Why do data breaches occur even though we protect data at rest and in flight? What if the Cassandra admin's credentials get compromised? Why is it so hard to make encryption work for real world applications? If I encrypt my customer's data, do I have to turn it over when the authorities come calling? The answer may be in keeping data encrypted. . .always, let the customer own the keys and make data breaches irrelevant.
In this talk, Ameesh Divatia, Co-founder at Baffle.io, will talk about a way to encrypt individual fields in a Cassandra database while continuing to let them be available for CQL access. From deterministic to random algorithms, key management and integration into DataStax drivers, this talk will introduce attendees to the steps to follow in order to protect an existing Cassandra database with field-level granularity ensuring protection against data breaches.
About the Speaker
Ameesh Divatia President & CEO, Baffle, Inc.
Ameesh is a serial entrepreneur with over 25 years of operating experience in storage, security and networking infrastructure. He specializes in conceiving and implementing startup business plans that create new product categories by leveraging innovation in existing markets to its adjacencies. He co-founded Baffle in May 2015 to address the challenge of preventing data breaches in cloud infrastructure.
3. ENTERPRISE IT DOMAIN
(ON-PREMISE OR CLOUD)
CLOUD SERVICE
PROVIDER DOMAIN
SQL APP
DATA DISK DB SERVER
CLOUD ADMIN
DB QUERY
THREAT & CHALLENGES
Perils of Cloud Hosted Databases
Cloud hosted database services being
adopted by enterprise IT
§ Where is the data stored?
Threats
§ Stolen cloud administrator credentials
§ Violations of compliance regulations
Need
§ Complete control ofdataby enterprise ITatall times
§ Encrypt all data that is uploaded to the cloud
How does enterprise IT deal with this?
Confidential & Proprietary 3
4. APP
CQL QUERY
COMMIT LOG SSTABLE
MEMORY
DISK
MEMTABLE
C*
FLUSH
INDEX TDE ENCRYPTION
WRITE DATA
Cassandra Security
Confidential & Proprietary 4
Use Case – Apache Cassandra
§ Raw customer data stored in multi-tenant
clusters as clear text
§ Encryption available as an option only at
rest
Vulnerabilities
§ Data in memory is in the clear
§ Encryption key is in the clear in memory
risking the entire data store
5. OLTP DOMAIN
SQL APP
DB QUERY
DB SERVER ADMIN
ENCRYPTED DATA
KEYS
DATA DISK DB SERVER
DB SERVER ADMIN
ENCRYPTED DATA
KEYS
ENCRYPT {}
DECRYPT {}
Anatomy of a Hack
Confidential & Proprietary 5
Threat Scenario
§ Database admin has access to data and
keys used for ‘at rest’ security
OLTP DOMAIN
SQL APP
DB QUERY
DB SERVER ADMIN
ENCRYPTED DATA
KEYS
DATA DISK DB SERVER
DB SERVER ADMIN
ENCRYPTED DATA
KEYS
ENCRYPT {}
DECRYPT {}
Vulnerabilities
§ Administrator’s credentials are stolen by a hacker
§ Hacker has access to the data as well as the key
Need
§ Separation of keys and data into separate domains
§ Never decryptingdataina single compute instance
§ Operate on encrypted data
X
APP
X
KEY STORE ADMIN
ENCRYPTED DATA
KEYS
X
6. Encryption Adoption Challenges
Complexity: Perception that once the data is
encrypted, the customer loses control
Key management: What if the keys are lost, stolen or
stagnant?
Confidential & Proprietary 6
7. Encryption Adoption Challenges
Performance degradation: Perception that
application performance will slow down
Workflow impact: Changes the current
paradigm of app to database communication
Confidential & Proprietary 7
8. APP
CASSANDRA CLUSTER
PER CUSTOMER
APP VPC
CASSANDRA VPC
ENCRYPTED CQL DATA REQUEST
CLEAR CQL
DATA REQUEST
C*
PROTECTING IN-MEMORY & AT-REST CASSANDRA CLUSTER
DRIVER LEVEL PROXY
KMS
C*
C* C*
A Practical Approach
Driver level insertion for data protection
§ Transparent application operation
Seamless key management with
Amazon KMS
§ Generate, use, store, rotate and retire keys
Performance at scale using massive
parallelization
§ Elastic load balancing in response to demand
Frictionless integration into enterprise
application workflows
§ Active monitoring of service components to
ensure high availability and failover
Confidential & Proprietary 8
10. C* C*
APPTHREAT
THREAT
CQL INTERPRETER / API
EXISTING
CASSANDRA DATABASE
1 Optional – when disk
encryption is used, the
key and data
co-resident on media
making it very
vulnerable to breaches
DISK ENCRYPTION1
BEFORE
CASSANDRA
NATIVE CALLS
DATA TABLE
APP
SECURE CASSANDRA
CQL / API
SECURE CASSANDRA
CASSANDRA
NATIVE CALLS
DATA TABLE
Secure Cassandra – Before and After
Confidential & Proprietary 10
Data In Use
(Application)
Data In Use
(Cassandra Memory)
Data At Rest
(Cassandra DB)
SECUREDBYBAFFLENONE
11. Driver Modifications
Added couple of pipeline stages for encryption / decryption in the java driver
Connection.java
pipeline.addLast("messageDecryptor", new MessageDecryptor(transformDB));
pipeline.addLast("messageEncryptor", new MessageEncryptor.Encryptor(transformDB));
Confidential & Proprietary 11
12. Tiers of Security
PARAMETER STOCK CASSANDRA SECURE CASSANDRA
PROTECTION
Data on disk Encrypted Encrypted
Data in Cassandra server memory Clear Encrypted
Data in App memory Clear Clear
Vulnerability
No data Protection
(App, DB Server, Disk)
Data Protection below CQL Interface
(DB Server & Disk)
IMPACT
Driver Unchanged Added pipeline stages
DB Binaries Unchanged Add support for custom types
OPERATIONS ON ENCRYPTED DATA None Search, Sort, Aggregate
Confidential & Proprietary 12
13. Cassandra Modifications
Added custom types for encrypted values with serializers/ deserializers
Added custom functions for operations such as compares and aggregates on
the encrypted values
Custom Integer Type:
Db/marshal/EncIntType.java
public class EncIntType extends AbstractType<BlindInt>
{
public static final EncIntType instance = new EncIntType();
private EncIntType()
{
super(ComparisonType.CUSTOM);
}
…
}
public synchronized int compareCustom(ByteBuffer o1, ByteBuffer o2)
{
Confidential & Proprietary 13
14. Conclusion
Cloud hosted databases have perils for stored data
Practical approach to protecting Cassandra data
§ Driver level modifications to enable encryption
§ Support custom types and functions for encrypted operations
The promise of keeping data encrypted…always! is attainable
§ No threats to availability
§ No impact on stability
§ Minimal impact on performance
Confidential & Proprietary 14