Securing Couchbase for Your Enterprise – Connect Silicon Valley 2017
TRANSCRIPT
Confidential and Proprietary. Do not distribute without Couchbase consent. © Couchbase 2017. All rights reserved.
SECURITY
Couchbase Server 5.0 & Couchbase Mobile 2.0
WHY SECURITY?
The Net is Dark and Full of Terrors
Recent Security Breaches
• WannaCry Ransomware (May 2017)
• Wikileaks CIA Vault 7 (March 2017)
• Cloudflare Cloudbleed (Feb 2017)
• MongoDB hack (Jan 2017)
• Equifax (Sept 2017)
• DocuSign (May 2017)
• Verizon (July 2017)
• Deloitte (Sep 2017)
• Securities and Exchange Commission (SEC) (Sep 2017)
REVIEW | SECURITY CAPABILITIES
A quick refresher
Security – A Major Question at Different Levels
[Diagram labels: Users, Outside Network, External Firewall, Perimeter Network, Web Server, Internal Firewall, Internal Network, Application Server, COUCHBASE CLUSTER; levels: Applications, Infrastructure, Data, Users]
Defense in Depth: Layered approach to customer environment
• Facility: Physical controls, video surveillance, access control
• Network perimeter: Edge routers, firewalls, intrusion detection, vulnerability scanning
• Internal network: Intrusion detection, vulnerability scanning
• Host: Access control and monitoring, anti-malware, patch and configuration management
• Application: Secure engineering (SDL), Access Control, security monitoring, anti-malware
• Admin: Account Management, training and awareness, screening
• Data: Authorization, Data Encryption, Data Masking, Secret Management
Security Pillars in Couchbase
Authentication
• App/Data: SASL AuthN
• Admin: Local or LDAP
• PAM Authentication (4.6)
Authorization
• Local Admin User
• Local Read-Only User
• RBAC for Admins
• RBAC for Applications (5.0)
Crypto
• TLS admin access
• TLS client-server access
• Secure XDCR
• X.509 certificates for TLS
• Data-at-rest Encryption*
• Field-level Encryption*
• Secret Management (4.6)
Auditing
• Admin auditing
Operations
• Security management via UI/CLI/REST
* Via third-party partners
Couchbase addresses Security concerns for the full stack
[Diagram: Client Tier (Mobile Client, Web Client, Desktop Client), Middle Tier (Web Services), Data Tier (Database), connected over Internet and Intranet; components COUCHBASE LITE, SYNC GATEWAY, COUCHBASE SERVER]
1. Local Storage: Full Database AES-256 Encryption
2. Secure Transport Over Wire
3. Pluggable Authentication
4. User and Role Based Data Access Control
5. Secure Data Storage in the Cloud with Partner Solutions
Authentication
Authentication Domains
Internal (local): internal users managed by Couchbase
• Challenge-response
• User management (New)
Cluster Authentication
• Shared Erlang token
External: external users managed by 3rd party Identity Management System
• LDAP integration
• Pluggable Authentication Modules (PAM)
Pluggable Authentication Modules (PAM) in Couchbase 4.6
• Allows UNIX local accounts to authenticate as Couchbase administrators
• Pluggable authentication architecture that is policy driven
Centralized Management: Centralized and synchronized administrator account management using UNIX user management services
Security Policy Enforcement: Allows configuration of strong security policies such as strong password requirements
Authorization
Authorization for Admins
• Role based access control for Administrators
Authorization for Apps
• RBAC for applications (New)
Role-Based Access Control (RBAC) for Administrators
Role-Based Access Control (RBAC) allows you to specify what each admin can access in Couchbase through role membership.
• Regulatory Compliance: A strong demand for applications to meet standards recommended by regulatory authorities
• Segregation of Admin Duties: Not every admin has all the privileges. Depending on the job duties, admins can hold only those privileges that are required.
• Security Privilege Separation: Only the full-admin has the privilege to manage security, and his/her actions can be audited just like those of other administrators.
RBAC for Administrators – How it works
• Administrative users can be mapped to out-of-the-box roles
• Roles pre-defined with permissions for specific resources
• Full Admin
• Cluster Admin
• Bucket Admin
• View Admin
• XDCR Admin
• Can work with internal and external users
Encryption
On-the-wire Encryption
• TLS between client and server
• TLS between datacenters using secure XDCR
• X.509 CA Certificates for trusted encryption between client and server
On-Disk Encryption
• Volume and application level encryption through our trusted 3rd party partners (Vormetric, Protegrity, SafeNet)
• FIPS 140-2 compliant
Role Based Access Control
RBAC for Applications – New in 5.0
Role-Based Access Control (RBAC) for Applications
• Regulatory Compliance: A strong demand for applications to meet standards recommended by regulatory authorities
• Segregation of User Duties: Depending on the job duties, users can hold only those privileges that are required
• Locking Down Services: Depending on what the service is needed for, only those roles can be assigned
• Meet regulatory compliance requirements for data users and applications
• Simplified access control management for data and admin users across the cluster
RBAC Security Model
• NIST Model
• Scalable user accounts
• Fixed out-of-the-box data roles in 5.0
• 1:N User-to-role mapping
• Roles can be applied for specific buckets / across all buckets [*]
Privilege: A set of actions on a given resource, e.g. read documents on “foo” bucket
• Action: an operation, e.g. read, write, read metadata
• Resource: some system object that an action can be performed on, e.g. bucket, index, etc.
Role: A fixed grouping of privileges that defines the access given
User: A human user or service
High Level Process of Securing your Environment
• Secure the Perimeter and Layers:
• Identify the secure perimeter.
• Secure the perimeter via firewall rules
• Secure the full stack with appropriate procedures – OS, Database, Application
• Encrypt at Rest and in Transit:
• Encrypt all communication that traverses the secure perimeter
• Encrypt data on disk
• Control Access
• Limit access to the database and data and sensitive files (configuration, logs etc.)
• Leverage Couchbase-specific feature functionality to further enhance / augment the security at the database level (e.g. SSL, RBAC)
• Assess and further minimize your attack surface area.
WHAT’S NEW IN COUCHBASE 5.0?
Couchbase Server 5.0
New security capabilities
Authorization
Role Based Access Control for Applications
Authentication
X509 Certificate based authentication
RBAC
RBAC for users and applications
Data Access Compliance
Unique identities for users and apps
- Internally / Externally (LDAP, PAM) managed authentication domains
Segregated data access
- Roles for locking down access to data, query and full text services
- Roles that will allow users and services to only do their jobs and nothing more
Simplified Access Control
Built-in roles for data and admin access
- Simplified security management through roles not individual users
Centralized security management
- Full-admin can configure cluster-wide RBAC through UI, REST and CLI
RBAC for users and applications
N1QL GRANT and REVOKE statements
• GRANT a role to a user
• REVOKE a role from a user
• Distinct roles for each N1QL statement type
GRANT query_insert ON `travel-sample` TO don;
REVOKE query_insert ON `travel-sample` FROM jdoe;
New system catalogs for RBAC
• system:user_info
• system:my_user_info
• system:applicable_roles
User Management
Flexible User Management
• Internal and External authorization support
• Unique identities for data users and services
• REST and CLI configurable
• Seamless upgrades without application changes
• Scalable
New Roles for Data Service – RBAC in 5.0
• Data Reader: Read data from bucket
• Data Writer: Write data to bucket
• Data DCP Reader: Can read the DCP stream from bucket
• Data Backup: Can backup/restore the bucket
• Data Monitoring: Can monitor statistics for bucket
New Roles for Query Service – RBAC in 5.0
• Query Select: Can execute SELECT N1QL statement for bucket
• Query Update: Can execute UPDATE N1QL statement for bucket
• Query Insert: Can execute INSERT N1QL statement for bucket
• Query Delete: Can execute DELETE N1QL statement for bucket
• Query Manage Index: Can execute index management statements for bucket
• Query System Catalog: Can query system tables for bucket
• Query External Access: Can execute N1QL CURL statement
New Roles for Full Text Search Service – RBAC in 5.0
• FTS Admin: Can administer FTS service
• FTS Searcher: Can execute search queries for a bucket
Bucket Roles – RBAC in 5.0
• Bucket Full Access: Can administer FTS service
• Bucket Admin: Can execute search queries for a bucket
So, can I get a role that gives me the application behavior similar to pre-5.0?
Password Policy and Rotation
Policy and Rotation
• Simple password policy rules enforced when initially set or rotated
• Policy can be set using REST or CLI
• Password can be reset using UI, REST or CLI
Default Policy
{
  "enforceDigits": false,
  "enforceLowercase": false,
  "enforceSpecialChars": false,
  "enforceUppercase": false,
  "minLength": 6
}
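Added example (not part of the original deck): a small Python check that evaluates a password against a policy document using the keys shown in the default policy above, and reports what a policy leaves unenforced. The stricter policy, the review threshold and the definition of "special character" are assumptions made for illustration.

```python
import json
import string

# Default policy exactly as shown on the slide.
DEFAULT_POLICY = json.loads("""
{
  "enforceDigits": false,
  "enforceLowercase": false,
  "enforceSpecialChars": false,
  "enforceUppercase": false,
  "minLength": 6
}
""")

# Constructed stricter policy for comparison (illustrative values).
STRICT_POLICY = {
    "enforceDigits": True,
    "enforceLowercase": True,
    "enforceSpecialChars": True,
    "enforceUppercase": True,
    "minLength": 12,
}

# Assumption: "special" means ASCII punctuation; the server's exact set may differ.
CLASS_CHECKS = {
    "enforceDigits": lambda c: c in string.digits,
    "enforceLowercase": lambda c: c in string.ascii_lowercase,
    "enforceUppercase": lambda c: c in string.ascii_uppercase,
    "enforceSpecialChars": lambda c: c in string.punctuation,
}


def violations(password, policy):
    """Return the names of the policy rules that the password fails."""
    failed = []
    if len(password) < int(policy.get("minLength", 0)):
        failed.append("minLength")
    for rule in sorted(CLASS_CHECKS):
        is_member = CLASS_CHECKS[rule]
        if policy.get(rule, False) and not any(is_member(c) for c in password):
            failed.append(rule)
    return failed


def policy_gaps(policy, floor=8):
    """List what a policy does not enforce; `floor` is a constructed review threshold."""
    gaps = [rule for rule in sorted(CLASS_CHECKS) if not policy.get(rule, False)]
    if int(policy.get("minLength", 0)) < floor:
        gaps.append("minLength<%d" % floor)
    return gaps


if __name__ == "__main__":
    # "dougpassword" is the sample password used on the role-assignment slide.
    for name, policy in (("default", DEFAULT_POLICY), ("strict", STRICT_POLICY)):
        print(name, "gaps:", policy_gaps(policy))
        print(name, "dougpassword fails:", violations("dougpassword", policy))
```
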
Role Assignment – Using REST and CLI
Using REST
curl -X PUT http://localhost:8091/settings/rbac/users/local/doug-data-user \
  -u Administrator:password \
  -d "roles=data_reader[travel-sample]" \
  -d "password=dougpassword"
Using CLI
./couchbase-cli user-manage --set --rbac-username doug-n1ql-user \
  --rbac-password dougpassword --auth-domain local \
  --roles "data_reader[*], query_select[*]" \
  -c http://localhost:8091 -u Administrator -p password
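Added example (not part of the original deck): a Python sketch of the RBAC model described in these slides, where a role is a fixed grouping of privileges applied to one bucket or to all buckets with `[*]`. It parses the `role[bucket]` strings used in the REST and CLI calls above, answers allow/deny questions, and lists wildcard grants that could be narrowed. The action names are made up for this example and are not Couchbase permission identifiers; only bucket-scoped roles are handled.

```python
import re

# Illustrative role -> action mapping based on the role descriptions in the slides.
# The action names on the right are hypothetical labels for this example.
ROLE_ACTIONS = {
    "data_reader": {"data.read"},
    "data_writer": {"data.write"},
    "query_select": {"n1ql.select"},
    "query_insert": {"n1ql.insert"},
    "query_update": {"n1ql.update"},
    "query_delete": {"n1ql.delete"},
}

# One bucket-scoped role: name, then a bucket name or * in square brackets.
ROLE_SPEC = re.compile(r"^([a-z_]+)\[([^\[\]]+)\]$")


def parse_roles(spec):
    """Parse 'role[bucket], role[*]' into a list of (role, bucket) pairs."""
    grants = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        match = ROLE_SPEC.match(item)
        if match is None:
            raise ValueError("malformed role spec: %r" % item)
        role, bucket = match.groups()
        if role not in ROLE_ACTIONS:
            raise ValueError("unknown role: %r" % role)
        grants.append((role, bucket))
    return grants


def is_allowed(grants, action, bucket):
    """True when some granted role covers the action on that bucket or on '*'."""
    return any(
        action in ROLE_ACTIONS[role] and scope in ("*", bucket)
        for role, scope in grants
    )


def wildcard_grants(grants):
    """Roles granted across all buckets; candidates for narrowing to one bucket."""
    return [role for role, scope in grants if scope == "*"]


if __name__ == "__main__":
    # Role strings taken from the REST and CLI commands on the slide.
    data_user = parse_roles("data_reader[travel-sample]")
    n1ql_user = parse_roles("data_reader[*], query_select[*]")
    print(is_allowed(data_user, "data.read", "travel-sample"))   # read on granted bucket
    print(is_allowed(data_user, "data.write", "travel-sample"))  # write was never granted
    print(is_allowed(data_user, "data.read", "other-bucket"))    # different bucket
    print(wildcard_grants(n1ql_user))
```
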
GRANT/REVOKE statements in N1QL for RBAC
GRANT ROLE
GRANT ROLE data_reader(`*`) to doug
REVOKE ROLE
REVOKE ROLE data_reader(`*`) from doug
Web Console For Administrators and Developers
Who gets to log into the web console?
1. Administrators (Any administrator role)
2. Developers (Users who have one or more query roles)
AUTHENTICATION
Why Certificate Auth
Certificates are widely available across the enterprise infrastructure
• Stronger security by mutually authenticating the client and server
• Stronger non-repudiation guarantees for user actions
• Stronger crypto on the communication channel
• Users forget passwords, or may set a weak one. No easily cracked passwords!
High-Level Requirements
Deployment
• Each service can have its own certificate
• Multiple services can be co-located on the same app server
• Services on the same app host can talk to two different CB buckets
Certificate & CA
• Certificate should be in .pem format
• Certificates can be signed by intermediaries, which are then signed by the root CA
• Service certificates (client-certs) are signed by the same chain of trust, terminating at the root CA, as server certificates
• Certificates will be manually generated and loaded into Couchbase
Access Points
• Certificate based authentication is needed for memcached access
• Certificate based authentication is needed for N1QL and FTS access
• Certificate based authentication is needed for UI access
High-Level Requirements
AuthZ
• RBAC should be able to authorize users based on the details presented in the certificate
SDK Support
• Certificate support should be available in all Couchbase clients starting first with Java
Certificate Rotation
• Certificate rotation must be done completely online without disconnecting existing connections
The Handshake
Java Client
Server Certificate 4.5 (X.509 for trusted client-server encryption)
SDK Enhancements
New Password Authenticator Class
• Upgrade to latest SDK versions!
SDK Enhancements
Shorthand URI Approach
• Pre-5.0 approach assumes bucket with matching username
• Similar URI approach can be used with full bucket, user and password parameters
• Available for subset of libraries
• Not recommended, but available for ease of migration
Further reading...
• https://blog.couchbase.com/new-sdk-authentication/
• Minimal versions for 5.0 Beta SDK support: Java 2.4.5 – .NET 2.4.5 – Node.js 2.3.3 – Python 2.2.4 – PHP 2.3.2 – Go 1.2.3 – C 2.7.5
Big Data Connectors
• Configuration-wide username is now available
• Not limited to bucket passwords
• Kafka 3.1.3 (May 2017)
• Spark release pending – build from source
Security Overview - Couchbase Mobile 2.0
Typical 3-Tier architecture
[Diagram: Client Tier (Mobile Client, Web Client, Desktop Client), Middle Tier (Web Services), Data Tier (Database), connected over Internet and Intranet]
Security concerns for mobile applications
1. Data Storage on Device
• File System Encryption
• Data Encryption
• Key Rotation
• Offline Login
2. Data Transport on the Wire
• Secure Transport
3. Authentication
• Principal Instantiation
• Session Management
4. Data Access Control
• Read Access
• Write Validation
5. Data Storage in the Cloud
• File System Encryption
• Data Encryption
Security concerns across the full stack
[Diagram: Client Tier (Mobile Client, Web Client, Desktop Client), Middle Tier (Web Services), Data Tier (Database), connected over Internet and Intranet]
1. Local Storage
2. Transport Over Wire
3. Authentication
4. Data Access Control
5. Data Storage in the Cloud
Couchbase addresses Security concerns for the full stack
[Diagram: Client Tier (Mobile Client, Web Client, Desktop Client), Middle Tier (Web Services), Data Tier (Database), connected over Internet and Intranet; components COUCHBASE LITE, SYNC GATEWAY, COUCHBASE SERVER]
1. Local Storage: Full Database AES-256 Encryption
2. Secure Transport Over Wire
3. Pluggable Authentication
4. User and Role Based Data Access Control
5. Secure Data Storage in the Cloud with Partner Solutions
Couchbase addresses Security concerns for the full stack
[Diagram: Client Tier (Mobile Client, Web Client, Desktop Client), Middle Tier (Web Services), Data Tier (Database), connected over Internet and Intranet; components COUCHBASE LITE, SYNC GATEWAY, COUCHBASE SERVER]
1. Local Storage: Full Database AES-256 Encryption
2. Secure Transport Over Wire
3. Authentication
4. Data Access Control
5. Data Storage in the Cloud
Securing Local Storage
Encrypted Data Requires Key for Access
Securing Local Storage: what’s available OOB?
Couchbase Provides
• Full database encryption
• File system encryption
• Key rotation
• Offline login
Application Developer Responsibilities
• Key Selection
• Key Storage
How Couchbase addresses Security concerns for the full stack
[Diagram: Client Tier (Mobile Client, Web Client, Desktop Client), Middle Tier (Web Services), Data Tier (Database), connected over Internet and Intranet; components COUCHBASE LITE, SYNC GATEWAY, COUCHBASE SERVER]
1. Local Storage: Full Database AES-256 Encryption
2. Secure Transport Over Wire
3. Authentication
4. Data Access Control
5. Data Storage in the Cloud
Secure Data Transport over the Internet
SYNC GATEWAY
{
  "SSLCert": "cert.pem",
  "SSLKey": "privkey.pem",
  "databases": {
    "todo": {
      ……
    }
  }
}
Secure Data Transport over the Intranet
SYNC GATEWAY
"databases": {
  "todo": {
    "server": "https://cb-server:8091",
    "bucket": "data-bucket",
    "username": "data-bucket",
    ……
  }
}
COUCHBASE SERVER: SERVER 1, SERVER 2, SERVER 3
How Couchbase addresses Security concerns for the full stack
[Diagram: Client Tier (Mobile Client, Web Client, Desktop Client), Middle Tier (Web Services), Data Tier (Database), connected over Internet and Intranet; components COUCHBASE LITE, SYNC GATEWAY, COUCHBASE SERVER]
1. Local Storage: Full Database AES-256 Encryption
2. Secure Transport Over Wire
3. Pluggable Authentication
4. Data Access Control
5. Data Storage in the Cloud
Authentication
• Basic Authentication
• OpenID Connect
• Custom Authentication
• Facebook Login
Authentication: OpenID Connect
• OpenID Connect is an interoperable authentication protocol based on the OAuth 2.0 family of specifications
• Supported flows
• Authorization Code Flow
• Implicit Flow
• Production deployments of OpenID Connect
OpenID Connect – Authorization Code Flow
Participants: Mobile Device, System Browser, Sync Gateway, OpenID Connect Provider, Identity Provider
1. Application initiates authentication by connecting to Sync Gateway’s OIDC end-point
2. Sync Gateway responds with redirect to OIDC Provider
3. Device opens endpoint in browser
4. User is sent to OIDC provider endpoint
5. Challenge for user authentication
6. Receive credentials from user
7. Validate credentials
8. Validation result (true/false)
9. Upon successful authentication, redirect to Sync Gateway with authorization code
10. End user is redirected to Sync Gateway with authorization code
11. Sync Gateway uses authorization code to make access request to token endpoint
12. OIDC Provider returns access token, ID token, refresh token to Sync Gateway
13. Sync Gateway creates a session for authenticated user
14. Sync Gateway returns ID token, session ID, refresh token
15. Application sets session cookie in replication headers
16. Sync Gateway Session Cookie sent in the replication requests
OpenID Connect – Implicit Flow
Participants: Mobile Device, System Browser, Sync Gateway, OpenID Connect Provider, Identity Provider
1. Application initiates authentication and opens system browser
2. Redirect to OIDC Provider for user authentication
3. Challenge for user authentication
4. Receive credentials from user
5. Validate credentials
6. Validation result (true/false)
7. Client receives tokens in the response
8. CBL uses JWT token to get a Sync Gateway session
9. Sync Gateway provides option to create user based on JWT token
10. Sync Gateway Session Cookie Returned
11. Replicator session cookie is set
12. Cookies sent in the replication request to Sync Gateway
Custom Authentication
Participants: Mobile Device, Custom Authentication Provider, Sync Gateway, Identity Provider
1. Application initiates authentication with Custom Auth Provider
2. Request credential for user authentication
3. Receive credentials from user
4. Validate credentials
5. Validation result (true/false)
6. Create user (if needed) with the Admin REST API http://server/dbname/_user
7. POST request with the user name to the Admin REST API http://server/dbname/_session
8. Cookie value set in response body
9. Set authentication session cookie
10. Client receives response
11. Replicator cookie parameter set
12. Cookies sent in the replication request to Sync Gateway
How Couchbase addresses Security concerns for the full stack
[Diagram: Client Tier (Mobile Client, Web Client, Desktop Client), Middle Tier (Web Services), Data Tier (Database), connected over Internet and Intranet; components COUCHBASE LITE, SYNC GATEWAY, COUCHBASE SERVER]
1. Local Storage: Full Database AES-256 Encryption
2. Secure Transport Over Wire
3. Authentication
4. User and Role Based Data Access Control
5. Data Storage in the Cloud
Data Access in mobile apps
[Figure labels: tent, survival gear, camping supplies, sleeping bags; users Bob, John, Alice; SHARE]
Data Access Control in Couchbase
• User Based Access: User Permissions
• Roles: APIs for Role Definition & Assignment
• Data partitioning: Channels
• Read Access: Access Grants
• Write Access: Sync Function
• Data Validation: Sync Function
How Couchbase addresses Security concerns for the full stack
[Diagram: Client Tier (Mobile Client, Web Client, Desktop Client), Middle Tier (Web Services), Data Tier (Database), connected over Internet and Intranet; components COUCHBASE LITE, SYNC GATEWAY, COUCHBASE SERVER]
1. Local Storage: Full Database AES-256 Encryption
2. Secure Transport Over Wire
3. Authentication
4. Data Access Control
5. Secure Data Storage in the Cloud with Partner Solutions
Securing data at Rest in Couchbase Server
Couchbase addresses Security concerns for the full stack
[Diagram: Client Tier (Mobile Client, Web Client, Desktop Client), Middle Tier (Web Services), Data Tier (Database), connected over Internet and Intranet; components COUCHBASE LITE, SYNC GATEWAY, COUCHBASE SERVER]
1. Local Storage: Full Database AES-256 Encryption
2. Secure Transport Over Wire
3. Pluggable Authentication
4. User and Role Based Data Access Control
5. Secure Data Storage in the Cloud with Partner Solutions
QA
THANK YOU