GraphConnect Europe 2016 - Securely Deploying Neo4j into AWS - Benjamin Nussbaum
1. Securely Deploy Neo4j in AWS
Welcome!
by Benjamin Nussbaum
@bennussbaum | ben@graphgrid.com
a platform by
2. Why is Security Important?
security incidents are on the rise and costly
• Nearly 40% YoY Increase
• Over 169M Records Exposed
• AVG Cost of $154 per Record
According to research done by PwC on the state of information security within enterprises, 2015 saw known security incidents increase by 38% from the year prior. http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey.html
According to ITRC Data Breach Reports, over 169 million records were exposed in 2015, stemming from 781 publicized breaches across financial, business, education, government and healthcare. http://www.idtheftcenter.org/images/breach/DataBreachReports_2015.pdf
According to research done by IBM/Ponemon, the average global cost was $154 per each lost or stolen record containing confidential or sensitive data. http://www-03.ibm.com/security/data-breach/
3/5/16
3. Why is Security Important?
the users of your software don’t know
• Being Responsible
It’s your responsibility to treat your users’ data securely because they don’t really know any better: they likely assume you do, or take the "ignorance is bliss" approach.
4. Where does Security Start?
security is a culture and a frame of mind
• Personnel
To build and manage a secure software deployment you need a culture of security. Your team is your most important security asset. Build awareness of security on all fronts: Social, Personal and Technical.
5. Does Security Differ by Cloud?
security features vary greatly by cloud provider
• AWS
• Azure
AWS has a very robust security architecture that can be leveraged with granular control to achieve a solid technical security implementation.
Azure has some similar offerings w.r.t. network isolation and security groups, but there are some differences.
** Features change all the time, so check with your cloud provider documentation.
6. Getting More Technical
but not that much
• SSL in Flight
• Enable Neo4j on 7473 for https
Regardless of your cloud provider, always use SSL when routing data, even within your network. Neo4j gives you the option to configure https usage, which will take advantage of SSL.
7. How can I Deploy to AWS?
several options for rolling your own cloud deployment
• CloudFormation
• Manual or Package Install
• Docker on ECS
• Provision with Chef
Use CloudFormation Template https://github.com/neo4j-contrib/ec2neo
Use Tarball and install manually, or use the Debian or Yum package manager to install
Use Neo4j with Docker and deploy to Elastic Container Service
Provision EC2 instance using Chef https://github.com/michaelklishin/neo4j-server-chef-cookbook
Security NOT Included
8. How Do I Make it Secure?
learning the language
• IAM
• MFA
• VPC
Identity and Access Management (IAM): Provides user and group level permissions for authentication and authorization control to AWS resources.
Multi-Factor Authentication (MFA): Requires users with access to the AWS console to use an additional generated token in addition to their usual password when logging in.
Virtual Private Cloud (VPC): Enables AWS resources to be launched into a private network without being publicly accessible and only accessible when using a VPN client.
9. How Do I Make it Secure?
applying it to neo4j
• IAM
• MFA
• VPC
Identity and Access Management (IAM): This is where your operations team users and groups are managed for who has access to Neo4j within the organization when authenticated on the VPN.
Multi-Factor Authentication (MFA): This is another layer of security for users within the organization to prevent access to privileged accounts that have access to Neo4j data resources.
Virtual Private Cloud (VPC): Deploy Neo4j in a VPC to restrict access to internal infrastructure and authorized personnel with the correct VPN access.
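The IAM and MFA slides describe the policy in words: operations users get permissions through IAM, and MFA gates the privileged ones. The following Python model, added here as an illustration and not taken from the deck or from GraphGrid, shows how those two ideas combine in an IAM policy document and how IAM decides a request. The policy itself is constructed (the ec2 actions are a stand-in for whatever the Neo4j operations role really needs); the condition key `aws:MultiFactorAuthPresent` and the `Bool` / `BoolIfExists` operators are real IAM constructs, while `evaluate` is a deliberately small model of IAM's "explicit deny wins, otherwise an allow is required" rule.

```python
import fnmatch

# Constructed example policy (an assumption, not GraphGrid's real policy): operations
# staff may read EC2 state without MFA, may change it only with MFA, and may never
# terminate an instance unless MFA was used. The Deny uses BoolIfExists so that a
# request with no MFA information at all (key absent) is still denied.
OPS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
        {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}


def _action_matches(pattern, action):
    # IAM action patterns use '*' as a wildcard and compare case-insensitively;
    # fnmatch on lower-cased strings is close enough for this model.
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _condition_matches(condition, context):
    # Only the two boolean operators used in OPS_POLICY are modelled.
    for operator, pairs in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, expected in pairs.items():
            if key not in context:
                if operator == "Bool":
                    return False      # Bool never matches a missing key
                continue              # BoolIfExists treats a missing key as a match
            if context[key] != expected:
                return False
    return True


def evaluate(policy, action, context):
    """Return 'allow', 'explicit-deny' or 'implicit-deny' for one action.

    Mirrors IAM's decision order: any matching Deny wins outright, a matching
    Allow grants access, and with neither the request is implicitly denied.
    `context` holds request condition keys as IAM string values ("true"/"false").
    """
    decision = "implicit-deny"
    for stmt in policy["Statement"]:
        if not _action_matches(stmt["Action"], action):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit-deny"
        decision = "allow"
    return decision


if __name__ == "__main__":
    for action, ctx in [("ec2:DescribeInstances", {}),
                        ("ec2:StartInstances", {}),
                        ("ec2:StartInstances", {"aws:MultiFactorAuthPresent": "true"}),
                        ("ec2:TerminateInstances", {}),
                        ("ec2:TerminateInstances", {"aws:MultiFactorAuthPresent": "true"})]:
        print(f"{action:<26} mfa={ctx.get('aws:MultiFactorAuthPresent', 'absent'):<6} -> "
              f"{evaluate(OPS_POLICY, action, ctx)}")
```

The point to take from the `TerminateInstances` cases is the difference between the two operators: a `Bool` condition on a missing key simply does not apply, so a "deny unless MFA" rule written with `Bool` would let an MFA-less request through to the implicit default; `BoolIfExists` closes that gap.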
10. How Do I Make it Secure?
gaining access
• VPN
• DirectConnect
OpenVPN can be used to authenticate a user for VPC access and is as little as $9.60 per connection per year. This makes it quite affordable, even for startups.
Direct Connect establishes a dedicated network connection from your premises (i.e. data center, office, etc.) to your VPC in AWS, which is a great option for enterprises introducing cloud into their architecture.
11. How Do I Make it Secure?
learning the language
• Security Group
• Network ACL
• S3 ACLs
Security Groups control inbound and outbound traffic. They operate at the instance level and support only allow rules.
Network Access Control List (ACL): controls inbound and outbound traffic for one or more subnets. This is where your broad sweeping port decisions are made for public versus private.
S3 Access Control Lists (ACLs): Define the accounts and groups with access, and the type of access, to a bucket or an object.
12. How Do I Make it Secure?
applying it to neo4j
• Security Group
• Network ACL
• S3 ACLs
A Security Group adds additional allow rules to the Neo4j instance for traffic in/out within the VPC.
Network Access Control List (ACL): Keep Neo4j ports private for non-internal infrastructure use only.
S3 Access Control Lists (ACLs): Resources stored in S3 and referenced in Neo4j that would be returned by an application for loading in a browser would be managed here.
14. How Do I Make it Secure?
completely private
• NAT Routing
You can use a network address translation (NAT) instance in a public subnet in your VPC to enable instances in the private subnet to initiate outbound traffic to the Internet or other AWS services, but prevent the instances from receiving inbound traffic initiated by someone on the Internet.
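What makes the NAT pattern "completely private" is the route table attached to each subnet, and the fact that the private instance has no public address to aim at. The Python model below is an added example, not code from the deck or from GraphGrid; the VPC CIDR, subnet names, gateway id (`igw-PLACEHOLDER`) and instance addresses are all constructed. It implements the longest-prefix-match lookup AWS route tables use and then audits which subnets reach the Internet directly through the gateway.

```python
import ipaddress

# Constructed VPC layout for the slide's NAT pattern (all values are assumptions):
# a public subnet holding the NAT instance and a private subnet holding Neo4j.
# A route table maps a destination CIDR to a target; AWS applies the most
# specific matching route (longest prefix), so "local" wins for VPC addresses.
VPC_CIDR = "10.0.0.0/16"
ROUTE_TABLES = {
    "public-rt":  [(VPC_CIDR, "local"), ("0.0.0.0/0", "igw-PLACEHOLDER")],
    "private-rt": [(VPC_CIDR, "local"), ("0.0.0.0/0", "nat-instance")],
}
SUBNETS = {
    "public":  {"cidr": "10.0.0.0/24", "route_table": "public-rt"},
    "private": {"cidr": "10.0.1.0/24", "route_table": "private-rt"},
}
INSTANCES = {
    "nat":   {"subnet": "public",  "private_ip": "10.0.0.10", "public_ip": "198.51.100.10"},
    "neo4j": {"subnet": "private", "private_ip": "10.0.1.10", "public_ip": None},
}
ANY_INTERNET_ADDRESS = "203.0.113.1"   # documentation range, stands in for "the Internet"


def resolve_route(route_table, dst_ip):
    """Longest-prefix match over one route table; None if no route matches."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in ROUTE_TABLES[route_table]:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def outbound_target(instance, dst_ip):
    """Where traffic that `instance` originates towards dst_ip is handed off."""
    subnet = SUBNETS[INSTANCES[instance]["subnet"]]
    return resolve_route(subnet["route_table"], dst_ip)


def accepts_internet_initiated(instance):
    """Internet-initiated traffic needs a public address to target and a subnet
    whose default route is the Internet Gateway. A NAT instance only forwards
    replies to flows the private side started, so a private instance fails both."""
    inst = INSTANCES[instance]
    default = resolve_route(SUBNETS[inst["subnet"]]["route_table"], ANY_INTERNET_ADDRESS)
    return inst["public_ip"] is not None and default is not None and default.startswith("igw-")


def subnets_exposed_via_igw():
    """Audit helper: subnets whose default route leaves through the Internet
    Gateway. Anything meant to be private must not appear in this list."""
    exposed = []
    for name, subnet in SUBNETS.items():
        target = resolve_route(subnet["route_table"], ANY_INTERNET_ADDRESS)
        if target and target.startswith("igw-"):
            exposed.append(name)
    return exposed


if __name__ == "__main__":
    print("neo4j -> Internet via:", outbound_target("neo4j", ANY_INTERNET_ADDRESS))
    print("neo4j -> nat via:", outbound_target("neo4j", "10.0.0.10"))
    print("Internet can initiate to neo4j:", accepts_internet_initiated("neo4j"))
    print("subnets routed straight to the IGW:", subnets_exposed_via_igw())
```

Run against a real account, the same two checks translate directly: list each route table's `0.0.0.0/0` target and confirm that the subnets hosting Neo4j point at the NAT, not an `igw-` id, and that those instances have no public or Elastic IP attached.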
16. How Does GraphGrid Do It?
bringing it all together
• There’s A LOT to Know
• This Provided a Starting Point
Those are the security layers you get to work with in AWS, and the reality is there is just a lot to know and be thinking about holistically as an organization about personnel and infrastructure as they relate to information security.
You now know what components you have to work with, some recommended practices, and the connection point to Neo4j. It’s now a matter of learning how to configure those correctly together and establishing a security-minded culture.
17. How Does GraphGrid Do It?
Region: US-WEST-2 (Oregon)
Virtual Private Cloud: 172.128.0.0/16

Availability zone, subnet and instance (one Neo4j instance per AZ):
US-WEST-2A: VPC Subnet 172.128.1.0/26   - Neo1 - HN: neo1.graphgrid.com, PVT: 172.128.1.1,   PUB: 54.16.129.21
US-WEST-2B: VPC Subnet 172.128.1.64/26  - Neo2 - HN: neo2.graphgrid.com, PVT: 172.128.1.64,  PUB: 54.16.132.12
US-WEST-2C: VPC Subnet 172.128.1.128/25 - Neo3 - HN: neo3.graphgrid.com, PVT: 172.128.1.129, PUB: 54.16.4.196

Route table (the same for all three subnets):
0.0.0.0/0      -> Internet Gateway
172.128.0.0/16 -> Local
Public IP Auto-assigned: Yes

Neo Security Group
INBOUND:
ALLOW ALL 172.128.1.0/26
ALLOW ALL 172.128.1.64/26
ALLOW ALL 172.128.1.128/25
OUTBOUND:
ALLOW ALL 0.0.0.0/0

Private DNS
neo1.graphgrid.com - 172.128.1.1
neo2.graphgrid.com - 172.128.1.65
neo3.graphgrid.com - 172.128.1.129
neos.graphgrid.com - elb-slave-private
neom.graphgrid.com - elb-master-private
neoa.graphgrid.com - elb-available-private

EBS Data Volumes Mounted
- Encryption Optional
EBS Snapshots
- Offline Backups
- Online Restores
S3 Storage
- Online Backups
- Online Restores
ELB Endpoints
- Master
- Slave
- Available
- Added to all Subnets
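The "Neo Security Group" on this slide is the concrete form of the rule from slide 11: allow rules only, with everything else implicitly dropped. The Python below, an added example rather than anything from the deck or from GraphGrid, encodes the slide's VPC, subnets and security group exactly as drawn and evaluates sample flows against them, so you can see which sources reach the Neo4j ports and which are refused. The `sg_allows` evaluator and the layout checks are simplified models written for this page; the peer addresses fed to them are constructed test values.

```python
import ipaddress

# Addressing taken from the slide's architecture diagram.
VPC = ipaddress.ip_network("172.128.0.0/16")
SUBNETS = {
    "us-west-2a": ipaddress.ip_network("172.128.1.0/26"),
    "us-west-2b": ipaddress.ip_network("172.128.1.64/26"),
    "us-west-2c": ipaddress.ip_network("172.128.1.128/25"),
}

# "Neo Security Group" from the diagram. Each rule is
# (protocol, from_port, to_port, peer CIDR); "all" means any protocol and port.
INBOUND = [
    ("all", 0, 65535, "172.128.1.0/26"),
    ("all", 0, 65535, "172.128.1.64/26"),
    ("all", 0, 65535, "172.128.1.128/25"),
]
OUTBOUND = [("all", 0, 65535, "0.0.0.0/0")]


def sg_allows(rules, proto, port, peer_ip):
    """Security group semantics: the first matching allow rule permits the flow;
    with no match the flow is implicitly denied. Groups are also stateful, so
    the reply to a permitted request needs no rule of its own."""
    peer = ipaddress.ip_address(peer_ip)
    for rule_proto, lo, hi, cidr in rules:
        proto_ok = rule_proto == "all" or rule_proto == proto
        if proto_ok and lo <= port <= hi and peer in ipaddress.ip_network(cidr):
            return True
    return False


def subnet_for(ip):
    """Name of the subnet an address belongs to, or None if it is not in any."""
    addr = ipaddress.ip_address(ip)
    for name, net in SUBNETS.items():
        if addr in net:
            return name
    return None


def check_layout():
    """Sanity checks a reviewer would run on the diagram: every subnet lies
    inside the VPC block and no two subnets overlap. Returns a list of problems."""
    problems = []
    for name, net in SUBNETS.items():
        if not net.subnet_of(VPC):
            problems.append(f"{name} {net} is outside VPC {VPC}")
    nets = list(SUBNETS.items())
    for i in range(len(nets)):
        for j in range(i + 1, len(nets)):
            if nets[i][1].overlaps(nets[j][1]):
                problems.append(f"{nets[i][0]} overlaps {nets[j][0]}")
    return problems


if __name__ == "__main__":
    print("layout problems:", check_layout() or "none")
    # Constructed sample flows towards the Neo4j https port on slide 6 (7473).
    for peer in ("172.128.1.129", "172.128.2.5", "54.16.129.21", "203.0.113.9"):
        verdict = "allow" if sg_allows(INBOUND, "tcp", 7473, peer) else "deny"
        print(f"inbound tcp/7473 from {peer:<14} (subnet {subnet_for(peer)}): {verdict}")
```

Two things the sample flows make visible: a source elsewhere in the VPC (172.128.2.5) is refused because the group lists the three subnets rather than the whole /16, and a packet arriving from one of the instances' own public addresses (54.16.129.21) is refused too, since only traffic that stays on private addressing matches the rules. That is the behaviour you want; it also means any later subnet added for Neo4j must be added to the group explicitly.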
18. How Can GraphGrid Help Me?
leverage a secure foundation
• Let GraphGrid Do It
• We’ve Already Put It All Together
GraphGrid provides all this security and more right out of the box, and we have external Infosec partners validate. So if you prefer to not undertake this challenge on your own, we’ve got you covered. We securely deploy and fully manage Neo4j in AWS.
19. Securely Deploy Neo4j in AWS
Thank You!
by Benjamin Nussbaum
@bennussbaum | ben@graphgrid.com