Tag: Technology

  • Endpoint security and cloud architecture

    Hackers love endpoints—those end-user devices that connect to your enterprise network. With a little ingenuity, bad actors (outside or inside your organization) can access sensitive data through employees’ laptops and smartphones, the office security cameras, printers, and a host of other entry points.

    Endpoint security protects your enterprise resources by safeguarding these end-user devices from breach or physical theft. But many organizations are asking how cloud computing fits into the equation. In this brief interview, Pluralsight instructor Terumi Laskowsky (TL) walks through the considerations and responds to frequently asked questions.

    How has endpoint security changed in the era of cloud?

    TL: A decade ago, organizations typically limited the type of end-user devices that could connect to the corporate network, which gave IT professionals significant control over device security.

    In contrast, cloud involves broad network access, and the possible devices that can access the cloud are growing exponentially and becoming more geographically distributed.

    Gone are the days where equipment lived primarily on a corporate campus, accessed through highly secure VPN connections. Today’s devices often access the corporate network via the cloud, without this enhanced scrutiny in place.

    Many enterprises utilize a hybrid deployment model where the cloud is an extension of on-premises infrastructure. This requires security professionals to consider an ever-growing assortment of endpoint devices, which all represent potential attack vectors and require risk management strategies to protect corporate resources and data.

    How do you protect endpoints?

    TL: First, it’s important to recognize that a device can be an attacker or a victim. So, you have to plan for both scenarios. How do you protect a device from a cyber attack? And how do you protect your corporate resources against a compromised device?

    You can install an endpoint security solution on a device and control its behavior using an organizational security policy. For example, to protect against data leakage from these devices, the security policy could prohibit using USB sticks. Here’s another example: You could enforce whole-disk encryption in case someone loses their end-user device. This is easier to do if your organization owns and manages the devices.

    However, many employers allow personally owned devices to connect to the corporate infrastructure, especially from the cloud. This complicates the matter. If you allow your company to install an agent on your phone, who has control over your phone? How about your private data on the phone? Is your privacy protected? Organizations need to think through and resolve these questions.

    What should an endpoint protection strategy include?

    TL: Organizations need to catalog all devices that access corporate resources—from computers and smartphones to IoT devices such as fire alarms, thermostats, the sensors where employees swipe their badges to gain access to your building, and an ever-growing assortment of smart technology.

    Anything that connects to your corporate resources can be a point of entry for a cyberattacker. This means you need a process for constantly updating your inventory of endpoint devices and managing each via an endpoint security corporate policy.

    Your strategy also needs to identify who owns the responsibility for maintaining the security of each endpoint device. In some cases, the answer is IT. In other cases, you’ll need a formal shared responsibility agreement. For example, your facilities team maintains your thermostats. What aspects of security will they be responsible for? And what will IT handle?

    This can’t just be an exercise on paper—a document that sits on a shelf and collects dust. When there’s shared responsibility, both parties need to formally acknowledge they understand their role. And you need an oversight process that periodically audits security for each of the endpoint devices.

    When organizations don’t plan for shared responsibility, security can fall through the cracks.

    Actor Henry Winkler said, “Assumptions are the termites of relationships.” In my opinion, they also are the termites of cybersecurity. A good endpoint security policy clearly articulates who is responsible for the security of each device so there are no assumptions or oversights.

    How does the cloud deployment model affect endpoint security?

    TL: Here’s a rule of thumb to consider when planning your cloud strategy:
    Complexity increases overall security risk and complicates endpoint security planning.

    If 100% of your corporate resources live in a private cloud (single tenant = you), your endpoint security planning is easier than with a multi-tenant public cloud.

    When you have part of your corporate resources in one spot—say, an on-prem data center—and the rest with a public cloud provider (a hybrid cloud approach), you need security planning for both sets of resources. The complexity of connecting the two increases the risk of security vulnerabilities. Same with multicloud, where you’re utilizing two or more public cloud providers.

    Each of these models requires a different level of effort to manage security risk.

    What are endpoint security best practices when the cloud is involved?

    TL: Applying security controls to the endpoint is just one step. Organizations must also apply security controls to the critical resources, such as the network, databases, and email systems, to detect and neutralize insider threats.

    Second, corporations must beef up their detection of malicious behavior patterns in their infrastructure. This will help them respond to threats faster and isolate the internal threat agent quickly. This response can also update the security policy to enhance the security of all endpoint devices—features normally part of endpoint detection and response (EDR) solutions.

    Third, have strong ingress (protection from incoming attacks from endpoints on the Internet) and egress (protection from exfiltration of data from the corporate network) filters. The best move: pair egress filtering, also known as DLP (data loss prevention) solutions, with endpoint security.

    Fourth, apply attribute-based access control so that if an end user is connecting using an approved device with endpoint protection implemented from an approved location (i.e., attributes), they’re given greater access compared to those accessing the Internet using non-standard devices.

    And finally, continue to use traditional protection of the endpoint itself if possible. We’re talking solutions such as strong encryption, anti-malware detection, host-based firewall, host-based intrusion detection and prevention, and remote-wiping capability.

    How do cloud providers help with endpoint security?

    TL: Your stakeholders entrust you to protect their data. So, you need to own your security plan. While major cloud providers offer various endpoint security solutions, it’s vital to think of cloud security as a shared responsibility managed by you. Your organization’s reputation is on the line. You have bottom-line responsibility for security.
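    The attribute-based access control described in the interview (approved device, endpoint protection in place, approved location) can be expressed as a small policy-as-data evaluator. The following is an added example, not part of the Pluralsight interview: the attribute names ManagedDevice, EdrHealthy and ApprovedLocation, the tier names, and the sample requests are constructed for illustration, and the decision fails closed when an attribute is missing.

```powershell
# Added example (not from the Pluralsight interview): attribute-based access decision.
# Attributes, tier names and sample requests below are constructed for illustration.

# Rules are ordered from the most to the least privileged tier. A rule applies when
# every attribute it requires is present and $true in the request.
$Policy = @(
    @{ Tier = 'Full';    Require = @('ManagedDevice', 'EdrHealthy', 'ApprovedLocation') }
    @{ Tier = 'Limited'; Require = @('ManagedDevice', 'EdrHealthy') }
    @{ Tier = 'Browser'; Require = @() }   # non-standard device: browser-only access
)

function Get-AccessTier {
    param([hashtable]$Attributes)

    foreach ($rule in $Policy) {
        $satisfied = $true
        foreach ($name in $rule.Require) {
            # Fail closed: an attribute the device did not report counts as not satisfied,
            # so an agent that stops reporting cannot be mistaken for a healthy one.
            if (-not $Attributes.ContainsKey($name) -or $Attributes[$name] -ne $true) {
                $satisfied = $false
                break
            }
        }
        if ($satisfied) { return $rule.Tier }
    }
    return 'Deny'
}

# Constructed sample requests: corporate laptop on campus, the same laptop travelling,
# a managed laptop whose EDR agent is unhealthy, and a personal phone.
$requests = @(
    @{ User = 'alice'; ManagedDevice = $true;  EdrHealthy = $true;  ApprovedLocation = $true  }
    @{ User = 'bob';   ManagedDevice = $true;  EdrHealthy = $true;  ApprovedLocation = $false }
    @{ User = 'carol'; ManagedDevice = $true;  EdrHealthy = $false; ApprovedLocation = $true  }
    @{ User = 'dave';  ManagedDevice = $false }
)

foreach ($request in $requests) {
    '{0,-6} -> {1}' -f $request.User, (Get-AccessTier -Attributes $request)
}
```

    Run as-is it prints Full for alice, Limited for bob, and Browser for carol and dave. Carol is the case worth noticing: a managed device whose endpoint protection is not healthy is treated no better than an unmanaged one, which is the point of pairing device attributes with endpoint security rather than trusting device ownership alone.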

    Via: https://www.pluralsight.com/

  • How are permissions managed in VMware server?

    Permissions are one of the most important aspects of managing VMware vCenter Server objects. Managing permissions in vCenter Server is a complex task that requires understanding both the global and local permission structures. Administrators can grant a user or group a role on any type of object. However, not every user or group has access to every object type.

    For example, the Operations Manager role includes several tasks related to the datastores attached to hosts. If an administrator creates a datastore and then assigns it to a host, that administrator automatically becomes the owner of the datastore. However, the Operations Manager role does not include access to manage datastores.

    Therefore, the Operations Manager user would not have access to the datastore’s Advanced Settings window and could not assign it to another user. Moreover, any datastore attached to a host that was created by the Operations Manager user would be automatically assigned to that user and could not be reassigned to anyone else.

    This article discusses the basic structure of authorization in VMware vSphere, how permissions are managed across different objects, and how roles are assigned in VMware vCenter.

    Need VMware Training?

    If you are new to virtualization or VMware, the right training can help you get up to speed. And you can’t go wrong with learning how to use VMware effectively because it’s the industry leader when it comes to virtualization. 

    Find the VMware training you need at CBT Nuggets. We offer a variety of online VMware training geared at different levels and roles, from admins to engineers. Start a 7-day free trial today to start learning VMware!

    Understanding Authorization in VMware vSphere

    vSphere uses several models to establish whether a user is authorized to execute a task. Membership in a vCenter Single Sign-On group lets a vSphere admin accomplish some tasks; whether you are permitted to carry out other actions depends on your role on an object or on your global permissions.

    In vSphere, privileged users can grant access to other users so they can carry out tasks. To grant access to other users for specific vCenter Server instances, you can either utilize global permissions or local vCenter Server permissions.

    How are Permissions Managed in VMware vCenter Server?

    vCenter Server’s permissions and roles give precise control over authorization: a vSphere admin designates which user or group has access to an object by assigning a permission on that specific object. The privileges granted by a permission are specified through roles, which are collections of privileges.

    Initially, the vCenter Server system allows only the vCenter Single Sign-On domain administrator user to log in. Administrator@vsphere.local is the default administrator, and the default domain is vsphere.local. When installing vSphere, the default domain can be changed.

    The administrator user can carry out these actions:

    • Add a user and group identity source (such as a directory) to vCenter Single Sign-On.
    • Grant a user or group access to specific resources in the vCenter inventory by selecting an object, e.g. a VM or a vCenter Server system, and assigning the user or group a role on that object.

    What are the 5 vCenter Server Objects?

    Five different objects that we can have in a vCenter Server are listed below:

    Roles: You grant authorization on an object by assigning a role. Predefined roles include Administrator and Resource Pool Administrator. Most predefined roles can be duplicated or modified, with the exception of Administrator.

    Privileges: Privileges control access to resources and are grouped into roles, which are then mapped to specific users or groups.

    Users and groups: Rights can only be granted to users who authenticate through Single Sign-On (SSO). Users must either be defined within SSO or come from an external identity source such as Microsoft Active Directory or another LDAP directory.

    Permissions: Each object in the vCenter hierarchy carries a set of permissions. Each permission specifies which rights a user or group has on that object.

    Global Permissions: Global permissions are permissions applied to the global root object, which spans multiple solutions. For example, if vCenter Server and vRealize Orchestrator are installed side by side, both can use global permissions. Global permissions are replicated across the vsphere.local domain. They do not, however, provide authorization for services run by vsphere.local groups.

    How to Assign Roles and Permissions in VMware vSphere

    You can assign roles to objects in your VMware vSphere inventory using the vSphere Client, which allows you to create roles with tailored sets of privileges to suit the access control requirements of your environment. Log in to the vSphere Client > Administration > Roles.

    From the Roles provider drop-down menu, choose a vCenter Server domain. Here, we’re using vsphere.local, the default. Then select New.

    Enter a role name and description. Select a category (here, datacenter), select all operations to assign to the role, and then click the CREATE button to move on.

    The new role now appears in the list. Once you have chosen an object in your VMware vSphere inventory, you can grant rights by designating a user or group as the role holder for that object.

    Select a Hosts or Clusters object from the vSphere Client Object Navigator, click Permissions, and then click the ADD button.

    Choose the domain for the user or group from the Domain drop-down menu. Here, we’re using vsphere.local, the default. Type a user or group name into the search field and then choose the entry. Select a role from the drop-down menu. The “Propagate to children” checkbox decides whether the permission propagates to child objects. Click OK.

    The Permissions tab shows the permission you added.

    In addition to granting access on specific vCenter objects, you can also set global permissions. In a vSphere environment, global permissions grant a user or group privileges for all objects in all inventory hierarchies.
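    The vSphere Client steps above can also be done from VMware PowerCLI. The following is an added example and not part of the CBT Nuggets article: it builds a role from an explicit list of privilege IDs, grants it to a group on one cluster with propagation, reads the permission back as the Permissions tab would show it, and then audits where the built-in Administrator role (named Admin in PowerCLI) has been granted. The vCenter address, the role name VM Console Operator, the principal VSPHERE.LOCAL\vm-operators and the cluster Prod-Cluster are placeholders to replace with your own. Global permissions are not covered here: New-VIPermission operates on inventory objects, so global permissions are set in the vSphere Client as described above.

```powershell
# Added example (not from the CBT Nuggets article): the role-and-permission workflow
# with VMware PowerCLI. Server, role name, principal and cluster are placeholders.

Import-Module VMware.PowerCLI
$vc = Connect-VIServer -Server 'vcenter.example.internal' -Credential (Get-Credential)

# Step 1: create a custom role from an explicit, minimal privilege set.
# The IDs are vCenter privilege IDs. Resolving them with Get-VIPrivilege first means a
# misspelled ID fails here, before any role exists with the wrong contents.
$privilegeIds = @(
    'System.Anonymous', 'System.View', 'System.Read',
    'VirtualMachine.Interact.PowerOn',
    'VirtualMachine.Interact.PowerOff',
    'VirtualMachine.Interact.ConsoleInteract'
)
$privileges = Get-VIPrivilege -Id $privilegeIds -Server $vc
$role = New-VIRole -Name 'VM Console Operator' -Privilege $privileges -Server $vc

# Step 2: assign the role to a group on one inventory object.
# -Propagate:$true is the "Propagate to children" checkbox in the vSphere Client.
$cluster = Get-Cluster -Name 'Prod-Cluster' -Server $vc
New-VIPermission -Entity $cluster -Principal 'VSPHERE.LOCAL\vm-operators' `
    -Role $role -Propagate:$true -Server $vc | Out-Null

# Step 3: read back what the Permissions tab would show for that object.
Get-VIPermission -Entity $cluster -Server $vc |
    Select-Object Principal, Role, Propagate, IsGroup |
    Format-Table -AutoSize

# Periodic check: every grant of the built-in Administrator role in this vCenter,
# which is where over-privileged accounts tend to accumulate unnoticed.
Get-VIPermission -Server $vc |
    Where-Object { $_.Role -eq 'Admin' } |
    Select-Object Entity, Principal, Propagate |
    Format-Table -AutoSize

Disconnect-VIServer -Server $vc -Confirm:$false
```

    The privilege list is deliberately short: the System.* privileges are implied in every role and are listed only for clarity, and the VirtualMachine.Interact.* entries are what a console operator actually needs. Starting from a minimal list and adding privileges as a task fails is safer than duplicating Administrator and trying to trim it down.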

    Wrapping Up

    One of the most crucial elements of maintaining a VMware vCenter Server installation is permissions. Local permissions enable administrators to govern access to objects and settings within specific vCenter Server systems, whereas global permissions handle the security of all objects in a vCenter Server hierarchy.

    Understanding both the global and local permission hierarchies is necessary for managing permissions in vCenter Server. To determine whether a user has the right to carry out an activity, VMware vSphere provides several models: your membership in a vCenter Single Sign-On group controls some of what you can do, and you can execute other activities based on your role on an object or on your global permissions.

    Via: https://www.cbtnuggets.com/

  • Tumblr’s only viable business model is shitposting

    As Elon Musk struggles to make people give Twitter $8 a month for a blue check, Tumblr had an idea: What if they offered users $8 for not one, but two blue checks?

    Yes, you can legitimately buy two blue checks for your Tumblr blog. For the low, low price of $7.99. As Tumblr wrote in an official post, “That’s cheaper than some other places, when you consider that you get not one but TWO checkmarks for your blog.”

    If you keep paying Tumblr, you can get even more blue checks. Want 10 blue checks? That’ll be about $40.

    Tumblr has struggled to monetize for its entire existence. Tumblr was acquired by Yahoo (TechCrunch’s parent company) for $1 billion in 2013, but when it sold again to Verizon (TechCrunch’s former parent company) in 2019, it was worth just $3 million.

    Tumblr’s success as a social media platform has been in even more jeopardy since it banned porn in 2018 to protect its presence on the App Store. In the last year alone, Automattic has tried to get Tumblr to make money through paid ad-free browsing, a subscription product and a tip jar, marking some of the first paid creator features on the longstanding blogging site. Yet despite growing nostalgia for Tumblr, the platform has failed to grow its user base significantly since the porn ban, when it lost 30% of web traffic.

    Tumblr’s initial rollout of its Post+ subscription was a mess, as users worried how the harsh reality of capitalism would change their fandom paradise. But Tumblr users have proven to be extremely willing to pay money for two things: ad-free browsing and shitposting.

    According to data from SensorTower, Tumblr’s mobile app has seen approximately $507,000 in consumer spending since April. That was the month when Tumblr announced Blaze, a feature that lets users promote their own posts. Not coincidentally, Blaze debuted on 4/20 with price points ending in $4.20.

    On a platform like Facebook, promoted posts are usually for businesses. On Tumblr, Blazed posts are commonly used to make other people bear witness to your cursed content.

    Since the launch of Blaze, Tumblr’s top five in-app purchases have been ad-free browsing (monthly and annual), two price points for Blaze and … crabs. Yes, crabs. In July, Tumblr added a feature that allows you to send someone crabs that dance around their dashboard for a day, and now, crabs have generated more in-app purchases than Post+.

    Tumblr’s paid jab at Twitter verification has only just launched, so we can’t say yet how profitable it will be. But if Tumblr’s history is any indication, this should be a financial slam dunk, since Tumblr users seem to just really want to buy things that are useless.

    According to analytics firm Similarweb, Tumblr did not experience a significant uptick in monthly visits worldwide on mobile and desktop after it launched creator monetization features in summer 2021. However, Tumblr is generating some more interest now that we live in a world in which Elon Musk owns Twitter. Other alternative social networks have seen an influx of new users too — Mastodon nearly doubled its user base so far this month.

    Matt Mullenweg, CEO of Automattic (the company that owns Tumblr), tweeted that Tumblr app downloads are up about 58% in the last week. This could be because Twitter now seems like more of a hellsite than Tumblr under Musk’s ownership, or because Tumblr just changed its community guidelines. Now, Tumblr allows nudity, but not “visual depictions of sexually explicit acts.” Some internet denizens took this policy change to mean that porn is back, but the last time we checked, porn generally falls into the category of “visual depictions of sexually explicit acts.”

    If you’re looking to jump ship from Twitter as Elon Musk gets settled in as its new owner, I hate to break it to you: Tumblr may not be your saving grace (unless you’re a former “Superwholock” fan whose new favorite book is “Gideon the Ninth,” in which case, you’re probably still on Tumblr anyway). But to be fair, it’s likely that none of the Twitter alternatives that are floating around — no, not even Mastodon — will become the new Twitter.

    Regardless, Tumblr now has something that Twitter doesn’t: two blue checkmarks.

    Via: https://techcrunch.com/