Enviar búsqueda
Cargar
201504 securing cassandraanddse
•
0 recomendaciones
•
565 vistas
J
Johnny Miller
Seguir
Denunciar
Compartir
Denunciar
Compartir
1 de 21
Descargar ahora
Descargar para leer sin conexión
Recomendados
Techdays Finland 2018 - Building secure cloud applications with Azure Key Vault
Techdays Finland 2018 - Building secure cloud applications with Azure Key Vault
Tom Kerkhove
More zBang for the zBuck
More zBang for the zBuck
Andy Thompson
Managing secrets at scale
Managing secrets at scale
Alex Schoof
Using Vault for your Nodejs Secrets
Using Vault for your Nodejs Secrets
Taswar Bhatti
Microsoft Windows Azure - Security Best Practices for Developing Windows Azur...
Microsoft Windows Azure - Security Best Practices for Developing Windows Azur...
Microsoft Private Cloud
Microsoft Azure Security Infographic
Microsoft Azure Security Infographic
Microsoft Azure
Data Security Essentials - JavaOne 2013
Data Security Essentials - JavaOne 2013
javagroup2006
Azure Low Lands 2019 - Building secure cloud applications with Azure Key Vault
Azure Low Lands 2019 - Building secure cloud applications with Azure Key Vault
Tom Kerkhove
Recomendados
Techdays Finland 2018 - Building secure cloud applications with Azure Key Vault
Techdays Finland 2018 - Building secure cloud applications with Azure Key Vault
Tom Kerkhove
More zBang for the zBuck
More zBang for the zBuck
Andy Thompson
Managing secrets at scale
Managing secrets at scale
Alex Schoof
Using Vault for your Nodejs Secrets
Using Vault for your Nodejs Secrets
Taswar Bhatti
Microsoft Windows Azure - Security Best Practices for Developing Windows Azur...
Microsoft Windows Azure - Security Best Practices for Developing Windows Azur...
Microsoft Private Cloud
Microsoft Azure Security Infographic
Microsoft Azure Security Infographic
Microsoft Azure
Data Security Essentials - JavaOne 2013
Data Security Essentials - JavaOne 2013
javagroup2006
Azure Low Lands 2019 - Building secure cloud applications with Azure Key Vault
Azure Low Lands 2019 - Building secure cloud applications with Azure Key Vault
Tom Kerkhove
Bletchley
Bletchley
Diogo Mónica
Azure key vault - Brisbane User Group
Azure key vault - Brisbane User Group
Rahul Nath
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Jeff Horwitz
Using Vault to decouple MySQL Secrets
Using Vault to decouple MySQL Secrets
Derek Downey
The Rise of Secrets Management
The Rise of Secrets Management
Akeyless
Automation Patterns for Scalable Secret Management
Automation Patterns for Scalable Secret Management
Mary Racter
Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...
Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...
Mary Racter
Az 104 session 8 azure monitoring
Az 104 session 8 azure monitoring
AzureEzy1
ITProceed 2015 - Securing Sensitive Data with Azure Key Vault
ITProceed 2015 - Securing Sensitive Data with Azure Key Vault
Tom Kerkhove
Hexatier - MySQL Role-based Security & Data Masking
Hexatier - MySQL Role-based Security & Data Masking
Scott Uhrick
Vault 101
Vault 101
Hazzim Anaya
Vault
Vault
Jean-Philippe Bélanger
Microsoft az-104 Dumps
Microsoft az-104 Dumps
Armstrongsmith
Securing Your MongoDB Deployment
Securing Your MongoDB Deployment
MongoDB
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
HashiCorp
Securing sensitive data with Azure Key Vault
Securing sensitive data with Azure Key Vault
Tom Kerkhove
Cassandra Security Configuration
Cassandra Security Configuration
Braja Krishna Das
ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...
ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...
DynamicInfraDays
Adding Role-Based Security and Data Masking to MySQL Through a Hexatier Proxy
Adding Role-Based Security and Data Masking to MySQL Through a Hexatier Proxy
Scott Uhrick
Cloud Security Introduction
Cloud Security Introduction
GLC Networks
Going native with Apache Cassandra
Going native with Apache Cassandra
Johnny Miller
Cassandra 2.0 to 2.1
Cassandra 2.0 to 2.1
Johnny Miller
Más contenido relacionado
La actualidad más candente
Bletchley
Bletchley
Diogo Mónica
Azure key vault - Brisbane User Group
Azure key vault - Brisbane User Group
Rahul Nath
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Jeff Horwitz
Using Vault to decouple MySQL Secrets
Using Vault to decouple MySQL Secrets
Derek Downey
The Rise of Secrets Management
The Rise of Secrets Management
Akeyless
Automation Patterns for Scalable Secret Management
Automation Patterns for Scalable Secret Management
Mary Racter
Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...
Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...
Mary Racter
Az 104 session 8 azure monitoring
Az 104 session 8 azure monitoring
AzureEzy1
ITProceed 2015 - Securing Sensitive Data with Azure Key Vault
ITProceed 2015 - Securing Sensitive Data with Azure Key Vault
Tom Kerkhove
Hexatier - MySQL Role-based Security & Data Masking
Hexatier - MySQL Role-based Security & Data Masking
Scott Uhrick
Vault 101
Vault 101
Hazzim Anaya
Vault
Vault
Jean-Philippe Bélanger
Microsoft az-104 Dumps
Microsoft az-104 Dumps
Armstrongsmith
Securing Your MongoDB Deployment
Securing Your MongoDB Deployment
MongoDB
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
HashiCorp
Securing sensitive data with Azure Key Vault
Securing sensitive data with Azure Key Vault
Tom Kerkhove
Cassandra Security Configuration
Cassandra Security Configuration
Braja Krishna Das
ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...
ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...
DynamicInfraDays
Adding Role-Based Security and Data Masking to MySQL Through a Hexatier Proxy
Adding Role-Based Security and Data Masking to MySQL Through a Hexatier Proxy
Scott Uhrick
Cloud Security Introduction
Cloud Security Introduction
GLC Networks
La actualidad más candente
(20)
Bletchley
Bletchley
Azure key vault - Brisbane User Group
Azure key vault - Brisbane User Group
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Using Vault to decouple MySQL Secrets
Using Vault to decouple MySQL Secrets
The Rise of Secrets Management
The Rise of Secrets Management
Automation Patterns for Scalable Secret Management
Automation Patterns for Scalable Secret Management
Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...
Secure Secret Management on a Budget: Reasoning about Scalable SM with Vault ...
Az 104 session 8 azure monitoring
Az 104 session 8 azure monitoring
ITProceed 2015 - Securing Sensitive Data with Azure Key Vault
ITProceed 2015 - Securing Sensitive Data with Azure Key Vault
Hexatier - MySQL Role-based Security & Data Masking
Hexatier - MySQL Role-based Security & Data Masking
Vault 101
Vault 101
Vault
Vault
Microsoft az-104 Dumps
Microsoft az-104 Dumps
Securing Your MongoDB Deployment
Securing Your MongoDB Deployment
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Securing sensitive data with Azure Key Vault
Securing sensitive data with Azure Key Vault
Cassandra Security Configuration
Cassandra Security Configuration
ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...
ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...
Adding Role-Based Security and Data Masking to MySQL Through a Hexatier Proxy
Adding Role-Based Security and Data Masking to MySQL Through a Hexatier Proxy
Cloud Security Introduction
Cloud Security Introduction
Destacado
Going native with Apache Cassandra
Going native with Apache Cassandra
Johnny Miller
Cassandra 2.0 to 2.1
Cassandra 2.0 to 2.1
Johnny Miller
Apache Cassandra For Java Developers - Why, What and How. LJC @ UCL October 2014
Apache Cassandra For Java Developers - Why, What and How. LJC @ UCL October 2014
Johnny Miller
Introduction to CQL and Data Modeling with Apache Cassandra
Introduction to CQL and Data Modeling with Apache Cassandra
Johnny Miller
Why does my choice of storage matter with cassandra?
Why does my choice of storage matter with cassandra?
Johnny Miller
Highly available, scalable and secure data with Cassandra and DataStax Enterp...
Highly available, scalable and secure data with Cassandra and DataStax Enterp...
Johnny Miller
Destacado
(6)
Going native with Apache Cassandra
Going native with Apache Cassandra
Cassandra 2.0 to 2.1
Cassandra 2.0 to 2.1
Apache Cassandra For Java Developers - Why, What and How. LJC @ UCL October 2014
Apache Cassandra For Java Developers - Why, What and How. LJC @ UCL October 2014
Introduction to CQL and Data Modeling with Apache Cassandra
Introduction to CQL and Data Modeling with Apache Cassandra
Why does my choice of storage matter with cassandra?
Why does my choice of storage matter with cassandra?
Highly available, scalable and secure data with Cassandra and DataStax Enterp...
Highly available, scalable and secure data with Cassandra and DataStax Enterp...
Similar a 201504 securing cassandraanddse
Cassandra Day London 2015: Securing Cassandra and DataStax Enterprise
Cassandra Day London 2015: Securing Cassandra and DataStax Enterprise
DataStax Academy
Securing Cassandra The Right Way
Securing Cassandra The Right Way
DataStax Academy
Cassandra and security
Cassandra and security
Ben Bromhead
Securing Cassandra
Securing Cassandra
Instaclustr
Instaclustr: Securing Cassandra
Instaclustr: Securing Cassandra
DataStax Academy
Intelligent Cloud Conference 2018 - Building secure cloud applications with A...
Intelligent Cloud Conference 2018 - Building secure cloud applications with A...
Tom Kerkhove
Managing your secrets in a cloud environment
Managing your secrets in a cloud environment
Taswar Bhatti
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...
DataStax
Secure Your Data Assets
Secure Your Data Assets
Embarcadero Technologies
C* Summit 2013: Lock it Up: Securing Sensitive Data by Sam Heywood
C* Summit 2013: Lock it Up: Securing Sensitive Data by Sam Heywood
DataStax Academy
Don’t Get Caught in a PCI Pickle: Meet Compliance and Protect Payment Card Da...
Don’t Get Caught in a PCI Pickle: Meet Compliance and Protect Payment Card Da...
DataStax
Webinar: Cloud Data Masking - Tips to Test Software Securely
Webinar: Cloud Data Masking - Tips to Test Software Securely
Skytap Cloud
UpdateConf 2018: Top 18 Azure security fails and how to avoid them
UpdateConf 2018: Top 18 Azure security fails and how to avoid them
Karl Ots
MobileDBSecurity.pptx
MobileDBSecurity.pptx
missionsk81
Can Your Mobile Infrastructure Survive 1 Million Concurrent Users?
Can Your Mobile Infrastructure Survive 1 Million Concurrent Users?
TechWell
BSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming Workshop
Ajay Choudhary
Lecture27 cc-security2
Lecture27 cc-security2
Ankit Gupta
Isaca sql server 2008 r2 security & auditing
Isaca sql server 2008 r2 security & auditing
Antonios Chatzipavlis
IT Camp 19: Top Azure security fails and how to avoid them
IT Camp 19: Top Azure security fails and how to avoid them
Karl Ots
MySQL Tech Tour 2015 - 5.7 Security
MySQL Tech Tour 2015 - 5.7 Security
Mark Swarbrick
Similar a 201504 securing cassandraanddse
(20)
Cassandra Day London 2015: Securing Cassandra and DataStax Enterprise
Cassandra Day London 2015: Securing Cassandra and DataStax Enterprise
Securing Cassandra The Right Way
Securing Cassandra The Right Way
Cassandra and security
Cassandra and security
Securing Cassandra
Securing Cassandra
Instaclustr: Securing Cassandra
Instaclustr: Securing Cassandra
Intelligent Cloud Conference 2018 - Building secure cloud applications with A...
Intelligent Cloud Conference 2018 - Building secure cloud applications with A...
Managing your secrets in a cloud environment
Managing your secrets in a cloud environment
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...
DataStax | Best Practices for Securing DataStax Enterprise (Matt Kennedy) | C...
Secure Your Data Assets
Secure Your Data Assets
C* Summit 2013: Lock it Up: Securing Sensitive Data by Sam Heywood
C* Summit 2013: Lock it Up: Securing Sensitive Data by Sam Heywood
Don’t Get Caught in a PCI Pickle: Meet Compliance and Protect Payment Card Da...
Don’t Get Caught in a PCI Pickle: Meet Compliance and Protect Payment Card Da...
Webinar: Cloud Data Masking - Tips to Test Software Securely
Webinar: Cloud Data Masking - Tips to Test Software Securely
UpdateConf 2018: Top 18 Azure security fails and how to avoid them
UpdateConf 2018: Top 18 Azure security fails and how to avoid them
MobileDBSecurity.pptx
MobileDBSecurity.pptx
Can Your Mobile Infrastructure Survive 1 Million Concurrent Users?
Can Your Mobile Infrastructure Survive 1 Million Concurrent Users?
BSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming Workshop
Lecture27 cc-security2
Lecture27 cc-security2
Isaca sql server 2008 r2 security & auditing
Isaca sql server 2008 r2 security & auditing
IT Camp 19: Top Azure security fails and how to avoid them
IT Camp 19: Top Azure security fails and how to avoid them
MySQL Tech Tour 2015 - 5.7 Security
MySQL Tech Tour 2015 - 5.7 Security
201504 securing cassandraanddse
1.
Securing Cassandra &
DataStax Enterprise Johnny Miller, Solutions Architect @CyanMiller www.linkedin.com/in/johnnymiller
2.
What is security? Security
is about the protection of assets • Protective measures: • Prevention • Detection • Reaction • What if your asset is information? • Information can be stolen - but you still have it… • Confidential information may be copied and sold - but the theft might not be detected… • The criminals may be on the other side of the world… ©2015 DataStax Confidential. Do not distribute without consent. 2
3.
What is security? Features •
Confidentiality • prevention of unauthorized disclosure of information • Integrity • prevention of erroneous modification of information • Availability • prevention of unauthorized withholding of information • Non-repudiation • can you prove I did that? • Authentication • verifying that users are who they claim to be • Authorization • determine whether a user should have access to resources • Accountability • actions can be traced back to the responsible party ©2015 DataStax Confidential. Do not distribute without consent. 3
4.
Reality Check Data Breaches •
Heartland Payment Systems, 2008-2009: 130 million records compromised • Target Stores, 2013: 110 million records compromised • Sony online entertainment services, 2011: 102 million records compromised • National Archive and Records Administration, 2008: 76 million records compromised • Anthem, 2015: 69 million to 80 million records compromised • Epsilon, 2011: 60 million to 250 million records compromised • Home Depot, 2014: 56 million payment cards compromised • Evernote, 2013: More than 50 million records compromised • Living Social, 2013: More than 50 million records compromised • TJX Companies Inc., 2006-2007: At least 46 million records compromised • Sony Pictures Entertainment, 2014: Company's inner workings completely exposed • Plus many, many more that we know and don’t know about….. ©2015 DataStax Confidential. Do not distribute without consent. 4
5.
What are my
requirements? If you don’t know, then ask What do I have to do? • Legal and regulatory requirements • Data Protection • PCI • HIPAA/HITECH • Etc… • Enterprise policy • Etc… What should I do? • Design and develop with security in mind • Security in depth/layers • OWASP • Don’t ever say “No one cares about this data” ©2015 DataStax Confidential. Do not distribute without consent. 5
6.
Backups Information Assurance Ensuring data
is not lost when critical issues arrive! • nodetool snapshot etc… • OpsCenter Backup Service • create scheduled or one-off backups • data and commit logs • custom scripts that can be run before or after a backup • can backup to local server and/or S3 • automatically compresses backup files to save storage • retention policies on backups • full, table-level, or point-in-time restores for a cluster • All functions available via REST API or via user interface • Plus lots, lots more….. ©2015 DataStax Confidential. Do not distribute without consent. 6
7.
Access Controls Authentication DEFAULT IS
OFF • Internal • Update the authenticator property in the cassandra.yaml to: authenticator: PasswordAuthenticator • Stores usernames and bcrypt-hashed passwords in the system_auth.credentials table • External • LDAP v3, Kerberos, Active Directory, Oracle Directory Server Enterprise Edition • Update cassandra.yaml authenticator e.g. authenticator: com.datastax.bdp.cassandra.auth.LdapAuthenticator • Update dse.yaml to configure the external provider details e.g. ldap_options: server_host: somehost server_port: 389 search_dn: cn=Admin search_password: secret use_ssl: false use_tls: false etc……. ©2015 DataStax Confidential. Do not distribute without consent. 7 Turn on authentication straight away!
8.
Access Controls Authorization • Permissions
to access all keyspaces, a named keyspace, or a table can be granted to a user • GRANT e.g. GRANT SELECT ON ALL KEYSPACES TO johnny; • LIST PERMISSIONS e.g. LIST ALL PERMISSIONS OF johnny; • REVOKE e.g. REVOKE SELECT ON someks.sometable FROM johnny; • Update the authorizer property in the cassandra.yaml to: authorizer: CassandraAuthorizer ©2015 DataStax Confidential. Do not distribute without consent. 8 Permission CQL Statement ALL All statements ALTER ALTER KEYSPACE, ALTER TABLE, CREATE INDEX, DROP INDEX AUTHORIZE GRANT, REVOKE CREATE CREATE KEYSPACE, CREATE TABLE DROP DROP KEYSPACE, DROP TABLE MODIFY INSERT, DELETE, UPDATE, TRUNCATE SELECT SELECT
9.
Access Controls Once Enabled •
A default superuser is created (cassandra/cassandra) • Default users are bad - create a new super user, change the cassandra users password to something huge (and forget it) and take away the cassandra users superuser status • Increase the replication factor for the system_auth keyspace to N (number of nodes) • Adjust the validity period for permissions caching by setting the permissions_validity_in_ms option in the cassandra.yaml (default is 2s) • Update application code to use credentials e.g Cluster.Builder clusterBulder = Cluster.builder() .withCredentials(userName, password); • Best Practices: • Don’t share credentials i.e. named user access only and per application user accounts • Don’t over grant permissions i.e. if you only need read access, only grant read access • Use a file to store credentials via ~/.cassandra/cqlshrc and ~/.dserc files i.e. don’t pass credentials in on the CLI via cqlsh • Use strong passwords ©2015 DataStax Confidential. Do not distribute without consent. 9
10.
Access Controls Enabling without
downtime • The TransitionalAuthenticator and TransitionalAuthorizer included with DataStax Enterprise allow internal authentication and authorization to be enabled without downtime or modification to client code or configuration. • Procedure: 1. Update the cassandra.yaml file • Set the authenticator to com.datastax.bdp.cassandra.auth.TransitionalAuthenticator. • Set the authorizer to com.datastax.bdp.cassandra.auth.TransitionalAuthorizer. 2. Rolling restart 3. Run a repair on the system_auth keyspace 4. Login via cqlsh and the default superuser – create all the logins and permissions you need 5. Update your applications to start using the credentials 6. Update the cassandra.yaml to use the authenticator and authorizer you want and perform a rolling restart 7. Remove the default superuser and create your new one. ©2015 DataStax Confidential. Do not distribute without consent. 10
11.
Data Auditing DataStax Enterprise •
DataStax Enterprise comes with the ability to audit all Cassandra access across the cluster. • Auditing can be limited to specific keyspaces only • Audit logs can be written to filesystem log files (default) using log4j, or to a Cassandra table (dse_audit.audit_log) – use log4j appenders to ship the logs off server • To enable, update the audit_logging section in the dse.yaml • Auditing can also be enabled for the DSE Search via the filter-mapping element of the Solr web.xml ©2015 DataStax Confidential. Do not distribute without consent. 11 Permission CQL Statement ADMIN Logs describe schema versions, cluster name, version, ring, and other administration events. AUTH Logs login events. DML Logs insert, update, delete and other DML events. DDL Logs object and user create, alter, drop, and other DDL events. DCL Logs grant, revoke, create user, drop user, and list users events. QUERY Logs all queries.
12.
Data Auditing Information included e.g: host:ip-10-85-22-245.ec2.internal/10.85.22.245|source:/127.0.0.1|user:johnny |timestamp:1370537557052|category:DDL|type:ADD_KS |ks:test|operation:create
keyspace test with replication = {'class':'NetworkTopologyStrategy', 'Analytics': 1}; ©2015 DataStax Confidential. Do not distribute without consent. 12 Field Decription host dse node address source client address user authenticated user timestamp system time of log event category DML/DDL/QUERY for example Type API level operation batch batch id ks Keyspace cf column family operation textual description
13.
Encrypting Data In-flight • All
data in-flight can be encrypted using SSL • All nodes must have all the relevant SSL certificates for all nodes. • Client-to-node encryption • Enable via the client_encryption_options in the cassandra.yaml • Specify the path to your .keystore and .truststore files and the password used when generating them • Node-to-node encryption • Enable via the encryption_options in the cassandra.yaml • Specify the path to your .keystore and .truststore files and the password used when generating them • You can enable SSL for: • None • All – all traffic is encrypted • DC – only encrypt inter-dc traffic • Rack – encrypt all inter-rack traffic • Make sure .keystore is readable only by the DSE daemon and not by any user of the system. • Make sure everyone is communicating over the SSL ports ©2015 DataStax Confidential. Do not distribute without consent. 13 Use a separate network for Client-to-node and Node-to- node communication
14.
Encrypting Data In-flight • Applications
need to be updated to use SSL also e.g: SSLContext sslContext = SSLFactory.createSSLContext(encryptionOptions, true); SSLOptions sslOptions = new SSLOptions(sslContext, encryptionOptions.cipher_suites); clusterBuilder.withSSL(sslOptions); • Further reading: http://www.datastax.com/dev/blog/accessing-secure-dse-clusters-with-cql-native- protocol • Example code: https://github.com/PatrickCallaghan/datastax-ssl-example ©2015 DataStax Confidential. Do not distribute without consent. 14
15.
Encrypting Data At rest
– Transparent data encryption • SSTables can be encrypted at rest via DataStax Enterprise • Note – this is only the SSTables. If you need commit log encryption, you should look at using an OS-level encrypted file system. • The OS needs to be hardened as an invasion of the local file system will invalidate the encryption as the encryption keys are stored locally • Use the dse command to generate a system key for encryption e.g. dsetool createsystemkey 'AES/ECB/PKCS5Padding' 128 system_key • This is inserted into the dse_system.encrypted_keys table and written to a location on disk e.g. / etc/dse/conf (or specifiy system_key_directory in dse.yaml) – make sure the permissions on the directory are correct! This key will need to be copied to each node in the cluster. • The entire cluster uses the system key to decrypt SSTables for operations such as repairs • You also use the system key during upgrading and restoring SSTables that might have been corrupted • When enabling on existing cluster, ensure that the user encrypting data has been granted ALTER permission on the table containing the data to be encrypted. E.g. ALTER TABLE users WITH compression = { 'sstable_compression' : 'EncryptingSnappyCompressor’, 'cipher_algorithm' : 'AES/ECB/PKCS5Padding’, 'secret_key_strength' : 128, 'chunk_length_kb' : 128 }; • Rewrite the sstables i.e nodetool upgradesstables --include-all-sstable ©2015 DataStax Confidential. Do not distribute without consent. 15
16.
Data Replication Security •
A popular feature from a data security perspective is the ability to control at a keyspace/schema level which data centres data should be replicated to. • What this means is that in a multi-data centre (both physical and virtual) cluster you can ensure that data is not shipped anywhere it shouldn’t be and access to that data can be controlled. • This is very simple to set-up and is extremely useful when you need to share some of your data, but not all of you data or if you have requirements around where your data is permitted to reside. ©2015 DataStax Confidential. Do not distribute without consent. 16 DC 1 DC 2 Shared Data Don’t use monolithic keyspaces
17.
Secure OpsCenter • OpsCenter
is a cluster administration tool for DataStax Enterprise • Supports: • Role-based security controls (enterprise only) • SSL between OpsCenter server and agents running on nodes • HTTPs for web and API access Secure OpsCenter – if it gets compromised…. ©2015 DataStax Confidential. Do not distribute without consent. 17
18.
Security Features Cassandra or
DataStax Enterprise ©2015 DataStax Confidential. Do not distribute without consent. 18 Cassandra DataStax Enterprise Internal Authentication • Simple to implement & easy to understand • Internal validation of authorized • No learning curve External Authentication • External validation of authorized users • Leverages Kerberos & LDAP) • Single sign-on to all data domains Object Permission Management • Deep control over who can add/change/delete/ read data • Uses familiar GRANT/REVOKE from relational world • No learning curve Transparent Data Encryption • Protects sensitive data at rest (only sstables) • No changes needed at application level • Encrypt both Cassandra and Hadoop data Client to Node Encryption • Ensures data cannot be captured/stolen in route to a server • Data is safe both in flight from/to a database and on the database • Complete coverage is ensured Data Auditing • Audit trail of all accesses and changes • Control to audit only what’s needed • Uses log4j interface to ensure performance & efficient audit operations
19.
DataStax and Vormetric Partnership •
We’ve seen a rising number of customers in heavily-regulated industries e.g healthcare, Finance, Retail, Education etc… • Vormetric is the industry leader in data security solutions that span physical, virtual, cloud and big data environments from both internal and external threats. • Vormetric with DataStax Enterprise enhances our at-rest encryption: • A single place for managing policies • Protection of data sources, DSE environment and analytic reports through data at rest encryption – encrypts the entire disk • Dashboards and reports • Application layer encryption • Key management • And lots more…. Read more: http://bit.ly/dse_pci ©2015 DataStax Confidential. Do not distribute without consent. 19
20.
Quote “The mantra of
any good security engineer is: 'Security is a not a product, but a process.’ It's more than designing strong cryptography into a system; it's designing the entire system such that all security measures, including cryptography, work together.” Bruce Schneier Cryptographer, Computer Security and Privacy Specialist https://schneier.com @schneierblog Read this: http://bit.ly/dse_security ©2015 DataStax Confidential. Do not distribute without consent. 20
21.
Thank You We power
the big data apps that transform business. ©2015 DataStax Confidential. Do not distribute without consent. 21
Descargar ahora