https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3VwUY

If you want to do this exam, start here:



Oct 25, 2020

Review: Terraform Up & Running

Because I am doing many projects in the cloud, Terraform is the tool which I use regularly. And to get better, I decided to read this book:

If you are working with the cloud of one of the hyperscalers, then you should take a look at Terraform and perhaps you should read this book ;-)

If you are interested, take a look at my review at amazon.de (like all my reviews: written in German ;-).


Sep 4, 2020

Review: Container Storage for Dummies

After reading Running Containers in Production for Dummies this book fell into my hands:


Container Storage for Dummies is promoted by Red Hat and consists of 5 chapters with 35 pages.

The first chapter gives a short summary about containers. I liked this statement very much: "For example, a VM is like a heavy hammer. It assumes you’re running a server and that the server can host multiple applications. [...] And the container can run just about anywhere, even on a bare metal machine or in a VM — the container doesn’t care." The chapter ends with a motivation why containers need persistent storage: ephemeral containers are transient....
Chapter 2 has the title "Looking at Storage for and in Containers". The key argument here is: "Software-defined storage (SDS) separates storage hardware from storage controller software, enabling seamless portability across multiple forms of storage hardware. You can’t slice and dice storage using appliances or typical SAN/NAS as easily, readily, or quickly as you can with SDS." Both terms (Storage for Containers + Storage in Containers) are given a definition (just take a look inside the book ;-)).
In chapter 3 the authors want to convince the reader of the coolness of container-native storage with phrases like "Container-Native Storage Is the Next Sliced Bread". I think the main argument in this section is that Red Hat contributes substantial parts to open source Kubernetes, so that Red Hat's OpenShift Container Storage fits easily in there. And this is done by introducing the Container Storage Interface, which can be used by all storage providers.
Chapter 4 motivates why developers like container-native storage: because it can be easily managed without SAN administrators....
The last chapter closes with ten reasons to move to container-native storage: simplified management, more automation, scalability, ....

As a summary I think this book is a nice starting point about the problems and possible solutions with storage for containers. It is a little bit disappointing that OpenShift is not really explained, but within only 35 pages this is really impossible.
If you are working or starting to work with containers, I urge you to read this booklet; it is a good start into the container world!



Nov 10, 2019

Oracle Cloud: Feature Set

For all readers who want to get a short overview of the services which can be configured inside Oracle Cloud, here is a walk through the menus.
The main menu shows the following items:
  • Core infrastructure
    • Compute
    • Block Storage
    • Object Storage
    • File Storage
    • Networking 
  • Database
    • Bare Metal, VM, and Exadata
    • Autonomous Data Warehouse
    • Autonomous Transaction Processing
    • Data Safe
    • Exadata Cloud Connector
  • Solution and Patterns
    • Analytics
    • Resource Manager
    • Email Delivery
    • Application Integration
    • Monitoring
    • Developer Services Marketplace
  • Governance and Administration
    • Account Management
    • Identity
Inside the Core Infrastructure item the following services can be found:
  • Compute
    • Instances
    • Dedicated Virtual Hosts
    • Instance Configurations
    • Cluster Networks
    • Autoscaling Configurations
    • Custom Images
    • Boot Volumes
    • Boot Volume Backups
  • Block Storage
    • Block Volumes
    • Block Volume Backups
    • Volume Groups
    • Volume Group Backups
  • Object Storage
    • Object Storage
    • Data Transfer
  • File Storage
    • File Systems
    • Mount Targets
  • Networking
    • Virtual Cloud Networks
    • Dynamic Routing Gateways
    • Customer-Premises Equipment
    • IPSec Connections
    • Load Balancers
    • FastConnect
    • Public IPs
    • DNS Zone Management
    • Traffic Management Steering Policies

  • Administration
    • Tenancy Details
    • Announcements


The menu Database has no subitems.

For most of these services you can find documentation here:
https://docs.cloud.oracle.com/iaas/Content/home.htm




Oct 11, 2019

Oracle cloud: Login

The main problem with logging in to Oracle Cloud is that there is no generic login URL.
Inside the mail Oracle sent after the registration there is a specific URL, something like:
http://app.response.oracle-mail.com/e/er?elq_mid=920.......
But this ends after some seconds at:

https://cloud.oracle.com/en_US/sign-in


There is also another login page, but this one does not work for my setup:

https://login.eu-frankfurt-1.oraclecloud.com/v1/oauth2/authorize


For this one I did not find any documentation at all, so if somebody knows how this login page can be used, please add a comment...

Oct 1, 2019

Oracle Cloud: my first VM

After some problems with signing up I created my first VM inside Oracle Cloud:

and then a short stop for provisioning:


And finally:


The machine runs, and a login can be done with:

schroff@zerberus:~/.ssh$ ssh 130.61.89.226 -l opc
[opc@myVmInstanceDS ~]$ df -h
Filesystem      Size  Used Avail Use% Mounted on
devtmpfs        459M     0  459M   0% /dev
tmpfs           486M     0  486M   0% /dev/shm
tmpfs           486M   13M  473M   3% /run
tmpfs           486M     0  486M   0% /sys/fs/cgroup
/dev/sda3        39G  1,9G   37G   5% /
/dev/sda1       200M  9,7M  191M   5% /boot/efi
tmpfs            98M     0   98M   0% /run/user/1000
[opc@myVmInstanceDS ~]$ 

Sep 27, 2019

Oracle cloud: sign up: after nearly 2 weeks...

After trying to get around my problems with my
I was able to sign up at Oracle Cloud services.
Thanks to Oracle support for the e-mails with tips and explanations of what I had to do!

And after some seconds i got the following e-mail:

And the sign in worked:

With the next postings I will try to get some VMs etc. running inside Oracle Cloud...

Sep 13, 2019

Oracle Sign up: more problems

I thought I was successful, but:

I received a mail with the following content:

"We have re-authorized a new, specific amount on the credit/debit card used during the sign up process."

and

"To verify the account you have created, please confirm the specific amount re-authorized."


My problem: there is not any "re-authorized amount" on my bank account. I do not know what "re-authorized" means.
Is it this: the amount is charged on my credit card (then I should see it)?
Or is this process buggy and I was for some reason not charged?
Or is re-authorization something else?



Sep 12, 2019

Oracle Cloud: First login

After signing up to Oracle Cloud I tried my first login:

https://cloud.oracle.com/en_US/sign-in


but I only got:
I think the problem is that there is a manual review step on Oracle's side which I have not passed for now:
So let's wait for a day or two...

Sep 10, 2019

Oracle Cloud: Sign up failed... [3] & solved

Finally (see my attempts here and here) I was able to sign up to Oracle Cloud.
What did the trick?

I got help from Oracle support:
So I used my gmail address and this worked:

and then:

Let's see how this cloud will work compared to Azure and AWS

Sep 6, 2019

Oracle Cloud: Sign up failed... [2]

After my failed registration to Oracle Cloud, I got very fast an email from Oracle support with the following requirements:
So I tried once again with a Firefox "private" window, but this failed again.
The next idea was to use a completely fresh installed browser, so I tried with a fresh Google Chrome.
But the error still remained:
Let's hope Oracle support has another thing which will put me onto Oracle Cloud.

UPDATE:


There is a tiny link "click here" just above the blue button. This link I had to use with the verification code provided by Oracle support.
But then the error is:
I checked this with a VISA and a MASTERCARD. Neither of them worked...

UPDATE 2: see here how the problem was solved.

Sep 1, 2019

Oracle Cloud: Sign up failed...

Yesterday I tried to sign up for Oracle Cloud:

So let's start the registration process:


The mobile number verification is done with SMS, and after entering the 7-digit PIN you are allowed to enter a password:

As payment information only credit cards are accepted:
  • VISA
  • Mastercard
  • Amex


Even though my credit card was accepted:



"Your credit card has been successfully validated. Please proceed to complete the Sign up."
I got the following error:

"We're unable to process your transaction. Please contact Oracle Customer Service."
The link "Oracle Customer Service" did not work, so I used the chat support. But inside the chat no agent was available and only "Send E-Mail" worked. Let's see what kind of response I will be given...

EDIT: Some further attempts...

EDIT 2: see here how the problem was solved.