SlideShare a Scribd company logo

Hadoop Meetup Jan 2019 - Hadoop Encryption

Download as PPTX, PDF
E
Erik Krogen

The document discusses the importance of encryption in Hadoop to protect sensitive data and meet regulatory requirements across various sectors such as finance, government, and healthcare. It outlines features, performance impact, development history, and common challenges related to key management servers (KMS) in securing data both in motion and at rest. Future enhancements for Hadoop encryption include a pluggable KMS framework and performance improvements, while bad practices in configuring KMS are also highlighted.

Technology
Related topics:
Distributed Systems Overview Information Security
1 of 15
Downloaded 21 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
© Cloudera, Inc. All rights reserved. Hadoop Encryption Wei-Chiu Chuang, Cloudera
© Cloudera, Inc. All rights reserved. Why Encryption • Information leaks affect 10s to 100s of millions of people • Personally identifiable information (PII) • Credit cards, SSNs, account logins • Encryption would have prevented some of these leaks • Encryption is a regulatory requirement for many business sectors • Finance (PCI DSS) • Government (Data Protection Directive) • Healthcare (DPD, HIPAA)
© Cloudera, Inc. All rights reserved. Related Technologies Data In-Motion Encryption • SSL/TLS • Hadoop Data Transfer Encryption • Hadoop RPC Encryption Data At-Rest Encryption • At Linux volume level • Transparent Encryption at HDFS level • HBase Column Family level • Parquet Column level Encryption Xinli
© Cloudera, Inc. All rights reserved. HDFS Transparent Encryption: In a Nutshell HDFS Namespace / /data /tmp /data/1 /data/f2 Encryption zone Encryption zone key Data Encryption Key (per file)
© Cloudera, Inc. All rights reserved. HDFS Transparent Encryption: In a Nutshell Client KMS MS NN DN NameNode DataNode Key Management Server in EZ?
© Cloudera, Inc. All rights reserved. Features • Minor performance impact on HDFS reads and writes • OpenSSL and AES-NI acceleration • 7.5% for reads, ~0% for writes • Key ACLs • Warm-up/Caching (*) • Key rollover
© Cloudera, Inc. All rights reserved. Dev History • First released in Hadoop 2.6.0/ CDH5.3 in 2014 December • Many, many bug fixes and enhancements • Functional bugs, failure handling bugs, scale bugs • Stable after Hadoop 2.8 / CDH5.11-ish
© Cloudera, Inc. All rights reserved. Lesson Learned Scale-out is not easy to deploy Security Endurance, scale tests are essential Too little emphasis on KMS as a performance bottleneck FileSystem#getDelegationToken() API/integration High throughput REST API layer is hard
© Cloudera, Inc. All rights reserved. Status Quo Among Cloudera’s customers (pre-merger): • 14% Data Transfer Encryption • 16% Data at Rest Encryption • 19% RPC Encryption • 44% Kerberized Largest at-rest encryption cluster: ~1,000 nodes, > 50PB
© Cloudera, Inc. All rights reserved. Troubleshooting Performance anomaly • Openssl-devel lib • Entropy • rng-tools • Secure Random • hadoop.security.secure.random.impl = org.apache.hadoop.crypto.random .OpensslSecureRandom Proxy user configuration
© Cloudera, Inc. All rights reserved. Bad Practices • No KMS HA • KMS enabled, RPC encryption not enabled • KMS enabled, but no Kerberos • KMS w/o SSL • Data transfer encryption is enabled, but using an unoptimized crypto algorithm • 3DES, RC4, AES-NI
© Cloudera, Inc. All rights reserved. Challenges KMS Low Throughput • NN can sustain > 100 thousand RPC ops/second • namespace ops, block reports • KMS: at most a few thousand RPC ops/second • create, append, read, reencrypt • 3-4 KMS servers not uncommon • Jetty • SSL Handshake • Impala/Parquet with wide tables (> 100 columns)
© Cloudera, Inc. All rights reserved. Future Pluggable KMS ACL Framework (HADOOP-14951) WebHDFS At Rest Encryption Support (HDFS-12355) NFS Gateway At Rest Encryption Support (HDFS-13521) Performance Improvements (HADOOP-15743, HADOOP-15811) KMS Benchmark Tool (HADOOP-15967) KMS over Hadoop RPC?
© Cloudera, Inc. All rights reserved. ●Current KMS Transport Layer KMSClient Jetty http client Name Node http client REST API/HTTP
© Cloudera, Inc. All rights reserved. KMS over Hadoop RPC Benefit of KMS over Hadoop RPC: • Proven performance • Code reuse KMSClient Name Node Hadoop RPCHadoop RPC Hadoop RPC Hadoop RPC

More Related Content

PPTX
Hadoop Meetup Jan 2019 - Mounting Remote Stores in HDFS
Erik Krogen
 
PPTX
Hadoop Meetup Jan 2019 - Router-Based Federation and Storage Tiering
Erik Krogen
 
PPTX
Hadoop Meetup Jan 2019 - HDFS Scalability and Consistent Reads from Standby Node
Erik Krogen
 
PDF
Ozone: Evolution of HDFS scalability & built-in GDPR compliance
Dinesh Chitlangia
 
PDF
Ozone - Evolution of hdfs scalability
Dinesh Chitlangia
 
PPTX
Introduction to Redis
TO THE NEW | Technology
 
PPTX
Hadoop Storage in the Cloud Native Era
DataWorks Summit
 
PPTX
Ceph Deployment at Target: Customer Spotlight
Colleen Corrice
 
Hadoop Meetup Jan 2019 - Mounting Remote Stores in HDFS
Erik Krogen
 
Hadoop Meetup Jan 2019 - Router-Based Federation and Storage Tiering
Erik Krogen
 
Hadoop Meetup Jan 2019 - HDFS Scalability and Consistent Reads from Standby Node
Erik Krogen
 
Ozone: Evolution of HDFS scalability & built-in GDPR compliance
Dinesh Chitlangia
 
Ozone - Evolution of hdfs scalability
Dinesh Chitlangia
 
Introduction to Redis
TO THE NEW | Technology
 
Hadoop Storage in the Cloud Native Era
DataWorks Summit
 
Ceph Deployment at Target: Customer Spotlight
Colleen Corrice
 

What's hot (20)

PDF
HBase Tales From the Trenches - Short stories about most common HBase operati...
DataWorks Summit
 
PDF
Ceph as software define storage
Mahmoud Shiri Varamini
 
PPTX
Red Hat Ceph Storage Acceleration Utilizing Flash Technology
Red_Hat_Storage
 
PDF
Red Hat Storage 2014 - Product(s) Overview
Marcel Hergaarden
 
DOCX
Redis vs Memcached
Gaurav Agrawal
 
PDF
CEPH DAY BERLIN - UNLIMITED FILESERVER WITH SAMBA CTDB AND CEPHFS
Ceph Community
 
PDF
Troubleshooting redis
DaeMyung Kang
 
PDF
Glusterfs and openstack
openstackindia
 
PDF
Red Hat Storage for Mere Mortals
Red_Hat_Storage
 
PDF
Building Scalable, Real Time Applications for Financial Services with DataStax
DataStax
 
PDF
CEPH DAY BERLIN - CEPH MANAGEMENT THE EASY AND RELIABLE WAY
Ceph Community
 
ODP
Dustin Black - Red Hat Storage Server Administration Deep Dive
Gluster.org
 
PPTX
Practical NoSQL: Accumulo's dirlist Example
DataWorks Summit
 
PPTX
Red Hat Storage Day Dallas - Red Hat Ceph Storage Acceleration Utilizing Flas...
Red_Hat_Storage
 
PPTX
Ceph Introduction 2017
Karan Singh
 
PPTX
Scaling HDFS at Xiaomi
DataWorks Summit
 
PDF
Red Hat Storage Server Administration Deep Dive
Red_Hat_Storage
 
PDF
Unlock Bigdata Analytic Efficiency with Ceph Data Lake - Zhang Jian, Fu Yong
Ceph Community
 
PDF
Experiences building a distributed shared log on RADOS - Noah Watkins
Ceph Community
 
PDF
What's New with Ceph - Ceph Day Silicon Valley
Ceph Community
 
HBase Tales From the Trenches - Short stories about most common HBase operati...
DataWorks Summit
 
Ceph as software define storage
Mahmoud Shiri Varamini
 
Red Hat Ceph Storage Acceleration Utilizing Flash Technology
Red_Hat_Storage
 
Red Hat Storage 2014 - Product(s) Overview
Marcel Hergaarden
 
Redis vs Memcached
Gaurav Agrawal
 
CEPH DAY BERLIN - UNLIMITED FILESERVER WITH SAMBA CTDB AND CEPHFS
Ceph Community
 
Troubleshooting redis
DaeMyung Kang
 
Glusterfs and openstack
openstackindia
 
Red Hat Storage for Mere Mortals
Red_Hat_Storage
 
Building Scalable, Real Time Applications for Financial Services with DataStax
DataStax
 
CEPH DAY BERLIN - CEPH MANAGEMENT THE EASY AND RELIABLE WAY
Ceph Community
 
Dustin Black - Red Hat Storage Server Administration Deep Dive
Gluster.org
 
Practical NoSQL: Accumulo's dirlist Example
DataWorks Summit
 
Red Hat Storage Day Dallas - Red Hat Ceph Storage Acceleration Utilizing Flas...
Red_Hat_Storage
 
Ceph Introduction 2017
Karan Singh
 
Scaling HDFS at Xiaomi
DataWorks Summit
 
Red Hat Storage Server Administration Deep Dive
Red_Hat_Storage
 
Unlock Bigdata Analytic Efficiency with Ceph Data Lake - Zhang Jian, Fu Yong
Ceph Community
 
Experiences building a distributed shared log on RADOS - Noah Watkins
Ceph Community
 
What's New with Ceph - Ceph Day Silicon Valley
Ceph Community
 
Ad

Similar to Hadoop Meetup Jan 2019 - Hadoop Encryption (20)

PPTX
Project Rhino: Enhancing Data Protection for Hadoop
Cloudera, Inc.
 
PPTX
Securing Spark Applications
DataWorks Summit/Hadoop Summit
 
PPTX
Fighting cyber fraud with hadoop
Niel Dunnage
 
PDF
PCI Compliane With Hadoop
Rommel Garcia
 
PPTX
The Future of Hadoop Security - Hadoop Summit 2014
Cloudera, Inc.
 
PPTX
The Future of Data Management - the Enterprise Data Hub
DataWorks Summit
 
PPTX
Hadoop security @ Philly Hadoop Meetup May 2015
Shravan (Sean) Pabba
 
PPTX
Risk Management for Data: Secured and Governed
Cloudera, Inc.
 
PDF
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...
Big Data Spain
 
PPTX
Hadoop Distributed File System (HDFS) Encryption with Cloudera Navigator Key ...
Cloudera, Inc.
 
PPTX
Saving the elephant—now, not later
DataWorks Summit
 
PPTX
Transparent Encryption in HDFS
DataWorks Summit
 
PDF
BigData Security - A Point of View
Karan Alang
 
PDF
Hadoop security implementationon 20171003
lee tracie
 
PPTX
Security implementation on hadoop
Wei-Chiu Chuang
 
PPTX
End to End Streaming Architectures
Cloudera, Inc.
 
PPTX
Open Source Security Tools for Big Data
Great Wide Open
 
PPTX
Open Source Security Tools for Big Data
Rommel Garcia
 
PPTX
Owasp Indy Q2 2012 Cheat Sheet Overview
owaspindy
 
PPTX
Big data security
Joey Echeverria
 
Project Rhino: Enhancing Data Protection for Hadoop
Cloudera, Inc.
 
Securing Spark Applications
DataWorks Summit/Hadoop Summit
 
Fighting cyber fraud with hadoop
Niel Dunnage
 
PCI Compliane With Hadoop
Rommel Garcia
 
The Future of Hadoop Security - Hadoop Summit 2014
Cloudera, Inc.
 
The Future of Data Management - the Enterprise Data Hub
DataWorks Summit
 
Hadoop security @ Philly Hadoop Meetup May 2015
Shravan (Sean) Pabba
 
Risk Management for Data: Secured and Governed
Cloudera, Inc.
 
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...
Big Data Spain
 
Hadoop Distributed File System (HDFS) Encryption with Cloudera Navigator Key ...
Cloudera, Inc.
 
Saving the elephant—now, not later
DataWorks Summit
 
Transparent Encryption in HDFS
DataWorks Summit
 
BigData Security - A Point of View
Karan Alang
 
Hadoop security implementationon 20171003
lee tracie
 
Security implementation on hadoop
Wei-Chiu Chuang
 
End to End Streaming Architectures
Cloudera, Inc.
 
Open Source Security Tools for Big Data
Great Wide Open
 
Open Source Security Tools for Big Data
Rommel Garcia
 
Owasp Indy Q2 2012 Cheat Sheet Overview
owaspindy
 
Big data security
Joey Echeverria
 
Ad

Recently uploaded (20)

PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
KodekX | Application Modernization Development
KodekX
 
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
KodekX | Application Modernization Development
KodekX
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 

Hadoop Meetup Jan 2019 - Hadoop Encryption

  • 1. © Cloudera, Inc. All rights reserved. Hadoop Encryption Wei-Chiu Chuang, Cloudera
  • 2. © Cloudera, Inc. All rights reserved. Why Encryption • Information leaks affect 10s to 100s of millions of people • Personally identifiable information (PII) • Credit cards, SSNs, account logins • Encryption would have prevented some of these leaks • Encryption is a regulatory requirement for many business sectors • Finance (PCI DSS) • Government (Data Protection Directive) • Healthcare (DPD, HIPAA)
  • 3. © Cloudera, Inc. All rights reserved. Related Technologies Data In-Motion Encryption • SSL/TLS • Hadoop Data Transfer Encryption • Hadoop RPC Encryption Data At-Rest Encryption • At Linux volume level • Transparent Encryption at HDFS level • HBase Column Family level • Parquet Column level Encryption Xinli
  • 4. © Cloudera, Inc. All rights reserved. HDFS Transparent Encryption: In a Nutshell HDFS Namespace / /data /tmp /data/1 /data/f2 Encryption zone Encryption zone key Data Encryption Key (per file)
  • 5. © Cloudera, Inc. All rights reserved. HDFS Transparent Encryption: In a Nutshell Client KMS MS NN DN NameNode DataNode Key Management Server in EZ?
  • 6. © Cloudera, Inc. All rights reserved. Features • Minor performance impact on HDFS reads and writes • OpenSSL and AES-NI acceleration • 7.5% for reads, ~0% for writes • Key ACLs • Warm-up/Caching (*) • Key rollover
  • 7. © Cloudera, Inc. All rights reserved. Dev History • First released in Hadoop 2.6.0/ CDH5.3 in 2014 December • Many, many bug fixes and enhancements • Functional bugs, failure handling bugs, scale bugs • Stable after Hadoop 2.8 / CDH5.11-ish
  • 8. © Cloudera, Inc. All rights reserved. Lesson Learned Scale-out is not easy to deploy Security Endurance, scale tests are essential Too little emphasis on KMS as a performance bottleneck FileSystem#getDelegationToken() API/integration High throughput REST API layer is hard
  • 9. © Cloudera, Inc. All rights reserved. Status Quo Among Cloudera’s customers (pre-merger): • 14% Data Transfer Encryption • 16% Data at Rest Encryption • 19% RPC Encryption • 44% Kerberized Largest at-rest encryption cluster: ~1,000 nodes, > 50PB
  • 10. © Cloudera, Inc. All rights reserved. Troubleshooting Performance anomaly • Openssl-devel lib • Entropy • rng-tools • Secure Random • hadoop.security.secure.random.impl = org.apache.hadoop.crypto.random .OpensslSecureRandom Proxy user configuration
  • 11. © Cloudera, Inc. All rights reserved. Bad Practices • No KMS HA • KMS enabled, RPC encryption not enabled • KMS enabled, but no Kerberos • KMS w/o SSL • Data transfer encryption is enabled, but using an unoptimized crypto algorithm • 3DES, RC4, AES-NI
  • 12. © Cloudera, Inc. All rights reserved. Challenges KMS Low Throughput • NN can sustain > 100 thousand RPC ops/second • namespace ops, block reports • KMS: at most a few thousand RPC ops/second • create, append, read, reencrypt • 3-4 KMS servers not uncommon • Jetty • SSL Handshake • Impala/Parquet with wide tables (> 100 columns)
  • 13. © Cloudera, Inc. All rights reserved. Future Pluggable KMS ACL Framework (HADOOP-14951) WebHDFS At Rest Encryption Support (HDFS-12355) NFS Gateway At Rest Encryption Support (HDFS-13521) Performance Improvements (HADOOP-15743, HADOOP-15811) KMS Benchmark Tool (HADOOP-15967) KMS over Hadoop RPC?
  • 14. © Cloudera, Inc. All rights reserved. ●Current KMS Transport Layer KMSClient Jetty http client Name Node http client REST API/HTTP
  • 15. © Cloudera, Inc. All rights reserved. KMS over Hadoop RPC Benefit of KMS over Hadoop RPC: • Proven performance • Code reuse KMSClient Name Node Hadoop RPCHadoop RPC Hadoop RPC Hadoop RPC

Editor's Notes

  • #7: Caching improves performance. But some users’ environment prohibit caching due to security concerns.
  • #9: KMS was designed to be horizontally scalable. However, because Cloudera recommend 2 KMS-HA and 2 Keytrustee Servers for production workload, the cost for HA is high.