Securing Big Data as we use it.
Albert Biketi, VP & GM, Data Security, HPE Software
August 2016


Discussion Agenda

• Intro
• Why we care about Big Data and the trends around it
• Challenges of securing Big Data in enterprises
• How we help, and some case studies


Transform to a hybrid infrastructure

Enable workplace productivity

Protect your digital enterprise

Empower the data-driven organization

Proactively protect the interactions between users, applications and data across any location or device.

Hewlett Packard Enterprise: Protect your digital enterprise


Users. Applications. Data. Our focus is on protecting the interactions between users, applications, and data


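HPE Security Fortify – This is your code

    import java.sql.ResultSet;
    import java.sql.SQLException;
    import java.sql.Statement;
    import java.util.Vector;

    // Fragment from the slide: connection, s and getCookie() belong to the surrounding application.
    Statement statement3 = connection.createStatement(
        ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
    // pull the USER_COOKIE from the cookies
    String user = getCookie(s);
    // the cookie value is concatenated into the SQL text as-is
    String query = "SELECT * FROM user_data WHERE last_name = '" + user + "'";
    Vector<String> v = new Vector<String>();
    try {
        ResultSet results = statement3.executeQuery(query);
        while (results.next()) {
            String type = results.getString("cc_type");
            String num = results.getString("cc_number");
            v.addElement(type + "-" + num);
        }
    } catch (SQLException e) {
        throw new RuntimeException(e);
    }

84% of successful attacks compromise application vulnerabilities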


Most breaches target sensitive data

© Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

538 reported in 2016

100s of ransom events

6 missing drives

13M records

Hospital was hostage

950,000 notifications

2016 YTD data to July 19, 2016 - US data. Source: Identity Theft Resource Center (ITRC)


Big Data: Why we care


Have you ever been sick?

Sepsis Noun (MEDICINE)

“the presence in tissues of harmful bacteria and their toxins, typically through infection of a wound.”

Photo By James Heilman, MD - Own work, CC BY-SA 3.0


Sepsis


50% of hospital deaths

56% of deaths were in less severe, non-ICU cases

25% of all hospital charges or $24B in annual direct costs

Occurs in just 10% of hospital patients but 10x the death rate vs. patients without sepsis.

Sources: Journal of the American Medical Association (JAMA); Journal of the American Medical Informatics Association; Centers for Disease Control (CDC); Kaiser Permanente Northern California; Agency for Healthcare Research and Quality


Monitoring a few key variables carefully can reduce sepsis risk significantly by allowing early intervention.


Improving business through pricing changes


On average, a 1% price increase translates into an 8.7% increase in operating profits (assuming no loss of volume, of course).

yet 30% of pricing changes don’t deliver business value


Related trends


Big Data & Analytics

Internet of Things (e.g., edge computing)

Machine Learning Algorithms

Insights for a competitive edge

Changing what compute means

New sources of knowledge & IP


Big Data: Challenges in enterprise security


• Data is exploding, in both uses and sources
• Adversaries (the bad guys) are innovating
• Regulation is accelerating
• The Big Data ecosystem also has rapid innovation


Key success factors for enterprises investing in Data Security

Well-understood dimensions of risk

Sensitivity, Location, Inappropriate access

Appropriate business owners for data identified

Owners understand context, IT/Security has controls

Leverage existing processes and systems

Used to drive results practically from concept to reality


How we help secure Big Data in use


Why do enterprises care about encryption?

Encryption is an area poised for wider adoption: 2nd highest ROI against cyber crime


Ordinary Encryption and the Suitcase Problem

What does this have to do with how encryption is commonly implemented?

Decryption occurs too frequently. Most applications use data that is otherwise stored encrypted at rest completely in the clear.


HPE SecureData provides this protection


[Figure: data security coverage across the data ecosystem, comparing traditional IT infrastructure security with HPE SecureData data-centric security (end-to-end protection).]

Data ecosystem layers: Middleware/Network; Storage; Databases; File Systems; Data & Applications

Traditional IT infrastructure security: Disk encryption; Database encryption; SSL/TLS/firewalls; Authentication Management

Threats to data: Malware, Insiders; SQL injection, Malware; Traffic Interceptors; Malware, Insiders; Credential Compromise

Four security gaps are marked in the traditional column.


HPE Format-Preserving Encryption (FPE)


– Supports data of any format: name, address, dates, numbers, etc.

– Preserves referential integrity

– Only applications that need the original value need change

– Used for production protection and data masking

Tax ID: 934-72-2356
FPE: 253-67-2356
AES: 8juYE%Uks&dDFa2345^WFLERG

Original record: First Name: Gunther, Last Name: Robertson, SSN: 934-72-2356, DOB: 08-07-1966
FPE: First Name: Uywjlqo, Last Name: Muwruwwbp, SSN: 253-67-2356, DOB: 01-02-1972
AES: Ija&3k24kQotugDF2390^32 0OWioNu2(*872weW Oiuqwriuweuwr%oIUOw1@
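The properties listed on this slide (output keeps the input's format, the same input always produces the same output so joins still work, and the original is recoverable with the key) can be seen in a small sketch. It is an added illustration, not HPE's code and not NIST FF1: a toy Feistel cipher over decimal digits with HMAC-SHA256 as the round function, where the key, the tweak and all function names are assumptions made for the example.

```python
import hashlib
import hmac

DIGITS = "0123456789"
ROUNDS = 10  # FF1 also uses 10 rounds; the round function below is NOT FF1's


def _prf(key: bytes, rnd: int, tweak: bytes, half: str, modulus: int) -> int:
    """Keyed round function: HMAC-SHA256 output reduced into the digit domain."""
    msg = bytes([rnd]) + len(tweak).to_bytes(2, "big") + tweak + half.encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % modulus


def _feistel(key: bytes, tweak: bytes, digits: str, decrypt: bool) -> str:
    """Alternating Feistel network over a decimal string; length is preserved."""
    n = len(digits)
    if n < 2:
        raise ValueError("need at least two digits to form two Feistel halves")
    u, v = n // 2, n - n // 2
    a, b = digits[:u], digits[u:]
    for i in (reversed(range(ROUNDS)) if decrypt else range(ROUNDS)):
        m = u if i % 2 == 0 else v          # width of the half being rewritten
        if decrypt:
            c, b = b, a                     # undo the swap, then remove the mask
            a = str((int(c) - _prf(key, i, tweak, b, 10 ** m)) % 10 ** m).zfill(m)
        else:
            c = str((int(a) + _prf(key, i, tweak, b, 10 ** m)) % 10 ** m).zfill(m)
            a, b = b, c
    return a + b


def _transform(key: bytes, tweak: bytes, value: str, decrypt: bool) -> str:
    # Only digits are enciphered; separators such as "-" stay where they were.
    digits = "".join(ch for ch in value if ch in DIGITS)
    out = iter(_feistel(key, tweak, digits, decrypt))
    return "".join(next(out) if ch in DIGITS else ch for ch in value)


def protect(key: bytes, tweak: bytes, value: str) -> str:
    return _transform(key, tweak, value, decrypt=False)


def unprotect(key: bytes, tweak: bytes, value: str) -> str:
    return _transform(key, tweak, value, decrypt=True)


def join_on_token(left: dict, right: dict) -> dict:
    """Join two protected tables on their shared token column."""
    return {tok: (left[tok], right[tok]) for tok in left.keys() & right.keys()}


if __name__ == "__main__":
    key = b"constructed-demo-key"      # constructed; a real key comes from a key server
    ssn = "934-72-2356"                # sample value taken from the slide
    token = protect(key, b"ssn", ssn)
    print(token, unprotect(key, b"ssn", token))
    hr = {protect(key, b"ssn", ssn): "HR row"}            # constructed tables
    payroll = {protect(key, b"ssn", ssn): "payroll row"}
    print(join_on_token(hr, payroll))  # the join works without decrypting
```

Because the output is deterministic, equal plaintexts are visible as equal tokens; that is the price of referential integrity, and production deployments should use a vetted FF1 implementation rather than this sketch.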


Five Innovative Technologies

Format-Preserving Encryption (FPE), Secure Stateless Tokenization (SST), Identity-Based Encryption (IBE), Page-Integrated Encryption (PIE), and Stateless Key Management


HPE and Standards - standards are important to HPE, a core value

HPE Format-Preserving Encryption is a recognized NIST standard (AES FF1). This is important to customers who want to comply with standards.


Pre-breach: All applications and users have access to data

Analysts Help Desk DBAs Malicious User

HR Application ETL Tool Mainframe App/ Transaction processing

Malware

Numerous PII types


After: Data is protected at source from “Field Level”

Analysts Help Desk DBAs Malicious User

HR Application ETL Tool Transaction Processing App Malware

& Numerous PII types


Data protection with HPE FPE and HPE SST

– Guaranteed referential integrity or fully randomized output by policy

– Enables data protection and data de-identification from one framework

− Can be used to generate test data for QA, training, etc.

[Figure labels: FPE (four instances); SST; numerous PII types; SaaS & PaaS cloud apps]


Certified on multiple technology platforms


Mainframe BigInsights


Deployment Options for HPE SecureData

Seamless integration option slide

Layer | Support | Typical Time to Deploy | Security Profile
Application | Native APIs + WS API | Hours/days per app + QA | Data in use and at rest, in motion
Middleware | MQ + WS API | Hours/days per queue + QA | Data in motion, at rest
Database | Standard DB tools, PL/SQL, Triggers/Views | Hours/days per app + QA | Data at rest, partial in motion, use
Structured Files | Batch tools | Hours | Data at rest, in motion, in use
Unstructured Bulk Files | Batch tools | Hours | Data at rest, in motion
Storage | All of the above + Enterprise Key Management for Servers and Storage | Days | Data is already protected with HPE FPE/HPE SST. HP SecureStorage protects all other data at rest (volumes). ESKM protects keys.

[Figure labels: File Systems; Databases; Data & Applications; Storage; Middleware]


Use Case: Embracing IoT analytics for new risk insights and customer behavior analysis from Big Data lakes

Company Proprietary - For Executive Briefing

Use case: Big Data - Global financial services company

‒ Customer is rapidly moving to adopt open source storage and data analysis platforms

‒ Use cases: Fraud detection, 360 degree Customer View and Behavior for marketing (to provide more relevant marketing), creating data sets or reports to sell or provide to other companies, financial modeling

‒ Invested in multiple data warehouse and big data platforms

‒ Using complex ETL tools to import data into Hadoop from sources including mainframe, distributed databases, flat files, etc.

‒ Protection in Hadoop is the first step in an enterprise wide data protection strategy

‒ Protect sensitive PCI and PII data as it is being imported into Hadoop. Fields protected include PAN, bank account, SSN, address, city, zip code, date of birth

‒ HPE Secure Stateless Tokenization (SST) offers PCI audit scope reduction for the Hadoop environment

‒ Fully integrated into Hadoop: Sqoop, MapReduce

‒ Central, Extensible key and policy management, reporting via Management Console

‒ New customer insights from live data feeds, social networks, new method of fraud detection

Customer Confidential | Hewlett Packard Enterprise

Options for securing data in HPE Big Data Platforms

[Figure labels: Source Data and Applications; Landing Zone; ETL and batch; HPE Vertica/Hadoop (HDFS); Hadoop jobs and analytics; HPE Haven; Egress Zone; BI Tools and Downstream Applications; Storage encryption (HPE SecureStorage); HPE SecureData interface points numbered 1 to 7.
Legend: Standard Application; Application with HPE SecureData Interface Point; Unprotected Data; De-Identified Data]

Use Case: Internet of Things - Connected Cars – Big Data Analytics & Risk

Protecting PII data for analytics at scale

• Enable new high scale “EDW 2.0” – 2Bn events/day

• Handling multiple types of sensitive data (PII, Machine data)

• Protect data in Hadoop, Teradata, DataStage and Cognos

• Ingest real-time data from vehicles & 3rd party data

• Analyze faults to detect recall requirements and affected vehicles, predict vehicle behavior

• HPE SecureData with HPE Format-Preserving Encryption

• Utilize Flume to protect incoming real-time data feeds

• De-identify data within Sqoop from internal data sources

• Re-identify data within Hadoop, Teradata, DataStage and Cognos

• Vehicle Data Feeds from cars

• 3rd Party Data Feeds (Accident records, global dealership)

• Data scientists can operate on protected data

• Enabled deeper Hadoop adoption for least cost

• Consumer PII is protected throughout analytics process.

• Sensitive information such as VIN, phone numbers, addresses, etc.

• Analytics are done on de-identified data, without exposing customers


IoT Data Security – Connected Car – Big Data primary data flow

[Figure labels: Sensitive structured sources; Sensitive structured data; Hadoop Edge Nodes; HPE SecureData Hadoop Tools; Hadoop Cluster (MapReduce, Sqoop, Hive UDFs); "Landing zone"; "Integration Controls" IBM DataStage; HPE SecureData Key Servers & WS APIs; Teradata EDW (UDFs); Analytics & Data Science (JDBC); Cognos; Flume real time ingest, ~2 Billion real time transactions/day; Other real-time data feeds: customer data from dealerships, manufacturers; Existing data sets and 3rd party data, e.g. accident data]

Additional Use Case: Global Financial Services Company – Adopting Hadoop for analytical insights on Data

– Rapidly moving to adopt open source storage and real-time data analysis platforms

– Use cases: Fraud detection, AML, 360 degree view of customer, creating data sets to provide to 3rd parties and business lines

– Support data warehouse and big data tools

– Protect sensitive PCI and PII data ingested into Hadoop & Teradata.

– Data protected in real-time at ingestion through SecureData for Sqoop, MapReduce, and Informatica ETL

– Trusted users can dynamically access live data in BI tools

– Enables Data scientists to operate on de-identified data – reduced risk

– Fields protected include PAN, Swift Codes, Bank Account, SSN, Address, City, Zip Code, DOB.

– SST for PCI audit scope reduction for Hadoop – saves cost/audit time


Inmar Video


Thanks Q&A
