Securing Cassandra for Compliance

Securing Cassandra for Compliance SlideShare Explore You Successfully reported this slideshow.Securing Cassandra for ComplianceUpcoming SlideShareLoading in …5× 0 Comments 5 Likes Statistics Notes Tanyadesigan Kanako Ogorochi , Rakuten - DBA at Rakuten Sambaiah Kilaru Justin Miller , Senior Systems Engineer at Cotiviti at Cotiviti Jeremy Bae , DevSecOps, AppSec specialist No DownloadsNo notes for slide 1. Securing Cassandrafor Compliance (or Paranoia) 2. Hi, I'm Nate.@zznatehttps://www.linkedin.com/in/zznatehttp://www.slideshare.net/zznate/Co-Founder, CTOThe Last PickleCassandra user since 2009 (v0.4)Austin, Texas 3. Security presentations can be scary.Here's a cat. 4. First, how did we get here and why issecuring Cassandra important? 5. "Target CEO Gregg Steinhafel Resigns InData Breach Fallout"http://www.forbes.com/sites/clareoconnor/2014/05/05/target-ceo-gregg-steinhafel-resigns-in-wake-of-data-breach-fallout/First, how did we get here and why issecuring Cassandra important? 6. I haveyourpersonalinformationCustomers place a lot of trustin technology companies 7. LOL! Me too!Sometimes too much. 8. Ease of scalability comes with a price 9. HA! A bin-packedmessage format with no sourceverification!*Ease of scalability comes with a price* <currently reading o.a.c.net.MessageIn#read> 10. nmap -Pn -p7000 -oG logs/cass.gnmap 54.88.0.0/14 11. I'm publiclydiscussing yourtechnicalshortcomingsThen you end up in this situation. 12. Meanwhile, at the FCC...We have to require twofactor, secure socket transportencryption, something something...ZZZzzzzzzzZZZzz 13. We did a regulation!My staffers still printout my email :) 14. Whyare we doingthis again?Sssshhhh.I'm AES'ing......even though the trafficnever leaves a backplane.Some industries will require node to node SSL 15. 1. Encrypting data at rest2. Encrypting data on the wire3. Authentication and authorization4. Management and toolingFocusing our Discussion: Architecture 16. 1. Encryption at rest 17. No matter what:understand the failure modes 18. bit rot, entropy, etc.Horrible things can happen with on disk encryption. 19. Don't mind me, I'm justyour key server. 20. Haha! Later!xWhat's on thisdisk again?Shrug. 21. ...but you may not have a choice.Because we said "at rest" 22. dmcrypt, eCryptFSOpen source options: 23. Vormetric, GazzangCommercial options: 24. DSE EncryptionCREATETABLE users...WITH compression_parameters:sstable_compression = 'Encryptor'and compression_parameters:cipher_algorithm = 'AES/ECB/PKCS5Padding'and compression_parameters:secret_key_strength = 128; 25. DSE EncryptionCREATETABLE users...WITH compression_parameters:sstable_compression = 'Encryptor'and compression_parameters:cipher_algorithm = 'AES/ECB/PKCS5Padding'and compression_parameters:secret_key_strength = 128;WARNING:commitlog not included**eCryptFS would work fine for this 26. EBS Encryption(a.k.a "not my problem") 27. (Looks like this)EBS Encryption(a.k.a "not my problem")http://www.slideshare.net/AmazonWebServices/bdt323-amazon-ebs-cassandra-1-million-writes-per-secondSee Crowdstrike's presentation onCassandra GP2 performance (with encryption): 28. Maybe Client Side?The Java Driver now has custom codecswhich would make this easy to implementhttps://github.com/datastax/java-driver/tree/3.0/manual/custom_codecs 29. Maybe Client Side?The Java Driver now has custom codecswhich would make this easy to implementhttps://github.com/datastax/java-driver/tree/3.0/manual/custom_codecsColumn-level encryption! 30. New in Cassandra 3.4(DSE 5.1?):Commitlog Encryption: CASSANDRA-6018Hint File Encryption: CASSANDRA-11040https://issues.apache.org/jira/browse/CASSANDRA-6018https://issues.apache.org/jira/browse/CASSANDRA-11040 31. 2. Encryption on the wire 32. Because:It is really easy to attackan un-protected cluster 33. It takes a single Messageto insert an admin accountinto the system table 34. -Dcassandra.write_survey=trueHow to steal writes in real time: 35. The fix is straight forward:node to node encryption and SSL client certificateauthentication to cluster traffic 36. Awwwwww.The fix is straight forward:node to node encryption and SSL client certificateauthentication to cluster traffic 37. Awwwwww.The fix is straight forward:node to node encryption and SSL client certificateauthentication to cluster trafficBonus: can be donewith NO downtime!!! 38. Awwwwww.The fix is straight forward:node to node encryption and SSL client certificateauthentication to cluster trafficBonus: can be donewith NO downtime!!!How-to guide:http://thelastpickle.com/blog/2015/09/30/hardening-cassandra-step-by-step-part-1-server-to-server.html 39. When you are done it should look like: 40. Things to note:Use "dc" or "rack" to limit encryption toconnections between racks and data centers 41. Thanks for that!!Huzzah!(But AES on modern hardwarewill not be a bottleneck) 42. Things to note:Keystore and key password must match(artifact of JDK X.509 Impl complexity) 43. Things to note:256 bit means export restrictions(requires JCE provider JAR)http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.htmlhttp://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#importlimits 44. Don't forget this part or else...Things to note: 45. Hahaha!Now I'm hacking you over SSL.*Still* vulnerable AND you can't see what theattacker is doing. 46. Client to Server SSL 47. Client to Server SSL(see slides 30 to 35) 48. Client to Server SSL(see slides 30 to 35)Now with NO downtime!!!https://issues.apache.org/jira/browse/CASSANDRA-10559Available in: 2.1.12, 2.2.4, 3.0.0 49. Need to Debug SSL?-Djavax.net.debug=sslhttp://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/ReadDebug.html 50. Certs are hard :(Netflix Lemur:x.509 Certificate Orchestration Frameworkhttp://techblog.netflix.com/2015/09/introducing-lemur.htmlhttps://github.com/Netflix/lemur 51. Certs are hard :(Hashicorp Vault"secures, stores, and tightly controls access totokens, passwords, certificates, API keys, andother secrets in modern computing. "https://www.vaultproject.io/ 52. 2. Encryption on the wireBut wait! There's more! 53. The internode authentication API:BYO identity verification 54. Looks like this: 55. 3. Authentication and Authorization 56. Best practices should not be new to you.user segmentationschema access limitationetc. 57. (Everything we did with an RDBMS)Best practices should not be new to you.user segmentationschema access limitationetc. 58. Best practices should not be new to you.user segmentationschema access limitationetc.(Everything we did with an RDBMS)New in 2.2:Role-based access control! 59. An Example 60. An Example 61. An Example 62. An Example 63. An Examplebuzzword compliant! 64. An Example 65. An Example 66. Turning it all onauthenticator: PasswordAuthenticatorTip: keep your read-only cqlsh credentials in$HOME/.cassandra/cqlshrcof the system's admin account 67. Turning it all onauthorizer: CassandraAuthorizer 68. Turning it all onrole_manager: CassandraRoleManager 69. Turning it all onauthorizer: CassandraAuthorizerauthenticator: PasswordAuthenticatorrole_manager: CassandraRoleManagerWARNING:potential downtime! 70. authorizer: CassandraAuthorizerauthenticator: PasswordAuthenticatorrole_manager: CassandraRoleManagerTurning it all onWARNING:potential downtime!WARNING:stupid defaults 71. authorizer: CassandraAuthorizerauthenticator: PasswordAuthenticatorrole_manager: CassandraRoleManagerTurning it all onWARNING:potential downtime!WARNING:stupid defaultsTIP: turn these WAY UP:permissions_validity_in_msroles_validity_in_msAlso: use permissions_update_interval_in_msfor async refresh if needed 72. authorizer: CassandraAuthorizerauthenticator: PasswordAuthenticatorrole_manager: CassandraRoleManagerTurning it all onWARNING:potential downtime!WARNING:stupid defaultsNEW in 3.4:credentials_validity_in_ms** https://issues.apache.org/jira/browse/CASSANDRA-7715 73. Turning it all onauthorizer: TransitionalAuthorizerauthenticator: TransitionalAuthenticatorDSE plugins to avoid downtime 74. Turning it all onsystem.schema_keyspacesystem.schema_columnssystem.schema_columnfamiliessystem.localsystem.peersThese tables have default read permissions for everyauthenticated user: 75. Turning it all onIMPORTANT cassandra.yaml line note:"Please increase system_auth keyspacereplication factor if you use this..."Tip: replication factor for the system_authkeyspace should be the same as the numberof nodes in the data center 76. Turning it all onIMPORTANT cassandra.yaml line note:"Please increase system_auth keyspacereplication factor if you use this..."Tip: replication factor for the system_authkeyspace should be the same as the numberof nodes in the data centerWARNING:stupid defaults**https://issues.apache.org/jira/browse/CASSANDRA-11340 77. 4. Management and tooling 78. 4. Management and tooling 79. Securing JMX 80. nmap -Pn -p7199 -oG logs/cass.gnmap 54.88.0.0/14Always a few suckers thatTL,DR'ed 81. Why do I need to secure JMX? 82. Works as Advertised! 83. alsogood forsomeLOLs 84. Securing JMXSSL setup is like node to node and client to serverhttp://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html 85. Securing JMXJMX Authentication is straightforwardand well documented$JAVA_HOME/jre/lib/management/jmxremote.access$JAVA_HOME/jre/lib/management/jmxremote.password.templatehttp://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html 86. Securing JMX$JAVA_HOME/jre/lib/management/jmxremote.access$JAVA_HOME/jre/lib/management/jmxremote.password.templateNow you can:nodetool -u admin -pw secret compactionstatshttp://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.htmlJMX Authentication is straightforwardand well documented 87. Securing JMX$JAVA_HOME/jre/lib/management/jmxremote.access$JAVA_HOME/jre/lib/management/jmxremote.password.templateNow you can:nodetool -u admin -pw secret compactionstatsTip: -pwf option will read the password from a filehttp://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.htmlJMX Authentication is straightforwardand well documented 88. Securing JMX$JAVA_HOME/jre/lib/management/jmxremote.access$JAVA_HOME/jre/lib/management/jmxremote.password.templateNow you can:nodetool -u admin -pw secret compactionstatsJMX Authentication is straightforwardand well documentedTHIS JUST IN!!!RBAC for JMX Authentication and Authorizationhttps://issues.apache.org/jira/browse/CASSANDRA-10091 89. Thanks!@zznate Recommended Learning PowerPoint 2016Online Course - LinkedIn Learning Teaching Techniques: Writing Effective Learning ObjectivesOnline Course - LinkedIn Learning How to Use LinkedIn LearningOnline Course - LinkedIn Learning Securing Cassandra The Right WayDataStax Academy Webinar | Aligning GDPR Requirements with Today's Hybrid Cloud RealitiesDataStax Designing a Distributed Cloud Database for DummiesDataStax How to Power Innovation with Geo-Distributed Data Management in Hybrid CloudDataStax How to Evaluate Cloud Databases for eCommerceDataStax Webinar: DataStax Enterprise 6: 10 Ways to Multiply the Power of Apache Cassa...DataStax Webinar: DataStax and Microsoft Azure: Empowering the Right-Now Enterprise wi...DataStax About Blog Terms Privacy Copyright LinkedIn Corporation © 2018 Public clipboards featuring this slideNo public clipboards found for this slideSelect another clipboard ×Looks like you’ve clipped this slide to already.Create a clipboardYou just clipped your first slide! Clipping is a handy way to collect important slides you want to go back to later. Now customize the name of a clipboard to store your clips. Description Visibility Others can see my Clipboard