"Data privacy is a crucial issue in today's world: from medical to finance, from retail to the public sector, data must be handled in accordance with national laws, corporate policies and industry best practices. Being able to ensure data is safe at all times is now a requirement in many use cases.
We’ll start by looking at the threat models that Apache Kafka users often have and requirements such as end-to-end and record encryption. We’ll cover why Apache Kafka’s built-in security features, such as authentication and wire-level encryption, don’t address them. We’ll then look at the various solutions we investigated, weighing their architectural pros and cons.
We’ll detail the solution we ended up building, which is an entirely open source end-to-end encryption mechanism using a L7 proxy for Apache Kafka. We’ll describe in detail some of the key concepts of our implementation as well as some pitfalls we hit, so attendees can learn to safeguard their data’s confidentiality, integrity and availability."
3. Why: GDPR
For especially severe violations… the fine framework can be up to 20 million euros, or … up to 4% of their total global turnover of the preceding fiscal year, whichever is higher.
4. Why: SEC Cyber Rules
The SEC encourages companies to have board-level oversight of cybersecurity risk management…. Corporate officers can also be held personally liable for how they respond to data security issues, including through lawsuits from investors.
16. Section summary: Why?
● Because your boss insists you do (because $$$$$$)
● Eavesdroppers are defeated by TLS
● Disk-stealers are defeated by disk encryption
● But insider and hacker threats remain unmitigated
24. Section summary: Where?
● Interceptor best option for client-side encryption
● Proxy has a number of advantages
● Pick what’s right for your use case
45. Section summary: How?
● Envelope encryption is a good compromise for security and scalability
● Key rotation is a requirement
● Key rotation for record keys is problematic
52. Section summary: What else?
● Decide whether active attacks are part of your threat model
● Additional Authenticated Data (AAD) is a partial defence
● Be clear about the trade-offs
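An added illustration (not code from the talk or from the Kroxylicious project) of the envelope scheme and the AAD defence that the "How?" and "What else?" summaries above describe: a fresh DEK per record wrapped under a KMS-held KEK, the topic name bound as AAD so a record copied into another topic fails to open, and a KEK rotation that re-wraps the DEK without touching the record ciphertext. The in-memory KMS map, the function names and the Envelope layout are assumptions made for the sketch.

```go
package main

import "crypto/aes"
import "crypto/cipher"
import "crypto/rand"
import "errors"

type KMS map[string][]byte // stands in for a real KMS: KEK id -> 256-bit KEK bytes (assumed)
// Envelope is the record value the proxy writes: WrappedDEK = nonce||GCM(KEK, DEK, aad=KEKID), Ciphertext = nonce||GCM(DEK, value, aad=topic).
type Envelope struct{ KEKID string; WrappedDEK, Ciphertext []byte }
func must[T any](v T, err error) T { // a bad key length or a failed RNG is fatal here
	if err != nil {
		panic(err)
	}
	return v
}
// seal returns nonce||ciphertext under AES-256-GCM with a fresh nonce, binding aad.
func seal(key, plaintext, aad []byte) []byte {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, g.NonceSize())
	must(rand.Read(nonce))
	return g.Seal(nonce, nonce, plaintext, aad)
}
// open reverses seal; it fails if the key, the bytes or the AAD differ from sealing time.
func open(key, blob, aad []byte) ([]byte, error) {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(blob) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}
// EncryptRecord: fresh DEK per record, topic name as AAD so a copy of the record into another topic will not open.
func EncryptRecord(kms KMS, kekID, topic string, value []byte) Envelope {
	dek := make([]byte, 32)
	must(rand.Read(dek))
	return Envelope{kekID, seal(kms[kekID], dek, []byte(kekID)), seal(dek, value, []byte(topic))}
}
// DecryptRecord unwraps the DEK through the KMS, then opens the value for the topic it is read from.
func DecryptRecord(kms KMS, topic string, e Envelope) ([]byte, error) {
	dek, err := open(kms[e.KEKID], e.WrappedDEK, []byte(e.KEKID))
	if err != nil {
		return nil, err
	}
	return open(dek, e.Ciphertext, []byte(topic))
}
// RotateKEK re-wraps the DEK under a new KEK; the record ciphertext is untouched (rotating the DEK itself would mean re-encrypting every record).
func RotateKEK(kms KMS, e Envelope, newKEKID string) Envelope {
	dek := must(open(kms[e.KEKID], e.WrappedDEK, []byte(e.KEKID)))
	return Envelope{newKEKID, seal(kms[newKEKID], dek, []byte(newKEKID)), e.Ciphertext}
}
```

Binding only the topic name as AAD is the partial defence the slide refers to: it stops cross-topic replay but not, for example, replay of an old record within the same topic.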
58. Takeaways
● Decide your threat model, then choose appropriate mitigations
● Encryption is for the life of your data
○ Adding a KMS is a commitment
○ Adding a proxy is a commitment
● Remember: in real life the baddies don’t always wear black hats.
59. Join us!
https://kroxylicious.io + https://kroxylicious.slack.com
● … if you’re interested in a fully open source, proxy-based approach using these techniques
● … if you have different threat models than we’ve covered here
● … if you have ideas about alternative techniques