Posts

Showing posts with the label Encryption

BitLocker requires a code whenever you change the hardware signature - a graphics card

BitLocker forces you to re-enter your BitLocker encryption key when a drive has been moved to different hardware. Upgrading a graphics card changes the hardware signature, so a graphics card upgrade may prompt you for your BitLocker key on startup. Hopefully, you saved your BitLocker key to your Microsoft account, to paper, or to some secure device. The boot screen refers you to the corporate recovery link Microsoft provides, https://aka.ms/bitlocker . That location redirects to https://login.microsoftonline.com where Enterprise Accounts keep their BitLocker keys. You will get a message something like: AADSTS50020: User account <your account> from identity provider 'live.com' does not exist in tenant 'Microsoft' and cannot access the application ....(MSProtect Website [wsfed enabled]) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again...

Protecting data at rest in SaaS and PaaS. Encryption Basics

PaaS and SaaS persistence services store your data in their systems, often in their own accounts or subscriptions. The service provider protects the system and its associated storage. We need to determine our appetite for risk when deciding what additional work must be done to secure the externally hosted data. Risks: Data at rest must be protected with a multi-layered approach. Identify the attacks that you wish to prevent in order to determine how much protection you want. The list below is just a sample. Disk re-use is hardware- or technology-related. It can be mitigated without any application or user experience changes. Vendor-related access issues exist because a third party is hosting the data. This includes vendor staff access and the ability to remove or render unusable your data in their ho Control Plane refers to dashboards or admin screens that are vendor-provided. Many have preview functions that let you validate the data. The built-in user permissio...

Protect messaging and streaming data in the cloud with "data key" encryption

The best approach for protecting data in message queues and data streams is to not put any sensitive data in the message. Some systems use a claim check model where the messages contain just resource identifiers that can be passed to the originating system to retrieve the data. The claim check approach creates tighter coupling between the producer and consumers. It puts an additional burden on the producer, which must be able to produce the data associated with the claim for some period of time. Some systems have to build caching architectures to store the claims for retrieval, adding complexity to the producer. Data / payload encryption is an alternative approach that can be used to protect data stored in messaging systems or on disk. Sensitive data is encrypted and put into the message payload. Producers and consumers only need to share access to the encryption and decryption keys. This is easy in cloud environments which have services b...

Protecting Data in Transit: Trust Chains

Web traffic is protected in-flight when it is transferred via TLS encrypted links using HTTPS. HTTPS is a protocol that is based on encryption algorithms using asymmetrical keys. Asymmetrical keys are managed, packaged and distributed via certificates. Browsers, applications and servers trust certificates and their associated encryption keys based on their trust of the issuing parties, known as Certificate Authorities (CAs). Public web sites are identified by public/private certificate pairs that are purchased from one of the well-known CAs. Their certificate pairs contain an identity component signed by the Certificate Authority and an encryption key that is encrypted by the CA. Server identity is encrypted in the server certificate with the Certificate Authority public key. Server traffic is encrypted by the server using the private encryption key embedded in the server's private certificate. Server traffic is decrypted by clients using the public ...

Protecting data in-transit. Encryption Basics

Web traffic is protected in-flight when it is transferred via TLS encrypted links using the HTTPS protocol. HTTPS is a protocol for payload encryption that is based on algorithms using asymmetrical encryption keys. Asymmetrical keys are managed, packaged and distributed via certificates. Encryption Basics: Asymmetrical encryption relies on a key pair where one key can decrypt any data that is encrypted by the other. Data encrypted with Key-A can be decrypted with Key-B only. Key-A cannot be used to decrypt data encrypted with Key-A. Key-B cannot be derived by knowing Key-A. Internet encryption relies on asymmetry and key anonymity in order to create secure links over a public and untrusted Internet. A server or party can publish a public key that other parties can use to encrypt their data. The server can then decrypt the message using the corresponding private key. Encrypted messages are secure as long as the server keeps ...

Protect RabbitMQ data by encrypting the Mnesia database on Windows Server

RabbitMQ is one of the many caching and messaging tools that use local disk as persistent storage or as a backing store for in-memory data. These systems normally write data to disk in some format that is optimized for speed and not for security. Ex: RabbitMQ, ActiveMQ, Coherence, Gemfire, MongoDB. This can cause issues when trying to comply with policies around protecting Personally Identifiable Information, making systems Payment Card Industry Data Security Standard (PCI DSS) compliant, or when implementing SOX controls. RabbitMQ Installation: We assume that you are running RabbitMQ under the local system account. Users who run RabbitMQ under different accounts or in different locations must change certain commands or settings. The RabbitMQ team has a good set of documentation on their web site. Windows installation instructions: https://www.rabbitmq.com/install-windows.html Windows quirks: https://www.rabbitmq.com/windows-quirks.ht...