© 2018 floragunn GmbH - All Rights Reserved
SEARCH GUARD
ARCHITECTURE
& REQUEST FLOW
DOCUMENTS
© 2018 floragunn GmbH - All Rights Reserved Search Guard – Architecture & Request flow
01.
SEARCH GUARD TLS
Search Guard uses TLS on transport and REST layer
Data encryption: No one can spy on your data
Data integrity: No one can alter your data
Cluster integrity: Only trusted nodes can join the cluster
TLS on transport layer:
Protects data travelling between the nodes
Mandatory, cannot be switched off
TLS on REST layer:
Adds HTTPS support
© 2018 floragunn GmbH - All Rights Reserved Search Guard – Quickstart and first steps
ENCRYPTION IN TRANSIT
[Diagram: Node 1 and Node 2, each running Search Guard. The REST layer (https://example.com:9200) and the transport layer between the nodes are both marked "TLS Secured".]
02.
TLS CERTIFICATES
Search Guard uses three types of certificates
Node certificates
Used for inter-node traffic
Only nodes with a valid certificate can join the cluster
Admin certificates
Grant root access to the cluster
Client certificates
Can be used for client authentication and authorisation
TLS CERTIFICATES
[Diagram: Node 1 and Node 2 running Search Guard, with the REST layer (https://example.com:9200) and the transport layer marked "TLS Secured". Labels: Node Certificate (one per node), Client Certificate, Admin Certificate.]
03.
SEARCH GUARD REQUEST FLOW
Applies to the REST and transport layers alike
TLS certificate validation
E.g. for transport traffic, validate the certificate of the peer node
Extract and validate user credentials
Depends on the configured authentication domains
Assign Search Guard roles and evaluate permissions
Apply index-, document- and field-level access control
Apply audit and compliance logging
Execute the request in Elasticsearch
SEARCH GUARD REQUEST FLOW
[Diagram labels]
Authentication types (SSO / Non-SSO):
• JSON web token
• Kerberos / SPNEGO
• PKI
• Proxy
• SAML
• OpenID
• Active Directory
• LDAP
• Internal User Database
• HTTP Basic
Audit trails of security and compliance relevant events
Index-, document- and field-level access control
Audit and compliance logging
Authentication / Authorisation
TLS on REST and Transport
Hot-reloadable Search Guard configuration
PEM certificates, Keystores, PKCS #12
Elasticsearch
REST client, TRANSPORT client
04.
SEARCH GUARD AUTHENTICATION FLOW
Extract user credentials from request
E.g. HTTP Basic, JSON web token, Kerberos ticket
Validate provided credentials
E.g. LDAP authentication, JWT signature checks
Fetch backend roles for the authenticated user
E.g. LDAP groups, JWT claims, SAML assertions
Map user to Search Guard role(s)
Using username, backend roles or hosts
Evaluate the permissions assigned to the roles
AUTHENTICATION FLOW
[Diagram: a request to https://example.com:9200 passes through four stages before it reaches Elasticsearch]
1. Extract and validate credentials: user:john, pass:doe; Active Directory / LDAP; user verified
2. Fetch roles: Active Directory / LDAP; user:john, roles:devops
3. Map user to Search Guard roles: Role Mappings; devops maps to sg_operations
4. Evaluate permissions: Roles and Permissions; sg_operations, Permissions
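The authentication flow above (extract credentials, validate them, fetch backend roles, map to Search Guard roles, evaluate permissions), as an added Python model that is not Search Guard code and does not use its configuration file syntax. It reuses the slide's john / devops / sg_operations example; the directory contents, the other role names, the index patterns, the hosts and the HTTP status codes are constructed assumptions.

```python
import base64
import hashlib
import hmac
from fnmatch import fnmatchcase

SALT = b"constructed-salt"  # constructed; a real store uses a per-user salt


def pw_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000)


# Constructed directory standing in for the Active Directory / LDAP backend.
DIRECTORY = {
    "john": {"pw": pw_hash("doe"), "backend_roles": ["devops"]},
    "jane": {"pw": pw_hash("constructed-pw"), "backend_roles": ["interns"]},
}

# Role mappings: a Search Guard role is assigned by username, backend role or host.
ROLE_MAPPINGS = {
    "sg_operations": {"backend_roles": ["devops"]},  # pairing shown on the slide
    "sg_monitor": {"hosts": ["10.0.5.*"]},           # constructed
    "sg_jane_private": {"users": ["jane"]},          # constructed
}

# Roles and permissions: index pattern -> allowed actions (all constructed).
ROLES = {
    "sg_operations": {"logs-*": {"read", "write"}},
    "sg_monitor": {"metrics-*": {"read"}},
    "sg_jane_private": {"jane-notes": {"read", "write"}},
}


def extract_credentials(headers):
    """Step 1: pull user and password out of an HTTP Basic header."""
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except ValueError:  # malformed base64 or invalid UTF-8
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep and user else None


def validate_credentials(user, password):
    """Steps 2 and 3: verify the password, then return the backend roles."""
    entry = DIRECTORY.get(user)
    # Hash and compare even for unknown users, so timing does not reveal names.
    expected = entry["pw"] if entry else bytes(32)
    matches = hmac.compare_digest(pw_hash(password), expected)
    if entry is None or not matches:
        return None
    return list(entry["backend_roles"])


def map_roles(user, backend_roles, host):
    """Step 4: map the user to Search Guard roles by user, backend role or host."""
    matched = set()
    for sg_role, mapping in ROLE_MAPPINGS.items():
        by_user = user in mapping.get("users", [])
        by_backend = bool(set(backend_roles) & set(mapping.get("backend_roles", [])))
        by_host = any(fnmatchcase(host, p) for p in mapping.get("hosts", []))
        if by_user or by_backend or by_host:
            matched.add(sg_role)
    return matched


def is_permitted(sg_roles, index, action):
    """Step 5: the request passes if any mapped role grants the action."""
    return any(
        action in actions
        for role in sg_roles
        for pattern, actions in ROLES.get(role, {}).items()
        if fnmatchcase(index, pattern)
    )


def handle_request(headers, host, index, action):
    """Run the whole flow and return an HTTP-style status (modelling choice)."""
    creds = extract_credentials(headers)
    if creds is None:
        return 401  # no usable credentials
    backend_roles = validate_credentials(*creds)
    if backend_roles is None:
        return 401  # authentication failed
    sg_roles = map_roles(creds[0], backend_roles, host)
    return 200 if is_permitted(sg_roles, index, action) else 403


def basic(user, password):
    """Build the Authorization header a REST client would send."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}
```

Authentication failure and authorisation failure are separate outcomes here: a wrong password stops at step 2, while a verified user with no matching role mapping is rejected only at step 5.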
05.
SEARCH GUARD CONFIGURATION INDEX
Search Guard configuration is stored in an Elasticsearch index
Hot-reloadable
Changes take effect immediately
No configuration files necessary on nodes
Accessible only with TLS admin certificate
Configuration changes can be applied by
sgadmin command line tool
REST API
Kibana configuration GUI
SEARCH GUARD CONFIGURATION INDEX
[Diagram: Node 1 holds the primary shard of the Search Guard index, Node 2 holds a replica shard. Labels: Config files, sgadmin.sh.]
06.
RESOURCES
Search Guard website
https://search-guard.com/
Documentation
https://docs.search-guard.com
Community Forum
https://groups.google.com/d/forum/search-guard
GitHub
https://github.com/floragunncom
WE LOOK FORWARD
TO YOUR MESSAGE
CONTACT US:
info@search-guard.com
floragunn GmbH
Tempelhofer Ufer 16
D-10963 Berlin, Germany
E-Mail: info@search-guard.com
Web: search-guard.com
Managing Directors: Claudia Kressin, Jochen Kressin
Register court: Amtsgericht Charlottenburg
Registration number: HRB 147010 B
E-Mail: info@floragunn.com
Search Guard is a trademark of floragunn GmbH, registered in the U.S. and in other countries.
Elasticsearch, Kibana, Logstash, and Beats are trademarks of Elasticsearch BV, registered in the U.S. and in other countries.
floragunn GmbH is not affiliated with Elasticsearch BV.
Search Guard is an independent implementation of a security access layer for Elasticsearch.
It is completely independent from Elasticsearch's own products.
