Couchbase Live Europe 2015: Secure Re-platforming: Security Standards & Compliance in Couchbase Server

One of the most important aspects of your database is keeping it secure. In this presentation, learn about security standards and compliance in Couchbase Server.

Presented by: Don Pinto

Published in: Software
Slide 1: Secure Re-platforming: Security Standards and Compliance in Couchbase Server
Don Pinto | Sr. Product Manager | @NoSQLDon

Slide 2: Agenda (©2015 Couchbase Inc.)
• Big data adoption and barriers
• Compliance challenges
• Secure re-platforming
• Simplifying security compliance in Couchbase
• What’s next?
• Q&A

Slide 3: Disclaimer

Slide 4: Big data adoption and barriers
85% of companies have deployed or expect to deploy big data projects within 2 years (Gartner, 2014; Dell Global Technology Adoption Index, 2015)

Slide 5: Key drivers of NoSQL data security
Regulatory compliance requirements
• PCI, HIPAA, EU Data Protection Directive, and others
• Additional corporate security policies
Growing number of insider threats (*2015 Vormetric Insider Threat Report)

Slide 6: Compliance Challenges

Slide 7: Compliance is challenging
Too complex
• Policies and controls change too often
• Hard to understand requirements
Very expensive
• Each regulation needs resources and budget
• Not something that can be “crossed off the list” once certified

Slide 8: Good news is ...
(Diagram: security requirements 1 to 5 shared across SOX, FISMA, HIPAA, PCI, CobiT and NIST)
• Leverage similarities to increase efficiencies and reduce costs
• Consistent themes across regulations

Slide 9: Secure Re-platforming

Slide 10: Securely Deploying Couchbase
(Network diagram, outside to inside)
• Outside network: end users & hack3rs
• External firewall: packet filtering, blocking malicious IPs; allow web server ingress and egress ports
• Perimeter network: web and mobile apps, load balancer, web server
• Internal firewall: allow Couchbase ingress and egress ports
• Internal network: Couchbase cluster; allow Couchbase node-to-node ports on the local internal network; IT admins & app developers, IT admin & DBA

Slide 11: Questions from the field
(Diagram: Prod, Dev/QA/Test, storage, backup server, sensitive data, hAck3rs, XDCR to a remote cluster)
• Which ports are open through the firewall?
• What if an operator steals a disk?
• Is sensitive data encrypted?
• Is there admin access and data access separation?
• Is your data encrypted in the cloud?
• Are backups encrypted?
• Is XDCR secure?
• What vulnerabilities?

Slide 12: Couchbase security features
Timeline columns: Previous…, In 2.2, In 2.5, In 3.0, New in 4.0
Earlier releases (in the order shown on the slide): SASL AuthN with bucket passwords; Admin user; Secure build platform; Read-only user; Easy admin password reset; Non-root user deployments; Secure communication for XDCR; Encrypted client-server communication; Encrypted admin access; Access log; Data-at-rest encryption
New in 4.0 (covered in a few slides):
• Simplified compliance with admin auditing
• External identity management for admins using LDAP

Slide 13: Couchbase authentication overview
• Application authentication
  • Buckets are protected with the challenge-response SASL protocol
  • AuthN takes place over CRAM-MD5
• Admin authentication
  • Authentication through admin username and password
  • Authentication through LDAP (new in 4.0)
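The challenge-response exchange slide 13 describes, worked through in Python as an added example that is not part of the deck and not Couchbase's own code: the server mints a fresh challenge, the client answers with the bucket name and an HMAC-MD5 of that challenge keyed by the bucket password, and the server recomputes the same value from the password it holds. The bucket name, password and hostname are constructed sample values. The point for a defender is what CRAM-MD5 gives and what it does not: the password never crosses the wire and a captured response cannot be replayed against a new challenge, but the server must keep a password it can key HMAC with, and nothing in this exchange protects the data that follows, which is why the SSL options on slide 16 matter.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample: bucket name -> bucket password, as the server side
# would hold them. Hypothetical values, not Couchbase's storage format.
BUCKET_PASSWORDS = {"default": "s3cret-bucket-pw"}


def make_challenge(hostname="couchbase.example.invalid"):
    """Server side: mint a fresh, unpredictable challenge in RFC 2195 style."""
    nonce = secrets.token_hex(8)
    return f"<{nonce}.{int(time.time())}@{hostname}>".encode("ascii")


def client_response(bucket, password, challenge):
    """Client side: prove knowledge of the password without transmitting it.

    The response is '<bucket> <hex HMAC-MD5(key=password, msg=challenge)>'.
    """
    digest = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return f"{bucket} {digest}".encode("ascii")


def server_verify(response, challenge, password_for=BUCKET_PASSWORDS.get):
    """Server side: recompute the HMAC from the stored password and compare.

    Returns False for malformed responses, unknown buckets, wrong passwords
    and responses computed against a different (e.g. replayed) challenge.
    """
    try:
        bucket, digest = response.decode("ascii").split(" ", 1)
    except (UnicodeDecodeError, ValueError):
        return False
    password = password_for(bucket)
    if password is None:
        return False
    expected = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    # Constant-time comparison so timing does not leak how many hex digits matched.
    return hmac.compare_digest(expected, digest)


def cram_md5_exchange(bucket, password):
    """Run one complete exchange; returns (challenge, response, accepted)."""
    challenge = make_challenge()
    response = client_response(bucket, password, challenge)
    return challenge, response, server_verify(response, challenge)


if __name__ == "__main__":
    challenge, response, accepted = cram_md5_exchange("default", "s3cret-bucket-pw")
    print("challenge:", challenge.decode())
    print("response: ", response.decode())
    print("accepted: ", accepted)
    # A captured response is useless against the next challenge.
    print("replayed: ", server_verify(response, make_challenge()))
```

Running the block prints one exchange and shows the replay of the same response against a new challenge being rejected.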
Slide 14: Couchbase authorization overview
• Application data access
  • Full access to the bucket the application is connected to
• Admin access
  • Full administrator has full privileges on the cluster
  • Read-only administrator cannot change cluster settings

Slide 15: Couchbase encryption overview
• Encryption at the application
  • Leverage Vormetric encryption and key management
  • APIs, libraries and sample code in Java, .NET, C/C++
(Diagram: Application with Vormetric Application Encryption (VAE), encryption key request/response* with the DSM; client-server SSL)

Slide 16: Couchbase encryption overview
• Data-in-motion encryption
  • Client-server communication can be encrypted using SSL
  • Secure admin access using SSL over port 18091
  • Secure view access using SSL over port 18092
  • Secure XDCR for encryption across datacenters
(Diagram: Couchbase Server – New York (servers 1 to 3) and Couchbase Server – London (servers 1 to 3) linked by secure XDCR over SSL; client applications over SSL; admin access over port 18091 SSL, https://couchbase_server:18091/…; view access over port 18092 SSL, https://couchbase_server:18092/…; track all access)

Slide 17: Couchbase encryption overview
• Transparent data-at-rest encryption solution
(Diagram of the stack: application, database, user, file systems, volume managers, storage, with the DSM alongside)
Vormetric Data Security Manager (DSM), on enterprise premises or in the cloud, as a virtual or physical appliance
• Centrally manage keys and policy
• Virtual and physical appliance
• High availability with cluster
• Multi-tenant and strong separation of duties
• Proven 10,000+ device and key management scale
• Web, CLI, API interfaces
• FIPS 140-2 certified
Secure personally identifiable information
• User profile information
• Login credentials
• IP addresses

Slide 18: Simplifying Security Compliance: What’s new in security in Couchbase 4.0

Slide 19: External identity management using LDAP
Centralized identity management
• Define multiple read-only admins and full admins
• Centralized security policy management for admin accounts for stronger passwords, password rotation, and auto lockouts
Individual accountability. Simplified compliance.
• Define UIDs in LDAP, and map UIDs to the read-only / full admin role in Couchbase
• Comprehensive audit trails with LDAP UIDs in audit records

Slide 20: LDAP architecture in Couchbase
(Flow diagram) The admin presents a UID/password; Couchbase hands it to saslauthd over the SASL protocol. Depending on the saslauthd config file ("check in LDAP? yes/no"), the credentials are checked either in LDAP (UIDs defined in LDAP, reached over the OpenLDAP protocol) or in the admin password file. The outcome is Authentication SUCCESS! or Authentication FAILED!

Slide 21: New UI for authorizing LDAP administrators
• Turn LDAP on/off
• Add UIDs to read-only admins
• Add UIDs to full admins
• Set default behavior if a UID is not mapped
• Test credentials to verify the level of access
• Plus REST and CLI integration for programmatic setup

Slide 22: Admin Auditing in Couchbase
Rich audit events
• Over 25 different, detailed admin audit events
• Auditing for tools including backup
Configurable auditing
• Configurable file target
• Support for time-based log rotation and audit filtering
Easy integration
• JSON format allows for easy integration with downstream systems using flume, logstash, and syslogd

Slide 23: Auditing a successful login
{
  "timestamp":"2015-02-20T08:48:49.408-08:00",
  "id":8192,
  "name":"login success",
  "description":"Successful login to couchbase cluster",
  "role":"admin",
  "real_userid": { "source":"ns_server", "user":"bjones" },
  "sessionid":"0fd0b5305d1561ca2b10f9d795819b2e",
  "remote":{"ip":"172.23.107.165", "port":59383}
}
(The slide annotates the record with WHEN, WHO, WHAT and HOW.)
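Slide 22 says the JSON audit format exists so that downstream systems can consume it, and slide 23 shows one record. As an added example that is not from the deck and not Couchbase's own tooling, here is a small Python consumer for a newline-delimited audit file: it flattens each record into the slide's WHEN/WHO/WHAT/HOW fields, skips malformed lines, counts sessions per admin, and flags successful logins whose remote address lies outside the admin networks implied by the deployment diagram on slide 10. The first log line is the slide's own record; the other lines and the 172.23.0.0/16 admin network are constructed assumptions.

```python
import ipaddress
import json

# Constructed sample audit file. Line 1 is the record shown on slide 23;
# lines 2 and 3 are made up here to exercise the checks; line 4 is
# deliberately not JSON to show that a bad line is skipped, not fatal.
SAMPLE_AUDIT_LOG = """\
{"timestamp":"2015-02-20T08:48:49.408-08:00","id":8192,"name":"login success","description":"Successful login to couchbase cluster","role":"admin","real_userid":{"source":"ns_server","user":"bjones"},"sessionid":"0fd0b5305d1561ca2b10f9d795819b2e","remote":{"ip":"172.23.107.165","port":59383}}
{"timestamp":"2015-02-20T09:02:11.001-08:00","id":8192,"name":"login success","description":"Successful login to couchbase cluster","role":"admin","real_userid":{"source":"ns_server","user":"bjones"},"sessionid":"CONSTRUCTED-SESSION-1","remote":{"ip":"203.0.113.7","port":50212}}
{"timestamp":"2015-02-20T09:05:40.550-08:00","id":8192,"name":"login success","description":"Successful login to couchbase cluster","role":"admin","real_userid":{"source":"ns_server","user":"asmith"},"sessionid":"CONSTRUCTED-SESSION-2","remote":{"ip":"172.23.107.9","port":50300}}
this line is not JSON and must be skipped
"""

# Assumption: admins reach the cluster only from the internal network of
# slide 10; the prefix itself is a constructed example value.
ADMIN_NETWORKS = [ipaddress.ip_network("172.23.0.0/16")]


def parse_audit_line(line):
    """Flatten one audit record into when/who/what/how fields, or None if unusable."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(rec, dict) or "timestamp" not in rec:
        return None
    who = rec.get("real_userid") or {}
    remote = rec.get("remote") or {}
    return {
        "when": rec["timestamp"],
        "who": who.get("user"),
        "source": who.get("source"),
        "what": rec.get("name"),
        "event_id": rec.get("id"),
        "role": rec.get("role"),
        "session": rec.get("sessionid"),
        "ip": remote.get("ip"),
        "port": remote.get("port"),
    }


def parse_audit_log(text):
    """Parse newline-delimited JSON, dropping blank and malformed lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_audit_line(line)
        if rec is not None:
            records.append(rec)
    return records


def logins_outside_admin_networks(records, networks=ADMIN_NETWORKS):
    """Return successful logins whose source address is not in an admin network."""
    flagged = []
    for rec in records:
        if rec["what"] != "login success" or rec["ip"] is None:
            continue
        try:
            addr = ipaddress.ip_address(rec["ip"])
        except ValueError:
            flagged.append(rec)  # unparseable address: surface it rather than hide it
            continue
        if not any(addr in net for net in networks):
            flagged.append(rec)
    return flagged


def sessions_per_user(records):
    """Count distinct successful-login sessions per admin UID."""
    sessions = {}
    for rec in records:
        if rec["what"] == "login success" and rec["who"]:
            sessions.setdefault(rec["who"], set()).add(rec["session"])
    return {user: len(ids) for user, ids in sessions.items()}


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for r in logins_outside_admin_networks(recs):
        print(f"{r['when']} {r['who']} logged in from {r['ip']} (outside admin networks)")
    print(sessions_per_user(recs))
```

The same flattening is what a logstash or flume pipeline would do before forwarding to a SIEM; the network check is the kind of rule a reviewer would put on top of the forwarded records, with the allowed prefixes taken from the real deployment rather than the sample here.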
Slide 24: What’s next?

Slide 25: Security Roadmap
Today: Simplified compliance
• Simplified compliance with an auditing framework for admin actions
• External identity management for admins with enterprise-standard identity management tools through LDAP
Next: Fine-grain authorization
• Users, roles and permissions for admins and applications
Future: Advanced compliance
• Application auditing
• External authentication for applications
* The following is intended to outline our general product direction. It is intended for information purposes and is only a plan.

Slide 26: Demo: Couchbase admin auditing & Splunk security reporting

Slide 27: Thank you
don@couchbase.com | @NoSQLDon