CTD Enabling Secure Hadoop Environments -...

1©Cloudera,Inc.Allrightsreserved.

FredKoopmansSr.DirectorofProductManagement

EnablingSecureHadoopEnvironments

2©Cloudera,Inc.Allrightsreserved.©Cloudera,Inc.Allrightsreserved.

Thefutureofgovernmentisdatamanagement

What’syourstrategy?

Cloudera’sEnterpriseDataHubmakesitpossible

Bringallyourdatatogether

Bringallyourknowledgeworkerstogether

Bringallyourdataapplicationstogether

Runanywhere

But,anEDHcanalsomakeajuicytarget

Alldatainoneplace?

Provideeveryoneaccesstooneplatform?

HowdoIensuresecurity?

HowdoImaintainsecurityastheplatformgrows?

4focusareasforsecuringyourHadoopenvironment

AccessDefiningwhatusersandapplicationscan

dowithdata

TechnicalConcepts:PermissionsAuthorization

DataProtectingdatainthe

clusterfromunauthorizedvisibility

TechnicalConcepts:Encryption,Keymanagement,Datamasking

VisibilityReportingonwheredatacamefromandhowit’sbeingused

TechnicalConcepts:AuditingLineage

PerimeterGuardingaccesstothe

clusteritself

TechnicalConcepts:Authentication

Networkisolation

PerimeterSecurityRequirements

PreserveuserchoiceofHadoopservice

Conformtocentrallymanagedauthenticationpolicies

Implementwithexistingstandardsystems

ClouderaManager

clusteritself

Networkisolation

Authentication

• Kerberosauthentication• AutomationprovidedbyClouderaManagertoleverageActiveDirectory

CDHcomponents

• LDAPandSAMLauthentication

WebUIs

• LDAPandKerberosauthentication

SQLAccess

Userauthenticates

Authenticatedusergets

KerberosTicket

TicketgrantsaccesstoServices

e.g.ImpalaUser[ssmith]Password[*****]

NetworkIsolation

EdgeNodes

WebServers

Onlyadmins permittedaccesstofullcluster

Mostusersonlypermittedaccesstogatewayservicesrunningonclusterperiphery

AccessSecurityRequirements

Keeponlyonelogicalcopyofdata

Createonlyonepermissionsruleforallapplicationsandallcomputeframeworks

Enforcepermissionsatcolumnandrowlevelgranularity

dowithdata

InfoSecConcept:Authorization

ApacheSentry,RecordService

FilesystemHDFS

HIVE,IMPALA

SPARK,MR

EarlydaysofHadoop:Storagepermissionsonly

• Simple“AllorNothing”permissionsforeachfile/table

But...• Tablesoftencontain10s– 100sofcolumns• Notallusersareallowedtoseeallcolumnsandrows

APPS DATAMEER SASPLATFORA TABLEAU ETC...

Usecasesforfine-grainedaccesscontrol

Columns• Differentusergroupsneedaccesstodifferentcolumns(ex:socialsecuritynumbers)

Rows• Differentusergroupsneedaccesstodifferentrecords(ex:bysecurityclearancelevel)

FilesystemHDFS

HIVE,IMPALA

SPARK,MR

Fewyearsago:Storagepermissions+SQLAuth.

• Addscolumnandrow-levelpermissions

But...• Createsduplicatedata,duplicatepermissionsrulestosupportSparkandMR

ApacheSentry

FilesystemHDFS

APACHESENTRY,RECORDSERVICE

HIVE,IMPALA

SPARK,MR

UpNext:ApacheSentry+RecordService*workingtogether

• ColumnandRow-levelPermissions• Onecopyofdata• Onesetofpermissions

*inbeta

Fine-grainedaccesscontrolwithout Sentry&RecordService*

Date/time Accnt # SSN Asset Trade Country

09:33:11 16-Feb-2015

0234837823 238-23-9876

AZP Sell US

11:33:0116-Feb-2015

3947848494 329-44-9847

TBT Buy EU

14:12:3416-Feb-2015

4848367383 123-56-2345

IDI Sell UK

09:22:03 16-Feb-2015

3485739384 585-11-2345

ICBD Buy US

11:55:3316-Feb-2015

3847598390 234-11-8765

FWQ Buy US

10:22:55 16-Feb-2015

8765432176 344-22-9876

UAD Buy UK

13:45:24 16-Feb-2015

3456789012 412-22-8765

NZMA Sell EU

09:03:4416-Feb-2015

4857389329 123-44-5678

TMV Buy US

15:55:5516-Feb-2015

4756983234 234-76-9274

DRW Buy UK

14:12:3416-Feb-2015

4848367383 123-56-2345

IDI Sell UK

10:22:55 16-Feb-2015

8765432176 344-22-9876

UAD Buy UK

15:55:5516-Feb-2015

4756983234 234-76-9274

DRW Buy UK

11:33:0116-Feb-2015

3947848494 329-44-9847

TBT Buy EU

13:45:24 16-Feb-2015

3456789012 412-22-8765

NZMA Sell EU

09:33:11 16-Feb-2015

0234837823 238-23-9876

AZP Sell US

09:22:03 16-Feb-2015

3485739384 585-11-2345

ICBD Buy US

11:55:3316-Feb-2015

3847598390 234-11-8765

FWQ Buy US

09:03:4416-Feb-2015

4857389329 123-44-5678

TMV Buy US

• SplittheHDFSpermissionsoriginalfile• Usetolimitaccess

Fine-grainedaccesscontrolwith Sentry&RecordService*

• Sentry:Definepermissionsatthetable,columnandrowlevels• Sentry+RecordService:Enforcetheseacrossallaccesspaths

09:33:11 16-Feb-2015

0234837823 238-23-9876

AZP Sell US

11:33:0116-Feb-2015

3947848494 329-44-9847

TBT Buy EU

14:12:3416-Feb-2015

4848367383 123-56-2345

IDI Sell EU

09:22:03 16-Feb-2015

3485739384 585-11-2345

ICBD Buy US

11:55:3316-Feb-2015

3847598390 234-11-8765

FWQ Buy US

10:22:55 16-Feb-2015

8765432176 344-22-9876

UAD Buy EU

13:45:24 16-Feb-2015

3456789012 412-22-8765

NZMA Sell EU

Column-LevelControls

Row-LevelCon

09:33:11 16-Feb-2015

0234837823 238-23-9876

AZP Sell US

11:33:0116-Feb-2015

3947848494 329-44-9847

TBT Buy group2

14:12:3416-Feb-2015

4848367383 123-56-2345

IBM Sell group3

09:22:03 16-Feb-2015

3485739384 585-11-2345

ICBD Buy US

11:55:3316-Feb-2015

3847598390 234-11-8765

FWQ Buy US

10:22:55 16-Feb-2015

8765432176 344-22-9876

UA Buy group3

13:45:24 16-Feb-2015

3456789012 412-22-8765

AMZN Sell group2

Column-LevelControls

Row-LevelCon

XXX-XX

WhatU.S.BrokersSee

Hive,Impala,MR,Spark,Pig

SingleHDFSfile:

VisibilitySecurityRequirements

Complywithpoliciesforaudit,dataclassification,andlineage

Centralizetheauditrepository

InfoSecConcept:AuditingLineage

ClouderaNavigator

Audit&LineageTrustedforproduction• 100sofcustomerdeploymentsofClouderaNavigatoroverlast3+years

Compliance-ready• OnlyHadoopdistributiontopassPCIaudit

Detailed• Columnandrowlevelaccesstrail

Playsnicelywithothers• Integratedwiththeleadingpartnersolutions

DataSecurityRequirements

Performanalyticsonregulateddata

Encryptdata,conformtokeymanagementpolicies,protectfromroot

IntegratewithexistingHSMaspartofkeymanagementinfrastructure

InfoSecConcept:Encryption,Keymanagement,Datamasking

NavigatorEncrypt&KeyTrustee

ComprehensiveDataSecurity

Manager Navigator

Impala Hive

HDFS HBase

Sentry

NavigatorKeyTrustee

LogFiles

MetadataStore

EncryptedData

EncryptionKey

Legend

IngestPaths,Temp/Spillfiles

HSM(optional)

ALLdataonthewire• ALLdataatrest:HDFS,HBase,metadatadatabases,tempfiles,ingestpaths

• Automatedkeyreplication&backup• HSMbackedkeyprotection

• Sensitivedatainlogs• Passwordsinconfig files

Encryption

KeyManagement

DataMasking

Cloudera’scomprehensive,compliance-readysecuritysolution

dowithdata

TechnicalConcepts:PermissionsAuthorization

TechnicalConcepts:Encryption,Keymanagement,Datamasking

TechnicalConcepts:AuditingLineage

ClouderaManager ApacheSentry&RecordService

ClouderaNavigator NavigatorEncrypt&KeyTrustee

clusteritself

Networkisolation

Beyondtraditionalsecuritycontrols

Automateddiscoveryandtaggingofsensitivedata• Automaticallyscanforprotectedattributetypes• Automaticallyapplyauthorizationandencryptionpolicy

“Followthedata”authorizationandprotectionpolicies• Leveragelineagedatataggingenforceauthorizationandencryptionpolicy• Eliminatemanualconfigurationofsecurityforeachnewtableandcolumn

Adminsfocusedonexceptionhandlingduetoinsufficientaccess

ThankyouThankYouFredKoopmans

CTD Enabling Secure Hadoop Environments -...

Documents

Transcript of CTD Enabling Secure Hadoop Environments -...

Apache Hadoop YARN Enabling next generation data applications

Enabling Engagement: Building Relationships Across Channels In Complex Environments

Assessing Business Enabling Environments: How Gender ...€¦ · Assessing Business Enabling Environments: How Gender Changes the Equation ... It has become clear that macro-, meso-

Enabling creativity in learning environments: lessons from ...sro.sussex.ac.uk/49395/1/Enabling_Creativity.pdf · Enabling Creativity in Learning Environments: Lessons From the CREANOVA

Data streaming in Hadoop - diva-portal.org927113/FULLTEXT01.pdf · data streaming in hadoop a study of real time data pipeline integration between hadoop environments and external

Project NEMO - towards empathy-enabling digital environments

Hadoop World: Enabling ad-hoc Analytics at Web Scale

Enabling the Internet of Things with Real-time Hadoop

KEYNOTE: Enabling Scalable Search, Discovery and Analytics with Solr,Mahout and Hadoop

ENABLING ENVIRONMENTS ENHANCED PROVISION Nature watch

Enabling Java in Latency Sensitive Environments · 2020-04-24 · Enabling Java in Latency Sensitive Environments Matt Schuetze, Product Manager, Azul Systems DotCMS Bootcamp, Nashville,

The DOG Gateway Enabling Ontology-based Intelligent Domotic Environments

Enabling Environments for Clean Energy Technology Transfer

Exploring enabling literacy environments: Young children’s ...shura.shu.ac.uk/11859/4/__staffhome.hallam.shu.ac.uk_STAFFHOME… · Exploring enabling literacy environments: Young

Chapter 12: Enabling environments to support healthy and ... · 25/9/2015 · Chapter 12: Enabling environments to support healthy and safe behaviours SUMMARY POINTS · Noncommunicable

Inclusive Education Module 1 Enabling Environments.

Ensuring QoS in Multi-tenant Hadoop Environments

Map/Reduce on Lustre Hadoop Performance in HPC Environments

FORGING NEED -BASED, DEMAND-DRIVEN PARTNERSHIPS National Enabling Environments … · 2016-12-23 · FORGING NEED -BASED, DEMAND-DRIVEN PARTNERSHIPS National Enabling Environments

Enabling Environments