Embed Size (px)
Citation preview
Getting Started with Baffle Data Protection Services
Overview
This guide provides an overview of Baffle Manager and Baffle Shield configuration steps to get started with Baffle Data Protection Services.
Baffle Data Protection Services provide a range of data encryption, tokenization and de-identification methods to protect data in data stores and cloud storage environments. Baffle integrates with key management stores via a key virtualization layer as well as providing its own local key store to enable customers to use their own keys to apply protection to data in the cloud.
Common methods used for data protection supported by Baffle are column or field level encryption, tokenization, format preserving encryption (FPE), dynamic data masking, and record level encryption.
Simplified Configuration Steps
From a simplified view, to configure Baffle and enable field level encryption, the following steps need to be completed:
1. Configure Baffle Manager – the administrative console
2. Connect to a Keystore to act as a source for encryption keys
3. Connect to your data store
4. Configure a Baffle Shield
5. Define a data protection policy to encrypt specific fields
Baffle Data Protection Services
Pre-Requisites and System Requirements (Minimum)
Whether you use Baffle Professional Services to perform your deployment testing or your organization does so independently as part of planning, ensure that your test environment meets the following system requirements at minimum.
Component Requirements
Baffle Component
Operating
SystemvCPU Memory Initial
Space Java
Baffle Manager CentOS 7 2 8 GB 64 GB OpenJDK Java 1.8
Baffle Shield RHEL 7 or CentOS 7 equivalent
4 8 GB 64 GB3 OpenJDK Java 1.8
Database RHEL 6.8 or CentOS equivalent
16 256 GB 512 GB OpenJDK Java 1.8
Data Encryption
Data Schema • Number of columns to be encrypted
• Data types and column field names
• Number of rows in table(s)
• Database size; Indexing, if any
Application • Identify the application and associated data for testing (for example, Microsoft SQL Server 2014 or later).
• Set aside a copy of the application and data to expedite troubleshooting and diagnostics.
• Provide test data that is encoded using UTF-8 character set.
Key Storage • Provide a supported key storage solution (see Key Management Support in "Baffle Release Notes").
• Provide associated encryption keys.
• Host in AWS and make available to Baffle infrastructure.
1Baffle delivers this host as an AMI via binaries, depending on your deployment preference.
Overview of Baffle Architecture
Baffle Manager Communications
Port Requirements
BaffleManager enables encryption policies and configurations by communicating with the BaffleShield and databases. BaffleManager constructs a privacy schema that maps key IDs to data columns to enable encryption in a simplified manner.
The following table lists the ports that you need to open on respective systems to enable BaffleManager communications. This task is part of the deployment process outlined in (Start Here) Deploy Baffle Advanced Data Protection.
Host Port Required Direction Purpose
Baffle Manager 22 Inbound Console access
Baffle Manager 80 Inbound Binary downloads
Baffle Manager 443 Inbound Web interface access
Baffle Manager 8443 Inbound BaffleShield client access
Baffle Manager 8553 Inbound BaffleShield client access
Baffle Manager 22 Outbound BaffleShield configuration
Baffle Manager 1433 Outbound Database schema mapping
Baffle Manager 5696 Outbound KeySecure access
Baffle Shield 22 Inbound Console and BaffleManager access
Baffle Shield 8444 Inbound Application communication
Baffle Shield 80 Outbound Binary file retrieval from BaffleManager
Baffle Shield 14331 Outbound Database access
Baffle Shield 5696 Outbound KeySecure access
Baffle Shield 8443 Outbound BaffleManager communications
Baffle Shield 8553 Outbound BaffleManager communications
Database Server
14332 Inbound BaffleManager and BaffleShield
KeySecure 5696 Inbound BaffleManager and BaffleShield key config and retrieval
1 For SQL Server default port communications
2 For SQL Server default port communications
Configure an EC2 instance for Baffle Shield
Launch an EC2 instance that is appropriately sized for your environment. Issue the following bootstrap commands in the Advanced Details section for AWS.
#!/bin/bashsudo suyum install java-1.8.0-openjdk-devel -y
Step 1. Launch and Configure the Baffle Manager AMI from AWS Marketplace
1. Search for Baffle in the AWS Marketplace or click the link here – Baffle Data Protection Services
2. Once the instance is running navigate to the site via HTTPS. For example, https://192.168.1.1 as an address.
Because the instance is bootstrapped with a self-signed certificate, you will receive an invalid CA warning. Select the browser option to “proceed”. (You will have the opportunity to upload and use your organization’s certificate later in the setup process.). The following screen should appear:
This inidicates that the Baffle Manager is currently in a locked state.
3. To unlock the Baffle Manager, access the system via SSH using “baffle” as the username. Execute the following command to get the unlock code.
sudo more /opt/baffle/baffle-manager/initpass
4. Paste the unlock code into the Password field in your web browser and click CONTINUE.
5. Configure System Settings. You will be prompted for hostname and domain settings. All system users must have this domain name as part of this email going forward.
6. Configure Email Settings. The next screen requires you to configure email settings. This allows BaffleManager to send email to provide notifications and for password resets. Enter the SMTP server to use as well as the credential to use to authentication to the SMTP server. An example is shown in the screenshot below:
7. Create Admin Account. The screen below prompts you to create the initial Baffle Manager administrator account. This account is used to configure the subsequent components such as the key management store, data store connections, and Baffle Shields.
8. Configure Credential Keystore. This configuration screen establishes an encrypted credential store for any system access credential or access key that the Baffle Manager or Baffle Shield utilize.
Select LOCAL for Keystore type. For Secret Key, enter any random string which will be used to generate a random key to encrypt the keystore Config Password. For Config Password, enter a a secure password or passphrase to secure the actual keystore.
9. Install SSL Certificate. This configuration step allows you to install an SSL certificate to secure access to the Baffle Manager web interface. Upload the certificate and key file for your organization or respective CA to enable SSL for the Baffle Manager console.
10. This should complete the initial setup process and bring you to the logon page stating the that setup was successful.
11. Enter the credentials for the administrator account you created in Step 7 above to login and start the additional Baffle Manager configuration tasks.
Step 2. Connect to a Keystore
Before you can enroll your applications and databases and enable encryption, you must enroll your Keystore so that Baffle Manager can access and/or create data encryption keys (DEKs) that will be used to protect your data.
Baffle Data Protection Services supports various Keystore vendors using industry standard protocols such as KMIP, PKCS#11, and REST APIs (see Support in "Baffle Release Notes"). Follow the steps below to enroll a Keystore for use with Baffle Shields and databases.
1. After logging into Baffle Manager, click on the Key icon on the left hand navigation panel to display a listing of configured Keystores.
If this is the first Keystore enrollment, there will only be the “baffle_credential_store” present that was created during the system configuration steps.
Click on the +KEYSTORE button to add a new Keystore.
2. Add a Keystore. A dialog window to “Add Keystore” will appear. Enter a Keystore name and Description. Specify the Keystore Type from the dropdown menu and enter respective parameters for the Keystore selected. Keystore parameters are specific to the Keystore type or vendor. When completed, click on the “Add Keystore” button.
Example of a Local Keystore configuration:
Example of an AWS KMS configuration:
Step 3. Connect to a Data Store
In this section, you will configure a connection to a database which allows Baffle Manager to enumerate fields or columns that can be selected as part of a data privacy policy to enable field level encryption.
1. Start the Data Store Configuration. Click on the database icon on the left hand navigation panel to reveal listing of configured data stores.
2. Enroll a Data Store. Click on the +DATABASE button to add a Data Store. Enter a database name and description.
3. Specify the Data Store type, hostname or IP and Port to connect to the database.
4. Enter the Data Store credentials.
5. Select Use SSL to enable an SSL/TLS connection to the database.
6. Below is an example of a Microsoft SQL Server configuration.
7. Click Add Database to complete enrollment. The listing of Data Stores will be shown similar to the below screen.
Step 4. Configure a Baffle Shield
This section will install and configure a Baffle Shield that can be used to enforce a Data Protection Policy and encrypt data in the Data Stores configured in the previous section.
1. Add a Baffle Shield. Click on the Shield icon on the left hand navigation panel. This will display a listing of available Baffle Shields. Click on the +BAFFLE SHIELD button in the upper right hand corner.
2. Configure Baffle Shield. Enter a Baffle Shield Name and Description.
3. Select Automated Deployment for Deployment Model.
4. Enter a Username to access the Baffle Shield EC2 Instance that was launched as a pre-requisite for deployment.
5. Specify the Hostname or IP Address of the Baffle Shield
6. Enter a Port number that the Baffle Shield will listen on for application connections to the data store. The default port is 8444.
7. Select SSL if the data store connection uses SSL.
8. Select Use SSH Key if SSH keys will be used for secure access from the Baffle Manager to the Baffle Shield. Specify the SSH key to be used with this option.
9. Optionally, a username and password can be used to access the Baffle Shield.
10. Click Add Baffle Shield to complete this process. A listing of configured Baffle Shields will be displayed.
Step 5. Define a Data Protection Policy and Encrypt Data
This section walks through creating an Data Protection Policy to select columns for encryption and keys that will be used for the encryption process. Upon completion of creating the Data Protection Policy, you can migrate data through a Baffle Shield and encrypt the existing data in the data store.
The creation of a Data Protection Policy establishes a Privacy Schema that Baffle Shields use to present the original data schema to a respective application while handling the encrypt and decrypt operations transparently for the configured fields.
1. List Applications. Click on the Applications Icon in the left hand navigation panel. The listing of defined Data Protection Policies will be displayed as Applications.
2. Create a Data Protection Policy Mapping. Click on +APPLICATION.
3. Enter an Application Name and Description.
4. Choose a Baffle Shield from the drop down that was configured in the above Step 4.
5. Select a Data Store to apply data protection.
6. Select the Keystore to be used as a source for data encryption keys.
7. Specify the operational mode for the Baffle Shied. Leave Workload Capture Off unless profiling an application.
8. Specify Column Level for the Encryption Method.
9. Click Enroll Application.
10. Below is an example of creating a Data Protection Policy for Microsoft SQL Server
11. The listing of Applications will display this Data Protection Policy
12. Define the Data Protection Policy. Click on the Application configured in the steps above. A side bar will display such as the one shown below. Click on the ENCRYPT button to define the policy.
13. Select fields for encryption. A data schema navigator will open for the configured data store.
Clicking on a data store and table will drill down through the navigator.
14. Select columns for encryption and the respective encryption mode.
15. Specify Key IDs for use to encrypt specific columns.
16. Click NEXT to proceed to a confirmation screen. Click ENCRYPT to start the encryption and migration process.
17. The Applications listing will show the data migration process in progress.
18. To Decrypt data, click on the application again, and select DECRYPT and select columns for decryption.
Summary
You have now completed configuration of the Baffle Manager, Baffle Shields and created a Data Protection Policy to protect your data.
