Presentation is loading. Please wait.

Presentation is loading. Please wait.

How to Solve BigData Security Puzzle?

Published byJewel Rice Modified over 6 years ago

Similar presentations

Presentation on theme: "How to Solve BigData Security Puzzle?"— Presentation transcript:

1 How to Solve BigData Security Puzzle?

2 Two Reasons for Security in BigData
1 Hadoop Contains Sensitive Data As Hadoop adoption grows so too has the types of data organizations look to store. Often the data is proprietary or personal and it must be protected. In this context, Hadoop is governed by the same security requirements as any data center platform. Hadoop is subject to Compliance adherence Organizations are often subject to comply with regulations such as HIPAA, PHI, PCI, DSS, FISAM that require protection of personal information. Adherence to other Corporate security policies. 2

3 BigData Security: Key Aspects
Centralized Security Administration Kerberos API security Authentication Who am I/prove it? Authorization What can I do? Fine grain access control Centralized audit reporting Audit What did I do? Wire encryption in Hadoop Native and partner encryption Data Protection Can data be encrypted at rest and over the wire?

4 Authentication: Kerberos
Provides Strong Authentication Prevents impersonation on unauthorized account Supports token delegation model Works with existing directory services Basis for Authorization

5 API Security Pattern Hadoop Cluster Application Tier App A App N App B
App C Data Ingest ETL Admin/ Operators Bastian Node SSH RPC Call Falcon Oozie Scoop Flume Data Operator Business User JDBC/ODBC REST/HTTPS API Gateway

6 API Security …. Why we need it? Challenges/Limitations
Extend reach of Hadoop APIs to Anyone on Any device Enterprise authentication Apply Enterprise capabilities to All REST APIs – IdM Integration, SSO, OAuth, SAML Avoid exposing Cluster port, hostnames to all users Challenges/Limitations Not suitable for heavy data ingestion activities Supports specific services WebHDFS (HDFS) Templeton (HCatalog) Stargate (HBase) Oozie Hive/JDBC Yarn RM Storm

7 Authorization and Audit
Fine grain access control HDFS – Folder, File Hive – Database, Table, Column HBase – Table, Column Family, Column Storm, Knox and more Audit Extensive user access auditing in HDFS, Hive and Hbase etc. IP Address Resource type/ resource Timestamp Access granted or denied Flexibility in defining policies Monitoring through Auditing

8 Authorization Apache Ranger
Delivers a ‘single pane of glass’ for the security administrator Centralizes administration of security policy Ensures consistent coverage across the entire Hadoop stack

9 Audit

10 Data Protection in Hadoop
must be applied at three different layers in Apache Hadoop Storage: encrypt data while it is at rest Direct data flows “into” and “out of” 3rd party encryption tools and/or rely upon hardware specific techniques (i.e. drive-level encryption). Transmission: encrypt data as it is in motion Native Apache Hadoop 2.0 provides wire encryption. Upon Access: apply restrictions when accessed Direct data flows “into” and “out of” 3rd party encryption tools.

11 Data Protection: Data at Rest
Encryption Data converted to binary Ciphertext using mathematical algorithm. Can be one-way (Hash) or reversible (Symmetric/Asymmetric). Tokenization Real data is replaced with randomly generated characters of same data type.

12 Data Protection: Transmission
WebHDFS Provides read/write access to HDFS Optionally enable HTTPS Authenticated using SPNEGO (Kerberos for HTTP) filter RPC Communications between NNs, DNs, etc. and Clients SASL based wire encryption JDBC/ODBC SSL based wire encryption Shuffle Mapper to Reducer over HTTP(S) with SSL

13 Data Protection: Upon Access
Hadoop Ecosystem KMS Encryption server/agent Ingestion stream Hadoop Component UDFs (e.g. HIVE) Encrypt/ Decrypt Reporting HDFS File/Directory encryption – HDFS Column level encryption – Hadoop Ecosystem components or ingestion framework Data tokenization – Encryption server/agent

14 Infrastructure Security
A physically zoned off Data lake using Firewall with network segmentation Data lake cluster nodes running on specific ports open & IP tables turned on SSSD or Centrify for users and groups OS Hardening Security scans to shut down non-essentials services on individual hosts. Up-to date patching levels applied to the server.

15 Enterprise-wide Authorization Policy Management
AD is identity store with existing user and group provisioning process as prescribed at an enterprise level. Active Directory Group & User Group & user sync Enterprise Policy authorization Software Integration API Hadoop Policy Server DBMS Enterprise Policy authorization software is the enterprise level repository for defining policies across all applications managed under this umbrella for a seamless authorization experience based on role and group participations in AD. Policy store Hadoop Component Hadoop Ecosystem

16 Application Access Security Pattern
LDAP Sync users/groups from LDAP Policy Manager SSL SSL SSL 2.Knox Authenticates user/pass 5. Ranger AuthZ HDFS HiveServer 2 1.Original request w/user id/password Gateway Security 6.Hive creates map reduce using NN ST 4.Knox calls as proxy user SASL A B C SSL SSL Client gets query result Use Hive ST, submit query O/JDBC Client Hive gets Namenode (NN) service ticket At rest data encryption option at HDFS level 3.Knox gets service ticket for Hive KDC

17 Lessons Learned .. Start Early Think Enterprise Engage Experts
Collaborate and Socialize Manage Vulnerabilities Monitor, Report and Audit

Download ppt "How to Solve BigData Security Puzzle?"

Similar presentations

Secure Single Sign-On Across Security Domains

Secure Single Sign-On Across Security Domains
Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Notes: Update as of 1/13/2010. Vulnerabilities are included for SQL Server 2000, SQL Server 2005, SQL Server 2008. Oracle (8i, 9i, 9iR2, 10g, 10gR2,11g),

Notes: Update as of 1/13/2010. Vulnerabilities are included for SQL Server 2000, SQL Server 2005, SQL Server Oracle (8i, 9i, 9iR2, 10g, 10gR2,11g),
Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.
A Java Architecture for the Internet of Things Noel Poore, Architect Pete St. Pierre, Product Manager Java Platform Group, Internet of Things September.

A Java Architecture for the Internet of Things Noel Poore, Architect Pete St. Pierre, Product Manager Java Platform Group, Internet of Things September.
1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.

1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.

ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.
Confidential FullArmor Corp. 2015 Platform for SaaS and mobile apps to remotely access, migrate, and sync Active Directory resources with the cloud ADanywhere.

Confidential FullArmor Corp Platform for SaaS and mobile apps to remotely access, migrate, and sync Active Directory resources with the cloud ADanywhere.
Hortonworks. We do Hadoop.

Hortonworks. We do Hadoop.
Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard
Brian Bradley.  Data is any type of stored digital information.  Security is about the protection of assets.  Prevention: measures taken to protect.

Brian Bradley.  Data is any type of stored digital information.  Security is about the protection of assets.  Prevention: measures taken to protect.
Understanding Active Directory

Understanding Active Directory
MongoDB Sharding and its Threats

MongoDB Sharding and its Threats
Making Apache Hadoop Secure Devaraj Das Yahoo’s Hadoop Team.

Making Apache Hadoop Secure Devaraj Das Yahoo’s Hadoop Team.
Directory and File Transfer Services Chapter 7. Learning Objectives Explain benefits offered by centralized enterprise directory services such as LDAP.

Directory and File Transfer Services Chapter 7. Learning Objectives Explain benefits offered by centralized enterprise directory services such as LDAP.
Securing Legacy Software SoBeNet User group meeting 25/06/2004.

Securing Legacy Software SoBeNet User group meeting 25/06/2004.
Survey of Identity Repository Security Models JSR 351, Sep 2012.

Survey of Identity Repository Security Models JSR 351, Sep 2012.
Authenticating Users Chapter 6. Learning Objectives Understand why authentication is a critical aspect of network security Describe why firewalls authenticate.

Authenticating Users Chapter 6. Learning Objectives Understand why authentication is a critical aspect of network security Describe why firewalls authenticate.

Similar presentations

Ads by Google