SECURING YOUR COUCHBASE ENVIRONMENT
Don Pinto | Sr. Product Manager
Darin Briskman | Professional Services
©2015 Couchbase Inc. 2
Disclaimer
Couchbase Server 4.0 is still in development. Details presented in this presentation might change based on customer feedback and other factors by the time the final version of the product is released.
“Prediction is very difficult, especially about the future.” - Niels Bohr
Key drivers of NoSQL data security
• Regulatory compliance requirements: PCI, HIPAA, EU Data Protection Directive, and others
• Additional corporate security policies
• Growing number of insider threats
*2015 Vormetric Insider Threat Report
Core security requirements
AUTHENTICATION
• Who am I/prove it
• Control access to cluster
AUTHORIZATION
• Admin/data access separation
• Role based access
ENCRYPTION
• Encrypt data at rest and in-motion
ADMINISTRATION
• Security best practices
AUDITING
• Who did what, when, and how?
Couchbase security journey
Previously… | In 2.2 | In 2.5 | In 3.0 | New in 4.0
SASL AuthN with Bucket Passwords
Admin User
Secure Build Platform
Read-Only User
Easy Admin Password Reset
Non-Root User Deployments
Secure Communication for XDCR
Encrypted Client-Server Communication
Encrypted Admin Access
Access Log
Data-at-Rest Encryption
• Simplified compliance with admin auditing
• External identity management for admins using LDAP
In a few slides...
Couchbase authentication
Application authentication
• Buckets are protected with challenge-response SASL protocol
• AuthN happens over CRAM-MD5
Admin authentication
• Authentication through admin username and password
• Authentication through LDAP (New in 4.0)
AUTHENTICATION
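Added example (not from the original slides and not Couchbase's code): the challenge-response exchange named above, written as the generic CRAM-MD5 scheme of RFC 2195 with both sides shown. The bucket name standing in as the SASL user, the host name, and the in-memory secret table are assumptions for illustration.

```python
import hashlib
import hmac
import os
import time

# Hypothetical secret store: SASL user (assumed here to be the bucket name)
# mapped to the bucket password. The server needs the secret itself to recompute
# the HMAC, so this table is as sensitive as the passwords.
BUCKET_SECRETS = {"orders": "constructed-bucket-password"}

def make_challenge(host="cb-node.example"):  # host name is a placeholder
    """Server: issue a fresh, unpredictable challenge for every attempt."""
    return "<%s.%d@%s>" % (os.urandom(8).hex(), int(time.time()), host)

def client_response(user, password, challenge):
    """Client: prove knowledge of the password without putting it on the wire."""
    mac = hmac.new(password.encode(), challenge.encode(), hashlib.md5)
    return "%s %s" % (user, mac.hexdigest())

def server_verify(response, challenge, secrets=BUCKET_SECRETS):
    """Server: recompute the HMAC over the challenge it issued and compare."""
    user, _, digest = response.rpartition(" ")
    # Unknown users still cost one HMAC, so timing does not reveal valid names.
    secret = secrets.get(user, "")
    expected = hmac.new(secret.encode(), challenge.encode(), hashlib.md5).hexdigest()
    matches = hmac.compare_digest(expected.encode(), digest.encode())
    return matches and user in secrets

def demo():
    """One good login, one wrong password, one replay against a new challenge."""
    c1 = make_challenge()
    good = client_response("orders", "constructed-bucket-password", c1)
    bad = client_response("orders", "guess", c1)
    c2 = make_challenge()
    return (server_verify(good, c1), server_verify(bad, c1), server_verify(good, c2))
```

CRAM-MD5 authenticates the client only; it does not encrypt or integrity-protect the data that follows, which is the gap the SSL slides later in the deck address.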
External identity management using LDAP
Centralized identity management
• Define multiple read-only admins and full-admins
• Centralized security policy management for admin accounts for stronger passwords, password rotation, and auto lockouts
Individual accountability. Simplified compliance.
• Define UIDs in LDAP, and map UIDs to read-only/full admin role in Couchbase
• Comprehensive audit trails with LDAP UIDs in audit records
AUTHENTICATION
LDAP architecture in Couchbase
[Diagram: admin authentication flow. Labels: Admin UID / password; CHECK IN LDAP? (YES / NO); SASL protocol; SASLAUTHD; saslauthd config file; OpenLDAP protocol; UIDs defined in LDAP; CHECK IN ADMIN PASSWORD FILE (YES / NO); Authentication SUCCESS!; Authentication FAILED!]
AUTHENTICATION
New UI for authorizing LDAP administrators
• Turn on/off LDAP
• Add UIDs to read-only admins
• Add UIDs to full admins
• Set default behavior if UID is not mapped
• Testing credentials to verify what level of access
• Plus REST APIs and CLI integration for programmatic setup
AUTHENTICATION
Couchbase authorization
Application data access
• Full access to specific buckets
Admin access
• Full administrator has full privileges on the cluster
• Read-only administrator cannot change cluster settings
AUTHORIZATION
Couchbase encryption – client
Encryption at the application
• Leverage Vormetric encryption and key management APIs, libraries, and sample code in Java, .NET, C/C++.
[Diagram: application-level encryption. Labels: Application; VAE (Vormetric Application Encryption); DSM; Encryption Key Request / Response*; plaintext record "SSN: 112-111-6762, Jon Dough"; encrypted record "$#Ad#$g&*j%J1TJCZ, Jon Dough"; Client-server SSL]
ENCRYPTION
Couchbase encryption – in motion
Data-in-motion encryption
• Client-server communication should be encrypted using SSL
• Secure admin access using SSL over port 18091
• Secure view access using SSL over port 18092
• Secure XDCR for encryption across datacenters
[Diagram: two clusters, "Couchbase Server – New York" (SERVER 1, SERVER 2, SERVER 3) and "Couchbase Server – London" (SERVER 1, SERVER 2, SERVER 3). Labels: Client applications (SSL); Secure XDCR over SSL; Admin access over port 18091 (SSL); View access over port 18092 (SSL); Track all Access]
https://couchbase_server:18091/…
https://couchbase_server:18092/…
ENCRYPTION
Couchbase encryption – at rest
Transparent data-at-rest encryption solution
[Diagram: stack layers labelled User, Application, Database, File Systems, Volume Managers, Storage, with the DSM alongside]
DSM: Vormetric Data Security Manager, on Enterprise premise or in cloud, virtual or physical appliance
• Centrally manage keys and policy
• Virtual and physical appliance
• High-availability with cluster
• Multi-tenant and strong separation of duties
• Proven 10,000+ device and key management scale
• Web, CLI, API Interfaces
• FIPS 140-2 certified
Secure Personally Identifiable Information
• User profile information
• Login Credentials
• IP Addresses
ENCRYPTION
Admin auditing in Couchbase
Rich audit events
• 25+ different, detailed admin audit events
• Auditing for tools including backup
Configurable auditing
• Configurable file target
• Support for time-based log rotation and audit filtering
Easy integration
• JSON format allows for easy integration with downstream systems using Flume, Logstash, and syslogd
AUDITING
Auditing events
LIST OF ADMIN AUDIT EVENTS
• Success/failure login for administrator
• Audit configuration changes
• Enable/disable audit
• Add a node to the cluster
• Remove a node from the cluster
• Failover a node
• Rebalance the cluster
• Shutdown/startup of the system by the administrator
• Create a bucket
• Delete a bucket
• Flush a bucket
• Modify bucket settings
• Change configured disk and index path
• Add read-only administrator user
• Backup
• Remove read-only administrator user
• Add admin user
• Remove admin user
• Setup remote cluster reference
• Delete remote cluster reference
• Changes to XDCR
• Creating/deleting XDCR profile
• Pause/resume XDCR stream
• Changing XDCR filter rules
• Add/remove query node
• Add/remove index node
• Create server group
• Add node to server group
• Remove node from server group
• Delete server group
• Admin password changes/resets
AUDITING
Auditing a successful login
{
  "timestamp": "2015-02-20T08:48:49.408-08:00",
  "id": 8192,
  "name": "login success",
  "description": "Successful login to couchbase cluster",
  "role": "admin",
  "real_userid": { "source": "ns_server", "user": "bjones" },
  "sessionid": "0fd0b5305d1561ca2b10f9d795819b2e",
  "remote": { "ip": "172.23.107.165", "port": 59383 }
}
WHEN | WHO | WHAT | HOW
AUDITING
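Added example (not part of the original slides and not Couchbase code): a small triage script over audit records in the JSON shape shown above, flagging admin-role events that arrive from outside an expected admin subnet. The mapping of fields to WHEN/WHO/WHAT/HOW, the 172.23.0.0/16 subnet, and the second and third sample records are assumptions made for the example.

```python
import ipaddress
import json
from datetime import datetime, timezone

# Assumption for this example: admins connect only from this internal subnet.
ADMIN_NETS = [ipaddress.ip_network("172.23.0.0/16")]

# Record 1 is the slide's event; records 2 and 3 are constructed (3 is truncated).
SAMPLE_LOG = [
    '{"timestamp":"2015-02-20T08:48:49.408-08:00","id":8192,"name":"login success",'
    '"description":"Successful login to couchbase cluster","role":"admin",'
    '"real_userid":{"source":"ns_server","user":"bjones"},'
    '"sessionid":"0fd0b5305d1561ca2b10f9d795819b2e",'
    '"remote":{"ip":"172.23.107.165","port":59383}}',
    '{"timestamp":"2015-02-20T23:10:02.120-08:00","id":8192,"name":"login success",'
    '"description":"Successful login to couchbase cluster","role":"admin",'
    '"real_userid":{"source":"ns_server","user":"bjones"},'
    '"sessionid":"00000000000000000000000000000000",'
    '"remote":{"ip":"203.0.113.7","port":40112}}',
    '{"timestamp":"2015-02-20T23:11:00.000-08:00","id":8192,"name":"login succ',
]

def parse_event(line):
    """Split one audit record into WHEN / WHO / WHAT / HOW."""
    rec = json.loads(line)
    return {
        "when": datetime.fromisoformat(rec["timestamp"]).astimezone(timezone.utc),
        "who": (rec["real_userid"]["source"], rec["real_userid"]["user"], rec["role"]),
        "what": (rec["id"], rec["name"]),
        "how": (ipaddress.ip_address(rec["remote"]["ip"]), rec["sessionid"]),
    }

def triage(lines):
    """Return (alerts, rejected): admin events from outside ADMIN_NETS, bad records."""
    alerts, rejected = [], 0
    for line in lines:
        try:
            ev = parse_event(line)
        except (ValueError, KeyError, TypeError):
            rejected += 1  # malformed audit data is itself worth reporting
            continue
        src = ev["how"][0]
        if ev["who"][2] == "admin" and not any(src in net for net in ADMIN_NETS):
            alerts.append(ev)
    return alerts, rejected
```

Timestamps are normalized to UTC so that records from clusters in different time zones sort correctly once they reach a downstream collector.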
Securely Deploying Couchbase
[Diagram: network zones labelled Outside Network, Perimeter Network, Internal Network. Labels: End users & hack3rs; WEB AND MOBILE APPS; External Firewall (packet filtering, blocking malicious IPs); Load Balancer; Web Server; Allow webserver ingress and egress ports; Internal Firewall; Allow Couchbase ingress and egress ports; COUCHBASE CLUSTER; Allow Couchbase node-to-node ports on local internal network; IT Admins & App Developers; IT Admin & DBA]
Check out our docs for in-depth security best practices: http://docs.couchbase.com/admin/admin/security/security-best-practices.html
ADMINISTRATION
©2014 Couchbase, Inc.
Questions to ask
• Which ports are open through the firewall?
• What if an operator steals a disk?
• Is sensitive data encrypted?
• Is there admin access and data access separation?
• Are backups encrypted?
• Is XDCR secure?
• What vulnerabilities?
[Diagram labels: Prod; Dev, QA, Test; Storage; Backup Server; Sensitive; hAck3rs; XDCR to remote Cluster]
ADMINISTRATION
Security roadmap
Today: Simplified Compliance
• Simplified compliance with auditing framework for admin actions
• External identity management for admins with enterprise standard identity management tools through LDAP
Next: Fine-Grained Authorization
• User, roles, and permissions for admins and applications
Future: Advanced Compliance
• Application auditing
• External authentication for applications
* The following is intended to outline our general product direction. It is intended for information purposes and is only a plan.