BizTalk360 is the one-stop monitoring solution for your BizTalk environment. Being a web application, security plays an important role in the application. Any organization installing the product would be considering the security aspects of the application. With BizTalk360 we provide high-level authorization capabilities through the User Access Policy and Governance/Audit capabilities. The level of access can be customized for any BizTalk360 user. The activities performed by the users within BizTalk360 are audited and listed in the Audit History section.
Security compliance is a legal concern for organizations in many industries today. In demonstrating security compliance, enterprises are better able to define and achieve specific IT security goals, as well as mitigating the threat of network attacks through processes like vulnerability management. The security requirements and standards may vary for different organizations.
Being a web application, BizTalk360 is also expected to comply with the security standards for the organization’s demands. In this blog, I would like to give some details on some of the security compliances that are accommodated in BizTalk360. Let’s get into the details of the security compliances in BizTalk360.
The FIPS standards specify the best practices and security requirements for implementing crypto algorithms, encryption schemes, handling important data and working with various operating systems and hardware, whenever cryptographic-based security systems must be used to protect sensitive, valuable data. FIPS defines specific methods for encryption and specific methods for generating encryption keys that can be used.
BizTalk360 also uses encryption/decryption algorithms for security.
There are some modules that require information like passwords, application security keys (for adding Azure subscriptions in BizTalk360 UI) to be provided in the UI. This kind of data will be encrypted and stored in the database. The areas in BizTalk360 where encryption is used include:
- License activation
- Adding Azure Subscription
- Placeholders in custom widgets
- Notification channel configurations
- Accessing endpoints for monitoring
FIPS Compliance is mandatory for US government computers, which means that all computers used for government work must be FIPS compliant. Application developers who need to test their software for government computers must ensure that they perform their testing on FIPS compliant computers.
Often, the support team gets support tickets from customers through various channels like email, feedback widget, and the support portal. One such ticket from a customer was that there was an error message in BizTalk360 UI as seen below.
As per the Government rules, the organization had to turn on the FIPS encryption algorithm in all the servers. Once the encryption was turned on, the above error started displaying BizTalk360. This is due to the reason that FIPS supported encryption methods were not available since it was AES standard compatible. The development team checked for all the areas where the encryption algorithms were implemented and modified them to support the FIPS standard.
This is considered as one of the important security aspects because if the compliance is not met, it would have been difficult for the customer to continue to monitor their BizTalk environment using BizTalk360.
TLS latest version Support
Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network. Several versions of the protocols find widespread use in applications such as web browsing, email, instant messaging, and voice over IP (VoIP). Websites can use TLS to secure all communications between their servers and web browsers.
The TLS protocol aims primarily to provide privacy and data integrity between two or more communicating computer applications. There are different versions of TLS available. BizTalk360 was supporting TLS 1.0 until BizTalk360 v8.8. With the latest version of TLS, it is important that BizTalk360 also supports this latest version. This must be done at the installer level; when TLS 1.2 was not yet supported, the BizTalk360 installer would fail while trying to connect to the SQL database. This has been modified to support TLS 1.2.
We are happy to inform you that, from v8.9 onwards, BizTalk360 supports TLS 1.2.
Other security considerations
From a security perspective, Databases are considered as important for any organization. As access permissions to the database are restricted for safety reasons, DBAs are not ready to give all rights to all users. They would only provide the absolute minimum of required permissions on the database. The same principle is used in BizTalk360 as well. Under the Secure SQL queries option, the user can create/execute queries.
The following are the advantages of Secure SQL queries functionality in BizTalk360:
- Single management tool for users to execute the queries. No need for SQL Server Management Studio
- Central Query Repository – maintaining queries is much easier
- The end-users need not have direct access to the SQL database. The queries will be executed in the context of the BizTalk360 service account, therefore only the service account requires access to SQL Server
- Queries can be executed against any SQL instance/database which can be accessed by the BizTalk360 service account
But how is the security imposed here? Well, in BizTalk360, the Super User can choose the required permissions for the user in the query execution and provide the necessary access permission under the User Access Policy. Based on these permissions, the user can perform the query execution when he logins to BizTalk360.
There might be some organizations that would run a security scan report to find any security issues that may come with BizTalk360. One such report was generated by one of our customers and they shared where the security risks were, classified as high, medium and low risks.
Some of the risks that were identified were SQL injection, database error patterns, and directory listing. Due to the SQL server injection, there might be the possibility to view, modify or delete database entries and tables. For the directory listing enabled, it is possible to view and download the contents of certain web application virtual directories, which might contain restricted files. The test result seems to indicate a vulnerability because the response contains SQL Server errors. This suggests that the test managed to penetrate the application and reach the SQL query itself, by injecting hazardous characters.
Being an on-premise application, the directory browsing should not affect the security because the application is installed on-premise and the database is also local and specific to the organization. The users who will have access to BizTalk360 will be Active Directory users of the specified domain. Also, BizTalk360 can be accessed in another domain only when there is a proper trust established between the domains and the users are added to the security group in the domain. The response contains the content of a directory (directory listing). This indicates that the server allows the listing of directories, which is not usually recommended.
Hence, disabling the directory browsing for the BizTalk360 site in IIS will not affect the application in any way. Once that was disabled, the risk was mitigated. For the SQL injection, the query to retrieve the tracking database performance counters and BizTalk Server performance counters were modified. These types of queries led to vulnerability because the response contained SQL Server errors. This suggests that the test managed to penetrate the application and reach the SQL query itself, by injecting hazardous characters. This was mitigated by modifying those queries accordingly.
With the security aspects in consideration and as per the feedback from the customers, we always enhance the features of BizTalk360. Considering the priority of the reported issue, our team will always act immediately, and the fix would be provided. This way we make sure that the product is secure and meets all the security standards so that there will not be any hindrance in monitoring your BizTalk environment using BizTalk360.
Happy monitoring with BizTalk360!