

  1. HADOOP UNDER ATTACK: SECURING DATA IN A BANKING DOMAIN

  2. WHOAMI
     Federico Leven @ ReactoData, federico@reactodata.net
     Big Data + Open Source since 2012
     Web: http://www.reactodata.net
     Big Data Meetup coordinator (http://www.iaar.site), speaker ...
     Twitter: @reactodata
     LinkedIn: https://www.linkedin.com/in/federicoleven/

  3. We are a startup based in Buenos Aires and Poland, providing Big Data + Cloud solutions based on Open Source and proprietary software, and Hadoop consultancy.
     • Big Data and Hadoop applications development
     • Machine Learning
     • Cloud
     • UX/UI and Mobile Apps for Big Data platforms
     • Hadoop Consultancy

  4. Agenda
     • The Challenge: Best Practices + Regulations
     • How to do it in Hadoop
     • End-to-End Secured Architecture
     • What can go wrong?
     • References
     • Conclusion & Questions

  5. The Challenge: Best Practices and regulations (Buzzconf 2018)

  6. The Challenge: Data Security
     The set of preventive, detective and corrective measures that protect the integrity, confidentiality and availability of the data.
     CAAIN ("Cain and Abel" as the mnemonic):
     • CONFIDENTIALITY
     • AVAILABILITY
     • AUTHENTICITY
     • NON-REPUDIATION
     • INTEGRITY
     Plus:
     ❑ ACCOUNTABILITY / AUDITING
     ❑ TRACEABILITY

  7. C(A)AIN
     CONFIDENTIALITY: Data is not made available or disclosed to unauthorized parties.
     AVAILABILITY: Data is available when it is needed.
     AUTHENTICITY: The identity of the data source is verifiable.
     INTEGRITY: Data is accurate and complete over its entire lifecycle.
     NON-REPUDIATION: Parties to a data transaction cannot deny having sent or received the data.

  8. The Challenge: Threats in the financial and banking domain
     Emerging Technologies Challenges
     - Botnets
     - IoT unsecured devices
     - DDoS (Distributed Denial of Service Attack)
     Insider Challenges
     - Unintentional actions
     - Malicious users
     Target
     - Sensitive data
     - Access credentials
     Regulation Challenges
     - Periodically new and/or stricter regulations
     - US Data Protection rules
     - EUR: GDPR

  9. The Challenge: Best Practices in banking
     Areas: Organization, Human, Technological, Networking
     • Security Officer
     • Employees Awareness
     • Software Updates
     • End User Guidelines
     • Training
     • Data Protection
     • Access Policies
     • Auditing
     • Governance
     • …

  10. How to do it in Hadoop

  11. From concepts to technology
      AUTHENTICATION: Identify the user.
      AUTHORIZATION: Grant the user access to the data.
      PROTECTION: Protect data from being used by anyone except authorized users.
      AVAILABILITY: Make data accessible when needed.

  12. From concepts to technology
      The CAAIN concepts (Confidentiality, Availability, Authenticity, Integrity, Non-repudiation) map onto these mechanisms and tools:
      • Authentication: Kerberos, LDAP
      • Authorization: Sentry, HBase ACLs
      • Protection: Encryption (in motion & at rest), Redaction
      • Availability: Hadoop HA (HDFS, HBase …)
      • Auditing / Traceability: Metadata, Lineage, Log Audit (Cloudera Navigator)
      • +

  13. From concepts to technology
      • BCRA A6375
      • BCRA A6495
      • ISO 17799/27001
      • https://www.cloudera.com/documentation/enterprise/5-14-x/topics/sg_edh_overview.html

  14. What we needed in a banking infrastructure for Hadoop

  15. End-to-End Secured Architecture

  16. Example production deployment (CDH 5.13)
      Components: ZOOKEEPER, KTS, KMS, HDFS, Kerberos, AD, YARN, SENTRY, HBASE, HIVESERVER, HIVE METASTORE, Cloudera Manager, Oracle DB
      All connections over SSL/TLS

  17. Secure data pipeline example
      Ingest Sources: RabbitMQ, Flume Agent, ORACLE (via Sqoop)
      HDFS Landing Area -> Spark ETL -> HDFS Business Area
      Query / access: Impala, Hive, SparkSQL, Web UI
      Controls: SSL ON, HDFS Encrypted Zone, Data redaction custom component
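The "Data redaction custom component" sits between the HDFS Landing Area and the Business Area, so records that reach analysts never carry raw identifiers. As an added example (not code from the deck, from ReactoData or from Cloudera), here is a small Python redaction stage: each rule has a cheap literal trigger that gates a regex search/replace, and the stage returns per-rule hit counts so the audit trail (the deck's accountability/traceability goal) records what was masked. The rule format, field names and sample records are all constructed for this example.

```python
import re
from dataclasses import dataclass


@dataclass
class RedactionRule:
    """Hypothetical rule shape (not Cloudera's format): trigger, then regex."""
    description: str
    trigger: str   # literal substring; the regex is skipped if it is absent
    search: str    # regex applied only when the trigger matches
    replace: str   # replacement template for re.subn


# Constructed rules for a banking landing area.
RULES = [
    RedactionRule("CBU (22-digit Argentine bank account id)", "CBU=",
                  r"(CBU=)\d{22}", r"\g<1>" + "X" * 22),
    RedactionRule("Card PAN, keep last 4", "PAN=",
                  r"(PAN=)\d{12}(\d{4})", r"\g<1>############\g<2>"),
    RedactionRule("E-mail address", "@",
                  r"[\w.+-]+@[\w-]+\.[\w.-]+", "<email-redacted>"),
]


def redact_record(record: str, rules=RULES):
    """Return (redacted_record, {rule description: substitutions made})."""
    hits = {}
    for rule in rules:
        if rule.trigger not in record:
            continue  # trigger miss: skip the regex entirely
        record, n = re.subn(rule.search, rule.replace, record)
        if n:
            hits[rule.description] = n
    return record, hits


def redact_batch(records, rules=RULES):
    """Redact a landing-area batch; returns clean records plus audit totals."""
    out, audit = [], {}
    for rec in records:
        clean, hits = redact_record(rec, rules)
        out.append(clean)
        for desc, n in hits.items():
            audit[desc] = audit.get(desc, 0) + n
    return out, audit


# Constructed sample records (pipe-delimited, not real customer data).
SAMPLE = [
    "2018-05-03|TXN|CBU=0170099220000067890123|PAN=4111111111111111|ok",
    "2018-05-03|LOGIN|user=jdoe|contact=jane.doe@example.com",
]

if __name__ == "__main__":
    cleaned, audit = redact_batch(SAMPLE)
    print("\n".join(cleaned))
    print(audit)
```

The audit dictionary is what you would write to the log-audit store alongside the batch, so a reviewer can see how many identifiers each rule masked without ever seeing the values.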

  18. What can go wrong?

  19. What can go wrong? Some good news and some bad news
      INSECURE APPLICATIONS WILL NOT WORK ON SECURE ENVIRONMENTS
      • Sentry HDFS synchronization does not support Hive Metastore HA (CDH 5.9)
      • Sentry HA not supported (CDH 5.9)
      • To use the Cloudera Manager Kerberos wizard, you need a user with high-level privileges
      • SparkSQL does not respect Sentry permissions (latest)
      • Enabling Sentry turns off Hive impersonation (CDH 5.9)
      • Spark Streaming cannot consume from secure Kafka (CDH 5.9)

  20. References

  21. References
      ✓ http://www.bcra.gob.ar/Pdfs/Texord/t-rmsist.pdf
      ✓ http://www.bcra.gov.ar/pdfs/texord/t-seguef.pdf
      ✓ https://en.wikipedia.org/wiki/ISO/IEC_27002
      ✓ http://web.iram.org.ar/index.php?vernorma&id=2439
      ✓ https://www.cloudera.com/documentation/enterprise/latest/PDF/cloudera-security.pdf
      ✓ https://www.cloudera.com/documentation/enterprise/5-9-x/topics/security.html
      ✓ https://www.forbes.com/sites/gregorymcneal/2014/05/26/banks-challenged-by-cybersecurity-threats-state-regulators-acting/#228d745597f7

  22. Thank you! Questions, suggestions or complaints?
      “No Hadoop was harmed in the making of this presentation”
