
MARKLOGIC Security · RBAC – Role Based Access Control ... Secure version control supports...

Date post: 20-Apr-2020
© COPYRIGHT 2016 MARKLOGIC CORPORATION. ALL RIGHTS RESERVED. MARKLOGIC SECURITY Caio Milani, Director, Product Management, MarkLogic Rangan Doreswamy, Technical Product Manager, MarkLogic
Transcript
Page 1: MARKLOGIC SECURITY

Caio Milani, Director, Product Management, MarkLogic
Rangan Doreswamy, Technical Product Manager, MarkLogic

Page 2 (Slide 2): Disclaimer

MarkLogic 9 is currently under development. The features and how they are implemented are subject to change.

Page 3 (Slide 3): Agenda

- Enterprise deployment architecture
- MarkLogic security
- Deploying MarkLogic securely
- On the horizon
- Q&A

Page 4: SECURITY

Only As Strong As The Weakest Link

Page 5 (Slide 5): Typical Enterprise Architecture

[Diagram labels: public network (endpoints); end user apps; third party services; firewall; DMZ; application servers; firewall; DBMS; IdAM (identity management): authentication, authorization, auditing; data, app, policy; "Use logs for… auditing"]

Page 6 (Slide 6): Pillars of Security

SECURITY OVERVIEW

- Confidentiality: encryption
- Integrity: track changes
- Authenticity: verify users

Page 7 (Slide 7): The 3 A's of Application Security

- Authentication: validate the identity of the security principal (users, application services, machines, etc.)
- Authorization: validate that the authenticated security principal has the right to access the requested resource
- Auditing: prevent repudiation with the systematic examination and verification of the actions or events using the authenticated security principals

Page 8 (Slide 8): MarkLogic Security

OVERVIEW

- Security is core to the product
- MarkLogic is a leader in the industry
- Strong track record
- Customer trust

[Diagram labels: provenance; availability; certified; authenticity; integrity; confidentiality]

Page 9 (Slide 9): Common Criteria Certified

CERTIFIED SECURITY

- One of 6 database vendors carrying the Common Criteria Security Certification; the only NoSQL database
- Certified to run in classified government systems: PL3/ICD 503 and DITSCAP

Page 10 (Slide 10): How MarkLogic Delivers: Authentication

- Local, Distributed and Delegated
- Identification and Authentication via LDAP/Kerberos mapped roles

[Diagram labels: authorization; authentication; auditing]

Page 11 (Slide 11): How MarkLogic Delivers: Authorization

- Utilize Roles, Compartments, Labels and Privileges to support any content access control rules
- DBAs are not excessively privileged: fine-grained controls, no OS access required

[Diagram labels: authorization; authentication; auditing]

Page 12 (Slide 12): RBAC – Role Based Access Control

Other models: Attribute-Based Access Control (ABAC), Policy-Based Access Control (PBAC), Label-Based Access Control (LBAC).

Page 13 (Slide 13): How MarkLogic Delivers: Auditing

- Secure version control supports non-repudiation/lineage
- Robust audit capability: audit document access and updates, configuration changes, administrative actions, code execution, and changes to access control
- Mature security patch process

[Diagram labels: authorization; authentication; auditing]

Page 14 (Slide 14): How do we make this system secure?

[Diagram labels: end user clients; firewall; app servers; firewall; database cluster]

Page 15 (Slide 15): Phase 1: Harden the Environment

END USER ENDPOINTS

- All devices are untrusted to begin with; device endpoints need to be authenticated
- Provision credentials using a well-known trusted CA
- Enforce a password policy for end users and devices
- Consider using MFA (multi-factor authentication)

[Diagram labels: end user clients; firewall; app servers; firewall; database cluster]

Page 16 (Slide 16): Phase 1: Harden the Environment

APP SERVER MACHINES

- OS and security patches
- Remove unsecure services (FTP, Telnet, etc.)
- Disable unused TCP/UDP ports (e.g., port 80)
- Consider using M-2-M authentication
- Ensure load balancers are configured correctly
- Always use mutual authentication between endpoints
- Monitor SysLog and EventLog for unusual activities
- Close all ports except 8000, 8001, 8002
- IdAM services: for LDAP disable 389, ensure communication is only on 443

[Diagram labels: end user clients; firewall; app servers; firewall; database cluster]

Page 17 (Slide 17): Phase 1: Harden the Environment

DB CLUSTER MACHINES

- OS and security patches
- Consider M2M authentication
- Separation of roles: SysAdmin and DBAdmin
- Create network fencing
- Change all default passwords
- Monitor SysLog and EventLog for unusual activities

[Diagram labels: end user clients; firewall; app servers; firewall; database cluster]
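
A check for the Phase 1 port rules on Page 16, added here as an example (it is not from the deck or from MarkLogic): it parses `ss -ltn` style output and reports every listener outside the 8000/8001/8002 allow-list, naming the services the slide calls out. The sample output is constructed, and treating loopback-only listeners as lower severity is an assumption of this example.

```python
# Ports the Phase 1 slide says may stay open.
ALLOWED_PORTS = {8000, 8001, 8002}
# Services the slide names for removal or disabling.
FLAGGED = {21: "FTP", 23: "Telnet", 80: "HTTP (unused port 80)",
           389: "LDAP (cleartext)"}

# Constructed sample of `ss -ltn` output; not captured from a real host.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:8000        0.0.0.0:*
LISTEN  0       128     0.0.0.0:8001        0.0.0.0:*
LISTEN  0       128     0.0.0.0:8002        0.0.0.0:*
LISTEN  0       32      0.0.0.0:21          0.0.0.0:*
LISTEN  0       128     [::]:80             [::]:*
LISTEN  0       128     127.0.0.1:5432      0.0.0.0:*
LISTEN  0       128     *:389               *:*
"""

def listening_sockets(ss_output):
    """Yield (address, port) for each LISTEN row of `ss -ltn` output."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # rpartition copes with IPv6 forms such as [::]:80 where ':' repeats.
        addr, _, port = fields[3].rpartition(":")
        if port.isdigit():
            yield addr, int(port)

def is_loopback(addr):
    return addr.startswith("127.") or addr in ("[::1]", "::1", "localhost")

def audit(ss_output, allowed=ALLOWED_PORTS):
    """Return sorted findings for listeners outside the allow-list."""
    findings = []
    for addr, port in listening_sockets(ss_output):
        if port in allowed:
            continue
        label = FLAGGED.get(port, "not on allow-list")
        # Assumption: loopback-only listeners are reported, but at lower
        # severity, because they are not reachable from the network.
        severity = "info" if is_loopback(addr) else "high"
        findings.append((port, addr, severity, label))
    return sorted(findings)

if __name__ == "__main__":
    for port, addr, severity, label in audit(SAMPLE_SS):
        print(f"[{severity}] {addr}:{port} {label}")
```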

Page 18 (Slide 19): Phase 2: Securing the Application Deployment

1. Secure end user client authentication

[Diagram labels: end user clients; firewall; app servers; firewall; database cluster]

Page 19 (Slide 20): Phase 2: Securing the Application Deployment

2. Communication security ("secure the pipes")

[Diagram labels: end user clients; firewall; app servers; firewall; database cluster]

Page 20 (Slide 21): Phase 2: Securing the Application Deployment

3. Secure connection between app servers and end users

[Diagram labels: end user clients; firewall; app servers; firewall; database cluster]

Page 21 (Slide 22): Phase 2: Securing the Application Deployment

4. Secure connection between app servers and the database

[Diagram labels: end user clients; firewall; app servers; firewall; database cluster; authentication, authorization, auditing]

Page 22 (Slide 23): MarkLogic Security Deployment Architecture

[Diagram labels: end user clients; firewall; MarkLogic app servers; firewall; MarkLogic cluster; authentication, authorization, auditing]

Page 23: SECURITY ROADMAP

Page 24 (Slide 25): Encryption

Transparent Encryption of Data, Configuration and Logs

- Prevent Sys Admin access to sensitive information
- Prevent tampering of information on disk
- Separate key management control:
  - Reduce DBA authority
  - Reduce ability to hack a system
- Match stringent security standards

PREVIEW IN EARLY ACCESS

Page 25 (Slide 26): Security At the Database Layer Matters

- Financials: customer data, financial data
- Government: citizen data, classified data (defense)
- HealthCare: Protected Health Information (PHI)
- Publishing: nonpublic information
- Online Businesses: customer data, financial data

Breach examples on the slide:

- Business Wire, Marketwired and PR Newswire: infiltrated… reaped $100M in illicit profits
- Ashley Madison: 32 million members exposed; questionable business practices exposed; CEO stepped down; lawsuits piling up

Page 26 (Slide 27): Encryption in MarkLogic 9

- Transparent encryption of:
  - Databases
  - Logs
  - Config files
  - Backup
- Key management:
  - Local or external KMS
  - Separation of control (Sec Admin vs DB Admin)
  - Key rotation
- High performance encryption

[Diagram labels: cluster or laptop; KMS; DB backup; local key store; DB admin; sec admin; sys admin]

Page 27 (Slide 28): Encryption Keys Hierarchy

Hierarchy as listed on the slide:

- MKEK
- CKEK
- Data KEK (CDKEK), Configuration KEK (CCKEK), Logs KEK (CLKEK)
- Per object encryption key (OKEY), where Object := [Stands|Journals|etc]; per configuration file (CKEY); logs (ELKEY)

Annotations on the slide:

- Recommended hierarchy; ML has no knowledge or control over these
- Keys reside in KMS; key IDs are stored in keystore.xml; individual database keys can be provided
- Generated by MarkLogic; KEKs are stored encrypted in configuration files; per-file keys are stored encrypted as file headers

Page 28 (Slide 29): Redaction and Element-Level Security

Granular control on data visibility and data exported

- Completely conceal sensitive information from queries and updates at element or property level
- Share information with minimal effort by masking data when exporting datasets to QA, Dev or external entities
- Manage visibility and masking at the element or property level based on roles

PREVIEW IN EARLY ACCESS

Page 29 (Slide 30): Element-Level Security

    <person cls="U">John</person>
    <location cls="S">Florida</location>
    <gps cls="S">28°N,81°W</gps>
    <informant cls="TS">Mike</informant>

Page 30 (Slide 31): Element-Level Security

- Based on a new concept: Protected Path
- Uses XPath expressions to find information to conceal:

    sec:protect-path("/root/emp[@cls='u']", (), (("u_role", "read")))
    sec:protect-path("/root/emp[@cls='ts']", (), (("ts_role", "read")))

- Can be combined with compartment security
- Protected Paths are indexed separately
- Queries, updates and search are all redacted
- Works on XML and JSON with the same XPath expression
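
A model of the concealment described above, added here as a Python example (it is not MarkLogic code and does not use the `sec:` API): each protected path names the role that may read matching elements, and both reads and searches run over the concealed view. The `<report>` wrapper and the `s_role` name are assumptions; `u_role` and `ts_role` follow the slide.

```python
import xml.etree.ElementTree as ET

# Slide 30's elements, wrapped in a <report> root (the root is an assumption).
DOC = """<report>
  <person cls="U">John</person>
  <location cls="S">Florida</location>
  <gps cls="S">28°N,81°W</gps>
  <informant cls="TS">Mike</informant>
</report>"""

# (path, role that may read). s_role is a hypothetical name for the
# "S" elements; the slide only shows u_role and ts_role.
PROTECTED_PATHS = [
    (".//*[@cls='U']", "u_role"),
    (".//*[@cls='S']", "s_role"),
    (".//*[@cls='TS']", "ts_role"),
]

def visible_view(xml_text, roles):
    """Parse the document and drop protected elements the roles cannot read."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    for path, role in PROTECTED_PATHS:
        if role in roles:
            continue
        for elem in root.findall(path):
            parent = parent_of.get(elem)
            if parent is not None and elem in list(parent):
                parent.remove(elem)
    return root

def visible_text(xml_text, roles):
    """Element name -> text for what this set of roles can see."""
    return {e.tag: e.text for e in visible_view(xml_text, roles)}

def search(xml_text, roles, term):
    """Search the concealed view, so hidden values can never match."""
    view = visible_view(xml_text, roles)
    return [e.tag for e in view.iter() if e.text and term in e.text]

if __name__ == "__main__":
    for roles in ({"u_role"}, {"u_role", "s_role"},
                  {"u_role", "s_role", "ts_role"}):
        print(sorted(roles), visible_text(DOC, roles))
```

Running the search over the same filtered view is what keeps a hidden value from leaking through a hit count.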

Page 31 (Slide 32): Redaction

Original document:

    Name: John
    Telephone: 777-3400-0889
    SSN: 345-57-9877
    Doctor's Notes: Very Sick

EXPORT COPY WITH MLCP

Exported copy:

    Name: Sudhasddd
    Telephone: 768-757-5757
    SSN: XXX-XX-9877
    Doctor's Notes: Very Sick

Page 32 (Slide 33): Redaction

- Based on a new concept: Redaction Rules Collection
- Rules are documents in one collection, e.g. "my_redaction"
- Each rule uses XPath expressions to find information to conceal or mask (e.g., path: '//ssn', across XML and JSON documents)
- Use mlcp to export data applying the rules (e.g., mlcp.sh -redaction "my_redaction")
- Supports custom rules in addition to the following out-of-the-box rules:
  - Conceal
  - Cryptic masking: random or deterministic
  - Patterns: SSN, US phone, email, IPv4, regex
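
The rule kinds listed above (conceal, random and deterministic masking, the SSN pattern), applied to a JSON-like record, as an added Python example that is not MarkLogic's or mlcp's code. The rule layout, action names, salt and the `account` field are assumptions; the other record values come from the before/after slide.

```python
import hashlib
import hmac
import re
import secrets

# Constructed rules modelled on the rule kinds above. The dict layout and
# action names are hypothetical, not MarkLogic's rule document format.
RULES = [
    {"path": "//ssn", "action": "ssn-pattern"},
    {"path": "//name", "action": "mask-deterministic"},
    {"path": "//telephone", "action": "mask-random"},
    {"path": "//account", "action": "conceal"},
]
# Constructed record based on the before/after slide; "account" is added.
RECORD = {"patient": {"name": "John", "telephone": "777-3400-0889",
                      "ssn": "345-57-9877", "notes": "Very Sick",
                      "account": "constructed-0001"}}
SSN_RE = re.compile(r"^\d{3}-\d{2}-(\d{4})$")

def apply_rule(action, value, salt):
    if action == "ssn-pattern":
        m = SSN_RE.match(value)
        # Fail closed: anything that is not SSN-shaped is masked entirely.
        return f"XXX-XX-{m.group(1)}" if m else "XXX-XX-XXXX"
    if action == "mask-deterministic":
        # Same value and salt give the same mask, so joins still line up.
        return hmac.new(salt, value.encode(), hashlib.sha256).hexdigest()[:12]
    if action == "mask-random":
        return secrets.token_hex(6)
    raise ValueError(f"unknown action {action!r}")

def redact(node, rules=RULES, salt=b"constructed-demo-salt"):
    """Redacted copy of a JSON-like value; '//key' matches a key at any depth."""
    actions = {r["path"].lstrip("/"): r["action"] for r in rules}
    if isinstance(node, list):
        return [redact(item, rules, salt) for item in node]
    if not isinstance(node, dict):
        return node
    out = {}
    for key, value in node.items():
        action = actions.get(key)
        if action == "conceal":
            continue  # dropped from the exported copy
        if action:
            # str() so numbers or nested values under a matched key
            # never pass through unredacted.
            out[key] = apply_rule(action, str(value), salt)
        else:
            out[key] = redact(value, rules, salt)
    return out
```

Deterministic masking keeps equal inputs equal across exports, which also means a guessable value can be confirmed by anyone who holds the salt; random masking avoids that at the cost of breaking joins.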

Page 33 (Slide 34): Key Takeaways

- Security is only as strong as the weakest link, therefore you need to protect the entire stack and not only MarkLogic
- MarkLogic enables you to implement comprehensive AAA security with:
  - Local, Distributed and Delegated Identification and Authentication
  - Multiple Access Control types: RBAC, ABAC, PBAC, LBAC
  - Robust Auditing
- MarkLogic 9 will bring additional capabilities to keep you ahead of threats:
  - Encryption, Redaction, Element-Level Security

Page 34: Q&A

