As data ecosystems evolve security becomes a paramount concern, especially within the realm of private cloud environments. Cloudera on Private Cloud with the Private Cloud Base (CDP PvC Base) stands as a beacon of innovation in the realm of data security, offering a holistic suite of features that work in concert to safeguard sensitive information. With the latest 7.1.9 release, the journey towards a more secure data ecosystem continues—one where businesses can unlock the full potential of their data with peace of mind.
How does this release elevate security?
Cloudera on private cloud integrates a unified security platform that orchestrates the full spectrum of security measures. From access controls and identity management to encryption and auditing, this comprehensive approach ensures that every facet of your data ecosystem is protected against potential threats and vulnerabilities. This latest version delivers security enhancements for data at rest, data in transit, and Federal Information Processing Standards (FIPS) compliance, as well as compliance with various regulatory requirements.
Platform security for data in transit
The platform uses transport layer security (TLS) and secure socket layer (SSL) protocols to establish a secure communication channel between different components of the platform for better privacy and data integrity. Using a cryptographic protocol safeguards data from being intercepted or modified during transit, thwarting potential cyber threats. Therefore, it is critical to update security protocols to adapt to the changing threat landscape and defend against the latest attack methods.
This version securely leaps forward by offering TLS version 1.2, which delivers a refined set of cipher suites, strengthened cryptographic algorithms, and a robust handshake process for improved security and resilience. Additionally, the release introduces Oracle TCP/IP using SSL (TCPS) support to facilitate secure communication between PvC Base components and Oracle backend DB. This ensures data administration and monitoring happens securely through the TCPS connection protocol.
Enhancing encryption for data at rest
Several data at rest encryption mechanisms such as key management systems (KMS) ensure that sensitive information is shielded from potential threats and unauthorized access. The latest release uses Ranger KMS to provide unified key management services for encryption in lieu of key trustee server (KTS). This enhances customer experience, as this centralized approach streamlines policy management and ensures consistency in access control rules. Furthermore, for existing users of KTS, import of keys from KTS and NavEncrypt as well as automation of NavEncrypt nodes from old KTS servers to Ranger KMS servers has been streamlined so data encryption and security remains uncompromised.
In this latest version, perimeter security is enhanced as well. The Knox HttpFS feature provides a secure way to access HDFS resources through a web interface using HTTP methods. Additionally, Knox token authentication can now be used to establish secure connections and manage user access. Token-based authentication provides efficient and scalable user authentication using tokens, which are easily rolled, renewed, and revoked and therefore, reduce the risk of exposure of user credentials.
Custom Kerberos principals and service users
Isolation is an important concept when securing infrastructure to minimize the potential impact of vulnerabilities. Today, CDP services use default names for Kerberos principals with matching service user names on host machines. However, using the default configuration can extend the accessibility of a single service beyond the cluster it’s installed on in a multi-cluster deployment. To address this, organizations seeking more advanced techniques for segregating multiple clusters can create custom Kerberos principals (CKP) along with corresponding custom service users. The CKP empowers organizations to restrict services from accessing data on clusters belonging to distinct lines of business or projects. It is worth noting that users gain access to this functionality during the process of creating a new cluster or adding a service to an existing cluster.
FIPS 140-2 updates
For organizations entrusted with confidential financial data, healthcare records, or government information, adherence to rigorous security standards like FIPS is not only a strategic choice but also a legal obligation.
Configuring the release to use FIPS 140-2 compliant cryptography within an operating system (OS) configured for FIPS-mode is currently supported for customers deploying on RHEL 7.8 and 7.9. With the addition of Red Hat Enterprise Linux (RHEL) 8.8 FIPS support, customers using RHEL 8.8 can now deploy the platform configured to use FIPS 140-2 compliant cryptography, on an FIPS-mode enabled RHEL 8.8 operating system. There are a number of CDP components that support configurability to use FIPS 140-2 compliant cryptography today. However, as part of our efforts to stay steadfastly aligned with the highest security benchmarks, we have extended the configurability to use FIPS 140-2 compliant cryptography support with the Phoenix, NavEncrypt, Ranger Key Management Service, and Key Trustee Server components. Full list of supported components for FIPS 140-2 are available at the required prerequisites for FIPS for CDP page.
Security vulnerabilities remediation
We take fixing security vulnerabilities seriously! We have an effective vulnerability remediation process that proactively scans, prioritizes, fixes, and monitors common vulnerabilities and exposures (CVE) to demonstrate our commitment to our customers’ security. The 7.1.9 release improved platform security and InfoSec compliance with 100+ resolved critical CVEs. This reduces the attack surface in customer deployments for a more secure ecosystem that prevents vulnerabilities from being exploited at any point.
In this world of technological evolution and the ever-changing landscape of cybersecurity, the proactive effort to keep security protocols up to date is crucial. By enforcing strong encryption mechanisms for data at rest, data in transit for enterprises, and supporting CGI standards for regulated industries, Cloudera on private cloud demonstrates a commitment to maintaining the integrity and availability of their systems and information.
Let us empower your organization to navigate the cybersecurity landscape confidently and effectively with this latest release! If you’re not already on the latest release, get started today! It’s now easier than ever to upgrade or migrate from previous versions to this one. To find your perfect path to 7.1.9, click on our migration and upgrade guide.