The Promise and Perils of Encrypting Cassandra Data (Ameesh Divatia, Baffle, Inc.) | C* Summit 2016
Transcript of The Promise and Perils of Encrypting Cassandra Data (Ameesh Divatia, Baffle, Inc.) | C* Summit 2016
Ameesh DivatiaThe Promise and Perils of Encrypting Cassandra Data
Confidential & Proprietary 2
ENTERPRISE IT DOMAIN(ON-PREMISE OR CLOUD)
CLOUD SERVICEPROVIDER DOMAIN
SQL APP
DATA DISK DB SERVER
CLOUD ADMIN
DB QUERY
THREAT & CHALLENGES
Perils of Cloud Hosted DatabasesCloud hosted database services being adopted by enterprise IT§ Where is the data stored?
Threats§ Stolen cloud administrator credentials
§ Violations of compliance regulations
Need§ Complete control of data by enterprise IT at all times
§ Encrypt all data that is uploaded to the cloud
How does enterprise IT deal with this?
Confidential & Proprietary 3
APP
CQL QUERY
COMMIT LOG SSTABLE
MEMORY
DISK
MEMTABLE
C*
FLUSH
INDEX TDE ENCRYPTION
WRITE DATA
Cassandra Security
Confidential & Proprietary 4
Use Case – Apache Cassandra§ Raw customer data stored in multi-tenant
clusters as clear text
§ Encryption available as an option only at rest
Vulnerabilities§ Data in memory is in the clear
§ Encryption key is in the clear in memory risking the entire data store
OLTP DOMAIN
SQL APP
DB QUERY
DB SERVER ADMIN ENCRYPTED DATA
KEYS
DATA DISK DB SERVER
DB SERVER ADMINENCRYPTED DATA
KEYS
ENCRYPT {}
DECRYPT {}
Anatomy of a Hack
Confidential & Proprietary 5
Threat Scenario§ Database admin has access to data and
keys used for ‘at rest’ security
OLTP DOMAIN
SQL APP
DB QUERY
DB SERVER ADMIN ENCRYPTED DATA
KEYS
DATA DISK DB SERVER
DB SERVER ADMINENCRYPTED DATA
KEYS
ENCRYPT {}
DECRYPT {}
Vulnerabilities§ Administrator’s credentials are stolen by a hacker
§ Hacker has access to the data as well as the key
Need§ Separation of keys and data into separate domains
§ Never decrypting data in a single compute instance
§ Operate on encrypted data
X
APP
X
KEY STORE ADMIN ENCRYPTED DATA
KEYSX
Encryption Adoption Challenges
Complexity: Perception that once the data is
encrypted, the customer loses control
Key management: What if the keys are lost, stolen or
stagnant?
Confidential & Proprietary 6
Encryption Adoption Challenges
Performance degradation: Perception that
application performance will slow down
Workflow impact: Changes the current
paradigm of app to database communication
Confidential & Proprietary 7
APP
CASSANDRA CLUSTERPER CUSTOMER
APP VPC
CASSANDRA VPC
ENCRYPTED CQL DATA REQUEST
CLEAR CQLDATA REQUEST
C*
PROTECTING IN-MEMORY & AT-REST CASSANDRA CLUSTER
DRIVER LEVEL PROXY
KMS
C*
C* C*
A Practical ApproachDriver level insertion for data protection
§ Transparent application operation
Seamless key management withAmazon KMS
§ Generate, use, store, rotate and retire keys
Performance at scale using massive parallelization
§ Elastic load balancing in response to demand
Frictionless integration into enterprise application workflows
§ Active monitoring of service components toensure high availability and failover
Confidential & Proprietary 8
Selective Privacy Example
Confidential & Proprietary 9
C* C*
APPTHREAT
THREATCQL INTERPRETER / API
EXISTINGCASSANDRA DATABASE
1 Optional – when disk encryption is used, the
key and data co-resident on media
making it very vulnerable to breaches
DISK ENCRYPTION1
BEFORE
CASSANDRANATIVE CALLS
DATA TABLE
APP
SECURE CASSANDRA
CQL / API
SECURE CASSANDRA
CASSANDRANATIVE CALLS
DATA TABLE
Secure Cassandra – Before and After
Confidential & Proprietary 10
Data In Use(Application)
Data In Use(Cassandra Memory)
Data At Rest(Cassandra DB)
SECU
RED
BY B
AFFL
EN
ON
E
Driver Modifications
Added couple of pipeline stages for encryption / decryption in the java driver
Connection.java
pipeline.addLast("messageDecryptor", new MessageDecryptor(transformDB));
pipeline.addLast("messageEncryptor", new MessageEncryptor.Encryptor(transformDB));
Confidential & Proprietary 11
Tiers of SecurityPARAMETER STOCK CASSANDRA SECURE CASSANDRA
PROTECTION
Data on disk Encrypted Encrypted
Data in Cassandra server memory Clear Encrypted
Data in App memory Clear Clear
Vulnerability No data Protection (App, DB Server, Disk)
Data Protection below CQL Interface(DB Server & Disk)
IMPACT
Driver Unchanged Added pipeline stages
DB Binaries Unchanged Add support for custom types
OPERATIONS ON ENCRYPTED DATA None Search, Sort, Aggregate
Confidential & Proprietary 12
Cassandra Modifications
Added custom types for encrypted values with serializers/ deserializers
Added custom functions for operations such as compares and aggregates on the encrypted values
Custom Integer Type:Db/marshal/EncIntType.javapublic class EncIntType extends AbstractType<BlindInt>{
public static final EncIntType instance = new EncIntType();private EncIntType(){
super(ComparisonType.CUSTOM);}
…}public synchronized int compareCustom(ByteBuffer o1, ByteBuffer o2){
Confidential & Proprietary 13
Conclusion
Cloud hosted databases have perils for stored data
Practical approach to protecting Cassandra data
§ Driver level modifications to enable encryption
§ Support custom types and functions for encrypted operations
The promise of keeping data encrypted…always! is attainable
§ No threats to availability
§ No impact on stability
§ Minimal impact on performance
Confidential & Proprietary 14
Make data breaches irrelevant
www.baffle.io
Thank You
baff el