CASSANDRA DAY ATLANTA 2015
HARDENING CASSANDRA
FOR COMPLIANCE
(OR PARANOIA)
Nate McCall
@zznate
#CassandraSummit
Co-Founder & Sr. Technical Consultant
Licensed under a Creative Commons Attribution-NonCommercial 3.0 New Zealand License
About The Last Pickle.
Work with clients to deliver and improve
Apache Cassandra based solutions.
Based in New Zealand, Australia & USA.
OVERVIEW
Encryption at Rest
Inter-node Communication
Client-Server Communication
Authentication and Authorization
Management and Tooling
Overview:
Security is usually
necessitated by
Industry Guidelines
(depending on organization size)
Overview: Industry Guidelines
- Financial: PCI-DSS
- Healthcare: HIPAA
- Defense/Govt: FIPS
- TelCo: CPNI
Overview: Industry Guidelines
Their heart is in the right place...
(Do you really need node to node SSL if it never leaves a backplane?)
Overview:
But good security practices
can save you ...
Overview:
By necessity we abstract and encapsulate, making
it easier to have unintended side effects
knife ssh -x ${knifeUser} \
  -a hostname \
  -E $chefEnv "role:${role}" "${executeCommand}"
Then eventually:
rm -rf /var/lib/cassandra/*
Overview:
Basic systems hardening
can also protect from
common operational errors
Overview: System Hardening
Limit account access
"sudo su -" = trouble
Overview: System Hardening
Limit filesystem access.
Only C* needs
/var/lib/cassandra
(configuration management does not need access
after initialization)
Overview: System Hardening
Networking
- Limit network access
- network segmentation and ACLs
- iptables, etc
Overview: System Hardening: Limit Network Access
C* only needs inbound on:
- 9042/9160 (clients)
- 7000/7001 (cluster)
- 7199 (JMX)
Encryption at Rest
Inter-node Communication
Client-Server Communication
Authentication and Authorization
Management and Tooling
Encryption At Rest:
Why it's a good idea:
- Do you know how your cloud provider is actually
using storage under the hood?
- What does IT do with decommissioned disks? (Are
you sure?)
Encryption At Rest:
There are good
open source and
commercial options
for at-rest encryption
Encryption At Rest:
It's a distributed system.
Make sure you understand the HA Story
in context of your needs.
Otherwise you've introduced a SPOF!
eg. "EBS snapshots of the key server"
Is this going to work for you?
Encryption At Rest:
File level
vs.
Block level
Encryption At Rest: Open Source
dm-crypt (block)
eCryptfs (file)
Major vendors
probably support both
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Installation_Guide/ch29s02.html
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Storage_Administration_Guide/ch-efs.html
Encryption At Rest: Commercial
- Cloudera Gazzang!
- Vormetric
Encryption At Rest: Commercial
DataStax Enterprise*:
CREATE TABLE users
...
WITH compression_parameters:sstable_compression = 'Encryptor'
and compression_parameters:cipher_algorithm = 'AES/ECB/PKCS5Padding'
and compression_parameters:secret_key_strength = 128;
*commit log not included! (eCryptfs to the rescue)
Encryption At Rest: Commercial-ish
EBS Encryption!
(a.k.a. "not my problem")
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
Encryption at Rest
Inter-Node Communication
Client-Server Communication
Authentication and Authorization
Management and Tooling
Inter-Node Communication: SSL
Inter-Node encryption can be rolled
out on production
with no downtime*
* Depending on client consistency levels
Inter-Node Communication: SSL
Why it's a good idea
Inter-Node Communication: SSL: Why It's a Good Idea:
-Dcassandra.write_survey=true
"I can has your writes"
from: http://icanhascheeseburger.com
Inter-Node Communication: SSL: Why It's a Good Idea:
Every operation
is a
Message
on the wire
Inter-Node Communication: SSL: Why It's a Good Idea:
It takes one Message
to insert an admin account
into the system_auth table
Inter-Node Communication: SSL
SSL Certificates:
a brief interlude
Inter-Node Communication: SSL: Certificates Done Right
BYO Certificate Authority
A CA in this case provides the root certificate which can be used
to validate a node's identity without needing direct knowledge of
that node.
Inter-Node Communication: SSL: Certificates Done Right
Don't do this:
http://docs.datastax.com/en/cassandra/2.1/cassandra/security/secureSSLCertificates_t.html <- BAD!
LOL!
Inter-Node Communication: SSL: Certificates Done Right
What we should do:
1. create the CA with a "root" certificate
2. create certificates for each node
3. export each node's certificate to be signed by the CA
4. sign each node's certificate with the CA
5. add the CA root public certificate into each node's key store
6. add the signed result back into that node's key store
7. import the CA root public certificate into each node's trust store (or build
one and copy it around)
Inter-Node Communication: SSL: Certificates Done Right
Be your own CA
openssl req \
  -config gen_ca_cert.conf \
  -new -x509 \
  -keyout ca-key \
  -out ca-cert \
  -days 365
Inter-Node Communication: SSL: Certificates Done Right
'gen_ca_cert.conf'
[ req ]
distinguished_name = req_distinguished_name
prompt = no
output_password = mypass
default_bits = 2048
[ req_distinguished_name ]
C = US
ST = TX
L = Austin
O = TLP
OU = TestCluster
CN = TestClusterMasterCA
emailAddress = info@thelastpickl.com
Inter-Node Communication: SSL: Certificates Done Right
What we just did
- `req`: An OpenSSL sub-command saying that we are (in this case) creating a PKCS#10 X.509 Certificate (see
https://www.openssl.org/docs/manmaster/apps/req.html for full details)
The following parameters are all options of `req`:
- `-config`: The path to the config file (avoids having to provide information on STDIN)
- `-new`: This is a new signing request we are making
- `-x509`: The output will be a self-signed certificate we can use as a root CA
- `-keyout`: The filename to which we will write our key
- `-out`: The filename to which we will write our certificate
- `-days`: The number of days for which the generated certificate will be valid
Inter-Node Communication: SSL: Certificates Done Right
Per-Node Certificate Creation
keytool -genkeypair \
  -keyalg RSA \
  -alias node1 \
  -keystore node1-server-keystore.jks \
  -storepass awesomekeypass \
  -keypass awesomekeypass \
  -validity 365 -keysize 2048 \
  -dname "CN=node1, OU=SSL-verification-cluster, O=TheLastPickle, C=US"
Inter-Node Communication: SSL: Certificates Done Right
What we just did
- `-genkeypair`: the keytool command to generate a public/private key pair combination
- `-keyalg`: The algorithm to use, RSA in this case*
- `-alias`: An alias to use for this public/private key pair. It needs to identify the public key when imported into a
key store. I usually use some form of $hostname-cassandra
- `-keystore`: The location of our key store (created if it does not already exist)
- `-storepass`: The password for the key store
- `-keypass`: The password for the key
- `-validity`: The number of days for which this key pair will be valid
- `-keysize`: The size of the key to generate
https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html
Inter-Node Communication: SSL: Certificates Done Right
A note about "-dname":
CN=node1
Common Name: Best practice is to use hostname
OU=SSL-verification-cluster
Organizational Unit: I like to use the environment specific cluster name
O=TheLastPickle
Organization
C=US
Country
Note: Hostname verification can be done against subjectAlternativeName
Add "-ext SAN=DNS:thelastpickle.com" to keytool invocation if desired.
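Hostname verification against subjectAlternativeName, as an added example (not from the slides): the check a client library performs on the certificate dict that Python's ssl.getpeercert() returns. The three certificates below are constructed. Per RFC 6125 the dNSName SAN entries decide; the subject CN is consulted only when the certificate carries no dNSName SAN at all, which is why the SAN the slide suggests adding matters.

```python
# Added example, not from the slides: hostname verification over the
# dict layout that ssl.SSLSocket.getpeercert() returns. Sample certs are
# constructed to mirror the -dname used on the slides.
import ipaddress


def _dns_name_matches(pattern, hostname):
    """Match one dNSName SAN entry against a hostname (case-insensitive).

    A '*' is honoured only as the entire leftmost label, as in RFC 6125:
    '*.example.com' matches 'node1.example.com' but not 'a.b.example.com'
    and not 'example.com'. Partial wildcards like 'node*.example.com' fail.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 2 or len(p_labels) != len(h_labels):
        return False
    return bool(h_labels[0]) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """Decide whether `cert` (getpeercert() layout) is valid for `hostname`."""
    san = cert.get("subjectAltName", ())
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        # Connecting by IP: only iPAddress SAN entries count, never the CN.
        return any(kind == "IP Address" and ipaddress.ip_address(value) == wanted_ip
                   for kind, value in san)
    dns_names = [value for kind, value in san if kind == "DNS"]
    if dns_names:
        return any(_dns_name_matches(p, hostname) for p in dns_names)
    # Legacy fallback: a certificate with no dNSName SAN is judged on its CN.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_name_matches(value, hostname)
    return False


# Constructed certificates in getpeercert() layout (assumed values).
NODE1_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "TheLastPickle"),),
                (("organizationalUnitName", "SSL-verification-cluster"),),
                (("commonName", "node1"),)),
    "subjectAltName": (("DNS", "node1.thelastpickle.com"), ("IP Address", "10.0.0.1")),
}
WILDCARD_CERT = {"subject": ((("commonName", "cluster"),),),
                 "subjectAltName": (("DNS", "*.thelastpickle.com"),)}
LEGACY_CERT = {"subject": ((("commonName", "node1"),),)}   # CN only, no SAN

if __name__ == "__main__":
    for cert_name, cert in (("node1", NODE1_CERT), ("wildcard", WILDCARD_CERT),
                            ("legacy", LEGACY_CERT)):
        for host in ("node1", "node1.thelastpickle.com", "10.0.0.1"):
            print(f"{cert_name:8} {host:26} {hostname_matches(cert, host)}")
```

A CN-only certificate for `node1` passes for the bare name `node1` but not for `node1.thelastpickle.com` or for an IP address, so put a SAN entry in the certificate for every name or address that nodes and clients will actually connect to.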
Inter-Node Communication: SSL: Certificates Done Right
Exporting certificates
for signing by the CA
keytool \
  -keystore node1-server-keystore.jks \
  -alias node1 \
  -certreq \
  -file node1_cert_sr \
  -keypass awesomekeypass \
  -storepass awesomekeypass
Inter-Node Communication: SSL: Certificates Done Right
Sign each node's
certificate with the CA
openssl x509 \
  -req \
  -CA ca-cert \
  -CAkey ca-key \
  -in node1_cert_sr \
  -out node1_cert_signed \
  -days 365 \
  -CAcreateserial \
  -passin pass:mypass
Inter-Node Communication: SSL: Certificates Done Right
What did we just do:
- `x509` Use the display and signing subcommand (https://www.openssl.org/docs/manmaster/apps/x509.html)
The following parameters are options of `x509`:
- `-req` We are signing a certificate request as opposed to a certificate
- `-CA` The CA cert file created above
- `-CAkey` The CA key file created above
- `-in` The certificate request we are signing
- `-out` The newly-signed certificate file to create
- `-days` The number of days for which the signed certificate will be valid
- `-CAcreateserial` Create a serial number for this CSR
- `-passin` The key password source. The arguments to `-passin` have their own formatting instructions.
See 'Pass Phrase Arguments' on https://www.openssl.org/docs/manmaster/apps/openssl.html
Inter-Node Communication: SSL: Certificates Done Right
Add the CA's public key to the
node's key stores
keytool \
  -keystore node1-server-keystore.jks \
  -alias CARoot \
  -import \
  -file ca-cert \
  -noprompt \
  -keypass awesomekeypass \
  -storepass awesomekeypass
Inter-Node Communication: SSL: Certificates Done Right
Import that node's signed certificate
back into its key store
keytool \
  -keystore node1-server-keystore.jks \
  -alias node1 \
  -import \
  -file node1_cert_signed \
  -keypass awesomekeypass \
  -storepass awesomekeypass
Inter-Node Communication: SSL: Certificates Done Right
Build a trust store
from the CA's public certificate
(this can be shared among all nodes)
keytool \
  -keystore generic-server-truststore.jks \
  -alias CARoot -importcert \
  -file ca-cert \
  -keypass mypass -storepass truststorepass \
  -noprompt
Inter-Node Communication: SSL: Certificates Done Right
OMG!
A Trust Chain!
Inter-Node Communication: SSL Done Right
server_encryption_options:
    internode_encryption: all
    keystore: conf/server-keystore.jks
    keystore_password: awesomekeypass
    truststore: conf/server-truststore.jks
    truststore_password: truststorepass
    protocol: TLS
    algorithm: SunX509
    store_type: JKS
    cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA]
    require_client_auth: true
If you don't set require_client_auth to
true, you might as well
turn encryption off
Inter-Node Communication: SSL Done Right
Also: Key store password and key password
*must be the same*
server_encryption_options:
    ...
    keystore_password: awesomekeypass
    require_client_auth: true
    ...
keytool ... -keypass awesomekeypass ...
Inter-Node Communication: SSL Done Right
Export restrictions?
Use 128 bit keys
cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA]
http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#importlimits
Inter-Node Communication: SSL: Certificates Done Right
Trouble?
-Djavax.net.debug=ssl
http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/ReadDebug.html
Inter-Node Communication: SSL: Certificates Done Right
This Just In!
Netflix Lemur:
"x.509 Certificate Orchestration
Framework"
http://techblog.netflix.com/2015/09/introducing-lemur.html
https://github.com/Netflix/lemur
Inter-Node Communication
internode_authenticator
Inter-Node Communication: Authenticator
Available commercially
in DSE
Inter-Node Communication: Authenticator
Pretty easy
to roll your own
Inter-Node Communication: Authenticator
o.a.c.auth.IInternodeAuthenticator
boolean authenticate(InetAddress remoteAddress, int remotePort);
void validateConfiguration() throws ConfigurationException;
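Rolling your own, sketched as an added Python example rather than against the Java interface above: the same two calls, validate_configuration() once at startup and authenticate(remote_address, remote_port) per connection, applied as a deny-by-default allow-list of cluster subnets. The CIDRs are constructed, and this is an illustration of the decision logic, not Cassandra's own code or a drop-in IInternodeAuthenticator.

```python
# Added example, not from the slides: the decision logic an
# IInternodeAuthenticator implementation could wrap, in Python so it runs
# stand-alone. Subnets below are constructed sample values.
import ipaddress
import logging

log = logging.getLogger("internode_auth")


class SubnetInternodeAuthenticator:
    """Deny by default: only peers inside the configured cluster subnets pass."""

    def __init__(self, allowed_cidrs):
        self.allowed_cidrs = list(allowed_cidrs)
        self.networks = []          # empty until validated -> everything is denied

    def validate_configuration(self):
        """Counterpart of validateConfiguration(): fail at startup, not at connect time."""
        if not self.allowed_cidrs:
            raise ValueError("internode allow-list is empty; no peer could ever join")
        networks = []
        for cidr in self.allowed_cidrs:
            try:
                # strict=True rejects '10.10.0.1/24' (host bits set), a common typo
                networks.append(ipaddress.ip_network(cidr, strict=True))
            except ValueError as exc:
                raise ValueError(f"bad CIDR {cidr!r} in internode allow-list: {exc}") from exc
        self.networks = networks

    def authenticate(self, remote_address, remote_port):
        """Counterpart of authenticate(InetAddress, int): True admits the connection."""
        try:
            addr = ipaddress.ip_address(remote_address)
        except ValueError:
            log.warning("rejecting unparsable peer address %r", remote_address)
            return False
        if any(addr in net for net in self.networks):
            return True
        # remote_port is the peer's ephemeral source port: logged for
        # correlation with host firewall logs, never used in the decision.
        log.warning("rejected inter-node connection from %s:%d", addr, remote_port)
        return False


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    auth = SubnetInternodeAuthenticator(["10.10.0.0/24", "10.10.1.0/24"])
    auth.validate_configuration()
    for peer in ("10.10.0.7", "10.10.1.200", "192.168.1.5"):
        print(peer, "->", "allowed" if auth.authenticate(peer, 51234) else "denied")
```

This complements require_client_auth rather than replacing it: the allow-list turns away connections from outside the cluster's networks, while the TLS client certificate is what actually proves a peer's identity.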
Encryption at Rest
Inter-Node Communication
Client-Server Communication
Authentication and Authorization
Management and Tooling
Client-Server Communication
Same CA setup
as Server-to-Server
(same limitations, too)
Client-Server Communication
client_encryption_options:
    enabled: true
    keystore: conf/client-keystore.jks
    keystore_password: clientkeypass
    truststore: conf/client-truststore.jks
    truststore_password: clienttrustpass
    protocol: TLS
    algorithm: SunX509
    store_type: JKS
    cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA]
    require_client_auth: true
If you don't set require_client_auth to
true, you might as well
turn encryption off
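To catch the settings the last two slides warn about (internode_encryption not `all`, client encryption left disabled, require_client_auth left false) before a node is restarted, here is an added Python audit, not from the slides, over the server_encryption_options and client_encryption_options blocks of cassandra.yaml. Its parser handles only the flat layout shown on the slides, the "cassandra" default-password check reflects the stock cassandra.yaml, the weak-cipher markers are my own list, and both sample configs are constructed.

```python
# Added example, not from the slides: audit the two encryption blocks of a
# cassandra.yaml. Minimal parser for "section:" + indented "key: value"
# (no PyYAML needed); sample configs below are constructed.

SHIPPED_DEFAULT_PASSWORD = "cassandra"  # value in the stock cassandra.yaml
WEAK_CIPHER_MARKERS = ("_NULL_", "_RC4_", "_DES_", "_3DES_", "_EXPORT", "_MD5", "_anon_")


def parse_flat_sections(text):
    """Parse top-level 'key: value' lines and one level of indented children."""
    sections, current = {"_top": {}}, "_top"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip()
        if raw.startswith((" ", "\t")):
            sections[current][key] = value     # child of the open section
        elif value:
            sections["_top"][key] = value      # plain top-level setting
            current = "_top"
        else:
            current = key                      # header of a new section
            sections[current] = {}
    return sections


def _cipher_list(value):
    return [c.strip() for c in value.strip("[]").split(",") if c.strip()]


def audit_encryption_options(yaml_text):
    """Return a list of findings; an empty list means every check passed."""
    sections = parse_flat_sections(yaml_text)
    server = sections.get("server_encryption_options", {})
    client = sections.get("client_encryption_options", {})
    findings = []
    if server.get("internode_encryption", "none") != "all":
        findings.append("server: internode_encryption is not 'all'")
    if client.get("enabled", "false").lower() != "true":
        findings.append("client: enabled is not true")
    for name, opts in (("server", server), ("client", client)):
        if opts.get("require_client_auth", "false").lower() != "true":
            findings.append(f"{name}: require_client_auth is not true, peer certificates go unverified")
        if opts.get("protocol", "TLS").upper().startswith("SSL"):
            findings.append(f"{name}: protocol {opts['protocol']} is obsolete")
        for pw_key in ("keystore_password", "truststore_password"):
            if opts.get(pw_key) == SHIPPED_DEFAULT_PASSWORD:
                findings.append(f"{name}: {pw_key} is the shipped default")
        for suite in _cipher_list(opts.get("cipher_suites", "")):
            if any(marker in suite for marker in WEAK_CIPHER_MARKERS):
                findings.append(f"{name}: weak cipher suite {suite}")
    return findings


# Constructed sample 1: the hardened settings from the slides.
HARDENED_YAML = """\
server_encryption_options:
    internode_encryption: all
    keystore: conf/server-keystore.jks
    keystore_password: awesomekeypass
    truststore: conf/server-truststore.jks
    truststore_password: truststorepass
    protocol: TLS
    algorithm: SunX509
    store_type: JKS
    cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA]
    require_client_auth: true
client_encryption_options:
    enabled: true
    keystore: conf/client-keystore.jks
    keystore_password: clientkeypass
    truststore: conf/client-truststore.jks
    truststore_password: clienttrustpass
    protocol: TLS
    cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA]
    require_client_auth: true
"""

# Constructed sample 2: a stock-looking config nobody finished hardening.
WEAK_YAML = """\
server_encryption_options:
    internode_encryption: none
    keystore: conf/.keystore
    keystore_password: cassandra
    truststore: conf/.truststore
    truststore_password: cassandra
    protocol: TLS
    cipher_suites: [TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA]
    require_client_auth: false
client_encryption_options:
    enabled: false
    keystore: conf/.keystore
    keystore_password: cassandra
    truststore: conf/.truststore
    truststore_password: cassandra
    require_client_auth: false
"""

if __name__ == "__main__":
    for label, text in (("hardened", HARDENED_YAML), ("weak", WEAK_YAML)):
        findings = audit_encryption_options(text)
        print(f"== {label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

The "key store password and key password must be the same" rule from the earlier slide cannot be seen in cassandra.yaml at all; it is checked at the keytool step, so keep the audit alongside the key-generation script rather than in place of it.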
Encryption at Rest
Inter-Node Communication
Client-Server Communication
Authentication and Authorization
Management and Tooling
Authentication and Authorization:
Why it's a good idea
Authentication and Authorization:
Best practices
are the same as for
RDBMS
Authentication and Authorization: Best Practices
Segment users:
- Admin
- Per-service CRUD
- CRUD (reporting)
Authentication and Authorization: Best Practices
Limit access to
tables
and keyspaces
Authentication and Authorization:
Role-based access control
(RBAC) in 2.2
Authentication and Authorization: Authentication
authenticator: PasswordAuthenticator
Tip: keep your read-only cqlsh credentials in
$HOME/.cassandra/cqlshrc
of the system's admin account
Authentication and Authorization: Authorization
authorizer: CassandraAuthorizer
TIP: turn permissions_validity_in_ms WAY UP
default is 2000 (2 seconds!!)
can use permissions_update_interval_in_ms
for async refresh if needed
Authentication and Authorization: Authorization
These tables have
default read permission
for every authenticated user:
system.schema_keyspace
system.schema_columns
system.schema_columnfamilies
system.local
system.peers
Authentication and Authorization: Authentication
IMPORTANT:
"Please increase system_auth keyspace
replication factor if you use this..."
RF=Number of Nodes
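An added example, not from the slides, that turns the tips above into checks: the authenticator, authorizer and permissions_validity_in_ms values are copied from cassandra.yaml, and the replication map and per-DC node counts come from `DESCRIBE KEYSPACE system_auth` and `nodetool status`. All sample values are constructed, and the 2000 ms threshold is the default the slide quotes.

```python
# Added example, not from the slides: checks for the auth settings and for
# "system_auth RF = number of nodes". Inputs are values an operator copies
# from cassandra.yaml, DESCRIBE KEYSPACE and nodetool status (constructed here).

DEFAULT_PERMISSIONS_VALIDITY_MS = 2000  # cassandra.yaml default named on the slide


def check_auth_settings(authenticator, authorizer, permissions_validity_in_ms):
    """Flag the auth settings the slides warn about."""
    findings = []
    if authenticator.endswith("AllowAllAuthenticator"):
        findings.append("authenticator is AllowAllAuthenticator: logins are not checked")
    if authorizer.endswith("AllowAllAuthorizer"):
        findings.append("authorizer is AllowAllAuthorizer: GRANT/REVOKE have no effect")
    if permissions_validity_in_ms <= DEFAULT_PERMISSIONS_VALIDITY_MS:
        findings.append(
            f"permissions_validity_in_ms={permissions_validity_in_ms}: at or below the "
            f"{DEFAULT_PERMISSIONS_VALIDITY_MS} ms default, so system_auth is re-read constantly")
    return findings


def check_system_auth_replication(replication, nodes_per_dc):
    """Compare the system_auth replication map with the node count per DC.

    `replication` is the map from DESCRIBE KEYSPACE system_auth, e.g.
    {'class': 'NetworkTopologyStrategy', 'dc1': '3'}; `nodes_per_dc` is
    what nodetool status shows, e.g. {'dc1': 3, 'dc2': 4}.
    """
    findings = []
    strategy = replication.get("class", "").rsplit(".", 1)[-1]   # strip package prefix
    total = sum(nodes_per_dc.values())
    if strategy == "SimpleStrategy":
        rf = int(replication.get("replication_factor", 1))
        if len(nodes_per_dc) > 1:
            findings.append("SimpleStrategy ignores datacenters: use NetworkTopologyStrategy")
        if rf != total:
            findings.append(f"replication_factor={rf} but the cluster has {total} nodes")
        return findings
    if strategy != "NetworkTopologyStrategy":
        findings.append(f"unexpected replication class {strategy!r}")
        return findings
    for dc, count in nodes_per_dc.items():
        rf = int(replication.get(dc, 0))
        if rf == 0:
            findings.append(f"{dc}: no system_auth replicas; logins there depend on remote DCs")
        elif rf != count:
            findings.append(f"{dc}: RF={rf} but the DC has {count} nodes")
    return findings


def suggested_alter(nodes_per_dc):
    """CQL that sets system_auth RF to the node count in every DC."""
    parts = ", ".join(f"'{dc}': {count}" for dc, count in nodes_per_dc.items())
    return ("ALTER KEYSPACE system_auth WITH replication = "
            f"{{'class': 'NetworkTopologyStrategy', {parts}}};")


if __name__ == "__main__":
    # Constructed sample: a two-DC cluster whose system_auth only lives in dc1.
    nodes = {"dc1": 3, "dc2": 4}
    current = {"class": "org.apache.cassandra.locator.NetworkTopologyStrategy", "dc1": "1"}
    for f in check_auth_settings("PasswordAuthenticator", "CassandraAuthorizer", 2000):
        print("-", f)
    for f in check_system_auth_replication(current, nodes):
        print("-", f)
    print(suggested_alter(nodes))
```

After changing the replication of system_auth, run `nodetool repair system_auth` on every node so the new replicas actually hold the role and permission rows; until then a login routed to a fresh replica can fail.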
Encryption at Rest
Inter-Node Communication
Client-Server Communication
Authentication and Authorization
Management and Tooling
Management and Tooling:
Securing JMX
Management and Tooling: Securing JMX
Options as of 2.1.8
will look familiar:
JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStore=/path/to/keystore"
JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStorePassword=<keystore-password>"
JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStore=/path/to/truststore"
JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStorePassword=<truststore-password>"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.need.client.auth=true"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.registry.ssl=true"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.protocols=<enabled-protocols>"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.cipher.suites=<enabled-cipher-suites>"
Management and Tooling: Securing JMX
Thus:
as of 2.1.8, nodetool can use SSL*
* https://issues.apache.org/jira/browse/CASSANDRA-9090
Management and Tooling: Securing JMX
Configure authentication
for JMX*
Now you can do:
nodetool status -u monitor -pw monitorpass
* http://docs.datastax.com/en/cassandra/2.1/cassandra/security/secureJmxAuthentication.html
Management and Tooling: Securing JMX
JMX user/password and role
configuration is flexible
For details, take a look at the defaults:
$JAVA_HOME/jre/lib/management/jmxremote.access
$JAVA_HOME/jre/lib/management/jmxremote.password.template
Thanks.
Nate McCall
@zznate
Co-Founder & Sr. Technical Consultant
www.thelastpickle.com
#CassandraSummit

Ā 
Training Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSLTraining Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSLContinuent
Ā 
Adobe Connect on-premise SSL Guide
Adobe Connect on-premise SSL GuideAdobe Connect on-premise SSL Guide
Adobe Connect on-premise SSL GuideRapidSSLOnline.com
Ā 
SSL Implementation - IBM MQ - Secure Communications
SSL Implementation - IBM MQ - Secure Communications SSL Implementation - IBM MQ - Secure Communications
SSL Implementation - IBM MQ - Secure Communications nishchal29
Ā 
Types of ssl commands and keytool
Types of ssl commands and keytoolTypes of ssl commands and keytool
Types of ssl commands and keytoolCheapSSLsecurity
Ā 
Cisco iso based CA (certificate authority)
Cisco iso based CA (certificate authority)Cisco iso based CA (certificate authority)
Cisco iso based CA (certificate authority)Netwax Lab
Ā 
Cassandra Security Configuration
Cassandra Security ConfigurationCassandra Security Configuration
Cassandra Security ConfigurationBraja Krishna Das
Ā 
February 2016 Webinar Series - Best Practices for IoT Security in the Cloud
February 2016 Webinar Series - Best Practices for IoT Security in the CloudFebruary 2016 Webinar Series - Best Practices for IoT Security in the Cloud
February 2016 Webinar Series - Best Practices for IoT Security in the CloudAmazon Web Services
Ā 

Similar to Hardening Cassandra for Compliance and Security (20)

Open SSL and MS Crypto API EKON21
Open SSL and MS Crypto API EKON21Open SSL and MS Crypto API EKON21
Open SSL and MS Crypto API EKON21
Ā 
Java security
Java securityJava security
Java security
Ā 
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...
Ā 
Apache Httpd and TLS certificates validations
Apache Httpd and TLS certificates validationsApache Httpd and TLS certificates validations
Apache Httpd and TLS certificates validations
Ā 
Best Practices of IoT in the Cloud
Best Practices of IoT in the CloudBest Practices of IoT in the Cloud
Best Practices of IoT in the Cloud
Ā 
320.1-Cryptography
320.1-Cryptography320.1-Cryptography
320.1-Cryptography
Ā 
Best Practices for IoT Security in the Cloud
Best Practices for IoT Security in the CloudBest Practices for IoT Security in the Cloud
Best Practices for IoT Security in the Cloud
Ā 
Best Practices for IoT Security in the Cloud
Best Practices for IoT Security in the CloudBest Practices for IoT Security in the Cloud
Best Practices for IoT Security in the Cloud
Ā 
When Securing Access to Data is About Life and Death
When Securing Access to Data is About Life and DeathWhen Securing Access to Data is About Life and Death
When Securing Access to Data is About Life and Death
Ā 
TLS and Certificates
TLS and CertificatesTLS and Certificates
TLS and Certificates
Ā 
SSL Certificates and Operations
SSL Certificates and OperationsSSL Certificates and Operations
SSL Certificates and Operations
Ā 
Issue certificates with PyOpenSSL
Issue certificates with PyOpenSSLIssue certificates with PyOpenSSL
Issue certificates with PyOpenSSL
Ā 
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureLow Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Ā 
Training Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSLTraining Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSL
Ā 
Adobe Connect on-premise SSL Guide
Adobe Connect on-premise SSL GuideAdobe Connect on-premise SSL Guide
Adobe Connect on-premise SSL Guide
Ā 
SSL Implementation - IBM MQ - Secure Communications
SSL Implementation - IBM MQ - Secure Communications SSL Implementation - IBM MQ - Secure Communications
SSL Implementation - IBM MQ - Secure Communications
Ā 
Types of ssl commands and keytool
Types of ssl commands and keytoolTypes of ssl commands and keytool
Types of ssl commands and keytool
Ā 
Cisco iso based CA (certificate authority)
Cisco iso based CA (certificate authority)Cisco iso based CA (certificate authority)
Cisco iso based CA (certificate authority)
Ā 
Cassandra Security Configuration
Cassandra Security ConfigurationCassandra Security Configuration
Cassandra Security Configuration
Ā 
February 2016 Webinar Series - Best Practices for IoT Security in the Cloud
February 2016 Webinar Series - Best Practices for IoT Security in the CloudFebruary 2016 Webinar Series - Best Practices for IoT Security in the Cloud
February 2016 Webinar Series - Best Practices for IoT Security in the Cloud
Ā 

More from zznate

Software Development with Apache Cassandra
Software Development with Apache CassandraSoftware Development with Apache Cassandra
Software Development with Apache Cassandrazznate
Ā 
Successful Software Development with Apache Cassandra
Successful Software Development with Apache CassandraSuccessful Software Development with Apache Cassandra
Successful Software Development with Apache Cassandrazznate
Ā 
Stampede con 2014 cassandra in the real world
Stampede con 2014   cassandra in the real worldStampede con 2014   cassandra in the real world
Stampede con 2014 cassandra in the real worldzznate
Ā 
An Introduction to the Vert.x framework
An Introduction to the Vert.x frameworkAn Introduction to the Vert.x framework
An Introduction to the Vert.x frameworkzznate
Ā 
Intravert atx meetup_condensed
Intravert atx meetup_condensedIntravert atx meetup_condensed
Intravert atx meetup_condensedzznate
Ā 
Apachecon cassandra transport
Apachecon cassandra transportApachecon cassandra transport
Apachecon cassandra transportzznate
Ā 
Oscon 2012 tdd_cassandra
Oscon 2012 tdd_cassandraOscon 2012 tdd_cassandra
Oscon 2012 tdd_cassandrazznate
Ā 
Strata west 2012_java_cassandra
Strata west 2012_java_cassandraStrata west 2012_java_cassandra
Strata west 2012_java_cassandrazznate
Ā 
Nyc summit intro_to_cassandra
Nyc summit intro_to_cassandraNyc summit intro_to_cassandra
Nyc summit intro_to_cassandrazznate
Ā 
Meetup cassandra sfo_jdbc
Meetup cassandra sfo_jdbcMeetup cassandra sfo_jdbc
Meetup cassandra sfo_jdbczznate
Ā 
Meetup cassandra for_java_cql
Meetup cassandra for_java_cqlMeetup cassandra for_java_cql
Meetup cassandra for_java_cqlzznate
Ā 
Introduciton to Apache Cassandra for Java Developers (JavaOne)
Introduciton to Apache Cassandra for Java Developers (JavaOne)Introduciton to Apache Cassandra for Java Developers (JavaOne)
Introduciton to Apache Cassandra for Java Developers (JavaOne)zznate
Ā 
Introduction to apache_cassandra_for_developers-lhg
Introduction to apache_cassandra_for_developers-lhgIntroduction to apache_cassandra_for_developers-lhg
Introduction to apache_cassandra_for_developers-lhgzznate
Ā 
Introduction to apache_cassandra_for_develope
Introduction to apache_cassandra_for_developeIntroduction to apache_cassandra_for_develope
Introduction to apache_cassandra_for_developezznate
Ā 
Hector v2: The Second Version of the Popular High-Level Java Client for Apach...
Hector v2: The Second Version of the Popular High-Level Java Client for Apach...Hector v2: The Second Version of the Popular High-Level Java Client for Apach...
Hector v2: The Second Version of the Popular High-Level Java Client for Apach...zznate
Ā 

More from zznate (15)

Software Development with Apache Cassandra
Software Development with Apache CassandraSoftware Development with Apache Cassandra
Software Development with Apache Cassandra
Ā 
Successful Software Development with Apache Cassandra
Successful Software Development with Apache CassandraSuccessful Software Development with Apache Cassandra
Successful Software Development with Apache Cassandra
Ā 
Stampede con 2014 cassandra in the real world
Stampede con 2014   cassandra in the real worldStampede con 2014   cassandra in the real world
Stampede con 2014 cassandra in the real world
Ā 
An Introduction to the Vert.x framework
An Introduction to the Vert.x frameworkAn Introduction to the Vert.x framework
An Introduction to the Vert.x framework
Ā 
Intravert atx meetup_condensed
Intravert atx meetup_condensedIntravert atx meetup_condensed
Intravert atx meetup_condensed
Ā 
Apachecon cassandra transport
Apachecon cassandra transportApachecon cassandra transport
Apachecon cassandra transport
Ā 
Oscon 2012 tdd_cassandra
Oscon 2012 tdd_cassandraOscon 2012 tdd_cassandra
Oscon 2012 tdd_cassandra
Ā 
Strata west 2012_java_cassandra
Strata west 2012_java_cassandraStrata west 2012_java_cassandra
Strata west 2012_java_cassandra
Ā 
Nyc summit intro_to_cassandra
Nyc summit intro_to_cassandraNyc summit intro_to_cassandra
Nyc summit intro_to_cassandra
Ā 
Meetup cassandra sfo_jdbc
Meetup cassandra sfo_jdbcMeetup cassandra sfo_jdbc
Meetup cassandra sfo_jdbc
Ā 
Meetup cassandra for_java_cql
Meetup cassandra for_java_cqlMeetup cassandra for_java_cql
Meetup cassandra for_java_cql
Ā 
Introduciton to Apache Cassandra for Java Developers (JavaOne)
Introduciton to Apache Cassandra for Java Developers (JavaOne)Introduciton to Apache Cassandra for Java Developers (JavaOne)
Introduciton to Apache Cassandra for Java Developers (JavaOne)
Ā 
Introduction to apache_cassandra_for_developers-lhg
Introduction to apache_cassandra_for_developers-lhgIntroduction to apache_cassandra_for_developers-lhg
Introduction to apache_cassandra_for_developers-lhg
Ā 
Introduction to apache_cassandra_for_develope
Introduction to apache_cassandra_for_developeIntroduction to apache_cassandra_for_develope
Introduction to apache_cassandra_for_develope
Ā 
Hector v2: The Second Version of the Popular High-Level Java Client for Apach...
Hector v2: The Second Version of the Popular High-Level Java Client for Apach...Hector v2: The Second Version of the Popular High-Level Java Client for Apach...
Hector v2: The Second Version of the Popular High-Level Java Client for Apach...
Ā 

Recently uploaded

Scaling API-first ā€“ The story of a global engineering organization
Scaling API-first ā€“ The story of a global engineering organizationScaling API-first ā€“ The story of a global engineering organization
Scaling API-first ā€“ The story of a global engineering organizationRadu Cotescu
Ā 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
Ā 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
Ā 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
Ā 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
Ā 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
Ā 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
Ā 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
Ā 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
Ā 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
Ā 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
Ā 
šŸ¬ The future of MySQL is Postgres šŸ˜
šŸ¬  The future of MySQL is Postgres   šŸ˜šŸ¬  The future of MySQL is Postgres   šŸ˜
šŸ¬ The future of MySQL is Postgres šŸ˜RTylerCroy
Ā 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
Ā 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
Ā 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
Ā 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
Ā 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
Ā 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
Ā 
Finology Group ā€“ Insurtech Innovation Award 2024
Finology Group ā€“ Insurtech Innovation Award 2024Finology Group ā€“ Insurtech Innovation Award 2024
Finology Group ā€“ Insurtech Innovation Award 2024The Digital Insurer
Ā 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
Ā 

Recently uploaded (20)

Scaling API-first ā€“ The story of a global engineering organization
Scaling API-first ā€“ The story of a global engineering organizationScaling API-first ā€“ The story of a global engineering organization
Scaling API-first ā€“ The story of a global engineering organization
Ā 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
Ā 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
Ā 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
Ā 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
Ā 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Ā 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
Ā 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
Ā 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
Ā 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Ā 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Ā 
šŸ¬ The future of MySQL is Postgres šŸ˜
šŸ¬  The future of MySQL is Postgres   šŸ˜šŸ¬  The future of MySQL is Postgres   šŸ˜
šŸ¬ The future of MySQL is Postgres šŸ˜
Ā 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Ā 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
Ā 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Ā 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
Ā 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
Ā 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
Ā 
Finology Group ā€“ Insurtech Innovation Award 2024
Finology Group ā€“ Insurtech Innovation Award 2024Finology Group ā€“ Insurtech Innovation Award 2024
Finology Group ā€“ Insurtech Innovation Award 2024
Ā 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
Ā 

Hardening Cassandra for Compliance and Security

Encryption At Rest: Why it's a good idea:
- Do you know how your cloud provider is actually using storage under the hood?
- What does IT do with decommissioned disks? (Are you sure?)

Encryption At Rest:
There are good open source and commercial options for at-rest encryption.

Encryption At Rest:
It's a distributed system. Make sure you understand the HA story in the context of your needs.
Otherwise you have introduced a SPOF (single point of failure)!
e.g. "EBS snapshots of the key server" - is this going to work for you?
(If every node needs the key server before it can open its data directory, the key server's availability is now the cluster's availability.)

Encryption At Rest: File level vs. Block level

Encryption At Rest: Open Source
- dm-crypt (block level)
- eCryptfs (file level)
Major vendors probably support both:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Installation_Guide/ch29s02.html
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Storage_Administration_Guide/ch-efs.html

Encryption At Rest: Commercial
- Cloudera Gazzang!
- Vormetric

Encryption At Rest: Commercial
DataStax Enterprise*:
    CREATE TABLE users ...
      WITH compression_parameters:sstable_compression = 'Encryptor'
      AND compression_parameters:cipher_algorithm = 'AES/ECB/PKCS5Padding'
      AND compression_parameters:secret_key_strength = 128;
*commit log not included! (eCryptfs to the rescue)
Caveat on the cipher shown: AES in ECB mode turns identical plaintext blocks into identical ciphertext blocks, so repeated values in an SSTable stay visible as repeats. Prefer a chained mode such as AES/CBC/PKCS5Padding where the product offers it.

Encryption At Rest: Commercial-ish
EBS Encryption! (a.k.a. "not my problem")
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
Encryption at Rest
Inter-Node Communication
Client-Server Communication
Authentication and Authorization
Management and Tooling

Inter-Node Communication: SSL
Inter-node encryption can be rolled out on production with no downtime*
* Depending on client consistency levels (nodes are restarted one at a time, and reads and writes must still be satisfiable by the replicas that remain reachable during the roll)

Inter-Node Communication: SSL: Why It's a Good Idea:
-Dcassandra.write_survey=true
"I can has your writes" (image from http://icanhascheeseburger.com)
A node started in write-survey mode joins the ring and receives writes without serving reads. Without inter-node encryption and authentication, nothing stops a rogue host on the cluster network from doing exactly that.

Inter-Node Communication: SSL: Why It's a Good Idea:
Every operation is a Message on the wire.

Inter-Node Communication: SSL: Why It's a Good Idea:
It takes one Message to insert an admin account into the system_auth keyspace.
Inter-Node Communication: SSL
SSL Certificates: a brief interlude

Inter-Node Communication: SSL: Certificates Done Right
BYO Certificate Authority
A CA in this case provides the root certificate, which can be used to validate a node's identity without needing direct knowledge of that node.

Inter-Node Communication: SSL: Certificates Done Right
Don't do this:
http://docs.datastax.com/en/cassandra/2.1/cassandra/security/secureSSLCertificates_t.html <- BAD! LOL!
(The per-node self-signed approach described there puts every node's certificate into every other node's trust store: N certificates copied into N trust stores, redone whenever a node is added or replaced, and no single root you can rotate or revoke.)

Inter-Node Communication: SSL: Certificates Done Right
What we should do:
1. create the CA with a "root" certificate
2. create a key pair for each node
3. export each node's certificate signing request to be signed by the CA
4. sign each node's certificate with the CA
5. add the CA root public certificate into each node's key store
6. add the signed result back into that node's key store (the root must already be there, or keytool cannot build the chain and refuses the import)
7. import the CA root public certificate into each node's trust store (or build one and copy it around)

Inter-Node Communication: SSL: Certificates Done Right
Be your own CA
    openssl req -config gen_ca_cert.conf -new -x509 -keyout ca-key -out ca-cert -days 365

Inter-Node Communication: SSL: Certificates Done Right
'gen_ca_cert.conf'
    [ req ]
    distinguished_name = req_distinguished_name
    prompt = no
    output_password = mypass
    default_bits = 2048

    [ req_distinguished_name ]
    C = US
    ST = TX
    L = Austin
    O = TLP
    OU = TestCluster
    CN = TestClusterMasterCA
    emailAddress = info@thelastpickl.com

Inter-Node Communication: SSL: Certificates Done Right
What we just did
- `req`: the OpenSSL sub-command for PKCS#10 certificate requests, which with `-x509` emits a self-signed certificate instead (see https://www.openssl.org/docs/manmaster/apps/req.html for full details)
The following parameters are all options of `req`:
- `-config`: The path to the config file (avoids having to provide information on STDIN)
- `-new`: This is a new request we are making
- `-x509`: The output will be a self-signed certificate we can use as a root CA
- `-keyout`: The filename to which we will write our key (encrypted with the output_password from the config)
- `-out`: The filename to which we will write our certificate
- `-days`: The number of days for which the generated certificate will be valid

Inter-Node Communication: SSL: Certificates Done Right
Per-Node Certificate Creation
    keytool -genkeypair -keyalg RSA -alias node1 \
      -keystore node1-server-keystore.jks \
      -storepass awesomekeypass -keypass awesomekeypass \
      -validity 365 -keysize 2048 \
      -dname "CN=node1, OU=SSL-verification-cluster, O=TheLastPickle, C=US"

Inter-Node Communication: SSL: Certificates Done Right
What we just did
- `-genkeypair`: the keytool command to generate a public/private key pair
- `-keyalg`: The algorithm to use, RSA in this case
- `-alias`: An alias to use for this public/private key pair. It needs to identify the public key when imported into a key store. I usually use some form of $hostname-cassandra
- `-keystore`: The location of our key store (created if it does not already exist)
- `-storepass`: The password for the key store
- `-keypass`: The password for the key
- `-validity`: The number of days for which this key pair will be valid
- `-keysize`: The size of the key to generate
https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html

Inter-Node Communication: SSL: Certificates Done Right
A note about "-dname":
- CN=node1: Common Name; best practice is to use the hostname
- OU=SSL-verification-cluster: Organizational Unit; I like to use the environment-specific cluster name
- O=TheLastPickle: Organization
- C=US: Country
Note: Hostname verification can be done against subjectAltName. Add "-ext SAN=DNS:thelastpickle.com" to the keytool invocation if desired. Caveat: the `openssl x509 -req` signing step below does not copy extensions from the request, so a SAN put in the request this way has to be supplied again at signing time (via -extfile); check that the signed certificate still carries it before importing.

Inter-Node Communication: SSL: Certificates Done Right
Exporting certificates for signing by the CA
    keytool -keystore node1-server-keystore.jks -alias node1 -certreq -file node1_cert_sr \
      -keypass awesomekeypass -storepass awesomekeypass

Inter-Node Communication: SSL: Certificates Done Right
Sign each node's certificate with the CA
    openssl x509 -req -CA ca-cert -CAkey ca-key -in node1_cert_sr -out node1_cert_signed \
      -days 365 -CAcreateserial -passin pass:mypass

Inter-Node Communication: SSL: Certificates Done Right
What did we just do:
- `x509`: Use the display and signing subcommand (https://www.openssl.org/docs/manmaster/apps/x509.html)
The following parameters are options of `x509`:
- `-req`: We are signing a certificate request as opposed to a certificate
- `-CA`: The CA cert file created above
- `-CAkey`: The CA key file created above
- `-in`: The certificate request we are signing
- `-out`: The newly-signed certificate file to create
- `-days`: The number of days for which the signed certificate will be valid
- `-CAcreateserial`: Create a serial number file for this CA if one does not exist yet (subsequent signings increment it)
- `-passin`: The key password source. The arguments to 'passin' have their own formatting instructions. See 'Pass Phrase Arguments' on https://www.openssl.org/docs/manmaster/apps/openssl.html

Inter-Node Communication: SSL: Certificates Done Right
Add the CA's public certificate to the node's key store
    keytool -keystore node1-server-keystore.jks -alias CARoot -import -file ca-cert -noprompt \
      -keypass awesomekeypass -storepass awesomekeypass

Inter-Node Communication: SSL: Certificates Done Right
Import that node's signed certificate back into its key store (same alias as the key pair, so the signed certificate replaces the self-signed one)
    keytool -keystore node1-server-keystore.jks -alias node1 -import -file node1_cert_signed \
      -keypass awesomekeypass -storepass awesomekeypass

Inter-Node Communication: SSL: Certificates Done Right
Build a trust store from the CA's public certificate (this can be shared among all nodes)
    keytool -keystore generic-server-truststore.jks -alias CARoot -importcert -file ca-cert \
      -keypass mypass -storepass truststorepass -noprompt

Inter-Node Communication: SSL: Certificates Done Right
OMG! A Trust Chain!
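The whole procedure above as one runnable script, added here as an example and not taken from the slides: it does every step with openssl alone (no keytool, so it runs wherever openssl 1.1.1 or later is installed), keeps the slides' names and passwords as assumptions, and adds the two checks a practitioner wants before anything goes near a keystore: that the signed certificate actually verifies against the CA, and that the hostname SAN survived signing, which it does not unless the signing step is told about it again.

```shell
#!/bin/sh
# Added example (not from the slides): CA -> node certificate chain built with
# openssl only, plus chain and SAN checks. Names, passwords (mypass,
# awesomekeypass), the hostname node1 and the DN fields are assumptions
# carried over from the slides.
set -e

WORK=$(mktemp -d)
cd "$WORK"
CA_PASS=mypass

# Same layout as the slides' gen_ca_cert.conf, plus a v3_ca section so the
# root is an explicit CA (basicConstraints) whichever openssl version signs it.
cat > gen_ca_cert.conf <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
prompt = no
default_bits = 2048
x509_extensions = v3_ca

[ req_distinguished_name ]
C = US
ST = TX
L = Austin
O = TLP
OU = TestCluster
CN = TestClusterMasterCA

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# Step 1: be your own CA. The key is encrypted with CA_PASS (the slides do
# this via output_password in the config; -passout is the same thing).
make_ca() {
  openssl req -config gen_ca_cert.conf -new -x509 -newkey rsa:2048 \
    -keyout ca-key -out ca-cert -days 365 -passout "pass:$CA_PASS"
}

# Steps 2-3: per-node key and signing request. CN is the hostname and the
# SAN is requested too (the keytool -ext SAN=... equivalent; -addext needs
# openssl 1.1.1 or later).
make_node_csr() {
  node=$1
  openssl req -new -newkey rsa:2048 -nodes -keyout "$node-key.pem" -out "$node.csr" \
    -subj "/CN=$node/OU=SSL-verification-cluster/O=TheLastPickle/C=US" \
    -addext "subjectAltName=DNS:$node"
}

# Step 4: sign with the CA. 'openssl x509 -req' does NOT copy extensions from
# the request, so the SAN must be supplied again through -extfile.
sign_node_cert() {
  node=$1; out=$2; with_san=$3
  if [ "$with_san" = yes ]; then
    printf 'subjectAltName=DNS:%s\n' "$node" > "$node.ext"
    set -- -extfile "$node.ext"
  else
    set --
  fi
  openssl x509 -req -CA ca-cert -CAkey ca-key -in "$node.csr" -out "$out" \
    -days 365 -CAcreateserial -passin "pass:$CA_PASS" "$@"
}

# Check 1: the signed certificate chains to our root. Prints ok or fail.
chain_status() {
  if openssl verify -CAfile ca-cert "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Check 2: the hostname SAN survived signing. Prints present or missing.
san_status() {
  if openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"; then echo present; else echo missing; fi
}

# Optional: key + signed cert + CA in one PKCS12 store, which the JDK can load
# with store_type: PKCS12 (assumption: Java 8 or later on the node).
make_pkcs12() {
  node=$1
  openssl pkcs12 -export -name "$node" -in "$node-signed.pem" -inkey "$node-key.pem" \
    -certfile ca-cert -out "$node.p12" -passout pass:awesomekeypass
}

make_ca
make_node_csr node1
sign_node_cert node1 node1-signed-nosan.pem no   # the gotcha: SAN silently dropped
sign_node_cert node1 node1-signed.pem yes        # the fix: SAN re-supplied
make_pkcs12 node1
echo "chain:            $(chain_status node1-signed.pem)"
echo "SAN, no -extfile: $(san_status node1-signed-nosan.pem node1)"
echo "SAN, -extfile:    $(san_status node1-signed.pem node1)"
echo "work dir: $WORK"
```

To stay with JKS as on the slides, feed the same ca-cert and signed certificate to the keytool import steps above; otherwise the .p12 can be referenced directly with store_type: PKCS12. Against a running node the same ca-cert is what you hand to `openssl s_client -connect node1:7001 -CAfile ca-cert -cert node1-signed.pem -key node1-key.pem` to confirm the chain from outside, and, once require_client_auth is on, to confirm that the same connection without -cert/-key is refused.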
  • 47. Inter-Node Communication: SSL Done Right server_encryption_options: internode_encryption: all keystore: conf/server-keystore.jks keystore_password: awesomekeypass truststore: conf/server-truststore.jks truststore_password: truststorepass protocol: TLS algorithm: SunX509 store_type: JKS cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA] require_client_auth: true
  • 48. Inter-Node Communication: SSL Done Right
    server_encryption_options:
      internode_encryption: all
      keystore: conf/server-keystore.jks
      keystore_password: awesomekeypass
      truststore: conf/server-truststore.jks
      truststore_password: truststorepass
      protocol: TLS
      algorithm: SunX509
      store_type: JKS
      cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA]
      require_client_auth: true
    If you don't set this to true, you might as well turn encryption off.
  • 49. Inter-Node Communication: SSL Done Right
    Also: key store password and key password *must be the same*
    server_encryption_options:
      ...
      keystore_password: awesomekeypass
      require_client_auth: true
      ...
    keytool ... -keypass awesomekeypass ...
  • 50. Inter-Node Communication: SSL Done Right
    Export restrictions? Use 128-bit keys:
    cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA]
    http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
    http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#importlimits
  • 51. Inter-Node Communication: SSL: Certificates Done Right
    Trouble? -Djavax.net.debug=ssl
    http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/ReadDebug.html
  • 52. Inter-Node Communication: SSL: Certificates Done Right
    This Just In! Netflix Lemur: "x.509 Certificate Orchestration Framework"
    http://techblog.netflix.com/2015/09/introducing-lemur.html
    https://github.com/Netflix/lemur
  • 56. Inter-Node Communication: Authenticator
    o.a.c.auth.IInternodeAuthenticator
      boolean authenticate(InetAddress remoteAddress, int remotePort);
      void validateConfiguration() throws ConfigurationException;
  • 57. Encryption at Rest / Inter-Node Communication / Client-Server Communication / Authentication and Authorization / Management and Tooling
  • 58. Client-Server Communication Same CA setup as Server-to-Server (same limitations, too)
  • 59. Client-Server Communication
    client_encryption_options:
      enabled: true
      keystore: conf/client-keystore.jks
      keystore_password: clientkeypass
      truststore: conf/client-truststore.jks
      truststore_password: clienttrustpass
      protocol: TLS
      algorithm: SunX509
      store_type: JKS
      cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA]
      require_client_auth: true
  • 60. Client-Server Communication
    client_encryption_options:
      enabled: false
      keystore: conf/client-keystore.jks
      keystore_password: clientkeypass
      truststore: conf/client-truststore.jks
      truststore_password: clienttrustpass
      protocol: TLS
      algorithm: SunX509
      store_type: JKS
      cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA]
      require_client_auth: true
    If you don't set this to true, you might as well turn encryption off.
  • 61. Encryption at Rest / Inter-Node Communication / Client-Server Communication / Authentication and Authorization / Management and Tooling
  • 63. Authentication and Authorization: best practices are the same as for an RDBMS
  • 64. Authentication and Authorization: Best Practices
    Segment users:
    - Admin
    - Per-service CRUD
    - CRUD (reporting)
  • 65. Authentication and Authorization: Best Practices Limit access to tables and keyspaces
  • 66. Authentication and Authorization: Role-based access control (RBAC) in 2.2
  • 67. Authentication and Authorization: Authentication
    authenticator: PasswordAuthenticator
    Tip: keep your read-only cqlsh credentials in $HOME/.cassandra/cqlshrc of the system's admin account
  • 68. Authentication and Authorization: Authorization
    authorizer: CassandraAuthorizer
    TIP: turn permissions_validity_in_ms WAY UP; the default is 2000 (2 seconds!!)
    You can use permissions_update_interval_in_ms for async refresh if needed.
  • 69. Authentication and Authorization: Authorization
    These tables have default read permission for every authenticated user:
    - system.schema_keyspace
    - system.schema_columns
    - system.schema_columnfamilies
    - system.local
    - system.peers
  • 70. Authentication and Authorization: Authentication
    IMPORTANT: "Please increase system_auth keyspace replication factor if you use this..."
    RF = number of nodes
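The settings these slides single out (internode_encryption and require_client_auth on slides 47 and 48, the client_encryption_options on slides 59 and 60, and the authenticator, authorizer and permissions_validity_in_ms on slides 67 and 68) can be checked mechanically before a node goes live. This is an added example, not from the deck: the minimal YAML-subset parser, the finding messages and the constructed cassandra.yaml fragment are all assumptions of the example.

```python
def parse_simple_yaml(text):
    """Parse the 'key: value', nested-map and [inline list] subset used by cassandra.yaml."""
    stack = [(-1, {})]  # (indent, mapping being filled); stack[0] holds the root
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = (s.strip() for s in line.partition(":"))
        while indent <= stack[-1][0]:  # outdented: leave the nested map(s)
            stack.pop()
        parent = stack[-1][1]
        if value == "":  # a bare key opens a nested map
            stack.append((indent, parent.setdefault(key, {})))
        elif value.startswith("["):
            parent[key] = [v.strip() for v in value.strip("[]").split(",")]
        else:
            parent[key] = value
    return stack[0][1]

RULES = [  # (dotted key, required value, finding) for each setting the deck requires
    ("server_encryption_options.internode_encryption", "all", "inter-node traffic not fully encrypted"),
    ("server_encryption_options.require_client_auth", "true", "peer nodes are not verified (slide 48)"),
    ("client_encryption_options.enabled", "true", "client traffic not encrypted"),
    ("client_encryption_options.require_client_auth", "true", "clients are not verified (slide 60)"),
    ("authenticator", "PasswordAuthenticator", "authentication is not enforced"),
    ("authorizer", "CassandraAuthorizer", "authorization is not enforced"),
]

def audit(cfg):  # an empty result means the parsed config follows the deck's advice
    findings = []
    for path, want, msg in RULES:
        node = cfg
        for part in path.split("."):
            node = node.get(part) if isinstance(node, dict) else None
        if node != want:
            findings.append(f"{path}: {msg}")
    if int(cfg.get("permissions_validity_in_ms", 2000)) <= 2000:  # slide 68: 2 s default
        findings.append("permissions_validity_in_ms: at or below the 2 second default")
    return findings

# Constructed cassandra.yaml fragment showing the weak settings the deck warns about
WEAK_YAML = """\
authenticator: AllowAllAuthenticator
server_encryption_options:
  internode_encryption: none
  require_client_auth: false
client_encryption_options:
  enabled: false
  require_client_auth: true
"""
```

Running audit(parse_simple_yaml(WEAK_YAML)) reports six findings; only client require_client_auth passes.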
  • 71. Encryption at Rest / Inter-Node Communication / Client-Server Communication / Authentication and Authorization / Management and Tooling
  • 73. Management and Tooling: Securing JMX
    Options as of 2.1.8 will look familiar:
    JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStore=/path/to/keystore"
    JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStorePassword=<keystore-password>"
    JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStore=/path/to/truststore"
    JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStorePassword=<truststore-password>"
    JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.need.client.auth=true"
    JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.registry.ssl=true"
    JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.protocols=<enabled-protocols>"
    JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.cipher.suites=<enabled-cipher-suites>"
  • 74. Management and Tooling: Securing JMX
    Thus: as of 2.1.8, nodetool can use SSL*
    * https://issues.apache.org/jira/browse/CASSANDRA-9090
  • 75. Management and Tooling: Securing JMX
    Configure authentication for JMX*. Now you can do:
    nodetool status -u monitor -pw monitorpass
    * http://docs.datastax.com/en/cassandra/2.1/cassandra/security/secureJmxAuthentication.html
  • 76. Management and Tooling: Securing JMX
    JMX user/password and role configuration is flexible. For details, take a look at the defaults:
    $JAVA_HOME/jre/lib/management/jmxremote.access
    $JAVA_HOME/jre/lib/management/jmxremote.password.template
  • 78. Nate McCall @zznate, Co-Founder & Sr. Technical Consultant, www.thelastpickle.com #CassandraSummit