accumulo summit 2014: past and future threats: encryption and security in accumulo
Post on 06-May-2015
472 Views
Preview:
DESCRIPTION
TRANSCRIPT
Securely explore your data
ENCRYPTION AND SECURITY IN ACCUMULO
Michael Allen
Security Architect
Sqrrl Data, Inc.
michael@sqrrl.com
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
ISN’T ACCUMULO ALREADY SECURE?
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
I MEAN, THESE SMART GALS AND GUYS MADE IT…
(Undisclosed location)
So
urc
e:
wik
ipe
dia
.org
. P
ub
lic d
om
ain
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
CELL-LEVEL SECURITY
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
CELL-LEVEL SECURITY
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
CELL-LEVEL SECURITY
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
WHAT’S THE THREAT?
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
A TYPICAL DEPLOYMENT
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
A TYPICAL DEPLOYMENT
(…ignoring master nodes, name nodes,garbage collectors, other ephemera…)
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
A TYPICAL CAST
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
THREATS INSIDE AND OUT
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
WHO CAN WE PUSH OUT?
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
HOW?
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
ENCRYPTION
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
IN MOTION AND AT REST
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
IT’S NOT…
So
urc
e:
htt
p:/
/bit.
ly/H
qS
cSr.
Cre
ativ
e C
om
mo
ns,
A
ttrib
utio
n.
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
FUNDAMENTAL QUESTIONS
What are you encrypting?
How are you encrypting it?
How are you protecting the key(s)?
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
ACCUMULO 1.6
SSL for Accumulo Clients and Servers
Encrypting data within HDFS
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
SSL FOR ACCUMULO
You need certificates:
OpenSSL (LibreSSL?)
Java keytool
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
MAKE YOUR CERTS
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
CONFIGURE YOUR SERVERS
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
CONFIGURE YOUR SERVERS
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
DISTRIBUTE YOUR CERTS
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
DISTRIBUTE YOUR ROOTS
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
ENJOY YOUR SSL
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
ENCRYPTION AT REST
Uses Java Cryptography Extensions (JCE) for encryption
interface / engine
(Guess what? It’s pluggable.)
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
BEHIND THE SCENES
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
BEHIND THE SCENES
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
BEHIND THE SCENES
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
BEHIND THE SCENES
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
BEHIND THE SCENES
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
BEHIND THE SCENES
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
BEHIND THE SCENES
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
WHERE DOES THAT KEY GO?
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
WHERE DOES THAT KEY GO?
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
WHERE DOES THAT KEY GO?
???
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
PLUGGABLE STRATEGY
• Java class that mediates access to KEK
• Encrypts and decrypts per-file keys
• Passes back to callers opaque ID to identifyKEK used to do encryption
• Callers should store opaque ID along withencrypted key
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
PLUGGABLE STRATEGY
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
PLUGGABLE STRATEGY
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
CONFIGURATION OPTIONSProperty Name “Usual” Value Meaning
crypto.module.class org.apache.accumulo.core.security.crypto.DefaultCryptoModule
The class that creates encrypting and decrypting data streams
crypto.cipher.suite AES/CFB/NoPadding Encryption algorithm spec
crypto.cipher.key.length
128 Key length
crypto.module.class org.apache.accumulo.core.security.crypto.CachingHDFSSecretKey-EncryptionStrategy
Class that mediates access to KEK
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
REDUCED THREAT
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
REDUCED THREAT
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
TOWARDS THE FUTURE
© 2014 Sqrrl | All Rights Reserved | Proprietary and Confidential
@supermallen
michael@sqrrl.com
top related