SlideShare a Scribd company logo

The Last Pickle: Hardening Apache Cassandra for Compliance (or Paranoia).

DataStax Academy
DataStax Academy

Security is always at odds with usability, particularly in the context of operations and development. More so when dealing with a distributed system such as Apache Cassandra. In this presentation, we'll walk through the steps required to completely secure a Cassandra cluster to meet most regulatory and compliance guidelines. Topics will include: - Encrypting cross-DC traffic - Different types of at-rest disk encryption options available (and how to tune them) - Configuring SSL for inter-cluster communication - Configuring SSL between clients and the API - Configuring and managing client authentication Attendees will leave this presentation with the knowledge required to harden Cassandra to meet most guidelines imposed by regulations and compliance.

Technology
1 of 78
Download to read offline
CASSANDRA DAY ATLANTA 2015 HARDENING CASSANDRA FOR COMPLIANCE (OR PARANOIA) Nate McCall @zznate #CassandraSummit Co-Founder & Sr.Technical Consultant Licensed under a Creative Commons Attribution-NonCommercial 3.0 New Zealand License
AboutThe Last Pickle. Work with clients to deliver and improve Apache Cassandra based solutions. Based in New Zealand,Australia & USA.
OVERVIEW
Encryption at Rest Inter-node Communication Client-Server Communication Authentication and Authorization Management andTooling
Overview: Security is usually necessitated by Industry Guidelines (depending on organization size)
Overview: Industry Guidelines - Financial: PCI-CSS - Healthcare: HIPPAA - Defense/Govt: FIPS - TelCo: CPNI
Overview: Industry Guidelines Their heart is in the right place... (Do you really need node to node SSL if it never leaves a backplane?)
Overview: But good security practices can save you ...
Overview: By necessity we abstract and encapsulate, making it easier to have un-intended side effects knife ssh -x ${knifeUser} -a hostname -E $chefEnv "role:${role}" "${executeCommand}" Then eventually: rm -rf /var/lib/cassandra/*
Overview: Basic systems hardening can also protect from common operational errors
Overview: System Hardening Limit account access "sudo su -" = trouble
Overview: System Hardening Limit filesystem access. Only C* needs /var/lib/cassandra (configuration management does not need access after initialization)
Overview: System Hardening Networking - Limit network access - network segmentation and ACLs - iptables, etc
Overview: System Hardening: Limit Network Access C* only needs inbound on: - 9042/9160 (clients) - 7000/7001 (cluster) - 7199 (JMX)
Encryption at Rest Inter-node Communication Client-Server Communication Authentication and Authorization Management andTooling
Encryption At Rest: Why it's a good idea: - Do you know how your cloud provider is actually using storage under the hood? - What does IT do with decommissioned disks? (Are you sure?)
Encryption At Rest: There are good open source and commercial options for at-rest encryption
Encryption At Rest: It's a distributed system. Make sure you understand the HA Story in context of your needs. Otherwise you introduced an SOPF! eg. "EBS snapshots of the key server" Is this going to work for you?
Encryption At Rest: File level vs. Block level
Encryption At Rest: Open Source dmCrypt (block) eCrypt-FS (file) Major vendors probably support both https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Installation_Guide/ch29s02.html https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Storage_Administration_Guide/ch-efs.html
Encryption At Rest: Commercial - Cloudera Gazzang! -Vormetric
Encryption At Rest: Commercial DataStax Enterprise*: CREATETABLE users ... WITH compression_parameters:sstable_compression = 'Encryptor' and compression_parameters:cipher_algorithm = 'AES/ECB/PKCS5Padding' and compression_parameters:secret_key_strength = 128; *commit log not included! (eCrypt-fs to the rescue)
Encryption At Rest: Commercial-ish EBS Encryption! (a.k.a. "not my problem") http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
Encryption at Rest Inter-Node Communication Client-Server Communication Authentication and Authorization Management andTooling
Inter-Node Communication: SSL Inter-Node encryption can be rolled out on production with no downtime* * Depending on client consistency levels
Inter-Node Communication: SSL Why it's a good idea
Inter-Node Communication: SSL:Why It's a Good Idea: -Dcassandra.write_survey=true "I can has your writes" from: http://icanhascheeseburger.com
Inter-Node Communication: SSL:Why It's a Good Idea: Every operation is a Message on the wire
Inter-Node Communication: SSL:Why It's a Good Idea: It takes one Message to insert an admin account into the system_auth table
Inter-Node Communication: SSL SSL Certificates: a brief interlude
Inter-Node Communication: SSL: Certificates Done Right BYO Certificate Authority A CA in this case provides the root certificate which can be used to validate a node's identity without needing direct knowledge of that node.
Inter-Node Communication: SSL: Certificates Done Right Don't do this: http://docs.datastax.com/en/cassandra/2.1/cassandra/security/secureSSLCertificates_t.html <- BAD! LOL!
Inter-Node Communication: SSL: Certificates Done Right What we should do: 1. create the CA with a "root" certificate 2. create certificates for each node 3. export each node's certificates to be signed by CA 4. sign each nodes certificate with the CA 5. add the CA root public certificate into each node's key store 5. add the signed result back into that node's key store 6. import CA root public certificate into each node's trust store (or build one and copy it around)
Inter-Node Communication: SSL: Certificates Done Right Be your own CA openssl req -config gen_ca_cert.conf -new -x509 -keyout ca-key -out ca-cert -days 365
Inter-Node Communication: SSL: Certificates Done Right 'gen_ca_cert.conf' [ req ] distinguished_name = req_distinguished_name prompt = no output_password = mypass default_bits = 2048 [ req_distinguished_name ] C = US ST = TX L = Austin O = TLP OU = TestCluster CN = TestClusterMasterCA emailAddress = info@thelastpickl.com
Inter-Node Communication: SSL: Certificates Done Right What we just did - `req`:An OpenSSL sub-command saying that we are (in this case) creating a PKCS#10 X.509 Certificate (see https://www.openssl.org/docs/manmaster/apps/req.html for full details) The following parameters are all options of "-req" `-config`: The path to the config file (avoids having to provide information on STDIN) `-new`: This is a new signing request we are making `-x509`: The output will be a self-signed certificate we can use as a root CA `-keyout`: The filename to which we will write our key `-out`: The filename to which we will write our certificate `-days`: The number of days for which the generated certificate will be valid
Inter-Node Communication: SSL: Certificates Done Right Per-Node Certificate Creation keytool -genkeypair -keyalg RSA -alias node1 -keystore node1-server-keystore.jks -storepass awesomekeypass -keypass awesomekeypass -validity 365 -keysize 2048 -dname "CN=node1, OU=SSL-verification-cluster, O=TheLastPickle, C=US"
Inter-Node Communication: SSL: Certificates Done Right What we just did `-genkeypair`: the keytool command to generate a public/private key pair combination `-keyalg`:The algorithm to use, RSA in this case* `-alias`:An alias to use for this public/private key pair. It needs to identify the public key when imported into a key store. I usually use some form of $hostname-cassandra `-keystore`:The location of our key store (created if it does not already exist) `-storepass`:The password for the key store `-keypass`:The password for the key `-validity`:The number of days for which this key pair will be valid `-keysize`:The size of the key to generate https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html
Inter-Node Communication: SSL: Certificates Done Right A note about "-dname": CN=node1 Common Name: Best practice is to use hostname OU=SSL-verification-cluster Organizational Unit: I like to use the environment specific cluster name O=TheLastPickle Organization C=US" Country Note: Hostname verification can be done against subjectAlternativeName Add "-ext SAN=DNS:thelastpickle.com" to keytool invocation if desired.
Inter-Node Communication: SSL: Certificates Done Right Exporting certificates for signing by the CA keytool -keystore node1-server-keystore.jks -alias node1 -certreq -file node1_cert_sr -keypass awesomekeypass -storepass awesomekeypass
Inter-Node Communication: SSL: Certificates Done Right Sign each node's certificate with the CA openssl x509 -req -CA ca-cert -CAkey ca-key -in node1_cert_sr -out node1_cert_signed -days 365 -CAcreateserial -passin pass:mypass
Inter-Node Communication: SSL: Certificates Done Right What did we just do: - `x509` Use the display and signing subcommand (https://www.openssl.org/docs/manmaster/apps/ x509.html) The following parameters are options of "x509" - `-req` We are signing a certificate request as opposed to a certificate - `-CA` The CA cert file created above - `-CAKey` The CA key file created above - `-in` The certificate request we are signing - `-out` The newly-signed certificate file to create - `-days` The number of days for which the signed certificate will be valid - `-CAcreateserial` Create a serialnumber for this CSR - `-passin` The keypassword source.The arguments to 'passin' have their own formatting instructions. See 'Pass Phrase Arguments' on https://www.openssl.org/docs/manmaster/apps/openssl.html
Inter-Node Communication: SSL: Certificates Done Right Add the CA's public key to the node's key stores keytool -keystore node1-server-keystore.jks -alias CARoot -import -file ca-cert -noprompt -keypass awesomekeypass -storepass awesomekeypass
Inter-Node Communication: SSL: Certificates Done Right Import that node's signed certificate back into it's trust store keytool -keystore node1-server-keystore.jks -alias node1 -import -file node1_cert_signed -keypass awesomekeypass -storepass awesomekeypass
Inter-Node Communication: SSL: Certificates Done Right Build a trust store from the CA's public certificate (this can be shared among all nodes) keytool -keystore generic-server-truststore.jks -alias CARoot -importcert -file ca-cert -keypass mypass -storepass truststorepass -noprompt
Inter-Node Communication: SSL: Certificates Done Right OMG! A Trust Chain!
Inter-Node Communication: SSL Done Right server_encryption_options: internode_encryption: all keystore: conf/server-keystore.jks keystore_password: awesomekeypass truststore: conf/server-truststore.jks truststore_password: truststorepass protocol: TLS algorithm: SunX509 store_type: JKS cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA] require_client_auth: true
Inter-Node Communication: SSL Done Right server_encryption_options: internode_encryption: all keystore: conf/server-keystore.jks keystore_password: awesomekeypass truststore: conf/server-truststore.jks truststore_password: truststorepass protocol: TLS algorithm: SunX509 store_type: JKS cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA] require_client_auth: true If you don't set this to true, you might as well turn encryption off
Inter-Node Communication: SSL Done Right Also: Key store password and key password *must be the same* server_encryption_options: ... keystore_password: awesomekeypass require_client_auth: true ... keytool ... -keypass awesomekeypass ...
Inter-Node Communication: SSL Done Right Export restrictions? Use128 bit keys cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA] http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#importlimits
Inter-Node Communication: SSL: Certificates Done Right Trouble? -Djavax.net.debug=ssl http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/ReadDebug.html
Inter-Node Communication: SSL: Certificates Done Right This Just In! Netflix Lemur: "x.509 Certificate Orchestration Framework" http://techblog.netflix.com/2015/09/introducing-lemur.html https://github.com/Netflix/lemur
Inter-Node Communication internode_authenticator
Inter-Node Communication:Authenticator Available commercially in DSE
Inter-Node Communication:Authenticator Pretty easy to roll your own
Inter-Node Communication:Authenticator o.a.c.auth.IInternodeAuthenticator boolean authenticate(InetAddress remoteAddress, int remotePort); void validateConfiguration() throws ConfigurationException;
Encryption at Rest Inter-Node Communication Client-Server Communication Authentication and Authorization Management andTooling
Client-Server Communication Same CA setup as Server-to-Server (same limitations, too)
Client-Server Communication client_encryption_options: enabled: true keystore: conf/client-keystore.jks keystore_password: clientkeypass truststore: conf/client-truststore.jks truststore_password: clienttrustpass protocol: TLS algorithm: SunX509 store_type: JKS cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA] require_client_auth: true
Client-Server Communication client_encryption_options: enabled: false keystore: conf/client-keystore.jks keystore_password: clientkeypass truststore: conf/client-truststore.jks truststore_password: clienttrustpass protocol: TLS algorithm: SunX509 store_type: JKS cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA] require_client_auth: true If you don't set this to true, you might as well turn encryption off
Encryption at Rest Inter-Node Communication Client-Server Communication Authentication and Authorization Management andTooling
Authentication and Authorization: Why it's a good idea
Authentication and Authorization: Best practices are the same as for RDBMS
Authentication and Authorization: Best Practices Segment users: - Admin - Per-service CRUD - CRUD (reporting)
Authentication and Authorization: Best Practices Limit access to tables and keyspaces
Authentication and Authorization: Role-based access control (RBAC) in 2.2
Authentication and Authorization:Authentication authenticator: PasswordAuthenticator Tip: keep your read-only cqlsh credentials in $HOME/.cassandra/cqlshrc of the system's admin account
Authentication and Authorization:Authorization authorizer: CassandraAuthorizer TIP: turn permissions_validity_in_ms WAY UP default is 2000 (2 seconds!!) can use permissions_update_interval_in_ms for async refresh if needed
Authentication and Authorization:Authorization These tables have default read permission for every authenticated user: system.schema_keyspace system.schema_columns system.schema_columnfamilies system.local system.peers
Authentication and Authorization:Authentication IMPORTANT: "Please increase system_auth keyspace replication factor if you use this..." RF=Number of Nodes
Encryption at Rest Inter-Node Communication Client-Server Communication Authentication and Authorization Management and Tooling
Mangement andTooling: Securing JMX
Management andTooling: Securing JMX Options as of 2.1.8 will look familiar: JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStore=/path/to/keystore" JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStorePassword=<keystore-password>" JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStore=/path/to/truststore" JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStorePassword=<truststore-password>" JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.need.client.auth=true" JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.registry.ssl=true" JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.protocols=<enabled-protocols>" JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.cipher.suites=<enabled-cipher- suites>"
Management andTooling: Securing JMX Thus: as of 2.1.8, nodetool can use SSL* * https://issues.apache.org/jira/browse/CASSANDRA-9090
Management andTooling: Securing JMX Configure authentication for JMX* Now you can do: nodetool status -u monitor -pw monitorpass * http://docs.datastax.com/en/cassandra/2.1/cassandra/security/secureJmxAuthentication.html
Management andTooling: Securing JMX JMX user/password and role configuration is flexible For details, take a look at the defaults: $JAVA_HOME/jre/lib/management/jmxremote.access $JAVA_HOME/jre/lib/management/jmxremote.password.template
Thanks.
Nate McCall @zznate Co-Founder & Sr.Technical Consultant www.thelastpickle.com #CassandraSummit

Recommended

Software defined storage
Software defined storageSoftware defined storage
Software defined storageGluster.org
 
Getting Demo & POV Ready
Getting Demo & POV ReadyGetting Demo & POV Ready
Getting Demo & POV ReadyThousandEyes
 
MariaDB 제품 소개
MariaDB 제품 소개MariaDB 제품 소개
MariaDB 제품 소개NeoClova
 
IBM Spectrum Scale Security
IBM Spectrum Scale Security IBM Spectrum Scale Security
IBM Spectrum Scale Security Sandeep Patil
 
Nokia 5529 SDC 9.4.pptx
Nokia 5529 SDC 9.4.pptxNokia 5529 SDC 9.4.pptx
Nokia 5529 SDC 9.4.pptxAayushGupta81010
 
VLAN, VTP, DTP, Ether channel Cheat Sheet With examples.pptx
VLAN, VTP, DTP, Ether channel Cheat Sheet With examples.pptxVLAN, VTP, DTP, Ether channel Cheat Sheet With examples.pptx
VLAN, VTP, DTP, Ether channel Cheat Sheet With examples.pptxINFitunes
 
Amazon DynamoDB - Use Cases and Cost Optimization - 발표자: 이혁, DynamoDB Special...
Amazon DynamoDB - Use Cases and Cost Optimization - 발표자: 이혁, DynamoDB Special...Amazon DynamoDB - Use Cases and Cost Optimization - 발표자: 이혁, DynamoDB Special...
Amazon DynamoDB - Use Cases and Cost Optimization - 발표자: 이혁, DynamoDB Special...Amazon Web Services Korea
 
Mainframe cloud computing presentation
Mainframe cloud computing presentationMainframe cloud computing presentation
Mainframe cloud computing presentationxKinAnx
 

Recommended

Software defined storage
Software defined storageSoftware defined storage
Software defined storageGluster.org
 
Getting Demo & POV Ready
Getting Demo & POV ReadyGetting Demo & POV Ready
Getting Demo & POV ReadyThousandEyes
 
MariaDB 제품 소개
MariaDB 제품 소개MariaDB 제품 소개
MariaDB 제품 소개NeoClova
 
IBM Spectrum Scale Security
IBM Spectrum Scale Security IBM Spectrum Scale Security
IBM Spectrum Scale Security Sandeep Patil
 
Nokia 5529 SDC 9.4.pptx
Nokia 5529 SDC 9.4.pptxNokia 5529 SDC 9.4.pptx
Nokia 5529 SDC 9.4.pptxAayushGupta81010
 
VLAN, VTP, DTP, Ether channel Cheat Sheet With examples.pptx
VLAN, VTP, DTP, Ether channel Cheat Sheet With examples.pptxVLAN, VTP, DTP, Ether channel Cheat Sheet With examples.pptx
VLAN, VTP, DTP, Ether channel Cheat Sheet With examples.pptxINFitunes
 
Amazon DynamoDB - Use Cases and Cost Optimization - 발표자: 이혁, DynamoDB Special...
Amazon DynamoDB - Use Cases and Cost Optimization - 발표자: 이혁, DynamoDB Special...Amazon DynamoDB - Use Cases and Cost Optimization - 발표자: 이혁, DynamoDB Special...
Amazon DynamoDB - Use Cases and Cost Optimization - 발표자: 이혁, DynamoDB Special...Amazon Web Services Korea
 
Mainframe cloud computing presentation
Mainframe cloud computing presentationMainframe cloud computing presentation
Mainframe cloud computing presentationxKinAnx
 
Using the New Network Load Balancer with Amazon ECS - AWS Online Tech Talks
Using the New Network Load Balancer with Amazon ECS - AWS Online Tech TalksUsing the New Network Load Balancer with Amazon ECS - AWS Online Tech Talks
Using the New Network Load Balancer with Amazon ECS - AWS Online Tech TalksAmazon Web Services
 
MP BGP-EVPN 실전기술-1편(개념잡기)
MP BGP-EVPN 실전기술-1편(개념잡기)MP BGP-EVPN 실전기술-1편(개념잡기)
MP BGP-EVPN 실전기술-1편(개념잡기)JuHwan Lee
 
BMC Discovery (ADDM) Cheat Sheet by Traversys Limited
BMC Discovery (ADDM) Cheat Sheet by Traversys LimitedBMC Discovery (ADDM) Cheat Sheet by Traversys Limited
BMC Discovery (ADDM) Cheat Sheet by Traversys LimitedWes Moskal-Fitzpatrick
 
Orchestration tool roundup kubernetes vs. docker vs. heat vs. terra form vs...
Orchestration tool roundup kubernetes vs. docker vs. heat vs. terra form vs...Orchestration tool roundup kubernetes vs. docker vs. heat vs. terra form vs...
Orchestration tool roundup kubernetes vs. docker vs. heat vs. terra form vs...Nati Shalom
 
OpenvSwitch Deep Dive
OpenvSwitch Deep DiveOpenvSwitch Deep Dive
OpenvSwitch Deep Diverajdeep
 
Network Monitoring System
Network Monitoring SystemNetwork Monitoring System
Network Monitoring SystemRofiq Fauzi
 
Mainframe Architecture & Product Overview
Mainframe Architecture & Product OverviewMainframe Architecture & Product Overview
Mainframe Architecture & Product Overviewabhi1112
 
OpenNMS introduction
OpenNMS introductionOpenNMS introduction
OpenNMS introductionGuider Lee
 
DPDK & Cloud Native
DPDK & Cloud NativeDPDK & Cloud Native
DPDK & Cloud NativeMichelle Holley
 
Scapy TLS: A scriptable TLS 1.3 stack
Scapy TLS: A scriptable TLS 1.3 stackScapy TLS: A scriptable TLS 1.3 stack
Scapy TLS: A scriptable TLS 1.3 stackAlexandre Moneger
 
ARC319_Multi-Region Active-Active Architecture
ARC319_Multi-Region Active-Active ArchitectureARC319_Multi-Region Active-Active Architecture
ARC319_Multi-Region Active-Active ArchitectureAmazon Web Services
 
Building and running cloud native cassandra
Building and running cloud native cassandraBuilding and running cloud native cassandra
Building and running cloud native cassandraVinay Kumar Chella
 
Nutanix Technology Bootcamp
Nutanix Technology BootcampNutanix Technology Bootcamp
Nutanix Technology BootcampICT-Partners
 
Rap installation updated
Rap installation updatedRap installation updated
Rap installation updatedAruba, a Hewlett Packard Enterprise company
 
Migrate Oracle database to Amazon RDS
Migrate Oracle database to Amazon RDSMigrate Oracle database to Amazon RDS
Migrate Oracle database to Amazon RDSJesus Guzman
 
Amazon Aurora Storage Demystified: How It All Works (DAT363) - AWS re:Invent ...
Amazon Aurora Storage Demystified: How It All Works (DAT363) - AWS re:Invent ...Amazon Aurora Storage Demystified: How It All Works (DAT363) - AWS re:Invent ...
Amazon Aurora Storage Demystified: How It All Works (DAT363) - AWS re:Invent ...Amazon Web Services
 
Ceph: Open Source Storage Software Optimizations on Intel® Architecture for C...
Ceph: Open Source Storage Software Optimizations on Intel® Architecture for C...Ceph: Open Source Storage Software Optimizations on Intel® Architecture for C...
Ceph: Open Source Storage Software Optimizations on Intel® Architecture for C...Odinot Stanislas
 
BYOD with ClearPass
BYOD with ClearPassBYOD with ClearPass
BYOD with ClearPassAruba, a Hewlett Packard Enterprise company
 
Oracle GoldenGate Roadmap Oracle OpenWorld 2020
Oracle GoldenGate Roadmap Oracle OpenWorld 2020 Oracle GoldenGate Roadmap Oracle OpenWorld 2020
Oracle GoldenGate Roadmap Oracle OpenWorld 2020 Oracle
 
(BDT309) Data Science & Best Practices for Apache Spark on Amazon EMR
(BDT309) Data Science & Best Practices for Apache Spark on Amazon EMR(BDT309) Data Science & Best Practices for Apache Spark on Amazon EMR
(BDT309) Data Science & Best Practices for Apache Spark on Amazon EMRAmazon Web Services
 
Seattle C* Meetup: Hardening cassandra for compliance or paranoia
Seattle C* Meetup: Hardening cassandra for compliance or paranoiaSeattle C* Meetup: Hardening cassandra for compliance or paranoia
Seattle C* Meetup: Hardening cassandra for compliance or paranoiazznate
 
Open SSL and MS Crypto API EKON21
Open SSL and MS Crypto API EKON21Open SSL and MS Crypto API EKON21
Open SSL and MS Crypto API EKON21Max Kleiner
 

More Related Content

What's hot

Using the New Network Load Balancer with Amazon ECS - AWS Online Tech Talks
Using the New Network Load Balancer with Amazon ECS - AWS Online Tech TalksUsing the New Network Load Balancer with Amazon ECS - AWS Online Tech Talks
Using the New Network Load Balancer with Amazon ECS - AWS Online Tech TalksAmazon Web Services
 
MP BGP-EVPN 실전기술-1편(개념잡기)
MP BGP-EVPN 실전기술-1편(개념잡기)MP BGP-EVPN 실전기술-1편(개념잡기)
MP BGP-EVPN 실전기술-1편(개념잡기)JuHwan Lee
 
BMC Discovery (ADDM) Cheat Sheet by Traversys Limited
BMC Discovery (ADDM) Cheat Sheet by Traversys LimitedBMC Discovery (ADDM) Cheat Sheet by Traversys Limited
BMC Discovery (ADDM) Cheat Sheet by Traversys LimitedWes Moskal-Fitzpatrick
 
Orchestration tool roundup kubernetes vs. docker vs. heat vs. terra form vs...
Orchestration tool roundup kubernetes vs. docker vs. heat vs. terra form vs...Orchestration tool roundup kubernetes vs. docker vs. heat vs. terra form vs...
Orchestration tool roundup kubernetes vs. docker vs. heat vs. terra form vs...Nati Shalom
 
OpenvSwitch Deep Dive
OpenvSwitch Deep DiveOpenvSwitch Deep Dive
OpenvSwitch Deep Diverajdeep
 
Network Monitoring System
Network Monitoring SystemNetwork Monitoring System
Network Monitoring SystemRofiq Fauzi
 
Mainframe Architecture & Product Overview
Mainframe Architecture & Product OverviewMainframe Architecture & Product Overview
Mainframe Architecture & Product Overviewabhi1112
 
OpenNMS introduction
OpenNMS introductionOpenNMS introduction
OpenNMS introductionGuider Lee
 
Scapy TLS: A scriptable TLS 1.3 stack
Scapy TLS: A scriptable TLS 1.3 stackScapy TLS: A scriptable TLS 1.3 stack
Scapy TLS: A scriptable TLS 1.3 stackAlexandre Moneger
 
ARC319_Multi-Region Active-Active Architecture
ARC319_Multi-Region Active-Active ArchitectureARC319_Multi-Region Active-Active Architecture
ARC319_Multi-Region Active-Active ArchitectureAmazon Web Services
 
Building and running cloud native cassandra
Building and running cloud native cassandraBuilding and running cloud native cassandra
Building and running cloud native cassandraVinay Kumar Chella
 
Nutanix Technology Bootcamp
Nutanix Technology BootcampNutanix Technology Bootcamp
Nutanix Technology BootcampICT-Partners
 
Migrate Oracle database to Amazon RDS
Migrate Oracle database to Amazon RDSMigrate Oracle database to Amazon RDS
Migrate Oracle database to Amazon RDSJesus Guzman
 
Amazon Aurora Storage Demystified: How It All Works (DAT363) - AWS re:Invent ...
Amazon Aurora Storage Demystified: How It All Works (DAT363) - AWS re:Invent ...Amazon Aurora Storage Demystified: How It All Works (DAT363) - AWS re:Invent ...
Amazon Aurora Storage Demystified: How It All Works (DAT363) - AWS re:Invent ...Amazon Web Services
 
Ceph: Open Source Storage Software Optimizations on Intel® Architecture for C...
Ceph: Open Source Storage Software Optimizations on Intel® Architecture for C...Ceph: Open Source Storage Software Optimizations on Intel® Architecture for C...
Ceph: Open Source Storage Software Optimizations on Intel® Architecture for C...Odinot Stanislas
 
Oracle GoldenGate Roadmap Oracle OpenWorld 2020
Oracle GoldenGate Roadmap Oracle OpenWorld 2020 Oracle GoldenGate Roadmap Oracle OpenWorld 2020
Oracle GoldenGate Roadmap Oracle OpenWorld 2020 Oracle
 
(BDT309) Data Science & Best Practices for Apache Spark on Amazon EMR
(BDT309) Data Science & Best Practices for Apache Spark on Amazon EMR(BDT309) Data Science & Best Practices for Apache Spark on Amazon EMR
(BDT309) Data Science & Best Practices for Apache Spark on Amazon EMRAmazon Web Services
 

What's hot (20)

Using the New Network Load Balancer with Amazon ECS - AWS Online Tech Talks
Using the New Network Load Balancer with Amazon ECS - AWS Online Tech TalksUsing the New Network Load Balancer with Amazon ECS - AWS Online Tech Talks
Using the New Network Load Balancer with Amazon ECS - AWS Online Tech Talks
 
MP BGP-EVPN 실전기술-1편(개념잡기)
MP BGP-EVPN 실전기술-1편(개념잡기)MP BGP-EVPN 실전기술-1편(개념잡기)
MP BGP-EVPN 실전기술-1편(개념잡기)
 
BMC Discovery (ADDM) Cheat Sheet by Traversys Limited
BMC Discovery (ADDM) Cheat Sheet by Traversys LimitedBMC Discovery (ADDM) Cheat Sheet by Traversys Limited
BMC Discovery (ADDM) Cheat Sheet by Traversys Limited
 
Orchestration tool roundup kubernetes vs. docker vs. heat vs. terra form vs...
Orchestration tool roundup kubernetes vs. docker vs. heat vs. terra form vs...Orchestration tool roundup kubernetes vs. docker vs. heat vs. terra form vs...
Orchestration tool roundup kubernetes vs. docker vs. heat vs. terra form vs...
 
OpenvSwitch Deep Dive
OpenvSwitch Deep DiveOpenvSwitch Deep Dive
OpenvSwitch Deep Dive
 
Network Monitoring System
Network Monitoring SystemNetwork Monitoring System
Network Monitoring System
 
Mainframe Architecture & Product Overview
Mainframe Architecture & Product OverviewMainframe Architecture & Product Overview
Mainframe Architecture & Product Overview
 
OpenNMS introduction
OpenNMS introductionOpenNMS introduction
OpenNMS introduction
 
DPDK & Cloud Native
DPDK & Cloud NativeDPDK & Cloud Native
DPDK & Cloud Native
 
Scapy TLS: A scriptable TLS 1.3 stack
Scapy TLS: A scriptable TLS 1.3 stackScapy TLS: A scriptable TLS 1.3 stack
Scapy TLS: A scriptable TLS 1.3 stack
 
ARC319_Multi-Region Active-Active Architecture
ARC319_Multi-Region Active-Active ArchitectureARC319_Multi-Region Active-Active Architecture
ARC319_Multi-Region Active-Active Architecture
 
Building and running cloud native cassandra
Building and running cloud native cassandraBuilding and running cloud native cassandra
Building and running cloud native cassandra
 
Nutanix Technology Bootcamp
Nutanix Technology BootcampNutanix Technology Bootcamp
Nutanix Technology Bootcamp
 
Rap installation updated
Rap installation updatedRap installation updated
Rap installation updated
 
Migrate Oracle database to Amazon RDS
Migrate Oracle database to Amazon RDSMigrate Oracle database to Amazon RDS
Migrate Oracle database to Amazon RDS
 
Amazon Aurora Storage Demystified: How It All Works (DAT363) - AWS re:Invent ...
Amazon Aurora Storage Demystified: How It All Works (DAT363) - AWS re:Invent ...Amazon Aurora Storage Demystified: How It All Works (DAT363) - AWS re:Invent ...
Amazon Aurora Storage Demystified: How It All Works (DAT363) - AWS re:Invent ...
 
Ceph: Open Source Storage Software Optimizations on Intel® Architecture for C...
Ceph: Open Source Storage Software Optimizations on Intel® Architecture for C...Ceph: Open Source Storage Software Optimizations on Intel® Architecture for C...
Ceph: Open Source Storage Software Optimizations on Intel® Architecture for C...
 
BYOD with ClearPass
BYOD with ClearPassBYOD with ClearPass
BYOD with ClearPass
 
Oracle GoldenGate Roadmap Oracle OpenWorld 2020
Oracle GoldenGate Roadmap Oracle OpenWorld 2020 Oracle GoldenGate Roadmap Oracle OpenWorld 2020
Oracle GoldenGate Roadmap Oracle OpenWorld 2020
 
(BDT309) Data Science & Best Practices for Apache Spark on Amazon EMR
(BDT309) Data Science & Best Practices for Apache Spark on Amazon EMR(BDT309) Data Science & Best Practices for Apache Spark on Amazon EMR
(BDT309) Data Science & Best Practices for Apache Spark on Amazon EMR
 

Similar to The Last Pickle: Hardening Apache Cassandra for Compliance (or Paranoia).

Seattle C* Meetup: Hardening cassandra for compliance or paranoia
Seattle C* Meetup: Hardening cassandra for compliance or paranoiaSeattle C* Meetup: Hardening cassandra for compliance or paranoia
Seattle C* Meetup: Hardening cassandra for compliance or paranoiazznate
 
Open SSL and MS Crypto API EKON21
Open SSL and MS Crypto API EKON21Open SSL and MS Crypto API EKON21
Open SSL and MS Crypto API EKON21Max Kleiner
 
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...MongoDB
 
Apache Httpd and TLS certificates validations
Apache Httpd and TLS certificates validationsApache Httpd and TLS certificates validations
Apache Httpd and TLS certificates validationsJean-Frederic Clere
 
Best Practices of IoT in the Cloud
Best Practices of IoT in the CloudBest Practices of IoT in the Cloud
Best Practices of IoT in the CloudAmazon Web Services
 
Best Practices for IoT Security in the Cloud
Best Practices for IoT Security in the CloudBest Practices for IoT Security in the Cloud
Best Practices for IoT Security in the CloudAmazon Web Services
 
Best Practices for IoT Security in the Cloud
Best Practices for IoT Security in the CloudBest Practices for IoT Security in the Cloud
Best Practices for IoT Security in the CloudAmazon Web Services
 
When Securing Access to Data is About Life and Death
When Securing Access to Data is About Life and DeathWhen Securing Access to Data is About Life and Death
When Securing Access to Data is About Life and DeathHostedbyConfluent
 
SSL Certificates and Operations
SSL Certificates and OperationsSSL Certificates and Operations
SSL Certificates and OperationsNisheed KM
 
Issue certificates with PyOpenSSL
Issue certificates with PyOpenSSLIssue certificates with PyOpenSSL
Issue certificates with PyOpenSSLPau Freixes
 
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureLow Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureMongoDB
 
Training Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSLTraining Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSLContinuent
 
Adobe Connect on-premise SSL Guide
Adobe Connect on-premise SSL GuideAdobe Connect on-premise SSL Guide
Adobe Connect on-premise SSL GuideRapidSSLOnline.com
 
SSL Implementation - IBM MQ - Secure Communications
SSL Implementation - IBM MQ - Secure Communications SSL Implementation - IBM MQ - Secure Communications
SSL Implementation - IBM MQ - Secure Communications nishchal29
 
Types of ssl commands and keytool
Types of ssl commands and keytoolTypes of ssl commands and keytool
Types of ssl commands and keytoolCheapSSLsecurity
 
Cisco iso based CA (certificate authority)
Cisco iso based CA (certificate authority)Cisco iso based CA (certificate authority)
Cisco iso based CA (certificate authority)Netwax Lab
 
Cassandra Security Configuration
Cassandra Security ConfigurationCassandra Security Configuration
Cassandra Security ConfigurationBraja Krishna Das
 

Similar to The Last Pickle: Hardening Apache Cassandra for Compliance (or Paranoia). (20)

Seattle C* Meetup: Hardening cassandra for compliance or paranoia
Seattle C* Meetup: Hardening cassandra for compliance or paranoiaSeattle C* Meetup: Hardening cassandra for compliance or paranoia
Seattle C* Meetup: Hardening cassandra for compliance or paranoia
 
Open SSL and MS Crypto API EKON21
Open SSL and MS Crypto API EKON21Open SSL and MS Crypto API EKON21
Open SSL and MS Crypto API EKON21
 
Java security
Java securityJava security
Java security
 
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...
 
Apache Httpd and TLS certificates validations
Apache Httpd and TLS certificates validationsApache Httpd and TLS certificates validations
Apache Httpd and TLS certificates validations
 
Best Practices of IoT in the Cloud
Best Practices of IoT in the CloudBest Practices of IoT in the Cloud
Best Practices of IoT in the Cloud
 
320.1-Cryptography
320.1-Cryptography320.1-Cryptography
320.1-Cryptography
 
Best Practices for IoT Security in the Cloud
Best Practices for IoT Security in the CloudBest Practices for IoT Security in the Cloud
Best Practices for IoT Security in the Cloud
 
Best Practices for IoT Security in the Cloud
Best Practices for IoT Security in the CloudBest Practices for IoT Security in the Cloud
Best Practices for IoT Security in the Cloud
 
When Securing Access to Data is About Life and Death
When Securing Access to Data is About Life and DeathWhen Securing Access to Data is About Life and Death
When Securing Access to Data is About Life and Death
 
TLS and Certificates
TLS and CertificatesTLS and Certificates
TLS and Certificates
 
SSL Certificates and Operations
SSL Certificates and OperationsSSL Certificates and Operations
SSL Certificates and Operations
 
Issue certificates with PyOpenSSL
Issue certificates with PyOpenSSLIssue certificates with PyOpenSSL
Issue certificates with PyOpenSSL
 
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureLow Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
 
Training Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSLTraining Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSL
 
Adobe Connect on-premise SSL Guide
Adobe Connect on-premise SSL GuideAdobe Connect on-premise SSL Guide
Adobe Connect on-premise SSL Guide
 
SSL Implementation - IBM MQ - Secure Communications
SSL Implementation - IBM MQ - Secure Communications SSL Implementation - IBM MQ - Secure Communications
SSL Implementation - IBM MQ - Secure Communications
 
Types of ssl commands and keytool
Types of ssl commands and keytoolTypes of ssl commands and keytool
Types of ssl commands and keytool
 
Cisco iso based CA (certificate authority)
Cisco iso based CA (certificate authority)Cisco iso based CA (certificate authority)
Cisco iso based CA (certificate authority)
 
Cassandra Security Configuration
Cassandra Security ConfigurationCassandra Security Configuration
Cassandra Security Configuration
 

More from DataStax Academy

Forrester CXNYC 2017 - Delivering great real-time cx is a true craft
Forrester CXNYC 2017 - Delivering great real-time cx is a true craftForrester CXNYC 2017 - Delivering great real-time cx is a true craft
Forrester CXNYC 2017 - Delivering great real-time cx is a true craftDataStax Academy
 
Introduction to DataStax Enterprise Graph Database
Introduction to DataStax Enterprise Graph DatabaseIntroduction to DataStax Enterprise Graph Database
Introduction to DataStax Enterprise Graph DatabaseDataStax Academy
 
Introduction to DataStax Enterprise Advanced Replication with Apache Cassandra
Introduction to DataStax Enterprise Advanced Replication with Apache CassandraIntroduction to DataStax Enterprise Advanced Replication with Apache Cassandra
Introduction to DataStax Enterprise Advanced Replication with Apache CassandraDataStax Academy
 
Cassandra on Docker @ Walmart Labs
Cassandra on Docker @ Walmart LabsCassandra on Docker @ Walmart Labs
Cassandra on Docker @ Walmart LabsDataStax Academy
 
Cassandra 3.0 Data Modeling
Cassandra 3.0 Data ModelingCassandra 3.0 Data Modeling
Cassandra 3.0 Data ModelingDataStax Academy
 
Cassandra Adoption on Cisco UCS & Open stack
Cassandra Adoption on Cisco UCS & Open stackCassandra Adoption on Cisco UCS & Open stack
Cassandra Adoption on Cisco UCS & Open stackDataStax Academy
 
Data Modeling for Apache Cassandra
Data Modeling for Apache CassandraData Modeling for Apache Cassandra
Data Modeling for Apache CassandraDataStax Academy
 
Production Ready Cassandra
Production Ready CassandraProduction Ready Cassandra
Production Ready CassandraDataStax Academy
 
Cassandra @ Netflix: Monitoring C* at Scale, Gossip and Tickler & Python
Cassandra @ Netflix: Monitoring C* at Scale, Gossip and Tickler & PythonCassandra @ Netflix: Monitoring C* at Scale, Gossip and Tickler & Python
Cassandra @ Netflix: Monitoring C* at Scale, Gossip and Tickler & PythonDataStax Academy
 
Cassandra @ Sony: The good, the bad, and the ugly part 1
Cassandra @ Sony: The good, the bad, and the ugly part 1Cassandra @ Sony: The good, the bad, and the ugly part 1
Cassandra @ Sony: The good, the bad, and the ugly part 1DataStax Academy
 
Cassandra @ Sony: The good, the bad, and the ugly part 2
Cassandra @ Sony: The good, the bad, and the ugly part 2Cassandra @ Sony: The good, the bad, and the ugly part 2
Cassandra @ Sony: The good, the bad, and the ugly part 2DataStax Academy
 
Standing Up Your First Cluster
Standing Up Your First ClusterStanding Up Your First Cluster
Standing Up Your First ClusterDataStax Academy
 
Real Time Analytics with Dse
Real Time Analytics with DseReal Time Analytics with Dse
Real Time Analytics with DseDataStax Academy
 
Introduction to Data Modeling with Apache Cassandra
Introduction to Data Modeling with Apache CassandraIntroduction to Data Modeling with Apache Cassandra
Introduction to Data Modeling with Apache CassandraDataStax Academy
 
Enabling Search in your Cassandra Application with DataStax Enterprise
Enabling Search in your Cassandra Application with DataStax EnterpriseEnabling Search in your Cassandra Application with DataStax Enterprise
Enabling Search in your Cassandra Application with DataStax EnterpriseDataStax Academy
 
Advanced Data Modeling with Apache Cassandra
Advanced Data Modeling with Apache CassandraAdvanced Data Modeling with Apache Cassandra
Advanced Data Modeling with Apache CassandraDataStax Academy
 

More from DataStax Academy (20)

Forrester CXNYC 2017 - Delivering great real-time cx is a true craft
Forrester CXNYC 2017 - Delivering great real-time cx is a true craftForrester CXNYC 2017 - Delivering great real-time cx is a true craft
Forrester CXNYC 2017 - Delivering great real-time cx is a true craft
 
Introduction to DataStax Enterprise Graph Database
Introduction to DataStax Enterprise Graph DatabaseIntroduction to DataStax Enterprise Graph Database
Introduction to DataStax Enterprise Graph Database
 
Introduction to DataStax Enterprise Advanced Replication with Apache Cassandra
Introduction to DataStax Enterprise Advanced Replication with Apache CassandraIntroduction to DataStax Enterprise Advanced Replication with Apache Cassandra
Introduction to DataStax Enterprise Advanced Replication with Apache Cassandra
 
Cassandra on Docker @ Walmart Labs
Cassandra on Docker @ Walmart LabsCassandra on Docker @ Walmart Labs
Cassandra on Docker @ Walmart Labs
 
Cassandra 3.0 Data Modeling
Cassandra 3.0 Data ModelingCassandra 3.0 Data Modeling
Cassandra 3.0 Data Modeling
 
Cassandra Adoption on Cisco UCS & Open stack
Cassandra Adoption on Cisco UCS & Open stackCassandra Adoption on Cisco UCS & Open stack
Cassandra Adoption on Cisco UCS & Open stack
 
Data Modeling for Apache Cassandra
Data Modeling for Apache CassandraData Modeling for Apache Cassandra
Data Modeling for Apache Cassandra
 
Coursera Cassandra Driver
Coursera Cassandra DriverCoursera Cassandra Driver
Coursera Cassandra Driver
 
Production Ready Cassandra
Production Ready CassandraProduction Ready Cassandra
Production Ready Cassandra
 
Cassandra @ Netflix: Monitoring C* at Scale, Gossip and Tickler & Python
Cassandra @ Netflix: Monitoring C* at Scale, Gossip and Tickler & PythonCassandra @ Netflix: Monitoring C* at Scale, Gossip and Tickler & Python
Cassandra @ Netflix: Monitoring C* at Scale, Gossip and Tickler & Python
 
Cassandra @ Sony: The good, the bad, and the ugly part 1
Cassandra @ Sony: The good, the bad, and the ugly part 1Cassandra @ Sony: The good, the bad, and the ugly part 1
Cassandra @ Sony: The good, the bad, and the ugly part 1
 
Cassandra @ Sony: The good, the bad, and the ugly part 2
Cassandra @ Sony: The good, the bad, and the ugly part 2Cassandra @ Sony: The good, the bad, and the ugly part 2
Cassandra @ Sony: The good, the bad, and the ugly part 2
 
Standing Up Your First Cluster
Standing Up Your First ClusterStanding Up Your First Cluster
Standing Up Your First Cluster
 
Real Time Analytics with Dse
Real Time Analytics with DseReal Time Analytics with Dse
Real Time Analytics with Dse
 
Introduction to Data Modeling with Apache Cassandra
Introduction to Data Modeling with Apache CassandraIntroduction to Data Modeling with Apache Cassandra
Introduction to Data Modeling with Apache Cassandra
 
Cassandra Core Concepts
Cassandra Core ConceptsCassandra Core Concepts
Cassandra Core Concepts
 
Enabling Search in your Cassandra Application with DataStax Enterprise
Enabling Search in your Cassandra Application with DataStax EnterpriseEnabling Search in your Cassandra Application with DataStax Enterprise
Enabling Search in your Cassandra Application with DataStax Enterprise
 
Bad Habits Die Hard
Bad Habits Die Hard Bad Habits Die Hard
Bad Habits Die Hard
 
Advanced Data Modeling with Apache Cassandra
Advanced Data Modeling with Apache CassandraAdvanced Data Modeling with Apache Cassandra
Advanced Data Modeling with Apache Cassandra
 
Advanced Cassandra
Advanced CassandraAdvanced Cassandra
Advanced Cassandra
 

Recently uploaded

Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 

Recently uploaded (20)

Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 

The Last Pickle: Hardening Apache Cassandra for Compliance (or Paranoia).

  • 1. CASSANDRA DAY ATLANTA 2015 HARDENING CASSANDRA FOR COMPLIANCE (OR PARANOIA) Nate McCall @zznate #CassandraSummit Co-Founder & Sr.Technical Consultant Licensed under a Creative Commons Attribution-NonCommercial 3.0 New Zealand License
  • 2. AboutThe Last Pickle. Work with clients to deliver and improve Apache Cassandra based solutions. Based in New Zealand,Australia & USA.
  • 4. Encryption at Rest Inter-node Communication Client-Server Communication Authentication and Authorization Management andTooling
  • 5. Overview: Security is usually necessitated by Industry Guidelines (depending on organization size)
  • 6. Overview: Industry Guidelines - Financial: PCI-CSS - Healthcare: HIPPAA - Defense/Govt: FIPS - TelCo: CPNI
  • 7. Overview: Industry Guidelines Their heart is in the right place... (Do you really need node to node SSL if it never leaves a backplane?)
  • 8. Overview: But good security practices can save you ...
  • 9. Overview: By necessity we abstract and encapsulate, making it easier to have un-intended side effects knife ssh -x ${knifeUser} -a hostname -E $chefEnv "role:${role}" "${executeCommand}" Then eventually: rm -rf /var/lib/cassandra/*
  • 10. Overview: Basic systems hardening can also protect from common operational errors
  • 11. Overview: System Hardening Limit account access "sudo su -" = trouble
  • 12. Overview: System Hardening Limit filesystem access. Only C* needs /var/lib/cassandra (configuration management does not need access after initialization)
  • 13. Overview: System Hardening Networking - Limit network access - network segmentation and ACLs - iptables, etc
  • 14. Overview: System Hardening: Limit Network Access C* only needs inbound on: - 9042/9160 (clients) - 7000/7001 (cluster) - 7199 (JMX)
  • 15. Encryption at Rest Inter-node Communication Client-Server Communication Authentication and Authorization Management andTooling
  • 16. Encryption At Rest: Why it's a good idea: - Do you know how your cloud provider is actually using storage under the hood? - What does IT do with decommissioned disks? (Are you sure?)
  • 17. Encryption At Rest: There are good open source and commercial options for at-rest encryption
  • 18. Encryption At Rest: It's a distributed system. Make sure you understand the HA Story in context of your needs. Otherwise you introduced an SOPF! eg. "EBS snapshots of the key server" Is this going to work for you?
  • 19. Encryption At Rest: File level vs. Block level
  • 20. Encryption At Rest: Open Source dmCrypt (block) eCrypt-FS (file) Major vendors probably support both https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Installation_Guide/ch29s02.html https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Storage_Administration_Guide/ch-efs.html
  • 21. Encryption At Rest: Commercial - Cloudera Gazzang! -Vormetric
  • 22. Encryption At Rest: Commercial DataStax Enterprise*: CREATETABLE users ... WITH compression_parameters:sstable_compression = 'Encryptor' and compression_parameters:cipher_algorithm = 'AES/ECB/PKCS5Padding' and compression_parameters:secret_key_strength = 128; *commit log not included! (eCrypt-fs to the rescue)
  • 23. Encryption At Rest: Commercial-ish EBS Encryption! (a.k.a. "not my problem") http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
  • 24. Encryption at Rest Inter-Node Communication Client-Server Communication Authentication and Authorization Management andTooling
  • 25. Inter-Node Communication: SSL Inter-Node encryption can be rolled out on production with no downtime* * Depending on client consistency levels
  • 27. Inter-Node Communication: SSL:Why It's a Good Idea: -Dcassandra.write_survey=true "I can has your writes" from: http://icanhascheeseburger.com
  • 28. Inter-Node Communication: SSL:Why It's a Good Idea: Every operation is a Message on the wire
  • 29. Inter-Node Communication: SSL:Why It's a Good Idea: It takes one Message to insert an admin account into the system_auth table
  • 30. Inter-Node Communication: SSL SSL Certificates: a brief interlude
  • 31. Inter-Node Communication: SSL: Certificates Done Right BYO Certificate Authority A CA in this case provides the root certificate which can be used to validate a node's identity without needing direct knowledge of that node.
  • 32. Inter-Node Communication: SSL: Certificates Done Right Don't do this: http://docs.datastax.com/en/cassandra/2.1/cassandra/security/secureSSLCertificates_t.html <- BAD! LOL!
  • 33. Inter-Node Communication: SSL: Certificates Done Right What we should do: 1. create the CA with a "root" certificate 2. create certificates for each node 3. export each node's certificates to be signed by CA 4. sign each nodes certificate with the CA 5. add the CA root public certificate into each node's key store 5. add the signed result back into that node's key store 6. import CA root public certificate into each node's trust store (or build one and copy it around)
  • 34. Inter-Node Communication: SSL: Certificates Done Right Be your own CA openssl req -config gen_ca_cert.conf -new -x509 -keyout ca-key -out ca-cert -days 365
  • 35. Inter-Node Communication: SSL: Certificates Done Right 'gen_ca_cert.conf' [ req ] distinguished_name = req_distinguished_name prompt = no output_password = mypass default_bits = 2048 [ req_distinguished_name ] C = US ST = TX L = Austin O = TLP OU = TestCluster CN = TestClusterMasterCA emailAddress = info@thelastpickl.com
  • 36. Inter-Node Communication: SSL: Certificates Done Right What we just did - `req`:An OpenSSL sub-command saying that we are (in this case) creating a PKCS#10 X.509 Certificate (see https://www.openssl.org/docs/manmaster/apps/req.html for full details) The following parameters are all options of "-req" `-config`: The path to the config file (avoids having to provide information on STDIN) `-new`: This is a new signing request we are making `-x509`: The output will be a self-signed certificate we can use as a root CA `-keyout`: The filename to which we will write our key `-out`: The filename to which we will write our certificate `-days`: The number of days for which the generated certificate will be valid
  • 37. Inter-Node Communication: SSL: Certificates Done Right Per-Node Certificate Creation keytool -genkeypair -keyalg RSA -alias node1 -keystore node1-server-keystore.jks -storepass awesomekeypass -keypass awesomekeypass -validity 365 -keysize 2048 -dname "CN=node1, OU=SSL-verification-cluster, O=TheLastPickle, C=US"
  • 38. Inter-Node Communication: SSL: Certificates Done Right What we just did `-genkeypair`: the keytool command to generate a public/private key pair combination `-keyalg`:The algorithm to use, RSA in this case* `-alias`:An alias to use for this public/private key pair. It needs to identify the public key when imported into a key store. I usually use some form of $hostname-cassandra `-keystore`:The location of our key store (created if it does not already exist) `-storepass`:The password for the key store `-keypass`:The password for the key `-validity`:The number of days for which this key pair will be valid `-keysize`:The size of the key to generate https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html
  • 39. Inter-Node Communication: SSL: Certificates Done Right A note about "-dname": CN=node1 Common Name: Best practice is to use hostname OU=SSL-verification-cluster Organizational Unit: I like to use the environment specific cluster name O=TheLastPickle Organization C=US" Country Note: Hostname verification can be done against subjectAlternativeName Add "-ext SAN=DNS:thelastpickle.com" to keytool invocation if desired.
  • 40. Inter-Node Communication: SSL: Certificates Done Right Exporting certificates for signing by the CA keytool -keystore node1-server-keystore.jks -alias node1 -certreq -file node1_cert_sr -keypass awesomekeypass -storepass awesomekeypass
  • 41. Inter-Node Communication: SSL: Certificates Done Right Sign each node's certificate with the CA openssl x509 -req -CA ca-cert -CAkey ca-key -in node1_cert_sr -out node1_cert_signed -days 365 -CAcreateserial -passin pass:mypass
  • 42. Inter-Node Communication: SSL: Certificates Done Right What did we just do: - `x509` Use the display and signing subcommand (https://www.openssl.org/docs/manmaster/apps/ x509.html) The following parameters are options of "x509" - `-req` We are signing a certificate request as opposed to a certificate - `-CA` The CA cert file created above - `-CAKey` The CA key file created above - `-in` The certificate request we are signing - `-out` The newly-signed certificate file to create - `-days` The number of days for which the signed certificate will be valid - `-CAcreateserial` Create a serialnumber for this CSR - `-passin` The keypassword source.The arguments to 'passin' have their own formatting instructions. See 'Pass Phrase Arguments' on https://www.openssl.org/docs/manmaster/apps/openssl.html
  • 43. Inter-Node Communication: SSL: Certificates Done Right Add the CA's public key to the node's key stores keytool -keystore node1-server-keystore.jks -alias CARoot -import -file ca-cert -noprompt -keypass awesomekeypass -storepass awesomekeypass
  • 44. Inter-Node Communication: SSL: Certificates Done Right Import that node's signed certificate back into it's trust store keytool -keystore node1-server-keystore.jks -alias node1 -import -file node1_cert_signed -keypass awesomekeypass -storepass awesomekeypass
  • 45. Inter-Node Communication: SSL: Certificates Done Right Build a trust store from the CA's public certificate (this can be shared among all nodes) keytool -keystore generic-server-truststore.jks -alias CARoot -importcert -file ca-cert -keypass mypass -storepass truststorepass -noprompt
  • 46. Inter-Node Communication: SSL: Certificates Done Right OMG! A Trust Chain!
  • 47. Inter-Node Communication: SSL Done Right server_encryption_options: internode_encryption: all keystore: conf/server-keystore.jks keystore_password: awesomekeypass truststore: conf/server-truststore.jks truststore_password: truststorepass protocol: TLS algorithm: SunX509 store_type: JKS cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA] require_client_auth: true
  • 48. Inter-Node Communication: SSL Done Right server_encryption_options: internode_encryption: all keystore: conf/server-keystore.jks keystore_password: awesomekeypass truststore: conf/server-truststore.jks truststore_password: truststorepass protocol: TLS algorithm: SunX509 store_type: JKS cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA] require_client_auth: true If you don't set this to true, you might as well turn encryption off
  • 49. Inter-Node Communication: SSL Done Right Also: Key store password and key password *must be the same* server_encryption_options: ... keystore_password: awesomekeypass require_client_auth: true ... keytool ... -keypass awesomekeypass ...
  • 50. Inter-Node Communication: SSL Done Right Export restrictions? Use128 bit keys cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA] http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#importlimits
  • 51. Inter-Node Communication: SSL: Certificates Done Right Trouble? -Djavax.net.debug=ssl http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/ReadDebug.html
  • 52. Inter-Node Communication: SSL: Certificates Done Right This Just In! Netflix Lemur: "x.509 Certificate Orchestration Framework" http://techblog.netflix.com/2015/09/introducing-lemur.html https://github.com/Netflix/lemur
  • 56. Inter-Node Communication:Authenticator o.a.c.auth.IInternodeAuthenticator boolean authenticate(InetAddress remoteAddress, int remotePort); void validateConfiguration() throws ConfigurationException;
  • 57. Encryption at Rest Inter-Node Communication Client-Server Communication Authentication and Authorization Management andTooling
  • 58. Client-Server Communication Same CA setup as Server-to-Server (same limitations, too)
  • 59. Client-Server Communication client_encryption_options: enabled: true keystore: conf/client-keystore.jks keystore_password: clientkeypass truststore: conf/client-truststore.jks truststore_password: clienttrustpass protocol: TLS algorithm: SunX509 store_type: JKS cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA] require_client_auth: true
  • 60. Client-Server Communication client_encryption_options: enabled: false keystore: conf/client-keystore.jks keystore_password: clientkeypass truststore: conf/client-truststore.jks truststore_password: clienttrustpass protocol: TLS algorithm: SunX509 store_type: JKS cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA] require_client_auth: true If you don't set this to true, you might as well turn encryption off
  • 61. Encryption at Rest Inter-Node Communication Client-Server Communication Authentication and Authorization Management andTooling
  • 63. Authentication and Authorization: Best practices are the same as for RDBMS
  • 64. Authentication and Authorization: Best Practices Segment users: - Admin - Per-service CRUD - CRUD (reporting)
  • 65. Authentication and Authorization: Best Practices Limit access to tables and keyspaces
  • 66. Authentication and Authorization: Role-based access control (RBAC) in 2.2
  • 67. Authentication and Authorization:Authentication authenticator: PasswordAuthenticator Tip: keep your read-only cqlsh credentials in $HOME/.cassandra/cqlshrc of the system's admin account
  • 68. Authentication and Authorization:Authorization authorizer: CassandraAuthorizer TIP: turn permissions_validity_in_ms WAY UP default is 2000 (2 seconds!!) can use permissions_update_interval_in_ms for async refresh if needed
  • 69. Authentication and Authorization:Authorization These tables have default read permission for every authenticated user: system.schema_keyspace system.schema_columns system.schema_columnfamilies system.local system.peers
  • 70. Authentication and Authorization:Authentication IMPORTANT: "Please increase system_auth keyspace replication factor if you use this..." RF=Number of Nodes
  • 71. Encryption at Rest Inter-Node Communication Client-Server Communication Authentication and Authorization Management and Tooling
  • 73. Management andTooling: Securing JMX Options as of 2.1.8 will look familiar: JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStore=/path/to/keystore" JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStorePassword=<keystore-password>" JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStore=/path/to/truststore" JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStorePassword=<truststore-password>" JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.need.client.auth=true" JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.registry.ssl=true" JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.protocols=<enabled-protocols>" JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.cipher.suites=<enabled-cipher- suites>"
  • 74. Management andTooling: Securing JMX Thus: as of 2.1.8, nodetool can use SSL* * https://issues.apache.org/jira/browse/CASSANDRA-9090
  • 75. Management andTooling: Securing JMX Configure authentication for JMX* Now you can do: nodetool status -u monitor -pw monitorpass * http://docs.datastax.com/en/cassandra/2.1/cassandra/security/secureJmxAuthentication.html
  • 76. Management andTooling: Securing JMX JMX user/password and role configuration is flexible For details, take a look at the defaults: $JAVA_HOME/jre/lib/management/jmxremote.access $JAVA_HOME/jre/lib/management/jmxremote.password.template
  • 78. Nate McCall @zznate Co-Founder & Sr.Technical Consultant www.thelastpickle.com #CassandraSummit