Comprehensive Security for the Enterprise II: Guarding the Perimeter and Controlling Access


One of the benefits of Hadoop is that it easily allows for multiple entry points both for data flow and user access. Here we discuss how Cloudera allows you to preserve the agility of having multiple entry points while also providing strong, easy to manage authentication. Additionally, we discuss how Cloudera provides unified authorization to easily control access for multiple data processing engines.


Transcript

  • 1. Comprehensive Security for the Enterprise: Guarding the Perimeter and Controlling Access
    Sam Heywood, Director Product Management - Security, Cloudera
    Joey Echeverria, Software Engineer, Cloudera
  • 2. Webinar I: Compliance-Ready Hadoop Recap
    • Cloudera is the most secure Hadoop platform
    • Gazzang acquisition
    • Sign up for 7/22 webinar on encryption and key management
    • Cloudera Center for Security Excellence
    ©2014 Cloudera, Inc. All rights reserved.
  • 3. Cloudera’s Vision for Hadoop Security: Compliance-Ready, Comprehensive, Transparent
    • Standards-based Authentication
    • Centralized, Granular Authorization
    • Native Data Protection
    • End-to-End Data Audit and Lineage
    • Meet compliance requirements
    • HIPAA, PCI-DSS, FERPA, etc.
    • Encryption and key management
    • Security at the core
    • Minimal performance impact
    • Compatible with new components
    • Insight with compliance
  • 4. 5.1 Cloudera Security Capabilities
    • CDH supports Kerberos authentication and over-the-wire encryption
    • Cloudera Manager simplifies Kerberos configuration and enables direct AD integration
    • Sentry provides unified authorization across multiple access paths
      • A single authorization policy will be enforced for Impala, Hive and Search
      • Role based access at Server, Database, Table or View granularity
      • Multi-tenant: Separate policies for each database / schema
    • HDFS Extended ACLs and HBase cell level access control
    • Navigator encryption and key management deliver compliant data security
      • Via Gazzang acquisition
    • Navigator provides data management layer including audit, access control reviews, data classification and discovery, and lineage
  • 5. Key Requirements for Security in Hadoop
    • Perimeter: Guarding access to the cluster itself. Technical Concepts: Authentication, Network isolation
    • Data: Protecting data in the cluster from unauthorized visibility. Technical Concepts: Encryption, Tokenization, Data masking
    • Access: Defining what users and applications can do with data. Technical Concepts: Permissions, Authorization
    • Visibility: Reporting on where data came from and how it’s being used. Technical Concepts: Auditing, Lineage
  • 6. Guard the Perimeter
    (Same four-quadrant diagram as slide 5: Perimeter, Data, Access, Visibility; the Perimeter quadrant is labelled "Kerberos | AD/LDAP".)
    Preserve multiple entry points while providing strong authentication that’s easy to manage
    • Kerberos
    • Industry Standard
    • Integrated into Manager
    • LDAP/AD
    • Username/Password
    • SAML
    • Single Sign-On
  • 7. Perimeter: Authentication in Hadoop
    Core
    • Kerberos-based – use industry standard Kerberos
    • Provably strong authentication between all Hadoop services, and to clients or client proxies
    • Cloudera Manager hides complexity
    • Plug directly into AD for Kerberos
    Edge
    • Username/password – against LDAP/AD
    • SAML for SSO
    • Kerberos clients no longer required on most user end-points
  • 8. IT Integration: Kerberos
    • Users don’t want Yet Another Credential
    • Corp IT doesn’t want to provision and maintain thousands of service principals and keytabs
    • Solution: local KDC + one-way trust
      • Run MIT Kerberos KDC in the cluster
      • Put all service principals here
      • Set up one-way trust of central corporate realm by local KDC
      • Normal user credentials can be used to access Hadoop
    • Recommended: Use Cloudera Manager
      • To properly tune inter-related configuration knobs
      • To manage principals/keytabs creation and distribution
      • To preserve service monitoring with Kerberos security enabled
  • 9. Alternative AD Integration Solution
    Because...
    • Some companies don’t want to install and maintain MIT Kerberos
    • They have one department responsible for managing identities – and they use AD
    • They already have Active Directory running at scale
    • Concerns about setting up 1-way trust between MIT KDC and AD
    Proposed Solution:
    • Use existing Active Directory (AD) to manage both service and user principals
    • Already set up with HA and scale – can handle thousands of service principals
    • No need for 1-way trust to MIT KDC
    • Cloudera Manager to provide automation for a very tedious and error-prone process
    • Required: AD account with ability to create non-admin principals for Hadoop
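The two realm layouts on slides 8 and 9 (local MIT KDC with a one-way trust of the corporate realm, versus everything in Active Directory), as an added example that is not Cloudera's code and not a Kerberos implementation: a small Python model in which a realm records the principals its KDC knows and the realms whose tickets it accepts, so the effect of a one-way trust can be checked in both directions. The realm names, host names and the user alice are constructed for the example.

```python
"""Model of the Kerberos realm layouts on slides 8 and 9.

Added example, not Cloudera code and not a Kerberos implementation: a Realm
is a plain object that records the principals its KDC knows and the realms
whose tickets it accepts. Realm and host names are constructed for the demo.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

CLUSTER_REALM = "HADOOP.EXAMPLE.COM"  # local MIT KDC inside the cluster (constructed)
CORP_REALM = "CORP.EXAMPLE.COM"       # central corporate realm, e.g. Active Directory (constructed)

# primary[/instance]@REALM
PRINCIPAL_RE = re.compile(r"^(?P<primary>[^/@]+)(?:/(?P<instance>[^@]+))?@(?P<realm>[^@]+)$")


@dataclass(frozen=True)
class Principal:
    primary: str
    instance: Optional[str]
    realm: str

    @classmethod
    def parse(cls, text: str) -> "Principal":
        m = PRINCIPAL_RE.match(text)
        if not m:
            raise ValueError(f"not a Kerberos principal: {text!r}")
        return cls(m["primary"], m["instance"], m["realm"])

    @property
    def is_service(self) -> bool:
        # Service principals carry a host instance, e.g. hive/host@REALM.
        return self.instance is not None


@dataclass
class Realm:
    name: str
    principals: Set[Principal] = field(default_factory=set)
    trusted_realms: Set[str] = field(default_factory=set)  # incoming trust only

    def add(self, text: str) -> Principal:
        p = Principal.parse(text)
        if p.realm != self.name:
            raise ValueError(f"{text} does not belong to realm {self.name}")
        self.principals.add(p)
        return p


def can_get_service_ticket(client: Principal, service: Principal, realms: Dict[str, Realm]) -> bool:
    """True if client could obtain a ticket for service under this layout.
    Same realm: both must be known to that KDC.
    Cross realm: the service's realm must trust the client's realm. With a
    one-way trust the opposite direction is refused, so cluster service
    principals never become usable against corporate services."""
    target, home = realms.get(service.realm), realms.get(client.realm)
    if target is None or home is None:
        return False
    if service not in target.principals or client not in home.principals:
        return False
    if client.realm == service.realm:
        return True
    return client.realm in target.trusted_realms


def short_name(p: Principal) -> str:
    """Local user name a Hadoop service derives once the realm is stripped
    (Hadoop does this with auth_to_local rules; simplified here)."""
    return p.primary


def layout_local_kdc() -> Dict[str, Realm]:
    """Slide 8: service principals in a local MIT KDC, one-way trust of corporate."""
    cluster, corp = Realm(CLUSTER_REALM), Realm(CORP_REALM)
    for svc in ("hdfs/nn1.hadoop.example.com", "hive/hs2.hadoop.example.com"):
        cluster.add(f"{svc}@{CLUSTER_REALM}")
    corp.add(f"alice@{CORP_REALM}")
    corp.add(f"cifs/fs1.corp.example.com@{CORP_REALM}")
    cluster.trusted_realms.add(CORP_REALM)  # one-way: cluster trusts corp, corp does not trust cluster
    return {CLUSTER_REALM: cluster, CORP_REALM: corp}


def layout_ad_only() -> Dict[str, Realm]:
    """Slide 9: both service and user principals live in AD; no trust needed."""
    corp = Realm(CORP_REALM)
    for svc in ("hdfs/nn1.hadoop.example.com", "hive/hs2.hadoop.example.com"):
        corp.add(f"{svc}@{CORP_REALM}")
    corp.add(f"alice@{CORP_REALM}")
    return {CORP_REALM: corp}


def check(realms: Dict[str, Realm], client: str, service: str) -> bool:
    return can_get_service_ticket(Principal.parse(client), Principal.parse(service), realms)


if __name__ == "__main__":
    r = layout_local_kdc()
    print(check(r, f"alice@{CORP_REALM}", f"hive/hs2.hadoop.example.com@{CLUSTER_REALM}"))  # True
    print(check(r, f"hdfs/nn1.hadoop.example.com@{CLUSTER_REALM}",
                f"cifs/fs1.corp.example.com@{CORP_REALM}"))  # False
```

The model reproduces the property slide 8 relies on: a corporate user reaches cluster services with her normal credential, while a keytab-backed cluster service principal is never accepted by the corporate realm. In the AD-only layout of slide 9 the same check passes without any trust because every principal is in one realm.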
  • 10. Control Access
    (Same four-quadrant diagram, each quadrant now labelled with its product: Perimeter: Kerberos | AD/LDAP; Access: Sentry | Rhino; Visibility: Cloudera Navigator; Data: Encrypt | Key Trustee.)
    Sentry
    • Apache project contributed by Cloudera in 2013
    • Unified authorization for Hive, Impala and Search
    Rhino
    • Contributed by Intel in 2013
    • Blueprint for enterprise-grade security, including authorization
  • 11. Two Sub-Optimal Choices for SQL on Hadoop: Security Challenges Prior to Sentry
    • Insecure Advisory Authorization
      • Users can grant themselves permissions
      • Intended to prevent accidental deletion of data
      • Problem: Doesn’t guard against malicious users
    • HDFS Impersonation
      • Data is protected at the file level by HDFS permissions
      • Problem: File-level not granular enough
      • Problem: Not role-based
  • 12. Apache Sentry + Project Rhino: Open Source Sentry - Unified Authorization Mechanism
    • Compliance-Ready: Meet regulatory requirements with one system (PII, HIPAA, etc.)
    • Access Control: Store sensitive data in Hadoop with fine-grained controls
    • Unified: Fine-grained authorization and RBAC with one system
    • Multi-Tenancy: Extend Hadoop to more users with central administration group
    Developed in collaboration with Intel and Community through Project Rhino
    (Platform diagram: Batch Processing, Workload Management, Storage / Filesystem, Online NoSQL, Analytic SQL (Impala), Search Engine (Solr), Hive.)
  • 13. Key Capabilities of Sentry
    • One Policy Enforced on Multiple Access Paths: Unified authorization across Impala, Hive and Search
    • Fine-Grained Authorization: Specify security for SERVERS, DATABASES, TABLES & VIEWS
    • Role-Based Authorization
      • SELECT privilege on views & tables
      • INSERT privilege on tables
      • TRANSFORM privilege on servers
      • ALL privilege on the server, databases, tables & views
      • ALL privilege is needed to create/modify schema
    • Multitenant Administration
      • Separate policies for each database/schema
      • Can be maintained by separate admins
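Slides 11 and 13 contrast advisory and file-level authorization with Sentry's role-based privileges on the server/database/table hierarchy. As an added example (not Sentry's own code), the following Python models a flat-file policy in the shape Sentry's policy file used, with group-to-role mappings under [groups], privileges under [roles], and per-database files listed under [databases]; the parser, the rule that ALL is required for schema changes, the hierarchy inheritance, and the check that a per-database file may only grant inside its own database are a reduced model written for this page, and every group, role, database and table name is constructed.

```python
"""Simplified model of a Sentry-style flat-file authorization policy.

Added example for slides 11 and 13; this is not Sentry's code. The privilege
string shape (server=...->db=...->table=...->action=...) and the
[groups]/[roles]/[databases] sections follow the layout Sentry's policy file
used, but the parser and evaluation rules are a reduced model written here;
group, role, database and table names are constructed.
"""
import configparser
from dataclasses import dataclass
from typing import Dict, List, Optional

# Operation -> privilege it needs. Creating or modifying schema needs ALL.
REQUIRED = {"select": "select", "insert": "insert",
            "create": "all", "alter": "all", "drop": "all"}
# Granted action -> the actions it satisfies (ALL implies SELECT and INSERT).
IMPLIED = {"all": {"select", "insert", "all"}, "select": {"select"}, "insert": {"insert"}}


@dataclass(frozen=True)
class Privilege:
    server: str
    db: Optional[str]
    table: Optional[str]
    action: str

    @classmethod
    def parse(cls, text: str) -> "Privilege":
        parts = {}
        for piece in text.split("->"):
            key, _, value = piece.partition("=")
            parts[key.strip().lower()] = value.strip().lower()
        if "server" not in parts or ("table" in parts and "db" not in parts):
            raise ValueError(f"malformed privilege: {text!r}")
        action = parts.get("action", "all")  # no action given => ALL (model convention)
        if action not in IMPLIED:
            raise ValueError(f"unknown action in privilege: {text!r}")
        return cls(parts["server"], parts.get("db"), parts.get("table"), action)

    def covers(self, server: str, db: Optional[str], table: Optional[str], action: str) -> bool:
        """A grant at one level of server -> db -> table applies to everything below it."""
        if self.server != server:
            return False
        if self.db is not None and self.db != db:
            return False
        if self.table is not None and self.table != table:
            return False
        return action in IMPLIED[self.action]


def _ini(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep role/group names as written
    cp.read_string(text)
    return cp


def _csv(value: str) -> List[str]:
    return [v.strip() for v in value.split(",") if v.strip()]


class Policy:
    """Main policy plus optional per-database files (multitenant administration)."""

    def __init__(self, main_text: str, db_files: Dict[str, str]):
        self.groups: Dict[str, List[str]] = {}
        self.roles: Dict[str, List[Privilege]] = {}
        main = _ini(main_text)
        self._load(main, scope_db=None)
        if main.has_section("databases"):
            for db, fname in main["databases"].items():
                # A per-database file belongs to that database's admin and
                # may only grant privileges inside that database.
                self._load(_ini(db_files[fname.strip()]), scope_db=db.lower())

    def _load(self, cp: configparser.ConfigParser, scope_db: Optional[str]) -> None:
        if cp.has_section("groups"):
            for group, roles in cp["groups"].items():
                self.groups.setdefault(group, []).extend(_csv(roles))
        if cp.has_section("roles"):
            for role, privs in cp["roles"].items():
                parsed = [Privilege.parse(p) for p in _csv(privs)]
                for p in parsed:
                    if scope_db is not None and p.db != scope_db:
                        raise ValueError(f"role {role!r} grants outside database {scope_db!r}: {p}")
                self.roles.setdefault(role, []).extend(parsed)

    def authorize(self, user_groups, server, db, table, operation) -> bool:
        """Allow if any role of any of the user's groups holds a covering privilege.
        Users never appear in the policy and cannot grant to themselves, unlike
        the advisory mode on slide 11; grants come only from the policy files."""
        needed = REQUIRED[operation]
        server, db, table = server.lower(), db and db.lower(), table and table.lower()
        return any(priv.covers(server, db, table, needed)
                   for group in user_groups
                   for role in self.groups.get(group, [])
                   for priv in self.roles.get(role, []))


# Constructed sample policy: global file plus one per-database file for "hr".
MAIN_POLICY = """
[groups]
analysts = analyst_role
etl = etl_role
admins = admin_role

[roles]
analyst_role = server=server1->db=sales->table=orders->action=select
etl_role = server=server1->db=sales->action=insert
admin_role = server=server1

[databases]
hr = hr.ini
"""

DB_FILES = {"hr.ini": """
[groups]
hr = hr_reporting

[roles]
hr_reporting = server=server1->db=hr->table=headcount->action=select
"""}


def demo_policy() -> Policy:
    return Policy(MAIN_POLICY, DB_FILES)


if __name__ == "__main__":
    p = demo_policy()
    print(p.authorize(["analysts"], "server1", "sales", "orders", "select"))  # True
    print(p.authorize(["etl"], "server1", "sales", None, "create"))  # False: needs ALL
```

The per-database scope check is the one worth keeping when delegating administration: a tenant admin who edits hr.ini cannot quietly grant a role on the sales database, because the load fails instead of silently widening access.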
  • 14. Financial Services Organization: Financial data for fraud and purchasing behavior analysis
    • Identify patterns in financially-sensitive, PCI-compliant data
    • Before: Hadoop usage supported broad audience but restricted to non-sensitive workloads due to lack of data access controls
    • Now: Data access controls allow for sensitive workloads on restricted data sets inside general use cluster
  • 15. Health Care Organization: Streamline reporting and administration tasks
    • Eliminate multi-step process required to combine data sets for periodic reporting
    • Before: Combining data in Hadoop problematic as departments effectively given access to all columns in all data sets
    • Now: All data stored in Hadoop and report production greatly simplified while maintaining appropriate role based field level access restrictions
  • 16. Key Benefits of Sentry
    • Store Sensitive Data in Hadoop
    • Extend Hadoop to More Users
    • Enable New Use Cases
    • Enable Multi-User Applications
    • Comply with Regulations
  • 17. Sentry - Roadmap (Cloudera Confidential)
    • Sentry continues to unify authorization permissions management across Hadoop ecosystem
    • Extension to additional components: Spark, MapReduce, Pig, Sqoop, Hive Metastore, etc.
    • File and column level access in HDFS
    • Additional granularity
      • Including document-level permissions for Search
    • Streamlined Configuration Management
      • Delegated GRANT and REVOKE through SQL interfaces
      • Flat-file configuration no longer required (permissions stored in database)
      • Permissions GUI
  • 18. Key Requirements for Security in Hadoop
    (Same four-quadrant diagram as slide 5: Perimeter, Data, Access, Visibility. Two quadrants are marked "Coming Soon": "Register for July 22 Webinar" and "Register for Aug 7 Webinar".)
  • 19. Cloudera Enterprise: Comprehensive, Transparent, Compliance-Ready Security
    (Architecture diagram.)
    • Analytic & Processing Engines: Batch Processing, Analytic MPP SQL, Search Engine, Machine Learning, Stream Processing, 3rd Party Apps
    • Systems Management: End-to-End, Zero-Downtime System Administration; Workload & Resource Management
    • Unified Data Storage & Integration: Distributed Filesystem, Online NoSQL Database
    • Security & Governance: Access Control (Authorization), Perimeter (Authentication), Data Protection (Encryption, Key Management), Data Lifecycle (BDR, Snapshots), Data Visibility (Audit, Lineage)
  • 20.
    ✔ Meet compliance requirements
    ✔ Innovate without compromise
    ✔ Comprehensive security for all data
  • 21. (Closing slide)