Exclusively through Cloudera OnDemand, Cloudera Security Training introduces you to the tools and techniques that Cloudera's solution architects use to protect the clusters our customers rely on for critical machine learning and analytics workloads. This webinar will give you a sneak peek at our new on-demand security course and show you the immense scope of Cloudera training. From authentication and authorization to encryption, auditing, and everything in between, this course gives you the skills you need to properly secure your Cloudera cluster.

1. SECURITY TRAINING OVERVIEW
Tom Wheeler

2. 2© 2018 Cloudera, Inc. All rights reserved.
Big data training delivered by industry experts
In-Person | Virtual Classroom | OnDemand | Blended Learning
university.cloudera.com

3. 3© 2018 Cloudera, Inc. All rights reserved.
AGENDA
About the Cloudera Security Training course
Presentation: Based on material from the Cloudera Security Training course
Conclusion

4. 4© 2018 Cloudera, Inc. All rights reserved.
PURPOSE
Why this course is valuable
• Teaches important aspects of security in Cloudera's platform
• Covers relevant tools and technologies
• Makes your Cloudera professional services engagement more productive

5. 5© 2018 Cloudera, Inc. All rights reserved.
FORMAT
How this course is delivered
• Cloudera Security Training is available exclusively through Cloudera
OnDemand
• Learn at your own pace
Cloudera
OnDemand
Cloudera’s world-class training courses. Available anytime,
anywhere.

6. 6© 2018 Cloudera, Inc. All rights reserved.
FEATURES OF CLOUDERA ONDEMAND
• Start and pause
the videos
• Control playback
speed
• Read or search
the transcript
• Participate in
online discussion

7. 7© 2018 Cloudera, Inc. All rights reserved.
INTENDED AUDIENCE
Who should take this course
• System administrators and those in similar roles
• Experience performing system administration tasks in Linux
• Must understand the basics of the platform (CDH and Cloudera Manager)
• Recommended prerequisite: Cloudera Administrator Training
• No background in computer security is necessary

8. 8© 2018 Cloudera, Inc. All rights reserved.
LEARNING OBJECTIVES (1)
What skills will you gain
• To describe security in the context of Hadoop
• To assess threats to a production Hadoop cluster
• To plan and deploy defenses against these threats
• To improve the security of each node in the cluster
• To monitor a cluster for suspicious activity
• To perform common key management tasks

9. 9© 2018 Cloudera, Inc. All rights reserved.
LEARNING OBJECTIVES (2)
What skills will you gain
• To use encryption for protecting data in motion and at rest
• To configure strong authentication with Kerberos and Active Directory
• To use permissions and ACLs to control access to files in HDFS
• To use platform authorization features to control data access
• To understand additional security considerations, including auditing, data
governance, and disaster recovery

10. 10© 2018 Cloudera, Inc. All rights reserved.
COURSE OUTLINE
What we cover in the course
• Security Overview
• Security Architecture
• Host Security
• Encrypting Data in Motion
• Authentication
• Authorization
• Encrypting Data at Rest
• Additional Considerations

11. 11© 2018 Cloudera, Inc. All rights reserved.
AGENDA
About the Cloudera Security Training course
Presentation: Based on material from the Cloudera Security Training course
Conclusion

12. 12© 2018 Cloudera, Inc. All rights reserved.
WHAT DO YOU NEED TO PROTECT?
• Business
• Merger or acquisition targets
• Customer information
• Product roadmap
• Trade secrets
• Government
• Ongoing criminal investigations
• Military strategies and capabilities
• Healthcare
• Medical records
• Charities
• Donor lists
• Education
• Student records
• Financial aid information

13. 13© 2018 Cloudera, Inc. All rights reserved.
WHY SECURITY MATTERS
• Laws
• Industry regulations
• Contractual obligations
• Customer expectations

14. 14© 2018 Cloudera, Inc. All rights reserved.
SECURITY IS A PROCESS

15. 15© 2018 Cloudera, Inc. All rights reserved.
EXAMPLE: EVALUATING RISK AND PLANNING DEFENSES
• Asset: Table containing customer records
• Risk: Unauthorized party gains access to sensitive data
• Potential damages
• Loss of customer trust
• Regulatory non-compliance
• Possible defenses
• Improve perimeter security
• Limit access to database
• Encrypt sensitive data

16. 16© 2018 Cloudera, Inc. All rights reserved.
DESIGN CONSIDERATION: LAYERED SECURITY
Also known as the castle approach
• Any individual line of defense may fail
• Solution: Use multiple layers of defense
• Redundancy can improve security
• Consider multiple areas of concern, such as
• Physical security
• Technology
• Processes
• People

17. 17© 2018 Cloudera, Inc. All rights reserved.
DESIGNING FOR MULTIPLE LAYERS OF SECURITY
• Physical security
• Upgrade door locks and alarm system
• Technology
• Implement BIOS password and filesystem encryption
• Process
• Establish procedures for routine auditing and offsite backup
• People
• Train employees to report suspicious incidents and hire staff to respond to them
Example solutions for protecting a data center

18. 18© 2018 Cloudera, Inc. All rights reserved.
CONCEPT: ACCESS CONTROL
• Relies on two abilities
• Authentication: Positively identifying each user
• Authorization: Determining level of access granted to each user
Allowing appropriate level of access to the “right” people

19. 19© 2018 Cloudera, Inc. All rights reserved.
AUTHENTICATION: KERBEROS
• Kerberos is a mature protocol for network authentication
• Started at MIT in 1980s
• Widely used in large UNIX networks in the 1990s
• Part of Microsoft Active Directory
• Provides the foundation for strong authentication in Hadoop

20. 20© 2018 Cloudera, Inc. All rights reserved.
AUTHORIZATION: APACHE SENTRY
• Provides fine-grained role-based access control for multiple applications
• Apache Hive
• Apache Impala
• Apache Solr
• Apache Kafka
• Relies on underlying authentication system
• On secured clusters, Kerberos authenticates the users
• Can also enforce restrictions on underlying data in HDFS

21. 21© 2018 Cloudera, Inc. All rights reserved.
CONCEPT: CRYPTOGRAPHY
The science of hidden communication
• Encryption transforms data so that it is meaningless without a key
• We can keep encrypted data confidential by restricting access to the key need to decrypt it

22. 22© 2018 Cloudera, Inc. All rights reserved.
PROTECTING DATA IN MOTION: TLS
Transport Layer Security
• TLS protects data during transit
• Relies on encryption
• Provides confidentiality and integrity
• Uses digital certificates for identity verification
• Makes spoofing attacks difficult

23. 23© 2018 Cloudera, Inc. All rights reserved.
TLS SUPPORT IN CLOUDERA MANAGER
• Configuring Cloudera Manager for TLS protects data in motion
• Three cumulative levels of TLS support
1. Encryption only
2. Encryption, plus server-side certificate validation
3. Encryption, plus server-side and client-side certificate validation

24. 24© 2018 Cloudera, Inc. All rights reserved.
PROTECTING DATA AT REST: HDFS DATA ENCRYPTION
• Transparent encryption for data stored in HDFS
• Uses industry-standard AES cipher
• Takes advantage of AES-NI processor instruction set
• Low overhead on modern hardware
• Protects data in designated encryption zones

25. 25© 2018 Cloudera, Inc. All rights reserved.
PROTECTING DATA AT REST: CLOUDERA NAVIGATOR ENCRYPT
• Used to protect local directories containing sensitive data
• Log files
• Application databases
• Temporary files created during processing

26. 26© 2018 Cloudera, Inc. All rights reserved.
AGENDA
About the Cloudera Security Training course
Presentation: Based on material from the Cloudera Security Training course
Conclusion

27. THANK YOU