SlideShare a Scribd company logo

Protecting the Data Lake

A
Ashutosh Narkar

The document discusses the significance of data lakes, their features, and the security challenges associated with them. It elaborates on the Open Policy Agent (OPA) as a solution for policy enforcement, detailing its functionalities, use cases, and how it can be implemented to enhance security in data management. The presentation emphasizes the critical role of data in business growth and the need for robust security measures to protect this data from breaches and cyber attacks.

Technology
1 of 33
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
Protecting the Data Lake
A bit about Ash Narkar ! @ashtalk
● Data Lake Overview ● Open Policy Agent ○ Community ○ Features ○ Use Cases ● Use case deep dive ○ Ceph Data Protection Agenda
Data is King !
Data is King ! ● Pervasive ● Abundant ● Customer Experience ● Revenue Growth
Data is King ! ● Pervasive ● Abundant ● Customer Experience ● Revenue Growth ● Cyber Attacks ● Breaches ● Fines ● Loss of Customer Trust
What Is A Data Lake?
Data Lake Features ● Centralized Content ● Scalability ● Multiple data type support ● Resource optimization
Data Lake Platform Sources Consumers
Data Lake Platform: Kafka Features ● Distributed streaming platform ● Building real-time streaming data pipelines and applications Security Challenges ● Authorization using Access Control Lists(ACLs) ● How to authorize requests based on context, like user, IP, common name in certificate Security Policies ● Consumers of topics containing PII must be whitelisted ● Producers to topics with high fanout must be whitelisted
Data Lake Platform: Ceph Features ● Unified distributed storage system ● Delivers object, block, and file storage Security Challenges ● Security protocol handles only Ceph clients and servers. NO human users or applications 😔 Security Policies ● Users can access only those buckets belonging to the same geographical region as them ● Access based on a user’s Business Unit, Department etc.
Data Lake Platform: Elasticsearch Features ● Full-text search and analytics engine ● Store, search and analyze Security Challenges ● Authorization is not considered as part of job ● User responsible for implementing access control Security Policies ● Access control policies for a patient’s PHI
Security Challenge Overview ● Distinct systems ● Changing security requirements ❌ Hardcoding policy ❌ Tight coupling ✅ Expressiveness ✅ Speed and performance ✅ Unified Solution
Who can solve the Security Challenge ?
What Is OPA?
OPA: Community Inception Project started in 2016 at Styra. Goal Unify policy enforcement across the stack. Use Cases Admission control Authorization ACLs RBAC IAM ABAC Risk management Data Protection Data Filtering Users Netflix Medallia Chef Cloudflare State Street Pinterest Intuit Capital One ...and many more. Today CNCF project (Incubating) 59 contributors 800+ slack members 2000+ stars 20+ integrations
Service OPA Policy (Rego) Data (JSON) Request DecisionQuery OPA: General-purpose policy engine
● Declarative Policy Language (Rego) ○ Can user X do operation Y on resource Z? ○ What invariants does workload W violate? ○ Which records should bob be allowed to see? ● Library, sidecar, host-level daemon ○ Policy and data are kept in-memory ○ Zero decision-time dependencies ● Management APIs for control & observability ○ Bundle service API for sending policy & data to OPA ○ Status service API for receiving status from OPA ○ Log service API for receiving audit log from OPA ● Tooling to build, test, and debug policy ○ opa run, opa test, opa fmt, opa deps, opa check, etc. ○ VS Code plugin, Tracing, Profiling, etc. OPA: Features Service OPA Policy (Rego) Data (JSON) Request DecisionQuery
How does OPA work?
How does OPA work? Salary Service V1 OPA Policy (Rego) Data (JSON) Request DecisionQuery Example policy "Employees can read their own salary and the salary of anyone they manage."
How does OPA work? Example policy Employees can read their own salary and the salary of anyone they manage. Input Data method: "GET" path: ["salary", "bob"] user: "bob"
3 Steps to OPA Step 1: Clone OPA Repo
3 Steps to OPA Step 1: Clone OPA Repo Step 2: Build OPA binary
3 Steps to OPA Step 1: Clone OPA Repo Step 2: Build OPA binary Step 3: Execute OPA binary
Protecting the Data Lake
Use Cases CLOUD Host DB Host sshd App Container HTTP API Microservice APIs Orchestrator Admission Control Container Execution, SSH, sudo Linux Risk Management Data Protection and Data Filtering
OPA Use Case: Ceph Data Protection
Ceph Architecture CEPH STORAGE CLUSTER (RADOS) LIBRADOS RBD CEPH FSRADOSGW
Ceph Data Protection: Setup OPA Node Port Service Incoming Request HTTP S3 Api RADOSGW RADOS user, method, bucket name Allow / Deny Policy (Rego) Data (JSON)
Example policy "Users can access only those buckets belonging to the same geographical region as them."
Demo: Ceph Data Protection https://katacoda.com/styra
Data is King ! ● Pervasive ● Abundant ● Customer Experience ● Revenue Growth ● Cyber Attacks ● Breaches ● Fines ● Loss of Customer Trust
Thank You! github.com/open-policy-agent/opa openpolicyagent.org slack.openpolicyagent.org Booth S20

More Related Content

PDF
Fine-grained Authorization in a Containerized World
Ashutosh Narkar
 
PDF
Opa gatekeeper
Rita Zhang
 
PDF
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
Michael Man
 
PDF
CNCF opa
Juraj Hantak
 
PPTX
Cloud native policy enforcement with Open Policy Agent
LibbySchulze
 
PDF
Opentracing jaeger
Oracle Korea
 
ODP
Nagios Conference 2014 - Luke Groschen - Using Nagios Network Analyzer and NS...
Nagios
 
PDF
Netflix Open Source Meetup Season 3 Episode 2
aspyker
 
Fine-grained Authorization in a Containerized World
Ashutosh Narkar
 
Opa gatekeeper
Rita Zhang
 
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
Michael Man
 
CNCF opa
Juraj Hantak
 
Cloud native policy enforcement with Open Policy Agent
LibbySchulze
 
Opentracing jaeger
Oracle Korea
 
Nagios Conference 2014 - Luke Groschen - Using Nagios Network Analyzer and NS...
Nagios
 
Netflix Open Source Meetup Season 3 Episode 2
aspyker
 

What's hot (20)

PDF
Tracing Micro Services with OpenTracing
Hemant Kumar
 
PPTX
Nagios Conference 2014 - Scott Wilkerson - Getting Started with Nagios Networ...
Nagios
 
PDF
APIs: Intelligent Routing, Security, & Management
NGINX, Inc.
 
PDF
Elastic{ON} 2017 Recap
Matias Cascallares
 
PDF
Next-Gen DDoS Detection
Alex Henthorn-Iwane
 
PDF
Log System As Backbone – How We Built the World’s Most Advanced Vector Databa...
StreamNative
 
PDF
NGINX Plus R19 : EMEA
NGINX, Inc.
 
PDF
Select Star: Flink SQL for Pulsar Folks - Pulsar Summit NA 2021
StreamNative
 
PDF
Digital Forensics and Incident Response in The Cloud
Velocidex Enterprises
 
PDF
Open Tracing, to order and understand your mess. - ApiConf 2017
Gianluca Arbezzano
 
PPTX
Scale your application to new heights with NGINX and AWS
NGINX, Inc.
 
PDF
Five years of operating a large scale globally replicated Pulsar installation...
StreamNative
 
PPTX
What's new in NGINX Plus R19
NGINX, Inc.
 
PDF
Elastic Stack roadmap deep dive
Elasticsearch
 
PDF
An approach for migrating enterprise apps into open stack
Arthur Berezin
 
PDF
Netflix Open Source Meetup Season 4 Episode 2
aspyker
 
PPTX
Analyzing NGINX Logs with Datadog
NGINX, Inc.
 
PDF
6 Months Sailing with Docker in Production
Hung Lin
 
PPTX
Vault Agent and Vault 0.11 features
Mitchell Pronschinske
 
PDF
Distributed Tracing with OpenTracing, ZipKin and Kubernetes
Container Solutions
 
Tracing Micro Services with OpenTracing
Hemant Kumar
 
Nagios Conference 2014 - Scott Wilkerson - Getting Started with Nagios Networ...
Nagios
 
APIs: Intelligent Routing, Security, & Management
NGINX, Inc.
 
Elastic{ON} 2017 Recap
Matias Cascallares
 
Next-Gen DDoS Detection
Alex Henthorn-Iwane
 
Log System As Backbone – How We Built the World’s Most Advanced Vector Databa...
StreamNative
 
NGINX Plus R19 : EMEA
NGINX, Inc.
 
Select Star: Flink SQL for Pulsar Folks - Pulsar Summit NA 2021
StreamNative
 
Digital Forensics and Incident Response in The Cloud
Velocidex Enterprises
 
Open Tracing, to order and understand your mess. - ApiConf 2017
Gianluca Arbezzano
 
Scale your application to new heights with NGINX and AWS
NGINX, Inc.
 
Five years of operating a large scale globally replicated Pulsar installation...
StreamNative
 
What's new in NGINX Plus R19
NGINX, Inc.
 
Elastic Stack roadmap deep dive
Elasticsearch
 
An approach for migrating enterprise apps into open stack
Arthur Berezin
 
Netflix Open Source Meetup Season 4 Episode 2
aspyker
 
Analyzing NGINX Logs with Datadog
NGINX, Inc.
 
6 Months Sailing with Docker in Production
Hung Lin
 
Vault Agent and Vault 0.11 features
Mitchell Pronschinske
 
Distributed Tracing with OpenTracing, ZipKin and Kubernetes
Container Solutions
 
Ad

Similar to Protecting the Data Lake (20)

PDF
Open Policy Agent
Torin Sandall
 
PDF
Dynamic Authorization & Policy Control for Docker Environments
Torin Sandall
 
PDF
Dynamic Policy Enforcement for Microservice Environments
Nebulaworks
 
PPTX
OPA APIs and Use Case Survey
Torin Sandall
 
PDF
Building a Next-gen Data Platform and Leveraging the OSS Ecosystem for Easy W...
StampedeCon
 
PPTX
Lessons learned from embedding Cassandra in xPatterns
Claudiu Barbura
 
PDF
Hive on Spark, production experience @Uber
Future of Data Meetup
 
PDF
Big Data Pipeline for Analytics at Scale @ FIT CVUT 2014
Jaroslav Gergic
 
PDF
Data Platform in the Cloud
Amihay Zer-Kavod
 
PDF
#RADC4L16: An API-First Archives Approach at NPR
Camille Salas
 
PPTX
Charles sonigo - Demuxed 2018 - How to be data-driven when you aren't Netflix...
Charles Sonigo
 
PDF
Extracting Insights from Data at Twitter
Prasad Wagle
 
PDF
Data Con LA 2018 - Enabling real-time exploration and analytics at scale at H...
Data Con LA
 
PDF
Database automation guide - Oracle Community Tour LATAM 2023
Nelson Calero
 
PPTX
Dynomite @ RedisConf 2017
Ioannis Papapanagiotou
 
PDF
Query and audit logging in cassandra
Vinay Kumar Chella
 
PDF
Designing for operability and managability
Gaurav Bahrani
 
PDF
Scaling up uber's real time data analytics
Xiang Fu
 
PDF
Cloud-Scale BGP and NetFlow Analysis
Alex Henthorn-Iwane
 
PPTX
Denver Big Data Analytics Day
Zivaro Inc
 
Open Policy Agent
Torin Sandall
 
Dynamic Authorization & Policy Control for Docker Environments
Torin Sandall
 
Dynamic Policy Enforcement for Microservice Environments
Nebulaworks
 
OPA APIs and Use Case Survey
Torin Sandall
 
Building a Next-gen Data Platform and Leveraging the OSS Ecosystem for Easy W...
StampedeCon
 
Lessons learned from embedding Cassandra in xPatterns
Claudiu Barbura
 
Hive on Spark, production experience @Uber
Future of Data Meetup
 
Big Data Pipeline for Analytics at Scale @ FIT CVUT 2014
Jaroslav Gergic
 
Data Platform in the Cloud
Amihay Zer-Kavod
 
#RADC4L16: An API-First Archives Approach at NPR
Camille Salas
 
Charles sonigo - Demuxed 2018 - How to be data-driven when you aren't Netflix...
Charles Sonigo
 
Extracting Insights from Data at Twitter
Prasad Wagle
 
Data Con LA 2018 - Enabling real-time exploration and analytics at scale at H...
Data Con LA
 
Database automation guide - Oracle Community Tour LATAM 2023
Nelson Calero
 
Dynomite @ RedisConf 2017
Ioannis Papapanagiotou
 
Query and audit logging in cassandra
Vinay Kumar Chella
 
Designing for operability and managability
Gaurav Bahrani
 
Scaling up uber's real time data analytics
Xiang Fu
 
Cloud-Scale BGP and NetFlow Analysis
Alex Henthorn-Iwane
 
Denver Big Data Analytics Day
Zivaro Inc
 
Ad

Recently uploaded (20)

PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
PDF
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Teaching material agriculture food technology
LiaRayya
 
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
Encapsulation theory and applications.pdf
gurumoop
 
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 

Protecting the Data Lake

  • 2. A bit about Ash Narkar ! @ashtalk
  • 3. ● Data Lake Overview ● Open Policy Agent ○ Community ○ Features ○ Use Cases ● Use case deep dive ○ Ceph Data Protection Agenda
  • 5. Data is King ! ● Pervasive ● Abundant ● Customer Experience ● Revenue Growth
  • 6. Data is King ! ● Pervasive ● Abundant ● Customer Experience ● Revenue Growth ● Cyber Attacks ● Breaches ● Fines ● Loss of Customer Trust
  • 7. What Is A Data Lake?
  • 8. Data Lake Features ● Centralized Content ● Scalability ● Multiple data type support ● Resource optimization
  • 10. Data Lake Platform: Kafka Features ● Distributed streaming platform ● Building real-time streaming data pipelines and applications Security Challenges ● Authorization using Access Control Lists(ACLs) ● How to authorize requests based on context, like user, IP, common name in certificate Security Policies ● Consumers of topics containing PII must be whitelisted ● Producers to topics with high fanout must be whitelisted
  • 11. Data Lake Platform: Ceph Features ● Unified distributed storage system ● Delivers object, block, and file storage Security Challenges ● Security protocol handles only Ceph clients and servers. NO human users or applications 😔 Security Policies ● Users can access only those buckets belonging to the same geographical region as them ● Access based on a user’s Business Unit, Department etc.
  • 12. Data Lake Platform: Elasticsearch Features ● Full-text search and analytics engine ● Store, search and analyze Security Challenges ● Authorization is not considered as part of job ● User responsible for implementing access control Security Policies ● Access control policies for a patient’s PHI
  • 13. Security Challenge Overview ● Distinct systems ● Changing security requirements ❌ Hardcoding policy ❌ Tight coupling ✅ Expressiveness ✅ Speed and performance ✅ Unified Solution
  • 14. Who can solve the Security Challenge ?
  • 16. OPA: Community Inception Project started in 2016 at Styra. Goal Unify policy enforcement across the stack. Use Cases Admission control Authorization ACLs RBAC IAM ABAC Risk management Data Protection Data Filtering Users Netflix Medallia Chef Cloudflare State Street Pinterest Intuit Capital One ...and many more. Today CNCF project (Incubating) 59 contributors 800+ slack members 2000+ stars 20+ integrations
  • 18. ● Declarative Policy Language (Rego) ○ Can user X do operation Y on resource Z? ○ What invariants does workload W violate? ○ Which records should bob be allowed to see? ● Library, sidecar, host-level daemon ○ Policy and data are kept in-memory ○ Zero decision-time dependencies ● Management APIs for control & observability ○ Bundle service API for sending policy & data to OPA ○ Status service API for receiving status from OPA ○ Log service API for receiving audit log from OPA ● Tooling to build, test, and debug policy ○ opa run, opa test, opa fmt, opa deps, opa check, etc. ○ VS Code plugin, Tracing, Profiling, etc. OPA: Features Service OPA Policy (Rego) Data (JSON) Request DecisionQuery
  • 19. How does OPA work?
  • 20. How does OPA work? Salary Service V1 OPA Policy (Rego) Data (JSON) Request DecisionQuery Example policy "Employees can read their own salary and the salary of anyone they manage."
  • 21. How does OPA work? Example policy Employees can read their own salary and the salary of anyone they manage. Input Data method: "GET" path: ["salary", "bob"] user: "bob"
  • 22. 3 Steps to OPA Step 1: Clone OPA Repo
  • 23. 3 Steps to OPA Step 1: Clone OPA Repo Step 2: Build OPA binary
  • 24. 3 Steps to OPA Step 1: Clone OPA Repo Step 2: Build OPA binary Step 3: Execute OPA binary
  • 26. Use Cases CLOUD Host DB Host sshd App Container HTTP API Microservice APIs Orchestrator Admission Control Container Execution, SSH, sudo Linux Risk Management Data Protection and Data Filtering
  • 27. OPA Use Case: Ceph Data Protection
  • 28. Ceph Architecture CEPH STORAGE CLUSTER (RADOS) LIBRADOS RBD CEPH FSRADOSGW
  • 29. Ceph Data Protection: Setup OPA Node Port Service Incoming Request HTTP S3 Api RADOSGW RADOS user, method, bucket name Allow / Deny Policy (Rego) Data (JSON)
  • 30. Example policy "Users can access only those buckets belonging to the same geographical region as them."
  • 31. Demo: Ceph Data Protection https://katacoda.com/styra
  • 32. Data is King ! ● Pervasive ● Abundant ● Customer Experience ● Revenue Growth ● Cyber Attacks ● Breaches ● Fines ● Loss of Customer Trust