Speaker: Michael Allen, Security Architect, Sqrrl Venue: October 28th Accumulo Users Group (along with Strata NY / Hadoop World) The early Accumulo developers made security a core part of Accumulo's codebase. As the open source community around Accumulo continues to thrive, this talk examines the current state of Accumulo's security features. The talk will detail some exciting developments in the upcoming 1.6 release, which include enhancements around encryption at rest and in motion. We will also take a broader look at new use cases suggesting a wider set of threats, and how current and future work addresses those threats.

1. Securely explore your data
ENCRYPTION AND
SECURITY IN
ACCUMULO
Michael Allen
Security Architect
Sqrrl Data, Inc.
michael@sqrrl.com

2. ISN’T
ACCUMULO
ALREADY
SECURE?
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential

3. Source: wikipedia.org. Public domain
I MEAN, THESE SMART GALS AND
GUYS MADE IT…
(Undisclosed location)
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential

4. CELL-LEVEL SECURITY
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential

5. CELL-LEVEL SECURITY
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential

6. CELL-LEVEL SECURITY
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential

7. WHAT’S THE THREAT?
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential

8. A TYPICAL DEPLOYMENT
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential

9. A TYPICAL DEPLOYMENT
(…ignoring master nodes, name nodes,
garbage collectors, other ephemera…)
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential

10. A TYPICAL CAST
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential

11. THREATS INSIDE AND OUT
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential

12. WHO CAN WE PUSH OUT?
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential

13. HOW?
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential

14. ENCRYPTION
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential

15. IN MOTION AND AT REST
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential

16. Source: http://bit.ly/HqScSr. Creative Commons,
Attribution.
IT’S NOT…
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential

17. FUNDAMENTAL QUESTIONS
What are you encrypting?
How are you encrypting it?
How are you protecting the key?
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential

18. ACCUMULO 1.6
SSL for Accumulo Clients
Encrypting data within HDFS
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential

19. SSL AND ACCUMULO
ACCUMULO-1009
Patch that adds configuring and
using SSL certificates
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential

20. MAKE YOUR CERTS
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential

21. CONFIGURE YOUR SERVERS
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential

22. CONFIGURE YOUR SERVERS
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential

23. DISTRIBUTE YOUR CERTS
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential

24. DISTRIBUTE YOUR ROOTS
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential

25. ENJOY YOUR SSL
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential

26. ENCRYPTION AT REST
ACCUMULO-998
Patch that adds encryption for
Rfiles and WAL
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential

27. ENCRYPTION AT REST
Uses Java Cryptography
Extensions (JCE) for encryption
interface / engine
(Guess what? It’s pluggable.)
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential

28. BEHIND THE SCENES
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential

29. BEHIND THE SCENES
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential

30. BEHIND THE SCENES
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential

31. BEHIND THE SCENES
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential

32. WHERE DOES THAT KEY GO?
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential

33. WHERE DOES THAT KEY GO?
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential

34. WHERE DOES THAT KEY GO?
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential

35. PLUGGABLE STRATEGY
• Java class that mediates access to KEK
• Encrypts and decrypts per-file keys
• Passes back to callers opaque ID to identify
KEK used to do encryption
• Callers should store opaque ID along with
encrypted key
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential

36. PLUGGABLE STRATEGY
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential

37. PLUGGABLE STRATEGY
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential

38. CONFIGURATION OPTIONS
Property Name
“Usual” Value
Meaning
crypto.module.class
org.apache.accumulo.
core.security.crypto.
DefaultCryptoModule
The class that
creates
encrypting
and
decrypting
data streams
crypto.cipher.suite
AES/CFB/PKCS5Padding
Encryption
algorithm
spec
crypto.cipher.key.length 128
Key length
crypto.module.class
Class that
mediates
access to
KEK
org.apache.accumulo.
core.security.crypto.
DefaultSecretKeyEncryptionStrategy
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential

39. REDUCED THREAT
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential

40. REDUCED THREAT
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential

41. TOWARDS THE FUTURE
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential

42. THANKS
!michael@sqrrl.com
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential