Describes in detail the security architecture of Apache Cassandra. We discuss encryption at rest, encryption on the wire, authentication and authorization, and securing JMX and management tools.
4. First, how did we get here and why is
securing Cassandra important?
5. "Target CEO Gregg Steinhafel Resigns In
Data Breach Fallout"
http://www.forbes.com/sites/clareoconnor/2014/05/05/target-ceo-gregg-steinhafel-resigns-in-wake-of-data-breach-fallout/
12. Meanwhile, at the FCC...
We have to require two
factor, secure socket transport
encryption, something something...
ZZZzzzzzzzZZZzz
13. We did a regulation!
My staffers still print
out my email :)
14. Why
are we doing
this again?
Sssshhhh.
I'm AES'ing...
...even though the traffic
never leaves a backplane.
Some industries will require node to node SSL
15. Focusing our Discussion: Architecture
1. Encrypting data at rest
2. Encrypting data on the wire
3. Authentication and authorization
4. Management and tooling
25. DSE Encryption
-- SSTable encryption is enabled through the table's compression parameters
CREATE TABLE users
...
WITH compression_parameters:sstable_compression = 'Encryptor'
and compression_parameters:cipher_algorithm = 'AES/ECB/PKCS5Padding'
and compression_parameters:secret_key_strength = 128;
WARNING:
commitlog not included*
*eCryptFS would work fine for this
27. EBS Encryption
(a.k.a. "not my problem")
(Looks like this)
See Crowdstrike's presentation on Cassandra GP2 performance (with encryption):
http://www.slideshare.net/AmazonWebServices/bdt323-amazon-ebs-cassandra-1-million-writes-per-second
29. Maybe Client Side?
The Java Driver now has custom codecs
which would make this easy to implement
https://github.com/datastax/java-driver/tree/3.0/manual/custom_codecs
Column-level encryption!
30. New in Cassandra 3.4
(DSE 5.1?):
Commitlog Encryption: CASSANDRA-6018
Hint File Encryption: CASSANDRA-11040
https://issues.apache.org/jira/browse/CASSANDRA-6018
https://issues.apache.org/jira/browse/CASSANDRA-11040
35. The fix is straightforward:
add node-to-node encryption and SSL client certificate
authentication to cluster traffic
38. Awwwwww.
The fix is straightforward:
add node-to-node encryption and SSL client certificate
authentication to cluster traffic
Bonus: can be done
with NO downtime!!!
How-to guide:
http://thelastpickle.com/blog/2015/09/30/hardening-cassandra-step-by-step-part-1-server-to-server.html
43. Things to note:
256 bit means export restrictions
(requires JCE provider JAR)
http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#importlimits
48. Client to Server SSL
(see slides 30 to 35)
Now with NO downtime!!!
https://issues.apache.org/jira/browse/CASSANDRA-10559
Available in: 2.1.12, 2.2.4, 3.0.0
49. Need to Debug SSL?
-Djavax.net.debug=ssl
http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/ReadDebug.html
50. Certs are hard :(
Netflix Lemur:
x.509 Certificate Orchestration Framework
http://techblog.netflix.com/2015/09/introducing-lemur.html
https://github.com/Netflix/lemur
51. Certs are hard :(
Hashicorp Vault
"secures, stores, and tightly controls access to
tokens, passwords, certificates, API keys, and
other secrets in modern computing."
https://www.vaultproject.io/
58. Best practices should not be new to you.
user segmentation
schema access limitation
etc.
(Everything we did with an RDBMS)
New in 2.2:
Role-based access control!
66. Turning it all on
authenticator: PasswordAuthenticator
Tip: keep your read-only cqlsh credentials in
$HOME/.cassandra/cqlshrc
of the system's admin account
69. Turning it all on
authorizer: CassandraAuthorizer
authenticator: PasswordAuthenticator
role_manager: CassandraRoleManager
WARNING:
potential downtime!
73. Turning it all on
authorizer: TransitionalAuthorizer
authenticator: TransitionalAuthenticator
DSE plugins to avoid downtime
74. Turning it all on
These tables have default read permissions for every
authenticated user:
system.schema_keyspace
system.schema_columns
system.schema_columnfamilies
system.local
system.peers
76. Turning it all on
IMPORTANT cassandra.yaml line note:
"Please increase system_auth keyspace
replication factor if you use this..."
Tip: replication factor for the system_auth
keyspace should be the same as the number
of nodes in the data center
WARNING:
stupid defaults*
*https://issues.apache.org/jira/browse/CASSANDRA-11340
85. Securing JMX
SSL setup is like node to node and client to server
http://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html
86. Securing JMX
JMX Authentication is straightforward
and well documented
$JAVA_HOME/jre/lib/management/jmxremote.access
$JAVA_HOME/jre/lib/management/jmxremote.password.template
http://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html