SlideShare una empresa de Scribd logo

Securing Search Index with Searchable Encryption

H
Harry Ochiai

A searchable encryption plugin for encrypting search indices of enterprise search platforms, Apache Solr and Elasticsearch.

Tecnología
1 de 19
Descargar para leer sin conexión
© Hitachi Solutions America, Ltd. 2017. All rights reserved. Zero-Knowledge Technologies for the CloudJune 7, 2017 NYC Apache Lucene/Solr Meetup
© Hitachi Solutions America, Ltd. 2017. All rights reserved. 1 Security Needs for Search Engine  Gathered in one place  Pre-processed in useful form  Shows relativity between data Index Data is Valuable
© Hitachi Solutions America, Ltd. 2017. All rights reserved. 2 Data Breach is Real  $4 million cost in average  29% increased cost since 2013  Only 25% is human error Security Needs for Search Engine
© Hitachi Solutions America, Ltd. 2017. All rights reserved. 3 Index Data Encryption  Thicker walls are not enough to protect credential data any more.  Effective protection even after the attackers break in is required. Security Needs for Search Engine
© Hitachi Solutions America, Ltd. 2017. All rights reserved. 4 Security Needs for Search Engine Use FDE platform Customization by engine integrator Lucene 6966 Existing Encryption Solution
© Hitachi Solutions America, Ltd. 2017. All rights reserved. 5 Security Needs for Search Engine Keys are accessible for server Server side encryption Decrypt for every search Problem of Existing Solution
© Hitachi Solutions America, Ltd. 2017. All rights reserved. 6 Overview of Credeon SFS is a product developed by Hitachi Solutions in Japan, based on an advanced cryptographic scheme born in the research lab of Hitachi. Credeon Secure Full-text Search
© Hitachi Solutions America, Ltd. 2017. All rights reserved. 7 Overview of Credeon SFS Keys are inaccessible for server Client side encryption Search without decryption Main Goal of Credeon SFS
© Hitachi Solutions America, Ltd. 2017. All rights reserved. 8 Overview of Credeon SFS How dose Credeon SFS Work Credeon Codec Credeon Plugin Update Handler Search Component Request Handler Postings Format Stored Fields Format
© Hitachi Solutions America, Ltd. 2017. All rights reserved. Client Side Server Side 9 Scheme like Lucene 6966 Encryption Scheme Upload Create Index Decrypt Encrypt Return Result QUERY ? QUERY ?Send Query Search
© Hitachi Solutions America, Ltd. 2017. All rights reserved. 10 Scheme of Credeon SFS Encryption Scheme Key Management Server Client Side Server Side QUERY ? QUERY ? Create Index Create Query Decrypt Result Decrypt Upload Search
© Hitachi Solutions America, Ltd. 2017. All rights reserved. 11 A Patent Cryptographic Technology Developed by Hitachi R&D Searchable Encryption Secure Practical
© Hitachi Solutions America, Ltd. 2017. All rights reserved. 12 Searchable Encryption How Secure×Practical  AES 256 (FIPS 140-2)  Probabilistic Encryption  AES Encryption Speed  None Linear to Data Size Probabilistic Plain Encrypted Apple Banana Banana Banana Coconut $k24J$jX K#$#J%K^ G%jQ%K9( HFv9hbvn !=v[h-u Terms in Index SearchTime Plain Text Search Encrypted Search
© Hitachi Solutions America, Ltd. 2017. All rights reserved. 13 Mechanism Searchable Encryption
© Hitachi Solutions America, Ltd. 2017. All rights reserved. 14 Current Model As a Product text keyword result Searchable Storage Storage Client Server App Server OS No Encryption OS Encryption Simple Encryption with ES/Solr Client-Side Credeon SFS with ES/Solr Credeon SFS with ES/Solr Security Level No Security Decryption at storage layer  Difficult to separate key Decrypt first and match  Very slow  plaintext in memory Match first and decrypt  Key separation  High Performance  Semantically Secure  plaintext in memory Client Client Decryption at client-side  Key separation  High Performance  Semantically Secure  no plaintext on server Storage value Storage value text keyword result Client ES/Solr/Lucene ES/Solr/Lucene File System Encryption value text keyword result ES/Solr/Lucene Simple Encryption Client value text keyword result ES/Solr/Lucene Encryption Client value text keyword result Searchable Encryption Storage ES/Solr/Lucene IndexIndexIndexIndexIndex
© Hitachi Solutions America, Ltd. 2017. All rights reserved. 15 Performance As a Product Plain Credeon Credeon/Plain Indexing Time (s) 1,643 4,835 2.9 Search Time (ms) 16 19 1.2 Index Size (MB) 2,941 5,011 1.7 CPU Core i5 2.4GHz Mem 8GB OS Ubuntu 14.04 LTD Engine App Solr 5 Data Wikipedia Pages 10GB (13,800,000 terms) TestEnvironmentResult
© Hitachi Solutions America, Ltd. 2017. All rights reserved. 16 Limitation As a Product Type Feature Encrypted Field Plain Field Search Schema Core type, Copy field, Dynamic field Yes Yes Index Indexing, Delete, Update Yes Yes Search N-Gram, Lower case, Phonetic, Stop, Trim, Filter Query, Boost, Boolean, Stemmer, Phrase Yes Yes Pattern, Wildcard, Range, Grouping, Spatial search No Yes Result Relevance, Sort*1, Highlighting*2, Pagination, Yes Yes Spell check, Suggester, More like this No Yes Facet Query faceting, Field-value faceting, Range faceting No Yes Caching Filter cache, Query result cache Yes Yes Field cache No Yes Analyzer, Tokenizer, Filter, Transform, Response writer Yes*3 Yes Cloud Yes Yes Encryption Terms (.tim/.tip/.doc/.pos/.pay) Encrypted N/A Stored field (.fdt) Encrypted N/A Meta data Plain N/A Search keyword Encrypted N/A Transaction log Plain N/A *1: Only with Score *2: Except FastVectorHighlighter *3: Need to evaluate
© Hitachi Solutions America, Ltd. 2017. All rights reserved. 17  Setup  Upload  Search  Select Encryption Fields  Use Multiple Keys  Others Demo
© Hitachi Solutions America, Ltd. 2017. All rights reserved. 18 Thanks for Listening Tong Ye tye@hitachisolutions.com Harry Ochiai hochiai@hitachisolutions.com @credeon https://psg.hitachi-solutions.com/credeon/secure-full-text-search

Recomendados

Přehled portfolia ODA a praktických případů v regionu EMEA
Přehled portfolia ODA a praktických případů v regionu EMEAPřehled portfolia ODA a praktických případů v regionu EMEA
Přehled portfolia ODA a praktických případů v regionu EMEA
MarketingArrowECS_CZ
 
Future of IT
Future of ITFuture of IT
Future of IT
MarketingArrowECS_CZ
 
Using Dbvisit STANDBY as DR solution for Oracle ODA machines
Using Dbvisit STANDBY as DR solution for Oracle ODA machinesUsing Dbvisit STANDBY as DR solution for Oracle ODA machines
Using Dbvisit STANDBY as DR solution for Oracle ODA machines
MarketingArrowECS_CZ
 
ODA Right to use program - Optimalizace IT investice
ODA Right to use program - Optimalizace IT investiceODA Right to use program - Optimalizace IT investice
ODA Right to use program - Optimalizace IT investice
MarketingArrowECS_CZ
 
Best Practices in Porting & Developing Enterprise Applications to the Cloud u...
Best Practices in Porting & Developing Enterprise Applications to the Cloud u...Best Practices in Porting & Developing Enterprise Applications to the Cloud u...
Best Practices in Porting & Developing Enterprise Applications to the Cloud u...
ActiveState
 
Improving Response Times at Optum with Elastic APM
Improving Response Times at Optum with Elastic APMImproving Response Times at Optum with Elastic APM
Improving Response Times at Optum with Elastic APM
Elasticsearch
 
AWSome Data Visibility with Information Map
AWSome Data Visibility with Information MapAWSome Data Visibility with Information Map
AWSome Data Visibility with Information Map
Veritas Technologies LLC
 
Data Science Experience
Data Science ExperienceData Science Experience
Data Science Experience
Zied ABIDI
 

Recomendados

Přehled portfolia ODA a praktických případů v regionu EMEA
Přehled portfolia ODA a praktických případů v regionu EMEAPřehled portfolia ODA a praktických případů v regionu EMEA
Přehled portfolia ODA a praktických případů v regionu EMEA
MarketingArrowECS_CZ
 
Future of IT
Future of ITFuture of IT
Future of IT
MarketingArrowECS_CZ
 
Using Dbvisit STANDBY as DR solution for Oracle ODA machines
Using Dbvisit STANDBY as DR solution for Oracle ODA machinesUsing Dbvisit STANDBY as DR solution for Oracle ODA machines
Using Dbvisit STANDBY as DR solution for Oracle ODA machines
MarketingArrowECS_CZ
 
ODA Right to use program - Optimalizace IT investice
ODA Right to use program - Optimalizace IT investiceODA Right to use program - Optimalizace IT investice
ODA Right to use program - Optimalizace IT investice
MarketingArrowECS_CZ
 
Best Practices in Porting & Developing Enterprise Applications to the Cloud u...
Best Practices in Porting & Developing Enterprise Applications to the Cloud u...Best Practices in Porting & Developing Enterprise Applications to the Cloud u...
Best Practices in Porting & Developing Enterprise Applications to the Cloud u...
ActiveState
 
Improving Response Times at Optum with Elastic APM
Improving Response Times at Optum with Elastic APMImproving Response Times at Optum with Elastic APM
Improving Response Times at Optum with Elastic APM
Elasticsearch
 
AWSome Data Visibility with Information Map
AWSome Data Visibility with Information MapAWSome Data Visibility with Information Map
AWSome Data Visibility with Information Map
Veritas Technologies LLC
 
Data Science Experience
Data Science ExperienceData Science Experience
Data Science Experience
Zied ABIDI
 
Owasp appsec container_security_supply_chain
Owasp appsec container_security_supply_chainOwasp appsec container_security_supply_chain
Owasp appsec container_security_supply_chain
Michele Chubirka
 
NetApp IT Uses NetApp Manageability SDK to do More Than Configuration Tasks
NetApp IT Uses NetApp Manageability SDK to do More Than Configuration Tasks NetApp IT Uses NetApp Manageability SDK to do More Than Configuration Tasks
NetApp IT Uses NetApp Manageability SDK to do More Than Configuration Tasks
NetApp
 
NetApp IT Data Center Strategies to Enable Digital Transformation
NetApp IT Data Center Strategies to Enable Digital TransformationNetApp IT Data Center Strategies to Enable Digital Transformation
NetApp IT Data Center Strategies to Enable Digital Transformation
NetApp
 
Oracle six journeys to cloud
Oracle six journeys to cloudOracle six journeys to cloud
Oracle six journeys to cloud
Tekpros
 
Hybrid Cloud Data Storage with OpenIO and Backblaze B2
Hybrid Cloud Data Storage with OpenIO and Backblaze B2Hybrid Cloud Data Storage with OpenIO and Backblaze B2
Hybrid Cloud Data Storage with OpenIO and Backblaze B2
Backblaze
 
OpenIO A3techlive in London - March 2016
OpenIO A3techlive in London - March 2016OpenIO A3techlive in London - March 2016
OpenIO A3techlive in London - March 2016
OpenIO Object Storage
 
The Non-Relational Revolution
The Non-Relational RevolutionThe Non-Relational Revolution
The Non-Relational Revolution
Mikhail Prudnikov
 
IBM Data Science Experience and Machine Learning Use Cases in Healthcare
IBM Data Science Experience and Machine Learning Use Cases in HealthcareIBM Data Science Experience and Machine Learning Use Cases in Healthcare
IBM Data Science Experience and Machine Learning Use Cases in Healthcare
IDEAS - Int'l Data Engineering and Science Association
 
Replatform your Teradata to a Next-Gen Cloud Data Platform in Weeks, Not Years
Replatform your Teradata to a Next-Gen Cloud Data Platform in Weeks, Not YearsReplatform your Teradata to a Next-Gen Cloud Data Platform in Weeks, Not Years
Replatform your Teradata to a Next-Gen Cloud Data Platform in Weeks, Not Years
VMware Tanzu
 
NetApp IT and how Data Fabric Simplifies Data Management across the Hybrid Cl...
NetApp IT and how Data Fabric Simplifies Data Management across the Hybrid Cl...NetApp IT and how Data Fabric Simplifies Data Management across the Hybrid Cl...
NetApp IT and how Data Fabric Simplifies Data Management across the Hybrid Cl...
NetApp
 
Bridging Your Business Across the Enterprise and Cloud with MongoDB and NetApp
Bridging Your Business Across the Enterprise and Cloud with MongoDB and NetAppBridging Your Business Across the Enterprise and Cloud with MongoDB and NetApp
Bridging Your Business Across the Enterprise and Cloud with MongoDB and NetApp
MongoDB
 
"Vision for All?," a Presentation from Intel
"Vision for All?," a Presentation from Intel"Vision for All?," a Presentation from Intel
"Vision for All?," a Presentation from Intel
Edge AI and Vision Alliance
 
MongoDB World 2018: Managing a Mission Critical eCommerce Application on Mong...
MongoDB World 2018: Managing a Mission Critical eCommerce Application on Mong...MongoDB World 2018: Managing a Mission Critical eCommerce Application on Mong...
MongoDB World 2018: Managing a Mission Critical eCommerce Application on Mong...
MongoDB
 
Elastic Cloud Enterprise @ Cisco
Elastic Cloud Enterprise @ CiscoElastic Cloud Enterprise @ Cisco
Elastic Cloud Enterprise @ Cisco
Elasticsearch
 
DevOps@Scale- IBM Cloud and NetAp-Insight-Berlin
DevOps@Scale- IBM Cloud and NetAp-Insight-BerlinDevOps@Scale- IBM Cloud and NetAp-Insight-Berlin
DevOps@Scale- IBM Cloud and NetAp-Insight-Berlin
Sreeni Pamidala
 
FINRA's Managed Data Lake: Next-Gen Analytics in the Cloud - ENT328 - re:Inve...
FINRA's Managed Data Lake: Next-Gen Analytics in the Cloud - ENT328 - re:Inve...FINRA's Managed Data Lake: Next-Gen Analytics in the Cloud - ENT328 - re:Inve...
FINRA's Managed Data Lake: Next-Gen Analytics in the Cloud - ENT328 - re:Inve...
Amazon Web Services
 
Best Practices for implementing Database Security Comprehensive Database Secu...
Best Practices for implementing Database Security Comprehensive Database Secu...Best Practices for implementing Database Security Comprehensive Database Secu...
Best Practices for implementing Database Security Comprehensive Database Secu...
Kal BO
 
EPM, ERP, Cloud, and On-Premise: All Integration Options Explained
EPM, ERP, Cloud, and On-Premise: All Integration Options ExplainedEPM, ERP, Cloud, and On-Premise: All Integration Options Explained
EPM, ERP, Cloud, and On-Premise: All Integration Options Explained
Joseph Alaimo Jr
 
ICIC 2013 New Product Introductions CEPT
ICIC 2013 New Product Introductions CEPTICIC 2013 New Product Introductions CEPT
ICIC 2013 New Product Introductions CEPT
Dr. Haxel Consult
 
Aerospike: Enabling Your Digital Transformation
Aerospike: Enabling Your Digital TransformationAerospike: Enabling Your Digital Transformation
Aerospike: Enabling Your Digital Transformation
Brillix
 
Converged Everything, Converged Infrastructure delivering business value and ...
Converged Everything, Converged Infrastructure delivering business value and ...Converged Everything, Converged Infrastructure delivering business value and ...
Converged Everything, Converged Infrastructure delivering business value and ...
NetAppUK
 
Oracle Database Appliance, ODA, X7-2 portfolio.
Oracle Database Appliance, ODA, X7-2 portfolio.Oracle Database Appliance, ODA, X7-2 portfolio.
Oracle Database Appliance, ODA, X7-2 portfolio.
Daryll Whyte
 

Más contenido relacionado

La actualidad más candente

Owasp appsec container_security_supply_chain
Owasp appsec container_security_supply_chainOwasp appsec container_security_supply_chain
Owasp appsec container_security_supply_chain
Michele Chubirka
 
NetApp IT Data Center Strategies to Enable Digital Transformation
NetApp IT Data Center Strategies to Enable Digital TransformationNetApp IT Data Center Strategies to Enable Digital Transformation
NetApp IT Data Center Strategies to Enable Digital Transformation
NetApp
 
Replatform your Teradata to a Next-Gen Cloud Data Platform in Weeks, Not Years
Replatform your Teradata to a Next-Gen Cloud Data Platform in Weeks, Not YearsReplatform your Teradata to a Next-Gen Cloud Data Platform in Weeks, Not Years
Replatform your Teradata to a Next-Gen Cloud Data Platform in Weeks, Not Years
VMware Tanzu
 

La actualidad más candente (10)

Owasp appsec container_security_supply_chain
Owasp appsec container_security_supply_chainOwasp appsec container_security_supply_chain
Owasp appsec container_security_supply_chain
 
NetApp IT Uses NetApp Manageability SDK to do More Than Configuration Tasks
NetApp IT Uses NetApp Manageability SDK to do More Than Configuration Tasks NetApp IT Uses NetApp Manageability SDK to do More Than Configuration Tasks
NetApp IT Uses NetApp Manageability SDK to do More Than Configuration Tasks
 
NetApp IT Data Center Strategies to Enable Digital Transformation
NetApp IT Data Center Strategies to Enable Digital TransformationNetApp IT Data Center Strategies to Enable Digital Transformation
NetApp IT Data Center Strategies to Enable Digital Transformation
 
Oracle six journeys to cloud
Oracle six journeys to cloudOracle six journeys to cloud
Oracle six journeys to cloud
 
Hybrid Cloud Data Storage with OpenIO and Backblaze B2
Hybrid Cloud Data Storage with OpenIO and Backblaze B2Hybrid Cloud Data Storage with OpenIO and Backblaze B2
Hybrid Cloud Data Storage with OpenIO and Backblaze B2
 
OpenIO A3techlive in London - March 2016
OpenIO A3techlive in London - March 2016OpenIO A3techlive in London - March 2016
OpenIO A3techlive in London - March 2016
 
The Non-Relational Revolution
The Non-Relational RevolutionThe Non-Relational Revolution
The Non-Relational Revolution
 
IBM Data Science Experience and Machine Learning Use Cases in Healthcare
IBM Data Science Experience and Machine Learning Use Cases in HealthcareIBM Data Science Experience and Machine Learning Use Cases in Healthcare
IBM Data Science Experience and Machine Learning Use Cases in Healthcare
 
Replatform your Teradata to a Next-Gen Cloud Data Platform in Weeks, Not Years
Replatform your Teradata to a Next-Gen Cloud Data Platform in Weeks, Not YearsReplatform your Teradata to a Next-Gen Cloud Data Platform in Weeks, Not Years
Replatform your Teradata to a Next-Gen Cloud Data Platform in Weeks, Not Years
 
NetApp IT and how Data Fabric Simplifies Data Management across the Hybrid Cl...
NetApp IT and how Data Fabric Simplifies Data Management across the Hybrid Cl...NetApp IT and how Data Fabric Simplifies Data Management across the Hybrid Cl...
NetApp IT and how Data Fabric Simplifies Data Management across the Hybrid Cl...
 

Similar a Securing Search Index with Searchable Encryption

"Vision for All?," a Presentation from Intel
"Vision for All?," a Presentation from Intel"Vision for All?," a Presentation from Intel
"Vision for All?," a Presentation from Intel
Edge AI and Vision Alliance
 
DevOps@Scale- IBM Cloud and NetAp-Insight-Berlin
DevOps@Scale- IBM Cloud and NetAp-Insight-BerlinDevOps@Scale- IBM Cloud and NetAp-Insight-Berlin
DevOps@Scale- IBM Cloud and NetAp-Insight-Berlin
Sreeni Pamidala
 
FINRA's Managed Data Lake: Next-Gen Analytics in the Cloud - ENT328 - re:Inve...
FINRA's Managed Data Lake: Next-Gen Analytics in the Cloud - ENT328 - re:Inve...FINRA's Managed Data Lake: Next-Gen Analytics in the Cloud - ENT328 - re:Inve...
FINRA's Managed Data Lake: Next-Gen Analytics in the Cloud - ENT328 - re:Inve...
Amazon Web Services
 
ICIC 2013 New Product Introductions CEPT
ICIC 2013 New Product Introductions CEPTICIC 2013 New Product Introductions CEPT
ICIC 2013 New Product Introductions CEPT
Dr. Haxel Consult
 
Apache Spark and Apache Ignite: Where Fast Data Meets IoT
Apache Spark and Apache Ignite: Where Fast Data Meets IoTApache Spark and Apache Ignite: Where Fast Data Meets IoT
Apache Spark and Apache Ignite: Where Fast Data Meets IoT
Denis Magda
 
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Denim Group
 

Similar a Securing Search Index with Searchable Encryption (20)

Bridging Your Business Across the Enterprise and Cloud with MongoDB and NetApp
Bridging Your Business Across the Enterprise and Cloud with MongoDB and NetAppBridging Your Business Across the Enterprise and Cloud with MongoDB and NetApp
Bridging Your Business Across the Enterprise and Cloud with MongoDB and NetApp
 
"Vision for All?," a Presentation from Intel
"Vision for All?," a Presentation from Intel"Vision for All?," a Presentation from Intel
"Vision for All?," a Presentation from Intel
 
MongoDB World 2018: Managing a Mission Critical eCommerce Application on Mong...
MongoDB World 2018: Managing a Mission Critical eCommerce Application on Mong...MongoDB World 2018: Managing a Mission Critical eCommerce Application on Mong...
MongoDB World 2018: Managing a Mission Critical eCommerce Application on Mong...
 
Elastic Cloud Enterprise @ Cisco
Elastic Cloud Enterprise @ CiscoElastic Cloud Enterprise @ Cisco
Elastic Cloud Enterprise @ Cisco
 
DevOps@Scale- IBM Cloud and NetAp-Insight-Berlin
DevOps@Scale- IBM Cloud and NetAp-Insight-BerlinDevOps@Scale- IBM Cloud and NetAp-Insight-Berlin
DevOps@Scale- IBM Cloud and NetAp-Insight-Berlin
 
FINRA's Managed Data Lake: Next-Gen Analytics in the Cloud - ENT328 - re:Inve...
FINRA's Managed Data Lake: Next-Gen Analytics in the Cloud - ENT328 - re:Inve...FINRA's Managed Data Lake: Next-Gen Analytics in the Cloud - ENT328 - re:Inve...
FINRA's Managed Data Lake: Next-Gen Analytics in the Cloud - ENT328 - re:Inve...
 
Best Practices for implementing Database Security Comprehensive Database Secu...
Best Practices for implementing Database Security Comprehensive Database Secu...Best Practices for implementing Database Security Comprehensive Database Secu...
Best Practices for implementing Database Security Comprehensive Database Secu...
 
EPM, ERP, Cloud, and On-Premise: All Integration Options Explained
EPM, ERP, Cloud, and On-Premise: All Integration Options ExplainedEPM, ERP, Cloud, and On-Premise: All Integration Options Explained
EPM, ERP, Cloud, and On-Premise: All Integration Options Explained
 
ICIC 2013 New Product Introductions CEPT
ICIC 2013 New Product Introductions CEPTICIC 2013 New Product Introductions CEPT
ICIC 2013 New Product Introductions CEPT
 
Aerospike: Enabling Your Digital Transformation
Aerospike: Enabling Your Digital TransformationAerospike: Enabling Your Digital Transformation
Aerospike: Enabling Your Digital Transformation
 
Converged Everything, Converged Infrastructure delivering business value and ...
Converged Everything, Converged Infrastructure delivering business value and ...Converged Everything, Converged Infrastructure delivering business value and ...
Converged Everything, Converged Infrastructure delivering business value and ...
 
Oracle Database Appliance, ODA, X7-2 portfolio.
Oracle Database Appliance, ODA, X7-2 portfolio.Oracle Database Appliance, ODA, X7-2 portfolio.
Oracle Database Appliance, ODA, X7-2 portfolio.
 
MySQL 8.0 in a nutshell
MySQL 8.0 in a nutshellMySQL 8.0 in a nutshell
MySQL 8.0 in a nutshell
 
State ofdolphin short
State ofdolphin shortState ofdolphin short
State ofdolphin short
 
Apache Spark and Apache Ignite: Where Fast Data Meets IoT
Apache Spark and Apache Ignite: Where Fast Data Meets IoTApache Spark and Apache Ignite: Where Fast Data Meets IoT
Apache Spark and Apache Ignite: Where Fast Data Meets IoT
 
Synectiks Microservice Platform
Synectiks Microservice PlatformSynectiks Microservice Platform
Synectiks Microservice Platform
 
Servereless Jobs with AWS Lambda
Servereless Jobs with AWS LambdaServereless Jobs with AWS Lambda
Servereless Jobs with AWS Lambda
 
STG314-Case Study Learn How HERE Uses JFrog Artifactory w Amazon EFS Support ...
STG314-Case Study Learn How HERE Uses JFrog Artifactory w Amazon EFS Support ...STG314-Case Study Learn How HERE Uses JFrog Artifactory w Amazon EFS Support ...
STG314-Case Study Learn How HERE Uses JFrog Artifactory w Amazon EFS Support ...
 
Postgres Vision 2018: Making Modern an Old Legacy System
Postgres Vision 2018: Making Modern an Old Legacy SystemPostgres Vision 2018: Making Modern an Old Legacy System
Postgres Vision 2018: Making Modern an Old Legacy System
 
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
Monitoring Application Attack Surface to Integrate Security into DevOps Pipel...
 

Último

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 

Último (20)

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 

Securing Search Index with Searchable Encryption

  • 1. © Hitachi Solutions America, Ltd. 2017. All rights reserved. Zero-Knowledge Technologies for the CloudJune 7, 2017 NYC Apache Lucene/Solr Meetup
  • 2. © Hitachi Solutions America, Ltd. 2017. All rights reserved. 1 Security Needs for Search Engine  Gathered in one place  Pre-processed in useful form  Shows relativity between data Index Data is Valuable
  • 3. © Hitachi Solutions America, Ltd. 2017. All rights reserved. 2 Data Breach is Real  $4 million cost in average  29% increased cost since 2013  Only 25% is human error Security Needs for Search Engine
  • 4. © Hitachi Solutions America, Ltd. 2017. All rights reserved. 3 Index Data Encryption  Thicker walls are not enough to protect credential data any more.  Effective protection even after the attackers break in is required. Security Needs for Search Engine
  • 5. © Hitachi Solutions America, Ltd. 2017. All rights reserved. 4 Security Needs for Search Engine Use FDE platform Customization by engine integrator Lucene 6966 Existing Encryption Solution
  • 6. © Hitachi Solutions America, Ltd. 2017. All rights reserved. 5 Security Needs for Search Engine Keys are accessible for server Server side encryption Decrypt for every search Problem of Existing Solution
  • 7. © Hitachi Solutions America, Ltd. 2017. All rights reserved. 6 Overview of Credeon SFS is a product developed by Hitachi Solutions in Japan, based on an advanced cryptographic scheme born in the research lab of Hitachi. Credeon Secure Full-text Search
  • 8. © Hitachi Solutions America, Ltd. 2017. All rights reserved. 7 Overview of Credeon SFS Keys are inaccessible for server Client side encryption Search without decryption Main Goal of Credeon SFS
  • 9. © Hitachi Solutions America, Ltd. 2017. All rights reserved. 8 Overview of Credeon SFS How dose Credeon SFS Work Credeon Codec Credeon Plugin Update Handler Search Component Request Handler Postings Format Stored Fields Format
  • 10. © Hitachi Solutions America, Ltd. 2017. All rights reserved. Client Side Server Side 9 Scheme like Lucene 6966 Encryption Scheme Upload Create Index Decrypt Encrypt Return Result QUERY ? QUERY ?Send Query Search
  • 11. © Hitachi Solutions America, Ltd. 2017. All rights reserved. 10 Scheme of Credeon SFS Encryption Scheme Key Management Server Client Side Server Side QUERY ? QUERY ? Create Index Create Query Decrypt Result Decrypt Upload Search
  • 12. © Hitachi Solutions America, Ltd. 2017. All rights reserved. 11 A Patent Cryptographic Technology Developed by Hitachi R&D Searchable Encryption Secure Practical
  • 13. © Hitachi Solutions America, Ltd. 2017. All rights reserved. 12 Searchable Encryption How Secure×Practical  AES 256 (FIPS 140-2)  Probabilistic Encryption  AES Encryption Speed  None Linear to Data Size Probabilistic Plain Encrypted Apple Banana Banana Banana Coconut $k24J$jX K#$#J%K^ G%jQ%K9( HFv9hbvn !=v[h-u Terms in Index SearchTime Plain Text Search Encrypted Search
  • 14. © Hitachi Solutions America, Ltd. 2017. All rights reserved. 13 Mechanism Searchable Encryption
  • 15. © Hitachi Solutions America, Ltd. 2017. All rights reserved. 14 Current Model As a Product text keyword result Searchable Storage Storage Client Server App Server OS No Encryption OS Encryption Simple Encryption with ES/Solr Client-Side Credeon SFS with ES/Solr Credeon SFS with ES/Solr Security Level No Security Decryption at storage layer  Difficult to separate key Decrypt first and match  Very slow  plaintext in memory Match first and decrypt  Key separation  High Performance  Semantically Secure  plaintext in memory Client Client Decryption at client-side  Key separation  High Performance  Semantically Secure  no plaintext on server Storage value Storage value text keyword result Client ES/Solr/Lucene ES/Solr/Lucene File System Encryption value text keyword result ES/Solr/Lucene Simple Encryption Client value text keyword result ES/Solr/Lucene Encryption Client value text keyword result Searchable Encryption Storage ES/Solr/Lucene IndexIndexIndexIndexIndex
  • 16. © Hitachi Solutions America, Ltd. 2017. All rights reserved. 15 Performance As a Product Plain Credeon Credeon/Plain Indexing Time (s) 1,643 4,835 2.9 Search Time (ms) 16 19 1.2 Index Size (MB) 2,941 5,011 1.7 CPU Core i5 2.4GHz Mem 8GB OS Ubuntu 14.04 LTD Engine App Solr 5 Data Wikipedia Pages 10GB (13,800,000 terms) TestEnvironmentResult
  • 17. © Hitachi Solutions America, Ltd. 2017. All rights reserved. 16 Limitation As a Product Type Feature Encrypted Field Plain Field Search Schema Core type, Copy field, Dynamic field Yes Yes Index Indexing, Delete, Update Yes Yes Search N-Gram, Lower case, Phonetic, Stop, Trim, Filter Query, Boost, Boolean, Stemmer, Phrase Yes Yes Pattern, Wildcard, Range, Grouping, Spatial search No Yes Result Relevance, Sort*1, Highlighting*2, Pagination, Yes Yes Spell check, Suggester, More like this No Yes Facet Query faceting, Field-value faceting, Range faceting No Yes Caching Filter cache, Query result cache Yes Yes Field cache No Yes Analyzer, Tokenizer, Filter, Transform, Response writer Yes*3 Yes Cloud Yes Yes Encryption Terms (.tim/.tip/.doc/.pos/.pay) Encrypted N/A Stored field (.fdt) Encrypted N/A Meta data Plain N/A Search keyword Encrypted N/A Transaction log Plain N/A *1: Only with Score *2: Except FastVectorHighlighter *3: Need to evaluate
  • 18. © Hitachi Solutions America, Ltd. 2017. All rights reserved. 17  Setup  Upload  Search  Select Encryption Fields  Use Multiple Keys  Others Demo
  • 19. © Hitachi Solutions America, Ltd. 2017. All rights reserved. 18 Thanks for Listening Tong Ye tye@hitachisolutions.com Harry Ochiai hochiai@hitachisolutions.com @credeon https://psg.hitachi-solutions.com/credeon/secure-full-text-search