Securing the Data Hub--Protecting your Customer IP (Technical Workshop)
1. 1© Cloudera, Inc. All rights reserved.
Securing the Data Hub
Protecting your Customer IP
Mahdi Askari, System Engineer, Cloudera
2.
Building a Secure Big Data Environment
Mahdi Askari | Systems Engineer
3.
Today’s Agenda
• Understanding the threat
• Addressing the four pillars
• In-depth analysis
• Role-based access control (demo)
• Navigator Audit (demo)
• Competitive comparison (discussion)
5.
Security: Why is this Important?
• Big Data is maturing
• Was initially used by a small segment of the organisation
• Many solutions are moving from “can it work” to “how can we do it responsibly”
• Focus on insider threats:
• Standard users
• Administrators
• Compromised accounts
6.
Threat: standard users
• Big Data combines multiple datasets
• A lot of value in the matched data
• Very tempting to abuse:
• Looking up an ex-spouse’s or neighbour’s details
• Dumping data to work on “offline” (on home systems)
• Taking intellectual property to competitors
7.
Threat: administrators
• Changing attitudes: administrators recognised as a point of failure
• Have all the same incentives as regular users
• Plus:
• Can potentially remove all trace of dumps
• Could encrypt all your data and take the keys to a non-extradition country
• How much would you pay to get it back?
8.
Threat: compromised accounts
• Technology is often hard to break (at least ours ;-) )
• The single point of failure is often the human element
• Source: Kevin Mitnick, The Art of Deception
• How would you recognise different behaviour?
10.
Demonstration: RBAC
• Sentry Service: allows dynamic changes to the security policy
• Preferred over policy files (which require re-deployment)
• We will demonstrate 3 core areas:
• Basic RBAC on tables
• RBAC on columns
• RBAC on rows (via RecordService)
11.
Demo Roles and Access
• User Bob: member of
• Staff
• Sensitive
• User Alice: member of
• Staff
• Finance
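The demo on the two slides above can be modelled end to end in a few dozen lines. Sentry grants privileges to roles, roles to groups, and users arrive with their group memberships (from LDAP/AD), so an authorisation check is a walk from user to groups to roles to privileges. The following is an added example written for this page, not Cloudera's or Sentry's code: it uses the users and groups from the slide (Bob in Staff and Sensitive, Alice in Staff and Finance) but the role names, the `hr` tables, their columns, rows, and the `(column, value)` row predicate standing in for a RecordService-style row filter are all constructed here. It covers all three demo areas: table-level, column-level and row-level access.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed schema and data for the example (not the deck's demo data).
TABLES = {
    ("hr", "employees"): ["emp_id", "name", "dept", "salary"],
    ("hr", "incidents"): ["inc_id", "region", "summary"],
}
ROWS = {
    ("hr", "employees"): [
        {"emp_id": 1, "name": "Ann", "dept": "eng", "salary": 120},
        {"emp_id": 2, "name": "Raj", "dept": "fin", "salary": 95},
    ],
    ("hr", "incidents"): [
        {"inc_id": 10, "region": "APAC", "summary": "badge lost"},
        {"inc_id": 11, "region": "EMEA", "summary": "laptop stolen"},
    ],
}


@dataclass(frozen=True)
class Privilege:
    """One SELECT privilege on db.table, optionally narrowed to columns and/or rows."""
    db: str
    table: str
    columns: Optional[frozenset] = None   # None = every column (a table-level grant)
    row_filter: Optional[tuple] = None    # (column, value) a row must match; None = all rows
                                          # (constructed stand-in for a row-level filter)


# Sentry model: privileges are granted to roles, roles to groups.
# Role names below are assumptions; the groups and users come from the slide.
ROLE_PRIVS = {
    "staff_role": {Privilege("hr", "employees", frozenset({"emp_id", "name", "dept"}))},
    "finance_role": {Privilege("hr", "employees", frozenset({"emp_id", "salary"}))},
    "sensitive_role": {Privilege("hr", "incidents", row_filter=("region", "APAC"))},
}
GROUP_ROLES = {"staff": {"staff_role"}, "finance": {"finance_role"}, "sensitive": {"sensitive_role"}}
USER_GROUPS = {"bob": {"staff", "sensitive"}, "alice": {"staff", "finance"}}


def privileges_for(user, db, table):
    """Every privilege on db.table reachable via the user's groups and their roles."""
    privs = set()
    for group in USER_GROUPS.get(user, set()):
        for role in GROUP_ROLES.get(group, set()):
            privs |= {p for p in ROLE_PRIVS.get(role, set()) if (p.db, p.table) == (db, table)}
    return privs


def readable_columns(user, db, table):
    """Union of columns the user may SELECT; an empty set means no access at all."""
    cols = set()
    for p in privileges_for(user, db, table):
        cols |= set(TABLES[(db, table)]) if p.columns is None else set(p.columns)
    return cols


def select(user, db, table, columns):
    """Authorise and run a SELECT: every requested column must be granted, and only
    rows permitted by at least one of the user's privileges are returned."""
    missing = set(columns) - readable_columns(user, db, table)
    if missing:
        raise PermissionError(
            f"{user} lacks SELECT on {db}.{table}({', '.join(sorted(missing))})")
    privs = privileges_for(user, db, table)

    def visible(row):
        return any(p.row_filter is None or row[p.row_filter[0]] == p.row_filter[1]
                   for p in privs)

    return [{c: row[c] for c in columns} for row in ROWS[(db, table)] if visible(row)]


def can_select(user, db, table, columns):
    """True if the SELECT would be authorised, False if Sentry-style checks deny it."""
    try:
        select(user, db, table, columns)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    print(select("bob", "hr", "employees", ["name", "dept"]))      # Staff columns only
    print(can_select("bob", "hr", "employees", ["salary"]))        # False: Finance column
    print(select("alice", "hr", "employees", ["emp_id", "salary"]))
    print(select("bob", "hr", "incidents", ["inc_id", "summary"]))  # APAC rows only
```

The point the demo makes is visible in the results: Bob and Alice share the Staff columns of `hr.employees`, only Alice's Finance role reaches `salary`, and Bob's Sensitive role sees `hr.incidents` but only the rows its filter admits. A real deployment adds the piece this model leaves out, namely resolving the user to groups through the cluster's LDAP/AD integration before any role lookup.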
12.
Demonstration: Navigator Audit
• Cloudera provides an Enterprise Audit solution which is inescapable
• Navigator Audit:
• Even if the Audit Service is disabled, events are still gathered asynchronously
• Administrator actions are audited
• These are differentiators: competitor products don’t necessarily cover those points
13.
Cloudera Manager & Ambari Roles Hierarchy
[Diagram: Cloudera Manager user roles, with an Ambari Roles box alongside]
• Full Administrator
• Key Administrator
• Cluster Administrator
• Configurator
• Operator
• Limited Operator
• Read Only
• BDR Administrator
• User Administrator
• Navigator Administrator
• Auditor
• Ambari Roles
14.
Competitive Scenario - Compliance-required auditing
Required capability: all actions are audited and data access can be reconstructed.
With HDP, a Ranger admin:
1. Turns off audit on a policy, and grants themselves access to the table.
2. Reads data from the financial details DB.
3. Sets the policy back to the way it was.
4. Security officer sees NONE of this.
5. Uses the information to short the company on the margin.
With Cloudera Enterprise, a Cloudera admin:
1. Grants themselves access to a given table (can’t turn off audit; could pause the service, but logs accumulate anyway).
2. Reads data from the financial details DB.
3. Sets the policy back to the way it was.
4. Security officer sees ALL of this and alerts security.
5. Admin is fired, arrested, escorted off the property.
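Step 4 of the Cloudera sequence assumes someone is actually reading the audit trail for this pattern, so here is what that check looks like. This is an added example, not Cloudera's or Navigator's code: the audit lines are constructed in a Navigator-like one-JSON-object-per-line shape whose field names (`timestamp`, `username`, `service`, `operation`, `object`, `grantee`) are assumptions for the example, not Navigator's real schema, and the `USER_ROLES` map stands in for the role-to-group-to-user resolution a real deployment does against LDAP/AD. The detector flags the three-step sequence from the slide: an admin grants a role they themselves hold, reads the object, and reverts the grant within a short window.

```python
import json
from datetime import datetime, timedelta

# Constructed audit trail (not real Navigator output; field names are assumptions).
SAMPLE_AUDIT = """\
{"timestamp": "2016-03-01T09:00:05Z", "username": "admin1", "service": "SENTRY", "operation": "GRANT_PRIVILEGE", "object": "hr.finance_details", "grantee": "admin1_role"}
{"timestamp": "2016-03-01T09:00:40Z", "username": "admin1", "service": "IMPALA", "operation": "QUERY", "object": "hr.finance_details"}
{"timestamp": "2016-03-01T09:01:10Z", "username": "admin1", "service": "SENTRY", "operation": "REVOKE_PRIVILEGE", "object": "hr.finance_details", "grantee": "admin1_role"}
{"timestamp": "2016-03-01T10:15:00Z", "username": "alice", "service": "IMPALA", "operation": "QUERY", "object": "hr.finance_details"}
{"timestamp": "2016-03-01T11:00:00Z", "username": "admin1", "service": "SENTRY", "operation": "GRANT_PRIVILEGE", "object": "hr.ledger", "grantee": "finance_role"}
"""

# Which Sentry roles each user holds through group membership (constructed; in a real
# deployment this comes from LDAP/AD groups plus Sentry's role-to-group grants).
USER_ROLES = {"admin1": {"admin1_role"}, "alice": {"staff_role", "finance_role"}}


def parse_events(text):
    """Parse one JSON event per line and return them ordered by timestamp, so the
    detector does not depend on the order in which events were written or shipped."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def find_self_grants(events, user_roles, window=timedelta(minutes=30)):
    """Flag every grant in which the actor gives a role they hold themselves access to
    an object and then reads that object within `window`. A matching revoke of the
    same grant inside the window is recorded as the cover-up step from the slide."""
    findings = []
    for grant in events:
        if grant.get("operation") != "GRANT_PRIVILEGE":
            continue
        actor, obj, grantee = grant["username"], grant["object"], grant.get("grantee")
        if grantee not in user_roles.get(actor, set()):
            continue  # granting a role the actor does not hold is routine administration
        later = [e for e in events
                 if e["username"] == actor and e["object"] == obj
                 and grant["ts"] < e["ts"] <= grant["ts"] + window]
        reads = [e for e in later if e["operation"] == "QUERY"]
        revokes = [e for e in later
                   if e["operation"] == "REVOKE_PRIVILEGE" and e.get("grantee") == grantee]
        if reads:
            findings.append({
                "actor": actor,
                "object": obj,
                "grant": grant["timestamp"],
                "reads": len(reads),
                "reverted": bool(revokes),
                "revoke": revokes[0]["timestamp"] if revokes else None,
            })
    return findings


def detect(text, user_roles, window=timedelta(minutes=30)):
    """Convenience wrapper: parse raw audit text and run the self-grant detector."""
    return find_self_grants(parse_events(text), user_roles, window)


if __name__ == "__main__":
    for finding in detect(SAMPLE_AUDIT, USER_ROLES):
        print(finding)
```

On the constructed trail the detector reports exactly one finding: `admin1` granting `admin1_role` on `hr.finance_details`, one read, and a revoke 65 seconds later. Alice's later query and the grant of `finance_role` on `hr.ledger` are not flagged, because neither is a user widening their own access. The same logic can be pointed at exported Navigator audit events once the field names are mapped to the real ones, and the window is the knob to tune against how quickly an administrator in your environment would normally revert a temporary grant.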
15.
Thank you
mahdi@cloudera.com | +61 432 126 777
Editor's notes
Standard users - how to spot a single user's different behaviour
Administrators – Edward Snowden
External users -> Kevin Mitnick