Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Securing Couchbase for your enterprise – Connect Silicon Valley 2017

1,059 views

Published on

Speaker: Davis Chapman, Solutions Architect, Couchbase

One catch with handling data, no matter the context, is that there’s a good chance that you are dealing with something that’s sensitive and needs to be secured. In this session, we’ll look at the various decisions that need to be weighed, and actions taken to secure data in the Couchbase platform. This session will cover the full stack, from data at rest in a Couchbase cluster, to data residing in Couchbase Lite on a mobile device, as well as every point in-between.

Visit our website for more information:

https://www.couchbase.com/

Published in: Technology
  • Be the first to comment

Securing Couchbase for your enterprise – Connect Silicon Valley 2017

  1. 1. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. SECURITY Couchbase Server 5.0 & Couchbase Mobile 2.0
  2. 2. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. WHY SECURITY? The Net is Dark and Full of Terrors
  3. 3. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. 3 Recent Security Breaches WannaCry Ransomware (May 2017) Wikileaks CIA Vault 7 (March 2017) Cloudflare Cloudbleed (Feb 2017) MongoDB hack (Jan 2017) Equifax (Sept 2017) DocuSign (May 2017) Verizon (July 2017) Deloitte (Sep 2017) Securities and Exchange Commission (SEC) (Sep 2017)
  4. 4. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. REVIEW | SECURITY CAPABILITIES A quick refresher 4
  5. 5. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. 5 Security – A Major Question at Different Levels Outside Network Users COUCHBASE CLUSTER Internal Network Perimeter Network External Firewall Internal Firewall Web Server Application Server Applications Infrastructure Data Users
  6. 6. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. 6 Facility Network perimeter Internal network Host Application Admin Data Defense in Depth: Layered approach to customer environment Physical controls, video surveillance, access control Edge routers, firewalls, intrusion detection, vulnerability scanning Intrusion detection, vulnerability scanning Access control and monitoring, anti-malware, patch and configuration management Secure engineering (SDL), Access Control, security monitoring, anti-malware Account Management, training and awareness, screening Authorization, Data Encryption, Data Masking, Secret Management
  7. 7. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. 7 Security Pillars in Couchbase Authentication Authorization Crypto Auditing Operations App/Data: SASL AuthN Admin: Local or LDAP PAM Authentication (4.6) Local Admin User Local Read-Only User RBAC for Admins RBAC for Applications (5.0) TLS admin access TLS client-server access Secure XDCR X.509 certificates for TLS Data-at-rest Encryption* Field-level Encryption* Secret Management (4.6) Admin auditing Security management via UI/CLI/REST * Via third-party partners
  8. 8. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. 8 Couchbase addresses Security concerns for the full stack 8 ClientTier Mobile Client Web Client Desktop Client DataTier DatabaseWeb Services MiddleTier COUCHBASE LITE SYNC GATEWAY COUCHBASE SERVER Internet Intranet 1 Local Storage Full Database AES-256 Encryption 5 Secure Data Storage in the Cloud with Partner Solutions 4 User and Role Based Data AccessControl 2 Secure Transport OverWire 3 Pluggable Authentication 2 Secure Transport OverWire
  9. 9. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. 9 Authentication Internal (local) External Internal users managed by Couchbase • Challenge-response • User management (New) Cluster Authentication • Shared erlang token External users managed by 3rd party Identity Management System • LDAP integration • Pluggable Authentication Modules (PAM) Authentication Domains
  10. 10. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. 10 Pluggable Authentication Modules (PAM) in Couchbase 4.6 • Allows UNIX local accounts to authenticate as Couchbase administrators • Pluggable authentication architecture that is policy driven Centralized Management Centralized and synchronize administrator account management using UNIX user management services Security Policy Enforcement Allows configuration of strong security policies such as strong password requirements
  11. 11. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. 11 Authorization Authorization for Admins Authorization for Apps • Role based access control for Administrators • RBAC for applications (New)
  12. 12. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. 12 Role-Based Access Control (RBAC) for Administrators Regulatory Compliance A strong demand for applications to meet standards recommended by regulatory authorities Segregation of Admin Duties Every admin does not have all the privileges. Depending on the job duties, admins can hold only those privileges that are required. Security Privilege Separation Only the full-admin has the privilege to manage security, and his/her actions can be audited just like other administrators. Role-Based Access Control (RBAC) allows you to specify what each admin can access in couchbase through role membership
  13. 13. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. 13 RBAC for Administrators – How it works • Administrative users can be mapped to out-of-the-box roles • Roles pre-defined with permissions for specific resources • Full Admin • Cluster Admin • Bucket Admin • View Admin • XDCR Admin • Can work with internal and external users Full Admin Cluster Admin Bucket Admin View Admin XDCR Admin
  14. 14. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. 14 Encryption On-the-wire Encryption On-Disk Encryption • TLS between client and server • TLS between datacenters using secure XDCR • X.509 CA Certificates for trusted encryption between client and server • Volume and application level encryption through our trusted 3rd partners (Vormetric, Protegrity, SafeNet) • FIPS 140-2 compliant
  15. 15. Role Based Access Control RBAC for Applications – New in 5.0 15
  16. 16. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. 16 Role-Based Access Control (RBAC) for Applications Regulatory Compliance A strong demand for applications to meet standards recommended by regulatory authorities Segregation of User Duties Depending on the job duties, users can hold only those privileges that are required Locking Down Services Depending on what the service is needed for, only those roles can be assigned • Meet regulatory compliance requirements for data users and applications • Simplified access control management for data and admin users across the cluster
  17. 17. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. 17 RBAC Security Model • NIST Model • Scalable users accounts • Fixed out-of-the-box data roles in 5.0 • 1:N User-to-role mapping • Roles can be applied for specific buckets / across all buckets [*] Privilege A set of actions on a given resource Eg. Read documents on “foo” bucket Role A fixed grouping of privileges that defines the access given Action: an operation eg. read, write, read metadata Resource: some system object that an action can be performed on. eg. bucket, index, etc. User User is a human user or service
  18. 18. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. 18 High Level Process of Securing your Environment • Secure the Perimeter and Layers: • Identify the secure perimeter. • Secure the perimeter via firewall rules • Secure the full stack with appropriate procedures – OS, Database, Application • Encrypt at Rest and in Transit: • Encrypt all communication that traverses the secure perimeter • Encrypt data on disk • Control Access • Limit access to the database and data and sensitive files (configuration, logs etc.) • Leverage Couchbase-specific feature functionality to further enhance / augment the security at the database level (e.g. SSL, RBAC) • Assess and further minimize your attack surface area. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved.
  19. 19. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. WHAT’S NEW IN COUCHBASE 5.0? 20Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved.
  20. 20. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. 21 Couchbase Server 5.0 21Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. New security capabilities Authorization Role Based Access Control for Applications Authentication X509 Certificate based authentication
  21. 21. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. RBAC 23Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved.
  22. 22. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. 24 RBAC for users and applications Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. 24 Data Access Compliance Unique identities for users and apps - Internally / Externally (LDAP, PAM) managed authentication domains Segregated data access - Roles for locking down access to data, query and full text services - Roles that will allow users and services to only do their jobs and nothing more Simplified Access Control Built-in roles for data and admin access - Simplified security management through roles not individual users Centralized security management - Full-admin can configure cluster-wide RBAC through UI, REST
  23. 23. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. 25 RBAC for users and applications Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. 25©2017 Couchbase. All rights reserved. 25 • GRANT a role to a user • REVOKE a role from a user • Distinct roles for each N1QL statement type GRANT query_insert ON `travel-sample` TO don; REVOKE query_insert ON `travel-sample` FROM jdoe; N1QL GRANT and REVOKE statements New system catalogs for RBAC system:user_info system:my_user_info system:applicable_roles
  24. 24. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. 26 User Management Flexible User Management • Internal and External authorization support • Unique identities for data users and services • REST and CLI configurable • Seamless upgrades without application changes • Scalable
  25. 25. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. 27 New Roles for Data Service – RBAC in 5.0 • Read data from bucketData Reader • Write data to bucketData Writer • Can read the DCP stream from bucketData DCP Reader • Can backup/restore the bucketData Backup • Can monitor statistics for bucketData Monitoring
  26. 26. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. 28 New Roles for Query Service – RBAC in 5.0 • Can execute SELECT N1QL statement for bucketQuery Select • Can execute UPDATE N1QL statement for bucketQuery Update • Can execute INSERT N1QL statement for bucketQuery Insert • Can execute DELETE N1QL statement for bucketQuery Delete • Can execute index management statements for bucketQuery Manage Index • Can query system tables for bucketQuery System Catalog • Can execute N1QL CURL statementQuery External Access
  27. 27. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. 29 New Roles for Full Text Search Service – RBAC in 5.0 • Can administer FTS serviceFTS Admin • Can execute search queries for a bucketFTS Searcher
  28. 28. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. 30 Bucket Roles – RBAC in 5.0 • Can administer FTS serviceBucket Full Access • Can execute search queries for a bucketBucket Admin So, can I get a role that gives me the application behavior similar to pre-5.0?
  29. 29. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. 31 Password Policy and Rotation Policy and Rotation • Simple password policy rules enforced when initially set or rotated • Policy can be set using REST or CLI • Password can be reset using UI, REST or CLI Default Policy { "enforceDigits": false, "enforceLowercase": false, "enforceSpecialChars": false, "enforceUppercase": false, "minLength": 6 }
  30. 30. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. 32 Role Assignment – Using REST and CLI Using REST Using CLI curl -X PUT http://localhost:8091/settings/rbac/users/local/doug-data-user -u Administrator:password -d "roles=data_reader[travel-sample]" -d "password=dougpassword” ./couchbase-cli user-manage --set --rbac-username doug-n1ql-user --rbac- password dougpassword --auth-domain local --roles "data_reader[*], query_select[*]" -c http://localhost:8091 -u Administrator -p password
  31. 31. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. 33 GRANT/REVOKE statements in N1QL for RBAC GRANT ROLE REVOKE ROLE GRANT ROLE data_reader(`*`) to doug REVOKE ROLE data_reader(`*`) from doug
  32. 32. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. 34 Web Console For Administrators and Developers Who gets to log into web console ? 1. Administrators (Any administrator role) 2. Developers (Users who have one or more query role)
  33. 33. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. AUTHENTICATION
  34. 34. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. 36 Why Certificate Auth Certificates are widely available across the enterprise infrastructure • Stronger security by mutually authenticating the client and server • Stronger guarantees against non-repudiation of user actions • Stronger crypto on the communication channel • Users forget passwords, or may set a weak one. No easy cracking passwords!
  35. 35. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. 37 High-Level Requirements Deployment Each service can have their own certificate Multiple services can be co-located on same app server Services on the same app host can talk to two different CB buckets Certificate & CA Certificate should be in .pem format Certificates can be signed by intermediaries, which are then signed by root CA Service certificates (client-certs) are signed by the same chain of trust that terminate at root CA authority as Server certificates Certificates will be manually generated and loaded into Couchbase Access Points Certificate based authentication is needed for memcached access Certificate based authentication is needed for N1QL and FTS access Certificate based authentication is needed for UI access
  36. 36. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. 38 High-Level Requirements AuthZ RBAC should be able to authorize users based on the details presented in the certificate SDK Support Certificate support should be available in all Couchbase clients starting first with Java Certificate Rotation Certificate rotation must be done completely online without disconnecting existing connections
  37. 37. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. 39 The Handshake Java Client Server Certificate 4.5 (X.509 for trusted client- server encryption)
  38. 38. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. 40Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. 40©2017 Couchbase. All rights reserved. 40 SDK Enhancements New Password Authenticator Class • Upgrade to latest SDK versions!
  39. 39. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. 41Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. 41©2017 Couchbase. All rights reserved. 41 SDK Enhancements Shorthand URI Approach • Pre-5.0 approach assumes bucket with matching username • Similar URI approach can be used with full bucket, user and password parameters • Available for subset of libraries • Not recommended, but available for ease of migration Further reading... • https://blog.couchbase.com/new-sdk-authentication/ • Minimal versions for 5.0 Beta SDK support • Java 2.4.5 – .NET 2.4.5 – Node.js 2.3.3 Python 2.2.4 – PHP 2.3.2 – Go 1.2.3 – C 2.7.5
  40. 40. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. 42Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. 42©2017 Couchbase. All rights reserved. 42 Big Data Connectors • Configuration-wide username is now available • Not limited to bucket passwords • Kafka 3.1.3 (May 2017) • Spark release pending – build from source
  41. 41. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. Security Overview - Couchbase Mobile 2.0 43Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved.
  42. 42. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. 45 Typical 3-Tier architecture ClientTier Mobile Client Web Client Desktop Client Internet DataTier DatabaseWeb Services MiddleTier Intranet
  43. 43. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. 46 Security concerns for mobile applications 1 Data Storage on Device • File System Encryption • Data Encryption • Key Rotation • Offline Login 2 DataTransport on the Wire • SecureTransport 3 Authentication • Principal Instantiation • Session Management 4 Data Access Control • Read Access • WriteValidation 5 Data Storage in the Cloud • File System Encryption • Data Encryption
  44. 44. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. 47 Security concerns across the full stack ClientTier Mobile Client Web Client Desktop Client DataTier DatabaseWeb Services MiddleTier 1 Local Storage 2 Transport OverWire 3 Authentication 4 Data Access Control 2 Transport OverWire 5 Data Storage in the Cloud Internet Intranet
  45. 45. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. 48 Couchbase addresses Security concerns for the full stack ClientTier Mobile Client Web Client Desktop Client DataTier DatabaseWeb Services MiddleTier COUCHBASE LITE SYNC GATEWAY COUCHBASE SERVER Internet Intranet 1 Local Storage Full Database AES-256 Encryption 5 Secure Data Storage in the Cloud with Partner Solutions 4 User and Role Based Data AccessControl 2 Secure Transport OverWire 3 Pluggable Authentication 2 Secure Transport OverWire
  46. 46. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. 49 Couchbase addresses Security concerns for the full stack ClientTier Mobile Client Web Client Desktop Client DataTier DatabaseWeb Services MiddleTier COUCHBASE LITE SYNC GATEWAY COUCHBASE SERVER Internet Intranet 1 Local Storage Full Database AES-256 Encryption 5 Data Storage in the Cloud 4 Data Access Control 2 Secure Transport OverWire 3 Authentication 2 Secure Transport OverWire
  47. 47. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. 50 Securing Local Storage Encrypted Data Requires Key for Access
  48. 48. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. 51 Securing Local Storage—what’s available OOB? Couchbase Provides • Full database encryption • File system encryption • Key rotation • Offline login Application Developer Responsibilities • Key Selection • Key Storage
  49. 49. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. 52 How Couchbase addresses Security concerns for the full stack ClientTier Mobile Client Web Client Desktop Client DataTier DatabaseWeb Services MiddleTier COUCHBASE LITE SYNC GATEWAY COUCHBASE SERVER Internet Intranet 1 Local Storage Full Database AES-256 Encryption 5 Data Storage in the Cloud 4 Data Access Control 2 Secure Transport OverWire 3 Authentication 2 Secure Transport OverWire
  50. 50. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. 53 Secure Data Transport over the Internet SYNC GATEWAY { "SSLCert": "cert.pem", "SSLKey": "privkey.pem", "databases": { "todo": { …… } } }
  51. 51. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. 54 SYNC GATEWAY Secure Data Transport over the Intranet "databases": { "todo": { "server":"https://cb-server:8091", "bucket": "data-bucket", "username":"data-bucket", …… } COUCHBASE SERVER SERVER1 SERVER2 SERVER3
  52. 52. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. 55 How Couchbase addresses Security concerns for the full stack ClientTier Mobile Client Web Client Desktop Client DataTier DatabaseWeb Services MiddleTier COUCHBASE LITE SYNC GATEWAY COUCHBASE SERVER Internet Intranet 1 Local Storage Full Database AES-256 Encryption 5 Data Storage in the Cloud 4 Data Access Control 2 Secure Transport OverWire 3 Pluggable Authentication 2 Secure Transport OverWire
  53. 53. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. 56 Authentication • Basic Authentication • OpenID Connect • Custom Authentication • Facebook Login
  54. 54. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. 57 Authentication: OpenID Connect • OpenID Connect is an interoperable authentication protocol based on the OAuth 2.0 family of specifications • Supported flows • Authorization Code Flow • Implicit Flow • Production deployments of OpenID Connect
  55. 55. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. 58 OpenID Connect Provider System Browser Mobile Device Sync Gateway Identity Provider Application Initiates Authentication by connecting to Sync Gateway’s OIDC end-point Sync Gateway responds with redirect to OIDC Provider User is sent to OIDC provider endpoint Validate credentials Validation result (true/false) Upon successful authentication, redirect to Sync Gateway with authorization code Sync Gateway returns ID token, session ID, refresh token Challenge for user authentication Receive Credentials from user End user is redirected to Sync Gateway with authorization code Sync Gateway uses authorization code to make access request to token endpoint OIDC Provider returns access token, ID token, refresh token to Sync Gateway Application sets session cookie in replication headers Sync Gateway creates a session for authenticated user Sync Gateway Session Cookie sent in the replication requests Device opens endpoint in browser OpenID Connect – Authorization Code Flow
  56. 56. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. 59 OpenID Connect – Implicit Flow OpenID Connect Provider System Browser Mobile Device Sync Gateway Identity Provider Application Initiates Authentication and opens system browser Redirect to OIDC Provider for user authentication Challenge for user authentication Receive credentials from user Validate credentials Validation result (true/false) Client receives tokens in the response Sync Gateway Session Cookie Returned CBL uses JWT token to get a Sync Gateway session Replicator session cookie is set Sync Gateway provides option to create user based on JWT token Cookies sent in the replication request to Sync Gateway
  57. 57. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. 60 Custom Authentication Custom Authentication Provider Application Initiates Authentication with Custom Auth Provider Request credential for user authentication Receive credentials from user Validate credentials Validation result (true/false) Set authentication session cookie Client receives response POST request with the user name to the Admin REST API http://server/dbname/_session Cookie value set in response body Cookies sent in the replication request to Sync Gateway Replicator cookie parameter set Create user (if needed) with the Admin REST API http://server/dbname/_user Mobile Device Sync Gateway Identity Provider
  58. 58. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. 61 How Couchbase addresses Security concerns for the full stack ClientTier Mobile Client Web Client Desktop Client DataTier DatabaseWeb Services MiddleTier COUCHBASE LITE SYNC GATEWAY COUCHBASE SERVER Internet Intranet 1 Local Storage Full Database AES-256 Encryption 5 Data Storage in the Cloud 4 User and Role Based Data AccessControl 2 Secure Transport OverWire 3 Authentication 2 Secure Transport OverWire
  59. 59. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. 62 tent survival gear camping supplies sleeping bags Data Access in mobile apps SHARE Bob JohnAlice SHARE
  60. 60. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. 63 Data Access Control in Couchbase User Permissions APIs for Role Definition & Assignment Channels Access Grants Sync Function Sync Function User Based Access Roles Data partitioning Read Access Write Access DataValidation
  61. 61. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. 64 How Couchbase addresses Security concerns for the full stack ClientTier Mobile Client Web Client Desktop Client DataTier DatabaseWeb Services MiddleTier COUCHBASE LITE SYNC GATEWAY COUCHBASE SERVER Internet Intranet 1 Local Storage Full Database AES-256 Encryption 5 Secure Data Storage in the Cloud with Partner Solutions 4 Data Access Control 2 Secure Transport OverWire 3 Authentication 2 Secure Transport OverWire
  62. 62. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. 65 Securing data at Rest in Couchbase Server
  63. 63. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. 66 Couchbase addresses Security concerns for the full stack ClientTier Mobile Client Web Client Desktop Client DataTier DatabaseWeb Services MiddleTier COUCHBASE LITE SYNC GATEWAY COUCHBASE SERVER Internet Intranet 1 Local Storage Full Database AES-256 Encryption 5 Secure Data Storage in the Cloud with Partner Solutions 4 User and Role Based Data AccessControl 2 Secure Transport OverWire 3 Pluggable Authentication 2 Secure Transport OverWire
  64. 64. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. QA ©2017 Couchbase. All rights reserved. 67
  65. 65. Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. THANK YOU

×