October 21, 2014 | Written by: Rakesh Ranjan
Share this post:
There is a division of responsibility when you put your database to work in the cloud. An infrastructure as a service (IaaS) provider, such as IBM SoftLayer, secures the physical components while responsibility to secure information rests with the application developer. Of course, the software as a service (SaaS) vendor must provide the developers and technology to secure the application, and the service must run on a platform that supports security as a fully integrated stack and not as an add-on layer. IBM Bluemix is a platform as a service (PaaS) that provides functional, infrastructure, operational, network and physical security for the core platform.
By default, a database uses unencrypted connections between the client and the server. This means that someone with access to the network could watch all your traffic and look at the data being sent or received. They could even change the data while it is in transit between the client and the server.
When you need to move information over a network in a secure fashion, an unencrypted connection is unacceptable. Encryption is necessary to make any kind of data unreadable. Encryption algorithms must include security elements to resist many kinds of known attacks, such as attempts to change the order of encrypted messages or replay data twice.
The IBM Analytics Warehouse for Bluemix is already configured for a secure connection using a Secure Sockets Layer (SSL) certificate. SSL is a protocol that uses different encryption algorithms to ensure that data received over a public network can be trusted. It has mechanisms to detect any data change, loss or replay. SSL also incorporates algorithms that provide identity verification using the X509 standard. X509 makes it possible to identify someone on the Internet. It is most commonly used in e-commerce applications.
In basic terms, there should be a certificate authority (or CA) that assigns electronic certificates to anyone who needs them. Certificates rely on asymmetric encryption algorithms that have two encryption keys, a public key and a secret key that is held by the owner. A certificate owner can show the certificate to another party as proof of identity. Any data encrypted with the public key can be decrypted only by using the corresponding secret key.
In Bluemix, the Analytics Warehouse service provides a rich set of built-in security capabilities to help clients meet their security, privacy and compliance needs. They include:
• Encryption for data at rest: By default, the Analytics Warehouse service in Bluemix uses an encrypted database. The encryption uses Advanced Encryption Standard (AES) in cipher block chaining (CBC) mode with a 256 bit key. Encryption and key management are totally transparent to applications and schemas. Additionally, the service administrator manages the master key rotation period. Database and tablespace backup images are automatically compressed and encrypted. As with online data, backup images are also encrypted using AES in CBC mode with 256 bit keys. Data is compressed first and then encrypted.
• Encryption for data in transit: SSL is supported for safeguarding both the database traffic as well as the web console traffic.
• Trusted contexts: This feature allows clients to further restrict when a user can exercise a particular privilege. For example, a client can easily implement a rule that permits connecting to the database only from a given IP address. Additionally, for three-tiered applications, trusted contexts allow the mid-tier application to assert the end user identity to the database for access control and auditing purposes.
The Analytics Warehouse service is primarily used in two different ways.
• Application developers and data scientists launch the web-based console to develop a statistical and predictive analytic application using built-in R and R-studio features.
• Application developers and data scientists use their own machine learning algorithm to develop an application in the language of their choice and then use the Analytics Warehouse database to push that application to Bluemix
SecureBLU is an application hosted on Bluemix that demonstrates the approaches an application developer can take to secure an application while accessing a database in the cloud.
Here are the steps to develop an application that uses an SSL certificate to securely connect to the Analytics Warehouse service:
1. Sign up for IBM Bluemix, if you haven’t already done so.
2. Add an application (you can use a simple Java web starter from a boilerplate).
3. Add a service. Browse the Analytics Warehouse service under the Big Data category and bind this service to your application.
4. Click on the service tile and then click the launch button. You will be taken to the web console using single sign-on (SSO).
5. On the Setup menu, click Connect Applications. This page will provide you all the information you need to connect your client application securely, including the SSL port number and a downloadable SSL certificate.
6. Download the SSL certificate and save it on your laptop, noting the database, host and port information.
7. Launch the SecureBLU application, provide the necessary information and connect to the Analytics Warehouse service. Click on some of the sample queries provided.
8. On the application home page, click Get the Code to access the application code and learn how you can build your own secure application.
Learn more about data security in the cloud by reading the six-part blog series by Walid Rjaibi.
I’m interested in hearing about your experiences with database security using IBM Bluemix. Leave a comment below or connect with me on Twitter @ranjans to join the conversation.