trademark

Recommendations

Info

2.0 Security Best Practices for Non-Relational Data Stores (cont.) 2.3 Use transport layer security (TLS) to establish connections and communication 2.3.1 Why? To maintain confidentiality while in transit; to establish trusted connections between the user and server; and to securely establish communication across participating cluster nodes. 2.3.2 How? Implement TLS/SSL (secure sockets layer) encapsulated connections. Ideally, each node is equipped with a unique public/private key pair and digital certificate so that client authentication is enabled. 2.4 Provide support for pluggable authentication modules 2.4.1 Why? To certify users are able to program to pluggable authentication module (PAM) interface by using PAM library API for authentication-related services. 2.4.2 How? Implement support for PAM. Hardening with benchmarks established by the Center for Internet Security and hardening at the operating system (OS) level (e.g., SELinux) can be considered. 2.5 Implement appropriate logging mechanisms 2.5.1 Why? To expose possible attacks. 2.5.2 How? • Implement logging mechanisms according to industry standards, such as the NIST Log CLOUD SECURITY ALLIANCE Big Data Working Group Guidance © Copyright 2016, Cloud Security Alliance. All rights reserved. 14
2.0 Security Best Practices for Non-Relational Data Stores (cont.) Management Guide SP800-92 [KS06] and ISO27002 [ISO05]. • Use advanced persistent threat (APT) logging mechanisms like log4j, etc. For example, ELK Stack (Elasticsearch, Logstash, Kibana) and Splunk can be used for log monitoring and onthe-fly log analysis. 2.6 Apply fuzzing methods for security testing 2.6.1 Why? To expose possible vulnerabilities caused by insufficient input validation in NoSQL that engages hypertext transfer protocol (HTTP) to establish communication with users (e.g., cross-site scripting and injection). 2.6.2 How? • Provide invalid, unexpected or random inputs and test for them. Typical strategies include dumb fuzzing, which uses completely random input, and smart fuzzing, which crafts input data based on knowledge about the input format, etc. • Guidelines are provided by the Open Web Application Security Project (OWASP) (https://www.owasp.org/index.php/Fuzzing), MWR InfoSecurity (https://www. mwrinfosecurity.com/our-thinking/15-minute-guide-to-fuzzing/), etc. Fuzzing should be done at separate levels in a system, including the protocol level, data node level, application level, and so forth. • Use tools for fuzzing, such as Sulley. 2.7 Ensure appropriate data-tagging techniques 2.7.1 Why? To avoid unauthorized modification of data while piping data from its source. 2.7.2 How? Use security-tagging techniques that mark every tuple arriving on a specified data source with a special, immutable security field including timestamp. CLOUD SECURITY ALLIANCE Big Data Working Group Guidance © Copyright 2016, Cloud Security Alliance. All rights reserved. 15
Page 2 and 3: The permanent and official location
Page 4 and 5: Table of Contents (cont.) 3.1.1 Why
Page 6 and 7: Table of Contents (cont.) 8.7 Emplo
Page 8 and 9: Introduction The term “big data
Page 10 and 11: 1.0 Secure Computations in Distribu
Page 12 and 13: 1.0 Secure Computations in Distribu
Page 16 and 17: 2.0 Security Best Practices for Non
Page 18 and 19: 3.0 Secure Data Storage and Transac
Page 20 and 21: 3.0 Secure Data Storage and Transac
Page 22 and 23: 4.0 Endpoint Input Validation/Filte
Page 24 and 25: 4.0 Enpoint Input Validation/Filter
Page 26 and 27: 4.0 Enpoint Input Validation/Filter
Page 28 and 29: 5.0 Real-Time Security/Compliance M
Page 30 and 31: 5.0 Real-Time Security/Compliance M
Page 32 and 33: 6.0 Scalable and Composable Privacy
Page 38 and 39: 7.0 Cryptographic Technologies for
Page 44 and 45: 8.0 Granular Access Control (cont.)
Page 46 and 47: 8.0 Granular Access Control (cont.)
Page 48 and 49: 9.0 Granular Audits It is a best pr
Page 50 and 51: 9.0 Granular Audits (cont.) 9.5 Saf
Page 52 and 53: 9.0 Granular Audits (cont.) 9.10 Cr
Page 54 and 55: 10.0 Data Provenance (cont.) the da
Page 56 and 57: 10.0 Data Provenance (cont.) 10.5 I
Page 58 and 59: 10.0 Data Provenance (cont.) hashed
Page 60 and 61: References [ABC+07] Giuseppe Atenie
Page 62 and 63: References (cont.) [KL10] Seny Kama

trademark

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?