For years Centrify has been deployed to help secure access to Hadoop clusters, and my team has helped configure and deploy Centrify and Kerberos within many of them. Our involvement often began as clusters moved from pilot to production. Our sense is that someone in IT asked the questions:
“How are we going to secure access?”
“How are we going to provision and de-provision?”
“How does this fit within our security mandates?”
Centrify is called in to address these concerns. In most cases it would have been better to involve us earlier, so we could understand implementation decisions and provide best practices from the start; still, better late than never, as they say.
Given our expertise in providing secure identity management, it's no surprise that Centrify has a large number of customers with Hadoop deployments in both the federal and commercial sectors. This has given us insight into how deploying and securing Hadoop is both similar and different across the two. In his blog "Big Data Requires Even Bigger Security," Bill Mann addresses the reasons why Centrify is the leader in providing privileged identity management for Big Data. While all of these reasons for identity management (authentication, access control, authorization, and auditing) apply to the federal space, the primary difference is the mandated security standards within which government organizations are required to operate. The private sector certainly has SOX and PCI, but government customers are mandated to procure products that meet specific security requirements before those products can even be considered for purchase, let alone implemented.
Centrify’s Federal page describes both our assistance with, and our adherence to, federal security standards. Several blogs also describe how we help organizations conform to those standards. These same federal standards apply equally to Big Data and clustered computing. For example, an agency may require smart card (HSPD-12) access to a cluster, and may require FIPS 140-2 certification to provide secure Kerberos authentication of cluster services and end users.
I would like to expand a little on FIPS 140-2, a security standard for cryptographic modules. (More information on FIPS 140-2 can be found on Wikipedia.) Hadoop has two security modes: Simple and Kerberos. The default is Simple, which relies upon the operating system (Linux) for user authentication. In most federal agencies, Simple mode is not adequate and would render the entire Hadoop deployment insecure and non-compliant. The second and preferred mode is Kerberos, which secures all access to Hadoop clusters through strong authentication, and which can be implemented using FIPS 140-2-certified cryptographic modules. Centrify’s crypto libraries are FIPS 140-2 certified, since most of our federal customers require it, and this ensures the highest level of security for Hadoop deployments.
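For the curious, the switch between these two modes lives in Hadoop's core-site.xml. A minimal sketch of the Kerberos-mode settings is below; the property names are standard Hadoop configuration, though any real deployment involves additional per-service principal and keytab settings not shown here:

```xml
<!-- core-site.xml: switch Hadoop from Simple to Kerberos security -->
<configuration>
  <!-- "simple" (the default) trusts the OS login; "kerberos" requires tickets -->
  <property>
    <name>hadoop.security.authentication</name>
    <value>kerberos</value>
  </property>
  <!-- Also enable Hadoop's service-level authorization checks -->
  <property>
    <name>hadoop.security.authorization</name>
    <value>true</value>
  </property>
</configuration>
```

With authentication set to kerberos, every user and service must present a valid Kerberos ticket before the cluster will talk to it, which is exactly where the underlying crypto modules (and their FIPS 140-2 status) come into play.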
As I mentioned earlier, deploying Hadoop in government is not vastly different from the private sector. The most important thing to remember is to plan up front to implement and test the government-mandated security requirements during the pilot phase, such as adherence to security practices (smart card access) and security certifications (FIPS 140-2/Common Criteria). With proper planning and the right tools, a Hadoop system can be deployed securely, can maintain federal compliance, and does not have to change existing provisioning and de-provisioning procedures. Of course, your toolset should include the Centrify Server Suite, since Centrify is the leader in unified identity management across cloud, mobile and data center, and we’ve now extended this leadership into securing the identity management of Big Data.