Achieving Data Security and Compliance with DataStax Enterprise


CONTENTS

It’s Your Data That’s At Risk

The Importance of Data Security

How DSE Keeps Your Data Secure
  Encryption
  Authentication
  Authorization
  Auditing
  Drivers

DataStax Software Delivery Security Processes
  DataStax Software Development Security Program (DSDSP)
  Developer Training
  Secure Coding Standards
  Expert/External Review

Customer Support and Maintenance
  Regular Patch Releases
  Vulnerability Reporting

Customer Examples
  Nexgate
  Surescripts
  ProtectWise

Protect Your Data with DSE

About DataStax


IT’S YOUR DATA THAT’S AT RISK

As organizations struggle with rising security threats and expanding compliance requirements, they seek data management solutions with strong security controls and best practices in place to ensure data protection regardless of the applications or devices being used.

DataStax Enterprise (DSE) Advanced Security is a feature suite that allows administrators to fortify their databases against potential harm from either deliberate attackers or user error. It includes advanced mechanisms for:

Encryption of data in-flight and at-rest

Authentication

Authorization

Data auditing

DSE Advanced Security leverages enterprise standards to integrate cohesively with the existing technology estate, including support for Active Directory (AD), the Lightweight Directory Access Protocol (LDAP), Kerberos, Public Key Infrastructure (PKI), and Key Management Interoperability Protocol (KMIP). In addition, DSE is compatible with various partner security solutions to address advanced functionality and industry-specific requirements.

DSE also allows you to achieve compliance with a variety of commercial and government security standards by leveraging advanced security features in accordance with best practices outlined in this paper.

This paper provides a comprehensive overview of the fundamental topics surrounding data management security and reviews the DSE features that address those fundamental topics.

This document is intended for developers, architects, operators, and administrators. It’s also a resource for security personnel who need to understand how DSE Advanced Security features intersect with organizational security standards to achieve compliance.

THE IMPORTANCE OF DATA SECURITY

Data security threats and breaches are becoming ever more prevalent, sophisticated, and powerful. The recent high-profile Equifax breach, which exposed the sensitive personal information of nearly 146 million Americans, is a great example.

These types of data breaches not only result in the loss of sensitive, confidential data, but also cause huge financial losses and irreparable damage to brand reputation. All your business-critical data, including financial transactions, confidential customer records, and credit card numbers, is stored in databases, and yet not many companies have the right data management infrastructure and security practices in place, making them an attractive target for attackers looking for high-value data theft. Also, government regulations and industry standards such as the Health Insurance Portability and Accountability Act (HIPAA), the General Data Protection Regulation (GDPR), and the Payment Card Industry Data Security Standard (PCI DSS) are requiring companies to implement stronger global data security measures.

To protect their data from all of these threats and meet regulatory compliance requirements, companies need data management solutions that enable them to detect and prevent any suspicious activities, mitigate threats, and apply access controls at the data source - and they need to be able to do this in an on-premises, multi-cloud, or hybrid environment.


HOW DSE KEEPS YOUR DATA SECURE

DSE provides advanced data protection capabilities to ensure increased security of your application data and address any industry or governmental regulatory requirements.

Encryption

Encryption is the means by which data confidentiality is maintained. In general, encryption of database data falls into two categories:

Encryption At-Rest

This refers to the data that is stored on persistent storage (disk drives) in an encrypted format. Encryption at-rest protects against data exposure in the event of the physical theft of a device, or if an unauthorized party gains access to a system where data is stored but has not gained access to the database yet. Encryption at-rest also offers a degree of protection in environments where storage resources might be re-used, such as in public clouds.

DSE Transparent Data Encryption (TDE) is the feature responsible for the encryption of at-rest data in a DSE system. DSE TDE protects sensitive at-rest data using a local encryption key file or a remotely stored and managed Key Management Interoperability Protocol (KMIP) encryption key. TDE encrypts only specific sensitive files as opposed to entire filesystems. This increases the security of files that are migrated, as moving a file from its origin does not result in decryption. DSE TDE provides encryption for:

Entire tables (except for partition keys which are always stored in plain text)

SSTables containing data, including system tables such as system.batchlog and system.paxos

DSE Search indexes

File-based hints

Commit logs

Sensitive properties in dse.yaml and cassandra.yaml

For more details, read DSE Transparent Data Encryption.

Encryption In-Flight

This refers to the encryption of data as it moves over a network between nodes. In a distributed environment like DSE, network traffic is constant. If the network is not secure, the data moving between the nodes could be intercepted by an unauthorized party.

DSE supports encrypting data and protects it from being stolen when it moves: 1) between nodes within a DSE cluster (node-to-node encryption), and 2) between the client nodes and the DSE cluster (client-to-node encryption). In DSE, encryption can be enforced at the node, rack, or data center level. DSE supports SSL encryption for data in-flight for the following components:

Transactional nodes

DSE Search, DSE Analytics, and DSE Graph

DSE drivers and tools

DSE OpsCenter

For more information, read Configuring SSL with DSE.


Authentication

Authentication refers to the process of establishing the identity of the person or system performing an operation against the database. In the context of DSE, this identity could be a person, application, or monitoring service, each of which often works best with a particular authentication strategy.

To address this, DSE Unified Authentication facilitates connectivity to four primary mechanisms for authentication as described below. DSE Unified Authentication also extends the same authentication schemes to the database, DSE Search, and DSE Analytics.

Lightweight Directory Access Protocol (LDAP)

LDAP is a widely used repository to store user data and authenticate users across applications.

DSE supports LDAP authentication for external LDAP services. When you enable LDAP authentication in DSE, users that are managed by external LDAP servers can be authenticated by DSE. In addition, applications that leverage LDAP for authentication simplify IT operations by eliminating the need to provision user accounts on a per-application basis. LDAP can also be employed for data authorization. For more information on configuring LDAP with DSE, read this DSE tutorial.

Kerberos

Kerberos is a computer network authentication protocol that allows nodes communicating over a non-secure network to prove their identity to one another in a secure manner using tickets. When a user wants to log in to a service, the user must first obtain a Kerberos Ticket by authenticating to the Key Distribution Center.

DSE authentication with Kerberos protocol uses cryptographically secure Kerberos Tickets to prove identity for users and applications that communicate over non-secure networks without the need to pass credentials. This enables a deployment to have fewer attack vectors and can eliminate the need to embed passwords in config files. Read this DSE tutorial to learn more about configuring Kerberos with DSE.

Internal Authentication

DSE supports internal password authentication, a mechanism that stores usernames and bcrypt-hashed passwords in the system_auth.credentials table in DSE and checks the hash of a supplied password against the value stored in the CQL table for a given username. In addition to passwords, DSE also supports role-based internal authentication. Roles can represent either actual individual users or roles that those users have in administering and accessing the DSE cluster.

Active Directory

In addition to internal authentication, Kerberos, and LDAP, DSE also allows Microsoft’s Active Directory to be employed to serve as the Kerberos and LDAP host. Fundamentally, Active Directory is composed of the open Kerberos and LDAP protocols.

Authorization

Authorization is the process of establishing which database objects a known user can see and manipulate. Authorization does not really make any sense without having authentication in place, as it does not make any sense to differentiate permissions if there is not a way to tell users apart.

In DSE, once an entity has authenticated, specific authorizations are granted to control access to database resources.


These authorizations determine which resources (i.e., tables, keyspaces, etc.) can be read, written, or modified by a connected entity, as well as the mechanisms by which an entity can connect. DSE uses the GRANT/REVOKE paradigm for authorization to prevent any improper access to the data. DSE uses three mechanisms to grant user authorizations:

Role-Based Access Control (RBAC)

RBAC allows specific database object permissions to be assigned to abstract role entities, which can then be granted to concrete database users. In DSE, RBAC is only available after DSE Unified Authentication is enabled.

DSE Role Manager automatically assigns roles to authenticated users using one of the following methods:

Internal: 1-to-1 mapping by assigning a primary role to each individual user. You can also assign additional roles to the primary role to manage permissions as a set.

LDAP: 1-to-many mapping by assigning permissions to roles/groups. The DSE Role Manager looks up the users in LDAP and these users are assigned all the roles that match a group name. Roles for each individual user are not required and roles automatically change as LDAP group membership changes. The DSE Unified Authenticator also enables the roles to be stored in LDAP, which simplifies various tasks, including adding/removing roles, modification of roles, and auditing role assignments.

Row-Level Access Control (RLAC)

RLAC allows permissions to be granted/revoked on rows within a table by filtering a text-based partition column. It provides fine-grained user access control down to the row level so that only authorized users are able to view or modify subsets of the data. In addition, having RLAC support within DSE allows you to easily manage multi-tenant SaaS applications on a single DSE platform.

Proxy Auth

DSE Proxy Management allows roles to log in and execute CQL queries as other roles. This is particularly useful for secure middleware like web servers; the web server can log in once and proxy execute queries as its clients, keeping the audit log intact and leveraging DSE role-based access control.
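
The three authorization mechanisms above, written out as CQL for one multi-tenant table. This is an added example, not taken from the DataStax paper: the keyspace, table and role names are hypothetical, the passwords are placeholders, and it assumes DSE Unified Authentication and authorization are enabled, row-level access control is switched on in dse.yaml, and the statements are run from cqlsh as a superuser role.

```cql
-- Added example. saas, orders, orders_reader, alice, tenant_acme,
-- tenant_globex and web_app are hypothetical names.

CREATE KEYSPACE IF NOT EXISTS saas
  WITH replication = {'class': 'SimpleStrategy', 'replication_factor': 1};  -- single-node demo setting

-- RLAC filters on a text partition column, so the tenant id is made
-- the (text) partition key of the table.
CREATE TABLE IF NOT EXISTS saas.orders (
  tenant   text,
  order_id timeuuid,
  total    decimal,
  PRIMARY KEY ((tenant), order_id)
);

-- 1. RBAC: permissions are attached to an abstract role, and the role
--    is then granted to a concrete login.
CREATE ROLE IF NOT EXISTS orders_reader;              -- no LOGIN: a permission set only
GRANT SELECT ON TABLE saas.orders TO orders_reader;   -- table-wide read

CREATE ROLE IF NOT EXISTS alice
  WITH LOGIN = true AND PASSWORD = '<set-a-strong-password>';
GRANT orders_reader TO alice;

-- 2. RLAC: name the filtering column once per table, then grant
--    permissions on individual values of that column.
RESTRICT ROWS ON saas.orders USING tenant;

CREATE ROLE IF NOT EXISTS tenant_acme;
CREATE ROLE IF NOT EXISTS tenant_globex;

GRANT SELECT ON 'acme'   ROWS IN saas.orders TO tenant_acme;
GRANT MODIFY ON 'acme'   ROWS IN saas.orders TO tenant_acme;
GRANT SELECT ON 'globex' ROWS IN saas.orders TO tenant_globex;  -- read-only tenant

-- 3. Proxy auth: the middleware logs in once with its own credentials
--    and runs each request as the tenant role it is serving.
--    web_app receives no grant on saas.orders in this script.
CREATE ROLE IF NOT EXISTS web_app
  WITH LOGIN = true AND PASSWORD = '<set-a-strong-password>';
GRANT PROXY.EXECUTE ON ROLE tenant_acme   TO web_app;
GRANT PROXY.EXECUTE ON ROLE tenant_globex TO web_app;

-- Checks: review what each role ended up with before going live.
LIST ROLES OF alice;
LIST ALL PERMISSIONS OF orders_reader;
LIST ALL PERMISSIONS OF tenant_acme;
LIST ALL PERMISSIONS OF tenant_globex;
LIST ALL PERMISSIONS OF web_app;

-- Withdrawing access is the mirror image of granting it.
REVOKE orders_reader FROM alice;
```

Reviewing the LIST output per role is the quickest way to confirm that a tenant role holds only row grants for its own partition value and that the middleware login holds proxy grants rather than direct table permissions.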

Auditing

Data auditing enables an administrator to track and log all the user activity that occurs on a database to prevent unauthorized access to information and meet compliance requirements. Many companies today have either external mandates (Sarbanes-Oxley Act, Payment Card Industry, etc.) or internal security policies that require the auditing of user actions on a database, so having a platform that has data auditing built-in is helpful for administrators in such environments.

With DSE, all or a subset of the activity that takes place on a DataStax cluster is recorded along with the identity of the user and the time the activity occurred. Auditing in DSE is implemented via the log4J mechanism that’s built into the platform. This allows for the most efficient way of auditing large amounts of activity on a cluster. It also provides a good deal of flexibility to the administrator to monitor and record what is audited, where the data is written, and how it is presented, aiding an organization in its auditing compliance.


Drivers

DataStax provides drivers for C/C++, C#, Java, Node.js, ODBC, Python, PHP, and Ruby that work with any cluster size whether deployed across multiple on-premise or cloud data centers. These drivers are built with the following features to ensure our customers interact with the DSE clusters in a safe and secure way.

Secure Socket Layer (SSL) Encryption

Enabling SSL encryption ensures that data in-flight is not compromised and is transferred securely between a client and a database cluster, and also between nodes in a cluster. The DataStax drivers can also be configured to secure traffic between the driver and DSE nodes.

Parameterized Statements

DataStax provides parameterized statements functionality in its drivers to help you prevent attacks similar to SQL Injection attacks.

AuthProvider

Each of the DSE Drivers ships with a form of a PlainTextAuthProvider for username/password internal DSE and LDAP role authentication/authorization and a GSSAPIAuthProvider or SASLAuthProvider for Kerberos role authentication/authorization. The DSE driver AuthProviders are also built in a way that allows customers to extend this to build their own custom auth implementations if needed.

To learn more, below are the links to the security docs for DSE Drivers:

Java Security Docs

Python Security Docs

C++ Security Docs

C# Security Docs

PHP Security Docs

Ruby Security Docs


DATASTAX SOFTWARE DELIVERY SECURITY PROCESSES

Because DSE is the data management platform of choice for some of the world’s most visible and demanding cloud applications, we take security seriously and have implemented several programs to make security a priority.

DataStax Software Development Security Program (DSDSP)

DSDSP integrates security into our engineering processes with the goal of making our products as secure as possible. It covers the design, development, and testing of DSE with a focus on reducing the likelihood that DSE will serve as the entry point for an attack or intrusion.

Developer Training

As part of our on-boarding process, all the newly-hired software engineers are required to take online secure coding training from the Software Assurance Forum for Excellence in Code (SAFECode). SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware, and services.

Secure Coding Standards

DataStax has a software development policy that requires code reviews, including review of security-related issues on all code before it is checked into our code repository.

Expert/External Review

DataStax has retained external security experts to code-review our security features on an ongoing basis. Based on their feedback, we have made improvements and added features such as support for off-server key storage.

CUSTOMER SUPPORT AND MAINTENANCE

DataStax offers 24x7 worldwide customer support. If you have questions or concerns, our Service Level Agreement (SLA) ensures you have access to the experts required.

Regular Patch Releases

Security breaches due to delays in patching software illustrate the challenges around ensuring updated software. DataStax makes the right patches available to you for your supported production environment so you don’t have to figure out the urgency of which patch needs to be applied and how. Additionally, DataStax backports bug fixes to your supported production version for you according to the support policy.


Vulnerability Reporting

DataStax has a team of security experts and processes in place to support our customers whenever a security issue arises. An important strategy DataStax uses in building secure applications is to respond to vulnerability reports. DataStax employs the following process to handle vulnerability reports:

The reporter reports the vulnerability privately to DataStax via a support ticket.

1. The appropriate project’s security team works privately with the reporter to resolve the vulnerability.

2. A new release or patch of the DataStax product that includes the fix is produced.

3. The vulnerability is publicly announced and the patched software made available.

CUSTOMER EXAMPLES

A number of companies rely on DSE to keep their data protected and deliver enterprise-grade security products and services to their customers. Below are three customer examples. For other customer case studies, visit the DataStax Customers page.

Nexgate

Nexgate is the visionary leader in the social media security market, providing social media security and compliance solutions and products. With more than 116 brand-name customers, Nexgate is the only social media security vendor recognized by Gartner and Forrester.

Nexgate has successfully developed social media security technology to help companies manage social media risks and security and privacy concerns such as account hacking; content and publishing mistakes; and fraudulent representation of brands. They do this by classifying social information to monitor, analyze, and respond to anomalies on social channels in real time.

To accommodate the growing volumes of social media data and to analyze trends instantly, Nexgate needed a data management platform with flexible linear scale and real-time data analytics capabilities.

With DSE, Nexgate’s security and compliance suite benefits from real-time search and 100% uptime. Relying on DSE as its data management backbone guarantees Nexgate predictable scale at a fraction of the cost of a traditional relational database system.

Also thanks to DSE, Nexgate can classify social contact data to monitor and analyze trends and anomalies of accounts and content on social channels, and is able to take action in real time. With DataStax, Nexgate protects customer privacy across all major social networks by providing a secure social media infrastructure for customers to discover and communicate with each other.

Surescripts

Surescripts serves the nation with a trusted and capable health information network built to increase patient safety, lower costs, and ensure quality care. The company connects more than 1 million healthcare professionals, including clinicians, EHRs, hospitals, pharmacies, and technology vendors to deliver accurate, comprehensive patient information to the point of care using e-prescriptions.


Surescripts chose DSE for its always-on, linear scalability and built-in enterprise security features. Surescripts uses DSE to power its transaction service, a core component of its e-prescription transaction processing switch, to track who sent what, when, where, and how at the various touch points, including the clinic and the pharmacy.

Such visibility allows Surescripts to audit a transaction throughout its entire journey. In addition, DSE Advanced Security with Transparent Data Encryption and LDAP integration allows Surescripts to ensure the data stored in DSE is HIPAA and PII (personally identifiable information) compliant.

ProtectWise

ProtectWise offers companies a new utility model for security, powering real-time, retrospective and automated threat detection for enterprise, cloud, and industrial control environments. They do this by deploying clusters of lightweight sensors at points on a network that record network data and then ship it securely to the cloud where the ProtectWise platform performs a variety of analyses to identify out-of-the-ordinary patterns and anomalies.

When ProtectWise embarked on its journey to take enterprise network security to the cloud, it quickly realized it needed to build its application on a data management platform that could not only handle the enormous volumes of streaming, time-series data, but do so without taking a hit on performance and availability.

With DSE, ProtectWise now handles millions of transactions and writes per second without any downtime or data loss. Further, DSE gives ProtectWise the ability to search through billions of network communications very quickly and then derive answers from these data points in mere seconds. Having DSE as the backbone database of its cloud-based enterprise network solution has given ProtectWise the ability to operate very efficiently and innovate in ways that are empowering the company to reinvent the space of enterprise network security.

PROTECT YOUR DATA WITH DSE

In today’s digital economy, data is constantly increasing in volume and value to businesses. In addition, companies are moving their business-critical data and applications into the cloud, and users are adopting an increasing variety of devices to access these applications. Keeping the company’s and its customers’ data protected from unauthorized access and ensuring regulatory compliance is therefore a top concern for business leaders.

DSE Advanced Security enables you to leverage your data to drive business growth and innovation while providing complete control of the security and compliance of your data. With advanced security controls such as transparent data encryption, LDAP authentication, RBAC, and robust security processes in place, DSE Advanced Security helps companies maintain the security and privacy of their sensitive data in this increasingly complex digital environment.


ABOUT DATASTAX

It starts with a human desire, and when a universe of technology, devices and data aligns, it ends in a moment of fulfillment and insight. Billions of these moments occur each second around the globe. They are moments that can define an era, launch an innovation, and forever alter for the better how we relate to our environment. DataStax is the power behind the moment. Built on the unique architecture of Apache Cassandra™, DataStax Enterprise is the always-on data platform and has been battle-tested for the world’s most innovative, global applications.

With more than 500 customers in over 50 countries, DataStax provides data management to the world’s most innovative companies, such as Netflix, Safeway, ING, Adobe, Intuit, and eBay. Based in Santa Clara, Calif., DataStax is backed by industry-leading investors including Comcast Ventures, Crosslink Capital, Lightspeed Venture Partners, Kleiner Perkins Caufield & Byers, Meritech Capital, Premji Invest and Scale Venture Partners. For more information, visit DataStax.com or follow us on @DataStax.