SECURING YOUR COUCHBASE ENVIRONMENT
Don Pinto | Sr. Product Manager | [email protected]
Darin Briskman | Professional Services | [email protected]

Securing Your Couchbase Environment in Couchbase Server 4.0: Couchbase Connect 2015


©2015 Couchbase Inc. 2

Disclaimer

Couchbase Server 4.0 is still in development. Details presented in this presentation might change based on customer feedback and other factors by the time the final version of the product is released.

“Prediction is very difficult, especially about the future.” - Niels Bohr


Key drivers of NoSQL data security

• Regulatory compliance requirements: PCI, HIPAA, EU Data Protection Directive, and others
• Additional corporate security policies
• Growing number of insider threats

*2015 Vormetric Insider Threat Report


Core security requirements

AUTHENTICATION

• Who am I/prove it

• Control access to cluster

AUTHORIZATION

• Admin/data access separation

• Role based access

ENCRYPTION

• Encrypt data at rest and in-motion

ADMINISTRATION

• Security best practices

AUDITING

• Who did what, when, and how?


Couchbase security journey

Releases on the timeline: Previously… | In 2.2 | In 2.5 | In 3.0 | New in 4.0

Capabilities along the timeline, in slide order:
• SASL AuthN with Bucket Passwords
• Admin User
• Secure Build Platform
• Read-Only User
• Easy Admin Password Reset
• Non-Root User Deployments
• Secure Communication for XDCR
• Encrypted Client-Server Communication
• Encrypted Admin Access
• Access Log
• Data-at-Rest Encryption

New in 4.0:
• Simplified compliance with admin auditing
• External identity management for admins using LDAP

In a few slides...


Couchbase authentication

Application authentication
• Buckets are protected with challenge-response SASL protocol
• AuthN happens over CRAM-MD5

Admin authentication
• Authentication through admin username and password
• Authentication through LDAP (New in 4.0)

AUTHENTICATION
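The challenge-response exchange named on this slide, written out with the CRAM-MD5 construction from RFC 2195 as an added example (not Couchbase's code and not from the presentation). The bucket name, password and host are constructed, and `BucketAuthenticator` is a hypothetical helper.

```python
import hashlib
import hmac
import secrets
import time


def make_challenge(host="cb-node.example"):
    """Server: fresh, unpredictable challenge in the RFC 2195 msg-id shape."""
    return f"<{secrets.token_hex(8)}.{int(time.time())}@{host}>".encode()


def client_response(bucket, password, challenge):
    """Client: prove knowledge of the password without sending it."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{bucket} {digest}".encode()


class BucketAuthenticator:
    """Server side. To recompute the HMAC it must hold each bucket password."""

    def __init__(self, bucket_passwords):
        self._passwords = dict(bucket_passwords)  # constructed test data
        self._outstanding = set()                 # challenges not yet answered

    def start(self):
        challenge = make_challenge()
        self._outstanding.add(challenge)
        return challenge

    def finish(self, challenge, response):
        # A challenge is single-use, so a recorded response cannot be replayed.
        if challenge not in self._outstanding:
            return False
        self._outstanding.discard(challenge)
        bucket, _, digest = response.rpartition(b" ")
        password = self._passwords.get(bucket.decode("utf-8", "replace"))
        if password is None:
            return False
        expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
        # Constant-time comparison of the two hex digests.
        return hmac.compare_digest(expected.encode(), digest)


if __name__ == "__main__":
    auth = BucketAuthenticator({"orders": "s3cret-constructed"})
    ch = auth.start()
    print(auth.finish(ch, client_response("orders", "s3cret-constructed", ch)))
```

The server has to keep the bucket password itself to recompute the HMAC, and a recorded challenge/response pair can be checked against guessed passwords offline, so this exchange belongs inside the SSL-protected client-server channel the deck describes later.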


External identity management using LDAP

Centralized identity management
• Define multiple read-only admins and full-admins
• Centralized security policy management for admin accounts for stronger passwords, password rotation, and auto lockouts

Individual accountability. Simplified compliance.
• Define UIDs in LDAP, and map UIDs to read-only/full admin role in Couchbase
• Comprehensive audit trails with LDAP UIDs in audit records

AUTHENTICATION


LDAP architecture in Couchbase

[Diagram: the admin UID / password is passed over the SASL protocol to SASLAUTHD (saslauthd config file), which uses the OpenLDAP protocol to reach the UIDs defined in LDAP. Decision boxes: CHECK IN LDAP? (YES / NO) and CHECK IN ADMIN PASSWORD FILE. YES: Authentication SUCCESS! NO: Authentication FAILED!]

AUTHENTICATION


New UI for authorizing LDAP administrators

• Turn on/off LDAP
• Add UIDs to read-only admins
• Add UIDs to full admins
• Set default behavior if UID is not mapped
• Testing credentials to verify what level of access

Plus REST APIs and CLI integration for programmatic setup

AUTHENTICATION


Couchbase authorization

Application data access
• Full access to specific buckets

Admin access
• Full administrator has full privileges on the cluster
• Read-only administrator cannot change cluster settings

AUTHORIZATION


Couchbase encryption – client

Encryption at the application
• Leverage Vormetric encryption and key management APIs, libraries, and sample code in Java, .NET, C/C++.

[Diagram: the application, using Vormetric Application Encryption (VAE), exchanges an Encryption Key Request / Response* with the DSM. The record "Jon Dough, SSN: 112-111-6762" is stored as "Jon Dough, $#Ad#$g&*j%J1TJCZ". The client-server link runs over SSL.]

ENCRYPTION


Couchbase encryption – in motion

Data-in-motion encryption
• Client-server communication should be encrypted using SSL
• Secure admin access using SSL over port 18091
• Secure view access using SSL over port 18092
• Secure XDCR for encryption across datacenters

[Diagram: client applications connect over SSL to Couchbase Server – New York (Server 1, Server 2, Server 3), which is linked by secure XDCR over SSL to Couchbase Server – London (Server 1, Server 2, Server 3). Admin access over SSL on port 18091: https://couchbase_server:18091/… View access over SSL on port 18092: https://couchbase_server:18092/…]

ENCRYPTION


Couchbase encryption – at rest

Transparent data-at-rest encryption solution

[Diagram layers: Storage, Database, Application, User, File Systems, Volume Managers, with the DSM alongside]

Vormetric Data Security Manager (DSM), on enterprise premise or in cloud, virtual or physical appliance
• Centrally manage keys and policy
• Virtual and physical appliance
• High-availability with cluster
• Multi-tenant and strong separation of duties
• Proven 10,000+ device and key management scale
• Web, CLI, API Interfaces
• FIPS 140-2 certified

Secure Personally Identifiable Information
• User profile information
• Login Credentials
• IP Addresses

ENCRYPTION


Admin auditing in Couchbase

Rich audit events
• Over 25+ different, detailed admin audit events
• Auditing for tools including backup

Configurable auditing
• Configurable file target
• Support for time-based log rotation and audit filtering

Easy integration
• JSON format allows for easy integration with downstream systems using Flume, Logstash, and syslogd

AUDITING


Auditing events

LIST OF ADMIN AUDIT EVENTS

• Success/failure login for administrator
• Audit configuration changes
• Enable/disable audit
• Add a node to the cluster
• Remove a node from the cluster
• Failover a node
• Rebalance the cluster
• Shutdown/startup of the system by the administrator
• Create a bucket
• Delete a bucket
• Flush a bucket
• Modify bucket settings
• Change configured disk and index path
• Add read-only administrator user
• Backup
• Remove read-only administrator user
• Add admin user
• Remove admin user
• Setup remote cluster reference
• Delete remote cluster reference
• Changes to XDCR
• Creating/deleting XDCR profile
• Pause resume XDCR stream
• Changing XDCR filter rules
• Add/remove query node
• Add/remove index node
• Create server group
• Add node to server group
• Remove node from server group
• Delete server group
• Admin password changes/resets

AUDITING


Auditing a successful login

{
  "timestamp": "2015-02-20T08:48:49.408-08:00",
  "id": 8192,
  "name": "login success",
  "description": "Successful login to couchbase cluster",
  "role": "admin",
  "real_userid": { "source": "ns_server", "user": "bjones" },
  "sessionid": "0fd0b5305d1561ca2b10f9d795819b2e",
  "remote": { "ip": "172.23.107.165", "port": 59383 }
}

Callouts on the record: WHEN, WHO, WHAT, HOW

AUDITING
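One way to consume records shaped like the one above in a downstream check, as an added example that is not from the presentation or from Couchbase. It assumes one JSON record per line, maps WHEN/WHO/WHAT/HOW to `timestamp`, `real_userid`, `id`/`name` and `remote.ip` (my reading of the callouts), and uses a constructed admin subnet and constructed sample lines.

```python
import ipaddress
import json

# Constructed sample: the slide's record, a second login, and a truncated line.
SAMPLE_LOG = """\
{"timestamp":"2015-02-20T08:48:49.408-08:00","id":8192,"name":"login success","description":"Successful login to couchbase cluster","role":"admin","real_userid":{"source":"ns_server","user":"bjones"},"sessionid":"0fd0b5305d1561ca2b10f9d795819b2e","remote":{"ip":"172.23.107.165","port":59383}}
{"timestamp":"2015-02-20T09:02:11.117-08:00","id":8192,"name":"login success","description":"Successful login to couchbase cluster","role":"admin","real_userid":{"source":"ns_server","user":"asmith"},"sessionid":"constructed-session-id","remote":{"ip":"203.0.113.40","port":51544}}
{"timestamp":"2015-02-20T09:05:00.000-08:00","id":8192,"name":"login succ
"""

# Assumption: administrators are expected to connect from this subnet only.
ADMIN_NETWORKS = [ipaddress.ip_network("172.23.0.0/16")]
LOGIN_SUCCESS_ID = 8192  # the id shown on the slide


def parse_audit(text):
    """Return (events, rejected_line_numbers) for a block of audit lines."""
    events, rejects = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            user = rec["real_userid"]
            events.append({
                "when": rec["timestamp"],
                "who": f'{user["source"]}/{user["user"]}',
                "what": (rec["id"], rec["name"]),
                "how": ipaddress.ip_address(rec["remote"]["ip"]),
                "role": rec.get("role"),
            })
        except (ValueError, KeyError, TypeError):
            # Truncated or malformed records are counted, never silently dropped.
            rejects.append(lineno)
    return events, rejects


def admin_logins_outside(events, networks=ADMIN_NETWORKS):
    """Successful admin logins whose source address is outside the admin subnets."""
    return [e for e in events
            if e["what"][0] == LOGIN_SUCCESS_ID and e["role"] == "admin"
            and not any(e["how"] in net for net in networks)]


if __name__ == "__main__":
    parsed, bad = parse_audit(SAMPLE_LOG)
    for e in admin_logins_outside(parsed):
        print(e["when"], e["who"], e["how"])
    print("unparseable lines:", bad)
```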


Securely Deploying Couchbase

[Diagram: three zones, Outside Network, Perimeter Network and Internal Network. Components: end users & hack3rs, web and mobile apps, External Firewall, Load Balancer, Web Server, Internal Firewall, Couchbase cluster, IT admins & app developers, IT admin & DBA. Annotations: packet filtering; blocking malicious IPs; allow webserver ingress and outgress ports; allow Couchbase ingress and outgress ports; allow Couchbase node-to-node ports on local internal network.]

Check out our docs for in-depth security best practices: http://docs.couchbase.com/admin/admin/security/security-best-practices.html

ADMINISTRATION


Questions to ask

[Diagram: Prod and Dev, QA, Test environments with storage, a backup server, sensitive data, XDCR to remote cluster, and hAck3rs]

• Which ports are open through the firewall?
• What if an operator steals a disk?
• Is sensitive data encrypted?
• Is there admin access and data access separation?
• Are backups encrypted?
• Is XDCR secure?
• What vulnerabilities?

ADMINISTRATION

Demo
Couchbase admin auditing & Splunk security reporting

What’s next?


Security roadmap


Today: Simplified Compliance
• Simplified compliance with auditing framework for admin actions
• External identity management for admins with enterprise standard identity management tools through LDAP

Next: Fine-Grained Authorization
• User, roles, and permissions for admins and applications

Future: Advanced Compliance
• Application auditing
• External authentication for applications

* The following is intended to outline our general product direction. It is intended for information purposes and is only a plan.

Thank you!

[email protected] | @[email protected] | @briskmad

Get Started with Couchbase Server 4.0: www.couchbase.com/beta

Get Trained on Couchbase: training.couchbase.com