CTD Enabling Secure Hadoop Environments -...

1©Cloudera,Inc.Allrightsreserved.

FredKoopmansSr.DirectorofProductManagement

EnablingSecureHadoopEnvironments


2©Cloudera,Inc.Allrightsreserved.©Cloudera,Inc.Allrightsreserved.

Thefutureofgovernmentisdatamanagement

What’syourstrategy?


Cloudera’sEnterpriseDataHubmakesitpossible

Bringallyourdatatogether

Bringallyourknowledgeworkerstogether

Bringallyourdataapplicationstogether

Runanywhere


But,anEDHcanalsomakeajuicytarget

Alldatainoneplace?

Provideeveryoneaccesstooneplatform?

HowdoIensuresecurity?

HowdoImaintainsecurityastheplatformgrows?


4focusareasforsecuringyourHadoopenvironment

AccessDefiningwhatusersandapplicationscan

dowithdata

TechnicalConcepts:PermissionsAuthorization

DataProtectingdatainthe

clusterfromunauthorizedvisibility

TechnicalConcepts:Encryption,Keymanagement,Datamasking

VisibilityReportingonwheredatacamefromandhowit’sbeingused

TechnicalConcepts:AuditingLineage

PerimeterGuardingaccesstothe

clusteritself

TechnicalConcepts:Authentication

Networkisolation


PerimeterSecurityRequirements

PreserveuserchoiceofHadoopservice

Conformtocentrallymanagedauthenticationpolicies

Implementwithexistingstandardsystems

ClouderaManager


clusteritself


Networkisolation


Authentication

• Kerberosauthentication• AutomationprovidedbyClouderaManagertoleverageActiveDirectory

CDHcomponents

• LDAPandSAMLauthentication

WebUIs

• LDAPandKerberosauthentication

SQLAccess

Userauthenticates

toAD

Authenticatedusergets

KerberosTicket

TicketgrantsaccesstoServices

e.g.ImpalaUser[ssmith]Password[*****]


NetworkIsolation

EdgeNodes

WebServers

Onlyadmins permittedaccesstofullcluster

Mostusersonlypermittedaccesstogatewayservicesrunningonclusterperiphery


AccessSecurityRequirements

Keeponlyonelogicalcopyofdata

Createonlyonepermissionsruleforallapplicationsandallcomputeframeworks

Enforcepermissionsatcolumnandrowlevelgranularity


dowithdata

InfoSecConcept:Authorization

ApacheSentry,RecordService


FilesystemHDFS

STORA

GECO

MPU

TE

HIVE,IMPALA

SPARK,MR

EarlydaysofHadoop:Storagepermissionsonly

• Simple“AllorNothing”permissionsforeachfile/table

But...• Tablesoftencontain10s– 100sofcolumns• Notallusersareallowedtoseeallcolumnsandrows

APPS DATAMEER SASPLATFORA TABLEAU ETC...


Usecasesforfine-grainedaccesscontrol

Columns• Differentusergroupsneedaccesstodifferentcolumns(ex:socialsecuritynumbers)

Rows• Differentusergroupsneedaccesstodifferentrecords(ex:bysecurityclearancelevel)


FilesystemHDFS

STORA

GECO

MPU

TE

HIVE,IMPALA

SPARK,MR

Fewyearsago:Storagepermissions+SQLAuth.

• Addscolumnandrow-levelpermissions

But...• Createsduplicatedata,duplicatepermissionsrulestosupportSparkandMR


ApacheSentry

X


FilesystemHDFS

STORA

GE

APACHESENTRY,RECORDSERVICE

COMPU

TE

HIVE,IMPALA

SPARK,MR

UpNext:ApacheSentry+RecordService*workingtogether

• ColumnandRow-levelPermissions• Onecopyofdata• Onesetofpermissions


*inbeta


Fine-grainedaccesscontrolwithout Sentry&RecordService*

Date/time Accnt # SSN Asset Trade Country

09:33:11 16-Feb-2015

0234837823 238-23-9876

AZP Sell US

11:33:0116-Feb-2015

3947848494 329-44-9847

TBT Buy EU

14:12:3416-Feb-2015

4848367383 123-56-2345

IDI Sell UK

09:22:03 16-Feb-2015

3485739384 585-11-2345

ICBD Buy US

11:55:3316-Feb-2015

3847598390 234-11-8765

FWQ Buy US

10:22:55 16-Feb-2015

8765432176 344-22-9876

UAD Buy UK

13:45:24 16-Feb-2015

3456789012 412-22-8765

NZMA Sell EU

09:03:4416-Feb-2015

4857389329 123-44-5678

TMV Buy US

15:55:5516-Feb-2015

4756983234 234-76-9274

DRW Buy UK


14:12:3416-Feb-2015

4848367383 123-56-2345

IDI Sell UK

10:22:55 16-Feb-2015

8765432176 344-22-9876

UAD Buy UK

15:55:5516-Feb-2015

4756983234 234-76-9274

DRW Buy UK


11:33:0116-Feb-2015

3947848494 329-44-9847

TBT Buy EU

13:45:24 16-Feb-2015

3456789012 412-22-8765

NZMA Sell EU


09:33:11 16-Feb-2015

0234837823 238-23-9876

AZP Sell US

09:22:03 16-Feb-2015

3485739384 585-11-2345

ICBD Buy US

11:55:3316-Feb-2015

3847598390 234-11-8765

FWQ Buy US

09:03:4416-Feb-2015

4857389329 123-44-5678

TMV Buy US

• SplittheHDFSpermissionsoriginalfile• Usetolimitaccess


Fine-grainedaccesscontrolwith Sentry&RecordService*

• Sentry:Definepermissionsatthetable,columnandrowlevels• Sentry+RecordService:Enforcetheseacrossallaccesspaths


09:33:11 16-Feb-2015

0234837823 238-23-9876

AZP Sell US

11:33:0116-Feb-2015

3947848494 329-44-9847

TBT Buy EU

14:12:3416-Feb-2015

4848367383 123-56-2345

IDI Sell EU

09:22:03 16-Feb-2015

3485739384 585-11-2345

ICBD Buy US

11:55:3316-Feb-2015

3847598390 234-11-8765

FWQ Buy US

10:22:55 16-Feb-2015

8765432176 344-22-9876

UAD Buy EU

13:45:24 16-Feb-2015

3456789012 412-22-8765

NZMA Sell EU

Column-LevelControls

Row-LevelCon

trols


09:33:11 16-Feb-2015

0234837823 238-23-9876

AZP Sell US

11:33:0116-Feb-2015

3947848494 329-44-9847

TBT Buy group2

14:12:3416-Feb-2015

4848367383 123-56-2345

IBM Sell group3

09:22:03 16-Feb-2015

3485739384 585-11-2345

ICBD Buy US

11:55:3316-Feb-2015

3847598390 234-11-8765

FWQ Buy US

10:22:55 16-Feb-2015

8765432176 344-22-9876

UA Buy group3

13:45:24 16-Feb-2015

3456789012 412-22-8765

AMZN Sell group2

Column-LevelControls

Row-LevelCon

trols

XXX-XX

XXX-XX

XXX-XX

WhatU.S.BrokersSee

Hive,Impala,MR,Spark,Pig

SingleHDFSfile:


VisibilitySecurityRequirements

Complywithpoliciesforaudit,dataclassification,andlineage

Centralizetheauditrepository


InfoSecConcept:AuditingLineage

ClouderaNavigator


Audit&LineageTrustedforproduction• 100sofcustomerdeploymentsofClouderaNavigatoroverlast3+years

Compliance-ready• OnlyHadoopdistributiontopassPCIaudit

Detailed• Columnandrowlevelaccesstrail

Playsnicelywithothers• Integratedwiththeleadingpartnersolutions


DataSecurityRequirements

Performanalyticsonregulateddata

Encryptdata,conformtokeymanagementpolicies,protectfromroot

IntegratewithexistingHSMaspartofkeymanagementinfrastructure



InfoSecConcept:Encryption,Keymanagement,Datamasking

NavigatorEncrypt&KeyTrustee


ComprehensiveDataSecurity

Manager Navigator

Impala Hive

HDFS HBase

Sentry

NavigatorKeyTrustee

LogFiles

MetadataStore

EncryptedData

EncryptionKey

Legend

IngestPaths,Temp/Spillfiles

HSM(optional)

ALLdataonthewire• ALLdataatrest:HDFS,HBase,metadatadatabases,tempfiles,ingestpaths

• Automatedkeyreplication&backup• HSMbackedkeyprotection

• Sensitivedatainlogs• Passwordsinconfig files

Encryption

KeyManagement

DataMasking


Cloudera’scomprehensive,compliance-readysecuritysolution


dowithdata

TechnicalConcepts:PermissionsAuthorization



TechnicalConcepts:Encryption,Keymanagement,Datamasking


TechnicalConcepts:AuditingLineage

ClouderaManager ApacheSentry&RecordService

ClouderaNavigator NavigatorEncrypt&KeyTrustee


clusteritself


Networkisolation


Beyondtraditionalsecuritycontrols

Automateddiscoveryandtaggingofsensitivedata• Automaticallyscanforprotectedattributetypes• Automaticallyapplyauthorizationandencryptionpolicy

“Followthedata”authorizationandprotectionpolicies• Leveragelineagedatataggingenforceauthorizationandencryptionpolicy• Eliminatemanualconfigurationofsecurityforeachnewtableandcolumn

Adminsfocusedonexceptionhandlingduetoinsufficientaccess

CTD Enabling Secure Hadoop Environments -...

Documents

Transcript of CTD Enabling Secure Hadoop Environments -...