GraphConnect Europe 2016 - Securely Deploying Neo4j into AWS - Benjamin Nussbaum


Transcript of GraphConnect Europe 2016 - Securely Deploying Neo4j into AWS - Benjamin Nussbaum

Page 1: GraphConnect Europe 2016 - Securely Deploying Neo4j into AWS - Benjamin Nussbaum


Securely Deploy Neo4j in AWS: Welcome!

by Benjamin Nussbaum, @bennussbaum | [email protected]


Page 2: GraphConnect Europe 2016 - Securely Deploying Neo4j into AWS - Benjamin Nussbaum


Why is Security Important? Security incidents are on the rise and costly.

• Nearly 40% YoY Increase
• Over 169M Records Exposed
• AVG Cost of $154 per Record

According to research done by PwC on the state of information security within enterprises, 2015 saw known security incidents increase by 38% from the year prior. http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey.html

3/5/16

According to ITRC Data Breach Reports over 169 million records were exposed in 2015, stemming from 781 publicized breaches across financial, business, education, government and healthcare. http://www.idtheftcenter.org/images/breach/DataBreachReports_2015.pdf

According to research done by IBM/Ponemon, the average global cost was $154 per lost or stolen record containing confidential or sensitive data. http://www-03.ibm.com/security/data-breach/

Page 3: GraphConnect Europe 2016 - Securely Deploying Neo4j into AWS - Benjamin Nussbaum


Why is Security Important? The users of your software don’t know.

• Being Responsible: It’s your responsibility to treat your users’ data securely, because they don’t really know any better; they likely assume you do, or take the ignorance-is-bliss approach.


Page 4: GraphConnect Europe 2016 - Securely Deploying Neo4j into AWS - Benjamin Nussbaum


Where does Security Start? Security is a culture and a frame of mind.

• Personnel: To build and manage a secure software deployment you need a culture of security. Your team is your most important security asset. Build awareness of security on all fronts: Social, Personal and Technical.


Page 5: GraphConnect Europe 2016 - Securely Deploying Neo4j into AWS - Benjamin Nussbaum


Does Security Differ by Cloud? Security features vary greatly by cloud provider.

• AWS
• Azure

AWS has a very robust security architecture that can be leveraged with granular control to achieve a solid technical security implementation.

Azure has some similar offerings w.r.t network isolation and security groups, but there are some differences.

Note: Features change all the time, so check your cloud provider's documentation.


Page 6: GraphConnect Europe 2016 - Securely Deploying Neo4j into AWS - Benjamin Nussbaum


Getting More Technical, but not that much.

• SSL in Flight
• Enable Neo4j on 7473 for https

Regardless of your cloud provider, always use SSL when routing data, even within your network.

Neo4j gives you the option to configure https usage, which will take advantage of SSL.


Page 7: GraphConnect Europe 2016 - Securely Deploying Neo4j into AWS - Benjamin Nussbaum


How can I Deploy to AWS? Several options for rolling your own cloud deployment.

• CloudFormation
• Manual or Package Install
• Docker on ECS
• Provision with Chef

Use the CloudFormation template: https://github.com/neo4j-contrib/ec2neo

Use the tarball and install manually, or install with the Debian or Yum package manager.

Use Neo4j with Docker and deploy to the Elastic Container Service.

Provision an EC2 instance using Chef: https://github.com/michaelklishin/neo4j-server-chef-cookbook

Security NOT Included

Page 8: GraphConnect Europe 2016 - Securely Deploying Neo4j into AWS - Benjamin Nussbaum


How Do I Make it Secure? Learning the language.

• IAM
• MFA
• VPC

Identity and Access Management (IAM): Provides user and group level permissions for authentication and authorization control to AWS resources.

Multi-Factor Authentication (MFA): Requires users with access to the AWS console to present an additional generated token, in addition to their usual password, when logging in.

Virtual Private Cloud (VPC): Lets AWS resources be launched into a private network that is not publicly accessible and can be reached only through a VPN client.


Page 9: GraphConnect Europe 2016 - Securely Deploying Neo4j into AWS - Benjamin Nussbaum


How Do I Make it Secure? Applying it to Neo4j.

• IAM
• MFA
• VPC

Identity and Access Management (IAM): This is where your operations team's users and groups are managed, controlling who within the organization has access to Neo4j once authenticated on the VPN.

Multi-Factor Authentication (MFA): This is another layer of security for users within the organization to prevent access to privileged accounts that have access to Neo4j data resources.

Virtual Private Cloud (VPC): Deploy Neo4j in a VPC to restrict access to internal infrastructure and authorized personnel with the correct VPN access.


Page 10: GraphConnect Europe 2016 - Securely Deploying Neo4j into AWS - Benjamin Nussbaum


How Do I Make it Secure? Gaining access.

• VPN
• DirectConnect

OpenVPN can be used to authenticate a user for VPC access and costs as little as $9.60 per connection per year. This makes it quite affordable, even for startups.

Direct Connect establishes a dedicated network connection from your premises (i.e. data center, office, etc.) to your VPC in AWS, which is a great option for enterprises introducing cloud into their architecture.


Page 11: GraphConnect Europe 2016 - Securely Deploying Neo4j into AWS - Benjamin Nussbaum


How Do I Make it Secure? Learning the language.

• Security Group
• Network ACL
• S3 ACLs

A Security Group controls inbound and outbound traffic. Security Groups operate at the instance level and support only allow rules (there are no deny rules; anything not explicitly allowed is blocked).

Network Access Control List (ACL): Controls inbound and outbound traffic for one or more subnets. This is where your broad, sweeping port decisions are made for public versus private.

S3 Access Control Lists (ACLs): Define the accounts and groups with access and the type of access to a bucket or an object.


Page 12: GraphConnect Europe 2016 - Securely Deploying Neo4j into AWS - Benjamin Nussbaum


How Do I Make it Secure? Applying it to Neo4j.

• Security Group
• Network ACL
• S3 ACLs

A Security Group adds additional allow rules to the Neo4j instance for traffic in/out within the VPC.

Network Access Control List (ACL): Keep the Neo4j ports private so they are reachable only from internal infrastructure.

S3 Access Control Lists (ACLs): Resources stored in S3 and referenced from Neo4j that an application returns for loading in a browser would be managed here.


Page 13: GraphConnect Europe 2016 - Securely Deploying Neo4j into AWS - Benjamin Nussbaum


How Do I Make it Secure? An example.

• Neo4j Security Group


Page 14: GraphConnect Europe 2016 - Securely Deploying Neo4j into AWS - Benjamin Nussbaum


How Do I Make it Secure? Completely private.

• NAT Routing: You can use a network address translation (NAT) instance in a public subnet in your VPC to enable instances in the private subnet to initiate outbound traffic to the Internet or other AWS services, but prevent the instances from receiving inbound traffic initiated by someone on the Internet.
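Whether a subnet is actually private in this sense is decided by its route table, so here is an added example (not GraphGrid's own code) that classifies subnets from route-table data: a default route to an Internet Gateway makes a subnet public, while a default route through a NAT instance or NAT gateway keeps it private as described above. Both route tables are constructed: the first mirrors the one drawn on the GraphGrid architecture slide later in this deck (0.0.0.0/0 via the Internet Gateway), the second sends 0.0.0.0/0 through a placeholder NAT instance; the subnet and resource IDs are placeholders.

```python
"""Classify VPC subnets as public, private-behind-NAT or isolated from their
route tables.  Objects follow the shape of `aws ec2 describe-route-tables
--output json`; the samples below are constructed for this example."""

# Constructed: the route table drawn on the architecture slide, shared by the three Neo subnets.
SLIDE_RT = {
    "RouteTableId": "rtb-PLACEHOLDER1",
    "Associations": [{"SubnetId": "subnet-neo-a"}, {"SubnetId": "subnet-neo-b"},
                     {"SubnetId": "subnet-neo-c"}],
    "Routes": [
        {"DestinationCidrBlock": "172.128.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-PLACEHOLDER"},
    ],
}

# Constructed: a private subnet whose default route goes through a NAT instance instead.
NAT_RT = {
    "RouteTableId": "rtb-PLACEHOLDER2",
    "Associations": [{"Main": True}, {"SubnetId": "subnet-neo-private"}],
    "Routes": [
        {"DestinationCidrBlock": "172.128.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-NATPLACEHOLDER"},
    ],
}


def default_route_target(rt):
    """Return the target of the 0.0.0.0/0 route, or None if there is no default route."""
    for route in rt["Routes"]:
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            # A route names exactly one target; these are the fields AWS uses for
            # Internet Gateways, NAT Gateways, NAT instances and their ENIs.
            for key in ("GatewayId", "NatGatewayId", "InstanceId", "NetworkInterfaceId"):
                if key in route:
                    return route[key]
    return None


def classify_subnets(route_tables):
    """Map each explicitly associated subnet to 'public' (default route via an
    Internet Gateway, whose IDs start with 'igw-'), 'private-nat' (default route
    via any other target, i.e. a NAT instance or gateway) or 'isolated'."""
    result = {}
    for rt in route_tables:
        target = default_route_target(rt)
        kind = "isolated" if target is None else "public" if target.startswith("igw-") else "private-nat"
        for assoc in rt["Associations"]:
            if "SubnetId" in assoc:  # the main-table association carries no SubnetId
                result[assoc["SubnetId"]] = kind
    return result
```

Instances in the three slide subnets come out as public, which matches the "Public IP Auto-assigned: Yes" on that slide; the placeholder NAT subnet is the "completely private" case.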


Page 15: GraphConnect Europe 2016 - Securely Deploying Neo4j into AWS - Benjamin Nussbaum


How Do I Make it Secure? Completely private.

• NAT Routing


Page 16: GraphConnect Europe 2016 - Securely Deploying Neo4j into AWS - Benjamin Nussbaum


How Does GraphGrid Do It? Bringing it all together.

• There’s A LOT to Know
• This Provided a Starting Point

Those are the security layers you get to work with in AWS. The reality is that there is just a lot to know, and an organization has to think holistically about personnel and infrastructure as they relate to information security.

You now know what components you have to work with, some recommended practices, and the connection point to Neo4j. It’s now a matter of learning how to configure those correctly together and establishing a security-minded culture.


Page 17: GraphConnect Europe 2016 - Securely Deploying Neo4j into AWS - Benjamin Nussbaum


How Does GraphGrid Do It?

Architecture diagram: US-WEST-2 (Oregon), Virtual Private Cloud 172.128.0.0/16, Internet Gateway attached.

• Three VPC subnets, one per availability zone (US-WEST-2A, US-WEST-2B, US-WEST-2C): 172.128.1.0/26, 172.128.1.64/26 and 172.128.1.128/25
• Route table of each subnet: 172.128.0.0/16 → Local; 0.0.0.0/0 → Internet Gateway; Public IP Auto-assigned: Yes
• Instances:
  - Neo1: HN neo1.graphgrid.com, PVT 172.128.1.1, PUB 54.16.129.21
  - Neo2: HN neo2.graphgrid.com, PVT 172.128.1.64, PUB 54.16.132.12
  - Neo3: HN neo3.graphgrid.com, PVT 172.128.1.129, PUB 54.16.4.196
• Neo Security Group
  - INBOUND: ALLOW ALL from 172.128.1.0/26, 172.128.1.64/26 and 172.128.1.128/25
  - OUTBOUND: ALLOW ALL to 0.0.0.0/0
• Private DNS:
  - neo1.graphgrid.com - 172.128.1.1
  - neo2.graphgrid.com - 172.128.1.65
  - neo3.graphgrid.com - 172.128.1.129
  - neos.graphgrid.com - elb-slave-private
  - neom.graphgrid.com - elb-master-private
  - neoa.graphgrid.com - elb-available-private
• EBS Data Volumes: mounted, encryption optional
• EBS Snapshots: offline backups, online restores
• S3 Storage: online backups, online restores
• ELB Endpoints: Master, Slave, Available; added to all subnets
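The Neo Security Group above, together with the Security Group and Network ACL slides earlier, boils down to one rule: inbound sources for the Neo4j instances must lie inside the VPC. Here is an added example (not GraphGrid's own code) that audits security groups against that rule; the group objects follow the shape returned by `aws ec2 describe-security-groups --output json`, and both groups are constructed: the first reproduces the slide's rules, the second is a hypothetical misconfiguration that exposes the Neo4j HTTPS (7473) and HTTP (7474) ports to the whole Internet.

```python
"""Flag security-group inbound rules whose source is not inside the VPC
(172.128.0.0/16 on the GraphGrid slide).  Sample groups are constructed."""
import ipaddress

VPC_CIDR = ipaddress.ip_network("172.128.0.0/16")  # VPC CIDR from the slide

# Constructed: the slide's "Neo Security Group", all traffic but only from the three subnets.
NEO_SG = {
    "GroupName": "neo",
    "IpPermissions": [{
        "IpProtocol": "-1",  # -1 means every protocol and port
        "IpRanges": [{"CidrIp": "172.128.1.0/26"},
                     {"CidrIp": "172.128.1.64/26"},
                     {"CidrIp": "172.128.1.128/25"}],
    }],
}

# Constructed: a hypothetical group that opens Neo4j's 7473/7474 to 0.0.0.0/0.
LEAKY_SG = {
    "GroupName": "neo-dev",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 7473, "ToPort": 7474,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "172.128.0.0/16"}]},
    ],
}


def port_label(perm):
    """Describe one permission's port range, 'all' for protocol -1."""
    if perm["IpProtocol"] == "-1":
        return "all"
    return f'{perm["IpProtocol"]}/{perm["FromPort"]}-{perm["ToPort"]}'


def audit_inbound(sg, vpc_cidr=VPC_CIDR):
    """Return (group, ports, source) for each IPv4 inbound source that is not
    contained in the VPC; an empty list means the group matches the slide's
    policy.  Ipv6Ranges entries are not examined by this example."""
    findings = []
    for perm in sg["IpPermissions"]:
        for rng in perm.get("IpRanges", []):
            src = ipaddress.ip_network(rng["CidrIp"])
            if not src.subnet_of(vpc_cidr):  # 0.0.0.0/0 and any external range fail here
                findings.append((sg["GroupName"], port_label(perm), rng["CidrIp"]))
    return findings
```

Run `audit_inbound` over every group returned by the CLI; a NACL that keeps the Neo4j ports private for the subnet is still needed, since a security group alone only filters at the instance level.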

Page 18: GraphConnect Europe 2016 - Securely Deploying Neo4j into AWS - Benjamin Nussbaum


How Can GraphGrid Help Me? Leverage a secure foundation.

• Let GraphGrid Do It
• We’ve Already Put It All Together

GraphGrid provides all this security and more right out of the box, and we have external Infosec partners validate it.

So if you prefer to not undertake this challenge on your own, we’ve got you covered. We securely deploy and fully manage Neo4j in AWS.


Page 19: GraphConnect Europe 2016 - Securely Deploying Neo4j into AWS - Benjamin Nussbaum


Securely Deploy Neo4j in AWS: Thank You!

by Benjamin Nussbaum, @bennussbaum | [email protected]
