1© Cloudera, Inc. All rights reserved.

Cloudera Security & Governance

Wim Villano, Sales Engineer Cloudera

2© Cloudera, Inc. All rights reserved.

Comprehensive, Compliance-Ready SecurityAuthentication, Authorization, Audit, and Compliance

AccessDefining what users and applications can

do with data

Technical Concepts:PermissionsAuthorization

DataProtecting data in the cluster from

unauthorized visibility

Technical Concepts:Encryption, Tokenization,

Data masking

VisibilityReporting on where data came from and how it’s being used

Technical Concepts:AuditingLineage

Cloudera Manager Apache Sentry Cloudera NavigatorNavigator Encrypt & Key Trustee | Partners

PerimeterGuarding access to

the cluster itself

Technical Concepts:Authentication

Network isolation

3© Cloudera, Inc. All rights reserved.

Perimeter Security – Isolation, AuthenticationPreserve user choice of the right Hadoop service (e.g. Impala, Spark)

Conform to centrally managed authentication policies

Implement with existing standard systems: Active Directory (LDAP) and KerberosCloudera Manager

PerimeterGuarding access to

the cluster itself

Technical Concepts:Authentication

Network isolation

4© Cloudera, Inc. All rights reserved.

Active Directory and Kerberos

• Manages Users, Groups, and Services• Provides username / password

authentication• Group membership determines Service

access

Active Directory

• Trusted and standard third-party• Authenticated users receive “Tickets”• “Tickets” gain access to Services

Kerberos

User authenticates

to AD

Authenticated user gets Kerberos

Ticket

Ticket grants access to

Services e.g. ImpalaUser

[ssmith]Password[***** ]

5© Cloudera, Inc. All rights reserved.

Access Security Requirements

Provide users access to data needed to do their job

Centrally manage access policies

Leverage a role-based access control model built on AD

AccessDefining what users and applications can

do with data

InfoSec Concept:Authorization

Apache Sentry

6© Cloudera, Inc. All rights reserved.

Authorization

• (Linux) POSIX: Directory, File• (Linux) ACL: Management of services/resources• Cloudera Sentry: RBAC within services• Impala, Hive, Search, Kafka

7© Cloudera, Inc. All rights reserved.

RBAC and Centralized Authorization

Manage data access by role, instead of by individual user• Customer Support Rep has read access to US Customers• Broker Analyst has read access to US Transactions• Relationships between users and roles are established via groups

An RBAC policy is then uniformly enforced for all Hadoop services• Provides unified authorization controls• As opposed to tools for managing numerous, service specific

policies

8© Cloudera, Inc. All rights reserved.

Unified Authorization with Apache SentrySentry provides unified authorization via:Fine-grained RBAC for Impala, Hive, Search and KafkaImpala/Hive permissions synced in HDFS for all other components (Spark, MapReduce, etc)

Goal: Unified authorization for all Hadoop services and applications

Sentry Perm.Read Access

to ALL Transaction

Data

Sentry RoleFraud

Analyst Role

GroupFraud

AnalystsSam Smith

9© Cloudera, Inc. All rights reserved.

Visual Policy Management

10© Cloudera, Inc. All rights reserved.

AuditorRead-OnlyLimited OperatorOperatorConfiguratorCluster Administrator

BDR AdministratorNavigator AdministratorUser AdministratorKey AdministratorFull Administrator -

Cloudera Manager Roles - Separation of Duties

11© Cloudera, Inc. All rights reserved.

Cloudera Manager Role Permissions

12© Cloudera, Inc. All rights reserved.

Data Security Requirements

Perform analytics on regulated data

Encrypt data, conform to key management policies, protect from root

Integrate with existing HSM as part of key management infrastructure

DataProtecting data in the cluster from

unauthorized visibility

InfoSec Concept:Compliance

Navigator Encrypt & Key Trustee

13© Cloudera, Inc. All rights reserved.

Compliance-Ready Encryption & Key ManagementCloudera’s Solution:• ALL data encrypted: HDFS, HBase,

metadata, log files, ingest paths

• Enterprise Key Management via Navigator Key Trustee

• Configuration support via Cloudera Manager

• Audit integration to Cloudera Navigator

• Optional root-of-trust integration with HSMs

Manager Navigator

Impala Hive

HDFS HBase

Sentry

Navigator Key Trustee

Log Files

Metadata Store

Encrypted Data

Encryption Key

Legend

Ingest Paths

14© Cloudera, Inc. All rights reserved.

Encryption Firewall

CM Agents

End Points

15© Cloudera, Inc. All rights reserved.

Visibility Security Requirements

Understand where report data came from and discover more data like it

Comply with policies for audit, data classification, and lineage

Centralize the audit repository; perform discovery; automate lineage

VisibilityReporting on where data came from and how it’s being used

InfoSec Concept:Audit

Cloudera Navigator

16© Cloudera, Inc. All rights reserved.

Governance is the Foundation of Data ManagementCompliance

Track, understand and protect access to data

Am I prepared for an audit?

Who’s accessing sensitive data?

What are they doing with the data?

Is sensitive data governed and protected?

StewardshipManage and organize data

assets at Hadoop scale

How can I efficiently manage data lifecycle, from ingest to purge?

How can I efficiently organize and classify all

my data?

How can I efficiently make data available to

my end users?

End User ProductivityEffortlessly find and trust

the data that matters most

How can I find explore data sets on my own?

Can I trust what I find?

How do I use what I find?

How do I find and use related data sets?

AdministrationBoost user productivity

and cluster performance

Is my data optimized to support current access

patterns?

How can I optimize for future workloads?

How can I migrate workloads to Hadoop

risk-free?

Hadoop Governance Foundation

Centralized audits Unified metadata catalog Comprehensive lineage Data policies

17© Cloudera, Inc. All rights reserved.

Thank youWim Villano

18© Cloudera, Inc. All rights reserved.

Reference Architecture