This presentation discusses securing databases in the cloud. It begins with an overview of cloud infrastructure and open-source products like MySQL, PostgreSQL, MongoDB, and Hadoop. It then covers security risks to data in the cloud from threats like insecure cryptographic storage and attacks on file systems. Methods for protecting databases are discussed, including access controls, encryption, and key management solutions. The presentation concludes by describing how a product called ezEncrypt provides transparent encryption to securely store data.

1. LAMySQL/LAPHP Talk:Securing Open-Source Databases in the Cloud Mike Frank, Director of Products

2. Session Agenda Cyber-security fears and the risks to your data in the cloud Overview of cloud and virtualized infrastructures, open-source products, and security applications Methods for protecting databases 7/21/2011 2

3. Like everything The cloud has both Rewards And Concerns 7/21/2011 3

4. The Cloud Rewards Scalable (Up or down) Agile – Quick to Market Service Oriented Pay as you go – like a “utility” Cost sharing / benefits SLA driven – HA Provides built in “automation” – APIs, tools, etc. Maintenance 7/21/2011 4

5. The Cloud Concerns Information Security Privacy Data Location Data Migration Legal 7/21/2011 5

6. The Cloud is the Same Components are like any other IT assets. computing resources used to do a job must be monitored and managed Different Controlled and monitored through the APIs / Tools available from the cloud provider. Can’t get “under the hood” 7/21/2011 6

7. Enterprise Cybersecurity Fears and the Risks to Data in Clouds 7/21/2011 7

8. What is DATA is vulnerable? Its all about DATA DIRECT - Real actual data Via various services – web, database,… In the end it resides in files and utimately on storage INDIRECT - Data that points to or protects data Usernames and Passwords Keys Configuration files or code for services and applications Hypervisor Images Firewalls Web Servers Middleware servers Data Caching Servers/Services Database Servers Applications 7/21/2011 8

9. Threat Agents Internal Company executives, Employees, Independent contractors, Interns Former Employees External Lone hackers, Organized crime, and Government entities Partners Third party sharing a business relationship Suppliers, Vendors, Hosting Providers, Outsourced IT support, etc. Business partners 7/21/2011 9

10. Added Risks - In the Cloud These risks are accentuated Data is more distributed Its in “Cloud Storage” Its in server “images” More “elastic” It moves around Its transient Servers going up and down Its on the Cloud Server Public, Hybrid, Private, Private Managed, etcetcetc APIs to “control” Or within a Hosted Service 7/21/2011 10

11. Added Threat Agents - In the Cloud There are more And they hit your public cloud server immediately Just launch a new cloud server with monitoring on Attacks occur immediately They might be “closer” In the same cloud On the same hardware, network, hypervisor On the same storage systems You have less control More “managed” Some Cloud utilities have OS Server User Access More unknown resources 7/21/2011 11

12. User Privileges Users typically have plenty to get the data Just taking advantage of privileges granted to them Don’t even need to be root Suspect in the cloud this is more so the case More with powerful privileges Not as well managed in many cases 7/21/2011 12

13. Main Attack Methods for Breaches Remote Access Services Backdoor or control channel Web Application Network File Sharing Majority of data is from Servers Followed by user devices 7/21/2011 13

14. Attack Vectors and Data Protection Get OS login access Get access to files on storage Network Injection Not as important as it once was Buffer Overflows Not as important as it once was Social Engineering Code Malware, viruses, trojans, etc. 7/21/2011 14

15. Overview of cloud infrastructure, open-source products, and security applications 7/21/2011 15

16. Open-Source and the Cloud Currently majority of cloud is Open Source Linux Based Apache Based Databases MySQL – 90% of databases PostgreSQL - surging NoSQL / Big Data coming on strong MongoDB Cassandra Hadoop And more Other components Solr, Sphinx 7/21/2011 16

17. Open Source Security Opinions Thinking is different from commercial Fewer requests from community of end users Less effort put into installers / configuration tools And more need to have users get started easily Less time spent on security (or has been) Preference is for functional things – like performance Expectation for OS or Applications to provide security Delineated boundaries Adding security features breaks things Security takes time – products are typically younger Or security features may be “add ons” Defaults are less secure 7/21/2011 17

18. This discussion focuses “below the yellow line” 7/21/2011 18 Data in File System ----------------- Local Or Network/Cloud File Storage

19. Insecure direct object reference The problem - attackers: Manipulate direct object references Use to gain unauthorized access to other objects. URLs or form parameters contain references to objects such as files, directories, database records or keys. 7/21/2011 19

20. Insecure cryptographic storage But: All to often Web devs don’t encrypt sensitive data OR Encryption is present but poorly designed Leads to disclosure of sensitive data How to protect : Use good technology / design patterns AES, RSA public key cryptography, and SHA-256 Generate keys offline Only transmit keys over secured communications 7/21/2011 20

21. Data in File System How, Where, Why is this “Vulnerable”? Filesystem within the OS – from an “OS user” Whether from a shell or other method Communications network Electronic eavesdropping – files and keys Storage communications Electronic eavesdropping Virtual Images Active or inactive Other access to the storage Physical storage device 7/21/2011 21

22. Per OSS DB Product – What to “Protect” 7/21/2011 22

23. MySQL The files for InnoDB tables (tablespace) or MyISAM User schemas but also things like my.user Logs Query Files - log=/var/log/mysql-queries.log Bin Log Configuration Files – may contain user/pass my.cnf master.info Other “client” configs (ie used by mysqldumpetc) Backup Files/Exports Whether hot,cold, warm, or logical (mysqldump) 7/21/2011 23

24. Postgres Tablespace Protect the directory and all the files for a tablespace Logs Is log_statement TRUE Encrypt the log file then And more important = See where its going Configuration Files – may contain user/pass Pg_hba.conf, pg_Ident.con, postgresql.conf, “client” configs - pgpass.conf Backup Files Whether hot,cold, warm, or some Logical or CDP 7/21/2011 24

25. MongoDB The data dir The dbpath e.g. /var/lib/mongodb/ Configuration Files – specify auth etc. --config Log Files Depending on what level is set Backup/Exports Where ever you direct your mongodump/bsondump Fsynv+lock – then copy Other – LVM etc 7/21/2011 25

26. Cassandra Data Files /var/lib/cassandra/data/<keyspace>/… Configuration Files cassandra.yaml -Dpasswd.properties=conf/passwd.properties -Daccess.properties=conf/access.properties Logs conf/log4j-server.properties Backup Files /var/lib/cassandra/data/mykeyspace/backups/ /var/lib/cassandra/data/mykeyspace/snapshots/ 7/21/2011 26

27. Hadoop From CDH3 doc Hadoop'scurrent threat model assumes that users cannot: Have root access to cluster or shared client machines. But someone will have root access or other access Note: Various “flavors” and variance at this level But still need to protect Data Files Config files hdfs-site.xml 7/21/2011 27

28. Overview of cloud infrastructure, open-source products, and security applications 7/21/2011 28

29. Linux Tools IP Tables / Netfilter Linux Kernel Firewall Host based AppAmor / SELinux Restrict the actions that installed software can take Add Roles and Policy Concept Seldom enabled 7/21/2011 29

30. Encryption tools Network - OpenSSL File – mcrypt, OpenSSL Filesystem based encryption – ecrypfts Dm-crypt – block based device encryption Note: Each represents just one component in a comprehensive set of mechanisms to protect the confidentiality of your data. 7/21/2011 30

31. Clouds Security Tools Can provide not just servers but also Firewalls Load Balancers Dedicated Firewalls Dedicated servers and storage Firewalls with options like Stateful inspection, IDS, AV, SSL, IPsec VPN, and more Encrypted Cloud Storage Block storage – at the FS mount level Or API level Still need to protect and manage the Keys 7/21/2011 31

32. Methods for protecting data: considering the pros and cons 7/21/2011 32

33. AS-IS for Linux OS Users And especially ROOT Can Read and Copy Data Files

34. Open Source Databases Don’t Protect Files With encryption - MySQL doesn’t The thief Has your data Copy a file and you have the data

35. On the cloud the data is either In the Hypervisor Image Hypervisor Image

36. Or a mounted data store Hypervisor Image Cloud Storage Storage volumes that can be attached to a running instance and mounted as a device within the instance. Examples – Amazon EC2, vCloud VMFS or NFS

39. Doesn’t protect data at rest etc.

41. Not stored on in the local or mounted filesystem

43. How ezNcrypt is Different Provides on-disk encryption architecture Application and process transparency Key is kept outside of the database schema Database or table-level encryption available Also its not just for databases Rules based – ACLs from Process to File for TDE Towards “Zero Trust”

44. Use Cases for Database Encryption Export of virtualized database machines Lost or stolen hardware Compliance Requirements PCI compliance with customer data HIPAA compliance with protection of medical records Other government agency compliance Safeguard personnel records Protect data from privileged access users

45. GazzangsezNcrypt Its AES Encrypted The file is worthless to the Thief If root copies a file and then all they have is an encrypted file

47. Owner

48. Location

50. Store 4. The key is encrypted with a one time use secret and sent over SSL 5. The authenticity of ezNcrypt is verified *provisional patent 3. ezNcrypt calls KSS to store the master key 2. The passphrase and salt or RSA key is used to protect the server and all the file keys 6. The key is safely stored KSS Key Storage System 1. Each individual file is encrypted with a unique and random key

51. 4. The key is encrypted with a one time use secret and sent over SSL 2. The authenticity of ezNcrypt is verified *provisional patent 1. ezNcrypt calls KSS to retrieve the master key 5. The Master Key is loaded into the keyring 3. The key is extracted KSS Key Storage System 6. Each individual file is unlocked with the master key Retrieve

52. Summary There are risks and rewards in the cloud By using a secure platform additional cloud security risks are greatly reduced and rewards recognized Thank you for your time Mike Frank – mike.frank@gazzang.com 7/21/2011 47