How to Bulletproof Your Scylla Deployment
1 like1,444 views
Tzach Livyatan, head of product at ScyllaDB, discusses strategies for securing Scylla deployments, emphasizing the importance of ongoing security processes. The document outlines various security risks, including unauthorized access and data breaches, and provides guidance on authentication, authorization, encryption, and auditing best practices. ScyllaDB offers features such as role-based access control and different encryption options to enhance system security.
How to Bulletproof Your Scylla Deployment
- 1. Tzach Livyatan - Head of Product, ScyllaDB How to Bullet-Proof Your Scylla Deployment
- 2. 2 Speakers Tzach Livyatan is ScyllaDB Product Manager, and has had a 15 year career in development, system engineering and product management. In the past he worked in the Telecom domain, focusing on carrier grade systems, signalling, policy and charging applications for Oracle and others.
- 3. 3 + The Real-Time Big Data Database + Drop-in replacement for Apache Cassandra + 10X the performance & low tail latency + Open source and Enterprise editions + New: Scylla Cloud, DBaaS + Founded by the creators of KVM hypervisor + HQs: Palo Alto, CA; Herzelia, Israel About ScyllaDB
- 4. A System is Never “Bullet-Proof” Securing the system is an endless, ongoing process
- 5. Security Risks Bingo Sniffing on Application-DB Connection Key Leak Unauthorized Server Access Insider Data Breach Port Scanning DDoS CQL Injection OS Vulnerabilities Unauthorized DB Access Man-in-the-middle Brute Force Attack Data Leak Physical Theft Non Authenticated Access Sniffing on node-node Connection Ransomware
- 6. Agenda 6 + Authentication + Authorization + RBAC + Encryption In Transit + Encryption at Rest + Auditing + Minimal Exposure + Best Practices
- 7. + Limit access to the cluster to identified clients + Disabled by default (Enabled in Scylla Cloud) + Enable and Disable Authentication Without Downtime a. Move to a TransitionalAuthenticator b. Enable Auth on each client c. Move to PasswordAuthenticator + Best Practice : use a unique User per application, for easier Auditing and Service Level Authentication
- 8. Authorization is the process by where users are granted permissions which entitle them to access or change data on specific keyspaces, tables or an entire datacenter. Authorization is enabled using the authorizer setting in scylla.yaml. Scylla has two authorizers available: + AllowAllAuthorizer (default setting) - which performs no checking and so effectively grants all permissions to all roles. + CassandraAuthorizer - which implements permission management functionality and stores its data in Scylla system tables. Authorization
- 9. Role-Based Access Control + Method of reducing lists of authorized users to a few roles assigned to multiple users + Create the roles and their associated permissions + Roles can be granted to other roles + Users are Roles + Cassandra compatible CQL syntax (users, permissions, roles) here + More info here
- 10. Users Are Roles (with login) Roles Users
- 11. Users Are Roles (with login) Customer Trainer Staff Admin TimDennisMaryLisa schedule.cust GRANT SELECT customer.info schedule.train SELECT schedule customer SELECT MODIFY SUPERUSER GRANT GRANT
- 12. CREATE ROLE customer; GRANT SELECT ON schedule.cust TO customer; CREATE ROLE trainer; GRANT customer TO trainer; GRANT SELECT ON customer.info TO trainer; GRANT SELECT ON schedule.train TO trainer; Role Based Access Control - Example
- 13. CREATE ROLE lisa WITH PASSWORD = 'password' AND LOGIN = true; CREATE ROLE mary WITH PASSWORD = 'password' AND LOGIN = true; GRANT trainer TO mary; GRANT customer TO lisa; Role Based Access Control - Example
- 14. Granting Roles and Permissions + Permission: what the role is permitted to do + Resource: the scope over which the permission is granted for GRANT (permission | "ALL PERMISSIONS") ON resource TO role where: • Where permission is CREATE, DESCRIBE, etc. • A resource is one of • “<ks>.<tab>” • “KEYSPACE <ks>” • “ALL KEYSPACES” • “ROLE <role>” • “ALL ROLES” • Note that An unqualified table name assumes the current keyspace
- 16. + Encryption In Transit + Client to Node + Node to Node + Encryption At Rest + Tables + System + Providers Encryption
- 17. 17 + SSL Encryption of Data In Flight is available in all versions of Scylla + Client - Node Encryption - The available options are: + Enabled or Not Enabled + When Enabled, all incoming CQL connections require TLS/SSL connectivity. + Setting include: + certificate - A PEM format certificate, either self-signed, or provided by a CA authority. + keyfile - The corresponding PEM format key for the certificate More Info: Encryption: Data in Transit Client to Node Encryption In Transit - Client to Node
- 18. 18 + SSL Encryption of Data In Flight is available in all versions of Scylla + Internode_encryption - The available options are: + none (default) / all / dc/ rack + Settings include: + certificate - A PEM format certificate, either self-signed, or provided by a certificate authority (CA). + keyfile - The corresponding PEM format key for the certificate + truststore - Optional path to a PEM format certificate store of trusted CA:s. If not provided, Scylla will attempt to use the system trust store to authenticate certificates. More Info: Encryption: Data in Transit Node to Node Encryption In Transit - Node to Node
- 19. Encryption At Rest + Encryption of user data as stored on disk + SSTables + Commitlog + Hints + Batchlog + Invisible to client + Transparent Data Encryption + Scylla Enterprise 2019.1 19 System level granularity keyspace.table granularity
- 20. Encryption at Rest + Uses disk block encryption + File level wrapping + Divides file into 4k blocks and encrypts/decrypts on r/w ■ Uses hash of key + block position to derive init vector for block cipher (ESSIV - cryptfs) + Hooked via extension points in sstables/commitlog/hints + Wraps files depending on config/schema 20
- 21. CREATE TABLE data.atrest (pk text primary key, c0 int) WITH scylla_encryption_options = { 'cipher_algorithm' : 'AES/ECB/PKCS5Padding', 'secret_key_strength' : 128, 'key_provider': 'LocalFileSystemKeyProviderFactory', 'secret_key_file': '/etc/scylla/encryption_keys/data_encryption_keys' } ; + cipher_algoritm - The key type (algorithm) + secret_key_strength - The length of the key in bits + key_provider - Name of the provider for the key 21 Encryption at Rest
- 22. Encryption at rest cipher_algorithm secret_key_strength AES/CBC/PKCS5Padding (default) 128 (default), 192, or 256 AES/ECB/PKCS5Padding 128, 192, or 256 Blowfish/CBC/PKCS5Padding 32-448 DES/CBC/PKCS5Padding 56 DESede/CBC/PKCS5Padding 112 or 168 RC2/CBC/PKCS5Padding 40-128 cipher_algorithims are available for use with Scylla using OpenSSL.
- 23. Enable/disable encryption of existing table ALTER TABLE data.atrest (pk text primary key, c0 int) WITH scylla_encryption_options = { 'cipher_algorithm' : 'AES/ECB/PKCS5Padding', 'secret_key_strength' : 192, 'key_provider': 'LocalFileSystemKeyProviderFactory', 'Secret_key_file': '/etc/scylla/encryption_keys/data_encryption_keys' } ; ALTER TABLE ks.test WITH scylla_encryption_options = { 'key_provider' : 'none’ }; 23
- 24. Enable/disable (cont) + Data is not encrypted or decrypted until SSTables are (re-)written + Must force rewrite to ensure all data is changed + If you remove an encryption key before all data is decrypted/rewritten the data will be lost > nodetool upgradesstables -a <keyspace> <table> 24
- 25. System Encryption + Encrypts “implicitly” stored user data + Commitlog, hints, batch + Configured on node level (scylla.yaml) system_info_encryption: enabled: <bool> key_provider: (optional) <key provider type> + Uses same key providers and options as table encryption 25
- 26. 26 Key Providers KMIP + Centralized key management + Replacement/ rotation functionality in server Local + Does not require an external server + Persisted on the node + Manual distribution to all nodes Scylla Tables Distributes keys for SSTables only (no system keys)
- 27. Local key file System Key file Key Key KMIP host Keys Scylla table Local provider Replicated provider KMIP provider Keys Encryption extension ..either Encryption extension encrypts System table (hints, batchlog) Commit log User table
- 28. + Who did / looked at / changed what and when + Logging activities a user performs on Scylla cluster + Enable on scylla.yaml (2018.1.x and later) + Three audit storage alternatives: + None (default) - Audit is disabled + Table - Enables audit, messages stored in a Scylla table: audit.audit_log + Syslog - Enables audit, messages are sent to syslog and to an external server 28 Auditing
- 29. + scylla.yaml params + Audit categories Auditing every DML or QUERY can have significant impact on perf, and consume storage. Use wisely! 29 What Can You Audit?
- 30. + Ensure that Scylla runs in a trusted network environment. + Limit access to IP / Port by role. + Use the minimal privileges principle + Avoid Public IP if possible + Use VPC if possible Minimize Network Exposure
- 31. Scylla Cloud - Limit cluster access to min 31
- 33. + Routinely upgrade to latest Scylla and OS versions + Routinely check for network exposure + Routinely replace keys/passwords + Use 2FA (Scylla Cloud) + Use minimal privilege principle + Apply available security features Security is an Ongoing Process 33 https://twitter.com/Hackers_bot
- 34. Incremental Compaction Sept 4, 2019 | 10:00 AM PT - 1:00 PM ET Available on-demand: How to Shrink Your Datacenter Footprint by 50% Data Modeling Best Practices How to Size Your Scylla Cluster
- 36. Security Risk Bingo Sniffing on Application-DB Connection Key Leak Unauthorized Server Access Insider Data Breach Port Scanning DDoS CQL Injection OS Vulnerabilities Unauthorized DB Access Man-in-the-middle Brute Force Attack Data Leak (logs) Physical Theft Non Authenticated Access Sniffing on node-node Connection Ransomware
- 37. United States 1900 Embarcadero Road Palo Alto, CA 94303 Israel 11 Galgalei Haplada Herzelia, Israel www.scylladb.com @scylladb Thank you