Ameesh DivatiaThe Promise and Perils of Encrypting Cassandra Data

Confidential & Proprietary 2

ENTERPRISE IT DOMAIN(ON-PREMISE OR CLOUD)

CLOUD SERVICEPROVIDER DOMAIN

SQL APP

DATA DISK DB SERVER

CLOUD ADMIN

DB QUERY

THREAT & CHALLENGES

Perils of Cloud Hosted DatabasesCloud hosted database services being adopted by enterprise IT§ Where is the data stored?

Threats§ Stolen cloud administrator credentials

§ Violations of compliance regulations

Need§ Complete control of data by enterprise IT at all times

§ Encrypt all data that is uploaded to the cloud

How does enterprise IT deal with this?

Confidential & Proprietary 3

APP

CQL QUERY

COMMIT LOG SSTABLE

MEMORY

DISK

MEMTABLE

C*

FLUSH

INDEX TDE ENCRYPTION

WRITE DATA

Cassandra Security

Confidential & Proprietary 4

Use Case – Apache Cassandra§ Raw customer data stored in multi-tenant

clusters as clear text

§ Encryption available as an option only at rest

Vulnerabilities§ Data in memory is in the clear

§ Encryption key is in the clear in memory risking the entire data store

OLTP DOMAIN

SQL APP

DB QUERY

DB SERVER ADMIN ENCRYPTED DATA

KEYS

DATA DISK DB SERVER

DB SERVER ADMINENCRYPTED DATA

KEYS

ENCRYPT {}

DECRYPT {}

Anatomy of a Hack

Confidential & Proprietary 5

Threat Scenario§ Database admin has access to data and

keys used for ‘at rest’ security

OLTP DOMAIN

SQL APP

DB QUERY

DB SERVER ADMIN ENCRYPTED DATA

KEYS

DATA DISK DB SERVER

DB SERVER ADMINENCRYPTED DATA

KEYS

ENCRYPT {}

DECRYPT {}

Vulnerabilities§ Administrator’s credentials are stolen by a hacker

§ Hacker has access to the data as well as the key

Need§ Separation of keys and data into separate domains

§ Never decrypting data in a single compute instance

§ Operate on encrypted data

X

APP

X

KEY STORE ADMIN ENCRYPTED DATA

KEYSX

Encryption Adoption Challenges

Complexity: Perception that once the data is

encrypted, the customer loses control

Key management: What if the keys are lost, stolen or

stagnant?

Confidential & Proprietary 6

Encryption Adoption Challenges

Performance degradation: Perception that

application performance will slow down

Workflow impact: Changes the current

paradigm of app to database communication

Confidential & Proprietary 7

APP

CASSANDRA CLUSTERPER CUSTOMER

APP VPC

CASSANDRA VPC

ENCRYPTED CQL DATA REQUEST

CLEAR CQLDATA REQUEST

C*

PROTECTING IN-MEMORY & AT-REST CASSANDRA CLUSTER

DRIVER LEVEL PROXY

KMS

C*

C* C*

A Practical ApproachDriver level insertion for data protection

§ Transparent application operation

Seamless key management withAmazon KMS

§ Generate, use, store, rotate and retire keys

Performance at scale using massive parallelization

§ Elastic load balancing in response to demand

Frictionless integration into enterprise application workflows

§ Active monitoring of service components toensure high availability and failover

Confidential & Proprietary 8

Selective Privacy Example

Confidential & Proprietary 9

C* C*

APPTHREAT

THREATCQL INTERPRETER / API

EXISTINGCASSANDRA DATABASE

1 Optional – when disk encryption is used, the

key and data co-resident on media

making it very vulnerable to breaches

DISK ENCRYPTION1

BEFORE

CASSANDRANATIVE CALLS

DATA TABLE

APP

SECURE CASSANDRA

CQL / API

SECURE CASSANDRA

CASSANDRANATIVE CALLS

DATA TABLE

Secure Cassandra – Before and After

Confidential & Proprietary 10

Data In Use(Application)

Data In Use(Cassandra Memory)

Data At Rest(Cassandra DB)

SECU

RED

BY B

AFFL

EN

ON

E

Driver Modifications

Added couple of pipeline stages for encryption / decryption in the java driver

Connection.java

pipeline.addLast("messageDecryptor", new MessageDecryptor(transformDB));

pipeline.addLast("messageEncryptor", new MessageEncryptor.Encryptor(transformDB));

Confidential & Proprietary 11

Tiers of SecurityPARAMETER STOCK CASSANDRA SECURE CASSANDRA

PROTECTION

Data on disk Encrypted Encrypted

Data in Cassandra server memory Clear Encrypted

Data in App memory Clear Clear

Vulnerability No data Protection (App, DB Server, Disk)

Data Protection below CQL Interface(DB Server & Disk)

IMPACT

Driver Unchanged Added pipeline stages

DB Binaries Unchanged Add support for custom types

OPERATIONS ON ENCRYPTED DATA None Search, Sort, Aggregate

Confidential & Proprietary 12

Cassandra Modifications

Added custom types for encrypted values with serializers/ deserializers

Added custom functions for operations such as compares and aggregates on the encrypted values

Custom Integer Type:Db/marshal/EncIntType.javapublic class EncIntType extends AbstractType<BlindInt>{

public static final EncIntType instance = new EncIntType();private EncIntType(){

super(ComparisonType.CUSTOM);}

…}public synchronized int compareCustom(ByteBuffer o1, ByteBuffer o2){

Confidential & Proprietary 13

Conclusion

Cloud hosted databases have perils for stored data

Practical approach to protecting Cassandra data

§ Driver level modifications to enable encryption

§ Support custom types and functions for encrypted operations

The promise of keeping data encrypted…always! is attainable

§ No threats to availability

§ No impact on stability

§ Minimal impact on performance

Confidential & Proprietary 14

Make data breaches irrelevant

www.baffle.io

Thank You

baff el