sqrrl november webinar: encryption and security in accumulo
Post on 18-Oct-2014
46 views
DESCRIPTION
Tightening Your Trusted Zone: Encryption for Accumulo. In this webinar we will provide a technical deep dive into the NoSQL database Apache Accumulo. Some of the topics that will be covered include: encryption in motion, encryption at rest, trust boundaries.TRANSCRIPT
Securely explore your data
ENCRYPTION AND SECURITY IN ACCUMULO AND SQRRL
Michael Allen Security Architect Sqrrl Data, Inc. [email protected]
ISN’T ACCUMULO ALREADY SECURE?
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
I MEAN, THESE SMART GALS AND GUYS MADE IT…
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
(Undisclosed location)
Sou
rce:
wik
iped
ia.o
rg.
Pub
lic d
omai
n
CELL-LEVEL SECURITY
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
CELL-LEVEL SECURITY
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
CELL-LEVEL SECURITY
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
WHAT’S THE THREAT?
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
A TYPICAL DEPLOYMENT
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
A TYPICAL DEPLOYMENT
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
(…ignoring master nodes, name nodes, garbage collectors, other ephemera…)
A TYPICAL CAST
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
THREATS INSIDE AND OUT
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
WHO CAN WE PUSH OUT?
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
HOW?
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
ENCRYPTION
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
IN MOTION AND AT REST
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
IT’S NOT…
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
Sou
rce:
http
://bi
t.ly/
HqS
cSr.
Cre
ativ
e C
omm
ons,
A
ttrib
utio
n.
FUNDAMENTAL QUESTIONS
What are you encrypting?
How are you encrypting it?
How are you protecting the key?
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
ACCUMULO 1.6
SSL for Accumulo Clients
Encrypting data within HDFS
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
SSL AND ACCUMULO
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
ACCUMULO-1009
Patch that adds configuring and using SSL certificates
MAKE YOUR CERTS
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
CONFIGURE YOUR SERVERS
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
CONFIGURE YOUR SERVERS
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
DISTRIBUTE YOUR CERTS
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
DISTRIBUTE YOUR ROOTS
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
ENJOY YOUR SSL
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
ENCRYPTION AT REST
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
ACCUMULO-998
Patch that adds encryption for Rfiles and WAL
ENCRYPTION AT REST
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
Uses Java Cryptography Extensions (JCE) for encryption
interface / engine
(Guess what? It’s pluggable.)
BEHIND THE SCENES
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
BEHIND THE SCENES
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
BEHIND THE SCENES
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
BEHIND THE SCENES
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
WHERE DOES THAT KEY GO?
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
WHERE DOES THAT KEY GO?
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
WHERE DOES THAT KEY GO?
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
PLUGGABLE STRATEGY
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
• Java class that mediates access to KEK
• Encrypts and decrypts per-file keys
• Passes back to callers opaque ID to identify KEK used to do encryption
• Callers should store opaque ID along with encrypted key
PLUGGABLE STRATEGY
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
PLUGGABLE STRATEGY
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
CONFIGURATION OPTIONS
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
Property Name “Usual” Value Meaning
!"#$%&'(&)*+,'!+-../ &"0'-$-!1,'-!!*(*+&'/!&",'.,!*"2%#'!"#$%&'/3,4-*+%5"#$%&6&)*+,/
The class that creates encrypting and decrypting data streams
!"#$%&'!2$1,"'.*2%, 789:5;<:=>59?=-))2@0/ Encryption algorithm spec
!"#$%&'!2$1,"'A,#'+,@0%1 BCD/ Key length
!"#$%&'(&)*+,'!+-../ &"0'-$-!1,'-!!*(*+&'/!&",'.,!*"2%#'!"#$%&'/3,4-*+%9,!",%E>,#8@!"#$%2&@9%"-%,0#/
Class that mediates access to KEK
REDUCED THREAT
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
REDUCED THREAT
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
TOWARDS THE FUTURE
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
