Big Data Security (ChinaNetCloud - Guiyang Conference)

Post on 30-Jul-2015


Transcript of Big Data Security (ChinaNetCloud - Guiyang Conference)

Security for Big Data Systems

By Steve Mushero, May 2015

Build & Manage Servers / Optimize & Manage Servers / Manage Cloud Servers. Copyright © 2015 ChinaNetCloud

Running the World’s Internet Servers www.ChinaNetCloud.com

We have lots of data

We get data from everything

From Every Part of Life

How to protect it?

How to protect it? Like Gold!

Protecting Gold – Safes

Protecting Gold – Vaults

Protecting Gold – Banks

Protecting Gold – Forts

Those risks were physical

Today’s Risks are Digital

Gold Thieves Arrive by Car with Guns

Data Thieves Arrive by Cable

From Anywhere

By Anyone

Data Risks?

Data Risks? – Types

Risk Types – Stolen Data

Risk Types – Tampered Data

Risk Types – Privacy

Risk Areas – Collecting Data

Risk Areas – Processing Data

Risk Areas – Storing Data

Risk Paths – Outsiders (Hackers)

Risk Paths – Insiders (Employees)

Risk Paths – Sys Admins (Privileged Users)

What to do?

Securing Data – Difficult & Frustrating

How to Secure it?

How to Balance Security vs. Usability?

Usability (Features, Performance, Convenience) vs. Security

Every part should be good

Every part should be good – Weakest Link

4 Security Zones

• Gathering Data
• Processing Data
• Storing Data
• Infrastructure

4 Security Zones – Gathering

Gathering & Ingesting Data

• Secure gathering
• Personal Identifying Info (PII)
• Anonymisation

Data migration / ETL junctions

• Secure Systems
• Process Validation

4 Security Zones – Processing Data

Processing Data

Processing Data – Two parts

• Processing Data
  • Map Reduce
  • Consolidating
  • Summarizing
  • Usually Hadoop
• Presentation
  • Website
  • Report
  • Interactive

Securing Hadoop

• Poor Authentication
  • Users & Services
• No privacy
• No Integrity
• Arbitrary Code Exec
• Exploits Exist
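One way to check a cluster for the first three weaknesses this slide names (default "simple" authentication, no RPC privacy, no RPC integrity), as an added example that is not part of the original deck: it reads the real core-site.xml property names hadoop.security.authentication, hadoop.security.authorization and hadoop.rpc.protection, and treats a missing property as Hadoop's (weak) default. The two sample config files below are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a default cluster (no Kerberos, no RPC protection).
INSECURE_CORE_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://namenode:8020</value></property>
  <property><name>hadoop.security.authentication</name><value>simple</value></property>
  <property><name>hadoop.security.authorization</name><value>false</value></property>
  <property><name>hadoop.rpc.protection</name><value>authentication</value></property>
</configuration>"""

# Constructed sample: the same cluster after hardening.
HARDENED_CORE_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://namenode:8020</value></property>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.security.authorization</name><value>true</value></property>
  <property><name>hadoop.rpc.protection</name><value>privacy</value></property>
</configuration>"""

# A property that is absent takes Hadoop's default, which is the weak value in each case.
DEFAULTS = {
    "hadoop.security.authentication": "simple",   # users/services are not really authenticated
    "hadoop.security.authorization": "false",     # no service-level ACLs
    "hadoop.rpc.protection": "authentication",    # RPC bodies are neither signed nor encrypted
}

def parse_hadoop_xml(xml_text):
    """Return {name: value} for every <property> in a Hadoop-style XML config."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props

def find_weaknesses(props):
    """Map the slide's weaknesses to the settings that cause them; empty list means hardened."""
    cfg = {**DEFAULTS, **props}
    findings = []
    if cfg["hadoop.security.authentication"] != "kerberos":
        findings.append("poor authentication: hadoop.security.authentication=%s" % cfg["hadoop.security.authentication"])
    if cfg["hadoop.security.authorization"].lower() != "true":
        findings.append("no service authorization: hadoop.security.authorization=%s" % cfg["hadoop.security.authorization"])
    if cfg["hadoop.rpc.protection"] != "privacy":
        # 'integrity' only adds checksums; 'privacy' gives both integrity and confidentiality
        findings.append("RPC not private: hadoop.rpc.protection=%s" % cfg["hadoop.rpc.protection"])
    return findings
```

Running find_weaknesses(parse_hadoop_xml(...)) over each file in a cluster's config directory gives a quick audit of the three slide items; authorization ACLs and data-transfer encryption still need their own checks.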

Web Code – OWASP Resources

• Info
• Guides
• Tools

http://owasp.org.cn

Code – OWASP Top 10

Key Points
• A1 – Injection
• A2 – Auth & Session Mgmt
• A3 – XSS
• A7 – Function ACLs
• A8 – CSRF
• A9 – Insecure Components

http://owasp.org.cn

Processing Code – App Scanning

• Best practice
• Find new problems
  • As you update
  • Third parties
  • New exploits

4 Security Zones – Storing Data

Storing Data – Key Protection Point

• Easy to Steal
  • From DBMS
  • From Storage
• Privacy Also an Issue

Storing Data – Two Levels

• DBMS Level
  • Oracle, MySQL, etc.
  • Operational Security
  • Users, Config, etc.
  • PII Separation / Sharding
• Disk / SAN Level
  • Encrypt at Rest
  • Careful configuration
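The "PII Separation" point on this slide and the "Anonymisation" step from the Gathering & Ingesting Data slide, carried through in one added example (not code from the deck): at ingestion each record's identifying fields are replaced by a keyed HMAC token, the identities go to a separate vault destined for the encrypted-at-rest store, and the analytics side can be checked for leaks. The field names, sample events and key are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample events as a collector might deliver them (field names are assumptions).
RAW_EVENTS = [
    {"user_email": "alice@example.com", "phone": "+86-138-0000-0001", "page": "/cart", "ms": 120},
    {"user_email": "bob@example.com", "phone": "+86-138-0000-0002", "page": "/home", "ms": 80},
    {"user_email": "alice@example.com", "phone": "+86-138-0000-0001", "page": "/pay", "ms": 300},
]
PII_FIELDS = ("user_email", "phone")            # what must never reach the analytics side
INGEST_KEY = b"constructed-demo-key-rotate-me"  # a real key lives in a KMS/HSM, not in code

def pseudonym(key, value):
    """Stable per-user token: HMAC-SHA256 of the identifier under a secret key.
    Unlike a plain SHA-256, someone holding only the analytics data cannot
    recover emails by hashing a list of guesses, because they lack the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:32]

def ingest(key, events):
    """Split each event into an analytics record (PII replaced by a token) and a
    vault entry keyed by that token. Returns (analytics_records, pii_vault); the
    vault is what goes to the separately secured, encrypted-at-rest store."""
    analytics, vault = [], {}
    for ev in events:
        token = pseudonym(key, ev["user_email"])
        record = {k: v for k, v in ev.items() if k not in PII_FIELDS}
        record["user_token"] = token
        analytics.append(record)
        vault.setdefault(token, {k: ev[k] for k in PII_FIELDS if k in ev})
    return analytics, vault

def leaked_pii(records):
    """Names of PII fields that survived into the analytics records (should be empty)."""
    return sorted({k for rec in records for k in rec if k in PII_FIELDS})

def erase_user(vault, key, email):
    """Erasing the vault entry leaves that user's analytics rows anonymous."""
    return vault.pop(pseudonym(key, email), None) is not None

def sessions_per_user(records):
    """A downstream summary that works on tokens alone, without touching the vault."""
    counts = {}
    for rec in records:
        counts[rec["user_token"]] = counts.get(rec["user_token"], 0) + 1
    return counts
```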

4 Security Zones – Infrastructure

Infrastructure – Cloud & Servers

• Services
• Servers & OS
• Cloud
• Network

Cloud & Servers – Love & Respect Them

• Often forgotten
• Often use defaults
• Or random Google search
• Source of great danger

Infrastructure – Many Parts & Layers

• Internet
• Firewalls
• Web/App Servers
• Database
• OS
• Servers / Cloud

Firewall & WAF (Web App Firewall)

• Protect Networks
• Protect Application Code
  • OWASP basics
  • SQL, XSS

Under Your Application – Server & OS

• Hardened OS
• Iptables
• Run Users
• File permissions
• Logging
• Scanning (ClamAV)
• Track activity
• Automate
• System Updates

Under Your Application – Cloud

• Best Practices
• Control Access
  • Can delete EVERYTHING
• Use Cloud Security Features

Audit is also Important

Deep Check to Find Problems

Tools – InfoSphere Guardium

Summary

• Security is Critically Important
• Big Data is Vulnerable
• Hard to Do Well
• But more Tools
• Details & Experts Help

Thank you!

Thanks from ChinaNetCloud

Pioneers in OaaS – Operations as a Service

ChinaNetCloud Sales@ChinaNetCloud.com
www.ChinaNetCloud.com

Beijing Office:
Lee World Business Building #305
57 Happiness Village Road, Chaoyang District
Beijing, 100027 China

Silicon Valley Office:
California Avenue
Palo Alto, 94123 USA

Shanghai Headquarters:
X2 Space 1-601, 1238 Xietu Lu
Shanghai, 200032 China
T: +86-21-6422-1946 F: +86-21-6422-4911