DEV Community: sachindra@work

Microsoft Cloud Adoption Framework

sachindra@work — Sun, 14 Dec 2025 14:05:52 +0000

Microsoft Cloud Adoption Framework (CAF) for Azure is a comprehensive guide and set of tools from Microsoft to help organizations plan, implement, and govern cloud adoption at scale. It provides structured guidance across the full lifecycle of cloud transformation, from strategy through operations, with built-in best practices, templates, and governance controls.

Key Components:
Define Strategy:

Why do you want to move to cloud?
Would you be able to reduce costs by moving to the cloud?
Do you want to run cloud-native technologies?

Plan:

What applications are you moving to the cloud?
Can you move the applications to the cloud? - This takes care of feasibility of the application or data movement to the cloud.

Ready

Keep the cloud environment ready.
Design, what cloud services are required.

Adopt

Migrate the application.
Enhance by building cloud-native capabilities.

Secure

Protect the resources.

Manage

Manage the operations

Govern

Policy and Compliance

Google Cloud Options for Storing Data

sachindra@work — Sat, 13 Dec 2025 04:48:22 +0000

Options for storing structured data:

Points to remember:

Cloud SQL is Google Cloud's Managed Relational Database service.
Alloy DB is a fully managed, high performance PostgreSQL Database Service.
Spanner is Google Cloud's fully Managed, Relational Database Service that offers strong consistency and horizontal scalability.
FireStore is a fast, fully-managed, serverless NoSQL document database built for automatic scaling, high performance and ease of application development.
BigQuery is a fully managed, serverless Enterprise Data Warehouse for analytics.
BigTable is a high-performance NoSQL database service. It is built for fast key-value lookup and supports consistent sub-10 milliseconds latency.

Google Cloud Storage Classes:

What is DNS and how does it work

sachindra@work — Sun, 28 Sep 2025 10:59:05 +0000

What is DNS?
The Domain Name System, or DNS, is like the phonebook of the internet. It enables users to connect to websites using human-readable domain names (like ibm.com) instead of having to remember complex numerical IP addresses. DNS translates these domain names into IP addresses.

How DNS Works

User Request:
When a user types a domain name into a browser, the query is sent to a DNS resolver (often provided by the user's Internet Service Provider).
DNS Resolver Cache:
The resolver first checks its cache for a stored IP address corresponding to the domain name. If found, it quickly returns the address.
Query the DNS Hierarchy:
If not in cache, the resolver sends a query to a root DNS server. The root server responds with a referral to the Top-Level Domain (TLD) server for the domain (e.g., ".com").
TLD Server:
The resolver then queries the TLD server, which responds with the address of the authoritative name server for the domain (such as "ibm.com").
Authoritative DNS Server:
The resolver queries the authoritative server, which looks up the DNS zone file and returns the IP address for the domain.
Return and Cache:
The resolver caches the IP address for a time-to-live (TTL) period and returns it to the user's device. The browser or app uses the IP to connect to the web server.

DNS Components

DNS Zones and Zone Files:
DNS zones are collections of resource records managed by authoritative DNS servers. Zone files contain these records that map between domain names and IP addresses.
Resource Records:

A Record: Maps a hostname to an IPv4 address.
AAAA Record: Maps a hostname to an IPv6 address.
CNAME Record: These records forward one domain or subdomain to another domain. Maps an alias hostname to a canonical name (C-NAME).
MX Record: These records resolve to the address of the servers that handle the email for the domain.
PTR Record: Used for reverse DNS lookups.
NS Record: Indicates authoritative DNS servers for a domain. Indicates which DNS server is authoritative for that domain (i.e. which server contains the actual DNS records)
TXT Record: Holds text information for various uses including email verification. Lets an admin store text notes in the record. These records are often used for email security.

Types of DNS Servers
Recursive Resolver (or Recursive DNS Server):
This is the first server to receive a DNS query from a client (like your web browser).

Its job is to find the IP address for the requested domain name by querying other DNS servers on behalf of the client.
Often, this server is provided by your Internet Service Provider (ISP) or a third-party service like Google Public DNS.

Root Name Servers:
These servers are the top of the DNS hierarchy.

When a recursive resolver needs to find the IP address for a new domain, it first contacts a root server to get a list of servers responsible for that domain's top-level domain (like .com or .org).

Top-Level Domain (TLD) Name Servers:
After getting the TLD information from the root server, the recursive resolver then contacts the TLD name server.

The TLD server holds information for all domains with a particular extension (e.g., all .com domains) and points the resolver to the authoritative name server for that specific domain.

Authoritative Name Servers:
This is the final server in the chain and holds the actual IP address for the requested website or domain.

Once the authoritative server provides the IP address to the recursive resolver, the resolver caches the information and sends the IP address to your device, allowing your browser to connect to the website.

DNS Records are nothing but instructions that are stored in authoritative DNS servers and also it’s called as zone file. These records provide important and relevant details about domains and hostnames.

Importance and Security
DNS is essential for the internet's usability, translating human-friendly domains into machine-friendly IP addresses. It also supports email delivery and network troubleshooting. Security measures like DNSSEC (DNS Security Extensions) are implemented to ensure authenticity and protect users from attacks like DNS spoofing.

References:

AWS Services in scope for AWS Certified Machine Learning Engineer - Associate Exam (AWS-MLA- C01)

sachindra@work — Sat, 08 Mar 2025 14:03:01 +0000

The following list contains AWS services and features that are in scope for the exam.
This list is non-exhaustive and is subject to change. AWS offerings appear in categories that align with the offerings’ primary functions:

Analytics:

Amazon Athena
Amazon Data Firehose
Amazon EMR
AWS Glue
AWS Glue DataBrew
AWS Glue Data Quality
Amazon Kinesis
AWS Lake Formation
Amazon Managed Service for Apache Flink
Amazon OpenSearch Service
Amazon QuickSight
Amazon Redshift

Application Integration:

Amazon EventBridge
Amazon Managed Workflows for Apache Airflow (Amazon MWAA)
Amazon Simple Notification Service (Amazon SNS)
Amazon Simple Queue Service (Amazon SQS)
AWS Step Functions

Cloud Financial Management:

AWS Billing and Cost Management
AWS Budgets
AWS Cost Explorer

Compute:

AWS Batch
Amazon EC2
AWS Lambda
AWS Serverless Application Repository

Containers:

Amazon Elastic Container Registry (Amazon ECR)
Amazon Elastic Container Service (Amazon ECS)
Amazon Elastic Kubernetes Service (Amazon EKS)

Database:

Amazon DocumentDB (with MongoDB compatibility)
Amazon DynamoDB
Amazon ElastiCache
Amazon Neptune
Amazon RDS

Developer Tools:

AWS Cloud Development Kit (AWS CDK)
AWS CodeArtifact
AWS CodeBuild
AWS CodeDeploy
AWS CodePipeline
AWS X-Ray

Machine Learning:

Amazon Augmented AI (Amazon A2I)
Amazon Bedrock
Amazon CodeGuru
Amazon Comprehend
Amazon Comprehend Medical
Amazon DevOps Guru
Amazon Fraud Detector
AWS HealthLake
Amazon Kendra
Amazon Lex
Amazon Lookout for Equipment
Amazon Lookout for Metrics
Amazon Lookout for Vision
Amazon Mechanical Turk
Amazon Personalize
Amazon Polly
Amazon Q
Amazon Rekognition
Amazon SageMaker
Amazon Textract
Amazon Transcribe
Amazon Translate

Management and Governance:

AWS Auto Scaling
AWS Chatbot
AWS CloudFormation
AWS CloudTrail
Amazon CloudWatch
Amazon CloudWatch Logs
AWS Compute Optimizer
AWS Config
AWS Organizations
AWS Service Catalog
AWS Systems Manager
AWS Trusted Advisor

Media:

Amazon Kinesis Video Streams
Migration and Transfer:
AWS DataSync
Networking and Content Delivery:
Amazon API Gateway
Amazon CloudFront
AWS Direct Connect
Amazon VPC
Security, Identity, and Compliance:
AWS Identity and Access Management (IAM)
AWS Key Management Service (AWS KMS)
Amazon Macie
AWS Secrets Manager

Storage:

Amazon Elastic Block Store (Amazon EBS)
Amazon Elastic File System (Amazon EFS)
Amazon FSx
Amazon S3
Amazon S3 Glacier
AWS Storage Gateway

Out-of-scope AWS services and features
The following list contains AWS services and features that are out of scope for the exam. This list is non-exhaustive and is subject to change. AWS offerings that are entirely unrelated to the target job roles for the exam are excluded from this list:

Analytics:

AWS Clean Rooms
Amazon DataZone
Amazon FinSpace
Application Integration:
Amazon AppFlow
Amazon MQ
Amazon Simple Workflow Service (Amazon SWF)

Business Applications:

Amazon Chime
Amazon Connect
Amazon Honeycode
Amazon Pinpoint
Amazon Simple Email Service (Amazon SES)
AWS Supply Chain
AWS Wickr
Amazon WorkDocs
Amazon WorkMail

Cloud Financial Management:

AWS Application Cost Profiler

Compute:

AWS App Runner
AWS Elastic Beanstalk
Amazon Lightsail
AWS Outposts

Containers:

Red Hat OpenShift Service on AWS (ROSA)

Customer Enablement:

AWS Activate for startups
AWS IQ
AWS re:Post Private

Developer Tools:

AWS Application Composer
AWS CloudShell
Amazon CodeCatalyst
AWS Fault Injection Service

End User Computing:

Amazon AppStream 2.0
Amazon WorkSpaces
Amazon WorkSpaces Secure Browser
Amazon WorkSpaces Thin Client

Frontend Web and Mobile:

AWS Amplify
AWS AppSync
AWS Device Farm
Amazon Location Service

Internet of Things (IoT):

FreeRTOS
AWS IoT 1-Click
AWS IoT Core
AWS IoT Device Defender
AWS IoT Device Management
AWS IoT Events
AWS IoT FleetWise
AWS IoT Greengrass
AWS IoT RoboRunner
AWS IoT SiteWise
AWS IoT TwinMaker

Machine Learning:

AWS DeepRacer
AWS HealthImaging
AWS HealthOmics
Amazon Monitron
AWS Panorama

Management and Governance:

AWS AppConfig
AWS Control Tower
AWS Launch Wizard
AWS License Manager
Amazon Managed Grafana
AWS Proton
AWS Resilience Hub
AWS Resource Explorer
AWS Telco Network Builder
AWS User Notifications

Media:

Amazon Elastic Transcoder
AWS Elemental Appliances and Software
AWS Elemental MediaConnect
AWS Elemental MediaConvert
AWS Elemental MediaLive
AWS Elemental MediaPackage
AWS Elemental MediaStore
AWS Elemental MediaTailor
Amazon Interactive Video Service (Amazon IVS)
Amazon Nimble Studio

Migration and Transfer:

AWS Application Discovery Service
AWS Application Migration Service
AWS Mainframe Modernization
AWS Migration Hub

Network and Content Delivery:

AWS App Mesh
AWS Cloud Map
AWS Global Accelerator
AWS Private 5G
Amazon Route 53
Amazon Route 53 Application Recovery Controller
Amazon VPC IP Address Manager

Security, Identity, and Compliance:

AWS Artifact
AWS Audit Manager
AWS Certificate Manager (ACM)
AWS CloudHSM
Amazon Cognito
Amazon Detective
AWS Directory Service
AWS Firewall Manager
Amazon GuardDuty
Amazon Inspector
AWS Payment Cryptography
AWS Private Certificate Authority
AWS Resource Access Manager (AWS RAM)
AWS Security Hub
AWS Shield
AWS Signer
Amazon Verified Permissions
AWS WAF

Storage:

AWS Elastic Disaster Recovery

Here is the detailed link for the exam guide.

Whitepapers

You also can review the collection of AWS ML Whitepapers

FAQs

Understanding Pass-Through Authentication (PTA) and Password Hash Synchronization (PHS)

sachindra@work — Sat, 22 Feb 2025 16:35:47 +0000

In hybrid environments where on-premises Active Directory (AD) integrates with Azure Active Directory (Azure AD), two primary methods are used to authenticate users: Pass-Through Authentication (PTA) and Password Hash Synchronization (PHS).

Pass-Through Authentication (PTA)
PTA allows users to authenticate directly against the on-premises AD. When a user attempts to sign in, their password is validated by the on-premises AD domain controller. Unlike other methods, PTA does not store or sync the password hash to Azure AD. Instead, it relies on an agent installed on the on-premises server to handle authentication requests. This ensures that the authentication process remains within the on-premises environment, providing a higher level of security for organizations that prefer to keep their authentication processes local.

Password Hash Synchronization (PHS)
PHS, on the other hand, synchronizes a hash of the user’s password from the on-premises AD to Azure AD. This hash is further hashed using a secure SHA256 algorithm before being stored in Azure AD. When a user attempts to sign in, Azure AD validates the password against the stored hash. This method allows for seamless Single Sign-On (SSO) experiences and reduces dependency on the on-premises infrastructure for authentication.

Key Differences

Authentication Location:
- PTA: Authentication occurs on-premises.
- PHS: Authentication occurs in Azure AD.
Password Storage:
- PTA: No password hashes are stored in Azure AD.
- PHS: A hash of the password hash is stored in Azure AD.
Dependency:
- PTA: Requires an on-premises agent to handle authentication requests.
- PHS: Does not require an on-premises agent for authentication.
Security:
- PTA: Keeps authentication within the on-premises environment, which may be preferred for security reasons.
- PHS: Provides a secure way to store password hashes in Azure AD using SHA256.

Use Cases

PTA is suitable for organizations that want to maintain control over their authentication processes and prefer not to store password hashes in the cloud.
PHS is ideal for organizations looking for a simpler setup with reduced dependency on on-premises infrastructure and a seamless SSO experience.

Threat Modeling in Cybersecurity

sachindra@work — Sun, 26 Jan 2025 08:24:19 +0000

Threat Modeling is a structured approach to identify, assess and mitigate potential security threats to a system, application or network. It is a method of optimizing network security by locating vulnerabilities, identifying objectives and developing counter-measures to either prevent or mitigate the effects of cyber-attacks against the system.

Threat Modelling process involves creating a security profile for the application taking into account the resources or components involved in the application, their role in the entire application lifecycle, identifying potential threats and documenting the detrimental effects along with the mitigating actions required to resolve those.

Threat Modelling plays a crucial role in the entire security landscape of any organization. It allows organizations to proactively identify potential threats and vulnerabilities within their systems, applications or networks, thereby enabling them to take preventive measures and mitigating risks before any security incident and/or breach occurs, thereby improving their overall security posture and reducing the likelihood of a successful attack. Security Threat Modelling enables an IT Team to understand the nature of threats, as well as how they may impact the network.

How does Threat Modelling support Software Development Lifecycle
In software development, Threat Modelling help identify potential vulnerabilities in the early stages of application design, allowing developers to incorporate security measures into the application from the initial design phases. It directs the focus towards areas that require immediate attention and resources promoting a cost-effective and efficient application security strategy. It plays an integral role right from the initial stages of the software development process, where the developers and solution architects start with the design of the application. This phase entails scrutinizing all the potential interaction points within the system to identify potential vulnerabilities. By applying Threat Modelling early in the SDLC process, developers can minimize risks, save valuable time and resources that would otherwise be spent on damage control at a later stage.

Identifying potential threats and vulnerabilities early in the process allows developers to protect higher risk areas, implement stronger authentication mechanisms and improve validation methods. Essentially Threat Modelling helps developers design and build resilient software.

It is noteworthy that, Threat Modelling is not a one-time task and is relevant throughout the SDLC lifecycle. As the software or the product evolves with new features and modifications, the threat landscape may change. So, it is critical to continually re-evaluate the system. However, this is considered a pro-active measure when implemented during design or development stage, or a reactive measure when implemented during deployment stage. The biggest value that Threat modelling as a process brings in, is not the final report at the end, it's going through the entire process.

Key Reasons to use Threat Modelling:

Early Risk Identification
Prioritization of Security Controls
Improved Communication between Security & Development Teams
Risk Mitigation
Compliance & Regulations

Types of Threat Modelling Frameworks:
Threat Modelling Frameworks are structured methodologies that guide the process of identifying, assessing and mitigating security threats within a system. Organizations can enhance their security posture and protect their systems efficiently by choosing the right framework.

Some commonly used frameworks are:

STRIDE:
Developed by Praerit Garg and Loren Kohnfelder at Microsoft in 1999, this is a mnemonic-based threat modelling framework used to identify potential security threats in software systems. This is straight-forward and easier to apply, making it suitable for identifying specific threat types in software systems, however, it may not cover all possible threats comprehensively. It is more suitable for smaller projects or initial threat assessments.

Spoofing
Tampering
Repudiation
Information Disclosure
Denial of Service (DoS)
Escalation of Privilege

DREAD:

Damage Potential: How severe would the attack be?
Reproducibility: How easy is it to reproduce the attack?
Exploitability: How easy is it to launch the attack?
Affected Users: How many users would be affected?
Discoverability: How easy is it to discover the vulnerability?

PASTA (Process for Attack Simulation and threat Analysis):
Pasta is a detailed, risk-centric threat modelling framework, developed by VerSprite CEO Tony UcedaVélez and security leader Marco M. Morana in 2015, that focuses on simulating potential attacks and analyzing their impact on business objectives, providing a thorough analysis. However, it can be complex and resource-intensive. Pasta is usually ideal for comprehensive, in-depth threat modelling in large, critical systems. This provides an ability to prioritize based on what is likely to happen in my application model and to substantiate and create a level of credibility with information and posture.

Stages:

Definition of Objectives: Identify business objectives and security requirements.
Definition of technical scope: Outline the technical environment.
Application Decomposition: Break down application into components.
Threat Analysis: Identify potential threats.
Vulnerability Analysis: Discover vulnerabilities.
Attack Modelling: Simulate potential attacks.
Risk and Impact Analysis: Assess the impact an likelihood of risks.

Trike:

Risk Modelling: assess risks based on security requirements and stakeholder needs.
Threat Modelling: Identify threats and vulnerabilities.
Mitigation and Planning: Plan and implement mitigations.

VAST (Visual, Agile and Simple Threat):

Application Threat Modelling: Focuses on individual applications.
Operational Threat Modelling: Focuses on infrastructure.

Attack Trees:

Tree Structure: Diagram representing potential attacks on a system.
Nodes: Different steps or actions an attacker can take.
Root Node: The ultimate goal of the attack.

OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation)

Phases:

Build asset-based threat profiles: Identify critical assets and threats
Identify infrastructure Vulnerabilities: Assess vulnerabilities.
Develop Security Strategy and Plans: Formulate mitigation strategies.

How Threat Modelling works:
The Threat modelling process can be decomposed into four high level steps with each step being duly documented as it is carried out.

Scope the work: This is the first step which involves drawing data flow diagrams (DFD) which show what we are working on. This step might include several levels of DFDs based on the complexities being added to the application flow. This shows different paths through the system, highlighting the privilege or trust boundaries. This step also involves identifying entry points to visualize where any attacker can interact with the application. This helps identify the assets involved and trust levels that represent the access rights granted to external entities. Next step is to identify the trust boundaries in the threat modelling diagrams. These are places in the diagrams where trust levels change, meaning where unauthenticated users to authenticated users; or regular users to privileged users.
Determine Threats: This step involves leveraging a framework to identify threats. The goal is to help identify threats from the actors. It analyses how an attacker might exploit the system. This involves considering each of the trust boundaries and note down the strengths and weaknesses in each category. Strengths are normally the mitigation steps undertaken.
Address the Threats: This step involves defining counter-measures and mitigation techniques. This also includes prioritization of those counter-measures. This takes into account several factors like likelihood of attack, damage induced from the attack and complexity or cost of the fix applied. the mitigation strategies involve analyzing the threats from a business impact perspective. Options for addressing the risks identified include below options:

Accept
Eliminate
Mitigate
Transfer
Validate the Model: After the above steps are completed, we get a diagram, the threats' list and a controls list.

Threat Modeling Tools:

OWASP Threat Dragon
Microsoft Threat Modeling Tool
PyTM
SeaSponge
IriusRisk
Threat Composer
SD Elements
ThreatModeler
Arxan Threat Analytics
Axure RP

Resources:

EDR vs. XDR vs. SIEM vs. MDR vs. SOAR

sachindra@work — Wed, 26 Jun 2024 15:43:43 +0000

The world of Cybersecurity is buzzing with tech jargon and abbreviations. Many enterprises prefer to use newer approaches to combat the ever-evolving security risks and attack vectors. To counter threats, there are several tools and solutions including SIEM (Security Information and Event Management), MDR (Managed Detection & Response), SOAR (Security Orchestration, Automation & Response), EDR (Endpoint Detection & Response) and XDR (Extended Detection & Response).

SIEM: It is a tool that assists enterprises in identifying, assessing and responding to threats that affect businesses. It is intended to increase the visibility of the IT environment, allowing teams to respond to perceive events and security incidents efficiently through communication and collaboration. This involves identifying threats and taking action. It also offers forensic investigation and compliance reporting capabilities.

MDR: It typically comprises of technology, processes and people that collaborate to detect and respond to cyber threats. It is designed to provide continuous cybersecurity threat protection, detection and response. This makes use of machine learning to investigate, alert and contain cyber threats at scale. As a solution, MDR provides a proactive approach to threat detection and response and also assists enterprises to identify and mitigate threats faster, provide real-time monitoring, and respond to cyber threats.

SOAR: This is a solution stack that allows an organization to gather information about security threats and respond to events without any human involvement. This enables task coordination, execution and automation between various individuals and tools within a single platform. It provides a centralized platform for incident management, thereby reducing the need for manual processes and various technologies. This allows enterprises to easily plan, track and report on incident management activities, which improves the incident response times and the overall security posture. This can orchestrate and automate tasks across multiple security tools and systems allowing businesses to streamline their incident response process. It can automatically invoke investigation path workflows and shorten the time it takes to resolve alerts. According to Gartner, SOAR is a technology that comprises of security orchestration and automation (SOA), incident response, and threat intelligence platforms (TIPs). This allows security teams to investigate threats by leveraging automated threat hunting playbooks and reduce the overall mean-time-to-detect (MTTD) and mean-time-to-respond (MTTD).

EDR: This helps detect, investigate and respond to advanced endpoint threats. It is used as a compensation for the shortcomings of traditional endpoint protection solutions for preventing attacks. This allows customers to have full visibility into all security related endpoint activities. This is an advanced version of EPP (Endpoint Protection Platform) and helps completely thwart threats.

XDR: This is a security solution that aims to identify, investigate and respond to advanced threats emanating from various sources, like cloud, networks and email. It is a SaaS-based security platform that combines the organization's existing security solutions into a single security system. It collates raw telemetry data from a wide range of sources, including cloud apps, email, identity and access control, and integrates it with the data from multiple security systems to improve threat visibility and reduce the time to detect and respond to an attack. This is an evolution of EDR. XDR's capabilities extend beyond endpoint detection, it offers detection, analytics and response capabilities across endpoints, networks, severs, cloud workloads, SIEMs and many other platforms.

ServiceNow and MID Server

sachindra@work — Mon, 15 Apr 2024 09:25:28 +0000

ServiceNow is a cloud-based platform that helps organizations with a unified solution to streamline workflows, enhance customer experience, and drive innovation using AI and innovation. It enables purposeful orchestration and automation of tasks and processes across the enterprise and its ecosystems. It drives efficiency, optimization, and agility, regardless of an organization’s size or industry.

ServiceNow Discovery is an application/module within ServiceNow that allows an enterprise to determine the devices in its internal network or resources in its public cloud and also the applications that run on the cloud. It is also known as Infrastructure and Application Discovery. It finds computers and other devices connected to an enterprise's network. When Discovery finds a computer or device, it explores the device's configuration, provisioning, and current status and updates the CMDB accordingly. It discovers organizational IT infrastructure, creating an accurate and up-to-date record in the ServiceNow CMDB (Configuration Management Database). It discovers both physical and logical components, including virtual machines, servers, storage, databases, applications, and more. Discovery also creates all the relationships between computer systems (such as an application on one server that uses a database on another server).

MID Server (Management, Instrumentation and Discovery) is a Java application that runs as a Windows service or UNIX Daemon on a server on the enterprise network. The ServiceNow MID Server enables communication and data movement between the ServiceNow apps and enterprise servers and/or applications. It works behind the organizational firewall and is completely controlled by the organization. It initiates all communication within the ServiceNow instance. This communication is recorded as records in the MID Server ECC queue (External Communication Channel), which acts as a communication log between the MID Server and the ServiceNow instance. Jobs that the MID Server needs to perform are saved in this queue until the MID Server is ready to handle them.

The MID Server subscribes to messages published by the Asynchronous Message Bus (AMB), which notifies the MID Server about pending tasks in the ECC Queue. MID Server updates of the progress of the task(s) to the ECC Queue. It polls the ECC Queue on regular intervals (default being 40 seconds) regardless of AMB message activity. While MID Server facilitate communication, orchestration, and discovery, it does not store data themselves. Instead, they act as conduits, ensuring secure interactions between ServiceNow and your organization’s systems. It supports service mapping by identifying dependencies and relationships among services.

Below are few resources that provide details around the ServiceNow MID Server component.

IPSec vs MACSec

sachindra@work — Mon, 16 Oct 2023 08:25:56 +0000

There is no definitive answer to which protocol is more secure, as they have different advantages and disadvantages depending on the use case and the level of security required. IPSec and MACSec are both used for network security, but they operate at different layers of the network. IPSec works on IP packets at Layer 3, while MACSec works on Ethernet frames at Layer 2.

Some of the factors that affect the security of each protocol are:

IPSec provides end-to-end security, while MACSec provides hop-by-hop security. This means that IPSec encrypts and decrypts data only at the endpoints of a tunnel, while MACSec encrypts and decrypts data at every hop along the way. This can have implications for the confidentiality, integrity, and availability of the data.
MACSec can secure all DHCP and ARP traffic, which IPSec cannot. DHCP and ARP are protocols that operate at Layer 2 and are used for dynamic IP address assignment and MAC address resolution. These protocols can be vulnerable to spoofing and hijacking attacks, which MACSec can prevent by authenticating and encrypting the traffic.
IPSec can work across routers, while MACSec is limited to a LAN. This means that IPSec can secure traffic over a wide area network (WAN), such as the Internet, while MACSec can only secure traffic within a local area network (LAN), such as a campus or data center. This can affect the scalability and flexibility of the network design.
MACSec is faster and simpler than IPSec, as it operates at the physical layer and does not enlarge the Ethernet header significantly. IPSec is more complex and requires a dedicated encryption engine and a larger header. This can affect the performance and cost of the network equipment.

The two protocols can be compatible and complementary, depending on the use case and the level of security required. For example, MACSec can enhance IPSec by securing the last mile link between a wireless device and a central office. Alternatively, IPSec can enhance MACSec by providing end-to-end security over a WAN.

Grey Box vs Double Grey Box Testing

sachindra@work — Sun, 24 Sep 2023 06:17:57 +0000

Grey box testing and double grey box testing are two types of software testing methods that differ in the amount of information that is shared between the testers and the target system.

In grey box testing, the testers have partial knowledge of the internal structure of the system, such as the architecture, the data structures, or the algorithms. They use this information to design test cases that can cover both the functionality and the code of the system. Grey box testing is a combination of black box testing and white box testing, where black box testing does not require any knowledge of the internal structure, and white box testing requires full access to the source code. Grey box testing can provide better test coverage and efficiency than black box testing, as well as identify context-specific errors that are related to web systems.

In double grey box testing, not only the testers have partial knowledge of the internal structure of the system, but also the system has partial knowledge of the test cases that are being executed. This means that the system can adapt its behavior or responses based on the test cases and try to evade or deceive the testers. Double grey box testing is often used in penetration testing or security testing, where the testers try to find vulnerabilities or weaknesses in the system, and the system tries to defend itself or hide its flaws. Double grey box testing can provide a realistic assessment of the security posture and resilience of the system, as well as challenge the skills and creativity of the testers.

Blind Testing vs Double Blind Testing vs Triple Blind Testing

sachindra@work — Sun, 24 Sep 2023 06:05:03 +0000

Blind Testing and Double-Blind Testing are two types of penetration testing methods that differ in the amount of information shared between the testers and the target organization.

In Blind Testing, testers have no prior knowledge of the target network or system, and they have to perform the tests as if they were real attackers. This simulates a realistic scenario where the attackers do not have any insider information about the target. The advantage of blind testing is that it can reveal the vulnerabilities that might be overlooked by the target organization. The disadvantage is that it can be time-consuming and costly, as the testers have to spend more time and resources to gather information and plan the attack.

In Double Blind Testing, not only the testers are unaware of the target network or system, but also the target organization is not informed of the test being conducted. This means that the target organization's security has team has to respond to the test as if it were a real attack, without any prior preparation or notification. This can evaluate the effectiveness and readiness of the security team, as well as the incident response procedures and policies. The advantage of double-blind testing is that it can provide a realistic assessment of the security posture and resilience of the target organization. The disadvantage is that it can be risky and disruptive, as it can cause damage or downtime to the target network or system or trigger legal or ethical issues.

Triple blind testing is a type of experimental design that involves three levels of blinding: the participants, the researchers, and the data analysts. This means that none of these parties know which group (treatment or control) each participant belongs to, or what the expected outcome of the experiment is. This reduces the risk of bias and confounding factors that might affect the results of the experiment.

Triple blind testing is often used in medical research, especially in clinical trials, where the effectiveness and safety of a new drug or treatment are being tested. By blinding the participants, the researchers, and the data analysts, the experiment can ensure that the results are based on the actual effects of the drug or treatment, and not influenced by any expectations, preferences, or behaviors of any of the parties involved.

For example, suppose you are testing a new drug for depression. In a triple blind trial, you would randomly assign some participants to receive the new drug, and some to receive a placebo (a fake drug that has no effect). Neither the participants nor the researchers who administer the drug would know who is receiving which drug. This way, you can avoid the placebo effect (where participants feel better because they think they are receiving a real drug) or the nocebo effect (where participants feel worse because they think they are receiving a fake drug). You would also blind the data analysts who evaluate the results of the experiment. They would not know which group is which, or what the hypothesis of the experiment is. This way, you can avoid confirmation bias (where data analysts interpret the results in a way that supports their preconceived beliefs) or experimenter bias (where data analysts manipulate or select the data in a way that favors one group over another).

Triple blind testing is considered to be a very rigorous and reliable method of conducting experiments, as it eliminates many sources of error and bias. However, it is also very challenging and costly to implement, as it requires careful planning and coordination among all parties involved. It may also not be feasible or ethical in some situations, such as when there are serious risks or side effects associated with the treatment being tested.

DLP vs DRM - Understanding the differences

sachindra@work — Tue, 12 Sep 2023 12:34:08 +0000

DRM stands for Digital Rights Management, which is a software that helps protect the intellectual property rights of digital content owners. DRM can encrypt files and control access privileges dynamically, even after the files are shared or downloaded.

Some examples of DRM are:

Apple iTunes: Uses DRM to limit how many devices customers can use to listen to songs. Audio files that users download from iTunes include data about their purchase and usage of songs. This prevents the files from being accessed on unauthorized devices.
Spotify: Leverages blockchain technology to enable the payment of artists through cryptocurrency. The blockchain records the transactions and ensures that the artists receive their fair share of royalties.
Microsoft software: Anyone that downloads Microsoft software, such as Windows or Office programs, has to accept the company’s user license and enter a key before they can install it. The key verifies that the software is legitimate and not pirated.
ADEPT, FairPlay, Advanced Access Content System: These are modern DRM systems that rely on encryption to be fully effective. They are used by various publishers and distributors of digital content, such as ebooks, music, and movies, to protect their rights and prevent unauthorized copying or sharing.

DLP stands for Data Loss Prevention, which is a software that helps protect sensitive data from unauthorized access, leakage, or theft. DLP can analyze document content and user behavior patterns and restrict the movement of information based on preset criteria. DLP is a part of a company’s overall security strategy that focuses on detecting and preventing the loss, leakage or misuse of data through breaches, ex-filtration transmissions and unauthorized use. Organizations use DLP to protect and secure their data and comply with regulations. DLP can also block the extraction of sensitive data and prevent the illicit transfer of data outside the organization.

DLP works by classifying, detecting, and protecting information in three states: data in use, data at rest, and data in motion. DLP can also track, alert, change permissions, or block data when it is in danger of leaving the corporate network. DLP can help prevent data exfiltration, which is the unauthorized transfer of data outside the organization.

There are many DLP solutions available in the market, each with its own features and capabilities. Some of the common DLP solutions are:

Digital Guardian Endpoint DLP: A cloud-based platform that protects data across endpoints, networks, and cloud applications.
Fidelis: A network-based solution that detects and prevents data exfiltration, insider threats, and advanced attacks.
Check Point DLP: A gateway-based solution that monitors and controls data transfers over web, email, and FTP protocols.
Microsoft 365 Compliance: A cloud-based solution that integrates with Microsoft products and services to classify, protect, and govern data.
SolarWinds Data Loss Prevention with ARM
Endpoint Protector by CoSoSys
Symantec Data Loss Prevention
McAfee Total Protection for DLP
Code42
Google Cloud Data Loss Prevention
Nightfall.ai
Spirion Data Privacy Manager

Some of the common DLP solutions for email are:

Proofpoint: A gateway-based solution that monitors and controls data transfers over email and satisfies compliance with 80+ built-in policies.
Tessian: A machine learning-based solution that detects and prevents data exfiltration, insider threats, and misdirected emails by learning from user behavior.
Google Workspace: A cloud-based solution that scans email traffic using DLP rules and detectors and applies automatic responses such as quarantining, rejecting, or modifying messages.

The main difference between DRM and DLP is that DRM focuses on protecting the rights of the content owners, while DLP focuses on protecting the confidentiality of the data. DRM can enforce policies even when the data is outside the network perimeter, while DLP can only monitor and control data within the network boundary.