Zettaset Elastic Big Data Security for Greenplum Database

Here are the slides for Greenplum Chat #8. You can view the replay here: https://www.youtube.com/watch?v=FKFiyJDgdQk

The increased frequency and sophistication of high-profile data breaches and malicious hacking is putting organizations at continued risk of data theft and significant business disruption. Complicating this scenario is the unbounded growth of Big Data and petabyte-scale data storage, new open source database and distribution schemes, and the continued adoption of cloud services by enterprises.

Pivotal Greenplum customers often look for additional encryption of data-at-rest and data-in-motion. The massively parallel processing (MPP) architecture of Pivotal Greenplum is unlike traditional OLAP on an RDBMS for data warehousing, so encryption capabilities must address the scale-out architecture.

The Zettaset Big Data Encryption Suite has been designed for optimal performance and scalability in distributed Big Data systems like Greenplum Database and Apache HAWQ.

Here is a replay of our recent Greenplum Chat with Zettaset:

00:59 What is Greenplum’s approach for encryption and why Zettaset?
02:17 Results of field testing Zettaset with Greenplum
03:50 Introduction to Zettaset, the security company
05:36 Overview of Zettaset and their solutions
14:51 Different layers for encrypting data at rest
16:50 Encryption key management for big data
20:51 Zettaset BD Encrypt for data at rest and data in motion
22:19 How to mitigate encryption overhead with an MPP scale-out system
24:12 How to deploy BD Encrypt
25:50 Deep dive on data at rest encryption
30:44 Deep dive on data in motion encryption
36:72 Q: How does Zettaset deal with encrypting Greenplum's multiple interfaces?
38:08 Q: Can I encrypt data for a particular column?
40:26 How Zettaset fits into a security strategy
41:21 Q: What is the performance impact on queries by encrypting the entire database?
43:28 How Zettaset helps Greenplum meet IT compliance requirements
45:12 Q: How authentication for keys is obtained
48:50 Q: How can Greenplum users try out Zettaset?
50:53 Q: What is a ‘Zettaset Security Coach’?


  1. Zettaset Elastic Big Data Security for Enterprises, October 2016
     The information provided in this document constitutes confidential and proprietary information of Zettaset, Inc. You may not disclose, use, reproduce or distribute this document (or any portion thereof) without Zettaset's prior written authorization. Further, as between you and Zettaset, Zettaset owns all right, title and interest in and to this document (together with any and all related intellectual property rights).
  2. Agenda
     • Introducing Zettaset
     • What problems Zettaset solutions address
     • Zettaset Encryption Suite
     • Key Management and Key Administration
     • Zettaset Big Data Encrypt (BDE)
     • BDE Data-at-Rest Overview and Architecture
     • BDE Data-in-Motion Overview and Architecture
     • Q&A
     © 2016 Zettaset, Inc. | Proprietary and Confidential
  3. Zettaset: Born in Big Data
     Zettaset™ Big Data encryption solutions protect and assure the integrity of critical data, on-premises and in the cloud.
     • Specifically designed for optimized scalability and performance in today's distributed computing systems and Big Data environments
     • Ideally suited for elastic cloud deployments and massive volumes of structured / unstructured content
     • Software-based approach to encryption key management and hardware security modules sets a new bar for ease of administration combined with significant TCO advantages
  4. What Problems with Existing Technology Does Zettaset Address?
     Data-centric security solutions for Big Data and Cloud environments must not suffer the same drawbacks that make legacy solutions irrelevant, namely:
     • Inability to adapt to elastic environments
     • Inability to adapt to distributed architectures
     • Lack of automation
     • Scalability issues
     • Performance issues
     • Inability to adapt to multiple databases and file systems
     • Intrusive implementations
  5. A Software-Based Approach to Data Encryption
     • In today's competitive economy, data is the primary asset enterprises and individuals possess
     • In cloud computing, the foremost concern is data integrity, confidentiality and privacy
     • The only way to secure databases on virtual machines or in cloud environments, without sacrificing the huge benefits of these new architectures, is to use software-based solutions that share the elasticity of virtual machines and cloud computing
  6. Zettaset Encryption Suite: Optimized for Protection, Performance and Scalability in Big Data Distributed Systems and the Elastic Cloud
     • High-performance volume-level encryption for Hadoop, NoSQL, and relational data stores
     • Granular, authenticated file-level encryption for HDFS and S3, plus added data integrity protection
  7. Data-at-Rest Encryption Layers
     • Application: direct integration with encrypt and decrypt API
     • Database (RDBMS): transparent to applications, with integration to crypto API
     • File System: files and directories that are part of the database
     • Disk: partition-level or entire disk
     • Self-Encrypting Drive (SED): transparent to all layers above
     • Key Manager (shown alongside all layers)
  8. Key Management for Big Data: Old Rules Don't Apply
     • The basic roles of a key manager and hardware security module (HSM) are no longer sufficient
       – Provide secure storage
       – Protect and retrieve keys
     • The scale and volume of Big Data and the complexity of cloud require a more comprehensive approach to key management and administration:
       – Automation of features, like node removal and key revocation
       – Policy creation and enforcement
       – Key rotation without re-encryption
       – Per-user granularity
     "Key management is the hardest part of cryptography and often the Achilles' heel of an otherwise secure system." - Bruce Schneier, Cryptographer and Security Expert, Berkman Center for Internet & Society at Harvard Law School
  9. BDEncrypt™: Performance and Scalability in Any Big Data Environment: NoSQL, Relational, and Hadoop
     Components: V-Key Mgr, V-HSM
     • Data-at-Rest
     • Data-in-Motion
     • Certificate Authority
     • Advanced, automated key management
     • Certificates generated automatically during install
     • Admin can revoke all certificates on a node to securely remove that node
     Data-at-Rest
     • Measured 3% performance impact
     • Encrypts all existing data regardless of media
     • Encrypts data on any disks; avoids premium SED costs and offers integrated key management
     • Standalone, turnkey solution, or can integrate with and leverage existing infrastructure
     • Transparent to the file system
     • AES 256-bit standard for optimum security
     Data-in-Motion
     • Measured 7% performance impact
     • Secures all connections between cluster nodes, and between the cluster and the management console
     • Eliminates the possibility of unauthorized access by anyone within the corporate network or server cluster
     • Ensures networking connections are secure within an encrypted and authenticated tunnel
  10. Installer
     • Command-line installer supports distributed installation
     • Driven by an inventory file
     • Easily integrated into a complex installation flow
     • Uses Ansible
     • Requires SSH trust configuration
  11. Installer Architecture
     • Installer Host deploys to node01, node02, node03
     • Inventory File:
       [hosts]
       node01
       node02
       node03
     • SSH Trust
     • Package Deployment
     • Configuration Deployment
  12. Data at Rest Encryption
     • High-performance partition-level encryption
     • KMIP-compliant Key Manager with passive backup (HA is in development)
     • PKCS#11-compliant Software HSM
     • Encryption takes place in the kernel
     • Partition key is obtained at boot time and kept in the kernel
     • Nodes can be removed by revoking node certificates
     • Command-line installer supports distributed installations
     • Easy to add nodes
     • Ability to preserve existing data: encrypt in place
     • Presented as a raw encrypted device; can be formatted as any file system
  13. Data at Rest Encryption Architecture
     Stack, bottom up:
     • Raw Device
     • DMCRYPT kernel module (kernel space)
     • Raw Encrypted Device (LUKS)
     • File System (e.g. ext4)
     • Database (e.g. Greenplum) (user space)
     Key path: Node Certificate, Certificate Authority, HSM, Key Manager
  14. Installation Steps
     • Get license file from Zettaset
     • Establish SSH trust between nodes
     • Stop firewall
     • Install prerequisites
     • Edit or generate inventory file (hosts.inv)
       – List of nodes to install on
       – Encrypted partition(s) configuration on every node
       – HSM PIN
       – Internal CA
     • Run pre-installation checks
       – $ ./install_zts-dar.sh -i hosts.inv check
     • Run installation
       – $ ./install_zts-dar.sh -i hosts.inv install -vv
  15. Post-Installation Checks
     Write a file with a known plaintext string (here "AAAAA") onto the encrypted volume, then scan the underlying raw partition for that string; on a correctly encrypted volume the string must not be found.
     $ more /var/lib/zts/slave/crypt1/data.txt
     $ dd if=/dev/sdc1 | strings | grep AAAAA
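The post-installation check on slide 15, as an added example that is not Zettaset's tooling: write a marker through the mounted file system, then scan the raw partition for it in fixed-size reads, keeping an overlap so a marker that straddles two reads is still detected. The paths on the slide (/var/lib/zts/slave/crypt1, /dev/sdc1) are what you would pass in production; `self_check()` runs the same logic on constructed image files so it can be tried without a real device.

```python
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB reads keep memory flat on a multi-TB partition

def find_marker(raw_device, marker):
    """Byte offset of the first occurrence of marker in raw_device, or -1 if absent."""
    keep = len(marker) - 1  # carry-over so a marker split across two reads is found
    tail, offset = b"", 0   # offset = position of `tail` within the device
    with open(raw_device, "rb", buffering=0) as dev:
        while True:
            chunk = dev.read(CHUNK)
            if not chunk:
                return -1
            window = tail + chunk
            pos = window.find(marker)
            if pos != -1:
                return offset + pos
            tail = window[-keep:] if keep else b""
            offset += len(window) - len(tail)

def verify_at_rest(mount_point, raw_device, marker, name="data.txt"):
    """Write marker through the mounted file system, sync, then confirm the raw
    device does NOT contain it. True means the volume really is encrypted."""
    with open(os.path.join(mount_point, name), "wb") as fh:
        fh.write(marker)
        fh.flush()
        os.fsync(fh.fileno())
    return find_marker(raw_device, marker) == -1

def self_check():
    """Run the check on constructed stand-in image files (no real devices needed)."""
    # 32-byte marker: the slide's 5-byte "AAAAA" would match random ciphertext
    # by chance about once per terabyte scanned.
    marker = b"ZTS-DAR-CHECK-MARKER-0123456789ab"
    with tempfile.TemporaryDirectory() as tmp:
        mount = os.path.join(tmp, "mnt")
        os.mkdir(mount)
        enc = os.path.join(tmp, "enc.img")      # ciphertext look-alike: random bytes
        with open(enc, "wb") as f:
            f.write(os.urandom(3 * CHUNK))
        plain = os.path.join(tmp, "plain.img")  # marker straddles the 1 MiB boundary
        with open(plain, "wb") as f:
            f.write(os.urandom(CHUNK - 10) + marker + os.urandom(CHUNK))
        return {"encrypted_ok": verify_at_rest(mount, enc, marker),
                "plain_ok": verify_at_rest(mount, plain, marker),
                "plain_offset": find_marker(plain, marker)}
```

Against a live node, `verify_at_rest("/var/lib/zts/slave/crypt1", "/dev/sdc1", b"AAAAA" * 8)` needs read access to the block device and must return True.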
  16. Data in Motion Encryption
     • All cluster communications are secured
     • Can be applied to any network interface
     • KMIP-compliant key manager with passive backup
     • PKCS#11-compliant Software HSM
     • Command-line installer supports distributed installations
     • Based on standard Linux tools
  17. Data in Motion Encryption Architecture
     • Kernel: Security Policy Database, Security Association Database, Data Packet
     • User space: Internet Key Exchange Daemon
     • Key path: Node Certificate, Certificate Authority, HSM, Key Manager
  18. Installation Steps
     • Get license file from Zettaset
     • Establish SSH trust between nodes
     • Stop firewall
     • Install prerequisites
     • Edit or generate inventory file (hosts.inv)
       – List of nodes to encrypt traffic on
       – Network interfaces to encrypt traffic on
       – HSM PIN
       – Internal CA
     • Run pre-installation checks
       – $ ./install_zts-dim.sh -i hosts.inv check
     • Run installation
       – $ ./install_zts-dim.sh -i hosts.inv install -vv
  19. Post-Install Checks with tcpdump
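The tcpdump check on slide 19, as an added example that is not Zettaset's tooling. Slide 17's IKE daemon plus the Security Policy and Security Association Databases are the IPsec components, so after installation every packet between two cluster nodes should be either ESP (encrypted payload) or IKE (UDP 500/4500); anything else between two cluster addresses is plaintext that the tunnel is not covering. The capture lines and the cluster addresses are constructed sample input, and the Greenplum port 5432 is assumed.

```python
import re

# One `tcpdump -n` line: "HH:MM:SS.usec IP src[.port] > dst[.port]: rest".
LINE = re.compile(r"^\S+ IP (\d+\.\d+\.\d+\.\d+)(?:\.(\d+))? > "
                  r"(\d+\.\d+\.\d+\.\d+)(?:\.(\d+))?: (.*)$")

def classify(line):
    """Return (src, dst, kind) with kind in {"esp", "ike", "plaintext"}, or None."""
    m = LINE.match(line)
    if not m:
        return None
    src, sport, dst, dport, rest = m.groups()
    if rest.startswith("ESP(") or "UDP-encap: ESP(" in rest:
        kind = "esp"        # payload travels inside an IPsec ESP packet
    elif "isakmp" in rest and {sport, dport} & {"500", "4500"}:
        kind = "ike"        # key exchange between the IKE daemons
    else:
        kind = "plaintext"
    return src, dst, kind

def audit(lines, cluster):
    """Lines carrying plaintext between two cluster nodes (empty list == pass)."""
    leaks = []
    for line in lines:
        parsed = classify(line)
        if parsed and parsed[0] in cluster and parsed[1] in cluster \
                and parsed[2] == "plaintext":
            leaks.append(line)
    return leaks

# Constructed sample capture, not a real trace: .11 and .12 talk IKE and ESP
# only, but .11 still sends plaintext to the Greenplum port on .13. Traffic
# to a non-cluster address is out of scope for this check.
SAMPLE = """\
10:01:02.000001 IP 10.0.0.11.500 > 10.0.0.12.500: isakmp: parent_sa ikev2_init[I]
10:01:02.000500 IP 10.0.0.12.500 > 10.0.0.11.500: isakmp: parent_sa ikev2_init[R]
10:01:03.100000 IP 10.0.0.11 > 10.0.0.12: ESP(spi=0xc0a1b2c3,seq=0x1), length 148
10:01:03.100400 IP 10.0.0.12 > 10.0.0.11: ESP(spi=0xd4e5f607,seq=0x1), length 148
10:01:04.000000 IP 10.0.0.11.40000 > 10.0.0.13.5432: Flags [P.], seq 1:88, ack 1, win 229, length 87
10:01:05.000000 IP 10.0.0.11.48000 > 203.0.113.9.443: Flags [S], seq 12345, win 29200, length 0
"""
CLUSTER = {"10.0.0.11", "10.0.0.12", "10.0.0.13"}

if __name__ == "__main__":
    for leak in audit(SAMPLE.splitlines(), CLUSTER):
        print("PLAINTEXT between cluster nodes:", leak)
```

On a real node, feed it `tcpdump -n -i <encrypted interface>` output and the set of cluster addresses from hosts.inv; an empty result is the pass condition.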
  20. Removing node(s) from a cluster
     • To remove one or more nodes, their certificates must be revoked, so that the KMIP server no longer issues keys to those nodes
     • Get the list of currently enabled hosts
       – $ /usr/share/zts/bin/zts.ca list-hosts
     • Revoke node certificates
       – $ /usr/share/zts/bin/zts.ca revoke-host node15
     • Data at Rest: the node will stop functioning on its next reboot
     • Data in Motion: active connections will be dropped
  21. Thank You!

Notes

  • Additional benefits and features:

    Automated key management: Integration with HSM via PKCS#11 and Key Management servers via KMIP
    Distribution and database transparent: works on any HDFS installation that supports extended attributes
    Multiple file system support, including HDFS, GPFS, Isilon OneFS
    Kerberos integration
    Transparent command-line and application support