Upload
sqrrl
View
214
Download
3
Tags:
Embed Size (px)
DESCRIPTION
In this talk, Adam Fuchs, the CTO of Sqrrl and co-founder of the Accumulo project discusses some of the lessons learned for properly architecting, applying, and managing cell-level security labels in customer environments.
Citation preview
Securely explore your data
BREAKING DOWN DATA SILOS WITH SQRRL ENTERPRISE
Adam Fuchs CTO: Sqrrl Data, Inc. February 26, 2014
DATABASES ARE GREAT! • Decouple data providers and consumers • Enable independent development
Database
Data Provider Data Consumer
... but how can we handle complex security policies?
© 2014 Sqrrl | All Rights Reserved 2
COMPLEX SECURITY POLICIES Healthcare Example
PII
Sensitive Diagnoses
Doctor’s Notes 3 © 2014 Sqrrl | All Rights Reserved
TRADITIONAL SECURITY Build security policy logic into the application
Database
Data Provider Security Policy
Data Consumer
Security
© 2014 Sqrrl | All Rights Reserved 4
Application Implements Security Through: • Database Views • Query Rewriting
MORE COMPLEX SECURITY...
5
Claims Data
EMRs
Public Records
Genomic Data
Healthcare Fraud / Automated Diagnosis App
© 2014 Sqrrl | All Rights Reserved
COMBINATORIAL COMPLEXITY
Database
Data Provider Security Policy
Data Consumer
Security
Data Consumer
Security
Data Consumer
Security
Data Provider Security Policy
Data Provider Security Policy
© 2014 Sqrrl | All Rights Reserved 6
COMBINATORIAL COMPLEXITY
Database
Data Provider
Security Policy
Data Consumer
Security
Data Consumer
Security
Data Consumer
Security
Data Provider
Security Policy
Data Provider
Security Policy
• Security complexity grows with sources
• Leads to apps specializing on security
• Apps should be focused on analytics
• App maintenance, policy changes complicate the story
• Cannot scale without data-centric security
© 2014 Sqrrl | All Rights Reserved 7
ADVANCES IN IDENTITY AND AUTHORIZATION MANAGEMENT
Federated Identity " Use common services for
authentication " Leverage technology like
OpenID, PKI, Single Sign-On, Kerberos
" Reduces administrative burden for user management
Federated Authorization " Delegate authorization to
common services " Leverage technology like
OAuth, SAML, LDAP, AD " Ties into Data-Centric
Security concept
© 2014 Sqrrl | All Rights Reserved 8
DATA-CENTRIC SECURITY
• Move policy enforcement out of the app and into the database
• Separate development of analysis from security • Layer with traditional security elements
• Access control, auditing, encryption, ...
Data carries with it information needed to make access control decisions.
© 2014 Sqrrl | All Rights Reserved 9
• Sorted Key/Value Store • Fine-grained access control
(cell-level security) • Modeled after Google’s Bigtable • Distributed, Shared-Nothing
Architecture • Scales to 10s of Petabytes • Originally Developed in the US
Intelligence Community • Now Open-Source, Apache
Software Foundation: accumulo.apache.org
© 2014 Sqrrl | All Rights Reserved
In#Memory*Map*
Write*Ahead*Log*
(For*Recovery)*
Sorted,*Indexed*File*
Sorted,*Indexed*File*
Sorted,*Indexed*File*
Tablet'Data'Flow'
Reads&Iterator*Tree*
Minor&Compac0on&
Merging&/&Major&Compac0on&
Iterator*Tree*
Writes& Iterator*Tree*
Scan&
Tablet*Server*
Tablet*
Tablet*Server*
Tablet*
Tablet*Server*
Tablet*
ApplicaAon*
Zookeeper*
Zookeeper*
Zookeeper*
Master*
HDFS*
Read/Write&
Store/Replicate&
Assign/Balance&
Delegate&Authority&
Delegate&Authority&
ApplicaAon*
ApplicaAon*
Row Col. Fam. Col. Qual. Visibility Timestamp Value
John Doe Notes 2012-09-12 PCP_JD 20120912 Patient suffers from an acute …
John Doe Test Results Cholesterol JD|PCP_JD 20120912 183
John Doe Test Results Mental Health JD|PSYCH_JD 20120801 Pass
John Doe Test Results X-Ray JD|PCP_JD 20120513 1010110110100…
ACCUMULO DATA FORMAT
11 © 2014 Sqrrl | All Rights Reserved
Key Value
Cell-Level Tagging
DATA-CENTRIC ECOSYSTEM
12 © 2014 Sqrrl | All Rights Reserved
DATA-CENTRIC SECURITY ENABLES...
Secure Indexes " Challenge: Indexes reveal
information about the data they represent
" Solution: Preserve the security model in an inverted index with data-centric security
Secure Knowledge-Bases " Challenge: Data
transformation obscures data source and schema
" Solution: Preserve the security model in linked documents with data-centric security and fine-grained access control
© 2014 Sqrrl | All Rights Reserved 13
Proxy Logs
BUILDING A SECURE KNOWLEDGE-BASE
14
Source Protocol Destination Port Bytes In Bytes Out 10.1.2.3 http google.com 80 73,824 15,632 10.1.2.4 https facebook.com 443 10,328 13,284,129 10.1.2.4 http google.com 80 623,249 93,125 10.1.2.3 unknown abcd1234.ru 31337 158 523,698,104 10.1.2.3 https netflix.com 443 434,855,357 1,392,994 10.1.2.4 https newcompany.com 443 23,084 583,331 10.1.2.3 ssh 10.1.2.5 22 204 158
© 2014 Sqrrl | All Rights Reserved
Proxy Logs
BUILDING A SECURE KNOWLEDGE-BASE
15
Source Protocol Destination Port Bytes In Bytes Out
10.1.2.3 http google.com 80 73,824 15,632
10.1.2.4 https facebook.com 443 10,328 13,284,129
10.1.2.4 http google.com 80 623,249 93,125
10.1.2.3 unknown abcd1234.ru 31337 158 523,698,104
10.1.2.3 https netflix.com 443 434,855,357 1,392,994
10.1.2.4 https newcompany.com 443 23,084 583,331
10.1.2.3 ssh 10.1.2.5 22 204 158
© 2014 Sqrrl | All Rights Reserved
Customer Access Logs Time IP Address Username Location
12:38:01 10.1.2.4 johndoe Seattle
12:38:07 10.1.2.3 janedoe Boston
google.com
10.1.2.3 facebook.com
abcd1234.ru
netflix.com
10.1.2.4
10.1.2.5
johndoe
janedoe
Source Protocol Destination Port Bytes In Bytes Out
10.1.2.3 http google.com 80 73,824 15,632
10.1.2.4 https facebook.com 443 10,328 13,284,129
10.1.2.4 http google.com 80 623,249 93,125
10.1.2.3 unknown abcd1234.ru 31337 158 523,698,104
10.1.2.3 https netflix.com 443 434,855,357 1,392,994
10.1.2.4 https newcompany.com 443 23,084 583,331
10.1.2.3 ssh 10.1.2.5 22 204 158
BUILDING A SECURE KNOWLEDGE-BASE
© 2014 Sqrrl | All Rights Reserved 16
Data-centric security makes this possible.
• Multi-Structured Data • Multi-Layered Graph • Multi-Level Security • Multi-Tenancy • Universal Search and
Discovery • Simplified Infrastructure • Rapid Application
Innovation
HOW TO LEARN MORE
Sqrrl Data, Inc. " Big Data Platform with Data-Centric Security " sqrrl.com
Download our White Paper " www.sqrrl.com/whitepaper
Request a demo or one-on-one workshop " www.sqrrl.com/contact
17 © 2014 Sqrrl | All Rights Reserved
18
Coming Up " Big Data Techcon
March 31-April 2, Cambridge MA
" Accumulo Summit June 12, Greenbelt MD Accumulosummit.com
" “Data Driven Applications with Sqrrl Enterprise” Webinar: March 12, 2pm EST
Keep up with us on social media:
www.twitter.com/SqrrlData
www.facebook.com/SqrrlData
www.linkedin.com/company/sqrrl
© 2014 Sqrrl | All Rights Reserved
Securely explore your data
THANK YOU
Adam Fuchs CTO: Sqrrl Data, Inc. February 26, 2014