BookmarkSubscribeRSS Feed
🔒 This topic is solved and locked. Need further help from the community? Please sign in and ask a new question.
ArvindElayappan
Fluorite | Level 6

We are using SAS VA 7.4 on our intranet. Which obviously means this gives no access to anyone outside our domain. Anyone who has to access the dashboard has to connect to the domain through VPN. The server has firewall restriction enabled and Mcfxxx full security application is also installed. 

 

Because of settings mentioned in the local environment (non-internet), we installed and left at HTTP and not https. now my infrastructure & security is recommending us to move to https / SSL stating that "an Open HTTP is a risk for internal threats as well.  Root Cause for many of the `Top 10 OWASP Threats’ like `Cross-site scripting’ is open HTTP access. I understand it can be org decision, but I want to know if this was necessary. If by decision, HTTPS is always recommended then, why have an option for HTTP. By Default, SAS can have their default installation settings to HTTPS.

 

Sometimes people do because they are asked to do or they are told that it is better safe than sorry though it may not warrant one. 

 

Metaphorically, I don't want to buy an antivirus software when I don't have a computer or mobile phones for the virus can attack me.

 

Regards,

Arvind E

 

 

 

1 ACCEPTED SOLUTION

Accepted Solutions
nhvdwalt
Barite | Level 11

Fully agree with @SASKiwi

 

Personally I would also recommend that new SAS systems just get deployed as HTTPS and be done with it. As @SASKiwi said, if it's not an requirement today, it will be tomorrow.

 

So why is HTTPS not the default ?

 

IMHO....TLS adds some complexity to the installation. The installer/admin team needs a good understanding of how TLS works. There are three domains you need to understand TLS, SAS and TLS+SAS. If the installer/admin team is not familiar with TLS+SAS, I would not suggest they try TLS out of the box. I think if you have TLS as the default for SAS, you'll have many failed deployments out there since it's actually a very rare skill out there. I'm not saying don't do TLS, I'm saying make sure you have the skills before you launch into a TLS deployment, during an installation or post.

 

Secondly, certificates might incur a cost if certs are third-party signed. So make sure about the process and costs for obtaining certificates.

 

Lastly, for environments that hold no sensitive information, an organisation MIGHT elect not to apply TLS. So it's very possible that your UAT and PROD environments have TLS, but not DEV. Again, organisational policies.

 

So my point is, TLS is a tool in the IT security toolbox. You and your organisation needs to decide what tools you use in your security framework. Neither SAS or this forum can do this.

 

Hope this helps.

 

View solution in original post

4 REPLIES 4
SASKiwi
PROC Star

In my experience, the security rules applied in any organisation change over time. As cyber attacks become more and more advanced, IT departments are demanding higher levels of security to combat this. This means that SAS installations are now required to be more secure than they used to be in  the past.

 

One of the principles of IT security is to enforce multiple layers of protection. So you don't rely just on being on an intranet protected by firewalls, you also use HTTPS which adds another layer of security on your intranet traffic (often called in-flight data these days). This makes it harder for the cyber attacker - if they breach the outer wall, then they still have to break through another one or two walls to start to cause any damage.

 

So I'm not surprised by the HTTPS requirement. It is pretty much standard at least in our organisation for any new SAS installs along with ensuring in-flight data is encrypted.

 

 

nhvdwalt
Barite | Level 11

Fully agree with @SASKiwi

 

Personally I would also recommend that new SAS systems just get deployed as HTTPS and be done with it. As @SASKiwi said, if it's not an requirement today, it will be tomorrow.

 

So why is HTTPS not the default ?

 

IMHO....TLS adds some complexity to the installation. The installer/admin team needs a good understanding of how TLS works. There are three domains you need to understand TLS, SAS and TLS+SAS. If the installer/admin team is not familiar with TLS+SAS, I would not suggest they try TLS out of the box. I think if you have TLS as the default for SAS, you'll have many failed deployments out there since it's actually a very rare skill out there. I'm not saying don't do TLS, I'm saying make sure you have the skills before you launch into a TLS deployment, during an installation or post.

 

Secondly, certificates might incur a cost if certs are third-party signed. So make sure about the process and costs for obtaining certificates.

 

Lastly, for environments that hold no sensitive information, an organisation MIGHT elect not to apply TLS. So it's very possible that your UAT and PROD environments have TLS, but not DEV. Again, organisational policies.

 

So my point is, TLS is a tool in the IT security toolbox. You and your organisation needs to decide what tools you use in your security framework. Neither SAS or this forum can do this.

 

Hope this helps.

 

AnandVyas
Ammonite | Level 13
SAS Provides both the options as it isn't necessary to go HTTPS for lower environments or short term POC.
Also as mentioned above by others configuration of HTTPS on SAS Installations is more complex than normal HTTP install.

Starting with 9.3 M3 rel. SAS is providing support for Cross Site Request Forgeries. You can find the details related to the same here.

http://documentation.sas.com/?docsetId=bimtag&docsetTarget=p1xtsni38p58t3n1ljd2fy4c3joz.htm&docsetVe...

Thanks,
A
JuanS_OCS
Amethyst | Level 16

Hello @ArvindElayappan,

 

I think you have received great answer, covering most of the areas I can think of, and probably even more of that you actually need, or not.

 

In short I would say, that you can set many levels of security in SAS, not only SAS Web Server, but other areas as well. SAS is really powerful and elastic on such way. Different options are available for different requirements (costs, IT policies, skills, etc). And yes, SSL/certificates is only 1 way to secure your environment. Recommended, while not required.

 

In your case, it seems as you received an audit. I would advise to just get along with the requirements of the audit and implement what they are asking for. And if you need help, you can contact your SAS office, they will be happy to bring some support.

 

Could you please mark the post that helped you the most, as accepted solution? And, if the question is still not answered, please let us know, and what aspects are not clear yet.

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

Get Started with SAS Information Catalog in SAS Viya

SAS technical trainer Erin Winters shows you how to explore assets, create new data discovery agents, schedule data discovery agents, and much more.

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 4 replies
  • 1519 views
  • 5 likes
  • 5 in conversation