
HP Security Voltage A leading expert in data-centric encryption and tokenization


Hewlett Packard Enterprise: Protect your digital enterprise

Proactively protect the interactions between users, applications and data across any location or device

Attack life cycle: Our approach to security

The attack life cycle runs through six stages:

• Research: research potential targets
• Infiltration: phishing attack and malware
• Discovery: mapping the breached environment
• Capture: obtain data
• Exfiltration: exfiltrate/destroy stolen data
• Monetization: data sold on the black market

HP maps its portfolio onto that cycle:

• Threat intelligence: HP Security Research
• Block adversary: HP TippingPoint, HP Fortify
• Detect adversary: HP ArcSight, Vertica
• Protect data: HP Atalla, HP Security Voltage

© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Infrastructure Security Creates Exploitable Gaps

• Consider a Point of Sale – “POS”

• POS Malware* steals from memory – seeking card data in use

– Dexter

– PoSeidon

– BlackPOS

– Custom POS malware

– GamaPOS

• Data-at-rest encryption won’t prevent POS data theft

– Infected POS controlled by BotNets + live data = PCI data breach

Figure: the POS software stack. Storage, file systems and databases sit below the decryption/encryption layer (disk, file, OS process); there the data is encrypted at rest, but it is not in use. Data & applications and middleware/network sit above that layer: in this part of the stack the data is in the clear, because it is in use.

*http://www8.hp.com/us/en/software-solutions/cyber-risk-report-security-vulnerability/
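The slide's point is that the card number is in cleartext in process memory no matter how the disk is encrypted, and RAM-scraping POS malware looks for exactly that. The scanner below is an added example (not HP, Voltage or any of the named malware families' code) of the same search from the defender's side: it walks a byte buffer for track-2 records and Luhn-valid PANs, the way a memory-forensics or DLP check would. The buffer contents are constructed; the regexes and the `scan_buffer`/`luhn_ok`/`mask` names are this example's own.

```python
import re

# Track 2 as it sits in POS memory between swipe and authorization:
# ;PAN=YYMM<service code><discretionary data>?
TRACK2_RE = re.compile(rb";?(\d{13,19})=(\d{4})(\d{3})(\d*)\??")
# Keyed-in or formatted PANs: 13-19 digits, optionally grouped by space or dash.
PAN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check that separates real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Report only first six and last four so the scanner itself does not re-expose the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_buffer(buf: bytes) -> list[dict]:
    """Return every Luhn-valid card number found in the buffer, with its offset."""
    hits, covered = [], []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"kind": "track2", "pan": mask(pan),
                         "expiry": m.group(2).decode(), "offset": m.start()})
            covered.append((m.start(), m.end()))
    for m in PAN_RE.finditer(buf):
        if any(s <= m.start() < e for s, e in covered):
            continue  # digits inside a track-2 record were already reported
        pan = re.sub(rb"[ -]", b"", m.group(0)).decode()
        if luhn_ok(pan):
            hits.append({"kind": "pan", "pan": mask(pan), "offset": m.start()})
    return hits


# Constructed stand-in for a region of POS process memory (not a real dump).
SAMPLE_MEMORY = (
    b"\x00\x00POSAPP v2.1\x00\x00"
    b";4444333322221111=25121011234567890?"   # track 2 straight from the reader
    b"\x00order=10042&total=59.95\x00"
    b"card=4111 1111 1111 1111\x00"           # keyed-in PAN in a form buffer
    b"ticket=1234567890123\x00"                # 13 digits, not Luhn-valid: ignored
)


def findings() -> list[dict]:
    return scan_buffer(SAMPLE_MEMORY)


if __name__ == "__main__":
    for hit in findings():
        print(hit)
```

Run it against a memory acquisition of the POS process, or against the POS application's own buffers in a test rig, and every hit is a place where full-disk or database encryption gave no protection. The only way to make the scan come back empty is to protect the field before it lands in that buffer, which is the data-centric argument the rest of the deck makes.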

Neutralizing Breaches - Introducing Data-centric Security

Figure: data security coverage by layer of the data ecosystem (storage, file systems, databases, data & applications, middleware/network).

Traditional IT infrastructure security covers each layer with a separate control: disk encryption, database encryption, SSL/TLS/firewalls and authentication management. Between those controls sit security gaps, and each layer faces its own threats to data: malware and insiders against storage, file systems and applications; SQL injection and malware against databases; traffic interceptors against middleware/network; credential compromise against authentication.

HP Data-centric Security instead applies end-to-end data protection across all layers, so the protected data itself closes the gaps between the infrastructure controls.

Attack Trends vs. Protection Strategy Effectiveness

• Data-centric security protects data over its lifecycle against broad threats.
• Infrastructure-centric solutions only protect against physical threats (e.g. VLE).

Traditional infrastructure level protection:
• Disk, file
• Data at rest in disks or files when powered off or in backup

Data-centric security:
• Fields and objects
• Data stays protected in use, in motion, and at rest

Graph source: Verizon Data Breach Report 2014

Secure Data can go everywhere, without increased risk and while maintaining data sovereignty

Figure: protected data flowing from enterprise data systems, and from devices, sensors and applications, out to Amazon AWS, big data analytics in the cloud and in Hadoop, cloud applications & services (SaaS | PaaS), offshore test and dev, transaction processors and partner data systems.

HP Security Voltage Products

HP SecureMail
• Email encryption solution
• Internal and external email encryption
• Highly scalable to millions of users
• Easy to use: Outlook, mobile, web browser, etc.

HP SecureData
• Encryption and tokenization of “structured” data and files
• “Data-centric” security for databases, applications and payment streams
• Windows, Linux, Hadoop, Teradata, z/OS, HP NonStop, etc.

HP SecureData Core Technologies

Format Preserving Encryption
• Protect structured data while maintaining the functional and analytic integrity of the data

Secure Stateless Tokenization
• High-performance tokenization of PAN data without the management burden of a token database

Page Integrated Encryption
• Extends end-to-end protection to the browser, through and beyond the SSL tunnel

Example record before and after protection (the protected values keep the original length, character set and layout):

Name: Gunther   DOB: 02-07-1966   SSN: 934-72-2356
Name: Uywjlqo   DOB: 08-06-1972   SSN: 298-24-2356   (last four digits of the SSN preserved)

Card Number: 4444 3333 2222 1111, protected three ways:
• 4567 8764 8865 9875   (whole number transformed)
• 4444 3356 4532 1111   (first four and last four digits preserved)
• 4444 33AB VCXY 1111   (first six and last four digits preserved, alphanumeric output)
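To make the "format preserving" property concrete, here is an added example (not Voltage's FPE, whose FFX mode is the ancestor of NIST SP 800-38G FF1, and not code from this deck) of a toy format-preserving cipher: an HMAC-based Feistel network over a decimal string that returns the same number of digits, keeps separators where they were, and optionally leaves leading and trailing digits in the clear as the card-number examples above do. `fpe_protect`, `_feistel`, the round count and the fixed `KEY` are this example's own assumptions; in a deployment the key would come from the key server, never from source code.

```python
import hashlib
import hmac

ROUNDS = 10  # even, so both halves receive the same number of rounds


def _round_function(key: bytes, rnd: int, tweak: bytes, half: str, width: int) -> int:
    """Keyed PRF of (round, tweak, other half), reduced to `width` decimal digits."""
    msg = bytes([rnd]) + tweak + b"|" + half.encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % (10 ** width)


def _feistel(digits: str, key: bytes, tweak: bytes, decrypt: bool) -> str:
    """Unbalanced Feistel network over a decimal string: same length in and out."""
    n = len(digits)
    if n < 2 or not digits.isdigit():
        raise ValueError("need at least two decimal digits to encrypt")
    u = n // 2
    a, b = digits[:u], digits[u:]
    order = range(ROUNDS - 1, -1, -1) if decrypt else range(ROUNDS)
    sign = -1 if decrypt else 1  # decryption runs the rounds backwards and subtracts
    for rnd in order:
        if rnd % 2 == 0:  # even rounds modify the left half from the right half
            f = _round_function(key, rnd, tweak, b, len(a))
            a = str((int(a) + sign * f) % 10 ** len(a)).zfill(len(a))
        else:             # odd rounds modify the right half from the left half
            f = _round_function(key, rnd, tweak, a, len(b))
            b = str((int(b) + sign * f) % 10 ** len(b)).zfill(len(b))
    return a + b


def fpe_protect(value: str, key: bytes, keep_first: int = 0, keep_last: int = 0,
                decrypt: bool = False) -> str:
    """Encrypt (or decrypt) the digits of `value` in place, keeping separators and
    the first `keep_first` / last `keep_last` digits in the clear."""
    digits = "".join(ch for ch in value if ch.isdigit())
    head, tail = digits[:keep_first], digits[len(digits) - keep_last:]
    middle = digits[keep_first:len(digits) - keep_last]
    # The preserved digits act as a tweak, so the same middle digits encrypt
    # differently under a different BIN or a different last four.
    tweak = (head + "|" + tail).encode()
    new_digits = iter(head + _feistel(middle, key, tweak, decrypt) + tail)
    return "".join(next(new_digits) if ch.isdigit() else ch for ch in value)


# Constructed test key for the example only; a real key lives in the key server.
KEY = hashlib.sha256(b"example-key-do-not-use").digest()


def demo() -> dict:
    pan, ssn = "4444 3333 2222 1111", "934-72-2356"
    pan_fpe = fpe_protect(pan, KEY, keep_first=6, keep_last=4)
    ssn_fpe = fpe_protect(ssn, KEY, keep_last=4)
    return {
        "pan": pan_fpe,
        "pan_back": fpe_protect(pan_fpe, KEY, keep_first=6, keep_last=4, decrypt=True),
        "ssn": ssn_fpe,
        "ssn_back": fpe_protect(ssn_fpe, KEY, keep_last=4, decrypt=True),
    }


if __name__ == "__main__":
    for name, val in demo().items():
        print(f"{name:9s} {val}")
```

Two properties matter for the "analytic integrity" claim: the output fits the column, so schemas, validation rules and downstream parsers do not change, and the encryption is deterministic, so equality joins and group-bys on the protected column still work. The flip side is that determinism also leaks equality, and a field with a tiny domain (two digits, a day of month) can be enumerated whatever the cipher, which is why the standardized mode imposes a minimum domain size. Use an FF1 implementation rather than this toy for anything real.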

HP SecureData Use Cases

Data De-Identification
• Protection of data in production databases and applications
• Data masking for test/dev
• Secure analysis for Hadoop and Teradata
• Protection of data in the cloud

PCI Compliance
• Tokenization for PCI scope reduction
• Point-to-Point Encryption for stores
• Point-to-Point Encryption for ecommerce

HP SecureData Enterprise – Data Security Platform

Figure: platform architecture.

HP SecureData Central Management Console
• Define access policies
• Data security formats
• Access controls
• Reporting & monitoring
• Key rotation policies
• Events and alerts

Authentication & authorization sources (e.g. Active Directory)

Key server / HSM, deciding on every request:
• Tokenize/detokenize/encrypt/decrypt/mask?
• IP valid? Certificate valid?
• Application authenticated?
• User/role validated?
• Permission granted?
• Key generation / token table management

Policy-controlled data protection and masking services & clients:
• HP SecureData Web Services API
• HP SecureData Native APIs (C, Java, C#, .NET)
• HP SecureData command lines & automated file parsers
• HP SecureData z/Protect, z/FPE
• HP SecureData native UDFs
• Partner integrations
• SaaS & PaaS cloud apps

Business applications, data stores and processes served: payment terminals, storage key management, production databases, mainframe applications & databases, 3rd party applications, Teradata, Hadoop & Vertica, ETL & data integration suites, network interceptors, payment systems, HP NonStop applications & databases, web/cloud applications (AWS, Azure), enterprise applications, volumes and storage, 3rd party SaaS gateways.
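The questions the key server asks on each request (certificate valid? application authenticated? role validated? IP valid? permission granted?) are where least privilege is actually enforced: most callers only ever need to protect, a support desk needs a masked view, and very few identities should be able to recover cleartext. The following is an added example, not Voltage's policy engine, of such a decision function with an audit record per call. The format names, roles, CIDRs and the `protect`/`access` callbacks (stand-ins for the real FPE and key-server calls) are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Request:
    app: str
    user: str
    roles: frozenset
    source_ip: str
    client_cert_ok: bool
    fmt: str    # data security format, e.g. "cc_fpe"
    op: str     # "protect", "mask" or "access"
    value: str  # cleartext for protect, protected value for mask/access


@dataclass(frozen=True)
class Rule:
    fmt: str
    op: str
    roles: frozenset
    networks: tuple  # CIDRs allowed to make this call


# Constructed policy: capture points may only protect, support only sees a masked
# form, and a single back-office role may recover cleartext, from one subnet.
POLICY = (
    Rule("cc_fpe", "protect", frozenset({"pos", "storefront", "etl"}),
         ("10.10.0.0/16", "192.168.50.0/24")),
    Rule("cc_fpe", "mask", frozenset({"support"}), ("10.20.0.0/16",)),
    Rule("cc_fpe", "access", frozenset({"payment_switch"}), ("10.30.1.0/24",)),
)


def decide(req: Request, policy=POLICY) -> tuple:
    """Certificate, then role match on (format, operation), then source network."""
    if not req.client_cert_ok:
        return "deny", "client certificate invalid"
    ip = ipaddress.ip_address(req.source_ip)
    role_matched = False
    for rule in policy:
        if rule.fmt == req.fmt and rule.op == req.op and rule.roles & req.roles:
            role_matched = True
            if any(ip in ipaddress.ip_network(net) for net in rule.networks):
                return "allow", f"{rule.fmt}/{rule.op} granted to {sorted(rule.roles & req.roles)}"
    if role_matched:
        return "deny", f"{req.source_ip} not in allowed networks for {req.fmt}/{req.op}"
    return "deny", f"no rule grants {req.op} on {req.fmt} to roles {sorted(req.roles)}"


def mask_protected(value: str) -> str:
    """Mask straight from the protected value: with first six and last four preserved
    by the format, a masked display needs neither a key nor a detokenize call."""
    total = sum(ch.isdigit() for ch in value)
    out, seen = [], 0
    for ch in value:
        if ch.isdigit():
            out.append(ch if seen < 6 or seen >= total - 4 else "*")
            seen += 1
        else:
            out.append(ch)
    return "".join(out)


def serve(req: Request, protect: Callable[[str], str], access: Callable[[str], str],
          audit: list) -> Optional[str]:
    """Enforce the decision, append an audit event, and return what the caller may see."""
    decision, reason = decide(req)
    audit.append({"app": req.app, "user": req.user, "ip": req.source_ip,
                  "fmt": req.fmt, "op": req.op, "decision": decision, "reason": reason})
    if decision != "allow":
        return None
    if req.op == "protect":
        return protect(req.value)
    if req.op == "mask":
        return mask_protected(req.value)
    return access(req.value)


if __name__ == "__main__":
    log = []
    web = Request("storefront-web", "svc-web", frozenset({"storefront"}), "10.10.4.7",
                  True, "cc_fpe", "protect", "4444 3333 2222 1111")
    print(serve(web, lambda v: "<protected>", lambda v: "<cleartext>", log), log[-1])
```

Two design points carry over to a real deployment: deny is the default and the reason is recorded, so the "events and alerts" on the management console have something to fire on when a storefront identity suddenly asks to detokenize; and masking is served from the ciphertext, so the support role never touches a key at all.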

Example – Enabling Mobile, Hybrid Cloud Data Security

• Large specialty insurer – 22,000 employees
– Global operations
• Advanced mobile services – mobile monitoring (apps, energy, conflicts)
– Backup and restore services
– Supporting top telco subscribers
• Major challenge – keeping data secure in the cloud on behalf of third parties (top US telcos)
• Remaining agile is a key element of the strategy
• Strategic cloud operations across multiple clouds (Azure, AWS)
• Enabling cloud-based analytics on large data sets to enable customer service

Figures: Azure apps – data secured with HP SecureData (serving Tier 1 telcos and large Internet companies); AWS side – data secured with HP SecureData (serving Tier 1 global telcos).

Disk and VM Only Solutions

Figure: the Azure stack using “IT” security. The data risk surface spans the whole stack:
• Keys are in the cloud
• Data protection is at rest
• Attacks happen in active apps

The Azure Stack – Using Data-Centric Security

Figure: the same Azure stack with data-centric security coverage applied across every layer.

Example – Major Auto Manufacturer – BigData Dataflow Architecture

Figure: sensitive structured database sources and sensitive structured data files enter through an edge node (command line tools, “LZ” landing zone) and an “IC” DataStage tier, both calling the HP SecureData servers. From there the data flows into Hadoop (Map Reduce, Sqoop, Hive UDFs) and Teradata (analytics UDFs), with Cognos for reporting.

Example – Health Care Insurance Company: Fortune 100 company, managed health care and health care insurance

• Data security for traditional enterprise apps and hybrid apps: secure data as part of a strategic enterprise-wide data security strategy
• Secure communications: encrypted email communications, billing statements, claims and mobile interactions for patients and employees
• Improve customer information, reduce prescription fraud and reverse claim overpayment: quick detection and analysis of customer health status, automated fraud detection and quick detection of claim overpayments
• Enable competitive advantage: formed internal data exploration hackathons using de-identified data to create market innovations and detect risks
• HP SecureData protects business processes, increases agility and improves customer interaction
• Enables innovation through data access without risking compliance and privacy regulations (HIPAA/HITECH, PCI, etc.)
• De-identifies and shares data from multiple data sources; enables analytics on sensitive data
• Shows that the most effective way of protecting the data is at the field level
• HP SecureMail protects sensitive PII and PHI throughout the enterprise, email and cloud, to customers and the extended ecosystem

Data Sovereignty is Complicated

• Legal, contractual, technological mesh

• Where is a data center located, whose data is being stored

• No uniform standards, often directly conflicting laws

– E.g. USA Patriot Act vs. European Data Protection Directive

• Some jurisdictions are particularly complex

– Patchwork of federal, territory, and provincial laws

“Landmark ruling could pose serious concerns for European firms wary of the cloud.”

– Dan Worth, V3.com


Example – Cloud Data De-Identification, Data Residency – Top European Bank Solving European Data Residency Challenges in core banking

• Data residency problem
– Central banking
– Accenture core banking application
• Challenge:
– CSSF regulation driven
– $150m investment at risk
• Data residency EU privacy challenge
– Data ops in Portugal
– Customer data in Luxembourg
– IBM mainframe in scope
– Need for data separation between Luxembourg and Portugal
• HP FPE technology: critical enabler for rapid compliance
– First EU bank to meet strict new CSSF regulation
– Avoided $150m data center cost

Solution components: IBM mainframe, core banking; HP SecureData; implementation with GSI

(C) 2015 Voltage Security, Inc. All Rights Reserved - Confidential

Example – Australia's number one direct wine store

• Retail and online merchant
– Largest e-commerce retailer in Australia
– Part of Tier 1 parent
– > 330,000 customers
– Payment flow with multiple processors
• Goal - PCI compliance and de-scoping
• Solution
– Voltage SecureData Web & Voltage SecureData Enterprise
• Outcome
– PCI scope reduction, reduced breach risk
– Deployed in < 60 days

Solution components: HP SecureData Web, HP SecureData Enterprise

Wine store e-commerce PCI scope reduction

Figure: the online shopper's browser (desktop or mobile) encrypts card and purchase data at capture using PIE and sends it over the Internet to the merchant infrastructure. The web infrastructure environment (store front, e-commerce applications and retail system interfaces) only ever handles the encrypted values and is out of PCI scope (green). Only the SecureData Web decrypt service and the cardholder data environment, which pass the card data on to the payment processors, remain in scope of PCI (red).

Thank You! Q&A

Additional Slides: HP SecureData Platforms

HP SecureData for HP NonStop

• HP SecureData Host SDK

− Available on HP NonStop Guardian and OSS

− Host decryption and tokenization capabilities for PAN data

• HP SecureData Simple API

− Available on: HP NonStop OSS and HP-UX


Integration with Teradata and Informatica

• Teradata

− Maximizes the multi node feature of Teradata

− Implemented through UDFs

− UDFs invoked through SQL and triggers/views

− Distributed on nodes for high performance

• Informatica

− Integration through “hooks” in ILM and DDM

− Modify ETL routine to call HP Security Voltage for encryption or tokenization

− Implemented through SOAP, native API or command line tool


HP SecureData for IBM z/OS

• HP SecureData z/Protect API

− Uses a “started task” to do actual work

− Batch programs/CICS transactions call minimal APIs

− Support for HP FPE and native HP SST on z/OS

• HP SecureData z/FPE

− The z/OS Bulk Data Protection Tool

− Bulk protection of data: flat files, DB2, IMS, VSAM, etc.

− Enables easy data protection and masking

− Can use Rexx, COBOL, PL/I, C, other languages


HP SecureMail

• Simple, native user experience – just like regular email

− Outlook, iPhone, iPad, Android, Blackberry, Web

• HP Stateless Key Management Architecture

− No key or message stores to manage

− Low operational and infrastructure costs

• Single HP IBE solution for all use cases

− Internal and external protection and compliance

− Single technology (IBE, 100% push, message format)

• Outlook, Exchange, Windows AD Support

− Global address list, distribution lists, contacts

− AD Authentication, AD Groups

• The world’s most popular email encryption solution

− It just works


HP SecureData for Big Data


Options for Securing Data in Hadoop with HP Security Voltage

Figure: a Hadoop cluster with the applications, analytics and data around it, showing the numbered (1–7) points at which HP Security Voltage can be integrated: in ETL & batch jobs at the landing zone, in Hadoop jobs & analytics inside the cluster, as HDFS storage encryption, and in the egress zone feeding BI tools & downstream applications.

Legend: standard application; application with HP Security Voltage interface point; unprotected data; de-identified data.

Sample Big Data Analytics Dataflow

Figure: sensitive structured data sources enter an ETL / landing zone, where de-identification is performed against the HP SecureData key servers & tokenization servers. The de-identified data feeds Teradata (analytics via UDFs), Hadoop (UDFs, Map Reduce & Sqoop) and HP Vertica (UDFs), and from there BI tools. Privileged analytics, which work on the original values, are marked separately beside each platform and beside the BI tools.