zettaset elastic big data security for greenplum database
Post on 16-Apr-2017
The information provided in this document constitutes confidential and proprietary information of Zettaset, Inc. You may not disclose, use, reproduce or distribute this document (or any portion thereof) without Zettaset's prior written authorization. Further, as between you and Zettaset, Zettaset owns all right, title and interest in and to this document (together with any and all related intellectual property rights).
Zettaset Elastic Big Data Security for Enterprises
October 2016
Agenda
• Introducing Zettaset
• What problems Zettaset solutions address
• Zettaset Encryption Suite
• Key Management and Key Administration
• Zettaset Big Data Encrypt (BDE)
• BDE Data-at-Rest Overview and Architecture
• BDE Data-in-Motion Overview and Architecture
• Q&A
© 2016 Zettaset, Inc. | Proprietary and Confidential
Zettaset: Born in Big Data
Zettaset™ Big Data encryption solutions protect and assure the integrity of critical data, on-premises and in the cloud
Specifically designed for optimized scalability and performance in today’s distributed computing systems and Big Data environments
Ideally suited for elastic cloud deployments, massive volumes of structured / unstructured content
Software-based approach to encryption key management and hardware security modules sets new bar for ease of administration combined with significant TCO advantages
What Problems with Existing Technology Does Zettaset Address?
Data-centric security solutions for Big Data and Cloud environments must not suffer the same drawbacks that make legacy solutions irrelevant, namely:
• Inability to adapt to elastic environments
• Inability to adapt to distributed architectures
• Lack of automation
• Scalability issues
• Performance issues
• Inability to adapt to multiple databases, file systems
• Intrusive implementations
A Software-Based Approach to Data Encryption
• In today’s competitive economy, data is the primary asset enterprises and individuals possess
• In cloud computing, the foremost concern is data integrity, confidentiality and privacy
• The only way to secure databases on virtual machines or in cloud environments, without sacrificing the huge benefits of these new architectures, is to use software-based solutions that share the elasticity of virtual machines and cloud computing
Zettaset Encryption Suite: Optimized for Protection, Performance and Scalability in Big Data Distributed Systems and the Elastic Cloud
• High performance volume-level encryption for Hadoop, NoSQL, and Relational data stores
• Granular, authenticated file-level encryption for HDFS and S3, plus added data integrity protection
Data-at-Rest Encryption Layers
• Application: Direct integration with encrypt and decrypt API
• Database (RDBMS): Transparent to applications with integration to crypto API
• File System: Files and directories that are part of database
• Disk: Partition-level or entire disk
• Self-Encrypting Drive (SED): Transparent to all layers above
Key Manager
Key Management for Big Data: Old Rules Don’t Apply
• Basic roles of key manager and hardware security module (HSM) no longer sufficient
– Provide secure storage
– Protect and retrieve keys
• Scale and volume of Big Data and complexity of cloud require a more comprehensive approach to key management and administration
• Automation of features, like node removal and key revocation
• Policy creation and enforcement
• Key rotation without re-encryption
• Per-user granularity
"Key management is the hardest part of cryptography and often the Achilles' heel of an otherwise secure system." - Bruce Schneier, Cryptographer and Security Expert, Berkman Center for Internet & Society at Harvard Law School
BDEncrypt™: Performance and Scalability in Any Big Data Environment: NoSQL, Relational, and Hadoop
Diagram labels: V-Key Mgr, V-HSM
• Data-at-Rest
• Data-in-Motion
• Certificate Authority
• Advanced, automated key management
• Certificates generated automatically during install
• Admin can revoke all certificates on a node to securely remove that node
Data-at-Rest
• Measured 3% performance impact
• Encrypts all existing data regardless of media
• Encrypts data on any disks – avoids premium SED costs and offers integrated key management
• Standalone, turnkey solution or can integrate and leverage existing infrastructure
• Transparent to the file system
• AES 256-bit standard for optimum security
Data-in-Motion
• Measured 7% performance impact
• Secures all connections between cluster nodes, and between cluster and management console
• Eliminates possibility of unauthorized access by anyone within corporate network or server cluster
• Ensures networking connections are secure within encrypted and authenticated tunnel
Installer
• Command-line installer supports distributed installation
• Driven by inventory file
• Easily integrated in complex installation flow
• Uses Ansible
• Requires SSH trust configuration
Installer Architecture
Diagram: the Installer Host reads the inventory file and, over SSH trust, performs package deployment and configuration deployment to node01, node02 and node03.
Inventory file:
[hosts]
node01
node02
node03
Data at Rest Encryption
• High performance partition level encryption
• KMIP-compliant Key Manager with passive backup (HA is in development)
• PKCS#11-compliant Software HSM
• Encryption takes place in the kernel
• Partition key is obtained at boot time and kept in the kernel
• Nodes can be removed by revoking node certificates
• Command-line installer supports distributed installations
• Easy to add nodes
• Ability to preserve existing data, encrypt in place
• Presented as raw encrypted device, can be formatted as any file system
Data at Rest Encryption Architecture
Diagram: layered stack, bottom to top:
• Raw Device
• DMCRYPT kernel module (Kernel Space)
• Raw Encrypted Device (LUKS)
• File System (e.g. ext4)
• Database (e.g. Greenplum) (User Space)
Supporting components: HSM, Key Manager, Node Certificate, Certificate Authority
Installation Steps
• Get license file from Zettaset
• Establish SSH trust between nodes
• Stop firewall
• Install prerequisites
• Edit or generate inventory file (hosts.inv)
– List of nodes to install on
– Encrypted partition(s) configuration on every node
– HSM PIN
– Internal CA
• Run pre-installation checks
– $ ./install_zts-dar.sh -i hosts.inv check
• Run installation
– $ ./install_zts-dar.sh -i hosts.inv install -vv
Post-Installation Checks
$ more /var/lib/zts/slave/crypt1/data.txt
$ dd if=/dev/sdc1 | strings | grep AAAAA
The first command reads the test file through the mounted file system, where its contents are readable; the second scans the raw partition underneath (here /dev/sdc1) for the same plaintext and should print nothing, because only ciphertext reaches the disk.
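The two commands above, generalised into a repeatable check, as an added example that is not part of the deck or Zettaset's tooling: it writes a known marker through the mounted file system, scans the backing block device for that plaintext (which must not be found) and confirms the device carries a LUKS header. The mount path and device are taken from the slide and assumed to be the crypt1 mount and its backing partition.

```python
import os

LUKS_MAGIC = b"LUKS\xba\xbe"   # first bytes of a LUKS1/LUKS2 header
CHUNK = 4 * 1024 * 1024        # scan the device 4 MiB at a time


def has_luks_header(device: str) -> bool:
    """True if the raw device begins with the LUKS magic."""
    with open(device, "rb") as dev:
        return dev.read(len(LUKS_MAGIC)) == LUKS_MAGIC


def device_contains(device: str, marker: bytes) -> bool:
    """Scan the raw device for marker; carry a tail so a marker straddling a chunk boundary is found."""
    if not marker:
        raise ValueError("marker must be non-empty")
    tail = b""
    with open(device, "rb") as dev:
        while True:
            chunk = dev.read(CHUNK)
            if not chunk:
                return False
            if marker in tail + chunk:
                return True
            tail = chunk[-(len(marker) - 1):] if len(marker) > 1 else b""


def write_marker(mount_dir: str, marker: bytes, name: str = "data.txt") -> str:
    """Write the marker through the mounted (decrypted) file system and fsync it to disk."""
    path = os.path.join(mount_dir, name)
    with open(path, "wb") as fh:
        fh.write(marker + b"\n")
        fh.flush()
        os.fsync(fh.fileno())
    return path


def check_at_rest(mount_dir: str, device: str,
                  marker: bytes = b"AAAAA" * 64) -> dict:
    """Run the whole check; both values must be True on a healthy node."""
    write_marker(mount_dir, marker)
    return {
        "luks_header_present": has_luks_header(device),
        "plaintext_absent_on_device": not device_contains(device, marker),
    }


if __name__ == "__main__":
    # Slide paths (assumed: crypt1 mount and its backing partition); needs root.
    print(check_at_rest("/var/lib/zts/slave/crypt1", "/dev/sdc1"))
```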
Data in Motion Encryption
• All cluster communications are secured
• Can be applied to any network interface
• KMIP-compliant key manager with passive backup
• PKCS#11-compliant Software HSM
• Command-line installer supports distributed installations
• Based on standard Linux tools
Data in Motion Encryption Architecture
Diagram: inside the KERNEL, the Security Policy Database selects which Data Packets are protected and the Security Association Database holds the negotiated keys and parameters for each tunnel; the Internet Key Exchange Daemon negotiates those security associations. Supporting components: HSM, Key Manager, Node Certificate, Certificate Authority.
Data Packet
Installation Steps
• Get license file from Zettaset
• Establish SSH trust between nodes
• Stop firewall
• Install prerequisites
• Edit or generate inventory file (hosts.inv)
– List of nodes to encrypt traffic on
– Network interfaces to encrypt traffic on
– HSM PIN
– Internal CA
• Run pre-installation checks
– $ ./install_zts-dim.sh -i hosts.inv check
• Run installation
– $ ./install_zts-dim.sh -i hosts.inv install -vv
Post-Install Checks with tcpdump
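A check for the tcpdump step, as an added example that is not part of the deck: it parses `tcpdump -n` output captured on a cluster interface and reports any packet between two cluster nodes that is neither ESP nor IKE, i.e. traffic that bypassed the encrypted tunnel. The sample capture lines and the node addresses are constructed.

```python
import re
from collections import Counter

# Default `tcpdump -n` line: "<ts> IP <src> > <dst>: <rest>"; endpoints may
# carry a trailing ".port". Only IPv4 endpoints are split into host and port.
_LINE = re.compile(r"^\S+ IP6? (\S+) > (\S+): (.*)$")

def split_host_port(endpoint: str) -> tuple:
    """'10.0.0.1.500' -> ('10.0.0.1', 500); '10.0.0.1' -> ('10.0.0.1', None)."""
    parts = endpoint.split(".")
    if len(parts) == 5 and parts[-1].isdigit():
        return ".".join(parts[:4]), int(parts[-1])
    return endpoint, None

def classify(rest: str) -> str:
    """Class of a packet from the text after 'src > dst:'."""
    if "ESP(" in rest:        # IPsec ESP, also inside UDP-encap (NAT-T) frames
        return "esp"
    if "isakmp" in rest:      # IKE negotiation on UDP 500/4500
        return "ike"
    return "cleartext"

def audit(lines, cluster_nodes):
    """Return (packet counts by class, cleartext lines between cluster nodes).
    Packets with one end outside the cluster are counted but not reported."""
    counts, findings = Counter(), []
    for line in lines:
        m = _LINE.match(line.strip())
        if not m:
            continue
        src, _ = split_host_port(m.group(1))
        dst, _ = split_host_port(m.group(2))
        kind = classify(m.group(3))
        counts[kind] += 1
        if kind == "cleartext" and src in cluster_nodes and dst in cluster_nodes:
            findings.append(line.strip())
    return counts, findings

# Constructed sample capture; 10.0.0.x hosts form the cluster, 192.168.1.50 does not.
CLUSTER = {"10.0.0.1", "10.0.0.2", "10.0.0.3"}
SAMPLE = """\
12:00:01.000001 IP 10.0.0.1 > 10.0.0.2: ESP(spi=0x0000a1b2,seq=0x1), length 132
12:00:01.000002 IP 10.0.0.1.500 > 10.0.0.3.500: isakmp: parent_sa ikev2_init[I]
12:00:01.000003 IP 10.0.0.2.5432 > 10.0.0.1.40123: Flags [P.], seq 1:100, ack 1, length 99
12:00:01.000004 IP 10.0.0.1.22 > 192.168.1.50.51000: Flags [P.], seq 1:50, ack 1, length 49
"""

if __name__ == "__main__":
    print(audit(SAMPLE.splitlines(), CLUSTER))
```

On a real node, feed it `tcpdump -n -i <interface>` output and the set of cluster addresses from the inventory file; an empty findings list means no cleartext passed between nodes during the capture.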
Removing Node(s) from a Cluster
• To remove one or more nodes, their certificates must be revoked, so the KMIP server no longer issues keys to those nodes
• Get list of currently enabled hosts
– $ /usr/share/zts/bin/zts.ca list-hosts
• Revoke node certificates
– $ /usr/share/zts/bin/zts.ca revoke-host node15
• Data at Rest: node will stop functioning on next reboot
• Data in Motion: active connections will be dropped
Thank You!