AWS ABCs: Granting A Third-Party Access to Your Account
There can be times when you’re working on the AWS Cloud where you need to grant limited access to your account to a third-party. For example:
- A contractor or a specialist needs to perform some work on your behalf
- You’re having AWS Professional Services or a partner from the Amazon Partner Network do some work in your account
- You’re conducting a pilot with AWS and you want your friendly neighborhood Solutions Architect to review something
In each of these cases you likely want to grant the permissions the third-party needs but no more. In other words, no granting of AdministratorAccess policies because it’s easy and just works. Instead, adherence to the principle of least privilege.
This post will describe two methods–IAM users and IAM roles–for proving limited access to third-parties.
Comparing the Two Approaches
The big difference with the IAM user approach vs the role-based approach is the way the credentials for each entity are handed out.
IAM users have long-term credentials that only change by a manual action (either the user or an administrator changes the credentials). Those credentials will continue to provide access to the account until they’re either changed or the user is disabled/deleted.
By contrast, roles Continue reading
VMworld 2019: Sneak Peak at Our Keynote Sessions. Plus a Chance to Win!
Networking & Security Keynotes at VMworld 2019
About a month ago, we published a VMworld security guide with shortlisted 100 to 300 level sessions that best illustrate real-world application of our products. This time, we’ll be focusing on two networking and security keynotes. The first keynote will highlight how VMware’s single-stack, complete networking and security platform can achieve a consistent operational network fabric for hybrid cloud environments, and the second keynote will focus on how users can leverage existing VMware infrastructure to implement a more effective, intrinsic security.
In addition, you will have a shot at winning Bose headphones simply by attending each event. Although chances are slim (1250 times harder to win both as opposed to just one), duplicate winners will be acknowledged so if you are looking for a present for yourself and a significant other, make sure to register and save on your yearly bonus! Winners will be announced at the end of each keynote, so make sure to stay until the end!
Showcase Keynote: Networking and Security for the Cloud Era [NETS3413KU]
There has never been a more exciting and challenging time in the networking space. As the cloud, application developers, IoT, Continue reading
U.S. Delays Huawei Ban Another 90 Days
Huawei earned itself another narrow and temporary reprieve from a blanket ban against doing...
© SDxCentral, LLC. Use of this feed is limited to personal, non-commercial use and is governed by SDxCentral's Terms of Use (https://www.sdxcentral.com/legal/terms-of-service/). Publishing this feed for public or commercial use and/or misrepresentation by a third party is prohibited.
Cisco and F5 Networks Discuss the Value of Tech Partnerships
SDxCentral spoke with Cisco and F5 Networks about their companies’ complementary approaches and...
© SDxCentral, LLC. Use of this feed is limited to personal, non-commercial use and is governed by SDxCentral's Terms of Use (https://www.sdxcentral.com/legal/terms-of-service/). Publishing this feed for public or commercial use and/or misrepresentation by a third party is prohibited.
Cloudflare Files IPO Paperwork to Battle AWS, Cisco, and Oracle
It also directly competes against CDN firms like Akamai, Limelight, and Fastly, which went public...
© SDxCentral, LLC. Use of this feed is limited to personal, non-commercial use and is governed by SDxCentral's Terms of Use (https://www.sdxcentral.com/legal/terms-of-service/). Publishing this feed for public or commercial use and/or misrepresentation by a third party is prohibited.
Cisco Software Subscriptions Hit 70%, China Trade War Spooks Investors
Cisco’s China revenue dropped 25% on an annualized basis in the fourth quarter.
© SDxCentral, LLC. Use of this feed is limited to personal, non-commercial use and is governed by SDxCentral's Terms of Use (https://www.sdxcentral.com/legal/terms-of-service/). Publishing this feed for public or commercial use and/or misrepresentation by a third party is prohibited.
Key Steps and Pitfalls to Avoid in Cloud Security, with Valtix’s CEO Vishal Jain
Hear from Valtix CEO Vishal Jain and is his take on cloud security today, where it’s going, and...
© SDxCentral, LLC. Use of this feed is limited to personal, non-commercial use and is governed by SDxCentral's Terms of Use (https://www.sdxcentral.com/legal/terms-of-service/). Publishing this feed for public or commercial use and/or misrepresentation by a third party is prohibited.
VMware SVP Tom Corn: Security Is a Team Sport and vAdmins Play a Starring Role
Application security is changing the role of virtual administrators and expanding their job...
© SDxCentral, LLC. Use of this feed is limited to personal, non-commercial use and is governed by SDxCentral's Terms of Use (https://www.sdxcentral.com/legal/terms-of-service/). Publishing this feed for public or commercial use and/or misrepresentation by a third party is prohibited.
Hacker Jeopardy, Wrong Answers Only Edition
Among the evening entertainment at DEF CON is "Hacker Jeopardy", like the TV show Jeopardy, but with hacking tech/culture questions. In today's blog post, we are going to play the "Wrong Answers Only" version, in which I die upon the hill defending the wrong answer.The problem posed is this:
YOU'LL LIKELY SHAKE YOUR HEAD WHEN YOU SEE TELNET AVAILABLE, NORMALLY SEEN ON THIS PORT
Apparently, people gave 21, 22, and 25 as the responses. The correct response, according to RFC assignments of well-known ports, is 23.
A good wrong answer is this one, port 25, where the Morris Worm spread via port 25 (SMTP) via the DEBUG command.
pre-1988 it was 25, but you had to type DEBUG after connecting ?— pukingmonkey? (@pukingmonkey) August 10, 2019
But the real correct response is port 21. The problem posed wasn't about which port was assigned to Telnet (port 23), but what you normally see these days.
Port 21 is assigned to FTP, the file transfer protocol. A little known fact about FTP is that it uses Telnet for it's command-channel on port 21. In other words, FTP isn't a text-based protocol like SMTP, HTTP, POP3, and so on. Instead, Continue reading
Fast Friday- Black Hat USA 2019
I just got back from my first Black Hat and it was an interesting experience. It was crazy to see three completely different security-focused events going on in town all at once. There was Black Hat, B-Sides Las Vegas, and DEFCON all within the space of a day or so of each other. People were flowing back and forth between them all and it was quite amazing.
A wanted to share a few quick thoughts about the event from my perspective being a first timer.
- The show floor wasn’t as bit as VMworld or Cisco Live, but it was as big as it needed to be. Lots of companies that I’ve heard of, but several more that were new to me. That’s usually a good sign of lots of investment in the security space.
- Speaking of which, I talked to quite a few companies about a variety of analytics, telemetry, and insider threat monitoring solutions. And almost all of them had a founder from Israel or someone that was involved in the cybersecurity areas of the IDF. That’s a pretty good track record for where the investment is going.
- The Vegas booth gimmicks never change. I think I’ve spent too Continue reading
Introducing Certificate Transparency Monitoring
Today we’re launching Certificate Transparency Monitoring (my summer project as an intern!) to help customers spot malicious certificates. If you opt into CT Monitoring, we’ll send you an email whenever a certificate is issued for one of your domains. We crawl all public logs to find these certificates quickly. CT Monitoring is available now in public beta and can be enabled in the Crypto Tab of the Cloudflare dashboard.
Background
Most web browsers include a lock icon in the address bar. This icon is actually a button — if you’re a security advocate or a compulsive clicker (I’m both), you’ve probably clicked it before! Here’s what happens when you do just that in Google Chrome:
This seems like good news. The Cloudflare blog has presented a valid certificate, your data is private, and everything is secure. But what does this actually mean?
Certificates
Your browser is performing some behind-the-scenes work to keep you safe. When you request a website (say, cloudflare.com), the website should present a certificate that proves its identity. This certificate is like a stamp of approval: it says that your connection is secure. In other words, the certificate proves that content was not intercepted or Continue reading
Securing devices for DEFCON
There's been much debate whether you should get burner devices for hacking conventions like DEF CON (phones or laptops). A better discussion would be to list those things you should do to secure yourself before going, just in case.These are the things I worry about:
- backup before you go
- update before you go
- correctly locking your devices with full disk encryption
- correctly configuring WiFi
- Bluetooth devices
- Mobile phone vs. Stingrays
- USB
Backup
Traveling means a higher chance of losing your device. In my review of crime statistics, theft seems less of a threat than whatever city you are coming from. My guess is that while thieves may want to target tourists, the police want to even more the target gangs of thieves, to protect the cash cow that is the tourist industry. But you are still more likely to accidentally leave a phone in a taxi or have your laptop crushed in the overhead bin. If you haven't recently backed up your device, now would be an extra useful time to do this.
Anything I want backed up on my laptop is already in Microsoft's OneDrive, so I don't pay attention to this. However, I have a Continue reading
Dynatrace Scores $544M IPO, Cloudflare to Follow Suit
Dynatrace raised $544 million in its initial public offering (IPO) today, selling 35.6 million...
© SDxCentral, LLC. Use of this feed is limited to personal, non-commercial use and is governed by SDxCentral's Terms of Use (https://www.sdxcentral.com/legal/terms-of-service/). Publishing this feed for public or commercial use and/or misrepresentation by a third party is prohibited.
Cisco Pays $8.6M in First-Ever Security Software Whistleblower Payout
It’s essentially pocket change for the vendor — Cisco CEO Chuck Robbin’s house sold for...
© SDxCentral, LLC. Use of this feed is limited to personal, non-commercial use and is governed by SDxCentral's Terms of Use (https://www.sdxcentral.com/legal/terms-of-service/). Publishing this feed for public or commercial use and/or misrepresentation by a third party is prohibited.
IBM Packs Red Hat OpenShift Into Cloud Paks
The Cloud Paks allow IBM software to run across major public cloud providers like Amazon Web...
© SDxCentral, LLC. Use of this feed is limited to personal, non-commercial use and is governed by SDxCentral's Terms of Use (https://www.sdxcentral.com/legal/terms-of-service/). Publishing this feed for public or commercial use and/or misrepresentation by a third party is prohibited.
Lanner and GTT Leverage uCPE to Bolster SD-WAN Performance
Both companies announced new SD-WAN capabilities leveraging universal customer premises...
© SDxCentral, LLC. Use of this feed is limited to personal, non-commercial use and is governed by SDxCentral's Terms of Use (https://www.sdxcentral.com/legal/terms-of-service/). Publishing this feed for public or commercial use and/or misrepresentation by a third party is prohibited.
Cohesity Adds Security Capabilities With CyberScan
“Before us, backup data was just an expensive insurance policy. We are the first ones to make...
© SDxCentral, LLC. Use of this feed is limited to personal, non-commercial use and is governed by SDxCentral's Terms of Use (https://www.sdxcentral.com/legal/terms-of-service/). Publishing this feed for public or commercial use and/or misrepresentation by a third party is prohibited.
Juniper Pushes Security Into MX Routers, Updates Containerized Firewall
The vendor first started talking about Connected Security earlier this year. It involves a layered...
© SDxCentral, LLC. Use of this feed is limited to personal, non-commercial use and is governed by SDxCentral's Terms of Use (https://www.sdxcentral.com/legal/terms-of-service/). Publishing this feed for public or commercial use and/or misrepresentation by a third party is prohibited.
VMware Cloud on AWS: NSX Networking and Security eBook
Check out my latest book co-authored with my colleagues Gilles Chekroun (@twgilles) and Nico Vibert (@nic972) on VMware NSX networking and security in VMware Cloud on AWS. Thank you Tom Gillis (@_tomgillis), Senior Vice President/General Manager, Networking and Security Business Unit for writing the foreword and providing some great insight.
Download the eBook for Free
I’ve been very fortunate to have the opportunity to publish my second VMware Press book. My first book was VMware NSX Multi-site Solutions and Cross-vCenter NSX Design: Day 1 Guide. This book was focused very much on NSX on prem and across multiple sites. In my latest book with Gilles and Nico, the focus was on NSX networking and security in the cloud and cloud/hybrid cloud solutions.
You can download the free ebook here:
In this book you’ll learn how VMware Cloud on AWS with NSX networking and security provides a robust cloud/hybrid cloud solution. With VMware Cloud on AWS extending or moving to the cloud is no longer a daunting task. In this book, we discuss use cases and solutions while also providing a detailed walkthrough of Continue reading
When It Comes to Security Architecture, Edge Is Where It’s At
There are billions of reasons why network security needs to be pushed to the edge, and Netskope is...
© SDxCentral, LLC. Use of this feed is limited to personal, non-commercial use and is governed by SDxCentral's Terms of Use (https://www.sdxcentral.com/legal/terms-of-service/). Publishing this feed for public or commercial use and/or misrepresentation by a third party is prohibited.