A data-centric platform integrates multiple Big Data open source technologies. For example, at Stratio we use Spark, Kafka, Elasticsearch and many more. Most of these technologies do not offer native security. This lack of security not only leaves companies open to critical risks like data leakage, insecure communications or DoS attacks, but is also a major barrier to complying with regulations such as the LOPD, PCI DSS or the upcoming GDPR. This talk gives a technical and innovative overview of how companies can face the challenge of protecting the data and services in their data-centric platform, focusing on three main aspects: implementing network segmentation, managing AAA and securing data processing.
By: Carlos Gómez
5. PROJECTS FOREVER ONGOING IN BIG COMPANIES
Initiatives in the diagram: DATA GOVERNANCE, LOGS CENTRALIZATION, MONITORING, SECURITY, DATA SECURITY AUDIT
In a monolithic, application-centric IT with data silos these initiatives never get accomplished.
HUNDREDS OF MILLIONS OF EUROS SPENT OVER THE YEARS ON GLOBAL IT CROSS-INITIATIVES
Silos in the diagram: SAS, CRM, Earnix (Pricing), Towers Watson, ERP, Data Warehouse, Lab H0 (Big Data platform shared by the group), WebFocus, Oracle, Mainframe
6.-8. PROJECTS FOREVER ONGOING IN BIG COMPANIES (build slides)
Same diagram as slide 5, with the initiatives numbered 1 to 5 (DATA GOVERNANCE, LOGS CENTRALIZATION, MONITORING, DATA SECURITY AUDIT); slide 8 adds ETL.
9. GREYHOUND CHASING THE ELECTRONIC RABBIT…
COMPANIES ALWAYS TRY TO GET THE RABBIT
In an application-centric company with data silos you will never be able to achieve those projects successfully.
Diagram: DATA GOVERNANCE, LOGS CENTRALIZATION, MONITORING, SECURITY, DATA SECURITY AUDIT
10. STRUCTURAL INITIATIVES ARE SOLVED COMPLETELY WITH DATA CENTRIC
Layers: DaaS (data as a service), Data, Data Intelligence
Functionalities implemented in the product: DATA GOVERNANCE, LOGS CENTRALIZATION, MONITORING, SECURITY, DATA SECURITY AUDIT
11. RABBIT IN A CAGE
MINIMUM EFFORT AND COST TO GET THE RABBIT
14. STRATIO EOS (Enterprise Operating System) / StratioDataCentric architecture (diagram)
Infrastructure: bare metal, private cloud, public cloud
Node provisioning: Terraform
Data center operating system: Mesos
Service orchestration: Marathon
Service discovery: Consul
Containers: Docker
Network isolation: Calico
Secrets: Vault
Data services: Kafka, Zookeeper, SQL
Apps layer: microservices, standalone applications, apps with Docker, DaaS, Data Intelligence as a Service
Limitations: denial of service through high network traffic.
Identity management
Secrets management
Challenges:
Distributed systems
Dynamic systems
Global integration of solutions
Authentication, Authorization and Audit.
Secure communications.
Secure data processing.
Multi-tenant capabilities.
We help to comply with:
INCIDENTS
Low: Incident log: type, time of detection, person reporting it, effects and corrective measures. Procedure for notifying and managing incidents.
Medium: AUTOMATED FILES ONLY - Record the recovery procedures, the person executing them, the data restored and, where applicable, the data entered manually. Authorisation from the file controller for data recovery.
ACCESS CONTROL
Low: Up-to-date list of users and authorised accesses. Control of the accesses allowed to each user according to their assigned functions. Mechanisms preventing access to data or resources with rights other than those authorised. Access permissions granted only by authorised personnel. Same conditions for external personnel with access to data resources.
High: Access log: user, time, file, type of access, authorised or denied. Control of authorised accesses. Identification of accesses for documents accessible by multiple users.
IDENTIFICATION AND AUTHENTICATION
Low: Personalised identification and authentication. Procedure for assigning and distributing passwords. Unintelligible storage of passwords. Periodic password change (< 1 year).
Medium: Limit on repeated unauthorised access attempts.
MEDIA MANAGEMENT
Low: Inventory of media. Identification of the type of information they contain, or a labelling system. Restricted access to the storage location. Authorisation for media leaving the premises (including via email).
Medium: Register of incoming and outgoing media: document or medium, date, sender/recipient, number, type of information, method of shipment, person authorised for receipt/delivery.
High (NOT MET??): Confidential labelling system. Encryption of data when distributing media. Encryption of information on portable devices outside the premises (avoid devices that do not allow encryption, or adopt alternative measures).
BACKUPS
Low: Weekly backup. Procedures for generating backups and recovering data. Six-monthly verification of the procedures. Reconstruction of the data from the last copy. Manual re-entry where applicable, if documentation allows it. Tests with real data. Backup and application of the corresponding security level.
High (NOT MET??): Backup and recovery procedures at a location different from where the equipment is located.
AUDIT
Report detecting deficiencies and proposing corrective measures.
TELECOMMUNICATIONS
High (not met in all cases, but met at the perimeter): Encrypted transmission of data over electronic networks.
Web: CAS Server with OAuth2 support. Its purpose is to let a user access multiple applications. It offers a consistent way to sign on to the different modules and tools that have a web interface.
Services/data stores: authentication with Kerberos, or mutual TLS when the technology does not support Kerberos.
Applications/services need secrets: certificates, keytabs, passwords, tokens, API keys...
Although secrets are centralized in the Stratio KMS (Vault), each application needs Vault authentication tokens.
To manage these tokens dynamically, DCS uses the AppRole auth backend.
Each app is associated with a Vault AppRole.
A third-party component delivers temporary secrets to frameworks.
To get its secrets from Vault, a framework must log in with its temporary secret.
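The AppRole hand-off described above, as an added simulation (not Stratio's code and not HashiCorp Vault's): one AppRole per application with a static role_id, a broker component that issues a response-wrapped, single-use, short-lived secret_id to the framework, and a login that trades role_id plus secret_id for a client token scoped to the role's policies. The role name `spark`, the secret paths, the 60-second TTL, `num_uses` of 1 and the path-prefix policy model are assumptions made for this example; real Vault exposes these as HTTP endpoints and HCL policies.

```python
import secrets
from dataclasses import dataclass, field


class AuthError(Exception):
    pass


@dataclass
class AppRole:
    role_id: str
    policies: list              # path prefixes this role may read (simplified policy model)
    secret_id_ttl: float        # seconds a freshly issued secret_id stays valid
    secret_id_num_uses: int     # logins allowed per secret_id
    secret_ids: dict = field(default_factory=dict)   # secret_id -> [expires_at, uses_left]


class VaultSim:
    """Just enough of the AppRole backend to show why the secret_id is disposable (simulation)."""

    def __init__(self):
        self.roles = {}     # role name -> AppRole
        self.tokens = {}    # client token -> policies
        self.wrapped = {}   # single-use wrapping token -> secret_id

    def create_role(self, name, policies, secret_id_ttl=60.0, secret_id_num_uses=1):
        # Admin step: one AppRole per application. The role_id is static and not a secret by itself.
        self.roles[name] = AppRole(secrets.token_hex(8), list(policies), secret_id_ttl, secret_id_num_uses)
        return self.roles[name].role_id

    def issue_wrapped_secret_id(self, name, now):
        # Broker step: the trusted orchestrator component requests a secret_id and receives it
        # response-wrapped, so the raw value never sits in a job definition or an environment variable.
        role = self.roles[name]
        secret_id = secrets.token_hex(16)
        role.secret_ids[secret_id] = [now + role.secret_id_ttl, role.secret_id_num_uses]
        wrap_token = secrets.token_hex(8)
        self.wrapped[wrap_token] = secret_id
        return wrap_token

    def unwrap(self, wrap_token):
        # A wrapping token works exactly once; a failed unwrap means someone else used it first.
        secret_id = self.wrapped.pop(wrap_token, None)
        if secret_id is None:
            raise AuthError("wrapping token unknown or already used")
        return secret_id

    def login(self, role_id, secret_id, now):
        # Framework step: role_id + secret_id are exchanged for a client token carrying the role's policies.
        role = next((r for r in self.roles.values() if r.role_id == role_id), None)
        if role is None:
            raise AuthError("unknown role_id")
        rec = role.secret_ids.get(secret_id)
        if rec is None:
            raise AuthError("invalid secret_id")
        if now > rec[0]:
            del role.secret_ids[secret_id]
            raise AuthError("secret_id expired")
        rec[1] -= 1
        if rec[1] == 0:
            del role.secret_ids[secret_id]   # num_uses exhausted: the secret_id is burned
        token = secrets.token_hex(16)
        self.tokens[token] = role.policies
        return token

    def read(self, token, path):
        policies = self.tokens.get(token)
        if policies is None:
            raise AuthError("invalid token")
        if not any(path.startswith(prefix) for prefix in policies):
            raise AuthError("permission denied: " + path)
        return "<secret at %s>" % path


def _outcome(attempt):
    """'allowed' if the attempt succeeds, otherwise the AuthError message."""
    try:
        attempt()
        return "allowed"
    except AuthError as err:
        return str(err)


def demo():
    """Happy path plus the abuses a disposable secret_id is meant to stop (constructed data)."""
    vault = VaultSim()
    spark_role_id = vault.create_role("spark", ["secret/spark/"])   # admin
    now = 1000.0
    wrap_token = vault.issue_wrapped_secret_id("spark", now)        # broker
    secret_id = vault.unwrap(wrap_token)                            # framework
    token = vault.login(spark_role_id, secret_id, now)              # framework
    late_secret_id = vault.unwrap(vault.issue_wrapped_secret_id("spark", now))
    return {
        "keytab": vault.read(token, "secret/spark/hdfs-keytab"),
        "replay_secret_id": _outcome(lambda: vault.login(spark_role_id, secret_id, now)),
        "reuse_wrap_token": _outcome(lambda: vault.unwrap(wrap_token)),
        "cross_role_read": _outcome(lambda: vault.read(token, "secret/kafka/ssl-key")),
        "expired": _outcome(lambda: vault.login(spark_role_id, late_secret_id, now + 120)),
    }
```

The point of the simulation is the failure modes: a captured secret_id is worthless after the framework's own login, a wrapping token that fails to unwrap is a signal that the hand-off was intercepted, an unused secret_id dies with its TTL, and the resulting token cannot read another application's paths.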
Spark is the data processing engine in Stratio DCS.
Sequence (Crossdata on Spark accessing HDFS):
Admin logs in
Admin configures identities
Admin configures secrets
Admin configures authorization
Crossdata requests HDFS secrets
Crossdata establishes HDFS authentication
User sends identity and requests data
Crossdata checks the user's authorization
Crossdata audits
HDFS audits
Response to user
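The Crossdata/HDFS sequence above, as an added example in Python (not Stratio's code): a broker that fetches its own HDFS credential from the secret store, authenticates to the data store once, and then for every user request checks authorization, writes its own audit record, and only then forwards the request to the store, which audits independently. The user names, file paths, the `crossdata/hdfs` secret path and the `on_behalf_of` field are assumptions for the example (the slide does not show how Crossdata propagates the end-user identity to HDFS); the user identity is taken as already authenticated upstream by CAS or Kerberos.

```python
import uuid
from dataclasses import dataclass, field


class Denied(Exception):
    pass


@dataclass
class SecretStore:
    """Stand-in for the Vault-backed KMS: the admin configures one secret per service."""
    secrets: dict = field(default_factory=dict)

    def put(self, path, value):
        self.secrets[path] = value

    def get(self, path):
        if path not in self.secrets:
            raise Denied("no secret at " + path)
        return self.secrets[path]


@dataclass
class HdfsSim:
    """Stand-in data store: authenticates the service principal and keeps its own audit trail."""
    principals: dict = field(default_factory=dict)   # principal -> keytab material (constructed)
    files: dict = field(default_factory=dict)        # path -> content (constructed)
    audit: list = field(default_factory=list)

    def authenticate(self, principal, keytab):
        if self.principals.get(principal) != keytab:
            raise Denied("HDFS authentication failed for " + principal)
        return "session:" + principal

    def read(self, session, path, on_behalf_of, request_id):
        # HDFS audits: the service principal that connected and the end user it acted for
        # (the on_behalf_of propagation is an assumption; the slide does not show the mechanism).
        principal = session.split(":", 1)[1]
        self.audit.append({"request_id": request_id, "principal": principal,
                           "user": on_behalf_of, "path": path})
        return self.files[path]


class Crossdata:
    """The broker: one service identity towards HDFS, per-user authorization towards the users."""

    def __init__(self, kms, hdfs, authz):
        self.kms, self.hdfs, self.authz = kms, hdfs, authz
        self.audit = []
        self.session = None

    def start(self):
        # Crossdata requests its HDFS secret and establishes HDFS auth once, before serving users.
        principal, keytab = self.kms.get("crossdata/hdfs")
        self.session = self.hdfs.authenticate(principal, keytab)

    def query(self, user, path):
        # The user identity is assumed to be already authenticated upstream (CAS or Kerberos).
        request_id = str(uuid.uuid4())
        allowed = path in self.authz.get(user, set())
        # Crossdata audits every decision, including denials that never reach HDFS.
        self.audit.append({"request_id": request_id, "user": user, "path": path,
                           "decision": "allow" if allowed else "deny"})
        if not allowed:
            raise Denied(user + " is not authorized for " + path)
        return self.hdfs.read(self.session, path, on_behalf_of=user, request_id=request_id)


def demo():
    """Admin configuration, then one allowed and one denied query (constructed data)."""
    kms = SecretStore()
    kms.put("crossdata/hdfs", ("crossdata@EXAMPLE.COM", "keytab-bytes"))          # admin: secrets
    hdfs = HdfsSim(principals={"crossdata@EXAMPLE.COM": "keytab-bytes"},            # admin: identities
                   files={"/data/sales/2017.parquet": "sales rows",
                          "/data/hr/salaries.parquet": "hr rows"})
    authz = {"alice": {"/data/sales/2017.parquet"}, "bob": set()}                  # admin: authorization
    xd = Crossdata(kms, hdfs, authz)
    xd.start()
    out = {"alice": xd.query("alice", "/data/sales/2017.parquet")}
    try:
        xd.query("bob", "/data/hr/salaries.parquet")
        out["bob"] = "allowed"
    except Denied as err:
        out["bob"] = str(err)
    out["crossdata_audit"] = len(xd.audit)     # both requests recorded
    out["hdfs_audit"] = len(hdfs.audit)        # only the allowed one reached the store
    out["correlated"] = xd.audit[0]["request_id"] == hdfs.audit[0]["request_id"]
    out["hdfs_sees_user"] = hdfs.audit[0]["user"]
    return out
```

Two details matter operationally: the denied request appears only in the Crossdata audit (HDFS never saw it), and the shared request_id is what lets an analyst join the broker's record with the store's record instead of guessing which service-principal access belonged to which user.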