accumulo summit 2014: past and future threats: encryption and security in accumulo


Post on 06-May-2015


DESCRIPTION

Speaker: Michael Allen

The early Accumulo developers made security a core part of Accumulo's codebase. As the open source community around Accumulo continues to thrive, this talk examines the current state of Accumulo's security features. The talk will detail some exciting developments in the upcoming 1.6 release, which include enhancements around encryption at rest and in motion. We will also take a broader look at new use cases suggesting a wider set of threats, and how current and future work addresses those threats.

TRANSCRIPT

1. Securely explore your data. ENCRYPTION AND SECURITY IN ACCUMULO. Michael Allen, Security Architect, Sqrrl Data, Inc. [email protected]
2. ISN'T ACCUMULO ALREADY SECURE? 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
3. I MEAN, THESE SMART GALS AND GUYS MADE IT (Undisclosed location) Source: wikipedia.org. Public domain.
4-6. CELL-LEVEL SECURITY (three slides)
7. WHAT'S THE THREAT?
8. A TYPICAL DEPLOYMENT
9. A TYPICAL DEPLOYMENT (ignoring master nodes, name nodes, garbage collectors, other ephemera)
10. A TYPICAL CAST
11. THREATS INSIDE AND OUT
12. WHO CAN WE PUSH OUT?
13. HOW?
14. ENCRYPTION
15. IN MOTION AND AT REST
16. IT'S NOT. Source: http://bit.ly/HqScSr. Creative Commons, Attribution.
17. FUNDAMENTAL QUESTIONS: What are you encrypting? How are you encrypting it? How are you protecting the key(s)?
18. ACCUMULO 1.6: SSL for Accumulo clients and servers; encrypting data within HDFS.
19. SSL FOR ACCUMULO: You need certificates: OpenSSL (LibreSSL?), Java keytool.
20. MAKE YOUR CERTS
21-22. CONFIGURE YOUR SERVERS (two slides)
23. DISTRIBUTE YOUR CERTS
24. DISTRIBUTE YOUR ROOTS
25. ENJOY YOUR SSL
26. ENCRYPTION AT REST: Uses Java Cryptography Extensions (JCE) for the encryption interface / engine. (Guess what? It's pluggable.)
27-33. BEHIND THE SCENES (seven slides)
34-36. WHERE DOES THAT KEY GO? (three slides)
37. PLUGGABLE STRATEGY: A Java class that mediates access to the KEK. It encrypts and decrypts per-file keys, and passes back to callers an opaque ID that identifies the KEK used to do the encryption. Callers should store the opaque ID along with the encrypted key.
38-39. PLUGGABLE STRATEGY (two slides)
40. CONFIGURATION OPTIONS (property name, usual value, meaning):
    crypto.module.class
      Usual value: org.apache.accumulo.core.security.crypto.DefaultCryptoModule
      Meaning: the class that creates encrypting and decrypting data streams
    crypto.cipher.suite
      Usual value: AES/CFB/NoPadding
      Meaning: encryption algorithm spec
    crypto.cipher.key.length
      Usual value: 128
      Meaning: key length
    crypto.module.class
      Usual value: org.apache.accumulo.core.security.crypto.CachingHDFSSecretKeyEncryptionStrategy
      Meaning: class that mediates access to the KEK
41-42. REDUCED THREAT (two slides)
43. TOWARDS THE FUTURE
44. @supermallen [email protected]
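As an added example (not code from the talk and not Accumulo's own implementation), the Java sketch below shows the pattern slides 37 and 40 describe: a strategy object mediates access to a KEK, wraps and unwraps per-file keys with the slide's AES/CFB/NoPadding and 128-bit settings, and returns an opaque KEK id that callers store beside the wrapped key so the right KEK is found after a rotation. The class name, the in-memory key store and the id strings are assumptions for illustration; Accumulo's real strategy interface is not reproduced here, and the record syntax needs Java 16 or later.

```java
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Illustrative key-encryption strategy (hypothetical class, not Accumulo's interface).
public class KekStrategyDemo {
  // What a caller stores beside the encrypted file: opaque KEK id, IV, wrapped file key.
  record WrappedKey(String kekId, byte[] iv, byte[] ciphertext) {}
  // Constructed in-memory store, opaque id -> KEK; a real deployment keeps KEKs in HDFS or a KMS.
  private final Map<String, SecretKey> keks = new HashMap<>();
  private final SecureRandom rng = new SecureRandom();
  static SecretKey newAesKey() throws GeneralSecurityException {
    KeyGenerator kg = KeyGenerator.getInstance("AES");
    kg.init(128);                       // crypto.cipher.key.length = 128, as on the slide
    return kg.generateKey();
  }
  void addKek(String id) throws GeneralSecurityException { keks.put(id, newAesKey()); }
  // Encrypt a per-file key under the KEK named by kekId, using the slide's cipher suite.
  WrappedKey wrapFileKey(String kekId, SecretKey fileKey) throws GeneralSecurityException {
    SecretKey kek = keks.get(kekId);
    if (kek == null) throw new IllegalArgumentException("unknown KEK id " + kekId);
    byte[] iv = new byte[16];
    rng.nextBytes(iv);                  // fresh random IV per wrap; CFB must never reuse one
    Cipher c = Cipher.getInstance("AES/CFB/NoPadding");
    c.init(Cipher.ENCRYPT_MODE, kek, new IvParameterSpec(iv));
    return new WrappedKey(kekId, iv, c.doFinal(fileKey.getEncoded()));
  }
  // The stored opaque id selects the KEK, so files wrapped before a KEK rotation still open.
  SecretKey unwrapFileKey(WrappedKey w) throws GeneralSecurityException {
    SecretKey kek = keks.get(w.kekId());
    if (kek == null) throw new IllegalStateException("KEK " + w.kekId() + " is no longer available");
    Cipher c = Cipher.getInstance("AES/CFB/NoPadding");
    c.init(Cipher.DECRYPT_MODE, kek, new IvParameterSpec(w.iv()));
    return new SecretKeySpec(c.doFinal(w.ciphertext()), "AES");
  }
  public static void main(String[] args) throws GeneralSecurityException {
    KekStrategyDemo s = new KekStrategyDemo();
    s.addKek("kek-v1");
    SecretKey fileKey = newAesKey();
    WrappedKey stored = s.wrapFileKey("kek-v1", fileKey);
    s.addKek("kek-v2");                 // rotation: new files would name kek-v2; the old record still names kek-v1
    System.out.println(Arrays.equals(fileKey.getEncoded(), s.unwrapFileKey(stored).getEncoded()));
  }
}
```

If the KEK named in a stored record has been removed from the store, unwrapping fails loudly rather than silently trying a different key, which is the failure mode the "where does that key go?" slides are about.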