Audit terminology: SAS 70, SSAE 16, SSAE 18, SOC1, SOC2, Type 1, Type 2

If you are involved in information technology and compliance in a heavily regulated industry, or work with larger organizations, you have probably run across the terms SAS 70, SSAE 16, SSAE 18, SOC 1 report, SOC 2 report, Type 1 Report, and Type 2 Report. These terms are frequently abused and misunderstood, even by compliance “experts,” so I’ve written this brief one-page summary. Everything I state below has a direct reference on the AICPA site; I have learned not to trust third-party sources with regard to compliance.

Background

The American Institute of CPAs (AICPA) has issued a series of standards for reporting on the controls implemented by service organizations. These standards were originally known as SAS 70, but in 2011 SAS 70 was replaced by SSAE 16. SOC reports issued on or after May 1, 2017 must be written in accordance with SSAE 18, which is an update to and clarification of SSAE 16.

SSAE/SOC are attestation standards that provide a standard system for documenting an organization’s controls and ensuring that the controls are suitable for their stated purpose. Type 1 reports (see below) also document the effectiveness of the controls. SSAE/SOC are fundamentally different from compliance frameworks like HIPAA/HITECH, ISO or PCI because they don’t lay out specific requirements. Therefore, you shouldn’t really say things like “we are compliant with SSAE 18 SOC 2.” It would be accurate to say, “We are HIPAA compliant and we have an SSAE 18 SOC 2 Type 1 report to prove it.”

SOC Reports

The AICPA defines four types of SOC reports.

Which Report Applies to You?

The AICPA recognizes that this is confusing, so they have created a page to help you choose the right SOC report.


Configuring Laravel/Lumen applications to connect to SQL database sockets

The Laravel/Lumen framework documentation does not explain how to connect an application to a database using UNIX sockets instead of a TCP-based network connection. I recently had to configure the Polr URL shortener (built on the Lumen microframework by Laravel) to connect to Google Cloud SQL with a UNIX socket. Since all of Polr’s configuration takes place in the .env file, and there is no environment variable that’s specific to database sockets, this took some research. I finally found the answer in an obscure StackOverflow response.

Previous TCP connection:

DB_HOST=some-server-name
DB_PORT=3306

Socket-based SQL connection:

DB_HOST=localhost;unix_socket=/cloudsql/cloud-project-name:us-east1:sql-instance-name

This approach will work with any UNIX socket; you just need to give it the absolute path to the socket.
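As an added example (not Polr’s, Laravel’s or the original post’s code), the script below parses a DB_HOST value in the “host;unix_socket=/path” form shown above and checks the socket path the way you would before deploying the .env: the path must be absolute, must exist, must actually be a socket, and the application user must be allowed to connect to it. The demo binds a throwaway UNIX socket in a temporary directory to stand in for mysqld or the Cloud SQL proxy; the DB_HOST values and the /cloudsql path are constructed.

```python
import os
import shutil
import socket
import stat
import tempfile
from typing import Dict, Optional


def parse_db_host(value: str) -> Dict[str, str]:
    """Split 'localhost;unix_socket=/cloudsql/project:region:instance' into parts.

    The first ';'-separated element is the host; every later element must be
    'key=value' (the form PDO accepts inside a DSN). Returns {'host': ..., 'unix_socket': ...}.
    """
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts:
        raise ValueError("DB_HOST is empty")
    result = {"host": parts[0]}
    for option in parts[1:]:
        if "=" not in option:
            raise ValueError(f"malformed DSN option {option!r} (expected key=value)")
        key, _, val = option.partition("=")   # partition keeps ':' inside Cloud SQL names intact
        result[key.strip()] = val.strip()
    return result


def check_socket_path(path: str) -> Optional[str]:
    """Return None if `path` is a usable UNIX socket, otherwise a human-readable reason."""
    if not os.path.isabs(path):
        return "unix_socket must be an absolute path"
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "socket path does not exist (is mysqld or the Cloud SQL proxy running?)"
    if not stat.S_ISSOCK(st.st_mode):
        return "path exists but is not a socket"
    if not os.access(path, os.W_OK):      # connecting to a UNIX socket requires write permission
        return "no permission to connect to the socket"
    return None


def validate_db_host(value: str) -> Dict[str, Optional[str]]:
    """Parse a DB_HOST value and, when it names a socket, verify the socket."""
    parsed = parse_db_host(value)
    sock = parsed.get("unix_socket")
    return {
        "host": parsed["host"],
        "unix_socket": sock,
        "problem": check_socket_path(sock) if sock else None,
    }


def demo() -> Dict[str, Dict[str, Optional[str]]]:
    """Validate four constructed DB_HOST values against a temporary stand-in socket."""
    workdir = tempfile.mkdtemp(prefix="dbsock")
    live_socket = os.path.join(workdir, "mysqld.sock")
    listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        listener.bind(live_socket)   # creates the socket file, as mysqld or the proxy would
        listener.listen(1)
        return {
            "tcp": validate_db_host("some-server-name"),
            "socket": validate_db_host(f"localhost;unix_socket={live_socket}"),
            "missing": validate_db_host("localhost;unix_socket=/cloudsql/project:us-east1:instance"),
            "relative": validate_db_host("localhost;unix_socket=cloudsql/instance"),
        }
    finally:
        listener.close()
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:9} host={result['host']!r} socket={result['unix_socket']!r} "
              f"problem={result['problem']}")
```

Run it on the real .env value before restarting the application: a “does not exist” result usually means the Cloud SQL proxy (or mysqld) is not running yet, while “no permission” means the web server’s user cannot reach the socket and the connection would fail with an access error rather than a timeout.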


Configure CentOS/RedHat VMs with Kickstart files on Virtualbox

Kickstart is a type of file that’s used to automatically install RedHat or CentOS Linux on a physical or virtual server. If you are managing more than a few servers, it’s a good idea to configure the servers via Kickstart files instead of logging in and configuring each one manually. However, some unfortunate choices were made when defining the Kickstart file format, and it’s not the easiest thing to use. When creating a new Kickstart file or making major changes, it’s good to have a way to quickly iterate and test your changes. Iterating on a Kickstart file is slow and inconvenient in an enterprise environment in which a freshly booted server obtains an image and Kickstart file via PXE boot. To speed up Kickstart testing and debugging, I’ve developed a simple way to use Kickstart files with CentOS/RedHat guest virtual machines that run in VirtualBox on my Mac. This process should also work with Windows or Linux hosts.

Service account credentials with the Python client for the Google Drive API (v3)

There are numerous ways to authenticate against the Google Drive API. If you have an application running on Google Compute Engine that needs to access Drive, a Service Account is probably the easiest way to do it. One use case is for an application to write reports or log files to Drive so that users can see them without logging into a server.

Before you try this example, go through all of the steps in Google’s Using OAuth 2.0 for Server to Server Applications guide and save your service account’s private key locally in JSON format.

Getting credentials from a service account file is easy:

from google.oauth2 import service_account

# OAuth scope requested for the service account token ('drive' grants full Drive access)
SCOPES = ['https://www.googleapis.com/auth/drive']
SERVICE_ACCOUNT_FILE = './name-of-service-account-key.json'

# Load the private key from the JSON key file and build credentials limited to SCOPES
credentials = service_account.Credentials.from_service_account_file(
    SERVICE_ACCOUNT_FILE, scopes=SCOPES)
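Because the JSON key file is a long-lived credential, the check worth running before handing it to from_service_account_file is that the file is what you think it is and that nobody else on the host can read it. The script below is an added example, not code from the post or from Google’s client library; it uses only the standard library, and the two key files it writes are constructed (the PEM body is a placeholder, not a real key). The required field names are those found in every Google service-account key file; the narrower drive.file scope is a real Drive scope that only exposes files the application itself created.

```python
import json
import os
import shutil
import stat
import tempfile
from typing import Dict, List

# Fields present in every Google service-account key file
REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key",
                   "client_email", "client_id", "token_uri")

# Narrower alternative to the full 'drive' scope when the app only writes its own reports
DRIVE_FILE_SCOPE = "https://www.googleapis.com/auth/drive.file"


def check_key_file(path: str) -> List[str]:
    """Return a list of problems with a service-account key file; an empty list means OK.

    Checks: only the owner can read the file, it parses as JSON, it has the fields
    the client library relies on, its type is 'service_account', and private_key is a
    PEM PKCS#8 block rather than a placeholder or an API key pasted by mistake.
    """
    problems: List[str] = []
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode)
    except FileNotFoundError:
        return [f"{path}: file not found"]
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{path}: mode {mode:04o} is readable by group/others; chmod 600 it")
    try:
        with open(path, encoding="utf-8") as fh:
            data = json.load(fh)
    except json.JSONDecodeError as exc:
        return problems + [f"{path}: not valid JSON ({exc.msg})"]
    missing = [f for f in REQUIRED_FIELDS if f not in data]
    if missing:
        problems.append(f"{path}: missing fields {missing}")
    if data.get("type") != "service_account":
        problems.append(f"{path}: type is {data.get('type')!r}, expected 'service_account'")
    key = data.get("private_key", "")
    if not (key.startswith("-----BEGIN PRIVATE KEY-----")
            and key.rstrip().endswith("-----END PRIVATE KEY-----")):
        problems.append(f"{path}: private_key is not a PEM PKCS#8 block")
    return problems


def demo() -> Dict[str, List[str]]:
    """Write one well-formed and one broken key file (both constructed) and check each."""
    workdir = tempfile.mkdtemp(prefix="sakey")
    good_path = os.path.join(workdir, "good-key.json")
    bad_path = os.path.join(workdir, "bad-key.json")
    good = {
        "type": "service_account",
        "project_id": "example-project",
        "private_key_id": "0123456789abcdef",
        "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER-NOT-A-KEY\n"
                       "-----END PRIVATE KEY-----\n",
        "client_email": "reports@example-project.iam.gserviceaccount.com",
        "client_id": "1234567890",
        "token_uri": "https://oauth2.googleapis.com/token",
    }
    bad = {"type": "authorized_user", "client_email": "someone@example.com"}  # wrong type, no key
    try:
        with open(good_path, "w", encoding="utf-8") as fh:
            json.dump(good, fh)
        os.chmod(good_path, 0o600)   # owner-only, as a deployed key file should be
        with open(bad_path, "w", encoding="utf-8") as fh:
            json.dump(bad, fh)
        os.chmod(bad_path, 0o644)    # world-readable, which the check should flag
        return {"good": check_key_file(good_path), "bad": check_key_file(bad_path)}
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "OK" if not problems else problems)
```

Run check_key_file on the real file named in SERVICE_ACCOUNT_FILE before starting the application; if the app only needs to upload its own reports, request DRIVE_FILE_SCOPE instead of the full drive scope so a leaked key cannot read the rest of the Drive.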


General error: 2006 MySQL server has gone away

“MySQL Server has gone away” is a cryptic error that can be hard to troubleshoot (look at all the different responses on Stack Overflow!). Many problems can cause this error; I would like to document one specific case. In this example, the client is a PHP app using the Phalcon framework:

[Mon, 09 Apr 18 03:34:08 -0400][ERROR]  SQLSTATE[HY000]: General error: 2006 MySQL server has gone away
exception 'PDOException' with message 'SQLSTATE[HY000]: General error: 2006 MySQL server has gone away' in /path/to/ModelBase.php:
Stack trace:
#0 [internal function]: PDOStatement->execute()
...
#17 {main}


Viewing logs for a cluster of instances on Google Stackdriver Logging

StackDriver Logging is a great feature of Google Compute Engine (GCE). You pretty much need a centralized logging solution if you are taking maximum advantage of the features offered by GCE. For example, most production applications will run on a cluster of web servers. If you set up the cluster as a managed instance group on GCE, Google can auto-scale the size of the cluster based on traffic. The challenge is that it’s much harder to troubleshoot errors across a cluster. The requests that caused the error could be spread across any number of servers, with randomly assigned names. If load drops and the server pool contracts, you will entirely lose any log data on a server that’s auto-deleted. StackDriver Logging is the answer to this problem. Configure all servers to send all logs to StackDriver, and you can view all of your web server logs in one interface, with the entries in chronological order.

View StackDriver Advanced Filter as a Gist on GitHub


Upgrade Ubiquiti UniFi Access Points (WAP) now to avoid KrackAttack

On October 15, 2017, security researcher Mathy Vanhoef announced the discovery of KrackAttacks, a serious flaw in the WPA2 encryption protocol that encrypts most WiFi connections. Using this method, an attacker can decrypt traffic from almost any wireless access point (WAP) and its clients. Every WiFi access point will need to be upgraded with a patch that prevents this attack.

Ubiquiti has already released a patch for UniFi access points that addresses this vulnerability. However, the upgrade process may not be straightforward, depending on the age of your access points. The following process will ensure that you are running a safe version of the firmware (3.9.3.7537 or later). Note that any upgrade will result in downtime for each access point as it is upgraded, so you will want to perform a rolling upgrade if you have multiple devices that will be upgraded while people are using them.

Warning: CentOS/RedHat 7.4 installs FreeRADIUS 3 with breaking changes

When you run yum upgrade on a CentOS/RedHat 7 instance, you will be upgraded to 7.4. If you have a FreeRADIUS server, you will be upgraded from version 2 to 3, and your server will likely stop authenticating! Good times! Fortunately, the solution was not complicated for us, because we had good documentation.

Symptoms

Your radius server suddenly starts denying logins.


Managing persistent disks on Google Compute Engine

It can be confusing when you have multiple persistent disks on an instance running on Google Compute Engine. For example, a server may have separate disks for the filesystem root, MySQL data, logs, and /tmp. Once you’ve created the Compute Engine disks and attached each one to the instance, how do you know which Compute Engine disk maps to each volume on the instance?

Migration from GoDaddy to WordPress.com hosting

I’ve migrated my blog from GoDaddy to a paid plan with WordPress.com. I decided to trade flexibility for simplicity, since I don’t want to spend time fiddling around with the administration of this site. When I spend all day on IT, doing IT for a blog is no longer on my list of hobbies. With GoDaddy, you are responsible for all aspects of security, including updating WordPress, updating themes and plugins, and installing a security plugin to block the thousands of known attacks against WordPress. I have two major security concerns with GoDaddy. I had to allow insecure ciphers in order to connect to the shell on my site via SSH (or SCP). Why on earth haven’t they updated to a recent version of SSH?!? GoDaddy also requires you to purchase an SSL certificate from them to enable TLS on your domain. There’s no way to install a free certificate from Let’s Encrypt. I looked into enabling two-factor auth, but you have to manage it yourself with a plugin.

With a Premium plan from WordPress.com, SSL is enabled automatically with a certificate from Let’s Encrypt. I can use my domain name, and security is mostly handled for me. I can enable two-factor authentication. The downside is that I’ve lost some flexibility; I can’t use my own theme or install my own plugins unless I upgrade to a Business plan. Also, I have to set up ads through Wordads.com to try to cover the cost of the site. I was fairly successful in covering the cost of hosting with Google AdSense; I’m not sure how effective WordAds will be.