Webinar - Keeping Your Data Safe in Couchbase Using Gazzang
DESCRIPTION
Data in Couchbase Server may contain either sensitive, protected information or key intellectual property. Sensitive data comes in many forms: names, addresses, medical records, school transcripts, buying habits, credit card numbers, corporate intellectual property. Typically, this information is distributed throughout the cluster, which calls for the underlying data files to be protected. Gazzang for Couchbase offers a powerful, policy-driven solution that enables you to encrypt your data stored in Couchbase Server. In this webinar you'll see:
• An overview of Couchbase Server
• The main use cases for data encryption and key management
• An overview of Gazzang zNcrypt and Gazzang zTrustee
• How to ensure your security solution integrates seamlessly with Couchbase without impacting performance
• What you need to get started
• A demo of how Gazzang works in Couchbase
TRANSCRIPT
Introduction to Couchbase
Couchbase Server: NoSQL Document Database
Couchbase Open Source Project
• Leading NoSQL database project focused on distributed database technology and surrounding ecosystem
• Supports both key-value and document-oriented use cases
• All components are available under the Apache 2.0 Public License
• Obtained as packaged software in both enterprise and community editions.
• Easy Scalability: Grow cluster without application changes, without downtime with a single click
• Consistent High Performance: Consistent sub-millisecond read and write response times with consistent high throughput
• Always On 24x365: No downtime for software upgrades, hardware maintenance, etc.
• Flexible Data Model: JSON document model with no fixed schema.
Couchbase Server
Couchbase Server Architecture
[Diagram: Couchbase Server Architecture, split into Data Manager and Cluster Manager]
• Cluster Manager (Erlang/OTP): Heartbeat, Process monitor, Global singleton supervisor, Configuration manager, Rebalance orchestrator, Node health monitor, vBucket state and replication manager, REST management API/Web UI (http). Components are labelled "on each node" or "one per cluster".
• Data Manager: Query Engine, Moxi, Memcached, Couchbase EP Engine, storage interface, New Persistence Layer
• Ports: 8091 HTTP; 4369 Erlang port mapper; 21100 - 21199 Distributed Erlang; 11210 Memcapable 2.0; 11211 Memcapable 1.0; 8092 Query API
Couchbase Server Architecture
[Diagram: simplified view, split into Data Manager and Cluster Manager]
• Cluster Manager (Erlang/OTP): Replication, Rebalance, Shard State Manager; REST management API/Web UI (http); 8091 Admin Console
• Data Manager: Object-managed Cache; Multi-threaded Persistence Engine; Query Engine; 11210 / 11211 Data access ports; 8092 Query API
Couchbase Operations
Single node - Couchbase Write Operation
[Diagram labels: App Server, Couchbase Server Node, Managed Cache, Replication Queue (to other node), Disk Queue, Disk; document shown: Doc 1]
Single node - Couchbase Update Operation
[Diagram labels: App Server, Couchbase Server Node, Managed Cache, Replication Queue (to other node), Disk Queue, Disk; documents shown: Doc 1 and Doc 1’]
Single node - Couchbase Read Operation
[Diagram labels: App Server, Couchbase Server Node, Managed Cache, Replication Queue (to other node), Disk Queue, Disk; request shown: GET Doc 1]
Single node – Couchbase Cache Miss
[Diagram labels: App Server, Couchbase Server Node, Managed Cache, Replication Queue (to other node), Disk Queue, Disk; documents shown: Doc 1 to Doc 6; request shown: GET Doc 1]
Basic Operation
• Docs distributed evenly across servers
• Each server stores both active and replica docs
  - Only one server active at a time
• Client library provides app with simple interface to database
• Cluster map provides map to which server doc is on
  - App never needs to know
• App reads, writes, updates docs
• Multiple app servers can access same document at same time
[Diagram: COUCHBASE SERVER CLUSTER, User Configured Replica Count = 1; App Servers 1 and 2, each with Couchbase client library and cluster map, READ/WRITE/UPDATE docs on Servers 1 to 3, each holding ACTIVE and REPLICA docs]
Add Nodes to Cluster
• Two servers added
  - One-click operation
• Docs automatically rebalanced across cluster
  - Even distribution of docs
  - Minimum doc movement
• Cluster map updated
• App database calls now distributed over larger number of servers
[Diagram: COUCHBASE SERVER CLUSTER, User Configured Replica Count = 1; App Servers 1 and 2, each with Couchbase client library and cluster map, READ/WRITE/UPDATE docs on Servers 1 to 5, each holding ACTIVE and REPLICA docs]
Fail Over Node
• App servers accessing docs
• Requests to Server 3 fail
• Cluster detects server failed
  - Promotes replicas of docs to active
  - Updates cluster map
• Requests for docs now go to appropriate server
• Typically rebalance would follow
[Diagram: COUCHBASE SERVER CLUSTER, User Configured Replica Count = 1; App Servers 1 and 2, each with Couchbase client library and cluster map; Servers 1 to 5, each holding ACTIVE and REPLICA docs]
Indexing and Querying
• Indexing work is distributed amongst nodes
• Large data set possible
• Parallelize the effort
• Each node has index for data stored on it
• Queries combine the results from required nodes
[Diagram: COUCHBASE SERVER CLUSTER, User Configured Replica Count = 1; App Servers 1 and 2, each with Couchbase client library and cluster map; a Query across Servers 1 to 3, each holding ACTIVE and REPLICA docs]
Couchbase Server – San Francisco
SERVER 3SERVER 1 SERVER 2
Couchbase Server – New York
Per replication Tunable Parameters
Cross Data Center Replication (XDCR)
Active – Active Replication
Hot Standby
Couchbase Server Security
Couchbase Buckets – Semi-synonymous with “database”
Accessing Buckets
• Using SASL Authentication
• Authentication uses SASL CRAM-MD5, a challenge-response mechanism
Gazzang for Couchbase Server
Couchbase Connectors Page - http://www.couchbase.com/couchbase-server/connectors/gazzang
Gazzang for Couchbase Datasheet - http://www.couchbase.com/sites/default/files/uploads/all/datasheets/Gazzang-Couchbase_Datasheet.pdf
About Gazzang
• Headquartered in Austin, Texas
• Focus on high-performance data-at-rest encryption and key management
• Specialize in securing cloud and big data environments
• Key vertical industries: financial services, healthcare, retail, government, education, technology
• Featured as a Couchbase Server Connector
What we hear from our customers
• “I need to protect sensitive data in my cloud”
  - Ensure sensitive data and encryption keys are never stored in plain text nor exposed publicly
  - Maintain compliance (HIPAA, PCI, SOX, FERPA, etc.) and meet customer expectations for data security
• “Help me secure my Big Data infrastructure”
  - Harden Big Data infrastructures that have relatively weak security and little cryptographic protection
  - Maintain Big Data performance and availability
• “I need to maintain control of my keys”
  - Manage the rapid growth of key, certificate, token proliferation caused by Big Data/cloud/Industrial Internet
  - Bring sensitive digital artifacts under a consistent set of controls and policies
• “My cloud provider should not have access to my data”
  - Deploy multi-factor authentication in the cloud
  - Establish and enforce robust access controls for sensitive objects
11/14/2013
Gazzang - All rights reserved 2012
Gazzang Encryption
Gazzang zNcrypt™ sits between the file system and any database, application or service running on Linux to encrypt data before it’s written to the disk.
• AES-256 encryption
• Process-based ACLs
• Maximum performance
• Enterprise scalability
• Packaged support for Couchbase Server and other big data platforms
• Keys protected by Gazzang zTrustee™
Gazzang - All rights reserved 2013 Confidential – Internal Use Only
Gazzang Key Management
Gazzang zTrustee™ is a “virtual safe-deposit box” for managing zNcrypt keys or any other digital artifact that must be secure and policy controlled
• Software-based solution separates keys from encrypted data
• Centralized management of SSL certificates, SSH keys, tokens, passwords and more
• Unique “trustee” and machine-based policies deliver multifactor authentication
• Integration with HSMs from Thales, RSA and SafeNet
• Multiple deployment options include on-prem or hosted SaaS offering

• Time to live
• Number of retrievals
• URL
• Trustee approval
• Client
• Much more
Trustees must approve release of objects in accordance with the deposit policy
• Trustee votes
• Time to live
• Retrieval limits
• Single-use URL
• Client permissions
API Library
• Java
• Python
• C library
Key Differentiators
• Simple, powerful solutions supporting a broad range of use cases
• Fast, easy deployments
  - Install and configure using standard DevOps tools e.g. Chef, Puppet
  - No application or storage configuration changes required
• Low performance impact
• Virtual safe deposit box for any critical digital asset
• Built for Big Data, architected for cloud deployments, protects any Linux application
Questions?
[email protected] @anilkumar1129
Download Couchbase Server 2.2 http://www.couchbase.com/download
Visit www.gazzang.com/solutions/securing-big-data for more information