Securing deployments: top to bottom, all around – Couchbase Connect 2016

©2016 Couchbase Inc. 1

Securing Couchbase Deployments

Top to bottom, all around


Don PintoSr. Product Manager [email protected]

Ritam SharmaSr. QE [email protected]

mailto:[email protected]


©2016 Couchbase Inc. 3©2016 Couchbase Inc.

Disclaimer

The following is intended to outline our general product direction. Details presented in this presentation might change based on customer feedback and other factors by the time the final version of the product is released.


Responsibility and Cost

Hackers and criminal insiders cause the most data breaches* 2016 Ponemon Report


Overview

• Security Outside Couchbase Server• Defense In Depth

• Security Inside Couchbase Server• Couchbase Security Pillars• What’s New In 4.5

• Couchbase Security Roadmap

• Demo “Securing Couchbase Server”

• Q&A


Defense-In-Depth for Maximum Security

©2016 Couchbase Inc.©2016 Couchbase Inc.

Security – A Major Question at Different LevelsO

utsi

de

Net

wor

k

Users

COUCHBASE CLUSTER

Inte

rnal

N

etw

ork

Perim

eter

N

etw

ork External

Firewall

Internal Firewall

Web Server

Application Server

Applications

Infrastructure

Data

Users



Inside the Database


Security Pillars in Couchbase

Authentication Authorization Crypto Auditing Operations

App/Data: SASL AuthN

Admin: Local or LDAP

Local Admin UserLocal Read-Only

UserRBAC for Admins

TLS admin accessTLS client-server

accessSecure XDCR

X.509 certificates for TLS

Data-at-rest Encryption*Field-level

Encryption*

Admin auditing Security management via

UI/CLI/REST

* Via third-party partners


Role-Based Access Control (RBAC) for Administrators

Regulatory ComplianceA strong demand for applications to meet standards recommended by regulatory authorities

Segregation of Admin DutiesEvery admin does not have all the privileges. Depending on the job duties, admins can hold only those privileges that are required.

Security Privilege Separation Only the full-admin has the privilege to manage security, and his/her actions can be audited just like other administrators.

Role-Based Access Control (RBAC) allows you to specify what each admin can access in couchbase through role membership


RBAC for Administrators – How it works

• Administrative users can be mapped to out-of-the-box roles• Roles pre-defined with permissions for specific resources

• Full Admin • Cluster Admin• Bucket Admin• View Admin• XDCR Admin

• Requires LDAP administrator accounts• Also works with PAM (Coming in 4.6!)

Full Admin

Cluster AdminBucket Admin

View AdminXDCR Admin

Enterprise Only Feature


X.509 Certificates for Client-Server TLS


Trusted EncryptionBring-your-own certificate authority with support for commercial and internally used X.509 certificates

Simplified ManagementSimplified certificate management and rotation with zero downtime

X.509 is a public-key cryptography standard to manage digital certificates used in secure client-server communication


X.509 Certificates for Client-Server TLS – How it works

SDK, Web Browser, XDCR Couchbase Server

OpenSSL / Certificate

Creation Tool


Administrator Auditing in Couchbase


Understand Privileged ActivityGet detailed audit trail describing what actions are done by the administrator

Administrator auditing captures who does what, when and how for Couchbase administrators


Administrator Auditing in Couchbase – How it works

JSON COMPATIBLE SIEM TOOLS

Configurable auditing Rich auditing Easy integration

Couchbase Cluster JSON Audit Logs SIEM analysis tools and alerting


What’s new in 4.6 (Beta) ?


Secret Management In Couchbase 4.6Secret management provides encryption of system secrets using encryption hierarchy• Zero-knowledge secret management system driven by user specified master

password• Allows online password rotation without application downtime

Master Password

DataPassword

PBKDF2

AES-256-CBC

Pa$$wor4

Regulatory Compliance

Simplified ManagementSimplified secret rotation with zero downtime

3.5 Store cryptographic keys in a secure form (3.5.2), in the fewest possible locations (3.5.3) and with access restricted to the fewest possible custodians (3.5.1)

3.6 Verify that key-management procedures are implemented for periodic key changes (3.6.4)

And more!

PCI DSS v3.0


Pluggable Authentication Modules (PAM) in Couchbase 4.6

• Allows UNIX local accounts to authenticate as Couchbase administrators• Pluggable authentication architecture that is policy driven

Centralized ManagementCentralized and synchronize administrator account management using UNIX user management services

Security Policy EnforcementAllows configuration of strong security policies such as strong password requirements



Outside the Database Layer


User Security

• Identify and Access Management• Configuration of LDAP/PAM users for access to infrastructure• Permit authorized users to login via bastion hosts• ACL users for access to apps, tools, and configuration files

• OS Auditing• OS level auditing turned on to track user activity

User identities and access control


Infrastructure Security

• Server Protection• OS Patches• Anti-virus, anti-malware software• Application whitelisting

• Network Protection • Host firewall• On-disk encryption

• Cloud Protection• Private IP addresses • Security groups• Network access control lists

A multi-layered protection including servers, networks and cloud


Infrastructure Security – On-Disk Encryption

• Transparent and simplified on-disk encryption• Agent based, and policy driven • Coarse and fine grained protection• Zero application changes

• Consolidated control through DSM/HSM• Disk encryption keys isolated from data• Easy to disconnect when breached!

• FIPS 140-2 certified solution

STRATEGIC PARTNERS


Application Security

• Identify and Access Management• Configuration of wallets to store application passwords

• Encryption • Strong challenge-response password protocols• Client-server encryption using X.509 TLS • Application field-level encryption

• Auditing• Application data auditing

• Development Security Best Practices• N1QL security


Application Field-Level Encryption

• Leverage encryption and key management technologies like Vormetric, SafeNet, and Protegrity

• APIs, libraries, and sample code in Java, .NET, C/C++.

VAEApplication Vormetric

Application Encryption

S S N : 1 1 2 - 1 1 1 -6 7 6 2

J o n D o u g h

Encryption KeyRequest / Response*

$ # A d # $ g & * j% J 1 T J C Z

J o n D o u g h DSM

Clie

nt-s

erve

r SS

L

COUCHBASE CLUSTER


N1QL Language Security Best Practices

• Use named or positional query parameters

• Use strongly typed language constructs such as .NET POCOs or Java POJOs

Check-out N1QL injection best practices blog -http://blog.couchbase.com/2015/september/couchbase-and-n1ql-security-centeredgesoftware

http://blog.couchbase.com/2015/september/couchbase-and-n1ql-security-centeredgesoftware




Security Roadmap


Couchbase Security Feature Roadmap – At-a-glance

• Secret Management• PAM Authentication

• RBAC for Applications (MB-16036)

• Application Auditing(MB-11346)

• Kerberos(MB-16037)• Native on-disk encryption(

MB-16143)

Short-term (4.6) Medium-term (“Spock”) Long Term

* The following is intended to outline our general product direction. It is intended for information purposes and is only a plan.

Prod

uct

Feat

ures

4-6 months 8-12 months 12+months

https://issues.couchbase.com/browse/MB-16036




©2016 Couchbase Inc.©2015 Couchbase Inc. 28

PCI and Couchbase

PCI Requirements Couchbase Support

Install firewall configuration to protect cardholder data Corporate security policy (Outside Couchbase Scope)

Remove vendor defaults for passwords and security configuration LDAP & PAM support, X509 certs, Key Management (4.6)

Protect stored cardholder data Vormetric/Protegrity/Gemalto, native encryption (Future)

Encrypt transmission of cardholder data across open, public networks TLS support for client/server and XDCR, x509 certs

Protect systems against malware and update anti-virus software Anti-virus scans for Couchbase binaries

Develop and maintain secure systems and applications Fuzz testing, vulnerabilities response plan, security fixes

Restrict access to cardholder data by business need to know RBAC for admin, RBAC for application (Spock)

Identify and authenticate access to system components LDAP & PAM, 2-factor authN (Future), SSO (Future)

Restrict physical access to cardholder data Corporate security policy (Outside Couchbase Scope)

Track, monitor access to network resources and cardholder data Admin auditing, application auditing (Future)

Regularly test security systems and processes Vulnerabilities response plan

Maintain a policy that addresses infosec for all personnel Corporate security policy (Outside Couchbase Scope)

Any digital economy app dealing with credit card payment data

©2016 Couchbase Inc.

Demo


Thank You@NoSQLDon | [email protected]

[email protected]



Date post:	15-Feb-2017
Category:	Software
Upload:	couchbase
View:	95 times
Download:	1 times

Securing deployments: top to bottom, all around – Couchbase Connect 2016

Software