Sqrrl November Webinar: Encryption and Security in Accumulo

Tightening Your Trusted Zone: Encryption for Accumulo. In this webinar we will provide a technical deep dive into the NoSQL database Apache Accumulo. Some of the topics that will be covered include: encryption in motion, encryption at rest, trust boundaries.

Published in: Data & Analytics, Technology

Sqrrl November Webinar: Encryption and Security in Accumulo

  1. Securely explore your data: ENCRYPTION AND SECURITY IN ACCUMULO AND SQRRL
     Michael Allen, Security Architect, Sqrrl Data, Inc. michael@sqrrl.com
  2. ISN’T ACCUMULO ALREADY SECURE? © 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
  3. I MEAN, THESE SMART GALS AND GUYS MADE IT… (Undisclosed location) Source: wikipedia.org. Public domain.
  4. CELL-LEVEL SECURITY
  5. CELL-LEVEL SECURITY
  6. CELL-LEVEL SECURITY
  7. WHAT’S THE THREAT?
  8. A TYPICAL DEPLOYMENT
  9. A TYPICAL DEPLOYMENT (…ignoring master nodes, name nodes, garbage collectors, other ephemera…)
  10. A TYPICAL CAST
  11. THREATS INSIDE AND OUT
  12. WHO CAN WE PUSH OUT?
  13. HOW?
  14. ENCRYPTION
  15. IN MOTION AND AT REST
  16. IT’S NOT… Source: http://bit.ly/HqScSr. Creative Commons, Attribution.
  17. FUNDAMENTAL QUESTIONS
      • What are you encrypting?
      • How are you encrypting it?
      • How are you protecting the key?
  18. ACCUMULO 1.6
      • SSL for Accumulo Clients
      • Encrypting data within HDFS
  19. SSL AND ACCUMULO
      ACCUMULO-1009: Patch that adds configuring and using SSL certificates
  20. MAKE YOUR CERTS
  21. CONFIGURE YOUR SERVERS
  22. CONFIGURE YOUR SERVERS
  23. DISTRIBUTE YOUR CERTS
  24. DISTRIBUTE YOUR ROOTS
  25. ENJOY YOUR SSL
  26. ENCRYPTION AT REST
      ACCUMULO-998: Patch that adds encryption for RFiles and WAL
  27. ENCRYPTION AT REST
      Uses Java Cryptography Extensions (JCE) for encryption interface / engine (Guess what? It’s pluggable.)
  28. BEHIND THE SCENES
  29. BEHIND THE SCENES
  30. BEHIND THE SCENES
  31. BEHIND THE SCENES
  32. WHERE DOES THAT KEY GO?
  33. WHERE DOES THAT KEY GO?
  34. WHERE DOES THAT KEY GO?
  35. PLUGGABLE STRATEGY
      • Java class that mediates access to KEK
      • Encrypts and decrypts per-file keys
      • Passes back to callers opaque ID to identify KEK used to do encryption
      • Callers should store opaque ID along with encrypted key
  36. PLUGGABLE STRATEGY
  37. PLUGGABLE STRATEGY
  38. CONFIGURATION OPTIONS

      | Property Name | “Usual” Value | Meaning |
      |---|---|---|
      | crypto.module.class | org.apache.accumulo.core.security.crypto.DefaultCryptoModule | The class that creates encrypting and decrypting data streams |
      | crypto.cipher.suite | AES/CFB/PKCS5Padding | Encryption algorithm spec |
      | crypto.cipher.key.length | [value garbled in source] | Key length |
      | crypto.module.class | org.apache.accumulo.core.security.crypto.DefaultSecretKeyEncryptionStrategy | Class that mediates access to KEK |
  39. REDUCED THREAT
  40. REDUCED THREAT
  41. TOWARDS THE FUTURE
  42. THANKS! michael@sqrrl.com
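
The pluggable strategy on slide 35 is envelope encryption: a key-encryption key (KEK) wraps each per-file key, and the caller keeps an opaque KEK ID beside the wrapped key. The following is an added example, not taken from the slides and not Accumulo's own code, showing why that stored ID matters once the KEK is rotated. The class names, the in-memory key map, the KEK IDs and the 128-bit key size are assumptions made for the illustration; `record` needs Java 16 or later.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

// Hypothetical names throughout; this is not Accumulo's strategy interface.
public class KekStrategyDemo {
    // What the caller stores beside the encrypted file: wrapped key + opaque KEK id.
    record WrappedKey(String kekId, byte[] wrapped) {}
    // Mediates all access to KEKs; callers never handle KEK bytes.
    static class InMemoryKekStrategy {
        private final Map<String, SecretKey> keks = new HashMap<>();
        private String currentId;
        void rotate(String newId) throws GeneralSecurityException {
            KeyGenerator kg = KeyGenerator.getInstance("AES");
            kg.init(128);                       // example key size (assumption)
            keks.put(newId, kg.generateKey());
            currentId = newId;                  // new files are wrapped under the new KEK
        }
        WrappedKey wrap(SecretKey fileKey) throws GeneralSecurityException {
            Cipher c = Cipher.getInstance("AESWrap");   // RFC 3394 AES key wrap
            c.init(Cipher.WRAP_MODE, keks.get(currentId));
            return new WrappedKey(currentId, c.wrap(fileKey));
        }

        SecretKey unwrap(WrappedKey wk) throws GeneralSecurityException {
            SecretKey kek = keks.get(wk.kekId());       // the opaque id selects the KEK
            if (kek == null) throw new GeneralSecurityException("unknown KEK id " + wk.kekId());
            Cipher c = Cipher.getInstance("AESWrap");
            c.init(Cipher.UNWRAP_MODE, kek);
            return (SecretKey) c.unwrap(wk.wrapped(), "AES", Cipher.SECRET_KEY);
        }
    }

    public static void main(String[] args) throws Exception {
        InMemoryKekStrategy strategy = new InMemoryKekStrategy();
        strategy.rotate("kek-A");                       // constructed id
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey fileKey = kg.generateKey();           // per-file data key
        WrappedKey stored = strategy.wrap(fileKey);     // persisted with the file
        strategy.rotate("kek-B");                       // rotation must not strand old files
        SecretKey recovered = strategy.unwrap(stored);  // still resolves via "kek-A"
        System.out.println(stored.kekId() + " recovered="
            + Arrays.equals(fileKey.getEncoded(), recovered.getEncoded()));
    }
}
```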
