Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Securing deployments: top to bottom, all around – Couchbase Connect 2016

248 views

Published on

Regulatory compliance is a hot topic these days. As the volume of data and number of applications moving to Couchbase has increased, so has the need to secure that data and those applications. While meeting the challenges of compliance can be a daunting task, Couchbase provides a rich set of features that can help customers achieve their compliance goals quickly and easily. In this presentation, we will examine and explain the security controls used across the stack for authentication, authorization, audit, and encryption. We’ll also take a brief look at where Couchbase security is today and then peer into the future to see where Couchbase security is headed. Come and attend this demo filled session to hear how the latest innovations can let you securely connect more data to more users across your organizations.

Published in: Software
  • Be the first to comment

  • Be the first to like this

Securing deployments: top to bottom, all around – Couchbase Connect 2016

  1. 1. ©2016 Couchbase Inc. Securing Couchbase Deployments Top to bottom, all around 1
  2. 2. ©2016 Couchbase Inc. 2 Don Pinto Sr. Product Manager don@couchbase.com Ritam Sharma Sr. QE Manager ritam@couchbase.com
  3. 3. ©2016 Couchbase Inc.©2016 Couchbase Inc. Disclaimer The following is intended to outline our general product direction. Details presented in this presentation might change based on customer feedback and other factors by the time the final version of the product is released. 3
  4. 4. ©2016 Couchbase Inc.©2016 Couchbase Inc. Responsibility and Cost 4 Hackers and criminal insiders cause the most data breaches * 2016 Ponemon Report
  5. 5. ©2016 Couchbase Inc.©2016 Couchbase Inc. Overview • Security Outside Couchbase Server • Defense In Depth • Security Inside Couchbase Server • Couchbase Security Pillars • What’s New In 4.5 • Couchbase Security Roadmap • Demo “Securing Couchbase Server” • Q&A 5
  6. 6. ©2016 Couchbase Inc.©2016 Couchbase Inc. Defense-In-Depth for Maximum Security 6
  7. 7. ©2016 Couchbase Inc.©2016 Couchbase Inc. Security – A Major Question at Different LevelsOutside Network Users COUCHBASE CLUSTER Internal Network Perimeter Network External Firewall Internal Firewall Web Server Application Server Applications Infrastructure Data Users
  8. 8. ©2016 Couchbase Inc. 8 Securing Couchbase Deployments Inside the Database
  9. 9. ©2016 Couchbase Inc.©2016 Couchbase Inc. Security Pillars in Couchbase 9 Authentication Authorization Crypto Auditing Operations App/Data: SASL AuthN Admin: Local or LDAP Local Admin User Local Read-Only User RBAC for Admins TLS admin access TLS client-server access Secure XDCR X.509 certificates for TLS Data-at-rest Encryption* Field-level Encryption* Admin auditing Security management via UI/CLI/REST * Via third-party partners
  10. 10. ©2016 Couchbase Inc.©2016 Couchbase Inc. Role-Based Access Control (RBAC) for Administrators Regulatory Compliance A strong demand for applications to meet standards recommended by regulatory authorities Segregation of Admin Duties Every admin does not have all the privileges. Depending on the job duties, admins can hold only those privileges that are required. Security Privilege Separation Only the full-admin has the privilege to manage security, and his/her actions can be audited just like other administrators. Role-Based Access Control (RBAC) allows you to specify what each admin can access in couchbase through role membership
  11. 11. ©2016 Couchbase Inc.©2016 Couchbase Inc. RBAC for Administrators – How it works • Administrative users can be mapped to out-of-the-box roles • Roles pre-defined with permissions for specific resources • Full Admin • Cluster Admin • Bucket Admin • View Admin • XDCR Admin • Requires LDAP administrator accounts • Also works with PAM (Coming in 4.6!) Full Admin Cluster Admin Bucket Admin View AdminXDCR Admin Enterprise Only Feature
  12. 12. ©2016 Couchbase Inc.©2016 Couchbase Inc. X.509 Certificates for Client-ServerTLS Regulatory Compliance A strong demand for applications to meet standards recommended by regulatory authorities Trusted Encryption Bring-your-own certificate authority with support for commercial and internally used X.509 certificates Simplified Management Simplified certificate management and rotation with zero downtime X.509 is a public-key cryptography standard to manage digital certificates used in secure client-server communication
  13. 13. ©2016 Couchbase Inc.©2016 Couchbase Inc. X.509 Certificates for Client-ServerTLS – How it works 13 SDK, Web Browser, XDCR Couchbase Server OpenSSL / Certificate Creation Tool
  14. 14. ©2016 Couchbase Inc.©2016 Couchbase Inc. Administrator Auditing in Couchbase Regulatory Compliance A strong demand for applications to meet standards recommended by regulatory authorities Understand Privileged Activity Get detailed audit trail describing what actions are done by the administrator Administrator auditing captures who does what, when and how for Couchbase administrators
  15. 15. ©2016 Couchbase Inc.©2016 Couchbase Inc. Administrator Auditing in Couchbase – How it works 15 JSON COMPATIBLE SIEM TOOLS Configurable auditing Rich auditing Easy integration Couchbase Cluster JSON Audit Logs SIEM analysis tools and alerting
  16. 16. ©2016 Couchbase Inc. 16 What’s new in 4.6 (Beta) ?
  17. 17. ©2016 Couchbase Inc.©2016 Couchbase Inc. Secret Management In Couchbase 4.6 Secret management provides encryption of system secrets using encryption hierarchy • Zero-knowledge secret management system driven by user specified master password • Allows online password rotation without application downtime Master Password Data Password PBKDF2 AES-256-CBC Pa$$wor4 Regulatory Compliance Simplified Management Simplified secret rotation with zero downtime 3.5 Store cryptographic keys in a secure form (3.5.2), in the fewest possible locations (3.5.3) and with access restricted to the fewest possible custodians (3.5.1) 3.6 Verify that key-management procedures are implemented for periodic key changes (3.6.4) And more! PCI DSS v3.0
  18. 18. ©2016 Couchbase Inc.©2016 Couchbase Inc. Pluggable Authentication Modules (PAM) in Couchbase 4.6 • Allows UNIX local accounts to authenticate as Couchbase administrators • Pluggable authentication architecture that is policy driven Centralized Management Centralized and synchronize administrator account management using UNIX user management services Security Policy Enforcement Allows configuration of strong security policies such as strong password requirements
  19. 19. ©2016 Couchbase Inc. 19 Securing Couchbase Deployments Outside the Database Layer
  20. 20. ©2016 Couchbase Inc.©2016 Couchbase Inc. User Security • Identify and Access Management • Configuration of LDAP/PAM users for access to infrastructure • Permit authorized users to login via bastion hosts • ACL users for access to apps, tools, and configuration files • OS Auditing • OS level auditing turned on to track user activity 20 User identities and access control
  21. 21. ©2016 Couchbase Inc.©2016 Couchbase Inc. Infrastructure Security 21 • Server Protection • OS Patches • Anti-virus, anti-malware software • Application whitelisting • Network Protection • Host firewall • On-disk encryption • Cloud Protection • Private IP addresses • Security groups • Network access control lists A multi-layered protection including servers, networks and cloud
  22. 22. ©2016 Couchbase Inc.©2016 Couchbase Inc. Infrastructure Security – On-Disk Encryption • Transparent and simplified on-disk encryption • Agent based, and policy driven • Coarse and fine grained protection • Zero application changes • Consolidated control through DSM/HSM • Disk encryption keys isolated from data • Easy to disconnect when breached! • FIPS 140-2 certified solution STRATEGIC PARTNERS
  23. 23. ©2016 Couchbase Inc.©2016 Couchbase Inc. Application Security • Identify and Access Management • Configuration of wallets to store application passwords • Encryption • Strong challenge-response password protocols • Client-server encryption using X.509TLS • Application field-level encryption • Auditing • Application data auditing • Development Security Best Practices • N1QL security 23
  24. 24. ©2016 Couchbase Inc.©2016 Couchbase Inc. Application Field-Level Encryption • Leverage encryption and key management technologies likeVormetric, SafeNet, and Protegrity • APIs, libraries, and sample code in Java, .NET, C/C++. VAE Application Vormetric Application Encryption Encryption Key Request / Response* DSM Client-server SSL COUCHBASE CLUSTER
  25. 25. ©2016 Couchbase Inc.©2016 Couchbase Inc. N1QL Language Security Best Practices • Use named or positional query parameters • Use strongly typed language constructs such as .NET POCOs or Java POJOs Check-out N1QL injection best practices blog - http://blog.couchbase.com/2015/september/couchbase-and-n1ql-security-centeredgesoftware 25
  26. 26. ©2016 Couchbase Inc. 26 Security Roadmap
  27. 27. ©2016 Couchbase Inc.©2016 Couchbase Inc. Couchbase Security Feature Roadmap – At-a-glance • Secret Management • PAMAuthentication • RBAC for Applications (MB-16036) • Application Auditing(MB-11346) • Kerberos(MB-16037) • Native on-disk encryption(MB- 16143) Short-term (4.6) Medium-term (“Spock”) Long Term * The following is intended to outline our general product direction. It is intended for information purposes and is only a plan. ProductFeatures 4-6 months 8-12 months 12+months
  28. 28. ©2016 Couchbase Inc. ©2015 Couchbase Inc. 28 PCI and Couchbase PCI Requirements Couchbase Support Install firewall configuration to protect cardholder data Corporate security policy (Outside Couchbase Scope) Remove vendor defaults for passwords and security configuration LDAP & PAM support, X509 certs, Key Management (4.6) Protect stored cardholder data Vormetric/Protegrity/Gemalto, native encryption (Future) Encrypt transmission of cardholder data across open, public networks TLS support for client/server and XDCR, x509 certs Protect systems against malware and update anti-virus software Anti-virus scans for Couchbase binaries Develop and maintain secure systems and applications Fuzz testing, vulnerabilities response plan, security fixes Restrict access to cardholder data by business need to know RBAC for admin, RBAC for application (Spock) Identify and authenticate access to system components LDAP & PAM, 2-factor authN (Future), SSO (Future) Restrict physical access to cardholder data Corporate security policy (Outside Couchbase Scope) Track, monitor access to network resources and cardholder data Admin auditing, application auditing (Future) Regularly test security systems and processes Vulnerabilities response plan Maintain a policy that addresses infosec for all personnel Corporate security policy (Outside Couchbase Scope) Any digital economy app dealing with credit card payment data
  29. 29. ©2016 Couchbase Inc. Demo
  30. 30. ©2016 Couchbase Inc. ThankYou 30 @NoSQLDon | don@couchbase.com ritam@couchbase.com

×