Securely explore your data

ENCRYPTION AND SECURITY IN ACCUMULO
Michael Allen
Security Architect
Sqrrl Data, Inc.
michael@sqrrl.com
ISN’T ACCUMULO ALREADY SECURE?
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential

I MEAN, THESE SMART GALS AND GUYS MADE IT…
(Undisclosed location)
Source: wikipedia.org. Public domain
CELL-LEVEL SECURITY

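Cell-level security means every Accumulo key carries a column visibility expression and a scan returns a cell only when the scanner's authorizations satisfy it. The following is an added example, not code from the talk and not Accumulo's own ColumnVisibility or VisibilityEvaluator classes: a stand-alone re-implementation of the visibility grammar (unquoted or quoted tokens, & and |, parentheses, no mixing of & and | at one level, empty expression means visible to all) together with the two checks a scan performs, namely that the scanner may request only authorizations its user holds and that each cell is then filtered against the requested set. The Visibility and scan names and the CELLS rows are constructed for the illustration.

```python
# Characters allowed in an unquoted authorization token (Accumulo's visibility grammar).
TOKEN_CHARS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-:./")


class VisibilityParseError(ValueError):
    pass


class Visibility:
    """Parsed column visibility.  expr := term | term ('&' term)+ | term ('|' term)+
    term := token | '(' expr ')'.  '&' and '|' cannot be mixed at one level unparenthesised."""

    def __init__(self, text):
        self.text, self.pos = text, 0
        self.tree = ("all",) if text == "" else self._expr()   # empty: visible to everyone
        if self.pos != len(text):
            raise VisibilityParseError("unexpected %r in %r" % (self.peek(), text))

    def peek(self):
        return self.text[self.pos] if self.pos < len(self.text) else ""

    def _expr(self):
        terms, op = [self._term()], None
        while self.peek() in ("&", "|"):
            c = self.peek()
            if op is not None and c != op:
                raise VisibilityParseError("& and | mixed without parentheses in %r" % self.text)
            op, self.pos = c, self.pos + 1
            terms.append(self._term())
        return terms[0] if op is None else ("and" if op == "&" else "or", terms)

    def _term(self):
        c = self.peek()
        if c == "(":
            self.pos += 1
            node = self._expr()
            if self.peek() != ")":
                raise VisibilityParseError("missing ')' in %r" % self.text)
            self.pos += 1
            return node
        if c == '"':
            return ("auth", self._quoted())
        start = self.pos
        while self.peek() and self.peek() in TOKEN_CHARS:
            self.pos += 1
        if start == self.pos:
            raise VisibilityParseError("expected authorization at %d in %r" % (self.pos, self.text))
        return ("auth", self.text[start:self.pos])

    def _quoted(self):
        self.pos += 1                                  # skip the opening quote
        out = []
        while True:
            c = self.peek()
            if c == "":
                raise VisibilityParseError("unterminated quote in %r" % self.text)
            self.pos += 1
            if c == '"':
                return "".join(out)
            if c == "\\":                              # only \" and \\ are legal escapes
                c = self.peek()
                if c not in ('"', "\\"):
                    raise VisibilityParseError("bad escape in %r" % self.text)
                self.pos += 1
            out.append(c)

    def evaluate(self, auths, node=None):
        """True if the authorization set satisfies the expression."""
        node = self.tree if node is None else node
        if node[0] == "all":
            return True
        if node[0] == "auth":
            return node[1] in auths
        if node[0] == "and":
            return all(self.evaluate(auths, t) for t in node[1])
        return any(self.evaluate(auths, t) for t in node[1])


def scan(cells, scanner_auths, user_auths):
    """Filter cells as a scan does: the scanner may request only authorizations its user
    holds (else the scan is refused), then each cell's expression is evaluated against
    the requested set and non-matching cells are never returned."""
    extra = set(scanner_auths) - set(user_auths)
    if extra:
        raise PermissionError("user does not hold authorizations %s" % sorted(extra))
    requested = set(scanner_auths)
    return [(row, value) for row, vis, value in cells if Visibility(vis).evaluate(requested)]


# Constructed sample cells (row, column visibility, value); not real data.
CELLS = [
    ("doc1", "", "public note"),
    ("doc2", "admin", "ops only"),
    ("doc3", "admin|audit", "admin or audit"),
    ("doc4", "(admin|audit)&pii", "pii plus admin or audit"),
    ("doc5", '"group:eu-analysts"&pii', "quoted token"),
]
```

Calling scan(CELLS, ["audit", "pii"], ["admin", "audit", "pii"]) returns doc1, doc3 and doc4 only: doc2 needs admin, which was not requested even though the user holds it, and doc5 needs the quoted group token. Requesting an authorization the user does not hold is refused before any cell is examined, which is the behaviour that keeps a client from escalating by simply asking for more.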
WHAT’S THE THREAT?

A TYPICAL DEPLOYMENT
(…ignoring master nodes, name nodes, garbage collectors, other ephemera…)

A TYPICAL CAST

THREATS INSIDE AND OUT

WHO CAN WE PUSH OUT?

HOW?

ENCRYPTION

IN MOTION AND AT REST

IT’S NOT…
Source: http://bit.ly/HqScSr. Creative Commons, Attribution.

FUNDAMENTAL QUESTIONS
What are you encrypting?
How are you encrypting it?
How are you protecting the key?

ACCUMULO 1.6
SSL for Accumulo clients
Encrypting data within HDFS

SSL AND ACCUMULO
ACCUMULO-1009
Patch that adds configuring and using SSL certificates

MAKE YOUR CERTS

CONFIGURE YOUR SERVERS

DISTRIBUTE YOUR CERTS

DISTRIBUTE YOUR ROOTS

ENJOY YOUR SSL

ENCRYPTION AT REST
ACCUMULO-998
Patch that adds encryption for RFiles and the write-ahead log (WAL)

ENCRYPTION AT REST
Uses the Java Cryptography Extension (JCE) as the encryption interface and engine
(Guess what? It’s pluggable.)

BEHIND THE SCENES

WHERE DOES THAT KEY GO?

PLUGGABLE STRATEGY
• Java class that mediates access to the key-encryption key (KEK)
• Encrypts and decrypts per-file keys
• Passes back to callers an opaque ID identifying the KEK used for the encryption
• Callers should store the opaque ID along with the encrypted key

CONFIGURATION OPTIONS

crypto.module.class
  “Usual” value: org.apache.accumulo.core.security.crypto.DefaultCryptoModule
  Meaning: the class that creates encrypting and decrypting data streams

crypto.cipher.suite
  “Usual” value: AES/CFB/PKCS5Padding
  Meaning: encryption algorithm spec (a JCE transformation string)

crypto.cipher.key.length
  “Usual” value: 128
  Meaning: key length in bits

crypto.secret.key.encryption.strategy.class
  “Usual” value: org.apache.accumulo.core.security.crypto.DefaultSecretKeyEncryptionStrategy
  Meaning: the class that mediates access to the KEK

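The pluggable-strategy bullets and the properties above describe an envelope scheme: a random key per file, wrapped under a key-encryption key, with an opaque KEK identifier stored in the file beside the wrapped key so the right KEK can be found again after a rotation. The following is an added example of that pattern, not Accumulo's DefaultSecretKeyEncryptionStrategy or DefaultCryptoModule and not code from the talk. The KeyRing class, the header layout and the "kek-N" identifiers are assumptions made for the illustration; the seal/open_ routines are an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, used only so the example runs on the Python standard library, and stand in for the JCE AES cipher that crypto.cipher.suite selects in a real deployment.

```python
import hashlib
import hmac
import os
import struct


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode; stand-in for the JCE AES cipher (illustration only)."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def seal(key, plaintext):
    """Return nonce || ciphertext || tag (encrypt-then-MAC; the tag covers nonce and ciphertext)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()


def open_(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class KeyRing:
    """Plays the part of the pluggable strategy class: the only code that touches KEKs.
    Wrapping uses the newest KEK; unwrapping looks the KEK up by the opaque ID the caller
    stored beside the wrapped key, so files written before a rotation stay readable."""

    def __init__(self):
        self.keks, self.current = {}, None

    def rotate(self):
        kek_id = "kek-%d" % (len(self.keks) + 1)      # opaque to callers (assumed format)
        self.keks[kek_id] = os.urandom(32)
        self.current = kek_id
        return kek_id

    def encrypt_secret_key(self, data_key):
        return self.current, seal(self.keks[self.current], data_key)

    def decrypt_secret_key(self, kek_id, wrapped):
        if kek_id not in self.keks:
            raise KeyError("unknown KEK id %r; retired before its files were rewritten?" % kek_id)
        return open_(self.keks[kek_id], wrapped)


# Assumed file header: 16-byte KEK id (NUL padded) followed by the wrapped-key length.
HEADER = struct.Struct(">16sH")


def write_file(ring, body):
    """Encrypt `body` under a fresh per-file key and prefix (kek_id, wrapped key)."""
    data_key = os.urandom(16)
    kek_id, wrapped = ring.encrypt_secret_key(data_key)
    return HEADER.pack(kek_id.encode(), len(wrapped)) + wrapped + seal(data_key, body)


def read_file(ring, blob):
    kek_id_raw, wlen = HEADER.unpack_from(blob)
    off = HEADER.size
    data_key = ring.decrypt_secret_key(kek_id_raw.rstrip(b"\0").decode(), blob[off:off + wlen])
    return open_(data_key, blob[off + wlen:])


def kek_id_of(blob):
    """The opaque KEK id a file carries; readable without any key."""
    return HEADER.unpack_from(blob)[0].rstrip(b"\0").decode()


def demo():
    ring = KeyRing()
    ring.rotate()
    old = write_file(ring, b"row1 cf:cq [admin] value")     # constructed sample record
    ring.rotate()                                            # KEK rotation
    new = write_file(ring, b"row2 cf:cq [audit] value")
    return read_file(ring, old), read_file(ring, new), kek_id_of(old), kek_id_of(new)


if __name__ == "__main__":
    print(demo())
```

The point of the opaque ID is visible in demo(): after the rotation the two files carry different identifiers, and both still decrypt because the ring can find the older KEK. A ring that lacks the KEK named in a header fails closed with KeyError, and a single flipped byte in a file fails the tag check before any plaintext is produced; the same holds if the wrapped key itself is altered, since it is sealed the same way.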
REDUCED THREAT

TOWARDS THE FUTURE

THANKS
michael@sqrrl.com

Accumulo Security and Encryption

Speaker: Michael Allen, Security Architect, Sqrrl
Venue: October 28th Accumulo Users Group (along with Strata NY / Hadoop World)

The early Accumulo developers made security a core part of Accumulo's codebase. As the open source community around Accumulo continues to thrive, this talk examines the current state of Accumulo's security features. The talk will detail some exciting developments in the upcoming 1.6 release, which include enhancements around encryption at rest and in motion. We will also take a broader look at new use cases suggesting a wider set of threats, and how current and future work addresses those threats.

Published in: Technology, Education