Securing Your Couchbase Server Deployment Using Vormetric: Couchbase Connect 2015
TRANSCRIPT
Agenda
• NoSQL/Couchbase Overview
• Encryption/Data Security Drivers
• Vormetric Overview
• Protecting Sensitive Data in Couchbase
• Sample Security Policy for Couchbase
• Summary
Why NoSQL security?
Big data not only means Volume, Velocity and Variety, but also Value.
NoSQL is a popular solution for big data apps.
Structured information is only 10% of the story: 90% of big data is unstructured and is made up of information like emails, videos, tweets, Facebook posts, web clicks, and so on.
Because your information is valuable.
©2014 Couchbase, Inc.
Common security questions
(Diagram: Prod and Dev/QA/Test clusters, storage, a backup server and XDCR to a remote cluster, with sensitive data exposed to attackers at each point.)
• Which ports are open through the firewall?
• What if an operator steals a disk?
• Is sensitive data encrypted?
• Is there admin access and data access separation?
• Is your data encrypted in the cloud?
• Are backups encrypted?
• Is XDCR secure?
• What vulnerabilities?
Sensitive Data is Dispersing and Growing: Becoming harder to secure
• Enterprise Data Centers: Physical, Virtual, Outsourced
• Private, Public, Hybrid Clouds
• Big Data: Sources, Nodes, Analytics
• Remote Servers
• 2013: 1 Zettabyte of sensitive data not protected
• 2020: 10 Zettabytes of exposed sensitive data
- IDC 2014
Top Concerns for Cloud and Big Data: Security and compliance
“By 2018, 25% of corporate data traffic will bypass traditional perimeter security defenses – up from 4% today.” - Gartner, Nov 2013
Top Security Concerns With Cloud Computing (March 2014):
• Data Privacy and Security: 41%
• Access and Control: 35%
• Auditing and Compliance: 32%
• Control of Data: 26%
• Security Models/Toolsets: 18%
• Contractual/Legal Issues: 15%
• Internal Issues: 11%
• Network Connection Security: 10%
• Geographical Coverage: 4%
“The biggest growth inhibitors for Big Data market are security and privacy concerns.” - Wikibon, Jan 2014
(Chart: Big Data Market Forecast; not reproduced.)
Vormetric Data Security Platform: Centralized Encryption, Tokenization, Key Management
Best Encryption, Security & Compliance
Protecting Sensitive Data in Couchbase
Sensitive data (e.g. PII/PHI) resides in many locations inside the enterprise (and in the cloud) in structured and unstructured formats
Sensitive data is required by state and national regulations to be encrypted at rest
Sensitive data should also be monitored and protected from insider threats, malware, and APTs which can lead to data breaches
Vormetric Transparent Encryption: File Level Encryption
(Architecture diagram.) The Vormetric Data Security Manager (DSM), a virtual or physical appliance, holds the policy and keys (external key management) and sends audit logs to reporting & analytics. Policy is enforced on the server across the stack (User, Application, Database, File Systems, Volume Managers, Storage) as Allow/Block and Encrypt/Decrypt decisions:
• Privileged users (cloud admin, storage admin, etc.) see only encrypted and controlled data (“*$^!@#)(-|”_}?$%-:>>”).
• Approved processes and users see clear text (“John Smith 401 Main Street”).
Files protected on the server include:
• SS Tables / Data
• Saved Caches
• Commit Logs / Error logs, etc.
• Configuration files
Vormetric Application Encryption: Field Level Encryption
(Architecture diagram.) The same DSM (virtual or physical appliance) provides external key management, Allow/Block and Encrypt/Decrypt policy and audit logs for reporting & analytics, covering big data, databases or files across the stack (User, Application, Database, File Systems, Volume Managers, Storage):
• Approved applications see clear text (“John Smith 401 Main Street”).
• Privileged users and cloud provider / outsource administrators see only encrypted and controlled data; with field-level encryption only the sensitive fields are ciphertext (“Name: Jon Dough, SS: if030jcl, PO: Jan395-2014”).
Couchbase encryption – client: Encryption at the application
• Leverage Vormetric encryption and key management
• APIs, libraries, and sample code in Java, .NET, C/C++.
(Diagram.) The application uses the Vormetric Application Encryption (VAE) library. It holds the clear-text record (“SSN: 112-111-6762, Jon Dough”), sends an encryption key request to the DSM through the Vormetric API and receives the key in the response*, then writes the record with the sensitive field encrypted (“$#Ad#$g&*j%J1TJCZ, Jon Dough”) to Couchbase via the Couchbase SDKs over client-server SSL.
Vormetric Security Intelligence event logs (screenshots not reproduced):
• Intended user: can see file metadata and read couchdb.log data content.
• Privileged user: can see file metadata, but couchdb.log log data is encrypted.
Summary
Couchbase provides a powerful NoSQL platform.
Data security, including encryption, should be addressed proactively.
Vormetric & Couchbase have partnered to enable customers to build high-performance, highly secure applications.
Visit www.vormetric.com for more information; PCI DSS: http://www.vormetric.com/compliance/pci-dss
Don’t forget to fill out the Connect Session Survey on the Connect App.
Get Started with Couchbase Server 4.0: www.couchbase.com/beta
Test drive Vormetric at http://testdrive.vormetric.com/
Get trained on Couchbase: training.couchbase.com