© COPYRIGHT 2016 MARKLOGIC CORPORATION. ALL RIGHTS RESERVED.
MarkLogic Security
Caio Milani, Director, Product Management, MarkLogic
Rangan Doreswamy, Technical Product Manager, MarkLogic
SLIDE: 2
Disclaimer
MarkLogic 9 is currently under development. The features and how they are implemented are subject to change.
SLIDE: 3
Agenda
Enterprise deployment architecture
MarkLogic security
Deploying MarkLogic securely
On the horizon
Q&A
Security: Only As Strong As The Weakest Link
SLIDE: 5
Typical Enterprise Architecture
(Diagram) Public network (endpoints): end user apps and third party services; firewall; DMZ: application servers; firewall; DBMS
IdAM (identity management) provides authentication, authorization and auditing across the data, app and policy layers; use logs for auditing
SLIDE: 6
Security Overview: Pillars of Security
Confidentiality: encryption
Integrity: track changes
Authenticity: verify users
SLIDE: 7
The 3 A’s of Application Security
Authentication: validate the identity of the security principal (users, application services, machines, etc.)
Authorization: validate that the authenticated security principal has the right to access the requested resource
Auditing: prevent repudiation through systematic examination and verification of the actions or events performed by authenticated security principals
SLIDE: 8
MarkLogic Security Overview
Security is core to the product
MarkLogic is a leader in the industry
Strong track record
Customer trust
(Diagram) Pillars: provenance, availability, certified, authenticity, integrity, confidentiality
SLIDE: 9
Certified Security: Common Criteria Certified
One of 6 database vendors carrying the Common Criteria Security Certification; the only NoSQL database
Certified to run in classified government systems (PL3/ICD 503 and DITSCAP)
SLIDE: 10
How MarkLogic Delivers: Authentication
Local, Distributed and Delegated
Identification and Authentication via LDAP/Kerberos mapped roles
SLIDE: 11
How MarkLogic Delivers: Authorization
Utilize Roles, Compartments, Labels and Privileges to support any content access control rules
DBAs are not excessively privileged: fine-grained controls, no OS access required
SLIDE: 12
RBAC: Role-Based Access Control
Other models: Attribute-Based Access Control (ABAC), Policy-Based Access Control (PBAC), Label-Based Access Control (LBAC)
SLIDE: 13
How MarkLogic Delivers: Auditing
Secure version control supports non-repudiation/lineage
Robust audit capability
Audit document access and updates, configuration changes, administrative actions, code execution, and changes to access control
Mature security patch process
SLIDE: 14
How do we make this system secure?
(Diagram) End user clients; firewall; app servers; firewall; database cluster
SLIDE: 15
Phase 1: Harden the Environment
End user endpoints
All devices are untrusted to begin with: need to authenticate device endpoints
Provision credentials using a well-known trusted CA
Enforce password policy for end users and devices
Consider using MFA (multi-factor authentication)
SLIDE: 16
Phase 1: Harden the Environment
App server machines
OS and security patches
Remove unsecure services (FTP, Telnet, etc.)
Disable unused TCP/UDP ports (e.g., port 80)
Consider using M2M (machine-to-machine) authentication
Ensure load balancers are configured correctly
Always use mutual authentication between endpoints
Monitor SysLog and EventLog for unusual activities
Close all ports except 8000, 8001, 8002
IdAM services: for LDAP disable 389, ensure communication is only on 443
SLIDE: 17
Phase 1: Harden the Environment
DB cluster machines
OS and security patches
Consider M2M authentication
Separation of roles: SysAdmin and DBAdmin
Create network fencing
Change all default passwords
Monitor SysLog and EventLog for unusual activities
SLIDE: 19
Phase 2: Securing the Application Deployment
1. Secure end user client authentication
SLIDE: 20
Phase 2: Securing the Application Deployment
2. Communication security (“secure the pipes”)
SLIDE: 21
Phase 2: Securing the Application Deployment
3. Secure connection between app servers and end users
SLIDE: 22
Phase 2: Securing the Application Deployment
4. Secure connection between app servers and the database (authentication, authorization, auditing)
SLIDE: 23
MarkLogic Security Deployment Architecture
(Diagram) End user clients; firewall; MarkLogic app servers; firewall; MarkLogic cluster providing authentication, authorization and auditing
SECURITY ROADMAP
SLIDE: 25
Encryption: Transparent Encryption of Data, Configuration and Logs (preview in early access)
Prevent sys admin access to sensitive information
Prevent tampering of information on disk
Separate key management control:
Reduce DBA authority
Reduce ability to hack a system
Match stringent security standards
SLIDE: 26
Security At the Database Layer Matters
Financials: customer data, financial data
Government: citizen data, classified data (defense)
Healthcare: Protected Health Information (PHI)
Publishing: nonpublic information
Online businesses: customer data, financial data
Business Wire, Marketwired and PR Newswire infiltrated: reaped $100M in illicit profits
Ashley Madison: 32 million members exposed, questionable business practices exposed, CEO stepped down, lawsuits piling up
SLIDE: 27
Encryption in MarkLogic 9
Transparent encryption of: databases, logs, config files, backup
Key management: local or external KMS; separation of control (Sec Admin vs DB Admin); key rotation
High performance encryption
(Diagram) Cluster or laptop with a local key store, an external KMS and DB backup; roles: DB Admin, Sec Admin, Sys Admin
SLIDE: 28
Encryption Keys Hierarchy
Recommended hierarchy, held in the KMS (MarkLogic has no knowledge of or control over these keys):
MKEK (master KEK) and CKEK (cluster KEK): keys reside in the KMS, key IDs are stored in keystore.xml; individual database keys can be provided
Generated by MarkLogic (KEKs are stored encrypted in configuration files):
Data KEK (CDKEK), Configuration KEK (CCKEK), Logs KEK (CLKEK)
Per-file keys, stored encrypted as file headers:
OKEY: per-object encryption key (object := stands, journals, etc.)
CKEY: per configuration file
ELKEY: per log file
SLIDE: 29
Redaction and Element-Level Security: granular control on data visibility and data exported (preview in early access)
Completely conceal sensitive information from queries and updates at element or property level
Share information with minimal effort by masking data when exporting datasets to QA, Dev or external entities
Manage visibility and masking at the element or property level based on roles
SLIDE: 30
Element-Level Security
Example document with a classification marking on each element:
<person cls="U">John</person> <location cls="S">Florida</location> <gps cls="S">28°N,81°W</gps> <informant cls="TS">Mike</informant>
SLIDE: 31
Element-Level Security
Based on a new concept: Protected Path. Uses XPath expressions to find the information to conceal:
sec:protect-path("/root/emp[@cls='u']", (), (("u_role", "read")))
sec:protect-path("/root/emp[@cls='ts']", (), (("ts_role", "read")))
Can be combined with compartment security
Protected Paths are indexed separately
Queries, updates and search are all redacted
Works on XML and JSON with the same XPath expression
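An added example (not MarkLogic's code) of what a protected path enforces: elements matched by a path such as /root/emp[@cls='u'] are concealed unless one of the caller's roles holds read on that path, and search runs over the concealed view so hit counts cannot leak hidden elements. Only the slide's XPath subset (child steps with one attribute-equality predicate) is parsed; the tree shape, the rule objects and the sample document are constructed for this example.

```javascript
// Parse the XPath subset used on the slide: child steps, each optionally
// carrying one attribute-equality predicate, quoted or not.
function parsePath(path) {
  return path.split('/').filter(Boolean).map(step => {
    const m = /^([\w:-]+)(?:\[@([\w:-]+)=['"]?([^'"\]]+)['"]?\])?$/.exec(step);
    if (!m) throw new Error('unsupported path step: ' + step);
    return m[2] ? { name: m[1], attr: m[2], value: m[3] } : { name: m[1] };
  });
}
// Node shape (constructed, XML-like): { name, attrs, children, text }
function stepMatches(node, step) {
  return node.name === step.name && (!step.attr || node.attrs[step.attr] === step.value);
}

// Return a copy of the tree with every node that a protected path matches
// removed unless one of the user's roles holds 'read' on that path.
function conceal(node, protectedPaths, userRoles, ancestors = []) {
  const here = [...ancestors, node];
  for (const pp of protectedPaths) {
    const steps = parsePath(pp.path);
    if (steps.length !== here.length || !steps.every((s, i) => stepMatches(here[i], s))) continue;
    const allowed = pp.permissions.some(([role, cap]) => cap === 'read' && userRoles.includes(role));
    if (!allowed) return null; // concealed; the caller drops it
  }
  const children = (node.children || []).map(c => conceal(c, protectedPaths, userRoles, here)).filter(Boolean);
  return { ...node, children };
}

// Search runs over the concealed view only, so hit counts cannot leak what a
// role may not read (the slide: "queries, updates and search are all redacted").
function countVisible(tree, name) {
  if (!tree) return 0;
  return (tree.name === name ? 1 : 0) + tree.children.reduce((n, c) => n + countVisible(c, name), 0);
}

// Constructed document and the two protected paths from the slide.
const DOC = { name: 'root', attrs: {}, children: [
  { name: 'emp', attrs: { cls: 'u' }, children: [], text: 'John' },
  { name: 'emp', attrs: { cls: 'ts' }, children: [], text: 'Mike' },
  { name: 'dept', attrs: {}, children: [], text: 'Sales' },
] };
const PROTECTED = [
  { path: "/root/emp[@cls='u']", permissions: [['u_role', 'read']] },
  { path: "/root/emp[@cls='ts']", permissions: [['ts_role', 'read']] },
];
```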
SLIDE: 32
Redaction
Source document: Name: John, Telephone: 777-3400-0889, SSN: 345-57-9877, Doctor's Notes: Very Sick
Export copy with MLCP (redaction applied): Name: Sudhasddd, Telephone: 768-757-5757, SSN: XXX-XX-9877, Doctor's Notes: Very Sick
SLIDE: 33
Redaction
Based on a new concept: Redaction Rules Collection. Rules are documents in one collection, e.g. “my_redaction”
Each rule uses XPath expressions to find information to conceal or mask (e.g., path: '//ssn', across XML and JSON documents)
Use mlcp to export data applying the rules (e.g., mlcp.sh -redaction "my_redaction")
Supports custom rules in addition to the following out-of-the-box rules:
Conceal
Cryptic masking: random or deterministic
Patterns: SSN, US phone, email, IPv4, regex
SLIDE: 34
Key Takeaways
Security is only as strong as the weakest link, therefore you need to protect the entire stack and not only MarkLogic
MarkLogic enables you to implement comprehensive AAA security with:
Local, Distributed and Delegated Identification and Authentication
Multiple Access Control types: RBAC, ABAC, PBAC, LBAC
Robust Auditing
MarkLogic 9 will bring additional capabilities to keep you ahead of threats: Encryption, Redaction, Element-Level Security
Q&A