Kerberizing Cassandra

When it comes to access control, enterprises look for an uncompromising mechanism to protect their data and services over the network. Cryptography based on both symmetric and asymmetric key algorithms is widely used for secure access and authorization. The well-known Kerberos protocol uses symmetric encryption and lets a client prove its identity to a server across an insecure network. Once both client and server have proved their identity, privacy and data integrity can be ensured as well. With Kerberos as a centralized authenticator, enterprises can implement single sign-on (SSO) across all their applications without difficulty.

In this blog, we will discuss how to enable Kerberos authentication for a distributed NoSQL database system. We will implement it for DataStax Cassandra, one of the leading database platforms for big data on a cluster of nodes. DataStax Cassandra already provides authentication based on internally controlled role names/passwords, authorization based on object permission management, authentication and authorization based on JMX usernames/passwords, and SSL encryption. We intend to explain the implementation of the Kerberos integration, and the blog is divided into four sections.

  • Installing Kerberos server
  • Configuring Kerberos server
  • Connection to Cassandra
  • Connection to Cassandra cqlsh

Installing Kerberos Server

The Kerberos server is the key to network security, and it is advisable to have an alternative server to recover from in case of failure. To set up the Kerberos server, install it as below.

$ sudo apt-get install krb5-admin-server
$ sudo apt-get install krb5-kdc
$ sudo krb5_newrealm

While installing, set the Kerberos realm together with the KDC and kadmin server. We go with KERBEROS.COM as the Kerberos realm and kserver.com as the KDC and kadmin server.

Configuring Kerberos Server

After installing Kerberos, we need to edit the default Kerberos files to change the realm name. To do so, open krb5.conf in an editor:

$ sudo vi /etc/krb5.conf

Check the configuration for the Kerberos realm: in the [domain_realm] section, add the realm mapping.

.kerberos.com = KERBEROS.COM
kerberos.com = KERBEROS.COM

Now restart the Kerberos services so that the changes take effect.

$ sudo service krb5-admin-server restart
$ sudo service krb5-kdc restart

At this stage, the Kerberos server is ready. Next we need to set up the Kerberos client so that the Cassandra nodes are secured.

Cassandra Connection

In this section, we connect each Cassandra node to the server by creating principals and editing a few files on the clients as well as on the server.

KDC server:

Here we create a policy to attach to principals. To create a basic policy named admin:

$ sudo kadmin.local
kadmin: add_policy -minlength 8 -minclasses 3 admin
kadmin: quit

The policy named admin has been created and is ready to be attached. Now, add a server principal name (SPN):

$ sudo kadmin.local
kadmin: addprinc -policy admin root/admin
kadmin: quit

To give admin full permissions, open kadm5.acl in the vi editor:

$ sudo vi /etc/krb5kdc/kadm5.acl

Uncomment the */admin * line and save, so that admin gets full permissions. In /etc/hosts, add your internal IP with the realm name, for example:

x.x.x.x KERBEROS.com

Restart the krb5-admin-server:

$ sudo service krb5-admin-server restart

We need to add a service principal and an HTTP principal for each client in the KDC using the addprinc command. To do so, log in to kadmin and add the principals:

$ sudo kadmin -p root/admin
kadmin: addprinc -policy admin -randkey cassandra/fqdn
kadmin: addprinc -policy admin -randkey HTTP/fqdn

(fqdn: the Fully Qualified Domain Name of each node.)

To find a client's FQDN:

$ hostname --fqdn

To ensure both principals were added successfully, check the principal names in the KDC with the listprincs command.

kadmin: listprincs

Kerberos client:

Install krb5-user on each client:

$ sudo apt-get install krb5-user

Set the realm the same way as for the Kerberos server, with the same server, i.e. KERBEROS.COM as the Kerberos realm and kserver.com as the KDC and kadmin server. In most cases both krb5.conf files should be identical.

KDC server:

A keytab is a file containing pairs of Kerberos principals and encrypted keys derived from the Kerberos password. Using it, we can authenticate to various remote systems with Kerberos without entering a password. If the Kerberos password is changed, the keytab must be regenerated.

To produce a keytab for the principal names:

$ sudo kadmin.local
kadmin: ktadd -k dse.keytab cassandra/fqdn
kadmin: ktadd -k dse.keytab HTTP/fqdn

dse.keytab is the name of the keytab.

This command creates the keytab in the current folder; a target folder can also be given. Now copy the keytab to each node using the scp command.

Kerberos client:

Open /etc/hosts and add the realm name and IP as on the server.

x.x.x.x kerberos.com

Move the keytab to its final location and change the owner and permissions of the keytab:

$ sudo chown cassandra:cassandra dse.keytab
$ sudo chmod 600 dse.keytab

Open cassandra.yaml (/etc/dse/cassandra/cassandra.yaml) in the vi editor and change the authenticator as below:

authenticator: com.datastax.bdp.cassandra.auth.KerberosAuthenticator

Open dse.yaml (/etc/dse/dse.yaml) in the vi editor and modify the kerberos_options block as below (fqdn is the same node name used on the server):

kerberos_options:
    keytab: /etc/dse/dse.keytab
    service_principal: cassandra/fqdn@KERBEROS.COM
    http_principal: HTTP/fqdn@KERBEROS.COM
    qop: auth

With this, Kerberos authentication has been set up for Cassandra.
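As an added example that is not part of the original post, here is a POSIX shell pre-flight script to run on each node after the steps above: it reads the kerberos_options block from dse.yaml, checks that the keytab is owned by the DSE user with mode 600, and checks that both principals name this node's FQDN, the expected service and an upper-case realm. The file path, FQDN and owner are passed as arguments so it can also be tried against a copy of the config; the yaml_value/check_* function names are my own.

```shell
#!/bin/sh
# Added pre-flight check for one DSE node (example code, not from the post).
# Usage: sh dse-krb-preflight.sh /etc/dse/dse.yaml "$(hostname --fqdn)" cassandra

# Pull the value of "key: value" out of a flat YAML block such as kerberos_options.
yaml_value() {  # $1 = yaml file, $2 = key
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//' | head -n 1
}

# A principal must be service/host@REALM; the host must be this node's own FQDN
# (the name used with addprinc on the KDC) and the realm is upper case.
check_principal() {  # $1 = principal, $2 = expected service, $3 = this node's fqdn
    p=$1
    case "$p" in */*@*) ;; *) echo "bad principal format: '$p'"; return 1 ;; esac
    service=${p%%/*}
    rest=${p#*/}
    host=${rest%@*}
    realm=${rest##*@}
    upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    [ "$service" = "$2" ] || { echo "$p: service is $service, expected $2"; return 1; }
    [ "$host" = "$3" ] || { echo "$p: host $host is not this node ($3)"; return 1; }
    [ "$realm" = "$upper" ] || { echo "$p: realm $realm should be upper case"; return 1; }
    return 0
}

# The keytab is a long-lived credential: it must exist, belong to the DSE user
# and be unreadable by anyone else (the chown/chmod step above).
check_keytab() {  # $1 = keytab path, $2 = expected owner
    [ -f "$1" ] || { echo "keytab '$1' is missing"; return 1; }
    [ -n "$(find "$1" -user "$2" -perm 600)" ] \
        || { echo "keytab $1 must be owned by $2 with mode 600"; return 1; }
    return 0
}

# Run all checks against a dse.yaml; returns 0 only when every check passes.
# qop is handled as the single value used in the post.
preflight() {  # $1 = dse.yaml, $2 = this node's fqdn, $3 = keytab owner
    rc=0
    check_keytab "$(yaml_value "$1" keytab)" "$3" || rc=1
    check_principal "$(yaml_value "$1" service_principal)" cassandra "$2" || rc=1
    check_principal "$(yaml_value "$1" http_principal)" HTTP "$2" || rc=1
    qop=$(yaml_value "$1" qop)
    case "$qop" in
        auth) echo "note: qop auth authenticates only; auth-conf also encrypts the session" ;;
        auth-int|auth-conf) ;;
        *) echo "unknown qop value: '$qop'"; rc=1 ;;
    esac
    return $rc
}

if [ $# -eq 3 ]; then preflight "$1" "$2" "$3"; fi
```

Generate the keytab separately for each node so that a node's keytab contains only its own principals' keys; a keytab shared by all nodes means one compromised node exposes every node's service keys.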
Connection to Cassandra cqlsh

cqlsh is the Python-based client for executing Cassandra Query Language. In this section, we are going to authenticate cqlsh with Kerberos by configuring cassandra.yaml.

On the server:

We need a user principal to authenticate from the client to the server. To create the user principal jane, do the following:

$ sudo kadmin.local
kadmin: addprinc jane

The resulting principal looks like jane@KERBEROS.COM.

On the client:

Now temporarily disable the Kerberos authenticator and the DSE authorizer in cassandra.yaml, and add the following:

authenticator: PasswordAuthenticator
authorizer: CassandraAuthorizer

Now restart the dse service and start cqlsh:

$ sudo service dse restart

Log in to cqlsh to add jane as a superuser (cassandra/cassandra is the default user name and password):

$ cqlsh hostname -u cassandra -p cassandra

Create the superuser jane to authenticate against the Kerberos server:

cqlsh> create user 'jane@KERBEROS.COM' SUPERUSER;

Now re-enable the Kerberos authenticator and change the authorizer in cassandra.yaml:

authenticator: com.datastax.bdp.cassandra.auth.KerberosAuthenticator
authorizer: AllowAllAuthorizer

To run cqlsh with Kerberos authentication, add the Python dependencies on the clients:

$ sudo apt-get install python-pip
$ sudo pip install pure-sasl
$ sudo apt-get install python-kerberos

Create the cqlshrc file in the .cassandra directory:

$ vi /home/user/.cassandra/cqlshrc

and add this configuration:

[connection]
hostname = host-ip
port = 9042
[kerberos]
hostname = host-ip
service = Cassandra

Now introduce yourself to the Kerberos server:

$ kinit jane

Enter the password to get authenticated. The kinit command obtains or renews a Kerberos ticket-granting ticket. Use the command below to verify the ticket:

$ klist

Start cqlsh:

$ cqlsh

With this, cqlsh authentication through Kerberos is working, and every CQL command is now encrypted and secured.
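Also an added example rather than the post's own code: a shell check of the client's cqlshrc against the service_principal configured in dse.yaml, to run before kinit and cqlsh. Kerberos principal names are case-sensitive, so the [kerberos] service value must equal the service component of the server principal exactly; ini_value and check_cqlshrc are names I chose.

```shell
#!/bin/sh
# Added client-side check of cqlshrc (example code, not from the post).
# Usage: sh cqlshrc-check.sh ~/.cassandra/cqlshrc cassandra/node1.kerberos.com@KERBEROS.COM

# Read one key from one [section] of an INI-style file such as cqlshrc.
ini_value() {  # $1 = file, $2 = section name, $3 = key
    awk -v s="[$2]" -v k="$3" '
        /^[ \t]*\[/ { insec = ($1 == s); next }
        insec {
            n = index($0, "=")
            if (n == 0) next
            key = substr($0, 1, n - 1); val = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == k) { print val; exit }
        }' "$1"
}

# Compare the cqlshrc with the service_principal the server was configured with.
check_cqlshrc() {  # $1 = cqlshrc path, $2 = server's service_principal
    rc=0
    host=$(ini_value "$1" connection hostname)
    port=$(ini_value "$1" connection port)
    khost=$(ini_value "$1" kerberos hostname)
    svc=$(ini_value "$1" kerberos service)
    want=${2%%/*}   # service component of service/fqdn@REALM
    [ -n "$host" ] || { echo "[connection] hostname is missing"; rc=1; }
    case "$port" in
        ''|*[!0-9]*) echo "[connection] port must be numeric, got '$port'"; rc=1 ;;
    esac
    [ -n "$khost" ] || { echo "[kerberos] hostname is missing"; rc=1; }
    # Principal names are case-sensitive: cqlsh asks the KDC for a ticket to
    # service/hostname, which must exist exactly as it was created with addprinc.
    [ "$svc" = "$want" ] \
        || { echo "[kerberos] service is '$svc' but the server principal uses '$want'"; rc=1; }
    return $rc
}

if [ $# -eq 2 ]; then check_cqlshrc "$1" "$2"; fi
```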


Author Credits: Siddharth Kumar S, Senior Associate – Big Data, 8KMiles Software Services. You can reach him here.

Solutions in Azure : Azure CDN for Maximum Bandwidth & Reduced Latency – Part II

From the first part of this article we can conclude that a CDN's job is to enhance regular hosting by reducing bandwidth consumption, minimizing latency and providing the scalability needed to handle abnormal traffic loads. It cuts down round-trip time (RTT), effectively giving end users a similar response irrespective of their geographical location.

MicroMarketMonitor's recent report clearly states that the North American content delivery network market alone is expected to grow from $1.95 billion in 2013 to $7.83 billion in 2019. One significant factor driving this growth is end-user interaction with online content. So, moving forward, it is going to be a major factor when architecting any application.

Azure CDN Highlights

  1. Improve rendering speed and handle high traffic loads: Azure CDN servers manage the content by making use of its large network of POPs. This dramatically increases speed and availability, resulting in significant user experience improvements.
  2. Designed for today's web: Azure CDN is specifically designed for the dynamic, media-centric web of today and caters to the requirements of users who expect everything to be fast, high quality, and always on.
  3. Streaming-aware era: Azure CDN can help in all three possible ways of serving video over HTTP: progressive download and play, HTTP pseudo-streaming, and live streaming.
  4. Dynamic content acceleration: If you understand the nitty-gritty of Azure CDN, it also uses a series of techniques to serve uncacheable content faster. For example, it can route all communication from a client in India to a server in the US through an edge in India and an edge in the US. It then maintains a constant connection between those two edges and applies WAN optimization techniques to accelerate it.
  5. Block spammers, scrapers and other bad bots: Azure Content Delivery Network is built on a highly scalable, reverse-proxy architecture with sophisticated DDoS identification and mitigation technologies to protect your website from DDoS attacks.
  6. When expectations are at their peak, Azure CDN delivers: Thanks to its distributed global scale, Azure Content Delivery Network handles sudden traffic spikes and heavy loads, like the start of a major product launch or a global sporting event.

Working With Azure Storage

Once the CDN is enabled on an Azure storage account, any blobs that are in public containers and are available for anonymous access will be cached via the CDN. Only blobs that are publicly available can be cached with the Azure CDN. To make a blob publicly available for anonymous access, you must denote its container as public. Once you do so, all blobs within that container will be available for anonymous read access and you have the option of making container data public as well, or restricting access only to the blobs within it.

For best performance, use CDN edge caching for delivering blobs less than 10 GB in size. When you enable CDN access for a storage account, the Management Portal provides you with a CDN domain name in the following format: http://.vo.msecnd.net/. This domain name can be used to access blobs in a public container. For example, given a public container named music in a storage account named myaccount, users can access the blobs in that container using either of the following two URLs:

Working With Azure Websites

You can enable CDN from your websites to cache your web contents, such as images, scripts, and stylesheets. See Integrate an Azure Website with Azure CDN. When you enable CDN access for a website, the Management Portal provides you with a CDN domain name in the following format: http://.vo.msecnd.net/. This domain name can be used to retrieve objects from a website. For example, given a public container named cdn and an image file called music.png, users can access the object using either of the following two URLs:

  • Azure Website URL: http://mySiteName.azurewebsites.net/cdn/music.png
  • Azure CDN URL: http://.vo.msecnd.net/cdn/music.png

Working With Azure Cloud Services

You can cache objects to the CDN that are provided by an Azure cloud service. Caching for cloud services has the following constraints:

  • The CDN should be used to cache static content only.
  • Your cloud service must be deployed in a production deployment.
  • Your cloud service must provide the object on port 80 using HTTP.
  • The cloud service must place the content to be cached in, or delivered from, the /cdn folder on the cloud service.

When you enable CDN access for a cloud service, the Management Portal provides you with a CDN domain name in the following format: http://.vo.msecnd.net/. This domain name can be used to retrieve objects from a cloud service. For example, given a cloud service named myHostedService and an ASP.NET web page called music.aspx that delivers content, users can access the object using either of the following two URLs:

  • Azure cloud service URL: http://myHostedService.cloudapp.net/cdn/music.aspx
  • Azure CDN URL: http://.vo.msecnd.net/music.aspx

Accessing Cached Content over HTTPS

Azure allows you to retrieve content from the CDN using HTTPS calls. This allows you to incorporate content cached in the CDN into secure web pages without receiving warnings about mixed security content types.

To serve your CDN assets over HTTPS, there are a couple of constraints worth mentioning:

  • You must use the certificate provided by the CDN. Third party certificates are not supported.
  • You must use the CDN domain to access content. HTTPS support is not available for custom domain names (CNAMEs) since the CDN does not support custom certificates at this time.

Even when HTTPS is enabled, content from the CDN can be retrieved using both HTTP and HTTPS.

Note: If you've created a CDN for an Azure Cloud Service (e.g. http://[XYZ].cloudapp.net/cdn/), it's important that you create a self-signed certificate for your Azure domain ([XYZ].cloudapp.net). If you're using Azure Virtual Machines, this can be done through IIS.

Custom Domain to Content Delivery Network (CDN) endpoint

If you want to access the cached content with a custom domain, Azure lets you map your domain to a particular CDN endpoint. With that in place, you can use your own domain name in URLs to retrieve the cached content.

For detailed information on implementation, please check: Map CDN to Custom Domain.

CDNs are an essential part of the current generation's Internet, and their importance will only increase. Even now, companies are working hard to figure out ways to move more functionality to edge servers (POP locations) in order to provide users with the fastest possible experience. Azure CDN plays a vital role, as it satisfies current-generation CDN requirements. When implementing Azure CDN (or any CDN, for that matter), the important thing is to formulate a strategy regarding the maximum lifespan of an object beforehand.

Author Credits: This article was written by Utkarsh Pandey, Azure Solution Architect at 8K Miles Software Services, and originally published here.

There is a Microsoft Azure event happening on 16th September 2017, and it is a great opportunity for all Azure enthusiasts to meet, greet and share ideas on the latest innovations in this field. Click here for more details.


Diagnosis of Information Security issues & Best Practices to implement Role Based Access Control in Healthcare Premises

Role-based access control (RBAC) is a method of regulating access to computer or network resources based on the roles of individual users within an enterprise. Usually, users have access privileges to systems based on the roles they perform in those systems. RBAC policies in general ensure that the users they cover have the right access to the right resource at the right point in time. In recent times the healthcare industry has been giving significant importance to RBAC. For example, if an RBAC system is used in a hospital, each and every person who is allowed access to the hospital's network has a predefined role (doctor, nurse, lab technician, administrator, etc.). If a user is defined as having the role of nurse, then that user can access only the resources that the nurse role has been allowed access to. Each user is assigned one or more roles, and each role is assigned one or more privileges. In a hospital EHR implementation process, a lack of clear separation of roles and chaotic access privileges to various systems would cause mayhem in the system, resulting in an implementation failure.

Security & RBAC Readiness Issues – Spotting of Symptoms

The first step before initiating an EHR Implementation process is to thoroughly assess/discover all RBAC related issues. 8KMiles looks for the following indications, as part of a discovery process, to assess whether RBAC issues exist in a Hospital/Health Care Organization and if they do, where they might exist.

1. The hospital or health care system has problems defining roles for a particular user.
2. The hospital or health care system has problems providing access to a single user amongst a group of users within the same job title/department.
3. Departments/systems/applications have to constantly rotate staff (sometimes even on a daily basis), so keeping track of roles/access is very difficult.
4. There are many mini-roles which can form a major role, and many such major roles exist in the system.
5. Many roles and access privileges, though defined in the system, have not been used for a while.
6. There are no systems to address SoD (Segregation of Duties) conflicts that exist among roles/privileges.
7. There is no access governance solution in place to assess the role/access privileges assigned to users.
8. Audit reports are not in place to follow the compliance process, due to the lack of an access governance solution.
9. Users have problems with multi-level approval.
10. Roles not fitting into the daily scheme of activities of a department are prevalent in the system.
11. Patient privacy data related issues are a concern (both from a data-entry and a data-breach perspective).
12. Data security or RBAC security is a concern, especially during bulk upload of patient data or during data interchange between in-house or external systems.
13. The system has both groups and roles defined, but groups are not mapped to roles the way they should be.

Security & RBAC Readiness Issue – Mitigation Processes

After a detailed analysis of the issues is done, an 8KMiles RBAC Process Manager, who takes ownership of the EHR implementation, will define and implement the following processes/procedures pertaining to RBAC and security at the hospital/health care facility:

1. Study the results of the discovery process and understand the existing security and RBAC policies in place for each system/application in each department at every location of the hospital/health care system.
2. Prepare an RBAC matrix (access requirements of each department's titles).
3. Prepare the current workflows where these roles and their access privileges come into play.
4. Note down any obvious inconsistencies and inefficiencies pertaining to these roles. For example, some roles and access privileges are used heavily while others are not used at all.
5. Note down any violation of Segregation of Duties (SoD) in the access privileges entitled to the current roles. For example, a clerk in the records department should not have access to copier or print functions in their system, which would let them print/copy EHRs and distribute them.
6. Note down the critical and sensitive roles and access privileges that one needs to be careful about. These could be roles and privileges wherein an employee has direct read/write access to patients' privacy data.
7. Plan to address any gaps relating to these critical and sensitive roles and access privileges before/during the EHR implementation.
8. Prepare plans to address the inconsistencies and SoD violations before the transition to the new EHR implementation. If the EHR preparation time is very short, at least have plans to address these during the EHR implementation. Note: SoD violations are caused by pairs of roles with access privileges that, if an individual were to possess both, would have the potential to directly compromise the integrity of both systems where these roles function.
9. Prepare the future workflows of roles after the EHR implementation. Note down the inconsistencies that were there before and how they have been solved during or because of the EHR implementation.
10. Assess whether the critical and sensitive roles and access privileges were addressed effectively during the EHR implementation.
11. Assess whether micro-roles or mini-roles have been effectively rolled under major roles (i.e. roles within roles).
12. Perform an RBAC data-owner certification process every month after the EHR implementation, wherein each of the data owners of each application/system attests to the need for these roles to be in the system. As a precursor to this process, identify all systems/applications and their data owners.
13. Perform an RBAC access certification process every month after the EHR implementation, wherein you ask the managers and supervisors to attest whether the employees who work under them need the roles they hold on these systems. As a precursor to this process, identify all the managers and supervisors (if not already done) of each employee.
14. Address the orphaned/redundant roles and access privileges that come out of the above certification process.
15. Find the relationship between the groups and roles present and check that the mappings of groups to roles are not out of sync.
16. Assess any HIPAA/SOX related RBAC compliance issues that occur prior to, during or after the EHR implementation and address them.
17. Apprise the hospital system leadership/stakeholders of the major findings and the changes made to be compliant.

Security & RBAC Readiness – Best Practices

Following are some of the best practices that 8KMiles RBAC Managers/Personnel follow in order to address RBAC related issues:

1. Establish a formal business relationship with the prospect
2. Understand the business needs and requirements

a. Compliance with HIPAA, SOX, SAS70 and HL7 requirements
b. Workflow management (establish the flow of identities, establish roles and access control in relation to each other)
c. Interoperability (explore identity federation with external parties, use REST APIs)
d. Security (plan for identity/data security at rest and in motion)
e. Medical records sync (HL7, HTTPS/encryption, multi-factor auth)
f. Integration issues, for example integration of the hospital EMR with subsystems like identity and access management and access governance systems

3. Understand the role hierarchy and the relationships between groups, roles and access permissions
4. Study the requirements systematically and come up with solutions based on agile methodology for the above pain points

By following all of the above processes and RBAC best practices, organizations can secure healthcare data and also identify redundant roles, inefficient access privileges, employees who were not granted the right roles (i.e. mismatched roles), disparities between groups and roles, and access permissions of employees who are no longer part of the system.

Author Credits: Raj Srinivas, VP Technology at 8KMiles. You can connect with him here for more information.