best practices: securing a couchbase server deployment: couchbase connect 2014
DESCRIPTION
As more and more sensitive information is stored in NoSQL databases, security has become a growing concern. In fact, many organizations are looking at locking down the cluster, encrypting sensitive data using applications, and other third-party technologies to build a defense-in-depth security solution across their application stack. Join this session to learn about new security features in 3.0 and other ways in which you can protect your Couchbase apps.
TRANSCRIPT
Best Practices Securing a Couchbase Server Deployment
Don Pinto | Product Manager, Couchbase
@NoSQLDon
©2014 Couchbase, Inc. 2
Why NoSQL Security?
Breaches, costs and reputation
Security questions from the field
Securing the stack
Security features in Couchbase
Security outside Couchbase
On the cloud
What’s next?
Q&A
Agenda
Why NoSQL security?
Big data not only means Volume, Velocity and Variety, but also Value
NoSQL is a popular solution for big data apps
Structured information is only 10% of the story: 90% of big data is unstructured and is made up of information like emails, videos, tweets, Facebook posts, web clicks, and so on
Because your information is valuable
Where do breaches come from?
40% related to server incidents
* Verizon 2014 Data Breach Investigations Report
95 Countries, 50+ Organizations, 1300+ breaches
Data breaches – costs and reputation
Average total data breach cost per organization ~ $5.85M
* 2014 cost of data breach study in United States
Average lost business ~ $3.32M
Key business drivers
Regulatory compliance: PCI, HIPAA, EU Directive, ISO 27002 and more
Organizational security requirements: network access protection, identity management, intrusion detection, patch management and others
Data consolidation and global outsourcing
Common security questions
(Diagram: Prod and Dev/QA/Test environments, storage, a backup server, sensitive data, XDCR to a remote cluster, and hAck3rs)
Which ports are open through the firewall?
What if an operator steals a disk?
Is sensitive data encrypted?
Is there admin access and data access separation?
Is your data encrypted in the cloud?
Are backups encrypted?
Is XDCR secure?
What vulnerabilities?
Need data to be protected in depth
Defense in depth – Best Practice
Layered security approach: Network, Storage, Servers, VMs, OS, Couchbase, App
(Figure labels: protect the infrastructure; database and app protection)
Review best practices to secure your Couchbase Infrastructure
Learn about security features in Couchbase
Security Best Practices
Outside Couchbase Server
Securing the perimeter – Best Practice
(Diagram: outside network, perimeter network and internal network, separated by an external firewall and an internal firewall; web and mobile apps reach a load balancer and web server in the perimeter network; the Couchbase cluster sits in the internal network)
Actors shown: end users & hack3rs; IT admins & app developers; IT admin & DBA
Allow webserver ingress and egress ports
Allow Couchbase ingress and egress ports
Allow Couchbase node-to-node ports on the local internal network
Packet filtering, blocking malicious IPs
Securing the network – Best Practice
Configuring Linux IPTables /etc/sysconfig/iptables
Important Couchbase ports: 8091, 8092, 11207, 11210, 11211, 11214, 11215, 18091, 18092
Use IPSec for added security
Couchbase executing as “couchbase” user on linux
Protect important files:
Encrypt on-disk data and index file paths: /opt/couchbase/var/lib/couchbase/data (default data path on Linux)
Encrypt on-disk password files: /opt/couchbase/var/lib/couchbase/isasl.pw, /opt/couchbase/var/lib/config/
ACL tools path: /opt/couchbase/bin/
Restrict admin access: disable web console access to Couchbase on ports 8091, 18091; only allow access from specific machines
Securing the host machine – Best Practice
Restrict access to Couchbase only through certain machines
Turn on OS auditing on these machines
Restricting and logging admin access – Best Practice
(Diagram, Seattle datacenter: DBA authenticates against the user directory and reaches the Couchbase Server through a jump box with OS logging; file system storage behind the server)
Data-at-rest encryption – Best Practice
Transparent encryption for data-at-rest using Vormetric
Transparent deployment
Scales and grows with your needs
Policy based key management
Tested with Couchbase
More info in Derek’s session on Vormetric and Couchbase
Security Best Practices and Features
Inside Couchbase Server
Passwords should have sufficient length (~ 8 chars) – Letters (upper and lower case), digits, and special characters
Enforce password rotation based on your organizational requirements
Forgot your admin password? Oops! cbreset_password tool
Passwords in Couchbase – Best Practice
Couchbase buckets – logical container for your documents
Buckets are protected with SASL AuthN; AuthN takes place over CRAM-MD5
Delete the following buckets in production:
Default bucket (no password support)
Sample buckets – beer-sample, gamesim-sample (empty passwords by default)
Couchbase bucket authentication – Added in 1.x
Read-only access in the web console and over REST
Privileges to view without edit capabilities :
Cluster and bucket summary
Design documents and view definitions
XDCR replications
Events and settings
Read-only admin – Added in 2.2
Access log monitors when administrators access the Couchbase cluster
Tracks REST or admin console accesses
“http_access.log” can be found at /opt/couchbase/var/lib/couchbase/logs
ASCII text-based - Common Log Format
What can you get from this log?
Search client IP patterns
Search error codes – “401”
Suspicious GET URLs
Complement with OS jumpbox audit
Couchbase access log – New in 3.0 !
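Added example (not from the talk or from Couchbase) of the two searches the slide suggests, run in Python over constructed log lines. It assumes http_access.log follows the standard Common Log Format field order and that legitimate admin traffic arrives only from the jump-box network passed to analyze().

```python
import ipaddress
import re
from collections import Counter, defaultdict

# CLF: host ident authuser [date] "request" status bytes (assumed layout; the
# slide only says the file is in Common Log Format).
CLF = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines in the shape of http_access.log (not real traffic).
SAMPLE_LOG = """\
10.0.5.20 - - [04/Oct/2014:10:01:02 +0000] "GET /pools/default HTTP/1.1" 200 1532
203.0.113.7 - - [04/Oct/2014:10:02:11 +0000] "GET /pools/default HTTP/1.1" 401 0
203.0.113.7 - - [04/Oct/2014:10:02:12 +0000] "GET /pools/default HTTP/1.1" 401 0
203.0.113.7 - - [04/Oct/2014:10:02:13 +0000] "GET /pools/default HTTP/1.1" 401 0
203.0.113.7 - - [04/Oct/2014:10:02:20 +0000] "GET /settings/web HTTP/1.1" 401 0
192.168.3.9 - - [04/Oct/2014:10:05:00 +0000] "GET /pools/default HTTP/1.1" 200 1532
"""

def parse_line(line):
    """Return the fields of one CLF line as a dict, or None if it does not parse."""
    m = CLF.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def analyze(lines, admin_networks, fail_threshold=3):
    """Flag client IPs with repeated 401s and any request that did not come
    through the jump-box networks (the slide's 'client IP patterns')."""
    nets = [ipaddress.ip_network(n) for n in admin_networks]
    failures = Counter()
    outside = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                    # keep going on a malformed line
        ip = ipaddress.ip_address(rec["host"])
        if rec["status"] == 401:
            failures[rec["host"]] += 1
        if not any(ip in net for net in nets):
            outside[rec["host"]].add(f'{rec["method"]} {rec["path"]}')
    findings = [("auth-failures", host, n)
                for host, n in failures.items() if n >= fail_threshold]
    findings += [("outside-admin-net", host, sorted(reqs))
                 for host, reqs in outside.items()]
    return findings
```

Run it against the real file with `analyze(open(path), ["<jump-box CIDR>"])` and cross-check hits against the OS audit trail on the jump box.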
Encrypts admin access to Couchbase using SSL
Remote admins connecting to Couchbase Admin Console over the internet
Accessing view data over the internet
Want to force SSL only client connections? Lock down non-SSL ports using a firewall
Encrypted admin access – New in 3.0 !
https://couchbase_server:18091/…
https://couchbase_server:18092/…
Security Best Practices
Inside the application
Secure client configuration cache path – Best Practice
Cluster config, including passwords, is stored in the client configuration cache
When configuration should be client cached: many ‘short lived’ libcouchbase client processes + non-frequent cluster topology changes
The cache is stored on the local client disk as a named file; for PHP it is configured in the .ini file variable couchbase.config_cache = “<path>”
Don’t make the configuration cache path world readable / writable
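An added Python check (not from the talk or from Couchbase) for the "not world readable / writable" rule on this slide and on the earlier host-machine slide: it audits the permission bits and owner of the password file, config directory and data path named there, plus a placeholder client cache path standing in for whatever couchbase.config_cache points to. demo() runs the same check on scratch files so it can be tried without a Couchbase install.

```python
import os
import stat
import tempfile

# Paths named on the slides; the last one is a placeholder for the PHP client
# cache path configured via couchbase.config_cache.
SENSITIVE_PATHS = [
    "/opt/couchbase/var/lib/couchbase/isasl.pw",
    "/opt/couchbase/var/lib/config/",
    "/opt/couchbase/var/lib/couchbase/data",
    "/var/cache/couchbase/config_cache",   # placeholder, adjust to your php.ini
]

def mode_findings(path, mode, uid, expected_uid):
    """Pure check on permission bits and owner (testable without a real install)."""
    problems = []
    if mode & stat.S_IROTH:
        problems.append("world-readable")
    if mode & stat.S_IWOTH:
        problems.append("world-writable")
    if mode & stat.S_IWGRP:
        problems.append("group-writable")
    if uid != expected_uid:
        problems.append(f"owned by uid {uid}, expected {expected_uid}")
    return [(path, p) for p in problems]

def audit(paths, expected_uid):
    """stat each path and collect findings; a missing path is reported, not skipped."""
    findings = []
    for path in paths:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            findings.append((path, "missing"))
            continue
        findings.extend(mode_findings(path, stat.S_IMODE(st.st_mode), st.st_uid, expected_uid))
    return findings

def demo():
    """Scratch files standing in for isasl.pw (lax 0644) and a client cache (tight 0600)."""
    with tempfile.TemporaryDirectory() as d:
        lax, tight = os.path.join(d, "isasl.pw"), os.path.join(d, "config_cache")
        for path, mode in ((lax, 0o644), (tight, 0o600)):
            with open(path, "w") as f:
                f.write("constructed")
            os.chmod(path, mode)
        return audit([lax, tight], os.getuid())
```

On a server, call `audit(SENSITIVE_PATHS, pwd.getpwnam("couchbase").pw_uid)` since Couchbase runs as the couchbase user on Linux; for the client cache, pass the uid of the application user instead.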
Attacker can craft arbitrary input that allows:
Injection of arbitrary key-value pairs
Changing the user-specified document type
Overriding important document fields
Strongly type your document model using Java POJOs, C# .NET POCOs
Explicitly override the field
Input: { "user":"don", "password":"0asd21$1%", "created":"2014-10-04", "password":"password" }
Result: { "user":"don", "password":"password", "created":"2014-10-04" }
Validate user input – Best Practice
Schema Injection
DEMO
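An added Python illustration of the duplicate-key override shown on the slide (not code from the talk or from Couchbase): naive_load() reproduces the result, and load_user_doc() applies the two fixes, a strongly typed document and an explicit server-side override of the field. The JSON input is constructed to mirror the slide, and the dataclass stands in for the Java POJO / C# POCO.

```python
import json
from dataclasses import dataclass

# Constructed input mirroring the slide: the second "password" key is the injected one.
INJECTED = '{"user":"don", "password":"0asd21$1%", "created":"2014-10-04", "password":"password"}'

CLIENT_FIELDS = {"user", "password"}   # the only keys a client is allowed to send

def naive_load(raw):
    """json.loads keeps the LAST value of a duplicated key: the injected value wins."""
    return json.loads(raw)

def reject_duplicates(pairs):
    """object_pairs_hook that refuses a document with a repeated key."""
    doc = {}
    for key, value in pairs:
        if key in doc:
            raise ValueError(f"duplicate key: {key}")
        doc[key] = value
    return doc

@dataclass(frozen=True)
class UserDoc:
    """Stand-in for a Java POJO / C# POCO: fixed fields, no extra attributes."""
    user: str
    password: str
    created: str

def load_user_doc(raw, created):
    """Strongly typed parse: duplicate and unknown keys are rejected, and the
    server-controlled 'created' field is set here (explicit override), never
    taken from the client."""
    data = json.loads(raw, object_pairs_hook=reject_duplicates)
    unknown = set(data) - CLIENT_FIELDS
    if unknown:
        raise ValueError(f"unexpected keys: {sorted(unknown)}")
    if not all(isinstance(data.get(k), str) for k in CLIENT_FIELDS):
        raise ValueError("user and password must be strings")
    return UserDoc(user=data["user"], password=data["password"], created=created)
```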
SSL support in Couchbase Server 2.0 clients (Java, .NET, libCouchbase)
SSL can be enabled per bucket
Encrypted client-server communication (New feature in 3.0)
(Diagram: Couchbase Server cluster of SERVER 1, SERVER 2 and SERVER 3 with SSL connections from the clients)
Use third-party crypto libraries to encrypt and decrypt data; only the application has the crypto keys; only encrypt sensitive JSON fields
Things to watch for:
Don’t store the crypto key un-encrypted in the document; integrate the app with a key management solution or local keyring
Don’t index encrypted data unless it is absolutely necessary; only encrypt necessary data fields
Don’t apply start-end key ranges to encrypted data; keep hashes of your data in the document for equality searches
Client-side field encryption – Application capability
Client-side data encryption
DEMO
Security Best Practices
On the cloud
Amazon EC2 security
Host operating system: individual SSH keyed logins via bastion hosts for AWS admins; all accesses logged and audited
Guest operating system: customer controlled at root level; AWS admins cannot log in; customer-generated key-pairs
Firewall: mandatory inbound instance firewall, default deny mode; outbound instance firewall available in VPC; VPC subnet ACLs
Signed Amazon API calls: require X.509 certificate or customer’s secret AWS key
Based on content from http://aws.amazon.com/security
Encrypts XDCR traffic between datacenters using SSL
All traffic between the source and destination datacenter is encrypted
Periodically rotate the XDCR certificates
Slight CPU load increase on the source and destination clusters
Secure cross datacenter replication – Added in 2.5
Secure cross datacenter replication – Encrypted traffic
What’s Next?
Security features in Couchbase (timeline columns: Previous…, In 2.2, In 2.5, In 3.0)
SASL AuthN with bucket passwords
Admin user
Read-only user
Easy admin password reset
Non-root user deployments
Secure communication for XDCR
Encrypted client-server communication
Encrypted admin access
Access log (this is not an audit log)
Data-at-rest encryption (through third-party tool)
Added preventive, detective, and administrative security controls in Couchbase
Auditing
External authentication
User, roles and permissions
Fine grained authorization
Enhanced crypto and more …
What’s next?
Download Couchbase Server 3.0
Download @ http://www.couchbase.com/download
@NoSQLDon