Securing the Elastic Stack
for free
Aris Papadopoulos
Senior Product Manager, Kibana
Fabio Busatto
Senior Product Manager, Elasticsearch
This presentation and the accompanying oral presentation contain forward-looking statements, including statements
concerning plans for future offerings; the expected strength, performance or benefits of our offerings; and our future
operations and expected performance. These forward-looking statements are subject to the safe harbor provisions
under the Private Securities Litigation Reform Act of 1995. Our expectations and beliefs in light of currently
available information regarding these matters may not materialize. Actual outcomes and results may differ materially
from those contemplated by these forward-looking statements due to uncertainties, risks, and changes in
circumstances, including, but not limited to those related to: the impact of the COVID-19 pandemic on our business
and our customers and partners; our ability to continue to deliver and improve our offerings and successfully
develop new offerings, including security-related product offerings and SaaS offerings; customer acceptance and
purchase of our existing offerings and new offerings, including the expansion and adoption of our SaaS offerings;
our ability to realize value from investments in the business, including R&D investments; our ability to maintain and
expand our user and customer base; our international expansion strategy; our ability to successfully execute our
go-to-market strategy and expand in our existing markets and into new markets, and our ability to forecast customer
retention and expansion; and general market, political, economic and business conditions.
Additional risks and uncertainties that could cause actual outcomes and results to differ materially are included in
our filings with the Securities and Exchange Commission (the “SEC”), including our Annual Report on Form 10-K for
the most recent fiscal year, our quarterly report on Form 10-Q for the most recent fiscal quarter, and any
subsequent reports filed with the SEC. SEC filings are available on the Investor Relations section of Elastic’s
website at ir.elastic.co and the SEC’s website at www.sec.gov.
Any features or functions of services or products referenced in this presentation, or in any presentations, press
releases or public statements, which are not currently available or not currently available as a general availability
release, may not be delivered on time or at all. The development, release, and timing of any features or functionality
described for our products remains at our sole discretion. Customers who purchase our products and services
should make the purchase decisions based upon services and product features and functions that are currently
available.
All statements are made only as of the date of the presentation, and Elastic assumes no obligation to, and does not
currently intend to, update any forward-looking statements or statements relating to features or functions of services
or products, except as required by law.
Forward-Looking Statements
Data leaks never happ… oh, nevermind
https://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Elastic interaction map
[Diagram: interactive users (administrators, security professionals, data analysts) use Kibana to visualize, navigate and share. Language clients (Perl, PHP, Java, Go, .NET, Rust, Ruby, Python, JavaScript) and Beats, the lightweight data shippers on servers and containers, handle logs, metrics, configs, messages, tickets and alerts. Elasticsearch nodes store, search and analyze.]
How can we protect our data?
Encryption, Authentication, Authorization, Multitenancy
Evolution of Elastic security offering
1.0
● Security features were built as a separate plugin, named Shield
● Commercial license required, binary still available for (unsupported) download!
● Compatibility with Elasticsearch 1.x and 2.x
5.0
● Shield has been merged into the X-Pack plugin in Elasticsearch 5.0
● Compatibility with Elasticsearch 5.x and newer
● Initially closed-source, old versions still available as a separate (unsupported) download
6.3
● X-Pack code was opened* and included in Elasticsearch 6.3
● Available under the Elastic License, both free and commercial features
● All security features initially required a Gold+ (paid) license
7.1
● Basic security features became free for everyone** in Elasticsearch 7.1 (and 6.8)
● Available out of the box in the Elasticsearch distribution
● Must be enabled explicitly
* We opened X-Pack: https://www.elastic.co/what-is/open-x-pack
** Security for Elasticsearch is now free: https://www.elastic.co/blog/security-for-elasticsearch-is-now-free
Enable security in
just 3 steps
Encryption & Authentication
Obtain certificates
Transport Layer Security (TLS), also known as SSL by the masses, is a
protocol that encrypts data on network connections.
✔ Privacy ✔ Authentication ✔ Reliability
TLS certificates are used in multiple places:
● Node to node internal communication
● HTTP client connections (Kibana, Beats, etc)
● Browser sessions to Kibana
You can bring your own or generate with CLI
$ bin/elasticsearch-certutil
Enable Elasticsearch security
Elasticsearch should force requests to be encrypted and authenticated
with user credentials to avoid unauthorized access.
# Enable security features
xpack.security.enabled: true
# Configure node to node encryption
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
# Configure HTTP client encryption
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/elastic-certificates.p12
Passwords for built-in users (elastic, kibana_system, etc) can be
configured with CLI
$ bin/elasticsearch-setup-passwords
Secure Kibana communications
Kibana is the primary interface to Elasticsearch for interactive users.
As such, it has to guarantee a secure user experience.
Users authenticate to Kibana, using Elasticsearch as the backend.
The tight integration makes the end to end flow secure and flexible.
# Enable secure connection with browsers
server.ssl.enabled: true
server.ssl.keystore.path: "config/certs/http.p12"
# Configure secure connection with Elasticsearch
elasticsearch.hosts: [ "https://es01:9200" ]
elasticsearch.ssl.certificateAuthorities: [ "config/certs/elasticsearch-ca.pem" ]
elasticsearch.username: "kibana_system"
elasticsearch.password: "R?^8WXL^-2fRP5y2"
[Diagram: Browsers <-> Kibana <-> Elasticsearch]
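A way to check that the three steps above were actually applied, as an added example that is not part of the original presentation or of the Elastic code base. It assumes flat "dotted.key: value" files like the ones on the slides; the function names and both sample configurations are constructed.

```python
# Added example: audits the settings named on the slides. Sample configs are constructed.
def parse_flat_yaml(text):
    """Parse flat 'dotted.key: value' lines, as used on the slides, into a dict."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip()
    return settings

def as_list(value):
    inner = value.strip().strip("[]")
    return [item.strip().strip("\"'") for item in inner.split(",") if item.strip()]

def is_true(cfg, key):
    return cfg.get(key, "").strip("\"'").lower() == "true"

def audit_elasticsearch(text):
    """Findings for elasticsearch.yml. An enabled TLS layer needs key material:
    a PKCS#12 keystore.path (as on the slide) or a PEM certificate."""
    cfg = parse_flat_yaml(text)
    findings = []
    if not is_true(cfg, "xpack.security.enabled"):
        findings.append("xpack.security.enabled is not true")
    for layer in ("transport", "http"):
        prefix = f"xpack.security.{layer}.ssl"
        if not is_true(cfg, f"{prefix}.enabled"):
            findings.append(f"{prefix}.enabled is not true")
        elif not (cfg.get(f"{prefix}.keystore.path") or cfg.get(f"{prefix}.certificate")):
            findings.append(f"{prefix} is enabled but has no keystore.path or certificate")
    return findings

def audit_kibana(text):
    """Findings for a kibana.yml with weak browser or Elasticsearch links."""
    cfg = parse_flat_yaml(text)
    findings = []
    if not is_true(cfg, "server.ssl.enabled"):
        findings.append("server.ssl.enabled is not true")
    for host in as_list(cfg.get("elasticsearch.hosts", "")):
        if not host.startswith("https://"):
            findings.append(f"elasticsearch.hosts entry {host} is not https")
    if cfg.get("elasticsearch.ssl.verificationMode", "").strip("\"'") == "none":
        findings.append("elasticsearch.ssl.verificationMode is none")
    if "elasticsearch.password" in cfg:
        findings.append("elasticsearch.password is in clear text in kibana.yml")
    return findings

# Constructed sample: security enabled but the HTTP layer left unencrypted.
WEAK_ES = """
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
"""

# Constructed sample: Kibana talking to Elasticsearch over plain HTTP.
WEAK_KIBANA = """
server.ssl.enabled: true
elasticsearch.hosts: [ "http://es01:9200" ]
elasticsearch.password: "constructed-placeholder"
"""

if __name__ == "__main__":
    print("\n".join(audit_elasticsearch(WEAK_ES) + audit_kibana(WEAK_KIBANA)))
```

The clear-text password finding also fires on the kibana.yml shown on the slide; `bin/kibana-keystore add elasticsearch.password` stores the value outside the file.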
Secure your data
using RBAC
Authorization
Role-based access control
● Role: a set of permissions
● Permission: a set of privileges against the secured resource
● Privilege: a set of actions that a user can execute against the secured resource
Role-based access control
● Role: a set of privileges
● Privilege: a set of actions that a user can execute against the secured resource
[Diagram: User, Role, Privilege, Secured resources. A User is linked to Roles, a Role to Privileges, and Privileges to the Secured resources.]
Introduction to roles and privileges
Users may have multiple roles. Roles may have multiple privileges.
Privileges can be grouped in the following categories:
● Cluster privileges: read and write management access to cluster configuration, security, ML, snapshots, and much more
● Index privileges: policies to create, index, search, and manage every aspect of any index lifecycle, based on patterns
● Run as privileges: ability to execute calls on behalf of other users, actually using their privileges
● Application privileges: enable applications to represent and store their own privilege models within Elasticsearch roles
Role management with Kibana
[Figure: Kibana space privileges. For each feature (Dashboards, Canvas, Maps, APM, Index patterns) the slide shows the level (ALL, READ or NONE) granted by Role 1, the level granted by Role 2, and the level that results from combining them (Role 1 + Role 2 =).]
Meet organization
needs with Spaces
Multitenancy
Overview of Spaces use cases
Organization
• Help users access the objects relevant to them more easily
• Each Space can have different saved objects
Phasing
• Spaces for sandbox, QA, dev and production
• Work on new objects and move to production space once ready
Multitenancy
• Isolate different teams or customers
• Objects in the space will be visible only to the roles that have privileges to that space
Kibana Spaces for your organizational needs
● Need: Organise your work to reflect your team's needs
● Pain point: Long lists of saved objects
Secure Spaces with Role Based Access Control
● Need: Control access to Spaces based on user’s role
● Limit access to:
⎻ Departments
⎻ Teams
⎻ Levels
⎻ or even individual users
to meet your organizational and security needs
Multitenancy conceptual model with Spaces
Spaces can define different privilege sets for the same role
[Figure: Role 1 holds one set of privilege levels (ALL, READ or NONE) on Dashboards, Index patterns, Canvas, APM and Maps in Space 1, and a different set on the same features in Space 2.]
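A simplified model of the two ideas above (privileges from several roles add up, and one role can carry different privileges per Space), as an added example that is not from the presentation and is not Kibana's implementation. Role names, space names and privilege values are constructed.

```python
# Added example: simplified model of additive, per-Space privileges. All data is constructed.
LEVELS = {"NONE": 0, "READ": 1, "ALL": 2}
FEATURES = ("Dashboards", "Canvas", "Maps", "APM", "Index patterns")

# role -> space -> feature -> level. Features that are not listed default to NONE.
ROLES = {
    "role_1": {
        "space_1": {"Dashboards": "ALL", "Canvas": "ALL", "Maps": "READ"},
        "space_2": {"Dashboards": "READ", "Canvas": "READ"},
    },
    "role_2": {
        "space_1": {"Maps": "ALL", "APM": "READ", "Index patterns": "READ"},
    },
}

def effective_privileges(user_roles, space, roles=ROLES):
    """Combine roles for one space: per feature, the most permissive level wins."""
    result = {feature: "NONE" for feature in FEATURES}
    for role_name in user_roles:
        if role_name not in roles:
            raise KeyError(f"unknown role: {role_name}")
        for feature, level in roles[role_name].get(space, {}).items():
            if feature not in result or level not in LEVELS:
                raise ValueError(f"bad grant {feature}={level} in {role_name}")
            if LEVELS[level] > LEVELS[result[feature]]:
                result[feature] = level
    return result

def can(user_roles, space, feature, action, roles=ROLES):
    """action is 'read' or 'write': READ allows read, ALL allows both."""
    needed = {"read": "READ", "write": "ALL"}[action]
    level = effective_privileges(user_roles, space, roles)[feature]
    return LEVELS[level] >= LEVELS[needed]

def visible_spaces(user_roles, roles=ROLES):
    """Spaces in which the user holds at least READ on one feature."""
    spaces = {s for r in user_roles for s in roles.get(r, {})}
    return sorted(
        s for s in spaces
        if any(v != "NONE" for v in effective_privileges(user_roles, s, roles).values())
    )

if __name__ == "__main__":
    print(effective_privileges(["role_1", "role_2"], "space_1"))
    print(effective_privileges(["role_1"], "space_2"))
    print(visible_spaces(["role_2"]))
```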
Additional resources
Elasticsearch Service on cloud
https://www.elastic.co/products/elasticsearch/service
Elastic Stack paid subscriptions
https://www.elastic.co/subscriptions
Gold
Everything in Basic, plus:
● Audit logging
● IP filtering
● Advanced authentication
⎻ LDAP
⎻ PKI
⎻ Active Directory
● Elasticsearch Token Service
Platinum
Everything in Gold, plus:
● Single sign-on
⎻ SAML
⎻ OpenID Connect
⎻ Kerberos
● Attribute-based access control
● Field- and document-level security
● Custom authentication & authorization realms
● Encryption at rest support
● FIPS 140-2 mode
Elastic Stack subscriptions
https://www.elastic.co/subscriptions
Basic (free)
Already included, by default:
● Encrypted communications
● File and native authentication
● Role-based access control
● Kibana Spaces and feature control
● API keys management
Gold
Everything in Basic, plus:
● Advanced authentication
– LDAP
– PKI
– Active Directory
● Audit logging
● IP filtering
● Elasticsearch Token Service
Platinum
Everything in Gold, plus:
● Single sign-on
– SAML
– OpenID Connect
– Kerberos
● Field- and document-level security
● Attribute-based access control
● Custom realms
● Encryption at rest support
● FIPS 140-2
Further reading
● Webinars
⎻ Elasticsearch security: Best practices to keep your data safe
https://www.elastic.co/webinars/elasticsearch-security-best-practices-to-keep-your-data-safe
⎻ Kibana security: Access management, spaces, and feature controls
https://www.elastic.co/webinars/kibana-security-access-management-spaces-and-feature-controls
● Tutorials
⎻ Secure a cluster
https://www.elastic.co/guide/en/elasticsearch/reference/current/elasticsearch-security.html
⎻ Configure security in Kibana
https://www.elastic.co/guide/en/kibana/current/using-kibana-with-security.html
● Trainings
⎻ Fundamentals of Securing Elasticsearch
https://www.elastic.co/training/fundamentals-of-securing-elasticsearch
Demo time!
Thank you!
Aris Papadopoulos
Senior Product Manager, Kibana
Fabio Busatto
Senior Product Manager, Elasticsearch
