Securing Couchbase for your enterprise – Connect Silicon Valley 2017

Date post: 21-Jan-2018
Upload: couchbase
Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved. SECURITY Couchbase Server 5.0 & Couchbase Mobile 2.0
Transcript
Page 1: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

SECURITY

Couchbase Server 5.0 & Couchbase Mobile 2.0

Page 2: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

WHY SECURITY?

The Net is Dark and Full of Terrors

Page 3: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

Recent Security Breaches

• WannaCry Ransomware (May 2017)
• WikiLeaks CIA Vault 7 (March 2017)
• Cloudflare Cloudbleed (Feb 2017)
• MongoDB hack (Jan 2017)
• Equifax (Sept 2017)
• DocuSign (May 2017)
• Verizon (July 2017)
• Deloitte (Sep 2017)
• Securities and Exchange Commission (SEC) (Sep 2017)

Page 4: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

REVIEW | SECURITY CAPABILITIES

A quick refresher

Page 5: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

Security – A Major Question at Different Levels

[Diagram labels: Users, Outside Network, External Firewall, Perimeter Network, Web Server, Internal Firewall, Internal Network, Application Server, COUCHBASE CLUSTER. Levels: Applications, Infrastructure, Data, Users]

Page 6: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

Defense in Depth: Layered approach to customer environment

• Facility: Physical controls, video surveillance, access control
• Network perimeter: Edge routers, firewalls, intrusion detection, vulnerability scanning
• Internal network: Intrusion detection, vulnerability scanning
• Host: Access control and monitoring, anti-malware, patch and configuration management
• Application: Secure engineering (SDL), Access Control, security monitoring, anti-malware
• Admin: Account Management, training and awareness, screening
• Data: Authorization, Data Encryption, Data Masking, Secret Management

Page 7: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

Security Pillars in Couchbase

• Authentication: App/Data: SASL AuthN; Admin: Local or LDAP; PAM Authentication (4.6)
• Authorization: Local Admin User; Local Read-Only User; RBAC for Admins; RBAC for Applications (5.0)
• Crypto: TLS admin access; TLS client-server access; Secure XDCR; X.509 certificates for TLS; Data-at-rest Encryption*; Field-level Encryption*; Secret Management (4.6)
• Auditing: Admin auditing
• Operations: Security management via UI/CLI/REST

* Via third-party partners

Page 8: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

Couchbase addresses Security concerns for the full stack

[Diagram: Client Tier (Mobile Client, Web Client, Desktop Client), Middle Tier (Web Services), Data Tier (Database); COUCHBASE LITE, SYNC GATEWAY, COUCHBASE SERVER; Internet, Intranet]

1. Local Storage: Full Database AES-256 Encryption
2. Secure Transport Over Wire
3. Pluggable Authentication
4. User and Role Based Data Access Control
5. Secure Data Storage in the Cloud with Partner Solutions

Page 9: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

Authentication

Authentication Domains

Internal (local): Internal users managed by Couchbase
• Challenge-response
• User management (New)

Cluster Authentication
• Shared Erlang token

External: External users managed by 3rd party Identity Management System
• LDAP integration
• Pluggable Authentication Modules (PAM)

Page 10: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

Pluggable Authentication Modules (PAM) in Couchbase 4.6

• Allows UNIX local accounts to authenticate as Couchbase administrators
• Pluggable authentication architecture that is policy driven

Centralized Management: Centralize and synchronize administrator account management using UNIX user management services

Security Policy Enforcement: Allows configuration of strong security policies such as strong password requirements

Page 11: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

Authorization

Authorization for Admins
• Role based access control for Administrators

Authorization for Apps
• RBAC for applications (New)

Page 12: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

Role-Based Access Control (RBAC) for Administrators

• Regulatory Compliance: A strong demand for applications to meet standards recommended by regulatory authorities
• Segregation of Admin Duties: Every admin does not have all the privileges. Depending on the job duties, admins can hold only those privileges that are required.
• Security Privilege Separation: Only the full-admin has the privilege to manage security, and his/her actions can be audited just like other administrators.

Role-Based Access Control (RBAC) allows you to specify what each admin can access in Couchbase through role membership

Page 13: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

RBAC for Administrators – How it works

• Administrative users can be mapped to out-of-the-box roles
• Roles pre-defined with permissions for specific resources
  • Full Admin
  • Cluster Admin
  • Bucket Admin
  • View Admin
  • XDCR Admin
• Can work with internal and external users

Page 14: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

Encryption

On-the-wire Encryption
• TLS between client and server
• TLS between datacenters using secure XDCR
• X.509 CA Certificates for trusted encryption between client and server

On-Disk Encryption
• Volume and application level encryption through our trusted third-party partners (Vormetric, Protegrity, SafeNet)
• FIPS 140-2 compliant

Page 15: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

Role Based Access Control

RBAC for Applications – New in 5.0

Page 16: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

Role-Based Access Control (RBAC) for Applications

• Regulatory Compliance: A strong demand for applications to meet standards recommended by regulatory authorities
• Segregation of User Duties: Depending on the job duties, users can hold only those privileges that are required
• Locking Down Services: Depending on what the service is needed for, only those roles can be assigned

• Meet regulatory compliance requirements for data users and applications
• Simplified access control management for data and admin users across the cluster

Page 17: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

RBAC Security Model

• NIST Model
• Scalable user accounts
• Fixed out-of-the-box data roles in 5.0
• 1:N User-to-role mapping
• Roles can be applied for specific buckets / across all buckets [*]

User: A human user or service

Role: A fixed grouping of privileges that defines the access given

Privilege: A set of actions on a given resource, e.g. read documents on "foo" bucket

Action: an operation, e.g. read, write, read metadata

Resource: some system object that an action can be performed on, e.g. bucket, index, etc.

Page 18: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

High Level Process of Securing your Environment

• Secure the Perimeter and Layers:
• Identify the secure perimeter.
• Secure the perimeter via firewall rules
• Secure the full stack with appropriate procedures – OS, Database, Application
• Encrypt at Rest and in Transit:
• Encrypt all communication that traverses the secure perimeter
• Encrypt data on disk
• Control Access
• Limit access to the database and data and sensitive files (configuration, logs etc.)
• Leverage Couchbase-specific feature functionality to further enhance / augment the security at the database level (e.g. SSL, RBAC)
• Assess and further minimize your attack surface area.

Page 19: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

WHAT’S NEW IN COUCHBASE 5.0?

Page 20: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

Couchbase Server 5.0

New security capabilities

• Authorization: Role Based Access Control for Applications
• Authentication: X.509 certificate based authentication

Page 21: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

RBAC

Page 22: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

RBAC for users and applications

Data Access Compliance

Unique identities for users and apps
- Internally / Externally (LDAP, PAM) managed authentication domains

Segregated data access
- Roles for locking down access to data, query and full text services
- Roles that will allow users and services to only do their jobs and nothing more

Simplified Access Control

Built-in roles for data and admin access
- Simplified security management through roles not individual users

Centralized security management
- Full-admin can configure cluster-wide RBAC through UI, REST and CLI

Page 23: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

RBAC for users and applications

N1QL GRANT and REVOKE statements

• GRANT a role to a user
• REVOKE a role from a user
• Distinct roles for each N1QL statement type

GRANT query_insert ON `travel-sample` TO don;
REVOKE query_insert ON `travel-sample` FROM jdoe;

New system catalogs for RBAC

• system:user_info
• system:my_user_info
• system:applicable_roles

Page 24: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

User Management

Flexible User Management

• Internal and External authorization support

• Unique identities for data users and services

• REST and CLI configurable

• Seamless upgrades without application changes

• Scalable

Page 25: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

New Roles for Data Service – RBAC in 5.0

• Data Reader: Read data from bucket
• Data Writer: Write data to bucket
• Data DCP Reader: Can read the DCP stream from bucket
• Data Backup: Can backup/restore the bucket
• Data Monitoring: Can monitor statistics for bucket

Page 26: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

New Roles for Query Service – RBAC in 5.0

• Query Select: Can execute SELECT N1QL statement for bucket
• Query Update: Can execute UPDATE N1QL statement for bucket
• Query Insert: Can execute INSERT N1QL statement for bucket
• Query Delete: Can execute DELETE N1QL statement for bucket
• Query Manage Index: Can execute index management statements for bucket
• Query System Catalog: Can query system tables for bucket
• Query External Access: Can execute N1QL CURL statement

Page 27: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

New Roles for Full Text Search Service – RBAC in 5.0

• FTS Admin: Can administer FTS service
• FTS Searcher: Can execute search queries for a bucket

Page 28: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

Bucket Roles – RBAC in 5.0

• Bucket Full Access: Can administer FTS service
• Bucket Admin: Can execute search queries for a bucket

So, can I get a role that gives me the application behavior similar to pre-5.0?

Page 29: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

Password Policy and Rotation

Policy and Rotation

• Simple password policy rules enforced when initially set or rotated
• Policy can be set using REST or CLI
• Password can be reset using UI, REST or CLI

Default Policy

{
  "enforceDigits": false,
  "enforceLowercase": false,
  "enforceSpecialChars": false,
  "enforceUppercase": false,
  "minLength": 6
}
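
An added example, not part of the original deck: a local check of candidate passwords against a policy document that uses the field names of the default policy above, run against that default and against a stricter policy. The stricter values, the sample passwords and the definition of a special character as any non-alphanumeric character are assumptions of this example.

```python
import json

# Default policy exactly as shown on the slide.
DEFAULT_POLICY = json.loads("""
{
  "enforceDigits": false,
  "enforceLowercase": false,
  "enforceSpecialChars": false,
  "enforceUppercase": false,
  "minLength": 6
}
""")

# Hypothetical hardened policy (values are an assumption, not from the slide).
HARDENED_POLICY = {
    "enforceDigits": True,
    "enforceLowercase": True,
    "enforceSpecialChars": True,
    "enforceUppercase": True,
    "minLength": 12,
}

# Each enforce* flag maps to a label and a per-character predicate.
# Assumption: "special" means any character that is not a letter or digit.
CHAR_CLASSES = {
    "enforceDigits": ("digit", str.isdigit),
    "enforceLowercase": ("lowercase letter", str.islower),
    "enforceUppercase": ("uppercase letter", str.isupper),
    "enforceSpecialChars": ("special character", lambda c: not c.isalnum()),
}


def violations(password, policy):
    """Return the policy rules the password fails (empty list if it passes)."""
    failed = []
    if len(password) < policy["minLength"]:
        failed.append("shorter than minLength=%d" % policy["minLength"])
    for flag, (label, predicate) in CHAR_CLASSES.items():
        if policy.get(flag) and not any(predicate(c) for c in password):
            failed.append("missing %s (%s)" % (label, flag))
    return failed


def accepted(policy, candidates):
    """Return the candidates that the policy would accept."""
    return [p for p in candidates if not violations(p, policy)]


# Constructed sample passwords, from trivially guessable to strong.
SAMPLES = ["123456", "dougpassword", "Tr4vel-Sample!2017"]

if __name__ == "__main__":
    for name, policy in (("default", DEFAULT_POLICY), ("hardened", HARDENED_POLICY)):
        print("%s policy accepts: %s" % (name, accepted(policy, SAMPLES)))
        for pw in SAMPLES:
            for reason in violations(pw, policy):
                print("  %-20s %s" % (pw, reason))
```

The default policy accepts every sample, including `123456`, which is why the policy is worth tightening before user accounts are created.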

Page 30: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

Role Assignment – Using REST and CLI

Using REST

curl -X PUT http://localhost:8091/settings/rbac/users/local/doug-data-user \
  -u Administrator:password \
  -d "roles=data_reader[travel-sample]" \
  -d "password=dougpassword"

Using CLI

./couchbase-cli user-manage --set --rbac-username doug-n1ql-user \
  --rbac-password dougpassword --auth-domain local \
  --roles "data_reader[*],query_select[*]" \
  -c http://localhost:8091 -u Administrator -p password
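
An added example, not Couchbase code and not from the original deck: a least-privilege check on role strings in the `role[bucket]` form passed to the REST and CLI calls above, flagging wildcard scopes, unneeded roles and administrative roles before the assignment is made. The administrative role identifiers, the `needs` allow-list format and the stated needs of `doug-n1ql-user` are assumptions of this example.

```python
import re

# One role item: "role[bucket]" or a bare "role" with no bucket scope.
ROLE_RE = re.compile(r"^([a-z_]+)(?:\[([^\[\]]+)\])?$")

# Administrative role identifiers (assumed spellings of the admin roles the deck lists).
ADMIN_ROLES = {"admin", "cluster_admin", "bucket_admin", "views_admin", "replication_admin"}


def parse_roles(spec):
    """Split a roles string into (role, bucket) pairs; bucket is None if unscoped."""
    grants = []
    for item in spec.split(","):
        match = ROLE_RE.match(item.strip())
        if match is None:
            raise ValueError("malformed role item: %r" % item)
        grants.append((match.group(1), match.group(2)))
    return grants


def fmt(grant):
    """Render a (role, bucket) pair back into role[bucket] form."""
    role, bucket = grant
    return role if bucket is None else "%s[%s]" % (role, bucket)


def covers(grant, need):
    """True if the granted role satisfies the needed one; [*] covers every bucket."""
    return grant[0] == need[0] and grant[1] in ("*", need[1])


def audit(spec, needs):
    """Compare granted roles with the (role, bucket) pairs the identity needs."""
    grants = parse_roles(spec)
    findings = []
    for grant in grants:
        used = sorted(n for n in needs if covers(grant, n))
        if grant[0] in ADMIN_ROLES:
            findings.append("%s: administrative role on an application identity" % fmt(grant))
        elif not used:
            findings.append("%s: not needed, revoke" % fmt(grant))
        elif grant[1] == "*":
            buckets = ", ".join(sorted({n[1] for n in used}))
            findings.append("%s: wildcard scope, only %s needed" % (fmt(grant), buckets))
    for need in sorted(needs):
        if not any(covers(g, need) for g in grants):
            findings.append("%s: required but not granted" % fmt(need))
    return findings


def tightened(needs):
    """Build the minimal roles string that satisfies the stated needs."""
    return ",".join(fmt(n) for n in sorted(needs))


if __name__ == "__main__":
    # Constructed input: the two role strings from the slide, plus assumed needs.
    n1ql_needs = {("data_reader", "travel-sample"), ("query_select", "travel-sample")}
    for user, spec, needs in (
        ("doug-data-user", "data_reader[travel-sample]", {("data_reader", "travel-sample")}),
        ("doug-n1ql-user", "data_reader[*], query_select[*]", n1ql_needs),
    ):
        print(user, audit(spec, needs) or "ok")
    print("suggested roles:", tightened(n1ql_needs))
```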

Page 31: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

GRANT/REVOKE statements in N1QL for RBAC

GRANT ROLE

GRANT ROLE data_reader(`*`) to doug

REVOKE ROLE

REVOKE ROLE data_reader(`*`) from doug

Page 32: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

Web Console For Administrators and Developers

Who gets to log into the web console?

1. Administrators (Any administrator role)

2. Developers (Users who have one or more query roles)

Page 33: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

AUTHENTICATION

Page 34: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

Why Certificate Auth

Certificates are widely available across the enterprise infrastructure

• Stronger security by mutually authenticating the client and server
• Stronger non-repudiation guarantees for user actions
• Stronger crypto on the communication channel
• Users forget passwords, or may set a weak one. No easily cracked passwords!

Page 35: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

High-Level Requirements

Deployment
• Each service can have its own certificate
• Multiple services can be co-located on same app server
• Services on the same app host can talk to two different CB buckets
• Certificate & CA Certificate should be in .pem format
• Certificates can be signed by intermediaries, which are then signed by root CA
• Service certificates (client-certs) are signed by the same chain of trust, terminating at the root CA, as server certificates
• Certificates will be manually generated and loaded into Couchbase

Access Points
• Certificate based authentication is needed for memcached access
• Certificate based authentication is needed for N1QL and FTS access
• Certificate based authentication is needed for UI access

Page 36: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

High-Level Requirements

• AuthZ: RBAC should be able to authorize users based on the details presented in the certificate
• SDK Support: Certificate support should be available in all Couchbase clients starting first with Java
• Certificate Rotation: Certificate rotation must be done completely online without disconnecting existing connections

Page 37: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

The Handshake

[Diagram labels: Java Client; Server Certificate 4.5 (X.509 for trusted client-server encryption)]

Page 38: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

SDK Enhancements

New Password Authenticator Class

• Upgrade to latest SDK versions!

Page 39: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

SDK Enhancements

Shorthand URI Approach

• Pre-5.0 approach assumes bucket with matching username
• Similar URI approach can be used with full bucket, user and password parameters
• Available for subset of libraries
• Not recommended, but available for ease of migration

Further reading...

• https://blog.couchbase.com/new-sdk-authentication/
• Minimal versions for 5.0 Beta SDK support
  • Java 2.4.5 – .NET 2.4.5 – Node.js 2.3.3 – Python 2.2.4 – PHP 2.3.2 – Go 1.2.3 – C 2.7.5

Page 40: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

Big Data Connectors

• Configuration-wide username is now available
• Not limited to bucket passwords
• Kafka 3.1.3 (May 2017)
• Spark release pending – build from source

Page 41: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

Security Overview - Couchbase Mobile 2.0

Page 42: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

Typical 3-Tier architecture

[Diagram: Client Tier (Mobile Client, Web Client, Desktop Client), Internet, Middle Tier (Web Services), Intranet, Data Tier (Database)]

Page 43: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

Security concerns for mobile applications

1. Data Storage on Device
• File System Encryption
• Data Encryption
• Key Rotation
• Offline Login

2. Data Transport on the Wire
• Secure Transport

3. Authentication
• Principal Instantiation
• Session Management

4. Data Access Control
• Read Access
• Write Validation

5. Data Storage in the Cloud
• File System Encryption
• Data Encryption

Page 44: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

Security concerns across the full stack

[Diagram: Client Tier (Mobile Client, Web Client, Desktop Client), Middle Tier (Web Services), Data Tier (Database); Internet, Intranet]

1. Local Storage
2. Transport Over Wire
3. Authentication
4. Data Access Control
5. Data Storage in the Cloud

Page 45: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

Couchbase addresses Security concerns for the full stack

[Diagram: Client Tier (Mobile Client, Web Client, Desktop Client), Middle Tier (Web Services), Data Tier (Database); COUCHBASE LITE, SYNC GATEWAY, COUCHBASE SERVER; Internet, Intranet]

1. Local Storage: Full Database AES-256 Encryption
2. Secure Transport Over Wire
3. Pluggable Authentication
4. User and Role Based Data Access Control
5. Secure Data Storage in the Cloud with Partner Solutions

Page 46: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

Couchbase addresses Security concerns for the full stack

[Diagram: Client Tier (Mobile Client, Web Client, Desktop Client), Middle Tier (Web Services), Data Tier (Database); COUCHBASE LITE, SYNC GATEWAY, COUCHBASE SERVER; Internet, Intranet]

1. Local Storage: Full Database AES-256 Encryption
2. Secure Transport Over Wire
3. Authentication
4. Data Access Control
5. Data Storage in the Cloud

Page 47: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

Securing Local Storage

Encrypted Data Requires Key for Access

Page 48: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

Securing Local Storage—what’s available OOB?

Couchbase Provides
• Full database encryption
• File system encryption
• Key rotation
• Offline login

Application Developer Responsibilities
• Key Selection
• Key Storage

Page 49: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

How Couchbase addresses Security concerns for the full stack

[Diagram: Client Tier (Mobile Client, Web Client, Desktop Client), Middle Tier (Web Services), Data Tier (Database); COUCHBASE LITE, SYNC GATEWAY, COUCHBASE SERVER; Internet, Intranet]

1. Local Storage: Full Database AES-256 Encryption
2. Secure Transport Over Wire
3. Authentication
4. Data Access Control
5. Data Storage in the Cloud

Page 50: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

Secure Data Transport over the Internet

SYNC GATEWAY

{
  "SSLCert": "cert.pem",
  "SSLKey": "privkey.pem",
  "databases": {
    "todo": {
      ……
    }
  }
}

Page 51: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

Secure Data Transport over the Intranet

SYNC GATEWAY

"databases": {
  "todo": {
    "server": "https://cb-server:8091",
    "bucket": "data-bucket",
    "username": "data-bucket",
    ……
  }
}

[Diagram: COUCHBASE SERVER (SERVER 1, SERVER 2, SERVER 3)]

Page 52: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

How Couchbase addresses Security concerns for the full stack

[Diagram: Client Tier (Mobile Client, Web Client, Desktop Client), Middle Tier (Web Services), Data Tier (Database); COUCHBASE LITE, SYNC GATEWAY, COUCHBASE SERVER; Internet, Intranet]

1. Local Storage: Full Database AES-256 Encryption
2. Secure Transport Over Wire
3. Pluggable Authentication
4. Data Access Control
5. Data Storage in the Cloud

Page 53: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

Authentication

• Basic Authentication

• OpenID Connect

• Custom Authentication

• Facebook Login

Page 54: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

Authentication: OpenID Connect

• OpenID Connect is an interoperable authentication protocol based on the OAuth 2.0 family of specifications
• Supported flows
  • Authorization Code Flow
  • Implicit Flow
• Production deployments of OpenID Connect

Page 55: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

OpenID Connect – Authorization Code Flow

[Sequence diagram. Participants: OpenID Connect Provider, System Browser, Mobile Device, Sync Gateway, Identity Provider. Message labels as extracted from the slide:]

• Application initiates authentication by connecting to Sync Gateway’s OIDC end-point
• Sync Gateway responds with redirect to OIDC Provider
• User is sent to OIDC provider endpoint
• Validate credentials
• Validation result (true/false)
• Upon successful authentication, redirect to Sync Gateway with authorization code
• Sync Gateway returns ID token, session ID, refresh token
• Challenge for user authentication
• Receive credentials from user
• End user is redirected to Sync Gateway with authorization code
• Sync Gateway uses authorization code to make access request to token endpoint
• OIDC Provider returns access token, ID token, refresh token to Sync Gateway
• Application sets session cookie in replication headers
• Sync Gateway creates a session for authenticated user
• Sync Gateway Session Cookie sent in the replication requests
• Device opens endpoint in browser

Page 56: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

OpenID Connect – Implicit Flow

[Sequence diagram. Participants: OpenID Connect Provider, System Browser, Mobile Device, Sync Gateway, Identity Provider. Message labels as extracted from the slide:]

• Application initiates authentication and opens system browser
• Redirect to OIDC Provider for user authentication
• Challenge for user authentication
• Receive credentials from user
• Validate credentials
• Validation result (true/false)
• Client receives tokens in the response
• Sync Gateway Session Cookie returned
• CBL uses JWT token to get a Sync Gateway session
• Replicator session cookie is set
• Sync Gateway provides option to create user based on JWT token
• Cookies sent in the replication request to Sync Gateway

Page 57: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

Custom Authentication

[Sequence diagram. Participants: Custom Authentication Provider, Mobile Device, Sync Gateway, Identity Provider. Message labels as extracted from the slide:]

• Application initiates authentication with Custom Auth Provider
• Request credential for user authentication
• Receive credentials from user
• Validate credentials
• Validation result (true/false)
• Set authentication session cookie
• Client receives response
• POST request with the user name to the Admin REST API http://server/dbname/_session
• Cookie value set in response body
• Cookies sent in the replication request to Sync Gateway
• Replicator cookie parameter set
• Create user (if needed) with the Admin REST API http://server/dbname/_user

Page 58: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

How Couchbase addresses Security concerns for the full stack

[Diagram: Client Tier (Mobile Client, Web Client, Desktop Client), Middle Tier (Web Services), Data Tier (Database); COUCHBASE LITE, SYNC GATEWAY, COUCHBASE SERVER; Internet, Intranet]

1. Local Storage: Full Database AES-256 Encryption
2. Secure Transport Over Wire
3. Authentication
4. User and Role Based Data Access Control
5. Data Storage in the Cloud

Page 59: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

Data Access in mobile apps

[Figure labels: tent, survival gear, camping supplies, sleeping bags; SHARE; Bob, John, Alice]

Page 60: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

Data Access Control in Couchbase

• User Based Access: User Permissions
• Roles: APIs for Role Definition & Assignment
• Data partitioning: Channels
• Read Access: Access Grants
• Write Access: Sync Function
• Data Validation: Sync Function

Page 61: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

How Couchbase addresses Security concerns for the full stack

[Diagram: Client Tier (Mobile Client, Web Client, Desktop Client), Middle Tier (Web Services), Data Tier (Database); COUCHBASE LITE, SYNC GATEWAY, COUCHBASE SERVER; Internet, Intranet]

1. Local Storage: Full Database AES-256 Encryption
2. Secure Transport Over Wire
3. Authentication
4. Data Access Control
5. Secure Data Storage in the Cloud with Partner Solutions

Page 62: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

Securing data at Rest in Couchbase Server

Page 63: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

Couchbase addresses Security concerns for the full stack

[Diagram: Client Tier (Mobile Client, Web Client, Desktop Client), Middle Tier (Web Services), Data Tier (Database); COUCHBASE LITE, SYNC GATEWAY, COUCHBASE SERVER; Internet, Intranet]

1. Local Storage: Full Database AES-256 Encryption
2. Secure Transport Over Wire
3. Pluggable Authentication
4. User and Role Based Data Access Control
5. Secure Data Storage in the Cloud with Partner Solutions

Page 64: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

Q&A

Page 65: Securing Couchbase for your enterprise – Connect Silicon Valley 2017

THANK YOU

