SAML 101: How it works

Posted by Bart Hendrickx

In my last post, I wrote about what SAML is. In this one, I’ll offer a use case to put it into context. There are a number of scenarios where SAML can be used, but I will stick to single sign-on (SSO) login, i.e. authentication, that is initiated by the service provider. I’ll use Questionmark OnDemand as an example of a service provider (SP) that can work with SAML. Our fictitious customer has an identity provider (IdP) that is internally hosted behind a firewall, inaccessible from the outside world. Users at the customer’s company can go on the Internet; therefore, they can also take Questionmark OnDemand assessments.

User Jane Doe wants to connect to Questionmark OnDemand to take an assessment that was scheduled for her. She browses to her company’s OnDemand area, which has been set up to authenticate via SAML. Through the federation metadata, Questionmark OnDemand knows which identity provider to ask for those authentication details. But it cannot talk to the IdP directly. Instead, it creates a SAML request which the web browser passes on to the IdP. Jane Doe’s computer is on the internal network and can access the IdP. The request is forwarded to the IdP, which accepts it because it knows about the service provider (SP), i.e. the customer’s OnDemand area—also possible thanks to the federation metadata.

Jane Doe is already logged on to the IdP: she opened her company’s intranet page this morning, which required her to authenticate, and that session is still active in her browser. So when the IdP gets a request: “Who is this user?”, it already knows the answer: “This is Jane Doe.” The IdP prepares a SAML response and includes a number of attributes, such as Jane Doe’s email address and hire date. All those data form an assertion, which is part of the response.

Again, Jane Doe’s browser plays a key role. It receives the SAML response with the assertion from the IdP and passes it on to the customer’s OnDemand area, which then reads the response. The OnDemand area confirms that this information comes from its trusted IdP and sees that this is Jane Doe, and that an assessment has been scheduled for her. Jane Doe now has access to the OnDemand area and can take the assessment.

For Jane Doe, this all happens seamlessly. She may see her browser redirect to other URLs a few times, when it is relaying information from the SP to the IdP and vice versa, but the entire process usually only takes a couple of seconds.
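The exchange described above, as an added example that is not part of the original post: a Python simulation of SP-initiated SSO in which the service provider builds an AuthnRequest, the browser relays it to an IdP that already has Jane’s session, and the SP validates the returned response (signature, InResponseTo, issuer, audience, validity window) before trusting the identity and attributes. The entity IDs, Jane’s session data and the HMAC that stands in for the XML-DSig signature are constructed assumptions; they are not Questionmark’s or any real IdP’s values.

```python
import hashlib, hmac, uuid
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

# Constructed identifiers for the two parties (assumptions, not real endpoints).
SP_ENTITY_ID = "https://ondemand.example.com/customer-area"
IDP_ENTITY_ID = "https://idp.internal.example.com/saml"
# A real response carries an XML-DSig signature verified with the IdP certificate from the
# federation metadata; an HMAC over the response bytes stands in for that here.
IDP_SIGNING_KEY = b"constructed-demo-key"
NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"
# The IdP session Jane opened this morning (constructed sample data).
JANE_SESSIONS = {"jane-intranet-session": {"name_id": "jane.doe@example.com",
                 "attributes": {"email": "jane.doe@example.com", "hireDate": "2012-03-01"}}}

def _now(): return datetime.now(timezone.utc)
def _ts(dt): return dt.strftime("%Y-%m-%dT%H:%M:%SZ")
def _parse(s): return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

class ServiceProvider:
    def __init__(self):
        self.pending = set()  # IDs of AuthnRequests we issued and have not yet seen answered

    def create_authn_request(self):
        req_id = "_" + uuid.uuid4().hex
        self.pending.add(req_id)
        root = ET.Element(f"{{{NS_P}}}AuthnRequest", ID=req_id, IssueInstant=_ts(_now()))
        ET.SubElement(root, f"{{{NS_A}}}Issuer").text = SP_ENTITY_ID
        return ET.tostring(root)  # the browser carries these bytes to the IdP

    def consume_response(self, response_xml, signature):
        # Only a response signed by the trusted IdP is parsed at all.
        expected = hmac.new(IDP_SIGNING_KEY, response_xml, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):
            raise ValueError("response not signed by the trusted IdP")
        root = ET.fromstring(response_xml)
        # It must answer a request we made, and each request is answered once (no replay).
        if root.get("InResponseTo") not in self.pending:
            raise ValueError("response does not match an outstanding request")
        self.pending.discard(root.get("InResponseTo"))
        assertion = root.find(f"{{{NS_A}}}Assertion")
        # Issuer, audience and validity window are checked before any attribute is trusted.
        if assertion.find(f"{{{NS_A}}}Issuer").text != IDP_ENTITY_ID:
            raise ValueError("assertion issued by an unknown IdP")
        cond = assertion.find(f"{{{NS_A}}}Conditions")
        if cond.find(f"{{{NS_A}}}AudienceRestriction/{{{NS_A}}}Audience").text != SP_ENTITY_ID:
            raise ValueError("assertion intended for another service provider")
        if not _parse(cond.get("NotBefore")) <= _now() < _parse(cond.get("NotOnOrAfter")):
            raise ValueError("assertion outside its validity window")
        attrs = {a.get("Name"): a.find(f"{{{NS_A}}}AttributeValue").text
                 for a in assertion.iter(f"{{{NS_A}}}Attribute")}
        return {"name_id": assertion.find(f"{{{NS_A}}}Subject/{{{NS_A}}}NameID").text,
                "attributes": attrs}

class IdentityProvider:
    def __init__(self, sessions):
        self.sessions = sessions  # browser cookie -> already-authenticated user

    def handle_authn_request(self, request_xml, session_cookie):
        req = ET.fromstring(request_xml)
        if req.find(f"{{{NS_A}}}Issuer").text != SP_ENTITY_ID:
            raise ValueError("request from a service provider not in the federation metadata")
        user = self.sessions.get(session_cookie)
        if user is None:
            raise ValueError("no IdP session; a real IdP would show its login page here")
        now = _now()
        resp = ET.Element(f"{{{NS_P}}}Response", ID="_" + uuid.uuid4().hex,
                          InResponseTo=req.get("ID"), IssueInstant=_ts(now))
        ET.SubElement(resp, f"{{{NS_A}}}Issuer").text = IDP_ENTITY_ID
        a = ET.SubElement(resp, f"{{{NS_A}}}Assertion", ID="_" + uuid.uuid4().hex, IssueInstant=_ts(now))
        ET.SubElement(a, f"{{{NS_A}}}Issuer").text = IDP_ENTITY_ID
        ET.SubElement(ET.SubElement(a, f"{{{NS_A}}}Subject"), f"{{{NS_A}}}NameID").text = user["name_id"]
        cond = ET.SubElement(a, f"{{{NS_A}}}Conditions", NotBefore=_ts(now - timedelta(minutes=1)),
                             NotOnOrAfter=_ts(now + timedelta(minutes=5)))
        aud = ET.SubElement(cond, f"{{{NS_A}}}AudienceRestriction")
        ET.SubElement(aud, f"{{{NS_A}}}Audience").text = SP_ENTITY_ID
        stmt = ET.SubElement(a, f"{{{NS_A}}}AttributeStatement")
        for name, value in user["attributes"].items():
            attr = ET.SubElement(stmt, f"{{{NS_A}}}Attribute", Name=name)
            ET.SubElement(attr, f"{{{NS_A}}}AttributeValue").text = value
        xml_bytes = ET.tostring(resp)
        return xml_bytes, hmac.new(IDP_SIGNING_KEY, xml_bytes, hashlib.sha256).hexdigest()

def run_sp_initiated_sso(session_cookie="jane-intranet-session", in_transit=lambda b: b):
    """The whole exchange. `in_transit` models what the browser hands on to the SP, so a
    response altered on the way can be shown to fail validation instead of logging anyone in."""
    sp, idp = ServiceProvider(), IdentityProvider(JANE_SESSIONS)
    try:
        response, sig = idp.handle_authn_request(sp.create_authn_request(), session_cookie)
        return sp.consume_response(in_transit(response), sig)
    except ValueError as err:
        return {"error": str(err)}

if __name__ == "__main__":
    print(run_sp_initiated_sso())
```

The order of the checks in `consume_response` is the point: the SP verifies who signed the response, that it answers a request the SP itself issued, that it was issued for this SP and is still within its time window, and only then reads the NameID and attributes. A response with no matching IdP session, or one whose bytes were changed in transit, comes back as an error rather than a login.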

In a future post, I will explain what SAML requests and responses do and do not contain. Stay tuned!

SAP to present their global certification program at London briefing

Posted by Chloe Mendonca

A key to SAP’s success is ensuring that the professional learning path of skilled SAP practitioners is continually supported – thereby making qualified experts on their cloud solutions readily available to customers, partners and consultants.

In a world where current knowledge and skills are more important than ever, SAP needed a way to verify that their cloud consultants around the world were keeping their knowledge and skills up to date with rapidly changing technology. A representative of the certification program at SAP comments:

“It became clear that a certification that lasted for two or three years didn’t cut it any longer – in all areas of the portfolio. Everything is evolving so quickly, and SAP has to always support current, validated knowledge.”

Best Practices from SAP

The move to the cloud required some fundamental changes to SAP’s existing certification program. What challenges did they face? What technologies are they using to ensure the security of the program? Join us on the 21st of October for a breakfast briefing in London, where Ralf Kirchgaessner, Manager of Global Certification at SAP, will discuss the answers to these questions. Ralf will tell how the SAP team planned for the program, explain its benefits and share lessons learned.

Click here to learn more and register for this complimentary breakfast briefing. *Seats are limited.

High-Stakes Assessments

The briefing will include a best-practice seminar on the types of technologies and techniques to consider using as part of your assessment program to securely create, deliver and report on high-stakes tests around the world. It will highlight technologies such as online invigilation, secure browsers and item banking tools that alleviate the testing centre burden and allow organisations and test publishers to securely administer trustable tests and exams and protect valuable assessment content.

What’s a breakfast briefing?

You can expect a morning of networking, best practice tips and live demonstrations of the newest assessment technologies. The event will include a complimentary breakfast at 8:45 a.m. followed by presentations and discussions until about 12:30 p.m.

Who should attend?

These gatherings are ideal for people involved in certification, compliance and/or risk management, and learning and development.

When? Where?

Wednesday 21st October at Microsoft’s Office in London, Victoria — 8:45 a.m. – 12:30 p.m.

Click here to learn more and register to attend

Unlocking website security

Posted by Steve Lay

As a product manager at Questionmark, one of the questions that I’m increasingly being asked is about support for specific versions of SSL and TLS. These abbreviations refer to different flavours of the ‘https’ protocol that keeps your web browsing secure. Questionmark’s OnDemand service no longer supports the older SSL protocol. To understand why, read on…

In this post I’ll focus on the privacy aspect of secure websites only: the extent to which communication is protected from eavesdroppers. Issues of trust are just as important, but I’ll have to discuss those in a future post.

Most browsers display a padlock icon by the web address or the site name to indicate that communication between your browser and the server is encrypted for privacy. Just as with real padlocks, though, there are stronger and weaker forms of encryption. The difference is too subtle for most browsers to show. In practice, browsers adopt a strategy of attempting to use the strongest type of encryption protocol they can, falling back to weaker methods if required. In Internet Explorer you can even configure these settings under the Advanced tab of your internet options:

(Screenshot: the protocol options on the Advanced tab of Internet Explorer’s Internet Options.) As you can see, there are five different encryption protocols listed, in increasing order of strength. Generally speaking, TLS is better than SSL and more recent versions of TLS are better still. Published attacks on these protocols typically enable someone who can view network traffic to decrypt some or even all of the information passing over the ‘secure connection’. This type of scenario is called a ‘man in the middle attack’ because the eavesdropper stands in between your browser and the website it is communicating with.

If your browser always chooses the best encryption available, why would you want to configure the specific protocols it supports? Unfortunately, the very first part of the communication between your browser and the website is more vulnerable. The two systems have to agree on an encryption protocol to use before they can be truly private. In some special cases it is possible for a man in the middle to intervene and force a weaker protocol to be negotiated. By configuring your browser to support only stronger protocols, you can ensure that your browser is never tricked this way.

Here at Questionmark, we care about your security too! If a protocol like SSLv3 is considered vulnerable to interception, shouldn’t the server refuse to use it as well? Yes, it should. In fact, we don’t support SSL versions 2 and 3 for this very reason.
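The negotiation described in the two paragraphs above, as an added example that is not part of the original post: a small Python model of version selection in which the strongest version both sides list wins, an on-path party can thin out the client’s offer during the unprotected first step, and a floor configured on either side (the browser settings above, or a server that drops SSL 2 and 3 as Questionmark’s does) turns a weak outcome into a refused connection. The version list mirrors the five entries in the browser screenshot; `hardened_client_context` shows the real counterpart for a Python client and assumes Python 3.7 or later for `ssl.TLSVersion`.

```python
import ssl

# The five protocols from the browser's list, weakest first (same order as the screenshot).
VERSIONS = ["SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]
RANK = {name: i for i, name in enumerate(VERSIONS)}

def negotiate(client_offered, server_supported, client_floor="SSLv2", server_floor="SSLv2"):
    """Pick the strongest version both sides list. A floor on either side turns a weak
    result into a refusal (None) rather than a weakly protected connection."""
    common = [v for v in client_offered if v in server_supported]
    if not common:
        return None
    best = max(common, key=RANK.__getitem__)
    if RANK[best] < max(RANK[client_floor], RANK[server_floor]):
        return None
    return best

def negotiate_with_stripped_offer(client_offered, server_supported, surviving_max, **floors):
    """Model the first, unprotected part of the handshake: an on-path party removes every
    offered version above `surviving_max`, so the peers appear to share only weak ones.
    The return value shows what the configured floors make of that."""
    stripped = [v for v in client_offered if RANK[v] <= RANK[surviving_max]]
    return negotiate(stripped, server_supported, **floors)

def questionmark_style_server():
    """Server policy the post describes: SSL versions 2 and 3 are not offered at all."""
    return [v for v in VERSIONS if v.startswith("TLS")]

def hardened_client_context():
    """The real-world equivalent of unticking the weak boxes: a Python ssl context that
    will not negotiate anything below TLS 1.2 (assumes Python 3.7+ for ssl.TLSVersion)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

if __name__ == "__main__":
    print("both sides permissive, offer thinned to SSLv3:",
          negotiate_with_stripped_offer(VERSIONS, VERSIONS, "SSLv3"))
    print("browser floor TLS 1.2, same thinning:",
          negotiate_with_stripped_offer(VERSIONS, VERSIONS, "SSLv3", client_floor="TLSv1.2"))
    print("server without SSL 2/3, same thinning:",
          negotiate_with_stripped_offer(VERSIONS, questionmark_style_server(), "SSLv3"))
```

With no floor on either side the thinned offer yields an SSLv3 connection, which is exactly the case the post warns about; with a floor on the browser or with a server that does not offer SSL at all, the same interference produces no connection instead of a weak one. Real TLS implementations add an explicit downgrade signal on top of this (the TLS_FALLBACK_SCSV value of RFC 7507), but the configuration principle is the one modelled here: refuse the weak versions rather than hoping they are never selected.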

For this blog post I’ve focused on the most visible aspect of the security protocol. In practice, there are lots of subtle differences in the way each protocol can be configured. If you use Google’s Chrome browser you can click on the padlock to reveal information about connection security.

(Screenshot: the connection security information shown by Chrome.) Notice that this connection uses TLS 1.2, but there is even more detail reported concerning the specific cryptographic algorithms used. Sites like www.ssllabs.com have almost 50 separate check points that they can report on for a public-facing secure website! Staying on top of all this configuration complexity is critical to keeping websites secure.

Unfortunately, sometimes we have to strengthen security in such a way that compatibility with older browsers is sacrificed. For example, according to the latest simulation results, Internet Explorer version 6 (running on Windows XP) is no longer able to successfully negotiate a secure connection with our OnDemand service.

In practice, an overwhelming majority of users use more modern browsers (or have access to one), so the web remains both secure and usable. Perhaps a greater cause of concern is older applications that are integrated with our APIs. It is just as important to keep these applications up to date. For example, applications that use older versions of Java, such as Java 6, or have their Java runtime configuration options set inappropriately might have problems communicating to the same high standards. If you are running a custom integration and are concerned about future compatibility, please get in touch.

This is a developing field. New ways of exploiting older protocols and cryptographic algorithms are being found by security researchers all the time, and the bad guys aren’t far behind. Our security specialists at Questionmark constantly monitor best practice and update the configuration of our OnDemand service to keep your communications safe.

Eight ways to check if security is more than skin deep

Posted by John Kleeman

The assessment industry has always been extremely careful about exam security and ways to prevent cheating. As cloud and online assessment takes over as delivery models, it’s critical we all deeply embed IT security in our culture to ensure that computer vulnerabilities don’t leak sensitive data or disrupt the integrity of the assessment process.

Many years ago, Questionmark realized that data protection and IT security were critical to our success. We re-formed our culture to make security a priority. We followed our own path and looked for opportunities to learn from others such as Bill Gates and his famous trustworthy computing memo, part of which is quoted below:

… when we face a choice between adding features and resolving security issues, we need to choose security. Our products should emphasize security right out of the box, and we must constantly refine and improve that security as threats evolve. …  These principles should apply at every stage of the development cycle of every kind of software we create …

Questionmark understands that we’re in an arms race. We stay vigilant and look for opportunities to improve our security. Here are eight key ways in which we have embedded security deep within our company. If you are an assessment provider, we’d encourage you to find your own way to follow suit. And if you are a customer, here are eight questions you can ask to identify whether an assessment provider is truly working to be as secure as it can, instead of just claiming to be secure when in fact security is only skin deep.

1. Who does the security function report to?

At Questionmark our security officer reports directly to me as Questionmark Chairman. If security reports directly into IT or product development, a security concern might be overruled by operational need. We’ve found this separation very helpful to ensure security gets listened to throughout the organization.

2. Would a security flaw hold up a release?

In any sensible company, this has to be true. Feature improvements in software are important, but if there is a serious security issue, it needs to be fixed first. Developers need to know that they can’t make a release unless it is secure.

3. How do you check your employees know about security?

Questionmark trains all our employees on data security but how do we know they understand? We practice what we preach and everyone from senior management to sales to accounting to developers needs to take and pass a data security test every year to check understanding. I’d encourage everyone in the assessment industry to follow this approach.

4. How deep is your team’s knowledge of IT security?

SaaS security is complex. There are many layers to security and any weakness can lead to a vulnerability. Equally, throwing resources in the wrong place won’t really help. We are fortunate to have at least half a dozen experts within Questionmark who have deep knowledge of and passion for different aspects of security. This helps us get things right.

5. Is your ecosystem secure?

Every company operates in an ecosystem, and it’s the ecosystem that needs to be secure. Questionmark works with our suppliers, subcontractors and partners to help them to be secure, including offering training and advice. We even want our competitors to be secure as any breaches in the assessment industry would be hurtful to all.

6. How transparent and open are you on your security?

Security by obscurity is not secure. Questionmark shares information on the security of our OnDemand service in white papers (Security of Questionmark’s US OnDemand Service and Security of Questionmark’s EU OnDemand Service) and has “red papers” which describe our security and business continuity planning in detail, available under NDA to prospective customers. The review process as customers ask questions about these provides comfort for customers and input to us to improve our security.

7. What kinds of external review do you allow?

As we shared in Third-party audits verify our platform’s security, we run regular penetration tests by a third-party company, Veracode, on Questionmark OnDemand. We are also fortunate to have many customers who care deeply about security and undertake their own audits and reviews by experts. We welcome such review and learn from it to improve our own security.

8. Are you completely satisfied with your security?

Absolutely not. There is an arms race happening in the security world. Hackers and other bad actors are increasing their capabilities and however good you are, if you rest on your laurels, the arms race will overtake you. See for example the graph to the right from Verizon showing the increase in breaches over time.

Questionmark, like other good SaaS companies, has a policy of continual improvement – we want to be much better each year than the last.

This video provides an overview of how Questionmark builds security into its products from day one. Watch below:

Interact with your data: Looking forward to Napa

Posted by Steve Lay

It’s almost time for the Questionmark Users Conference, which this year is being held in Napa, California. As usual there’s plenty on the program for delegates interested in integration matters!

At last year’s conference we talked a lot about OData for Analytics (which I have also written about here: What is OData, and why is it important?). OData is a data standard originally created by Microsoft but now firmly embedded in the open standards community through a technical group at OASIS. OASIS have taken on further development, resulting in the publication of the most recent version, OData 4.

This year we’ve built on our earlier work with the Results OData API to extend our adoption of OData to our delivery database, but there’s a difference. Whereas the Results OData API provides access to data, the data exposed from our delivery system supports read and write actions, allowing third-party integrations to interact with your data during the delivery process.

Why would you want to do that?

Some assessment delivery processes involve actions that take place outside the Questionmark system. The most obvious example is essay grading. Although the rubrics (the rules for scoring) are encoded in the Questionmark database, it takes a human being outside the system to follow those rules and to assign marks to the participant. We already have a simple scoring tool built directly in to Enterprise Manager but for more complex scoring scenarios you’ll want to integrate with external marking tools.

The new Delivery OData API provides access to the data you need, allowing you to read a participant’s answers and write back the scores using a simple Unscored -> Saved -> Scored workflow. When the result is placed in the final status, the participant’s result is updated and will appear with the updated scores in future reports.
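What a third-party scoring tool’s write-back step looks like at the HTTP level, as an added example that is not part of the post and not Questionmark’s own client code: a Python function that builds the OData 4 PATCH carrying a marker’s score, after checking that the score fits the rubric’s range and that the requested status follows the Unscored -> Saved -> Scored workflow. The service root, the `Answers` entity set, the `Score`/`Status` property names and the bearer token are hypothetical placeholders; the `OData-Version` and `If-Match` headers are standard OData 4 conventions, not something documented for the Delivery OData API in the post.

```python
import json
from urllib.request import Request

# Hypothetical service root and entity set; the real Delivery OData API's URLs and
# property names are not given in the post, so these are assumptions for illustration.
SERVICE_ROOT = "https://ondemand.example.com/delivery/odata"
# The workflow from the post: Unscored -> Saved -> Scored. A Saved result may be
# re-saved while the marker is still working; Scored is final.
TRANSITIONS = {"Unscored": {"Saved"}, "Saved": {"Saved", "Scored"}, "Scored": set()}

def transition_allowed(current, requested):
    """True only for moves the workflow permits (no jumping straight to Scored)."""
    return requested in TRANSITIONS.get(current, set())

def build_score_patch(answer_id, current_status, requested_status, score, max_score, etag, token):
    """Build the OData 4 PATCH that writes one essay score back. Client-side checks first:
    the score lies within the rubric range, the status change follows the workflow, and
    If-Match carries the ETag we read, so the write fails if the answer changed meanwhile."""
    if not 0 <= score <= max_score:
        raise ValueError(f"score {score} outside rubric range 0..{max_score}")
    if not transition_allowed(current_status, requested_status):
        raise ValueError(f"cannot move a result from {current_status} to {requested_status}")
    body = json.dumps({"Score": score, "Status": requested_status}).encode("utf-8")
    # int() guarantees the key in the URL is numeric rather than whatever string was passed in.
    return Request(f"{SERVICE_ROOT}/Answers({int(answer_id)})", data=body, method="PATCH",
                   headers={"Content-Type": "application/json",
                            "OData-Version": "4.0",          # OData 4 protocol version header
                            "If-Match": etag,                 # optimistic concurrency check
                            "Authorization": f"Bearer {token}"})

def request_summary(req):
    """Flatten a prepared Request for inspection (header names lower-cased)."""
    return {"method": req.get_method(), "url": req.full_url,
            "headers": {k.lower(): v for k, v in req.header_items()},
            "body": json.loads(req.data)}

if __name__ == "__main__":
    # Constructed sample: answer 42, read earlier with ETag W/"v7", scored 7 out of 10.
    req = build_score_patch(42, "Unscored", "Saved", 7, 10, 'W/"v7"', "constructed-token")
    print(request_summary(req))
```

Sending it is `urllib.request.urlopen(req)` against a real endpoint; with `If-Match` set, a server following the OData/HTTP conventions answers 412 Precondition Failed instead of silently overwriting a score that another marker changed after this client read it, which is the kind of safeguard a tool that writes into the delivery process should insist on.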

I’ll be teaming up with Austin Fossey, our product owner for reporting, and Howard Eisenberg, our head of Solution Services, to talk at the conference about Extending Your Platform, during which we’ll be covering these topics. I’m also delighted that colleagues from Rio Salado College will also be talking about their own scoring tool that is built right on top of the Delivery OData API.

I look forward to meeting you in Napa but if you can’t make it this year, don’t worry, some of the sessions will be live-streamed. Click here to register so that we can send you your login info and directions. And you can always follow along with social media by following and tweeting with @Questionmark.

What organizational and technical measures are appropriate in assessment delivery?

Posted by John Kleeman

One of the key responsibilities of an assessment sponsor acting as data controller under European Law is to implement appropriate technical and organizational measures to protect personal data. But what does appropriate mean?

And when you contract with a data processor to deliver assessments, you must ensure that the processor implements appropriate measures. But again what does appropriate mean?

This is not just an academic question. A UK organization was fined £150,000 in 2013 for failing to protect personal data, with the regulator commenting that a key reason for the fine was “… the data controller has failed to take appropriate technical measures against the loss of personal data”.

The measures to use will depend on the risk to the data and to the assessment participant. But here are some measures to consider. They are all met by Questionmark if you delegate service delivery to Questionmark – though some also need action by you:

For more information, you can download a complimentary version of the white paper: Responsibilities of a Data Controller When Assessing Knowledge, Skills and Abilities [requires registration]

Measure (the two right-hand columns of the original table, “Questionmark OnDemand?” and “Your system?”, are checklists; every item below is met by Questionmark OnDemand, and the items marked “you need to action” or “you need to configure” also require action or configuration on your side)

Premises access control
- Data center certified against ISO 27001 or SSAE 16
- Two-factor authentication for staff and visitors
- 24/7/365 personnel intrusion alarms
- 24/7/365 monitored digital surveillance cameras
- 24/7/365 security team on site at all times
- Strong physical security in a nondescript building to aid anonymity

System controls
- Well-configured firewalls in each tier
- Intrusion Detection System or Intrusion Prevention System
- Secure software development approach following best practices
- Comprehensive anti-virus measures
- Regular third-party penetration testing
- Regularly updated system and application software
- 24/7/365 network monitoring

Data access control (authentication and authorization)
- Individual, unique, high-strength passwords for all users (you need to action)
- Users can easily be deleted when they leave an organization (you need to action)
- Store administrator passwords in encrypted form
- Administrators can be given access to only the functions/data needed (you need to configure)
- Participant login and identity can be confirmed by monitors/proctors (you need to configure)

Data transmission control
- All participant access via well-configured SSL/TLS
- All administrator access to results via well-configured SSL/TLS
- Any data copied for troubleshooting purposes strongly encrypted
- No need to send data physically – all data transmitted electronically

Data entry control (keeping track of who does what)
- Able to present participant with information and record consent (you need to action)
- Participant answers cannot be changed except with authority
- Participant submissions recorded with time-stamp
- Differential privileges for administrators, control over system functions (you need to configure)
- Log important activities by administrators and other users

Contractual control
- Have data protection compliant contracts with processors
- Processing only performed on instructions from the Data Controller
- Logical or physical separation of data from different customers

Availability controls (protecting against unauthorized destruction or loss)
- Power supply redundancy, UPSs and onsite generators
- N+1 or 2N redundancy on all hardware and Internet connections
- Backup of all assessment data to an offsite location
- Backup assessment results frequently (e.g. hourly) to avoid losing data
- Regular restore tests of such backups
- Save participant answers “as you go” on the server during test-taking
- Tested, current service continuity plan in place in the event of disasters
- 24/7/365 environment monitoring

Organizational measures (these are all met by Questionmark; you will also have to follow these yourselves)
- Designate a data protection officer
- Personnel have written commitment to confidentiality
- Background checks on new employees
- Regular training of employees on data security
- Regular testing of personnel on data security to check understanding
- Faulty or end-of-life disks degaussed or otherwise safely destroyed

I hope this helps you work out what measures might be appropriate for your needs. If you want to learn more, then please read our free-to-download white paper: Responsibilities of a Data Controller When Assessing Knowledge, Skills and Abilities [requires registration].

If you are interested in seeing if Questionmark OnDemand could meet your needs, see here for more information.