When Migrating to the Cloud, Don’t Leave Your Security Policies Behind
By Tony Velcich, Oct 19, 2020
Organizations are moving more IT resources to hybrid and multi-cloud environments, accelerating automation and digital transformation. In terms of flexibility and speed, there’s simply no competing with the elasticity of the cloud – which is exactly why McAfee found that 97% of organizations already use public or private cloud services, and IDG found that 41% of enterprises are already migrating storage, archiving, backups and other file servers to the cloud.
Yet while organizations gear up to face the challenges of migrating and replicating data and logic to the cloud, the migration and replication of the security policies that constrain access to that data may receive less attention. It shouldn’t.
Primer: What are Ranger and Sentry?
Widely adopted by organizations using the commercial distributions of Hadoop, Ranger and Sentry are two of Hadoop’s most powerful on-prem security tools.
Apache Ranger is a framework to manage data security in Hadoop deployments. It provides centralized security administration, fine-grained authorization and centralized auditing within a single cluster. Ultimately, Ranger provides comprehensive security across the entire Hadoop ecosystem, alongside a central framework for security policy administration and user access monitoring.
Apache Sentry is a system for defining and enforcing fine-grained authorization against Hadoop resources. While Hadoop offers strong security at the filesystem level, it does not provide granular support to secure user and application access to data. Sentry enforces access control to data and data privileges, offering role-based authorization that delivers precise levels of access.
What Happens to Ranger and Sentry in the Cloud?
When organizations extend into either hybrid or pure cloud deployments, they need to transition from the way they implemented security for large-scale on-prem data platforms (like Hadoop) to the new cloud environment. This means finding a way to ensure that security policies defined in platforms like Ranger and Sentry and implemented in their Hadoop environment can be applied, and remain effective, in the cloud.
And this is why WANdisco created the LiveData Ranger and LiveData Sentry plugins.
Our LiveData Sentry Plugin replicates and coordinates Apache Sentry policies across Hadoop cloud clusters to maintain common policy enforcement in each. This enables organizations to ensure consistent policy definition and enforcement across multiple clusters that share access to the same data. It also enables them to change Sentry policies in any cluster - enforcing access to cluster resources with the same authorization rights in each environment.
LiveData Ranger Plugin allows Hadoop clusters to replicate Apache Ranger policy definitions. This offers clusters a shared set of Ranger policies – but without costly single points of failure, degraded performance or administrative headaches. LiveData Ranger Plugin can replicate policy definitions as they are created or modified in any cluster, maintaining ironclad consistency among environments.
The Bottom Line
Migration efforts cannot afford to ignore the challenge of transferring security policies from on-prem environments to the cloud. It is critical to reduce the cost and effort of migrating security policies – while still allowing organizations to continue to use the Ranger or Sentry platforms for enforcing on-prem security policies. WANdisco’s solutions offer the best of both worlds: security within Hadoop, and seamless security policy migration to the cloud. With WANdisco’s paradigm, there is no need to reinvent the wheel to have cloud data secured in the same way as it is on Hadoop.
About the author
Tony Velcich, Sr. Director of Product Marketing, WANdisco
Tony is an accomplished product management and marketing leader with over 25 years of experience in the software industry. Tony is currently responsible for product marketing at WANdisco, helping to drive go-to-market strategy, content and activities. Tony has a strong background in data management, having worked at leading database companies including Oracle, Informix and TimesTen, where he led strategy for areas such as big data analytics for the telecommunications industry, sales force automation, as well as sales and customer experience analytics.