Upload
couchbase
View
110
Download
0
Tags:
Embed Size (px)
Citation preview
Secure Re-platforming Security Standards and Compliance in Couchbase Server
Don Pinto | Sr. Product Manager | @NoSQLDon
©2015 Couchbase Inc.
Agenda
Big data adoption and barriers
Compliance challenges
Secure re-platforming
Simplifying security compliance in Couchbase
What’s next?
Q&A
2
©2015 Couchbase Inc.
Big data adoption and barriers
85%Of Companies deployed/expect to deploy
BIG DATA PROJECTS IN 2 YEARS- Gartner,
2014
- Dell Global Technology Adoption Index, 20154
©2015 Couchbase Inc.
Key drivers of NoSQL data security
Regulatory compliance requirements
• PCI, HIPAA, EU Data Protection Directive, and others
• Additional corporate security policies
Growing number of insider threats
5*2015 Vormetric Insider Threat Report
©2015 Couchbase Inc.
Compliance is challenging
7
Too complex
• Policies and controls change too often
• Hard to understand requirements
Very expensive
• Each regulation needs resources and budget
• Not something that can be “crossed off the list” once certified
©2015 Couchbase Inc.
Good news is ...
8
Securityrequirement 5
Securityrequirement 3
Security requirement 2
Security requirement 1
SOX
FISMA
Security requirement 4
HIPAA
PCI
CobiT
NIST
Security
NIST
SOX
CobiT
PCI
FISMA
HIPAA
• Leverage similarities to increase efficiencies and reduce costs• Consistent themes across regulations
©2015 Couchbase Inc. 10
Securely Deploying CouchbaseO
uts
ide
Netw
ork
WEB AND MOBILE APPS
Load Balancer
Allow Couchbase ingress and
outgress ports
Allow Couchbase node-to-node
ports on local internal networkCOUCHBASE CLUSTER
Inte
rna
l
Netw
ork
Peri
mete
r
Netw
ork
End users & hack3rs
Web Server
External
Firewall
Internal
Firewall
Allow webserver ingress and
outgress ports
Packet Filtering
Blocking malicious IPs
IT Admins
& App Developers
IT Admin
& DBA
©2015 Couchbase Inc. 11
©2014 Couchbase, Inc.
Pro
d
De
v, Q
A,
Te
st
StorageStorage
Backup Server
Sensitive
hAck3rs
Which ports are open
through the firewall?
What if an operator steals a
disk?
Is sensitive data encrypted?
Is there admin access and data access
separation? Is your data encrypted in
the cloud?
Are backups encrypted ?
XDCR to
remote
Cluster
Is XDCR Secure?
What Vulnerabilities?
Questions from the field ?
©2015 Couchbase Inc.
Previous… In 2.2 In 2.5 In 3.0 New in 4.0
SASL AuthN
with Bucket
Passwords
Admin User
Secure Build
Platform
Read-Only
User
Easy Admin
Password
Reset
Non-root User
Deployments
Secure
Communication
for XDCR
Encrypted
client server
communication
Encrypted
admin access
Access Log
Data-at-rest
Encryption
• Simplified
compliance
with admin
auditing
• External
identity
managemen
t for admins
using LDAP
Couchbase security features
In a few
slides ..
12
©2015 Couchbase Inc.
Couchbase authentication overview
13
• Application authentication • Buckets are protected with challenge-response SASL protocol• AuthN happens place over CRAM-MD5
• Admin authentication • Authentication through admin username and password• Authentication through LDAP (New in 4.0)
AUTHENTICATION
©2015 Couchbase Inc.
Couchbase authorization overview
14
• Application data access • Full access to the bucket application is connected to
• Admin access• Full administrator has full privileges on the cluster • Read-only administrator cannot change cluster settings
AUTHORIZATION
©2015 Couchbase Inc.
Couchbase encryption overview
15
• Encryption at the application • Leverage vormetric encryption and key management• APIs, libraries and sample code in Java, .NET, C/C++.
VAE
Application Vormetric Application Encryption
Encryption KeyRequest / Response*
DSM
Cli
ent-
serv
er
SS
L
ENCRYPTION
©2015 Couchbase Inc.
Couchbase encryption overview
16
• Data-in-motion encryption• Client-server communication can be encrypted using SSL • Secure admin access using SSL over port 18091• Secure view access using SSL over port 18092• Secure XDCR for encryption across datacenters
Track all AccessSERVER 3SERVER 1 SERVER 2
Couchbase Server – New York SERVER 3SERVER 1 SERVER 2
Couchbase Server – London
SSL
Client applications
SecureXDCR over
SSL
Admin access
over port 18091
SS
L
View access
over port 18092
SS
L
https://couchbase_server:18091/…
https://couchbase_server:18092/…
ENCRYPTION
©2015 Couchbase Inc.
Couchbase encryption overview
17
• Transparent data-at-rest encryption solution ENCRYPTION
Storage
Database
Application
User
File Systems
VolumeManagers
DSM
VormetricData Security Manager
on Enterprise premise or in cloudvirtual or physical appliance
• Centrally manage keys and policy• Virtual and physical appliance • High-availability with cluster• Multi-tenant and strong separation of duties• Proven 10,000+ device and key management scale• Web, CLI, API Interfaces• FIPS 140-2 certified
Secure Personally Identifiable Information• User profile information• Login Credentials• IP Addresses
©2015 Couchbase Inc.
External identity management using LDAP
19
Centralized identity management
• Define multiple read-only admins and full-admins
• Centralized security policy management for admin accounts for stronger passwords, password rotation, and auto lockouts
Individual accountability. Simplified compliance.
• Define UIDs in LDAP, and map UIDs to read-only / full admin role in Couchbase
• Comprehensive audit trails with LDAP UIDs in audit records
©2015 Couchbase Inc.
LDAP architecture in Couchbase
Ad
min
U
ID /
pa
ssw
ord
UIDs defined inLDAP
OpenLDAPprotocol
saslauthdconfig file
SASLAUTHD
CHECK IN LDAP ?
SASLprotocol
YES / NO?
CHECK IN ADMIN
PASSWORD FILE
Authentication SUCCESS!
Authentication FAILED!
UID / password
20
©2015 Couchbase Inc.
New UI for authorizing LDAP administrators
Turn on/off LDAP
Add UIDs to read-only admins
Add UIDs to full admins
Set default behavior if UID is not mapped
Testing credentials to verify what level
of access
Plus REST, and CLI integration for programmatic setup21
©2015 Couchbase Inc.
Admin Auditing in Couchbase
22
Rich audit events
• Over 25+ different, detailed admin audit events
• Auditing for tools including backup
Configurable auditing
• Configurable file target
• Support for time based log rotation and audit filtering
Easy integration
• JSON format allows for easy integration with downstream systems using flume, logstash, and syslogd
©2015 Couchbase Inc.
Auditing a successful login
23
{"timestamp":"2015-02-20T08:48:49.408-08:00", "id":8192, "name":"login success", "description":"Successful login to couchbase cluster", "role":"admin", "real_userid": {
"source":"ns_server","user":"bjones”
},"sessionid":"0fd0b5305d1561ca2b10f9d795819b2e", "remote":{"ip":"172.23.107.165", "port":59383}
}
WHEN
WHO
WHAT
HOW
©2015 Couchbase Inc.
Security Roadmap
©2014 Couchbase, Inc. 25
Simplified Compliance
• Simplified compliance
with auditing framework
for admin actions
• External identity
management for admins
with enterprise standard
identity management
tools through LDAP
Fine Grain Authorization
• User, roles and
permissions for Admins
and applications
Advanced Compliance
• Application Auditing
• External Authentication
for Applications
Today Next Future
* The following is intended to outline our general product direction. It is intended for information purposes and is only a plan.
Thank [email protected] | @NoSQLDon