Discusses cyber-security fears and the risks to your data in the cloud, an overview of cloud and virtualized infrastructures, open-source products and security applications, and lastly, methods for protecting databases.
Notes
  • Export of virtualized databases can be imported into another host machine. Oftentimes, those closest to the data are responsible for security breaches – disgruntled employee….

Securing Open Source Databases

    1. LAMySQL/LAPHP Talk: Securing Open-Source Databases in the Cloud
       Mike Frank, Director of Products

    2. Session Agenda (7/21/2011)
       • Cyber-security fears and the risks to your data in the cloud
       • Overview of cloud and virtualized infrastructures, open-source products, and security applications
       • Methods for protecting databases

    3. Like everything, the cloud has both rewards and concerns

    4. The Cloud Rewards
       • Scalable (up or down)
       • Agile – quick to market
       • Service oriented
       • Pay as you go – like a “utility”
       • Cost sharing / benefits
       • SLA driven – HA
       • Provides built-in “automation” – APIs, tools, etc.
       • Maintenance

    5. The Cloud Concerns
       • Information security
       • Privacy
       • Data location
       • Data migration
       • Legal

    6. The Cloud is the Same and Different
       • Same: components are like any other IT assets – computing resources used to do a job, which must be monitored and managed
       • Different: controlled and monitored through the APIs / tools available from the cloud provider; can’t get “under the hood”

    7. Enterprise Cybersecurity: Fears and the Risks to Data in Clouds

    8. What DATA is vulnerable? It’s all about DATA
       • DIRECT – the real, actual data: via various services (web, database, …); in the end it resides in files and ultimately on storage
       • INDIRECT – data that points to or protects data: usernames and passwords, keys, configuration files or code for services and applications
       • Hypervisor images, firewalls, web servers, middleware servers, data caching servers/services, database servers, applications

    9. Threat Agents
       • Internal: company executives, employees, independent contractors, interns; former employees
       • External: lone hackers, organized crime, and government entities
       • Partners: third parties sharing a business relationship – suppliers, vendors, hosting providers, outsourced IT support, etc.; business partners

    10. Added Risks – In the Cloud
       These risks are accentuated:
       • Data is more distributed – it’s in “cloud storage”, it’s in server “images”
       • More “elastic” – it moves around
       • It’s transient – servers going up and down
       • It’s on the cloud server – public, hybrid, private, private managed, etc.; APIs to “control”; or within a hosted service

    11. Added Threat Agents – In the Cloud
       • There are more, and they hit your public cloud server immediately – just launch a new cloud server with monitoring on; attacks occur immediately
       • They might be “closer” – in the same cloud; on the same hardware, network, hypervisor; on the same storage systems
       • You have less control – more “managed”; some cloud utilities have OS server user access; more unknown resources

    12. User Privileges
       • Users typically have plenty to get the data, just taking advantage of privileges granted to them – don’t even need to be root
       • Suspect in the cloud this is more so the case – more with powerful privileges, not as well managed in many cases

    13. Main Attack Methods for Breaches
       • Remote access services
       • Backdoor or control channel
       • Web application
       • Network file sharing
       • Majority of data is from servers, followed by user devices

    14. Attack Vectors and Data Protection
       • Get OS login access
       • Get access to files on storage
       • Network
       • Injection – not as important as it once was
       • Buffer overflows – not as important as it once was
       • Social engineering
       • Code – malware, viruses, trojans, etc.

    15. Overview of cloud infrastructure, open-source products, and security applications

    16. Open-Source and the Cloud
       • Currently the majority of cloud is open source: Linux based, Apache based
       • Databases: MySQL – 90% of databases; PostgreSQL – surging
       • NoSQL / Big Data coming on strong: MongoDB, Cassandra, Hadoop, and more
       • Other components: Solr, Sphinx

    17. Open Source Security Opinions
       • Thinking is different from commercial
       • Fewer requests from community of end users
       • Less effort put into installers / configuration tools, and more need to have users get started easily
       • Less time spent on security (or has been) – preference is for functional things, like performance
       • Expectation for OS or applications to provide security – delineated boundaries
       • Adding security features breaks things
       • Security takes time – products are typically younger, or security features may be “add-ons”
       • Defaults are less secure

    18. This discussion focuses “below the yellow line”: data in the file system – local, or network/cloud file storage

    19. Insecure direct object reference
       The problem – attackers manipulate direct object references and use them to gain unauthorized access to other objects. URLs or form parameters contain references to objects such as files, directories, database records or keys.

    20. Insecure cryptographic storage
       • All too often web devs don’t encrypt sensitive data, or encryption is present but poorly designed – leads to disclosure of sensitive data
       • How to protect: use good technology / design patterns – AES, RSA public key cryptography, and SHA-256; generate keys offline; only transmit keys over secured communications

    21. Data in File System – how, where, why is this “vulnerable”?
       • Filesystem within the OS – from an “OS user”, whether from a shell or other method
       • Communications network – electronic eavesdropping on files and keys
       • Storage communications – electronic eavesdropping
       • Virtual images – active or inactive
       • Other access to the storage – physical storage device

    22. Per OSS DB Product – What to “Protect”

    23. MySQL
       • The files for InnoDB tables (tablespace) or MyISAM – user schemas but also things like mysql.user
       • Logs – query files (log=/var/log/mysql-queries.log), bin log
       • Configuration files – may contain user/pass: my.cnf, master.info, other “client” configs (i.e. used by mysqldump etc.)
       • Backup files/exports – whether hot, cold, warm, or logical (mysqldump)

    24. Postgres
       • Tablespace – protect the directory and all the files for a tablespace
       • Logs – is log_statement TRUE? Encrypt the log file then, and more important, see where it’s going
       • Configuration files – may contain user/pass: pg_hba.conf, pg_ident.conf, postgresql.conf; “client” configs – pgpass.conf
       • Backup files – whether hot, cold, warm, or some logical or CDP

    25. MongoDB
       • The data dir – the dbpath, e.g. /var/lib/mongodb/
       • Configuration files – specify auth etc. (--config)
       • Log files – depending on what level is set
       • Backup/exports – wherever you direct your mongodump/bsondump; fsync+lock, then copy; other – LVM etc.

    26. Cassandra
       • Data files – /var/lib/cassandra/data/<keyspace>/…
       • Configuration files – cassandra.yaml; -Dpasswd.properties=conf/passwd.properties; -Daccess.properties=conf/access.properties
       • Logs – conf/log4j-server.properties
       • Backup files – /var/lib/cassandra/data/mykeyspace/backups/, /var/lib/cassandra/data/mykeyspace/snapshots/

    27. Hadoop
       From the CDH3 doc: Hadoop’s current threat model assumes that users cannot have root access to cluster or shared client machines. But someone will have root access or other access.
       Note: various “flavors” and variance at this level, but you still need to protect data files and config files (hdfs-site.xml).
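The per-product slides (MySQL, Postgres, MongoDB, Cassandra, Hadoop) all reduce to the same first check: which of these data, config, log and backup files can another OS user read, and are they owned by the database account? As an added example that is not from the talk, the POSIX shell audit below reports any listed path that is world- or group-readable or has the wrong owner. The path lists at the bottom are constructed from the file names on the slides; the exact locations (my.cnf under /etc/mysql, .pgpass in the postgres home, and so on) and the AUDIT_USER default are assumptions to adjust for your install.

```shell
#!/bin/sh
# Added example (not from the talk): audit the on-disk files a database
# leaves behind (data dir, configs with credentials, logs, backups) for
# permissions that let other OS users read them. Paths are constructed
# from the slides' file names; adjust them and AUDIT_USER for your install.

# Return 0 if the path is readable by "other" (world-readable).
world_readable() {
    [ -n "$(find "$1" -prune -perm -004 -print 2>/dev/null)" ]
}

# Return 0 if the path is readable by its group.
group_readable() {
    [ -n "$(find "$1" -prune -perm -040 -print 2>/dev/null)" ]
}

# Print the owning user of a path (portable: parse ls -ld, third column).
owner_of() {
    ls -ld "$1" | awk '{print $3}'
}

# Audit one path against the expected owning account. Prints one line per
# finding; returns 0 when clean, 1 when something needs fixing, 2 if missing.
audit_path() {
    path=$1; expected_owner=$2; rc=0
    if [ ! -e "$path" ]; then
        echo "MISSING        $path"
        return 2
    fi
    if world_readable "$path"; then
        echo "WORLD-READABLE $path"; rc=1
    fi
    if group_readable "$path"; then
        echo "GROUP-READABLE $path"; rc=1
    fi
    actual=$(owner_of "$path")
    if [ "$actual" != "$expected_owner" ]; then
        echo "OWNER          $path is owned by $actual, expected $expected_owner"; rc=1
    fi
    return $rc
}

# Audit a space-separated list of paths; returns 1 if any path had a finding.
audit_list() {
    db_user=$1; list=$2; failed=0
    for p in $list; do
        audit_path "$p" "$db_user" || failed=1
    done
    return $failed
}

# Constructed lists built from the slides (locations are assumptions).
MYSQL_PATHS="/etc/mysql/my.cnf /var/lib/mysql /var/lib/mysql/master.info /var/log/mysql-queries.log"
PG_PATHS="/etc/postgresql/pg_hba.conf /etc/postgresql/pg_ident.conf /etc/postgresql/postgresql.conf /var/lib/postgresql/.pgpass"
MONGO_PATHS="/var/lib/mongodb /etc/mongodb.conf /var/log/mongodb"
CASSANDRA_PATHS="/var/lib/cassandra/data /etc/cassandra/cassandra.yaml /etc/cassandra/passwd.properties /etc/cassandra/access.properties"

# Usage: AUDIT_USER=mysql AUDIT_PATHS="$MYSQL_PATHS" sh audit.sh
if [ -n "${AUDIT_PATHS:-}" ]; then
    audit_list "${AUDIT_USER:-mysql}" "$AUDIT_PATHS"
fi
```

A world-readable my.cnf is normal on many distributions and only matters once it carries a password, which is exactly the case the MySQL slide warns about; treat each line the audit prints as something to review rather than an automatic fault. The checks test the mode bits with find -perm, so the script reports the same result whether it is run as root or as the database account.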
    28. Overview of cloud infrastructure, open-source products, and security applications

    29. Linux Tools
       • IP Tables / Netfilter – Linux kernel firewall, host based
       • AppArmor / SELinux – restrict the actions that installed software can take; add roles and policy concept; seldom enabled

    30. Encryption tools
       • Network – OpenSSL
       • File – mcrypt, OpenSSL
       • Filesystem based encryption – eCryptfs
       • dm-crypt – block based device encryption
       Note: each represents just one component in a comprehensive set of mechanisms to protect the confidentiality of your data.
    31. Cloud Security Tools
       • Can provide not just servers but also firewalls, load balancers, dedicated firewalls, dedicated servers and storage
       • Firewalls with options like stateful inspection, IDS, AV, SSL, IPsec VPN, and more
       • Encrypted cloud storage – block storage, at the FS mount level or the API level; still need to protect and manage the keys

    32. Methods for protecting data: considering the pros and cons

    33. AS-IS for Linux: OS users, and especially ROOT, can read and copy data files

    34. Open Source Databases Don’t Protect Files
       With encryption – MySQL doesn’t. The thief has your data: copy a file and you have the data.

    35. On the cloud the data is either in the hypervisor image …

    36. … or a mounted data store: cloud storage – storage volumes that can be attached to a running instance and mounted as a device within the instance. Examples – Amazon EC2, vCloud VMFS or NFS

    37. Partial 1 – Solve with encryption
       OS with OS filesystem mounts; encryption – block or other filesystem
       • Protects from disk theft, pulling data from IO protocol taps, access to the physical volume (like a SAN), …
       • Doesn’t protect from OS user access. Doesn’t protect keys or passwords

    38. Partial 2 – Access Control
       Process / user only have access; OS with OS filesystem mounts
       • Protects from OS user access
       • Doesn’t protect data at rest etc.
       • Doesn’t protect keys or passwords

    39. Partial 3 – Key Management
       OS kernel memory, key ring – the key is safely stored
       • Protects the key from open access; stored in the protected kernel
       • Not stored in the local or mounted filesystem
       • Control access to keys and key store

    40. Types of Database Encryption
       • Encrypt data as it moves across the network – SSL certificates
       • Encrypt data as it sits at rest within the database storage system – database functions; keys are stored within the database
       • Keys stored outside of the database – usually from an application; can be another “key store”
       • Application encryption

    41. How ezNcrypt is Different
       • Provides on-disk encryption architecture
       • Application and process transparency
       • Key is kept outside of the database schema
       • Database or table-level encryption available
       • Also it’s not just for databases
       • Rules based – ACLs from process to file for TDE
       • Towards “Zero Trust”

    42. Use Cases for Database Encryption
       • Export of virtualized database machines
       • Lost or stolen hardware
       • Compliance requirements – PCI compliance with customer data; HIPAA compliance with protection of medical records; other government agency compliance
       • Safeguard personnel records
       • Protect data from privileged access users

    43. Gazzang’s ezNcrypt
       It’s AES encrypted – the file is worthless to the thief. If root copies a file, then all they have is an encrypted file.

    44. ezNcrypt Flex Edition – Work Flow (Linux exe access control)
       • Is this Linux exe trusted? Name, owner, location, process identifiers/fingerprints
       • OK – then provide key: gets transparent R/W access
       • Where is this Linux exe allowed or denied access to files/dirs? Limited files or directories
       • OK? Transparently uses the key for R/W etc.
       • Not OK: access is denied

    45. Store (*provisional patent)
       1. Each individual file is encrypted with a unique and random key
       2. The passphrase and salt or RSA key is used to protect the server and all the file keys
       3. ezNcrypt calls KSS (Key Storage System) to store the master key
       4. The key is encrypted with a one-time-use secret and sent over SSL
       5. The authenticity of ezNcrypt is verified
       6. The key is safely stored

    46. Retrieve (*provisional patent)
       1. ezNcrypt calls KSS (Key Storage System) to retrieve the master key
       2. The authenticity of ezNcrypt is verified
       3. The key is extracted
       4. The key is encrypted with a one-time-use secret and sent over SSL
       5. The master key is loaded into the keyring
       6. Each individual file is unlocked with the master key

    47. Summary
       • There are risks and rewards in the cloud
       • By using a secure platform, additional cloud security risks are greatly reduced and rewards recognized
       Thank you for your time – Mike Frank – mike.frank@gazzang.com
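The Flex Edition work flow slide describes a decision made before any key is handed to a process: is this Linux executable trusted (name, owner, location, fingerprint), and if so, which files or directories may it touch? The block below is an added, generic illustration of that decision in POSIX shell; it is not ezNcrypt's code and says nothing about how that product implements it. It assumes the openssl CLI for SHA-256 fingerprints, and the allowlist format (absolute path, owner, sha256, allowed directory, one entry per line) is constructed for the example; name and location are both covered by requiring the exact absolute path to match.

```shell
#!/bin/sh
# Added example (not from the talk, not ezNcrypt's code): a generic
# "is this Linux exe trusted?" check. A process is trusted only if its
# executable matches an allowlist entry on absolute path (which fixes name
# and location), owner and SHA-256 fingerprint, and even then it may only
# touch files under the directory that entry grants. Constructed for
# illustration; the allowlist format is an assumption.

# SHA-256 hex fingerprint of a file.
fingerprint() {
    openssl dgst -sha256 < "$1" | awk '{print $NF}'
}

# Owning user of a file (portable: third column of ls -ld).
owner_of() {
    ls -ld "$1" | awk '{print $3}'
}

# Allowlist: one entry per line, fields separated by spaces:
#   <absolute exe path> <owner> <sha256> <allowed directory>
# Prints the allowed directory and returns 0 if $1 matches an entry on all
# three identity checks; returns 1 otherwise (moved, copied, tampered,
# wrong owner, relative path, or simply not listed).
is_trusted() {
    exe=$1; allowlist=$2
    [ -f "$exe" ] || return 1
    case $exe in /*) ;; *) return 1 ;; esac
    actual_owner=$(owner_of "$exe")
    actual_fp=$(fingerprint "$exe")
    while read -r a_path a_owner a_fp a_dir; do
        [ -n "$a_path" ] || continue
        if [ "$a_path" = "$exe" ] && [ "$a_owner" = "$actual_owner" ] \
           && [ "$a_fp" = "$actual_fp" ]; then
            echo "$a_dir"
            return 0
        fi
    done < "$allowlist"
    return 1
}

# The access decision from the slide: trusted exe plus a file inside its
# granted directory -> allow (0); anything else -> deny (1).
may_access() {
    exe=$1; allowlist=$2; file=$3
    dir=$(is_trusted "$exe" "$allowlist") || return 1
    case $file in
        "$dir"/*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Usage: sh exe_trust.sh /usr/sbin/mysqld /etc/exe-allowlist.txt /var/lib/mysql/ibdata1
if [ $# -eq 3 ]; then
    if may_access "$1" "$2" "$3"; then
        echo "ALLOW $1 -> $3"
    else
        echo "DENY  $1 -> $3"
    fi
fi
```

The fingerprint is what makes the check meaningful: a copy of the binary in another location fails on path, and a modified binary at the right location fails on hash, which is the behaviour the slide's "Not OK: access is denied" branch asks for. Like the rest of the "partial" solutions, this only decides who gets the key; it does nothing about a process that is trusted and then misbehaves.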