Couchbase Live Europe 2015: Secure Re-platforming: Security Standards & Compliance in Couchbase Server

Secure Re-platforming Security Standards and Compliance in Couchbase Server

Don Pinto | Sr. Product Manager | @NoSQLDon

©2015 Couchbase Inc.

Agenda

Big data adoption and barriers

Compliance challenges

Secure re-platforming

Simplifying security compliance in Couchbase

What’s next?

Q&A

2


Disclaimer

3


Big data adoption and barriers

85%Of Companies deployed/expect to deploy

BIG DATA PROJECTS IN 2 YEARS- Gartner,

2014

- Dell Global Technology Adoption Index, 20154


Key drivers of NoSQL data security

Regulatory compliance requirements

• PCI, HIPAA, EU Data Protection Directive, and others

• Additional corporate security policies

Growing number of insider threats

5*2015 Vormetric Insider Threat Report

Compliance Challenges


Compliance is challenging

7

Too complex

• Policies and controls change too often

• Hard to understand requirements

Very expensive

• Each regulation needs resources and budget

• Not something that can be “crossed off the list” once certified


Good news is ...

8

Securityrequirement 5

Securityrequirement 3

Security requirement 2


SOX

FISMA


HIPAA

PCI

CobiT

NIST

Security

NIST

SOX

CobiT

PCI

FISMA

HIPAA

• Leverage similarities to increase efficiencies and reduce costs• Consistent themes across regulations

Secure Re-platforming

©2015 Couchbase Inc. 10

Securely Deploying CouchbaseO

uts

ide

Netw

ork

WEB AND MOBILE APPS

Load Balancer

Allow Couchbase ingress and

outgress ports

Allow Couchbase node-to-node

ports on local internal networkCOUCHBASE CLUSTER

Inte

rna

l

Netw

ork

Peri

mete

r

Netw

ork

End users & hack3rs

Web Server

External

Firewall

Internal

Firewall

Allow webserver ingress and

outgress ports

Packet Filtering

Blocking malicious IPs

IT Admins

& App Developers

IT Admin

& DBA

©2015 Couchbase Inc. 11

©2014 Couchbase, Inc.

Pro

d

De

v, Q

A,

Te

st

StorageStorage

Backup Server

Sensitive

hAck3rs

Which ports are open

through the firewall?

What if an operator steals a

disk?

Is sensitive data encrypted?

Is there admin access and data access

separation? Is your data encrypted in

the cloud?

Are backups encrypted ?

XDCR to

remote

Cluster

Is XDCR Secure?

What Vulnerabilities?

Questions from the field ?


Previous… In 2.2 In 2.5 In 3.0 New in 4.0

SASL AuthN

with Bucket

Passwords

Admin User

Secure Build

Platform

Read-Only

User

Easy Admin

Password

Reset

Non-root User

Deployments

Secure

Communication

for XDCR

Encrypted

client server

communication

Encrypted

admin access

Access Log

Data-at-rest

Encryption

• Simplified

compliance

with admin

auditing

• External

identity

managemen

t for admins

using LDAP

Couchbase security features

In a few

slides ..

12


Couchbase authentication overview

13

• Application authentication • Buckets are protected with challenge-response SASL protocol• AuthN happens place over CRAM-MD5

• Admin authentication • Authentication through admin username and password• Authentication through LDAP (New in 4.0)

AUTHENTICATION


Couchbase authorization overview

14

• Application data access • Full access to the bucket application is connected to

• Admin access• Full administrator has full privileges on the cluster • Read-only administrator cannot change cluster settings

AUTHORIZATION


Couchbase encryption overview

15

• Encryption at the application • Leverage vormetric encryption and key management• APIs, libraries and sample code in Java, .NET, C/C++.

VAE

Application Vormetric Application Encryption

Encryption KeyRequest / Response*

DSM

Cli

ent-

serv

er

SS

L

ENCRYPTION



16

• Data-in-motion encryption• Client-server communication can be encrypted using SSL • Secure admin access using SSL over port 18091• Secure view access using SSL over port 18092• Secure XDCR for encryption across datacenters

Track all AccessSERVER 3SERVER 1 SERVER 2

Couchbase Server – New York SERVER 3SERVER 1 SERVER 2

Couchbase Server – London

SSL

Client applications

SecureXDCR over

SSL

Admin access

over port 18091

SS

L

View access

over port 18092

SS

L

https://couchbase_server:18091/…

https://couchbase_server:18092/…

ENCRYPTION



17

• Transparent data-at-rest encryption solution ENCRYPTION

Storage

Database

Application

User

File Systems

VolumeManagers

DSM

VormetricData Security Manager

on Enterprise premise or in cloudvirtual or physical appliance

• Centrally manage keys and policy• Virtual and physical appliance • High-availability with cluster• Multi-tenant and strong separation of duties• Proven 10,000+ device and key management scale• Web, CLI, API Interfaces• FIPS 140-2 certified

Secure Personally Identifiable Information• User profile information• Login Credentials• IP Addresses

Simplifying Security Compliance

What’s new in security in Couchbase 4.0


External identity management using LDAP

19

Centralized identity management

• Define multiple read-only admins and full-admins

• Centralized security policy management for admin accounts for stronger passwords, password rotation, and auto lockouts

Individual accountability. Simplified compliance.

• Define UIDs in LDAP, and map UIDs to read-only / full admin role in Couchbase

• Comprehensive audit trails with LDAP UIDs in audit records


LDAP architecture in Couchbase

Ad

min

U

ID /

pa

ssw

ord

UIDs defined inLDAP

OpenLDAPprotocol

saslauthdconfig file

SASLAUTHD

CHECK IN LDAP ?

SASLprotocol

YES / NO?

CHECK IN ADMIN

PASSWORD FILE

Authentication SUCCESS!

Authentication FAILED!

UID / password

20


New UI for authorizing LDAP administrators

Turn on/off LDAP

Add UIDs to read-only admins

Add UIDs to full admins

Set default behavior if UID is not mapped

Testing credentials to verify what level

of access

Plus REST, and CLI integration for programmatic setup21


Admin Auditing in Couchbase

22

Rich audit events

• Over 25+ different, detailed admin audit events

• Auditing for tools including backup

Configurable auditing

• Configurable file target

• Support for time based log rotation and audit filtering

Easy integration

• JSON format allows for easy integration with downstream systems using flume, logstash, and syslogd


Auditing a successful login

23

{"timestamp":"2015-02-20T08:48:49.408-08:00", "id":8192, "name":"login success", "description":"Successful login to couchbase cluster", "role":"admin", "real_userid": {

"source":"ns_server","user":"bjones”

},"sessionid":"0fd0b5305d1561ca2b10f9d795819b2e", "remote":{"ip":"172.23.107.165", "port":59383}

}

WHEN

WHO

WHAT

HOW

What’s next ?


Security Roadmap

©2014 Couchbase, Inc. 25

Simplified Compliance

• Simplified compliance

with auditing framework

for admin actions

• External identity

management for admins

with enterprise standard

identity management

tools through LDAP

Fine Grain Authorization

• User, roles and

permissions for Admins

and applications

Advanced Compliance

• Application Auditing

• External Authentication

for Applications

Today Next Future

* The following is intended to outline our general product direction. It is intended for information purposes and is only a plan.

Demo

Couchbase admin auditing & splunk security reporting

Thank [email protected] | @NoSQLDon

Software

Couchbase Live Europe 2015: Secure Re-platforming: Security Standards & Compliance in Couchbase Server