Accumulo Security and Encryption
Posted on 21-Oct-2014
DESCRIPTION
Speaker: Michael Allen, Security Architect, Sqrrl
Venue: October 28th Accumulo Users Group (along with Strata NY / Hadoop World)
The early Accumulo developers made security a core part of Accumulo's codebase. As the open source community around Accumulo continues to thrive, this talk examines the current state of Accumulo's security features. The talk will detail some exciting developments in the upcoming 1.6 release, which include enhancements around encryption at rest and in motion. We will also take a broader look at new use cases suggesting a wider set of threats, and how current and future work addresses those threats.
TRANSCRIPT
Securely explore your data
ENCRYPTION AND SECURITY IN ACCUMULO
Michael Allen
Security Architect
Sqrrl Data, Inc.
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
ISN’T ACCUMULO ALREADY SECURE?
I MEAN, THESE SMART GALS AND GUYS MADE IT…
(Undisclosed location)
Source: wikipedia.org. Public domain
CELL-LEVEL SECURITY
WHAT’S THE THREAT?
A TYPICAL DEPLOYMENT
(…ignoring master nodes, name nodes, garbage collectors, other ephemera…)
A TYPICAL CAST
THREATS INSIDE AND OUT
WHO CAN WE PUSH OUT?
HOW?
ENCRYPTION
IN MOTION AND AT REST
IT’S NOT…
Source: http://bit.ly/HqScSr. Creative Commons, Attribution.
FUNDAMENTAL QUESTIONS
What are you encrypting?
How are you encrypting it?
How are you protecting the key?
ACCUMULO 1.6
SSL for Accumulo Clients
Encrypting data within HDFS
SSL AND ACCUMULO
ACCUMULO-1009
Patch that adds configuring and using SSL certificates
MAKE YOUR CERTS
CONFIGURE YOUR SERVERS
DISTRIBUTE YOUR CERTS
DISTRIBUTE YOUR ROOTS
ENJOY YOUR SSL
ENCRYPTION AT REST
ACCUMULO-998
Patch that adds encryption for Rfiles and WAL
Uses Java Cryptography Extensions (JCE) for encryption interface / engine
(Guess what? It’s pluggable.)
BEHIND THE SCENES
WHERE DOES THAT KEY GO?
???
PLUGGABLE STRATEGY
• Java class that mediates access to KEK
• Encrypts and decrypts per-file keys
• Passes back to callers opaque ID to identify KEK used to do encryption
• Callers should store opaque ID along with encrypted key
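The strategy described in these bullets, sketched with the JCE as an added example; this is not code from the talk or from Accumulo. The class and method names, the in-memory KEK map, the `kek-v1`/`kek-v2` IDs and the choice of `AESWrap` for key wrapping are all assumptions made for illustration. It shows why the opaque ID must be stored with the encrypted key: after the KEK is rotated, older files remain readable.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
// Added illustration; all names here are hypothetical, not Accumulo's API.
public class KekStrategyDemo {
    // What a caller persists next to the encrypted file.
    static final class WrappedKey {
        final String opaqueId;  // identifies which KEK did the wrapping
        final byte[] wrapped;   // per-file key, encrypted under that KEK
        WrappedKey(String opaqueId, byte[] wrapped) { this.opaqueId = opaqueId; this.wrapped = wrapped; }
    }
    // Mediates all access to KEKs; callers never handle KEK material.
    // The map stands in for whatever protected store holds the KEKs.
    static final class InMemoryKekStrategy {
        private final Map<String, SecretKey> keks = new HashMap<>();
        private String currentId;
        // Install a fresh KEK under a new ID; new files are wrapped with it.
        void rotate(String id) throws Exception { keks.put(id, newAesKey()); currentId = id; }
        WrappedKey encryptFileKey(SecretKey fileKey) throws Exception {
            Cipher c = Cipher.getInstance("AESWrap"); // RFC 3394 key wrap (assumed choice)
            c.init(Cipher.WRAP_MODE, keks.get(currentId));
            return new WrappedKey(currentId, c.wrap(fileKey));
        }
        SecretKey decryptFileKey(WrappedKey wk) throws Exception {
            SecretKey kek = keks.get(wk.opaqueId);
            if (kek == null) throw new IllegalStateException("unknown KEK id: " + wk.opaqueId);
            Cipher c = Cipher.getInstance("AESWrap");
            c.init(Cipher.UNWRAP_MODE, kek);
            return (SecretKey) c.unwrap(wk.wrapped, "AES", Cipher.SECRET_KEY);
        }
    }
    static SecretKey newAesKey() throws Exception {
        KeyGenerator g = KeyGenerator.getInstance("AES");
        g.init(128); // matches the 128-bit key length in the slide's options
        return g.generateKey();
    }
    public static void main(String[] args) throws Exception {
        InMemoryKekStrategy strategy = new InMemoryKekStrategy();
        strategy.rotate("kek-v1");
        SecretKey fileKey = newAesKey();                        // per-file data key
        WrappedKey stored = strategy.encryptFileKey(fileKey);   // goes in the file header
        strategy.rotate("kek-v2");                              // later files use kek-v2
        SecretKey recovered = strategy.decryptFileKey(stored);  // old file still opens
        boolean same = Arrays.equals(fileKey.getEncoded(), recovered.getEncoded());
        System.out.println("wrapped under " + stored.opaqueId + ", recovered=" + same);
    }
}
```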
CONFIGURATION OPTIONS
Property Name | “Usual” Value | Meaning
crypto.module.class | org.apache.accumulo.core.security.crypto.DefaultCryptoModule | The class that creates encrypting and decrypting data streams
crypto.cipher.suite | AES/CFB/PKCS5Padding | Encryption algorithm spec
crypto.cipher.key.length | 128 | Key length
crypto.module.class | org.apache.accumulo.core.security.crypto.DefaultSecretKeyEncryptionStrategy | Class that mediates access to KEK
REDUCED THREAT
TOWARDS THE FUTURE