SECURITY TRAINING OVERVIEW
Tom Wheeler
© 2018 Cloudera, Inc. All rights reserved.
Big data training delivered by industry experts
In-Person | Virtual Classroom | OnDemand | Blended Learning
university.cloudera.com
AGENDA
About the Cloudera Security Training course
Presentation: Based on material from the Cloudera Security Training course
Conclusion
PURPOSE
Why this course is valuable
• Teaches important aspects of security in Cloudera's platform
• Covers relevant tools and technologies
• Makes your Cloudera professional services engagement more productive
FORMAT
How this course is delivered
• Cloudera Security Training is available exclusively through Cloudera OnDemand
• Learn at your own pace
Cloudera OnDemand: Cloudera's world-class training courses. Available anytime, anywhere.
FEATURES OF CLOUDERA ONDEMAND
• Start and pause the videos
• Control playback speed
• Read or search the transcript
• Participate in online discussion
INTENDED AUDIENCE
Who should take this course
• System administrators and those in similar roles
• Experience performing system administration tasks in Linux
• Must understand the basics of the platform (CDH and Cloudera Manager)
• Recommended prerequisite: Cloudera Administrator Training
• No background in computer security is necessary
LEARNING OBJECTIVES (1)
What skills will you gain
• To describe security in the context of Hadoop
• To assess threats to a production Hadoop cluster
• To plan and deploy defenses against these threats
• To improve the security of each node in the cluster
• To monitor a cluster for suspicious activity
• To perform common key management tasks
LEARNING OBJECTIVES (2)
What skills will you gain
• To use encryption for protecting data in motion and at rest
• To configure strong authentication with Kerberos and Active Directory
• To use permissions and ACLs to control access to files in HDFS
• To use platform authorization features to control data access
• To understand additional security considerations, including auditing, data governance, and disaster recovery
COURSE OUTLINE
What we cover in the course
• Security Overview
• Security Architecture
• Host Security
• Encrypting Data in Motion
• Authentication
• Authorization
• Encrypting Data at Rest
• Additional Considerations
AGENDA
About the Cloudera Security Training course
Presentation: Based on material from the Cloudera Security Training course
Conclusion
WHAT DO YOU NEED TO PROTECT?
• Business
  • Merger or acquisition targets
  • Customer information
  • Product roadmap
  • Trade secrets
• Government
  • Ongoing criminal investigations
  • Military strategies and capabilities
• Healthcare
  • Medical records
• Charities
  • Donor lists
• Education
  • Student records
  • Financial aid information
WHY SECURITY MATTERS
• Laws
• Industry regulations
• Contractual obligations
• Customer expectations
SECURITY IS A PROCESS
EXAMPLE: EVALUATING RISK AND PLANNING DEFENSES
• Asset: Table containing customer records
• Risk: Unauthorized party gains access to sensitive data
• Potential damages
  • Loss of customer trust
  • Regulatory non-compliance
• Possible defenses
  • Improve perimeter security
  • Limit access to database
  • Encrypt sensitive data
DESIGN CONSIDERATION: LAYERED SECURITY
Also known as the castle approach
• Any individual line of defense may fail
• Solution: Use multiple layers of defense
• Redundancy can improve security
• Consider multiple areas of concern, such as
  • Physical security
  • Technology
  • Processes
  • People
DESIGNING FOR MULTIPLE LAYERS OF SECURITY
Example solutions for protecting a data center
• Physical security
  • Upgrade door locks and alarm system
• Technology
  • Implement BIOS password and filesystem encryption
• Process
  • Establish procedures for routine auditing and offsite backup
• People
  • Train employees to report suspicious incidents and hire staff to respond to them
CONCEPT: ACCESS CONTROL
Allowing the appropriate level of access to the "right" people
• Relies on two abilities
  • Authentication: Positively identifying each user
  • Authorization: Determining the level of access granted to each user
AUTHENTICATION: KERBEROS
• Kerberos is a mature protocol for network authentication
  • Started at MIT in the 1980s
  • Widely used in large UNIX networks in the 1990s
  • Part of Microsoft Active Directory
• Provides the foundation for strong authentication in Hadoop
AUTHORIZATION: APACHE SENTRY
• Provides fine-grained role-based access control for multiple applications
  • Apache Hive
  • Apache Impala
  • Apache Solr
  • Apache Kafka
• Relies on the underlying authentication system
  • On secured clusters, Kerberos authenticates the users
• Can also enforce restrictions on the underlying data in HDFS
CONCEPT: CRYPTOGRAPHY
The science of hidden communication
• Encryption transforms data so that it is meaningless without a key
• We can keep encrypted data confidential by restricting access to the key needed to decrypt it
PROTECTING DATA IN MOTION: TLS
Transport Layer Security
• TLS protects data during transit
• Relies on encryption
• Provides confidentiality and integrity
• Uses digital certificates for identity verification
• Makes spoofing attacks difficult
23© 2018 Cloudera, Inc. All rights reserved.
TLS SUPPORT IN CLOUDERA MANAGER
• Configuring Cloudera Manager for TLS protects data in motion
• Three cumulative levels of TLS support
1. Encryption only
2. Encryption, plus server-side certificate validation
3. Encryption, plus server-side and client-side certificate validation
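As an added illustration (not part of the course material and not Cloudera Manager's own configuration mechanism), the Python below maps the three cumulative levels to a generic client-side TLS context, showing what each level checks and what the weaker levels leave unchecked; the CA, certificate and key paths are hypothetical placeholders.

```python
import ssl


def make_tls_context(level, ca_file=None, client_cert=None, client_key=None):
    """Build a client SSLContext for TLS level 1, 2 or 3 (hypothetical paths).

    1: encryption only; the server's identity is never verified, so a
       spoofed server is accepted as long as it speaks TLS
    2: encryption plus server certificate and hostname validation
    3: level 2 plus a client certificate, so the server can verify us too
    """
    if level not in (1, 2, 3):
        raise ValueError("level must be 1, 2 or 3")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if level == 1:
        # Order matters: check_hostname must be off before CERT_NONE is allowed.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    # Levels 2 and 3: require a server certificate chaining to a trusted CA
    # and matching the hostname we connect to.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)   # hypothetical CA bundle path
    else:
        ctx.load_default_certs()                    # system trust store
    if level == 3:
        if not client_cert:
            raise ValueError("level 3 requires a client certificate")
        # Hypothetical client cert/key paths; presented during the handshake.
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def validates_server(ctx):
    """True when the context rejects servers with an untrusted certificate."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
```

Level 1 still defeats passive eavesdropping, but only levels 2 and 3 defend against a host impersonating a Cloudera Manager server, which is why the slide calls the levels cumulative.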
24© 2018 Cloudera, Inc. All rights reserved.
PROTECTING DATA AT REST: HDFS DATA ENCRYPTION
• Transparent encryption for data stored in HDFS
• Uses industry-standard AES cipher
• Takes advantage of AES-NI processor instruction set
• Low overhead on modern hardware
• Protects data in designated encryption zones
25© 2018 Cloudera, Inc. All rights reserved.
PROTECTING DATA AT REST: CLOUDERA NAVIGATOR ENCRYPT
• Used to protect local directories containing sensitive data
  • Log files
  • Application databases
  • Temporary files created during processing
AGENDA
About the Cloudera Security Training course
Presentation: Based on material from the Cloudera Security Training course
Conclusion
THANK YOU

Cloudera training secure your cloudera cluster 7.10.18

Editor's Notes

  • #17 Public domain image, downloaded from [https://openclipart.org/detail/214979/castle-neuschwanstein]