Accumulo Security and Encryption

Securely explore your data

ENCRYPTION AND SECURITY IN ACCUMULO

Michael Allen

Security Architect

Sqrrl Data, Inc.

michael@sqrrl.com

ISN’T ACCUMULO ALREADY SECURE?

I MEAN, THESE SMART GALS AND GUYS MADE IT…

(Undisclosed location)

CELL-LEVEL SECURITY

WHAT’S THE THREAT?

A TYPICAL DEPLOYMENT

(…ignoring master nodes, name nodes,garbage collectors, other ephemera…)

A TYPICAL CAST

THREATS INSIDE AND OUT

WHO CAN WE PUSH OUT?

ENCRYPTION

IN MOTION AND AT REST

IT’S NOT…

FUNDAMENTAL QUESTIONS

What are you encrypting?

How are you encrypting it?

How are you protecting the key?

ACCUMULO 1.6

SSL for Accumulo Clients

Encrypting data within HDFS

SSL AND ACCUMULO

ACCUMULO-1009

Patch that adds configuring and using SSL certificates

MAKE YOUR CERTS

CONFIGURE YOUR SERVERS

DISTRIBUTE YOUR CERTS

DISTRIBUTE YOUR ROOTS

ENJOY YOUR SSL

ENCRYPTION AT REST

ACCUMULO-998

Patch that adds encryption for Rfiles and WAL

ENCRYPTION AT REST

Uses Java Cryptography Extensions (JCE) for encryption

interface / engine

(Guess what? It’s pluggable.)

BEHIND THE SCENES

WHERE DOES THAT KEY GO?

PLUGGABLE STRATEGY

• Java class that mediates access to KEK

• Encrypts and decrypts per-file keys

• Passes back to callers opaque ID to identifyKEK used to do encryption

• Callers should store opaque ID along withencrypted key

PLUGGABLE STRATEGY

CONFIGURATION OPTIONSProperty Name “Usual” Value Meaning

crypto.module.class org.apache.accumulo.core.security.crypto.DefaultCryptoModule

The class that creates encrypting and decrypting data streams

crypto.cipher.suite AES/CFB/PKCS5Padding Encryption algorithm spec

crypto.cipher.key.length

128 Key length

crypto.module.class org.apache.accumulo.core.security.crypto.DefaultSecret-KeyEncryptionStrategy

Class that mediates access to KEK

REDUCED THREAT

TOWARDS THE FUTURE

THANKS!michael@sqrrl.com

Accumulo Security and Encryption

Technology

Large Scale Accumulo - Koverse Data Platform - Koverse Orders of Magnitude: Running Large Scale Accumulo Clusters Aaron Cordova Accumulo Summit, June 2014 Scale, Security, Schema Scale

Security Characteristics - Desktop Email Encryption · PDF fileCPA Security Characteristics for CPA-SC Desktop Email Encryption 1.0.doc 17th ... Integration with desktop encryption

Configuring Wire Encryption - Cloudera · 2020-07-16 · HDP Security Configuring Wire Encryption Wire Encryption Wire Encryption Encryption is applied to electronic information to

Cloud Security & Cloud Encryption Explained

02-Security & Encryption-CPWR 2

Cryptography Provable Security Security of Signatures ... · Cryptography Provable Security Security of Signatures Security of Encryption First Encryption Mechanisms The goal of encryption

Accumulo Extensions to Google's Bigtable Designpeople.apache.org/~afuchs/slides/morgan_state_talk.pdf · Accumulo { Extensions to Google’s Bigtable Design Adam Fuchs National Security

WEB SECURITY USING XML ENCRYPTION

Accumulo Summit 2015: Attempting to answer unanswerable questions: Key management in Accumulo for Encryption at Rest [Security]

Oracle security 07-transparent data encryption

Classical Encryption Techniques in Network Security

SQL Server Security And Encryption

Granular Access Control Using Cell Level Security In Accumulo

1. Encryption & Security

VANET SECURITY THROUGH GROUP BROADCAST ENCRYPTION

Encryption and Security

Security fundamentals Topic 4 Encryption. Agenda Using encryption Cryptography Symmetric encryption Hash functions Public key encryption Applying cryptography

iOS Security and Encryption

Accumulo Summit 2014: Past and Future Threats: Encryption and Security in Accumulo

Fingerprinting and Broadcast Encryption Multimedia Security