Security & LOGS Questions

marie-ange

New member
To the best of my knowledge users can only be set up per Graph, as there is no users for Anatella as such. If correct, these questions would have to apply to graph specific users/accounts/passwords. For all questions please provide details on security measures/encryption method used etc., where possible. In some cases the questions may not be applicable, as they are intended to cover all type of applications.

Security Questions

  • Are user passwords must be stored using a Salted Cryptographic Hash?
  • Are response phrases stored in a secure manner using a symmetric encryption method or cryptographic hash?
  • For encrypt graph and similar functions, what cryptographic algorithms are used?
  • Are encryption keys, Initialization Vectors (IV), and salts generated randomly?
  • Are encryption keys stored separately from the data they encrypt?
  • Are encryption keys protected during transit or in storage?

LOGS QUESTIONS
  • Do logs (if any), produced meet the following criteria?
(a) the time and date of the event,
(b) the application associated with the event,
(c) the user or process initiating the event and, if applicable, the subject acted upon,
(d) the remote IP address of the initiating user or process,
(e) success or failure indication,
(f) a detailed description of the event.

  • If multiple logs are generate do they allow correlation of log activity across these logs via a unique ID?
  • Are all successful and failed login attempts logged?
  • Are account creations, deletions, and modifications logged?
  • Are failed access attempts to data, functions, and services logged?
  • Are password resets, self-service or administrative logged?
  • Is logging/detailed debugging information disabled in production versions?
 

Support

Administrator
Staff member
Hello,

please find below our current answers:

Security Questions
  • Are user passwords must be stored using a Salted Cryptographic Hash?
Yes, when it's possible.
For example, the ODBC password to connect to relational database is encrypted using a symmetric algorithm with a 196 bit key.
The usage of a symmetric algorithm is required because the key must be decrypted before being sent to the database.
  • Are response phrases stored in a secure manner using a symmetric encryption method or cryptographic hash?
There are no response phrases in TIMI/Anatella.

  • For encrypt graph and similar functions, what cryptographic algorithms are used?
3DES (or DES sometime)

  • Are encryption keys, Initialization Vectors (IV), and salts generated randomly?
yes

  • Are encryption keys stored separately from the data they encrypt?
yes
  • Are encryption keys protected during transit or in storage?
yes


LOGS Questions

  • Do logs (if any), produced meet the following criteria?
(a) the time and date of the event,
(b) the application associated with the event,
(c) the user or process initiating the event and, if applicable, the subject acted upon,
(d) the remote IP address of the initiating user or process,
(e) success or failure indication,
(f) a detailed description of the event.
  • If multiple logs are generated do they allow correlation of log activity across these logs via a unique ID?
Typically, with Anatella/TIMi, the logs are saved inside Jenkins and Jenkins indeed saves all the requested details listed here above.
We just added also a second logging mechanism inside Anatella/TIMi that does not rely on Jenkins (i.e. it's directly integrated within Anatella). This second logging mechanism also satisfies the requested criteria listed here above. The objective of this second logging mechanism is to log all the SQL commands that were sent to your databases.
More details: When your data scientists are managing sensitive data stored inside a database, you need to closely monitor their actions to prevent any catastrophic event that might jeopardize the confidentiality of the data (or even damage your database!). These “SQL logs” are useful to make your data scientists accountable for all their actions that are related to your sensitive databases. You'll find more details about the new "SQL Logs" functionality inside Anatella in the section 7.6. inside the "AnatellaQuickGuide.pdf" (press F1 inside Anatella to read this PDF). The “SQL logs” functionality is available since Anatella v2.12.

  • Are all successful and failed login attempts logged?
Login are handled through MS-Windows.
And, yes, MS-Windows provides a log of all login attempts.
More details: Typically, before creating a new Anatella graph (or using TIMi in general), you must log into a MS-Windows machine. You can also run an Anatella graph (that was previously designed by an Analysts during a MS-Windows session) through your scheduler. Anatella/TIMi is compatible with any scheduling tools. Inside the documentation, we suggest you to use the MS-Windows integrated scheduler or the Jenkins Scheduler. The Jenkins Scheduler provides a web interface. Inside the Jenkins web interface, the login attempts are also saved: More details on this subject here: https://stackoverflow.com/questio...o-successfully-logged-into-my-jenkins-server .

  • Are account creations, deletions, and modifications logged?
This is handled through MS-Windows.
And, yes, MS-Windows provides a log of all changes on the accounts.
For example: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4720
If you are using the Jenkins scheduler, then, you can log all changes on the accounts (more details here:https://jenkins.io/blog/2019/09/23/outreachy-audit-log-release/). Jenkins also integrates with Active Directory so that you can manage your Jenkins users directly using the standard MS-Windows administrative tools.


  • Are failed access attempts to data, functions, and services logged?
Anatella/TIMi can access data stored in many locations: in files, in databases, in cloud services, etc.
When in production, the log of the failure of all accesses are saved in Jenkins.
As requested, this includes all the types of access supported by TIMi/Anatella: data access, function access, services access, etc.

In particular, when the "SQL Logs" option is enabled, the log of all the data accesses to all your databases is saved all the time (i.e. this is not limited to just the "production" mode inside Jenkins: e.g. this also includes when using Anatella in interactive mode when designing a brand-new data transformation graph). You'll find more details about the new "SQL Logs" functionality inside Anatella in the section 7.6. inside the "AnatellaQuickGuide.pdf" (press F1 inside Anatella to read this PDF).

  • Are password resets, self-service or administrative logged?
This is handled through MS-Windows.
And, yes, MS-Windows provides a log of all changes on the accounts.
For example: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4720

If you are using the Jenkins scheduler, then, you can log all changes on the Jenkins accounts (more details here:https://jenkins.io/blog/2019/09/23/outreachy-audit-log-release/). Jenkins provides a large lists of plugins(https://plugins.jenkins.io/) that allows you to handle any security issues that you might have (for example, see here:https://www.google.com/search?hl=en&q=jenkins+log+account+creation,+deletions,+and+modifications+logged?&spell=1&sa=X&ved=2ahUKEwiPkYyTlOXoAhXC2qQKHd3jDTsQBSgAegQICxAn&biw=1375&bih=625 and here:https://plugins.jenkins.io/ui/search?sort=relevance&categories=adminTools&labels=user&view=Tiles&page=1&query=). In particular, Jenkins integrates with Active Directory so that you can manage your Jenkins users directly using the standard MS-Windows administrative tools.

  • Is logging/detailed debugging information disabled in production versions?
With TIMi/Anatella, the "production Mode" is typically handled through the Jenkins scheduler (although you can use any other scheduler). The Anatella graphs that are executed through the Jenkins scheduler are running under a specific MS-Windows account. For more details on this subject, see the section 4.7.9.2.1. inside the "AnatellaQuickGuide.pdf" (press F1 inside Anatella to read this PDF). When Jenkins runs a scheduled job, it saves the logs of this new execution inside its own log repository. To the best of my knowledge, there is no way to prevent this logging to occur.

This is it!
Have a great day!
 
Top