Data Security and MarkLogic Security ALL the Things · 2019-06-18
TRANSCRIPT
SLIDE: 1
17 June 2019 © MARKLOGIC CORPORATION
Data Security and MarkLogic Security ALL the Things
JASON HUNTER, SE Director
RANGAN DORESWAMY, Product Manager - Security
SLIDE: 2
Data security is bigger than this little box
Source: Momentum Partners
SLIDE: 3
Most organizations focus on network security
NETWORK SECURITY: PROTECT THE PERIMETER, THE “CRUNCHY OUTSIDE”
DATA SECURITY: PROTECT THE DATA IN THE “SQUISHY MIDDLE”
SLIDE: 4
Challenges with data security: data management is complex
Data gets scattered across silos
Policies spread in multiple places
Data models always changing
Multiple tools must work together
Stakeholders shown: CEO/CFO/CIO, Compliance Officer, Developer, DBA
SLIDE: 5
Secure by default
Fine-grained, role-based security
Advanced Encryption
Data anonymization and redaction
Improved data security across the integration lifecycle
MarkLogic: The most secure NoSQL database
DATA SECURITY & DATA SHARING: Better security leads to more sharing with less risk
SLIDE: 6
Secure everywhere
Safe in any cloud: deploy confidently and avoid vendor lock-in
Safe data sharing: control exactly who sees what data
Cloud neutral: hybrid cloud and on-premises
Advanced encryption
Granular access control
Anonymization and redaction
Curated and governed data
SLIDE: 7
Controlling access to information
SLIDE: 8
Access to documents
Who is the user?
What should the user see or do?
SLIDE: 9
Security principle: Authorization
AUTHORIZATION
AUTHENTICATION
AUDITING
Utilize Roles, Compartments, and Privileges to control access
SLIDE: 10
Privileges – what actions you can execute (e.g. reboot the box, insert docs with a given URI prefix)
Permissions – what capabilities you have with data (e.g. can you see/update a doc or element)
RBAC – Role Based Access Control
- Users are assigned to “roles” in the database
- The roles of a user control what they can do, see, edit, etc.
- Roles can inherit from each other for easier management
Security 101
SLIDE: 11
Document security model
ROLE SECURITY MODEL
- Roles (the user universe; hierarchical): users and groups
- Privileges: actions
APPLIED TO DOCUMENTS
- Permissions: <role, capability> pairs on each document, e.g. …<role1, read><role2, node-update>…
- Capabilities: read, update, insert, execute
VISIBILITY
Must first have permissions to see the document, then if you have permission to see “secret”, you see all.
{"Customer_ID": 1001, "Fname": "Paul", "Lname": "Jackson", …}
SLIDE: 12
Role Based Access Control (RBAC)
Roles: Compliance, CallCenter
User permissions on the InsurancePolicy document: Compliance (read, update), CallCenter (read)
SLIDE: 13
RBAC – Compartment Security*
Roles: CallCenter, plus Country: US and Country: UK, which sit in a Country compartment
User permissions on USInsurancePolicy: CallCenter (read) AND Country: US (read)
User permissions on UKInsurancePolicy: CallCenter (read) AND Country: UK (read)
Because the Country roles are compartmented, a CallCenter reader must also hold the matching Country role; CallCenter (read) on its own is not enough.
* Part of the Advanced Security option
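As an added example (not from the slides), here is the InsurancePolicy scenario above built and checked in XQuery: two ordinary roles, two compartmented roles, three users, two policy documents, and a read as each user. The user names, passwords, document URIs and policy contents are constructed for the example, and the compartment name "Country" is an assumption. Query 1a/1b run against the Security database, Queries 2 and 3 against the content database, all as an admin; roles and the users that reference them are created in separate transactions because a user creation cannot see a role created in the same, not yet committed, transaction.

```xquery
xquery version "1.0-ml";
(: === Query 1a: run against the Security database === :)
import module namespace sec = "http://marklogic.com/xdmp/security"
  at "/MarkLogic/security.xqy";

(: Plain roles: name, description, inherited roles, default permissions, default collections :)
sec:create-role("Compliance", "Compliance officers", (), (), ()),
sec:create-role("CallCenter", "Call-center agents", (), (), ()),
(: Compartmented roles: the sixth argument places both in the "Country" compartment
   (compartment security is part of the Advanced Security option). :)
sec:create-role("Country-US", "May see US policies", (), (), (), "Country"),
sec:create-role("Country-UK", "May see UK policies", (), (), (), "Country")

(: === Query 1b: Security database, separate transaction so the roles above exist === :)
xquery version "1.0-ml";
import module namespace sec = "http://marklogic.com/xdmp/security"
  at "/MarkLogic/security.xqy";
(: Passwords are constructed for this example :)
sec:create-user("alice", "US call-center agent", "alice-pw", ("CallCenter", "Country-US"), (), ()),
sec:create-user("bob",   "UK call-center agent", "bob-pw",   ("CallCenter", "Country-UK"), (), ()),
sec:create-user("carol", "Compliance, no Country role", "carol-pw", "Compliance", (), ())

(: === Query 2: run against the content database === :)
xquery version "1.0-ml";
declare function local:insert-policy($uri as xs:string, $country as xs:string) as empty-sequence() {
  xdmp:document-insert($uri,
    xdmp:unquote(fn:concat('{"policy": "', $uri, '", "country": "', $country, '"}')),
    (xdmp:permission("Compliance", "read"),
     xdmp:permission("Compliance", "update"),
     xdmp:permission("CallCenter", "read"),
     (: compartment permission: readers also need a role in the Country compartment :)
     xdmp:permission(fn:concat("Country-", $country), "read")),
    "policies")
};
local:insert-policy("/policies/us-insurance-policy.json", "US"),
local:insert-policy("/policies/uk-insurance-policy.json", "UK")

(: === Query 3: content database, run as an admin === :)
xquery version "1.0-ml";
(: Evaluate a read as another user via the user-id option of xdmp:eval :)
declare function local:visible-to($user as xs:string) as xs:string* {
  xdmp:eval(
    'for $d in cts:search(fn:doc(), cts:collection-query("policies")) return xdmp:node-uri($d)',
    (),
    <options xmlns="xdmp:eval"><user-id>{xdmp:user($user)}</user-id></options>)
};
for $u in ("alice", "bob", "carol")
return fn:concat($u, " sees: ", fn:string-join(local:visible-to($u), " "))
(: Expected:
   alice sees: /policies/us-insurance-policy.json   CallCenter read AND Country-US read
   bob sees: /policies/uk-insurance-policy.json     CallCenter read AND Country-UK read
   carol sees:                                      Compliance read, but no role in the
                                                    Country compartment that both documents carry :)
</br>```

The carol case is the one to test in your own deployment: once a document carries a permission for any compartmented role, every reader needs a role in that compartment, including roles such as Compliance that would otherwise have full read access. Users holding the admin role bypass all of this, so do not run the check as admin and conclude the compartments work.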
SLIDE: 14
Access inside documents
What sensitive information has to be protected?
How do you enable authorized search only?
SLIDE: 15
Role Based, Element Level Security: Granular control on information visibility
{"Customer_ID": 1001,"Fname": "Paul","Lname": "Jackson","Phone": "415-555-1212","SSN": "123-45-6789","Addr": "123 Avenue ","City": "Someville","State": "CA","Zip": 94111
}
You can control access to the level of XML elements or JSON properties
Protection is based on element names, element attributes, property names, and values – Called Protected Paths
Out-of-the-box, in-database solution
Real-time control enforced at the data layer for: search, queries, and updates
SLIDE: 16
Integrate data while preserving privacy
Each Protected Path is associated with roles and permissions
- sec:protect-path("//ssn", ("hr_role", "read"))
- sec:protect-path("/root/reg[fn:matches(@access, 'USA')]", ("USA_role", "read"))
- sec:protect-path("/root/data[@cls='ts']", ("ts_role", "update"))
* Function signatures simplified for illustration
Only a user from HR can see the SSN
Only a Top Secret person can update data classified as Top Secret
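Below is an added XQuery example (not from the slides) that wires the HR/SSN case above end to end: create the roles and users, protect //SSN, register the query rolesets the document needs, then read and search as each user. hr_role is the slide's name; agent_role, the user names and passwords, the document URI and the customer record are constructed for the example. sec:protect-path takes the path, a list of namespace bindings (empty for JSON) and the permissions; the query-roleset functions are used as the Element Level Security guide for MarkLogic 9 describes them, so check those signatures against your release. Each query is pasted into Query Console with the database named in its comment selected, as an admin.

```xquery
xquery version "1.0-ml";
(: === Query 1a: Security database === :)
import module namespace sec = "http://marklogic.com/xdmp/security"
  at "/MarkLogic/security.xqy";
sec:create-role("hr_role", "May read SSNs", (), (), ()),
sec:create-role("agent_role", "May read customer records", (), (), ())

(: === Query 1b: Security database, separate transaction so the roles exist === :)
xquery version "1.0-ml";
import module namespace sec = "http://marklogic.com/xdmp/security"
  at "/MarkLogic/security.xqy";
sec:create-user("hr-user", "", "hr-pw", ("hr_role", "agent_role"), (), ()),
sec:create-user("agent-user", "", "agent-pw", "agent_role", (), ()),
(: Protected path: path, namespace bindings (none for JSON), permissions.
   Only hr_role may read an SSN node; anyone else who can read the document
   sees it with SSN absent, and cannot match it in a query either. :)
sec:protect-path("//SSN", (), xdmp:permission("hr_role", "read"))

(: === Query 2: content database === :)
xquery version "1.0-ml";
(: Constructed customer record :)
xdmp:document-insert("/customers/1001.json",
  xdmp:unquote('{"Customer_ID": 1001, "Fname": "Paul", "Lname": "Jackson",
                 "Phone": "415-555-1212", "SSN": "123-45-6789", "State": "CA"}'),
  xdmp:permission("agent_role", "read"),
  "customers")

(: === Query 3: content database. Register the query rolesets this document now needs.
   Without them, searches on the protected SSN value match nothing, even for hr_role;
   plain fn:doc reads are unaffected. === :)
xquery version "1.0-ml";
import module namespace sec = "http://marklogic.com/xdmp/security"
  at "/MarkLogic/security.xqy";
let $rolesets := xdmp:database-node-query-rolesets("/customers/1001.json", "all")
return xdmp:invoke-function(function() { sec:add-query-rolesets($rolesets) },
  <options xmlns="xdmp:eval">
    <database>{xdmp:security-database()}</database>
    <update>true</update>
  </options>)

(: === Query 4: content database, run as an admin: read and search as each user === :)
xquery version "1.0-ml";
declare function local:as($user as xs:string, $query as xs:string) as item()* {
  xdmp:eval($query, (),
    <options xmlns="xdmp:eval"><user-id>{xdmp:user($user)}</user-id></options>)
};
let $read := 'fn:string(fn:doc("/customers/1001.json")/SSN)'
let $find := 'fn:count(cts:search(fn:doc(), cts:json-property-value-query("SSN", "123-45-6789")))'
return (
  fn:concat("agent reads SSN: [", local:as("agent-user", $read), "]"),  (: [] :)
  fn:concat("hr reads SSN:    [", local:as("hr-user", $read), "]"),     (: [123-45-6789] :)
  fn:concat("agent finds by SSN: ", local:as("agent-user", $find)),     (: 0 :)
  fn:concat("hr finds by SSN:    ", local:as("hr-user", $find))         (: 1 :)
)
```

Two things to keep in mind when you use this for real: a protected path is defined in the Security database and is not scoped to one collection or document, so //SSN affects every document with that property in every database that uses this Security database; and the hr-user still needs document-level read (here via agent_role), because the document permission is checked before the path permission, exactly as the visibility rule on the earlier slide says.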
SLIDE: 17
Integrated document security model
ROLE SECURITY MODEL
- Roles (the user universe; hierarchical): users and groups
- Privileges: actions
APPLIED TO DOCUMENTS
- Permissions: <role, capability> pairs on each document, e.g. …<role1, read><role2, node-update>…
- Capabilities: read, update, insert, execute
APPLIED TO PROTECTED PATHS
- Permissions: <path, role, capability> triples, e.g. …<//path, role1, read><//path2, role2, update>…
- Capabilities: read, update, insert, execute
VISIBILITY
Must first have permissions to see the document, then if you have permission to see “secret”, you see all.
{…, "path": {"secret" …}, …}
SLIDE: 18
Security Principle: Authentication
AUTHENTICATION
AUDITING
External or Local
External is via LDAP or Kerberos (with groups mapped to roles), Certificate-based (X.509), or SAML 2.0
Secure credential storage
AUTHORIZATION
SLIDE: 19
External Authentication (Recommended)
- Primary user database lives external to the MarkLogic Database
- Authentication type can be LDAP, Kerberos, SAML Auth, Certificate
- Seamless Integration with existing enterprise security model
- You DO always need your Roles created within MarkLogic
- Authorization can be External (user roles derived from the Group declared by the external system) or Internal (users and roles are known within MarkLogic but credentials are checked externally)
Who you are: Authentication types
SLIDE: 20
Internal Authentication
- User database lives fully within MarkLogic
- Best to limit to the MarkLogic Bootstrapping Admin account (always need that local user)
- Remember: You DO always need your Roles created within MarkLogic
Who you are: Authentication types
SLIDE: 21
Delegated Authorization – SAML
SLIDE: 22
The middle tier can forward passwords. Make sure you secure the communication channel at every step. Beware: the middle tier and MarkLogic would then both be “password collectors”
The middle tier can hit MarkLogic with one high-powered account and dictate what roles the current request should run under. Common with databases. Beware: it gives full trust to the middle-tier code, and the database can audit only the service account, not the end user
Better: have the client present a secure “token” to the middle tier and have the middle tier pass it on. The token carries identity and capability. No passwords flying by, no undue trust given. This is SAML
Security with a middle tier
SLIDE: 23
Security Assertion Markup Language, a standard type of secure token that provides identity and capability
Generated by an “identity provider”. Picture an SSO server where a user logs in and gets the secure token in return. This token proves who they are and what they should be allowed to do
In a three-tier application, the middle tier manages the generation of the token and passes it to MarkLogic along with each request
MarkLogic (as of MarkLogic 9.0-9) reads SAML 2.0 tokens and securely recognizes the user without ever having the user credentials. SAML attributes can be mapped to MarkLogic roles
SAML
SLIDE: 24
Safe Data Sharing
SLIDE: 25
Share the right information
Can I get a data dump with PII removed?
How to give data to data scientists?
How to get realistic data on QA/UAT?
SLIDE: 26
Remove sensitive information on export
Data exported for testing and analysis must not have any real PII or sensitive information
Need a way to find the client or financial information in the data
Need a way to tell what to do with the information depending on the target needs
SLIDE: 27
Share data while preserving privacy: mask or conceal sensitive information on export
Redact at the level of XML elements, JSON properties, or even free text patterns when exporting
Combine built-in or custom rules into policies to match different target needs
Use built-in functions that best fit each content:
- concealing, random, deterministic, dictionary, pattern, or custom
{"Customer_ID": 1001,"Fname": "Paul","Lname": "Jackson","Phone": "415-555-1212","SSN": "123-45-6789","Addr": "123 Avenue ","City": "Someville","State": "CA","Zip": 94111
}
SLIDE: 28
Rule-based redaction on export: Share data while preserving privacy
Mask or conceal sensitive information
Use predefined functions
Out-of-the-box, in-database solution
Original document
{"Customer_ID": 1001, "Fname": "Paul", "Lname": "Jackson", "Phone": "415-555-1212", "SSN": "343-45-6569", "Addr": "456 Main St", "City": "NYC", "State": "NY", "Zip": 94111}
QA/Dev export
{"Customer_ID": 3456, "Fname": "John", "Lname": "Jameson", "Phone": "123-123-1233", "SSN": "xxx-xx-6569", "Addr": "23 Side St", "City": "San Francisco", "State": "CA", "Zip": 90051}
BI export
{"Customer_ID": 34567, "Phone": "123-123-1233", "SSN": "456-456-9876", "City": "NYC", "State": "NY", "Zip": 94111}
SLIDE: 29
Use the rdt.redact function to create redacted in-memory copies of documents
Suitable for testing and debugging your rules or for redacting a small number of documents.
rdt.redact is not a security function: it produces masked copies for export and does not limit what a caller can read; document permissions and protected paths do that
Use the mlcp command line tool to export data
Use rdt.ruleValidate to test the validity of your rules before calling rdt.redact
Redact function vs. mlcp
const rdt = require('/MarkLogic/redaction');
const docs = fn.collection("Redaction");
rdt.ruleValidate(["MY_RULES"]); // throws if a rule in the collection is invalid
rdt.redact(docs, ["MY_RULES"]); // returns redacted in-memory copies; stored documents are unchanged
mlcp.sh export -host localhost -port 8000 \
-username u -password p -mode local \
-output_file_path ./results \
-collection_filter people \
-redaction "MY_RULES"
SLIDE: 30
Redaction rules
• Rules are documents in a collection, e.g. MY_RULES, stored in the schemas database associated with the content database
• Each rule defines what to do with the information by specifying a function
• Each rule uses XPath expressions to find information to conceal or mask
const ruleClientInfo = {
  "rule": {
    "description": "Random #..",
    "path": "/policy/client/id",
    "method": { "function": "mask-random" },
    "options": { "length": 10 }
  }
};
xdmp.documentInsert("ruleClientInfo.json", ruleClientInfo, {
  "collections": [ "MY_RULES" ]
});
SLIDE: 31
Redaction functions
Ships with out-of-the-box functions:
- Conceal, Random, Deterministic, Dictionary
- Deterministic masking is salted (salt, extend-salt) so that masked values cannot be linked across data sets
- Patterns: SSN, US Phone, email, IPv4, Regex, Dates, Numbers
Users can write custom functions
"method": { "function": "mask-deterministic" },
"options": { "length": 10, "salt": "a23sdas#4er", "extend-salt": "collection" }
"method": { "function": "redact-us-ssn" },
"options": { "level": "partial", "character": "X" }
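As an added example (not from the slides, which show the JavaScript API), the two export policies from the QA/Dev and BI slides above expressed as XQuery: one query installs two rule collections, the other validates them and redacts constructed records in memory. Rule URIs, collection names, the salt and the sample records are all constructed for the example; the function names and option keys (redact-us-ssn, mask-random, mask-deterministic, conceal, level, character, length, salt, extend-salt) are the built-in ones shown on the slides. Query 1 runs against the Schemas database that belongs to your content database; Query 2 runs against the content database as a user holding the predefined redaction-user role.

```xquery
xquery version "1.0-ml";
(: === Query 1: Schemas database of the content database. Rules are read from
   there, not from the content database, so this is where they must live. === :)
declare function local:rule($collection as xs:string, $uri as xs:string,
                            $path as xs:string, $function as xs:string,
                            $options as map:map?) as empty-sequence() {
  let $rule := map:new((
    map:entry("description", $uri),
    map:entry("path", $path),
    map:entry("method", map:entry("function", $function)),
    if (fn:exists($options)) then map:entry("options", $options) else ()))
  return xdmp:document-insert($uri, xdmp:to-json(map:entry("rule", $rule)),
                              xdmp:default-permissions(), $collection)
};

(: QA/Dev export: keep the shape of the data, break the link to real people :)
local:rule("QA_RULES", "/rules/qa-ssn.json", "/SSN", "redact-us-ssn",
  map:new((map:entry("level", "partial"), map:entry("character", "x")))),
local:rule("QA_RULES", "/rules/qa-id.json", "/Customer_ID", "mask-random",
  map:new((map:entry("length", 4), map:entry("character", "numeric")))),
local:rule("QA_RULES", "/rules/qa-fname.json", "/Fname", "mask-random", map:entry("length", 8)),
local:rule("QA_RULES", "/rules/qa-lname.json", "/Lname", "mask-random", map:entry("length", 8)),
local:rule("QA_RULES", "/rules/qa-addr.json",  "/Addr",  "mask-random", map:entry("length", 12)),

(: BI export: drop the direct identifiers, keep SSN joinable but not reversible :)
local:rule("BI_RULES", "/rules/bi-fname.json", "/Fname", "conceal", ()),
local:rule("BI_RULES", "/rules/bi-lname.json", "/Lname", "conceal", ()),
local:rule("BI_RULES", "/rules/bi-addr.json",  "/Addr",  "conceal", ()),
local:rule("BI_RULES", "/rules/bi-ssn.json", "/SSN", "mask-deterministic",
  map:new((map:entry("length", 9), map:entry("character", "numeric"),
           map:entry("salt", "change-me-per-deployment"),   (: constructed; keep it secret :)
           map:entry("extend-salt", "none"))))

(: === Query 2: content database; caller needs the redaction-user role === :)
xquery version "1.0-ml";
import module namespace rdt = "http://marklogic.com/xdmp/redaction"
  at "/MarkLogic/redaction.xqy";

(: Two constructed records that share an SSN :)
declare variable $paul := xdmp:unquote(
  '{"Customer_ID": 1001, "Fname": "Paul", "Lname": "Jackson", "Phone": "415-555-1212",
    "SSN": "123-45-6789", "Addr": "123 Avenue", "City": "Someville", "State": "CA", "Zip": 94111}');
declare variable $dup := xdmp:unquote(
  '{"Customer_ID": 2002, "Fname": "P.", "Lname": "Jackson", "SSN": "123-45-6789", "State": "CA"}');

(: Fails fast if any rule in either collection is malformed :)
rdt:rule-validate(("QA_RULES", "BI_RULES")),

(: Redacted in-memory copies; the stored documents are untouched :)
rdt:redact($paul, "QA_RULES"),   (: SSN "xxx-xx-6789", random id, names and address :)
rdt:redact($paul, "BI_RULES"),   (: no Fname/Lname/Addr; SSN is 9 salted digits :)

(: Deterministic masking keeps the join key: the same SSN masks to the same value :)
rdt:redact($paul, "BI_RULES")/SSN = rdt:redact($dup, "BI_RULES")/SSN
```

The extend-salt choice is the policy decision here: "none" makes the BI mask stable across every document and collection, which is what analysts need to join on it; "collection" or "document-uri" folds that context into the salt so the same SSN masks differently in different places, which is what you want when the recipient must not be able to correlate records. Treat the salt like a key: anyone who has it and the function can rebuild the mapping for a guessed SSN.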
SLIDE: 32
Security principles: Auditing
AUTHENTICATION
AUDITING
Audit document access and updates
Audit configuration changes, administrative actions, code execution, and changes to access control
AUTHORIZATION
SLIDE: 33
Advanced Security: Safe data sharing by controlling exactly who sees what data
SLIDE: 34
Prevent direct access to files
Is my data secure on disk?
Can the cloud sys admin see the data?
Can someone modify the data on disk?
Can you erase traces of wrongdoing?
SLIDE: 35
Securing Data at Rest With Encryption
SLIDE: 36
Advanced Encryption: Transparent encryption of data, configuration, and logs
Protection from insider threats: prevent sys admin access to information; reduce DBA authority
Better governance: prevent tampering with information on disk; reduce the ability to hack a system
Easier compliance: match stringent security standards and mandates
Enable Data Integration without Security Compromises
SLIDE: 37
Data confidentiality and integrity
Encryption Protects Data Confidentiality
- Protect database files above the file system
- Prevent non-authorized users from seeing file contents or using files in other systems
- Enable safe deployment in the public cloud
Encryption Protects Data Integrity
- Block modifications to audit logs – important to you, important to regulators
- Prevent modifications to files on disk
[Diagram: disk storage and file system are protected; decryption happens in the database; DBA, Sys Admin and Security Admin are separate roles]
SLIDE: 38
Advanced Encryption – Internal KMS: Transparent encryption of data, configuration and logs
[Diagram: cluster or laptop with DB backup and a local key store, managed by the DBA]
- Wallet and encryption keys held on local disk
- Wallet is needed to read the data; delete the wallet and the data is unrecoverable
- MarkLogic admin manages the wallet and encryption keys: can backup, restore, extract, rotate, and move them
- High performance: hardware-accelerated encryption on Intel chips
- NIST-approved algorithm: AES-256
- Transparent: no code modification!
SLIDE: 39
Advanced Encryption – External KMS: Transparent encryption of data, configuration and logs
[Diagram: cluster or laptop with DB backup; DBA, Sec Admin and Sys Admin roles; keys held in external key management]
- Wallet and encryption keys held in an external key management system (KMS)
- Integrates with any KMS supporting the KMIP 1.2 standard or a PKCS#11 HSM
- MarkLogic admin has NO access to encryption keys
- Without continued KMS cooperation the data is useless
- Encryption keys managed per database in a cluster, so you can pick which databases to encrypt
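As an added example (not from the slides), the Admin API calls that turn the Internal and External KMS configurations above into settings, plus a check of what is currently encrypted. Function names follow the MarkLogic 9 Admin API as documented at the time of the talk (admin:cluster-set-keystore-*, admin:cluster-set-*-encryption, admin:database-set-data-encryption); confirm them against your release before running. The database name "Documents", the KMS host name and port are assumptions for the example. Run as an admin against any database.

```xquery
xquery version "1.0-ml";
(: === Query 1: encryption at rest with the internal keystore (wallet on local disk) === :)
import module namespace admin = "http://marklogic.com/xdmp/admin"
  at "/MarkLogic/admin.xqy";

let $config := admin:get-configuration()
let $config := admin:cluster-set-keystore-kms-type($config, "internal")
(: Cluster-wide: encrypt configuration files and logs, and default every database to encrypted :)
let $config := admin:cluster-set-config-encryption($config, "on")
let $config := admin:cluster-set-logs-encryption($config, "on")
let $config := admin:cluster-set-data-encryption($config, "default-on")
(: Per-database override: "on", "off" or "default-cluster". Pin the one that matters
   so a later change of the cluster default cannot silently turn it off. :)
let $config := admin:database-set-data-encryption($config, xdmp:database("Documents"), "on")
return admin:save-configuration($config)

(: === Query 2 (alternative to the keystore line above): hand key custody to an external
   KMS over KMIP, so no MarkLogic admin ever holds the keys. Only switch once the KMIP
   endpoint is reachable from every host and its client certificates are installed,
   otherwise the cluster cannot open its own data. === :)
xquery version "1.0-ml";
import module namespace admin = "http://marklogic.com/xdmp/admin"
  at "/MarkLogic/admin.xqy";
let $config := admin:get-configuration()
let $config := admin:cluster-set-keystore-kms-type($config, "external")
let $config := admin:cluster-set-keystore-host-name($config, "kms.example.internal")  (: assumed :)
let $config := admin:cluster-set-keystore-port($config, 5696)                         (: KMIP default :)
return admin:save-configuration($config)

(: === Query 3: which databases are encrypted right now? === :)
xquery version "1.0-ml";
import module namespace admin = "http://marklogic.com/xdmp/admin"
  at "/MarkLogic/admin.xqy";
let $config := admin:get-configuration()
for $db in admin:get-database-ids($config)
return fn:concat(xdmp:database-name($db), ": ", admin:database-get-data-encryption($config, $db))
```

Two operational caveats that follow from the slides: with the internal keystore the wallet is the only way back to the data, so back it up (and its passphrase) somewhere that is not the same disk before you enable anything; and enabling encryption applies to data as it is written, so existing stands are only rewritten encrypted when they are merged or reindexed, which means a freshly enabled database is not yet fully encrypted on disk.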
SLIDE: 40
Backup confidentiality and integrity
Encryption Protects Data Backup and Restore
- Backup can be encrypted with a Passphrase, the Cluster Level Encryption Key, or the External KMS Backup Key Encryption Key (BKEK)
- Restore with Passphrase – fully self-contained, for safe sharing to another system
- Restore with Cluster Level Key – keys held in local wallet, for restoring a local cluster after data loss
- Restore with External KMS BKEK – keys in KMS, for restoring a local cluster after data loss when a KMS is in use
[Diagram: disk storage and file system are protected; decryption happens in the database; DBA, Sys Admin and Security Admin are separate roles]
SLIDE: 41
External KMS validation
External key management has been validated against: SafeNet, Vormetric, Thales, Fornetix, nCipher
SLIDE: 42
Advanced Encryption – for HA/DR
SLIDE: 43
The advanced security license option includes three features:
1. External key management
2. Redaction
3. Compartment security
Advanced Security
SLIDE: 44
MarkLogic Data Hub Service architecture
SLIDE: 45
There are three pre-defined roles managed in the portal cluster:
- Account admin – bootstrapper, full access, assigns people to other admin roles, billing
- Security admin – controls the network, LDAP, users; once created can prevent account admin from having this ability
- Service admin – controls the service, deploy code, load docs, run flows
Admin roles
SLIDE: 46
Data Hub roles
Data Hub Service wraps around the Data Hub
The Data Hub provisions roles as part of its deployment
Security admin can use these roles or create new roles (that inherit from one of these)
- Flow developer: can upload new/changed documents (e.g. flows) to the modules database
- Flow operator: load and modify data in the staging database and final database, call flow runner
- Endpoint developer: has access to endpoints and the final documents, can add documents to the modules database
- Endpoint operator: has access to endpoints
- ODBC: has access to the analytics stack that has an ODBC server
- Service Admin: can create and modify the service
- Account Admin: can see billing, account details
- Security Admin: can assign the DHF roles to other roles, and create vanilla roles
SLIDE: 47
Definition: VPC
VPC – a virtual private cloud
- A virtual network dedicated to your AWS account
- VPC peering connects two VPCs, which may belong to different accounts, so traffic between them stays off the public internet
- MarkLogic sets up the VPC peering based on the configuration set up in the portal
SLIDE: 48
Data Hub Service – deployment
[Diagram: a Portal VPC holding the Portal Cluster and an Ops Director Cluster (ML Ops, Security Admin); one or more DHS Clusters, each in its own Service VPC (single cluster), joined by VPC Peering to the Customer VPC; the Customer LDAP supplies the users with doc permissions; roles shown are App developer, Flow developer, Endpoint Developer, Service Admin, Account Admin, Security Admin and Operator; AWS IAM, HSM and KMS back the service]
SLIDE: 49
Data Hub Service certifications
Some enterprises and gov’t agencies require certain security certifications
Certifications are based on assessments conducted by third parties
MarkLogic is pursuing SOC 2 Type 2 and NIST 800-53 certifications
NIST 800-53 covers the common controls required for FedRAMP, HIPAA, FDA 21 CFR, and others
SLIDE: 50
Get started with Data Hub Service: Cloud service that deploys in minutes with predictable, low cost
SLIDE: 51
Key Takeaways
SLIDE: 52
Resources
MarkLogic University: On-demand and instructor-led classes
- https://www.marklogic.com/learn/university/
- Hands-on security workshop tomorrow! (Space is limited)
Business/Security White Paper:
1. Top Concerns When Integrating Data
https://www.marklogic.com/resources/top-data-security-concerns-integrating-data/
SLIDE: 53
Resources
Tech/Security White Papers:
1. Building Security Into MarkLogic
https://www.marklogic.com/resources/building-security-marklogic/
2. Developing Secure Application on MarkLogic
http://www.marklogic.com/resources/developing-secure-apps/marklogic/resource_download/whitepapers/
3. Deploying MarkLogic Securely
http://www.marklogic.com/resources/deploying-MarkLogic-securely/resource_download/whitepapers/
SLIDE: 54
Q&A
SLIDE: 55
Thank you