GraphConnect Europe 2016 - Securely Deploying Neo4j into AWS - Benjamin Nussbaum
Securely Deploy Neo4j in AWS - Welcome!
by Benjamin Nussbaum (@bennussbaum | [email protected])
Why is Security Important? - security incidents are on the rise and costly
• Nearly 40% YoY Increase
• Over 169M Records Exposed
• AVG Cost of $154 per Record
According to research done by PwC on the state of information security within enterprises, 2015 saw known security incidents increase by 38% from the year prior. http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey.html
3/5/16
According to ITRC Data Breach Reports over 169 million records were exposed in 2015, stemming from 781 publicized breaches across financial, business, education, government and healthcare. http://www.idtheftcenter.org/images/breach/DataBreachReports_2015.pdf
According to research done by IBM/Ponemon, the average global cost was $154 per lost or stolen record containing confidential or sensitive data. http://www-03.ibm.com/security/data-breach/
Why is Security Important? - the users of your software don't know
• Being Responsible: It's your responsibility to treat your users' data securely, because they don't really know any better; they likely assume you do, or take the ignorance-is-bliss approach.
Where does Security Start? - security is a culture and a frame of mind
• Personnel: To build and manage a secure software deployment you need a culture of security. Your team is your most important security asset. Build awareness of security on all fronts: Social, Personal and Technical.
Does Security Differ by Cloud? - security features vary greatly by cloud provider
• AWS
• Azure
AWS has a very robust security architecture that can be leveraged with granular control to achieve a solid technical security implementation.
Azure has some similar offerings with respect to network isolation and security groups, but there are some differences.
* Features change all the time, so check your cloud provider's documentation.
Getting More Technical - but not that much
• SSL in Flight
• Enable Neo4j on 7473 for https
Regardless of your cloud provider, always use SSL when routing data, even within your own network.
Neo4j gives you the option to serve https, which takes advantage of SSL.
How can I Deploy to AWS? - several options for rolling your own cloud deployment
• CloudFormation
• Manual or Package Install
• Docker on ECS
• Provision with Chef
Use the CloudFormation template: https://github.com/neo4j-contrib/ec2neo
Use the tarball and install manually, or use the Debian or Yum package manager to install.
Use Neo4j with Docker and deploy to Elastic Container Service.
Provision an EC2 instance using Chef: https://github.com/michaelklishin/neo4j-server-chef-cookbook
Security NOT Included
How Do I Make it Secure? - learning the language
• IAM
• MFA
• VPC
Identity and Access Management (IAM): Provides user- and group-level permissions for authentication and authorization control over AWS resources.
Multi-Factor Authentication (MFA): Requires users with access to the AWS console to supply an additional generated token in addition to their usual password when logging in.
Virtual Private Cloud (VPC): Enables AWS resources to be launched into a private network that is not publicly accessible and can only be reached when using a VPN client.
How Do I Make it Secure? - applying it to neo4j
• IAM
• MFA
• VPC
Identity and Access Management (IAM): This is where your operations team's users and groups are managed, determining who in the organization has access to Neo4j once authenticated on the VPN.
Multi-Factor Authentication (MFA): This is another layer of security for users within the organization, preventing access to privileged accounts that have access to Neo4j data resources.
Virtual Private Cloud (VPC): Deploy Neo4j in a VPC to restrict access to internal infrastructure and to authorized personnel with the correct VPN access.
How Do I Make it Secure? - gaining access
• VPN
• DirectConnect
OpenVPN can be used to authenticate a user for VPC access and costs as little as $9.60 per connection per year. This makes it affordable even for startups.
Direct Connect establishes a dedicated network connection from your premises (i.e. data center, office, etc.) to your VPC in AWS, which is a great option for enterprises introducing cloud into their architecture.
How Do I Make it Secure? - learning the language
• Security Group
• Network ACL
• S3 ACLs
A Security Group controls inbound and outbound traffic. Security groups operate at the instance level and support only allow rules.
Network Access Control List (ACL): Controls inbound and outbound traffic for one or more subnets. This is where your broad, sweeping port decisions are made for public versus private.
S3 Access Control Lists (ACLs): Define the accounts and groups with access, and the type of access, to a bucket or an object.
How Do I Make it Secure? - applying it to neo4j
• Security Group
• Network ACL
• S3 ACLs
A Security Group adds allow rules to the Neo4j instance for traffic in and out within the VPC.
Network Access Control List (ACL): Keep Neo4j ports private, for internal infrastructure use only.
S3 Access Control Lists (ACLs): Resources stored in S3 and referenced in Neo4j that an application would return for loading in a browser are managed here.
How Do I Make it Secure? - an example
• Neo4j Security Group
How Do I Make it Secure? - completely private
• NAT Routing: You can use a network address translation (NAT) instance in a public subnet of your VPC to enable instances in the private subnet to initiate outbound traffic to the Internet or other AWS services, while preventing those instances from receiving inbound traffic initiated by someone on the Internet.
How Does GraphGrid Do It? - bringing it all together
• There's A LOT to Know
• This Provided a Starting Point
Those are the security layers you get to work with in AWS. The reality is that there is a lot to know, and an organization has to think holistically about personnel and infrastructure as they relate to information security.
You now know what components you have to work with, some recommended practices, and how each connects to Neo4j. It's now a matter of learning how to configure those correctly together and establishing a security-minded culture.
How Does GraphGrid Do It?
Example deployment diagram, region US-WEST-2 (Oregon):
Virtual Private Cloud: 172.128.0.0/16
VPC Subnets, one per availability zone (US-WEST-2A, US-WEST-2B, US-WEST-2C): 172.128.1.0/26, 172.128.1.64/26, 172.128.1.128/25
Route table for each subnet: 172.128.0.0/16 -> Local; 0.0.0.0/0 -> Internet Gateway
Public IP Auto-assigned: Yes (all three subnets)
Instances:
• Neo1 - HN: neo1.graphgrid.com, PVT: 172.128.1.1, PUB: 54.16.129.21
• Neo2 - HN: neo2.graphgrid.com, PVT: 172.128.1.64, PUB: 54.16.132.12
• Neo3 - HN: neo3.graphgrid.com, PVT: 172.128.1.129, PUB: 54.16.4.196
Neo Security Group
INBOUND: ALLOW ALL 172.128.1.0/26; ALLOW ALL 172.128.1.64/26; ALLOW ALL 172.128.1.128/25
OUTBOUND: ALLOW ALL 0.0.0.0/0
Private DNS:
• neo1.graphgrid.com - 172.128.1.1
• neo2.graphgrid.com - 172.128.1.65
• neo3.graphgrid.com - 172.128.1.129
• neos.graphgrid.com - elb-slave-private
• neom.graphgrid.com - elb-master-private
• neoa.graphgrid.com - elb-available-private
EBS Data Volumes - Mounted, Encryption Optional
EBS Snapshots - Offline Backups, Online Restores
S3 Storage - Online Backups, Online Restores
ELB Endpoints - Master, Slave, Available; Added to all Subnets
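The security-group-versus-network-ACL distinction from the "learning the language" slide and the Neo Security Group from the GraphGrid diagram, as an added Python example that is not from the talk or from GraphGrid: the subnet CIDRs and the security group's allow rules are the diagram's; the network ACL rules, the 7474 port constant and the sample packets are constructed assumptions. It shows why an instance-level security group with allow-only rules still benefits from a subnet-level ACL that can explicitly deny.

```python
# Added example (not from the talk): models the diagram's "Neo Security Group"
# and a constructed network ACL in front of it, then evaluates inbound packets.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

NEO4J_HTTPS = 7473   # https port the talk says to enable
NEO4J_HTTP = 7474    # Neo4j's default plain-http port (assumed here for contrast)

# The three subnets from the GraphGrid diagram
VPC_SUBNETS = ["172.128.1.0/26", "172.128.1.64/26", "172.128.1.128/25"]


@dataclass(frozen=True)
class Packet:
    src: str        # source IP address
    dst_port: int   # destination port on the Neo4j instance


# Security group: allow rules only, default deny. Each rule is (source CIDR,
# port range); the slide's rules are "ALLOW ALL" from each VPC subnet.
NEO_SG_INBOUND = [(cidr, (0, 65535)) for cidr in VPC_SUBNETS]


def sg_allows(pkt: Packet, rules=NEO_SG_INBOUND) -> bool:
    """A security group admits a packet if any allow rule matches; it cannot deny."""
    src = ip_address(pkt.src)
    return any(src in ip_network(cidr) and lo <= pkt.dst_port <= hi
               for cidr, (lo, hi) in rules)


# Network ACL (constructed): numbered rules, lowest number first, first match
# wins, explicit deny possible, implicit deny if nothing matches. Built to
# follow the talk's advice of keeping Neo4j ports private: plain http is denied
# even inside the VPC, https only from VPC addresses.
PRIVATE_NACL_INBOUND = [
    (100, "deny",  "0.0.0.0/0",      (NEO4J_HTTP, NEO4J_HTTP)),
    (110, "allow", "172.128.0.0/16", (NEO4J_HTTPS, NEO4J_HTTPS)),
    (120, "allow", "172.128.0.0/16", (1024, 65535)),   # return traffic inside VPC
]


def nacl_allows(pkt: Packet, rules=PRIVATE_NACL_INBOUND) -> bool:
    src = ip_address(pkt.src)
    for _num, action, cidr, (lo, hi) in sorted(rules, key=lambda r: r[0]):
        if src in ip_network(cidr) and lo <= pkt.dst_port <= hi:
            return action == "allow"
    return False   # catch-all rule: implicit deny


def reaches_neo4j(pkt: Packet) -> bool:
    """Inbound traffic passes the subnet's ACL first, then the instance's security group."""
    return nacl_allows(pkt) and sg_allows(pkt)
```

A peer in 172.128.1.64/26 reaches https on 7473, but its request to plain http on 7474 is stopped by the ACL even though the security group would allow it; a host elsewhere in the VPC passes the ACL yet is stopped by the security group.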
How Can GraphGrid Help Me? - leverage a secure foundation
• Let GraphGrid Do It
• We've Already Put It All Together
GraphGrid provides all this security and more right out of the box, and we have external Infosec partners validate it.
So if you prefer not to undertake this challenge on your own, we've got you covered. We securely deploy and fully manage Neo4j in AWS.
Securely Deploy Neo4j in AWS - Thank You!
by Benjamin Nussbaum (@bennussbaum | [email protected])