Download - Accumulo Security and Encryption
Securely explore your data
ENCRYPTION AND SECURITY IN ACCUMULO
Michael Allen
Security Architect
Sqrrl Data, Inc.
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
ISN’T ACCUMULO ALREADY SECURE?
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
I MEAN, THESE SMART GALS AND GUYS MADE IT…
(Undisclosed location)
So
urc
e:
wik
ipe
dia
.org
. P
ub
lic d
om
ain
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
CELL-LEVEL SECURITY
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
CELL-LEVEL SECURITY
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
CELL-LEVEL SECURITY
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
WHAT’S THE THREAT?
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
A TYPICAL DEPLOYMENT
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
A TYPICAL DEPLOYMENT
(…ignoring master nodes, name nodes,garbage collectors, other ephemera…)
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
A TYPICAL CAST
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
THREATS INSIDE AND OUT
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
WHO CAN WE PUSH OUT?
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
HOW?
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
ENCRYPTION
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
IN MOTION AND AT REST
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
IT’S NOT…
So
urc
e:
htt
p:/
/bit.
ly/H
qS
cSr.
Cre
ativ
e C
om
mo
ns,
A
ttrib
utio
n.
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
FUNDAMENTAL QUESTIONS
What are you encrypting?
How are you encrypting it?
How are you protecting the key?
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
ACCUMULO 1.6
SSL for Accumulo Clients
Encrypting data within HDFS
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
SSL AND ACCUMULO
ACCUMULO-1009
Patch that adds configuring and using SSL certificates
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
MAKE YOUR CERTS
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
CONFIGURE YOUR SERVERS
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
CONFIGURE YOUR SERVERS
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
DISTRIBUTE YOUR CERTS
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
DISTRIBUTE YOUR ROOTS
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
ENJOY YOUR SSL
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
ENCRYPTION AT REST
ACCUMULO-998
Patch that adds encryption for Rfiles and WAL
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
ENCRYPTION AT REST
Uses Java Cryptography Extensions (JCE) for encryption
interface / engine
(Guess what? It’s pluggable.)
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
BEHIND THE SCENES
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
BEHIND THE SCENES
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
BEHIND THE SCENES
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
BEHIND THE SCENES
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
WHERE DOES THAT KEY GO?
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
WHERE DOES THAT KEY GO?
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
WHERE DOES THAT KEY GO?
???
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
PLUGGABLE STRATEGY
• Java class that mediates access to KEK
• Encrypts and decrypts per-file keys
• Passes back to callers opaque ID to identifyKEK used to do encryption
• Callers should store opaque ID along withencrypted key
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
PLUGGABLE STRATEGY
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
PLUGGABLE STRATEGY
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
CONFIGURATION OPTIONSProperty Name “Usual” Value Meaning
crypto.module.class org.apache.accumulo.core.security.crypto.DefaultCryptoModule
The class that creates encrypting and decrypting data streams
crypto.cipher.suite AES/CFB/PKCS5Padding Encryption algorithm spec
crypto.cipher.key.length
128 Key length
crypto.module.class org.apache.accumulo.core.security.crypto.DefaultSecret-KeyEncryptionStrategy
Class that mediates access to KEK
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
REDUCED THREAT
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
REDUCED THREAT
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
TOWARDS THE FUTURE
![Accumulo Summit 2015: Extending Accumulo to Support ABAC using XACML [Security]](https://cdn.vdocuments.us/doc/165x107/55a5e52f1a28ab325b8b4644/accumulo-summit-2015-extending-accumulo-to-support-abac-using-xacml-security.jpg)
![Accumulo Summit 2015: Zookeeper, Accumulo, and You [Internals]](https://cdn.vdocuments.us/doc/165x107/55a5e46a1a28ab2d368b47c4/accumulo-summit-2015-zookeeper-accumulo-and-you-internals.jpg)
![Accumulo Summit 2015: Tracing in Accumulo and HDFS [Internals]](https://cdn.vdocuments.us/doc/165x107/55a5e4021a28ab3c368b478e/accumulo-summit-2015-tracing-in-accumulo-and-hdfs-internals.jpg)
