Product introduction >>
Sansec's SecBD (hereafter referred to as the Hadoop security solution) is a security protection solution for the design and development of big data platforms and for big data application scenarios in both public and private clouds. By implementing a trusted ticket-issuing mechanism, it strengthens the security of the tickets and messages exchanged between the nodes of a Hadoop cluster, and it provides a reliable clustered key-management deployment that keeps user keys both secure and maintainable.
Product features >>
·Authentication and access control
Effective authentication and access control, so that Hadoop user data cannot be accessed illegitimately, is essential. SecBD provides a separate authentication service that centrally manages the Hive, MapReduce and DataNode servers, ensuring that a server cannot be impersonated and that every node in the cluster is trusted.
At the same time, the authentication service authenticates trusted clients while keeping the operations a job needs running, so that an impostor cannot pose as a client and submit malicious jobs. The authentication service offers password-based, digital-certificate and JWT identity verification, and supports user tokens.
Once the user is authenticated, SecBD issues the user a ticket used for access control. The ticket carries the user's permissions and rights, allowing the user to reach only the big data services they are authorized to use. This is implemented inside a unified authentication service: a user logs in once and can then access all services within the cluster.
·Key management and data encryption
SecBD protects the usability of big data encryption and the secure storage of keys through SecKMS, an extensible key management service. Key management remains compatible with Hadoop's native key management API (the KMS/KeyProvider interface), so no existing Hadoop source code needs to be changed; integration is therefore straightforward, and the security of users' encryption keys is improved.
SecBD also provides data encryption in HDFS and HBase. When a Hadoop client reads data in an encryption zone, it first obtains the encrypted data encryption key (EDEK) from the NameNode and then asks SecBD to decrypt it. The request to SecBD is subject to an authorization check: clients that do not meet the requirements do not receive the decrypted DEK. Once the check succeeds, the client performs its read or write on the data in the encryption zone, with the cryptographic operations carried out by calling the HSM; the zone's master key never leaves the cryptographic module, and the NameNode only ever holds the wrapped EDEK, never a plaintext DEK. At the big data application layer, SecBD provides access monitoring for HBase tables and columns and implements secure cell-level storage for HBase.
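The ticket-based single sign-on of the previous section and the encryption-zone flow above, run end to end as an added simulation. This is constructed example code, not SecBD's, SecKMS's or Hadoop's own code: the AuthService, KMS and NameNode classes, the ticket format and the right name DECRYPT_EEK (borrowed from Hadoop KMS ACL terminology) are assumptions, and an HMAC-SHA256 counter-mode keystream stands in for AES-CTR or SM4-CTR so the script runs on the Python standard library alone. The sample file contents are made up.

```python
import hashlib
import hmac
import json
import os
import time


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 in counter mode). Stands in for AES-CTR/SM4-CTR
    so the example is self-contained; do not use this in production."""
    out = bytearray()
    for counter, start in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[start:start + 32], block))
    return bytes(out)


class AuthService:
    """Authenticates a user once and issues a signed ticket carrying their rights (single sign-on)."""

    def __init__(self):
        self._ticket_key = os.urandom(32)  # HMAC key; ticket-validating services share it (assumption)
        self._users = {}                   # user -> (salt, password hash, rights)

    def register(self, user, password, rights):
        salt = os.urandom(16)
        self._users[user] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000), set(rights))

    def login(self, user, password, ttl=300):
        salt, digest, rights = self._users[user]
        if not hmac.compare_digest(digest, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)):
            raise PermissionError("bad credentials")
        payload = json.dumps({"user": user, "rights": sorted(rights), "exp": time.time() + ttl}).encode()
        return payload, hmac.new(self._ticket_key, payload, hashlib.sha256).digest()

    def verify(self, ticket):
        """Return the ticket's claims if it is authentic and unexpired, else None."""
        payload, tag = ticket
        if not hmac.compare_digest(tag, hmac.new(self._ticket_key, payload, hashlib.sha256).digest()):
            return None
        claims = json.loads(payload)
        return claims if claims["exp"] > time.time() else None


class KMS:
    """Holds each zone's master key (the HSM-protected key in the text) and only ever
    hands out wrapped (EDEK) or unwrapped DEKs, never the master key itself."""

    def __init__(self, auth):
        self._auth, self._master_keys = auth, {}

    def create_key(self, name):
        self._master_keys[name] = os.urandom(32)

    def generate_encrypted_key(self, name):
        """NameNode call on file creation: a fresh DEK, returned only in wrapped form."""
        dek, iv = os.urandom(32), os.urandom(16)
        return iv, _keystream_xor(self._master_keys[name], iv, dek)

    def decrypt_encrypted_key(self, ticket, name, iv, edek):
        """Client call: the ticket must be valid and must grant DECRYPT_EEK on this key."""
        claims = self._auth.verify(ticket)
        if claims is None or f"DECRYPT_EEK:{name}" not in claims["rights"]:
            raise PermissionError(f"not permitted to unwrap DEKs under {name}")
        return _keystream_xor(self._master_keys[name], iv, edek)


class NameNode:
    """Keeps per-file metadata (zone key name, IV, EDEK); it never sees a plaintext DEK."""

    def __init__(self, kms):
        self._kms, self._files = kms, {}

    def create_file(self, path, zone_key):
        self._files[path] = (zone_key,) + self._kms.generate_encrypted_key(zone_key)

    def file_info(self, path):
        return self._files[path]


def client_write(nn, kms, blocks, ticket, path, zone_key, plaintext):
    nn.create_file(path, zone_key)
    key_name, iv, edek = nn.file_info(path)
    dek = kms.decrypt_encrypted_key(ticket, key_name, iv, edek)
    file_iv = os.urandom(16)
    blocks[path] = file_iv + _keystream_xor(dek, file_iv, plaintext)  # what the DataNodes store


def client_read(nn, kms, blocks, ticket, path):
    key_name, iv, edek = nn.file_info(path)
    dek = kms.decrypt_encrypted_key(ticket, key_name, iv, edek)      # raises if the ticket lacks the right
    blob = blocks[path]
    return _keystream_xor(dek, blob[:16], blob[16:])


def demo():
    """Run the flow for a permitted user, a user without the right, a forged ticket and an expired one."""
    auth = AuthService()
    auth.register("alice", "hunter2-but-longer", {"DECRYPT_EEK:hr-zone"})
    auth.register("mallory", "letmein", set())
    kms, blocks = KMS(auth), {}
    kms.create_key("hr-zone")
    nn = NameNode(kms)
    secret = b"bob,120000\ncarol,135000\n"  # constructed sample file contents
    alice = auth.login("alice", "hunter2-but-longer")
    client_write(nn, kms, blocks, alice, "/hr/salaries.csv", "hr-zone", secret)
    results = {"roundtrip": client_read(nn, kms, blocks, alice, "/hr/salaries.csv") == secret,
               "stored_is_ciphertext": b"120000" not in blocks["/hr/salaries.csv"]}
    mallory = auth.login("mallory", "letmein")
    forged = (mallory[0].replace(b'"rights": []', b'"rights": ["DECRYPT_EEK:hr-zone"]'), mallory[1])
    for label, ticket in (("mallory_denied", mallory), ("forged_ticket_rejected", forged),
                          ("expired_ticket_rejected", auth.login("alice", "hunter2-but-longer", ttl=-1))):
        try:
            client_read(nn, kms, blocks, ticket, "/hr/salaries.csv")
            results[label] = False
        except PermissionError:
            results[label] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The point to take from the simulation is where the checks sit: the NameNode stores only the EDEK, the KMS validates the ticket's signature and expiry before it even looks at the requested right, and a client that cannot unwrap the EDEK gets no DEK and therefore nothing but ciphertext from the DataNodes.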
·Monitoring and auditing
SecBD also provides access control at several levels, including select and insert, allowing administrators to use table-level controls to govern access to rows and columns. Through privileges such as SELECT and INSERT, the service monitors every schema object in the Hive metastore.
Product advantages >>
·SecBD provides an independent ticket validation mechanism: a user must be authenticated and hold a ticket before accessing node services.
·The master key of a user's encryption zone is protected by a hardware cryptographic module; SecBD guarantees both the security and the recoverability of the master key.
·A job is granted authority only after the user's identity has been authenticated.
·The underlying cryptographic resources support clustered modules, with load balancing to improve device availability.
·The key management system is deployed to match the device cluster, and key data is stored in the database with high performance.
·Key management and key backup run synchronously, preventing the loss of keys if a device fails.
·Keys of every type are generated by OSCCA-approved hardware, ensuring high key quality.
·Supports the international algorithms RSA and AES as well as the Chinese SM2 and SM4 algorithms; supports signature verification, data encryption and decryption, and digital envelopes.