
De-mystifying security in Couchbase Mobile – Couchbase Connect New York 2017

Building mobile apps typically means that you have decentralized, distributed data, which introduces a number of security risks that are critical to manage. In this session, Sachin Smotra will discuss the five key security concerns to consider when building mobile apps and why addressing them is critical for mobile success. Specifically, he will cover User Authentication, Data Read/Write Access, Data Transport on the Wire, Data Storage on the Device, and Data Storage in the Cloud.



  1. ©2017 Couchbase Inc. De-mystifying Security in Couchbase Mobile. Sachin Smotra, Product Management @ Couchbase
  2. Agenda: 1 Security concerns for mobile applications; 2 Securing Data at Rest; 3 Securing Data in Motion; 4 Authentication; 5 Data Access; 6 Resources
  3. Typical 3-tier architecture: Client Tier (Mobile Client, Web Client, Desktop Client) -> Internet -> Middle Tier (Web Services) -> Intranet -> Data Tier (Database)
  4. Security concerns for mobile applications
     1 Data Storage on Device • File System Encryption • Data Encryption • Key Rotation • Offline Login
     2 Data Transport on the Wire • Secure Transport
     3 Authentication • Principal Instantiation • Session Management
     4 Data Access Control • Read Access • Write Validation
     5 Data Storage in the Cloud • File System Encryption • Data Encryption
  5. Security concerns across the full stack [diagram: the 3-tier architecture of slide 3 with the five concerns placed on it: 1 Local Storage, 2 Transport over Wire (shown twice, once for the Internet hop and once for the Intranet hop), 3 Authentication, 4 Data Access Control, 5 Data Storage in the Cloud]
  6. Couchbase addresses security concerns for the full stack [diagram: the same 3-tier architecture with Couchbase Lite in the client tier, Sync Gateway in the middle tier and Couchbase Server in the data tier; callouts: 1 Local Storage: full database AES-256 encryption; 2 Secure transport over wire (Internet and Intranet); 3 Pluggable authentication; 4 User and role based data access control; 5 Secure data storage in the cloud with partner solutions]
  7. Couchbase addresses security concerns for the full stack [section divider: the slide 6 diagram repeated, introducing 1 Local Storage]
  8. Securing Local Storage: encrypted data requires a key for access
  9. Securing Local Storage: what’s available OOB? Couchbase provides • Full database encryption • File system encryption • Key rotation • Offline login. Application developer responsibilities • Key selection • Key storage
  10. How Couchbase addresses security concerns for the full stack [section divider: the slide 6 diagram repeated, introducing 2 Secure Transport over Wire]
  11. Secure data transport over the Internet (Sync Gateway configuration):
      {
        "SSLCert": "cert.pem",
        "SSLKey": "privkey.pem",
        "databases": {
          "todo": { …… }
        }
      }
  12. Secure data transport over the Intranet (Sync Gateway to Couchbase Server nodes SERVER1, SERVER2, SERVER3):
      "databases": {
        "todo": {
          "server": "https://cb-server:8091",
          "bucket": "data-bucket",
          "username": "data-bucket",
          ……
        }
      }
  13. How Couchbase addresses security concerns for the full stack [section divider: the slide 6 diagram repeated, introducing 3 Pluggable Authentication]
  14. Authentication • Basic Authentication • OpenID Connect • Custom Authentication • Facebook Login
  15. Authentication: OpenID Connect • OpenID Connect is an interoperable authentication protocol based on the OAuth 2.0 family of specifications • Supported flows: Authorization Code Flow, Implicit Flow • Production deployments of OpenID Connect
  16. OpenID Connect – Authorization Code Flow [sequence diagram; participants: Mobile Device (application and system browser), Sync Gateway, OpenID Connect Provider (identity provider)]
      1. Application initiates authentication by connecting to Sync Gateway’s OIDC end-point
      2. Sync Gateway responds with a redirect to the OIDC Provider; the device opens the endpoint in the system browser and the user is sent to the OIDC provider endpoint
      3. OIDC Provider challenges for user authentication and receives credentials from the user
      4. Identity Provider validates the credentials and returns the validation result (true/false)
      5. Upon successful authentication, the end user is redirected to Sync Gateway with an authorization code
      6. Sync Gateway uses the authorization code to make an access request to the token endpoint
      7. OIDC Provider returns access token, ID token and refresh token to Sync Gateway
      8. Sync Gateway creates a session for the authenticated user and returns ID token, session ID and refresh token
      9. Application sets the session cookie in the replication headers; the Sync Gateway session cookie is sent in the replication requests
  17. OpenID Connect – Implicit Flow [sequence diagram; participants: Mobile Device (application and system browser), Sync Gateway, OpenID Connect Provider (identity provider)]
      1. Application initiates authentication and opens the system browser
      2. Redirect to the OIDC Provider for user authentication
      3. OIDC Provider challenges for user authentication and receives credentials from the user
      4. Identity Provider validates the credentials and returns the validation result (true/false)
      5. Client receives the tokens in the response
      6. CBL uses the JWT token to get a Sync Gateway session; Sync Gateway provides the option to create the user based on the JWT token
      7. Sync Gateway session cookie returned; replicator session cookie is set
      8. Cookies sent in the replication request to Sync Gateway
  18. Custom Authentication [sequence diagram; participants: Mobile Device, Custom Authentication Provider, Sync Gateway, Identity Provider]
      1. Application initiates authentication with the Custom Auth Provider
      2. Provider requests credentials for user authentication and receives them from the user
      3. Identity Provider validates the credentials and returns the validation result (true/false)
      4. Create the user (if needed) with the Admin REST API: http://server/dbname/_user
      5. POST request with the user name to the Admin REST API: http://server/dbname/_session; the cookie value is set in the response body
      6. Set the authentication session cookie; client receives the response
      7. Replicator cookie parameter set; cookies sent in the replication request to Sync Gateway
  19. How Couchbase addresses security concerns for the full stack [section divider: the slide 6 diagram repeated, introducing 4 User and Role Based Data Access Control]
  20. Data Access in mobile apps [illustration: users Alice, Bob and John sharing lists of items (tent, survival gear, camping supplies, sleeping bags) with each other]
  21. Data Access Control in Couchbase [table] • User Based Access: User Permissions, Roles, APIs for Role Definition & Assignment • Data partitioning: Channels • Read Access: Access Grants, Sync Function • Write Access: Sync Function, Data Validation
  22. How Couchbase addresses security concerns for the full stack [section divider: the slide 6 diagram repeated, introducing 5 Secure Data Storage in the Cloud with Partner Solutions]
  23. Securing data at rest in Couchbase Server
  24. Couchbase addresses security concerns for the full stack [wrap-up: the slide 6 diagram repeated with all five callouts: 1 Local Storage: full database AES-256 encryption; 2 Secure transport over wire; 3 Pluggable authentication; 4 User and role based data access control; 5 Secure data storage in the cloud with partner solutions]
  25. Sachin Smotra, sachin@couchbase.com, @ssmotra • Download links: Server 5.0 Beta, Sync Gateway 1.5 Beta, Couchbase Lite 2.0 Preview • Blog posts: Security Concerns for Mobile Data Synchronization; OpenID Connect in Couchbase blog
  26. Thank You!
  27. The Couchbase Connect mobile app: take our in-app survey!
  28. Share your opinion on Couchbase: 1. Go here: http://gtnr.it/2eRxYWn 2. Create a profile 3. Provide feedback (~15 minutes)
  29. Follow us on social media: Twitter @couchbase, Facebook /couchbase, Instagram @couchbase, LinkedIn /company/couchbase
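The custom-authentication flow of slide 18, written out as an added example (not code from the slides or from Couchbase): the app server validates credentials with its own provider, then uses the Sync Gateway Admin REST API to create the user if needed and to POST the user name to /_session, handing the returned cookie to the client for its replicator. The injected send() transport, the in-memory stand-in for the admin API, the demo account, and the response field names cookie_name/session_id/expires and the ttl body field are assumptions for this example.

```javascript
// Custom authentication against Sync Gateway's Admin REST API (example code,
// not from the slides). send(req) is an injected synchronous transport that
// returns { status, body }; in production it is an HTTP client on the app
// server, the only place the admin port should be reachable from.
function customLogin(opts) {
  var base = opts.adminUrl + "/" + opts.db;            // e.g. http://server/dbname
  // Step 1: the custom provider validates the credentials; Sync Gateway never sees them.
  if (!opts.validateCredentials(opts.username, opts.password)) {
    return { ok: false, reason: "invalid credentials" };
  }
  // Step 2: create the user if needed via /_user/<name> (slide 18).
  var userUrl = base + "/_user/" + encodeURIComponent(opts.username);
  if (opts.send({ method: "GET", url: userUrl }).status === 404) {
    var created = opts.send({ method: "PUT", url: userUrl,
      body: { name: opts.username, admin_channels: opts.channels || [] } });
    if (created.status !== 201) return { ok: false, reason: "user creation failed" };
  }
  // Step 3: POST the user name to /_session; the cookie comes back in the body
  // (the ttl field, in seconds, is assumed from the admin API).
  var sess = opts.send({ method: "POST", url: base + "/_session",
    body: { name: opts.username, ttl: opts.ttlSeconds || 86400 } });
  if (sess.status !== 200) return { ok: false, reason: "session creation failed" };
  // Step 4: return the cookie the client sets on its replicator (field names
  // cookie_name / session_id / expires are assumed from the admin API).
  return { ok: true, cookie: sess.body.cookie_name + "=" + sess.body.session_id,
           expires: sess.body.expires };
}

// Constructed in-memory stand-in for the admin API so the flow runs offline.
var demoUsers = {};
function demoSend(req) {
  if (req.method === "GET") return { status: demoUsers[req.url] ? 200 : 404, body: {} };
  if (req.method === "PUT") { demoUsers[req.url] = req.body; return { status: 201, body: {} }; }
  return { status: 200, body: { cookie_name: "SyncGatewaySession",
                                session_id: "demo-session-id", expires: "2017-06-01T00:00:00Z" } };
}
// Constructed identity provider: a single known account.
function demoValidate(user, pass) { return user === "alice" && pass === "correct horse"; }
function demoLogin(password) {
  return customLogin({ adminUrl: "http://server", db: "todo", username: "alice",
    password: password, channels: ["list-trip1"], validateCredentials: demoValidate, send: demoSend });
}
```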
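The four controls of slide 21 (user based access, data partitioning, read access, write access) as one Sync Gateway sync function, added here as an example and not taken from the slides or from Couchbase. It is written in JavaScript because sync functions are; the shared-list document model (type, owner, members, items), the list-per-channel partitioning, and the small harness standing in for the channel/access/requireUser helpers Sync Gateway injects are assumptions for the demo.

```javascript
// Sync Gateway sync function for a shared shopping-list document model
// (example code, not from the slides). Document shape, constructed for the demo:
// { _id, type: "list", owner: "<user>", members: ["<user>", ...], items: [...] }
function syncFunction(doc, oldDoc) {
  if (doc._deleted) {
    requireUser(oldDoc && oldDoc.owner);           // only the owner may delete
    return;
  }
  if (doc.type !== "list") {                       // write validation
    throw({ forbidden: "unknown document type" });
  }
  if (typeof doc.owner !== "string" || !Array.isArray(doc.members)) {
    throw({ forbidden: "owner and members are required" });
  }
  if (oldDoc) {
    requireUser(oldDoc.owner);                     // only the current owner may update
    if (doc.owner !== oldDoc.owner) {
      throw({ forbidden: "ownership cannot be transferred" });
    }
  } else {
    requireUser(doc.owner);                        // creator must be the owner
  }
  var ch = "list-" + doc._id;                      // data partitioning: one channel per list
  channel(ch);                                     // route the document into that channel
  access(doc.owner, ch);                           // read access: the owner ...
  access(doc.members, ch);                         // ... and the members the owner shared with
}

// Minimal stand-in for the helpers Sync Gateway injects (assumed, for offline runs).
var ctx = { user: null, channels: [], grants: [] };
function channel(name) { ctx.channels.push(name); }
function access(users, channels) {
  [].concat(users).forEach(function (u) { ctx.grants.push(u + ":" + channels); });
}
function requireUser(name) {
  if (ctx.user !== name) throw({ forbidden: "wrong user" });
}
// Runs the sync function as `user` and returns what Sync Gateway would record.
function runSync(doc, oldDoc, user) {
  ctx = { user: user, channels: [], grants: [] };
  try {
    syncFunction(doc, oldDoc);
    return { allowed: true, channels: ctx.channels, grants: ctx.grants };
  } catch (e) {
    return { allowed: false, reason: e.forbidden };
  }
}
```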
