Securing Your Couchbase Server Deployment Using Vormetric: Couchbase Connect 2015

Data Security for Couchbase

Don Pinto, Arun Gowda

Post on 26-Jul-2015


Agenda

• NoSQL/Couchbase Overview
• Encryption/Data Security Drivers
• Vormetric Overview
• Protecting Sensitive Data in Couchbase
• Sample Security Policy for Couchbase
• Summary

Why NoSQL security?

Because your information is valuable

Big data not only means Volume, Velocity, and Variety, but also Value.

NoSQL is a popular solution for big data apps.

Structured information is only 10% of the story.

90% of big data is unstructured and is made up of information like emails, videos, tweets, Facebook posts, web clicks, and so on.

©2014 Couchbase, Inc.


Common security questions

• Which ports are open through the firewall?
• What if an operator steals a disk?
• Is sensitive data encrypted?
• Is there admin access and data access separation?
• Is your data encrypted in the cloud?
• Are backups encrypted?
• Is XDCR secure?
• What vulnerabilities?

[Diagram labels: Prod; Dev, QA, Test; Storage; Backup Server; Sensitive; hAck3rs; XDCR to remote Cluster]

Sensitive Data is Dispersing and Growing: Becoming harder to secure

• Physical

• Virtual

• Outsourced

• Sources

• Nodes

• Analytics

Enterprise Data Centers; Private, Public, Hybrid Clouds; Big Data; Remote Servers

• 2013: 1 Zettabyte of sensitive data not protected

• 2020: 10 Zettabytes of exposed sensitive data

- IDC 2014

Top Concerns for Cloud and Big Data: Security and compliance

“By 2018, 25% of corporate data traffic will bypass traditional perimeter security defenses – up from 4% today.” - Gartner, Nov 2013

Top Security Concerns With Cloud Computing (March 2014)

[Bar chart. Values: 41%, 35%, 32%, 26%, 18%, 15%, 11%, 10%, 4%. Categories: Data Privacy and Security; Access and Control; Auditing and Compliance; Control of Data; Security Models/Toolsets; Contractual/Legal Issues; Internal Issues; Network Connection Security; Geographical Coverage]

“The biggest growth inhibitors for Big Data market are security and privacy concerns.” - Wikibon, Jan 2014

Big Data Market Forecast

Traditional IT Security Challenges Never Subside


Vormetric Data Security Platform: Centralized Encryption, Tokenization, Key Management

Best Encryption

Security & Compliance

Protecting Sensitive Data in Couchbase

Sensitive data (e.g. PII/PHI) resides in many locations inside the enterprise (and in the cloud) in structured and unstructured formats

Sensitive data is required by state and national regulations to be encrypted at rest

Sensitive data should also be monitored and protected from insider threats, malware, and APTs which can lead to data breaches

[Diagram: Vormetric Data Security Manager (DSM), a virtual or physical appliance, providing external key management, audit logs, and reporting & analytics for a server whose layers are User, Application, Database, File Systems, Volume Managers and Storage.]

• Policy actions: Allow/Block, Encrypt/Decrypt
• Approved processes and users: clear text (e.g. "John Smith 401 Main Street")
• Privileged users: encrypted and controlled
• Cloud admin, storage admin, etc.: encrypted and controlled
• Protected files: SS Tables / Data, Saved Caches, Commit Logs / Error logs, etc., Configuration files

Vormetric Transparent Encryption: File Level Encryption

[Diagram: Vormetric Data Security Manager (virtual or physical appliance) providing external key management, audit logs, and reporting & analytics for big data, databases or files, across the User, Application, Database, File Systems, Volume Managers and Storage layers.]

• Policy actions: Allow/Block, Encrypt/Decrypt
• Approved applications: clear text (e.g. "John Smith 401 Main Street")
• Privileged users: encrypted and controlled
• Cloud provider / outsource administrators: encrypted and controlled
• Sample record shown: "Name: Jon Dough", "SS: if030jcl", "PO: Jan395-2014"

Vormetric Application Encryption: Field Level Encryption

Couchbase encryption – client: Encryption at the application

• Leverage Vormetric encryption and key management
• APIs, libraries, and sample code in Java, .NET, C/C++.

[Diagram: an application using Vormetric Application Encryption (VAE) sends an encryption key request to the DSM through the Vormetric API and receives a response. The record "SSN: 112-111-6762, Jon Dough" becomes "$#Ad#$g&*j%J1TJCZ, Jon Dough": the SSN field is encrypted and the name stays in clear text. The document travels over Couchbase client-server SSL.]

Via Couchbase SDKs
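A sketch of the field-level pattern on this slide, as an added example that is not the Vormetric API or code from the presentation: the application encrypts only the sensitive field before the document is handed to a Couchbase SDK, so the name stays readable while the SSN is stored as ciphertext. It uses Node's built-in `crypto` with AES-256-GCM; the locally generated key stands in for one issued by an external key manager, and `encryptField`, `decryptField`, `decryptFails`, the document key `customer::1001` and the sample document are hypothetical names and constructed data.

```javascript
// Added example: field-level encryption before a document reaches the database.
// Not the Vormetric API. Assumption: in production the key is requested from an
// external key manager and never generated or stored inside the application.
const crypto = require('crypto');

const KEY = crypto.randomBytes(32); // stand-in for a key-manager-issued AES-256 key

// Encrypt one field. The document key and field name are bound as AAD, so a
// ciphertext copied into another document or field fails authentication.
function encryptField(doc, docKey, field, key = KEY) {
  const iv = crypto.randomBytes(12); // fresh nonce for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(`${docKey}|${field}`));
  const ct = Buffer.concat([cipher.update(String(doc[field]), 'utf8'), cipher.final()]);
  const blob = Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
  return { ...doc, [field]: { alg: 'AES-256-GCM', ct: blob } };
}

// Decrypt one field; throws if the key, document key, field name or ciphertext is wrong.
function decryptField(doc, docKey, field, key = KEY) {
  const raw = Buffer.from(doc[field].ct, 'base64');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAAD(Buffer.from(`${docKey}|${field}`));
  decipher.setAuthTag(raw.subarray(12, 28));
  const pt = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
  return { ...doc, [field]: pt.toString('utf8') };
}

// True when decryption is rejected (wrong key, or ciphertext moved elsewhere).
function decryptFails(doc, docKey, field, key = KEY) {
  try { decryptField(doc, docKey, field, key); return false; } catch (e) { return true; }
}

// Constructed sample document, modelled on the slide's name + SSN record.
const customer = { name: 'Jon Dough', ssn: '112-111-6762' };
// `stored` is what would be passed to the SDK's write call: name clear, ssn opaque.
const stored = encryptField(customer, 'customer::1001', 'ssn');
const roundTrip = decryptField(stored, 'customer::1001', 'ssn');
```

Anyone who reads the bucket, a backup, or the data files on disk without the key sees only the `ct` blob for `ssn`, which is the separation between data access and admin access the earlier slides ask about.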

Setting up Couchbase Enterprise Access Control and Security Policies

Creating 2 User Set Lists – Couchbase Approved User and Privileged User (root)

User Policies

Protecting Directories That Potentially Contain Sensitive Data

Intended User Can See File Metadata and Read couchdb.log Data Content

Vormetric Security Intelligence Event Log:

Privileged User Can See File Metadata, and couchdb.log Log Data is Encrypted

Vormetric Security Intelligence Event Log:

Any Other User Is Denied Any Access

Vormetric Security Intelligence Event Log:

Summary

Couchbase provides a powerful NoSQL platform

Data security including encryption should be addressed proactively

Vormetric & Couchbase have partnered to enable customers to build high-performance, highly-secure applications

Visit www.vormetric.com for more information http://www.vormetric.com/compliance/pci-dss

Protect What Matters, Where it Matters

@vormetric

Don’t forget to fill out the Connect Session Survey on the Connect App

Get Started with Couchbase Server 4.0: www.couchbase.com/beta

Test drive Vormetric at http://testdrive.vormetric.com/

Get trained on Couchbase: training.couchbase.com