Solved: SAS VA 7.4- Understanding HTTP vs HTTPS

ArvindElayappan · Posted 01-27-2018 06:51 AM

We are using SAS VA 7.4 on our intranet. Which obviously means this gives no access to anyone outside our domain. Anyone who has to access the dashboard has to connect to the domain through VPN. The server has firewall restriction enabled and Mcfxxx full security application is also installed.

Because of settings mentioned in the local environment (non-internet), we installed and left at HTTP and not https. now my infrastructure & security is recommending us to move to https / SSL stating that "an Open HTTP is a risk for internal threats as well. Root Cause for many of the `Top 10 OWASP Threats’ like `Cross-site scripting’ is open HTTP access. I understand it can be org decision, but I want to know if this was necessary. If by decision, HTTPS is always recommended then, why have an option for HTTP. By Default, SAS can have their default installation settings to HTTPS.

Sometimes people do because they are asked to do or they are told that it is better safe than sorry though it may not warrant one.

Metaphorically, I don't want to buy an antivirus software when I don't have a computer or mobile phones for the virus can attack me.

Regards,

Arvind E

nhvdwalt · Posted 01-29-2018 01:22 AM

Fully agree with @SASKiwi

Personally I would also recommend that new SAS systems just get deployed as HTTPS and be done with it. As @SASKiwi said, if it's not an requirement today, it will be tomorrow.

So why is HTTPS not the default ?

IMHO....TLS adds some complexity to the installation. The installer/admin team needs a good understanding of how TLS works. There are three domains you need to understand TLS, SAS and TLS+SAS. If the installer/admin team is not familiar with TLS+SAS, I would not suggest they try TLS out of the box. I think if you have TLS as the default for SAS, you'll have many failed deployments out there since it's actually a very rare skill out there. I'm not saying don't do TLS, I'm saying make sure you have the skills before you launch into a TLS deployment, during an installation or post.

Secondly, certificates might incur a cost if certs are third-party signed. So make sure about the process and costs for obtaining certificates.

Lastly, for environments that hold no sensitive information, an organisation MIGHT elect not to apply TLS. So it's very possible that your UAT and PROD environments have TLS, but not DEV. Again, organisational policies.

So my point is, TLS is a tool in the IT security toolbox. You and your organisation needs to decide what tools you use in your security framework. Neither SAS or this forum can do this.

Hope this helps.

View solution in original post

SASKiwi · Posted 01-27-2018 06:56 PM

In my experience, the security rules applied in any organisation change over time. As cyber attacks become more and more advanced, IT departments are demanding higher levels of security to combat this. This means that SAS installations are now required to be more secure than they used to be in the past.

One of the principles of IT security is to enforce multiple layers of protection. So you don't rely just on being on an intranet protected by firewalls, you also use HTTPS which adds another layer of security on your intranet traffic (often called in-flight data these days). This makes it harder for the cyber attacker - if they breach the outer wall, then they still have to break through another one or two walls to start to cause any damage.

So I'm not surprised by the HTTPS requirement. It is pretty much standard at least in our organisation for any new SAS installs along with ensuring in-flight data is encrypted.

nhvdwalt · Posted 01-29-2018 01:22 AM

Fully agree with @SASKiwi

Personally I would also recommend that new SAS systems just get deployed as HTTPS and be done with it. As @SASKiwi said, if it's not an requirement today, it will be tomorrow.

So why is HTTPS not the default ?

IMHO....TLS adds some complexity to the installation. The installer/admin team needs a good understanding of how TLS works. There are three domains you need to understand TLS, SAS and TLS+SAS. If the installer/admin team is not familiar with TLS+SAS, I would not suggest they try TLS out of the box. I think if you have TLS as the default for SAS, you'll have many failed deployments out there since it's actually a very rare skill out there. I'm not saying don't do TLS, I'm saying make sure you have the skills before you launch into a TLS deployment, during an installation or post.

Secondly, certificates might incur a cost if certs are third-party signed. So make sure about the process and costs for obtaining certificates.

Lastly, for environments that hold no sensitive information, an organisation MIGHT elect not to apply TLS. So it's very possible that your UAT and PROD environments have TLS, but not DEV. Again, organisational policies.

So my point is, TLS is a tool in the IT security toolbox. You and your organisation needs to decide what tools you use in your security framework. Neither SAS or this forum can do this.

Hope this helps.

Anand_V · Posted 02-14-2018 11:01 AM

SAS Provides both the options as it isn't necessary to go HTTPS for lower environments or short term POC.
Also as mentioned above by others configuration of HTTPS on SAS Installations is more complex than normal HTTP install.

Starting with 9.3 M3 rel. SAS is providing support for Cross Site Request Forgeries. You can find the details related to the same here.

http://documentation.sas.com/?docsetId=bimtag&docsetTarget=p1xtsni38p58t3n1ljd2fy4c3joz.htm&docsetVe...

Thanks,
A

JuanS_OCS · Posted 02-14-2018 11:38 AM

Hello @ArvindElayappan,

I think you have received great answer, covering most of the areas I can think of, and probably even more of that you actually need, or not.

In short I would say, that you can set many levels of security in SAS, not only SAS Web Server, but other areas as well. SAS is really powerful and elastic on such way. Different options are available for different requirements (costs, IT policies, skills, etc). And yes, SSL/certificates is only 1 way to secure your environment. Recommended, while not required.

In your case, it seems as you received an audit. I would advise to just get along with the requirements of the audit and implement what they are asking for. And if you need help, you can contact your SAS office, they will be happy to bring some support.

Could you please mark the post that helped you the most, as accepted solution? And, if the question is still not answered, please let us know, and what aspects are not clear yet.

SAS VA 7.4- Understanding HTTP vs HTTPS

Re: SAS VA 7.4- Understanding HTTP vs HTTPS

Re: SAS VA 7.4- Understanding HTTP vs HTTPS

Re: SAS VA 7.4- Understanding HTTP vs HTTPS

Re: SAS VA 7.4- Understanding HTTP vs HTTPS

Re: SAS VA 7.4- Understanding HTTP vs HTTPS