Protect your digital enterprise Application and Data Security
Cezary Prokopowicz ESP Regional Sales Manager CEE
14 April 2016
• Transform to a hybrid infrastructure
• Enable workplace productivity
• Protect your digital enterprise
• Empower the data-driven organization
Protect your digital enterprise
Protect your most prized digital assets whether they are on premise, in the cloud or in between.
Managing risk in today’s digital enterprise
• Rapid transformation of enterprise IT: shift to hybrid, mobile connectivity, big data explosion
• Cost and complexity of regulatory pressures: compliance, privacy, data protection
• Increasingly sophisticated cyber attacks: more sophisticated, more frequent, more damaging
Today’s digital Enterprise needs a new style of protection
Protect your most business-critical digital assets and their interactions, regardless of location or device.
[Diagram: USERS, APPS and DATA at the centre, surrounded by On Premise and Off Premise environments: IaaS, SaaS, PaaS, BIG DATA, BYOD]
Protect your digital enterprise
Prevent: Build it in
Identify the threats you face, assess your organization’s capabilities to protect your enterprise, harden your applications, protect your users, and encrypt your most important data.
Detect & Respond: Proactively detect and manage breaches
Help reduce time-to-breach-resolution with a tight coupling of analytics, correlation, and orchestration. Establish situational awareness to find and shut down threats at scale.
Recover: Safeguard continuity and compliance
Drive resilience and business continuity across your IT environments, systems, and applications. Reduce risk with enterprise-wide governance, risk & compliance strategies.
Prevent: Build Security into the fabric of your organization
• Identify the threats you face
• Assess your organization’s capabilities to protect your enterprise
• Build proactive defenses into user management, applications, and data
• Simplified Compliance
• More Secure Analytics
• Easier Move to the Cloud
• Safer Back-End Storage
Data Centric Security for end-to-end protection
Introducing: “Data-centric” security
[Diagram: traditional IT infrastructure security. Layers: Storage, File systems, Databases, Middleware, Data and applications. Traditional controls: Disk encryption, Database encryption, NG-IPS/NG-FWs/WAFs (at the middleware layer), SSL/TLS/firewalls, Authentication Management. Threats to data: Malware, Insiders; SQL injection, Malware; Traffic Interceptors; Malware, Insiders; Credential Compromise. A "Security gap" is marked between each pair of layers (Data Ecosystem Security Gaps): each control's data security coverage stops at its own layer.]
HPE Security – Data Security provides this protection
[Diagram: the same layered view (Storage, File systems, Databases, Middleware, Data and applications) with the same traditional controls, threats and security gaps, plus HPE Security data-centric security drawn as a single End-to-end Protection band whose data security coverage spans every layer.]
HPE Format-Preserving Encryption (FPE)
– Supports data of any format: name, address, dates, numbers, etc.
– Preserves referential integrity
– Only applications that need the original value need change
– Used for production protection and data masking
Example record from the slide:
Original: First Name: Miroslav, Last Name: Knapovsky, SSN: 934-72-2356, DOB: 11-07-1971 (Tax ID 934-72-2356)
AES output (format lost): 8juYE%Uks&dDFa2345^WFLERG Ija&3k24kQotugDF2390^32 0OWioNu2(*872weW Oiuqwriuweuwr%oIUOw1@
FPE output (format kept): First Name: Uywjlqac, Last Name: Muwruwwb, SSN: 253-67-2356, DOB: 01-02-1972 (Tax ID 253-67-2356)
HPE Secure Stateless Tokenization (SST)
Format | Credit Card | Tax ID
Original | 1234 5678 8765 4321 | 934-72-2356
SST | 8736 5533 4678 9453 | 347-98-8309
Partial SST | 1234 5633 4678 4321 | 347-98-2356
Obvious SST | 1234 56AZ UYTZ 4321 | AZS-UX-2356
– Replaces token database with a smaller token mapping table
– Token values mapped using random numbers
– Lower costs
− No database hardware, software, replication problems, etc.
Field level, format-preserving, reversible data de-identification, customizable to granular requirements addressed by encryption & tokenization
Format | Credit card | SSN/ID | Email | DOB
Original | 1234 5678 8765 4321 | 934-72-2356 | | 11-07-1971
Full | 8736 5533 4678 9453 | 347-98-8309 | [email protected] | 20-05-1972
Partial | 1234 5681 5310 4321 | 634-34-2356 | [email protected] | 20-05-1972
Obvious | 1234 56AZ UYTZ 4321 | AZS-UD-2356 | [email protected] | 20-05-1972
(Legend on the slide: FPE, SST)
Mapping the Flow of Sensitive Data
[Diagram: Web Form → New Account Application → Mainframe Database → Fraud Detection, Customer Service Application, Hadoop Analytics and CC Processing; every hop carries the clear record 4040 1234 1234 9999 Elen Smith]
The Same Environment With HPE SecureData
[Diagram: Web Form with HPE PIE → New Account Application → Mainframe Database → Fraud Detection, Customer Service Application, Hadoop Analytics and CC Processing, with HPE SecureData (labelled HP SecureData) in the path. Most hops now carry the format-preserved record 4040 6763 0123 9999 Kelt Dqitp; the clear record 4040 1234 1234 9999 Elen Smith appears at two hops only, and one hop shows the protected card number with the clear name Elen Smith.]
– HPE Stateless Key Management
– No key database to store or manage
– High performance, unlimited scalability
– Both encryption and tokenization technologies
– Customize solution to meet exact requirements
– Broad platform support
– On-premise / Cloud / Big Data
– Structured / Unstructured
– Linux, Hadoop, Windows, AWS, IBM z/OS, HPE NonStop, Teradata, etc.
– Quick time-to-value
– Complete end-to-end protection within a common platform
– Format-preservation dramatically reduces implementation effort
HPE SecureData platform tools
• HPE SecureData Management Console
• HPE SecureData Web Services API
• HPE SecureData Native APIs (C, Java, C#/.NET)
• HPE SecureData Command Lines
• HPE SecureData Key Servers
• HPE SecureData File Processor
(all operating within the Protected Data Environment)
Native APIs
– Enable encryption in custom apps
– C/C++/C#/Java
– Distributed and mainframe platforms
Command Line Tools
‒ Bulk encryption and tokenization
‒ Files and databases
‒ Variety of distributed and mainframe platforms
Web Services APIs
‒ Any web services enabled platform
‒ Additional layer of masking
‒ Offload processing on HPE SecureData Server
HPE SecureData File Processor
‒ Converged HPE SST and FPE client solution in Java
‒ Handles different record types within the same file
‒ Efficient multi-field, multi-threading architecture
Sample records (protected values) from the slide:
Name | SS# | Credit Card # | Street Address | Customer ID
Kwfdv Cqvzgk | 161-82-1292 | 3712 3486 3545 1001 | 2890 Ykzbpoi Clpppn | S7202483
Veks Iounrfo | 200-79-7127 | 5587 0856 7634 0139 | 406 Cmxto Osfalu | B0928254
Pdnme Wntob | 095-52-8683 | 5348 9209 2367 2829 | 1498 Zejojtbbx Pqkag | G7265029
Eskfw Gzhqlv | 178-17-8353 | 4929 4333 0934 4379 | 8261 Saicbmeayqw Yotv | G3951257
Jsfk Tbluhm | 525-25-2125 | 4556 2545 6223 1830 | 8412 Wbbhalhs Ueyzg | B6625294
Key generation and authentication
[Diagram: the Application sends "Request Key [email protected]" to the Key Server; the Key Server authenticates against an Authentication Resource, e.g. LDAP, AD, …, with an optional HSM, and derives the key from Base Key s = 1872361923616 1872361923616…..; the key 1872361923616 is returned to the Application, which protects the value 1234 5678 8765 4321]
– Multiple servers seeded with the same base key (master secret)
– Keys generated “just-in-time” after authentication and authorization
– No key store/vault: No key replication required, key is destroyed after use
– Simple DR: Multiple servers load balanced
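A worked example of the two ideas on the FPE/SST slides and on this key-generation slide, added here as illustration and not HPE SecureData's own algorithm or API: a per-identity key is derived with HMAC from a constructed base key (so any server seeded with that base key recomputes it and nothing needs to be stored), and a card number is protected with a simplified Feistel-style cipher over decimal digits, so the output keeps the length and alphabet and, in the partial format, the first 6 and last 4 digits. The base key, identity and the Feistel construction are assumptions of this example.

```python
import hashlib
import hmac

# Constructed demo secret: the deck's model seeds every key server with one base key.
BASE_KEY = b"demo-base-key-shared-by-all-key-servers"


def derive_key(base_key: bytes, identity: str, purpose: str) -> bytes:
    """Stateless 'just-in-time' key: any server holding the base key recomputes the
    same key for an authenticated identity, so there is no key database to replicate."""
    return hmac.new(base_key, f"{identity}|{purpose}".encode(), hashlib.sha256).digest()


def _round_fn(key: bytes, rnd: int, other: str, width: int) -> int:
    """Feistel round function: keyed MAC of the other half, reduced to `width` digits."""
    mac = hmac.new(key, bytes([rnd]) + other.encode(), hashlib.sha256).digest()
    return int.from_bytes(mac[:8], "big") % (10 ** width)


def fpe_digits(key: bytes, digits: str, decrypt: bool = False, rounds: int = 10) -> str:
    """Illustrative Feistel-style format-preserving cipher over a decimal string
    (not HPE's FPE or NIST FF1): output has the same length and alphabet as the input."""
    assert digits.isdigit() and len(digits) >= 2 and rounds % 2 == 0
    a, b = digits[: len(digits) // 2], digits[len(digits) // 2:]
    for r in (range(rounds - 1, -1, -1) if decrypt else range(rounds)):
        if decrypt:
            a, b = b, a  # undo the swap that ended this round during encryption
            a = str((int(a) - _round_fn(key, r, b, len(a))) % 10 ** len(a)).zfill(len(a))
        else:
            a = str((int(a) + _round_fn(key, r, b, len(a))) % 10 ** len(a)).zfill(len(a))
            a, b = b, a
    return a + b


def protect_card(key: bytes, card: str, decrypt: bool = False, partial: bool = True) -> str:
    """Protect (or unprotect) a card number, keeping its spacing. With `partial`
    the first 6 and last 4 digits stay clear, like the deck's 'Partial' format."""
    digits = card.replace(" ", "")
    head, mid, tail = (digits[:6], digits[6:-4], digits[-4:]) if partial else ("", digits, "")
    out = iter(head + fpe_digits(key, mid, decrypt) + tail)
    return "".join(" " if ch == " " else next(out) for ch in card)


if __name__ == "__main__":
    key = derive_key(BASE_KEY, "alice@example.com", "cc-partial")  # constructed identity
    card = "1234 5678 8765 4321"  # sample value from the deck
    protected = protect_card(key, card)
    print(card, "->", protected, "->", protect_card(key, protected, decrypt=True))
```

Because the same key and input always give the same output, joins on the protected column still work (the referential integrity the FPE slide mentions), while only an application holding the derived key can reverse it.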
HPE SecureData concept: formats
Format | Example output
HP FPE | 4361 4871 1917 5946
Partial HP FPE | 1234 56024342 4321
Stateless token | 1234 56116197 4321
eFPE | 1234 56WX4WDL 4321
Obviously protected | 1234 56BQDSJHKGZS
Masked | XXXXXXXXXXXX 4321
HPE Security – Data Security
Before: All applications and users have access to data
(Analysts, Help Desk, DBAs, Malicious User, HR Application, ETL Tool, Mainframe App, Malware)
Name | SS# | Credit Card # | Street Address | Customer ID
James Potter | 385-12-1199 | 37123 456789 01001 | 1279 Farland Avenue | G8199143
Ryan Johnson | 857-64-4190 | 5587 0806 2212 0139 | 111 Grant Street | S3626248
Carrie Young | 761-58-6733 | 5348 9261 0695 2829 | 4513 Cambridge Court | B0191348
Brent Warner | 604-41-6687 | 4929 4358 7398 4379 | 1984 Middleville Road | G8888767
Anna Berman | 416-03-4226 | 4556 2525 1285 1830 | 2893 Hamilton Drive | S9298273
After: Data is protected at source from “Field Level”
(Analysts, Help Desk, DBAs, Malicious User, HR Application, ETL Tool, Payments App, Malware)
Name | SS# | Credit Card # | Street Address | Customer ID
Kwfdv Cqvzgk | 161-82-1292 | 3712 3488 7865 1001 | 2890 Ykzbpoi Clpppn | S7202483
Veks Iounrfo | 200-79-7127 | 5587 0876 5467 0139 | 406 Cmxto Osfalu | B0928254
Pdnme Wntob | 095-52-8683 | 5348 9212 3456 2829 | 1498 Zejojtbbx Pqkag | G7265029
Eskfw Gzhqlv | 178-17-8353 | 4929 4356 7432 4379 | 8261 Saicbmeayqw Yotv | G3951257
Jsfk Tbluhm | 525-25-2125 | 4556 2598 7643 1830 | 8412 Wbbhalhs Ueyzg | B6625294
Malicious users, malware and DBAs: only see protected data
(DBAs, Malicious User, Malware; the protected table above)
Help desk and payments apps: operate on partially protected data
(Help Desk, Payments App; the slide shows the protected table above)
Authorized applications access real data
(Authorized Fraud Analysts and Authorized HR Application, via HPE SecureData Tools, starting from the protected table above)
Authorized view on the same slide, via HPE SecureData Tools:
Name | SS#
James Potter | 385-12-1292
Ryan Johnson | 857-64-7127
Carrie Young | 761-58-8683
Brent Warner | 604-41-8353
Anna Berman | 416-03-2125
Securing the new SDLC
• 84% of breaches target applications
• Applications have become the new perimeter
Traditional Application Security: Develop, Test, Deploy, Operate
• Secure Development: find and fix as the developer codes
• Security Testing: expand testing to web, mobile and cloud applications in production
• Software Security Assurance: programmatic approach to securing applications at scale
The number of apps is growing, platforms and complexity are increasing, and there are many delivery models: open source, outsourced, commercial, legacy software, in-house development.
Across these: procuring secure software, demonstrating compliance, certifying new releases, securing legacy applications, monitoring / protecting production software.
A reactive approach to AppSec is inefficient and expensive
1 Somebody builds insecure software
2 IT deploys the insecure software
3 We are breached or pay to have someone tell us our code is bad
4 We convince & pay the developer to fix it
The Problem: costs and incidence of attacks are high and growing.
• Number of successful attacks per year per company: 50 in 2010, 122 in 2014 (144% increase in 4 years)
• Average cost of cyber crime per company: $6.5M in 2010, $12.7M in 2014 (95% increase in 4 years)
[Chart: Cost to Remediate by SDLC phase (Requirements, Design/Architecture, Coding, Testing, Deployments/Maintenance), with the multipliers 7X, 15X and 30X marked on the later phases]
The ROI
Comprehensive End to End Application Security
[Diagram: across Application Development (Design, Code, Test, Integration & Staging), IT Operations and Production: Static analysis with Static Code Analyzer (SCA) and Fortify on Demand; Dynamic analysis with WebInspect and Fortify on Demand; Runtime protection with App Defender, On Premise or On Demand]
Static Application Security Testing: accurately identify the root cause and remediate the underlying security flaw
[Diagram: the SCA Frontend reads XML, Java, JSP and T-SQL sources into one analysis; the results trace a flow from User Input to SQL Injection across the T-SQL, Java, XML and JSP layers]
22+ Languages: VBScript, HTML, ASP, XML, PL/SQL, Java, C# .NET, COBOL, PHP, Python, Visual Basic, ABAP, T-SQL, C/C++, Classic ASP, CFML, VB.NET, JavaScript/AJAX
Proven Over a decade of successful deployments backed by the largest security research team
• 10 out of 10 of the largest information technology companies
• 9 out of 10 of the largest banks
• 4 out of 5 of the largest pharmaceutical companies
• 3 out of 3 of the largest independent software vendors
• 5 out of 5 of the largest telecommunication companies
• Dynamic and Runtime Analysis
• Technology Made Simple
• Compliance Management
• Build Integration
• Centralized Program Management
Dynamic Analysis – WebInspect
HPE Security Fortify WebInspect: dynamic testing in QA or production
Dynamic Analysis Dashboard – HPE Security Fortify SSC: live dynamic scan visualization (live scan dashboard, live scan statistics, detailed attack table, vulnerabilities found in application, coverage analysis)
HPE Security Fortify Software Security Center: vulnerability detail (vulnerabilities identified in the scan, line-of-code vulnerability detail, remediation explanation and advice)
Application testing flexibility
• On Demand: HPE Security Fortify on Demand
• On Premise: HPE Security Fortify Software Security Center
Locations: Texas, UK, Australia, Toronto, Virginia, Costa Rica, Germany, Bulgaria, Malaysia, India
Protect your digital enterprise at scale
• Analyst positions shown on the slide: Leader, Visionary, Leader (Gartner: application security and network access control; data security; SIEM) and Leader (Forrester: managed security services)
• 10 managed global SOCs
• 42 business continuity and recovery centers
• 5000+ security professionals
• Technology, Consulting, Managed Services