Hewlett Packard Enterprise: Protect your digital enterprise
Proactively protect the interactions between users, applications and data across any location or device
Attack life cycle: Our approach to security
• Research: research potential targets
• Infiltration: phishing attack and malware
• Discovery: mapping the breached environment
• Capture: obtain data
• Exfiltration: exfiltrate/destroy stolen data
• Monetization: data sold on the black market
Threat intelligence
• HP Security Research
Block adversary
• HP TippingPoint
• HP Fortify
Detect adversary
• HP ArcSight
• Vertica
Protect data
• HP Atalla
• HP Security Voltage
© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Infrastructure Security Creates Exploitable Gaps
• Consider a Point of Sale – “POS”
• POS Malware* steals from memory – seeking card data in use
– Dexter
– PoSeidon
– BlackPOS
– Custom POS malware
– GamaPOS
• Data-at-rest encryption won’t prevent POS data theft
– Infected POS controlled by BotNets + live data = PCI data breach
[Diagram: application stack. Storage and file systems: encryption/decryption at the disk, file or OS-process level protects data at rest, i.e. data not in use. Databases, data & applications, middleware/network: data is in the clear in this part of the stack, i.e. data in use, which is where POS malware reads it.]
*http://www8.hp.com/us/en/software-solutions/cyber-risk-report-security-vulnerability/
Neutralizing Breaches - Introducing Data-centric Security
Traditional IT infrastructure security vs. threats to data:

  Infrastructure security control   | Threats to data
  ----------------------------------|-------------------------
  Disk encryption                   | Malware, insiders
  Database encryption               | SQL injection, malware
  SSL/TLS/Firewalls                 | Traffic interceptors
  SSL/TLS/Firewalls                 | Malware, insiders
  Authentication management         | Credential compromise

Each control covers one layer of the stack (storage, file systems, databases, data & applications, middleware/network) and leaves a security gap between layers. HP Data-centric Security provides end-to-end data protection across the whole data ecosystem, so data security coverage is continuous instead of a series of gaps.
Attack Trends vs. Protection Strategy Effectiveness
Data-centric security protects data over its lifecycle vs. broad threats.
Infrastructure-centric solutions only protect from physical threats (e.g. VLE).
• Traditional infrastructure-level protection (disk, file): covers data at rest in disks or files when powered off or in backup.
• Data-centric security (fields and objects): data stays protected in use, in motion, and at rest.
Graph source: Verizon Data Breach Report 2014
Secure Data can go everywhere Without increased risk and while maintaining data sovereignty
[Diagram: protected data flowing between enterprise data systems, partner data systems, Amazon AWS, big data analytics in the cloud and in Hadoop, cloud applications & services (SaaS | PaaS), offshore test and dev, transaction processors, and data from devices, sensors, and applications.]
HP Security Voltage Products
HP SecureMail
• Email encryption solution
• Internal and external email encryption
• Highly scalable to millions of users
• Easy to use: Outlook, mobile, web browser, etc.
HP SecureData
• Encryption and tokenization of “structured” data and files
• “Data-centric” security for databases, applications and payment streams
• Windows, Linux, Hadoop, Teradata, z/OS, HP NonStop, etc.
HP SecureData Core Technologies
Format Preserving Encryption
• Protect structured data while maintaining functional and analytic integrity of the data
Secure Stateless Tokenization
• High-throughput tokenization of PAN data without a token database (vault) to manage
Page Integrated Encryption
• Extends end-to-end protection to browser, through and beyond the SSL tunnel
Example of format-preserved protection (plaintext → protected):
  Name: Gunther, DOB: 02-07-1966, SSN: 934-72-2356 → Name: Uywjlqo, DOB: 08-06-1972, SSN: 298-24-2356 (field lengths, date format and the last four SSN digits are preserved)
  Card Number: 4444 3333 2222 1111 → 4567 8764 8865 9875, or 4444 3356 4532 1111 / 4444 33AB VCXY 1111 with the first four and last four digits left in the clear
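As an added example, not part of the original deck and not HP's FPE implementation: a toy format-preserving encryption over decimal digit strings, built as a balanced Feistel network with HMAC-SHA256 as the round function. It shows the properties the slide relies on: ciphertext has the same length and character set as the plaintext, separators such as the dashes in an SSN stay where they are, a chosen prefix and suffix (the first six and last four digits of a card number here) can be left in the clear, and the operation is reversible with the key. The key, tweak, round count and sample values are assumptions for illustration.

```python
import hmac
import hashlib

DIGITS = "0123456789"
ROUNDS = 10  # assumption: illustrative round count, not a vetted parameter


def _round_fn(key: bytes, tweak: bytes, rnd: int, half: str, width: int) -> int:
    """Feistel round function: HMAC-SHA256 over (tweak, round, other half),
    reduced to an integer of at most `width` decimal digits."""
    msg = tweak + bytes([rnd, len(half)]) + half.encode("ascii")
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % (10 ** width)


def _check(digits: str) -> None:
    if len(digits) < 2 or any(c not in DIGITS for c in digits):
        raise ValueError("need a string of at least two ASCII decimal digits")


def fpe_encrypt(key: bytes, digits: str, tweak: bytes = b"") -> str:
    """Encrypt a digit string to a digit string of the same length.
    Even rounds modify the left half using the right half, odd rounds the reverse."""
    _check(digits)
    u = len(digits) // 2
    a, b = digits[:u], digits[u:]
    v = len(b)
    for rnd in range(ROUNDS):
        if rnd % 2 == 0:
            a = str((int(a) + _round_fn(key, tweak, rnd, b, u)) % 10 ** u).zfill(u)
        else:
            b = str((int(b) + _round_fn(key, tweak, rnd, a, v)) % 10 ** v).zfill(v)
    return a + b


def fpe_decrypt(key: bytes, digits: str, tweak: bytes = b"") -> str:
    """Inverse of fpe_encrypt: the same rounds in reverse order, subtracting."""
    _check(digits)
    u = len(digits) // 2
    a, b = digits[:u], digits[u:]
    v = len(b)
    for rnd in reversed(range(ROUNDS)):
        if rnd % 2 == 0:
            a = str((int(a) - _round_fn(key, tweak, rnd, b, u)) % 10 ** u).zfill(u)
        else:
            b = str((int(b) - _round_fn(key, tweak, rnd, a, v)) % 10 ** v).zfill(v)
    return a + b


def protect_field(key: bytes, text: str, keep_first: int = 0, keep_last: int = 0,
                  tweak: bytes = b"", decrypt: bool = False) -> str:
    """Apply FPE to the digits of a formatted value (card number, SSN, date),
    leaving separators and the first/last `keep_*` digits untouched."""
    positions = [i for i, c in enumerate(text) if c in DIGITS]
    digits = "".join(text[i] for i in positions)
    end = len(digits) - keep_last
    head, mid, tail = digits[:keep_first], digits[keep_first:end], digits[end:]
    op = fpe_decrypt if decrypt else fpe_encrypt
    new_digits = head + op(key, mid, tweak) + tail
    out = list(text)
    for i, d in zip(positions, new_digits):
        out[i] = d  # write the protected digits back into their original positions
    return "".join(out)


if __name__ == "__main__":
    key = b"demo-key-from-key-server"  # assumption: a real key comes from the key server
    pan = "4444 3333 2222 1111"        # constructed sample values
    ssn = "934-72-2356"
    for label, value, kf, kl in (("PAN", pan, 6, 4), ("SSN", ssn, 0, 4)):
        enc = protect_field(key, value, kf, kl)
        dec = protect_field(key, enc, kf, kl, decrypt=True)
        print(f"{label}: {value} -> {enc} -> {dec}")
```

The encryption is deterministic for a given key and tweak, which is what lets a protected field still act as a join key or a grouping key in analytics; the flip side is that equal plaintexts produce equal ciphertexts, so a per-field tweak should be used where that correlation matters. Production systems should use a standardized construction (NIST SP 800-38G FF1 or FF3-1) rather than a toy Feistel such as this one.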
HP SecureData Use Cases
Data De-Identification
• Protection of data in production databases and applications
• Data masking for test/dev
• Secure analysis for Hadoop and Teradata
• Protection of data in the cloud
PCI Compliance
• Tokenization for PCI scope reduction
• Point-to-Point Encryption for stores
• Point-to-Point Encryption for ecommerce
HP SecureData Enterprise – Data Security Platform
[Diagram, described:]
HP SecureData Central Management Console: define access policies, data security formats, access controls, reporting & monitoring, key rotation policies, events and alerts. Authentication & authorization sources (e.g. Active Directory) back the policy decisions.
Server-side (HSM) checks per request: tokenize/detokenize/encrypt/decrypt/mask? IP valid? Certificate valid? Application authenticated? User/role validated? Permission granted? The same tier handles key generation and token table management.
Policy-controlled data protection and masking services & clients: HP SecureData Web Services API; HP SecureData Native APIs (C, Java, C#, .NET); HP SecureData command lines & automated file parsers; HP SecureData z/Protect, z/FPE; HP SecureData native UDFs; partner integrations; SaaS & PaaS cloud apps.
Integration points: payment terminals, storage key management, production databases, mainframe applications & databases, 3rd-party applications, Teradata, Hadoop & Vertica, ETL & data integration suites, network interceptors, payment systems, business applications, data stores and processes, HP NonStop applications & databases, web/cloud applications (AWS, Azure), enterprise applications, volumes and storage, 3rd-party SaaS gateways.
Example –Enabling Mobile, Hybrid Cloud Data Security
• Large Specialty Insurer – 22,000 Employees
– Global Operations
• Advanced mobile services – Mobile monitoring (apps, energy, conflicts)
– Backup and Restore services
– Supporting top telco subscribers
• Major challenge – keeping data secure in cloud on behalf of third parties (top US Telcos)
• Remaining agile is a key element of the strategy
• Strategic Cloud operations across multiple clouds (Azure, AWS)
• Enabling Cloud Based Analytics on large data sets to enable customer service
Azure Apps – data secured with HP SecureData
Tier 1 telcos
LARGE Internet Companies
AWS Side – data secured with HP SecureData
Tier 1 Global Telcos
The Azure Stack
Diagram source: http://blogs.msdn.com/b/jimoneil/archive/2012/09/21/windows-azure-feature-map.aspx
[Diagram: the data risk surface spans every layer of the Azure stack.]
The Azure Stack – Using “IT” Security
Disk and VM Only Solutions
• Keys are in the cloud
• Data protection is at rest
• Attacks happen in active apps
[Diagram: with disk and VM-only solutions, the data risk surface above the disk/VM layer remains.]
The Azure Stack – Using Data-Centric Security
[Diagram: data-centric security coverage extends across the whole stack.]
Example – Major Auto Manufacturer – BigData Dataflow Architecture
[Diagram: sensitive structured database sources and sensitive structured data files are loaded via command-line tools and DataStage into Hadoop zones labelled “LZ” and “IC” on an edge node; Hadoop MapReduce, Sqoop and Hive UDFs call the HP SecureData servers to protect the data before it reaches Teradata and its analytics UDFs, with Cognos reporting downstream.]
Example – Health Care Insurance Company: Fortune 100 company, managed health care and health care insurance
• Data security for traditional enterprise apps, hybrid apps: secure data as part of a strategic enterprise-wide data security strategy
• Secure communications: encrypted email communications, billing statements, claims and mobile interactions for patients and employees
• Improve customer information, reduce prescription fraud and reverse claim overpayment: quick detection and analysis of customer health status, automated fraud detection and quick detection of claim overpayments
• Enable competitive advantage: formed internal data exploration hackathons using de-identified data to create market innovations and detect risks
• HP SecureData protects business processes, increases agility and improves customer interaction
• Enables innovation through data access without risking compliance and privacy regulations (HIPAA/HITECH, PCI, etc.)
• De-identifies and shares data from multiple data sources; enables analytics on sensitive data
• Shows that the most effective way of protecting the data is at the field level
• HP SecureMail protects sensitive PII and PHI throughout the enterprise, email and cloud to customers & extended ecosystem
Data Sovereignty is Complicated
• Legal, contractual, technological mesh
• Where is a data center located, whose data is being stored
• No uniform standards, often directly conflicting laws
– E.g. USA Patriot Act vs. European Data Protection Directive
• Some jurisdictions are particularly complex
– Patchwork of federal, territory, and provincial laws
“Landmark ruling could pose serious concerns for European firms wary of the cloud.”
– Dan Worth, V3.com
Example – Cloud Data De-Identification, Data Residency – Top European Bank Solving European Data Residency Challenges in core banking
• Data Residency Problem
– Central Banking
– Accenture Core Banking Application
• Challenge:
– CSSF regulation driven
– $150m investment at risk
• Data Residency EU Privacy Challenge
– Data Ops in Portugal
– Customer Data in Luxembourg
– IBM mainframe in scope
– Need for data separation between Luxembourg and Portugal
• HP FPE Technology critical enabler for rapid compliance
– First EU Bank to meet strict new CSSF regulation
– Avoided $150m data center cost.
Solution Components
IBM Mainframe, Core Banking
HP SecureData
Implementation with GSI
(C) 2015 Voltage Security, Inc. All Rights Reserved - Confidential
Example – Australia's number one direct wine store
• Retail and Online merchant
– Largest e-commerce retailer in Australia
– Part of Tier 1 parent
– > 330,000 customers
– Payment flow with multiple processors
• Goal - PCI Compliance and de-scoping
• Solution
– Voltage SecureData Web & Voltage SecureData Enterprise
• Outcome
– PCI scope reduction, reduced breach risk
– Deployed in < 60 days
Solution Components
HP SecureData Web
HP SecureData Enterprise
Wine store e-commerce PCI scope reduction
[Diagram: the online shopper's browser (desktop or mobile) encrypts card and purchase data at capture using PIE; the ciphertext travels over the Internet to the merchant's web infrastructure environment (store front, e-commerce applications & retail system interfaces), which is out of PCI scope (green) because it only ever handles ciphertext; SecureData Web decrypts inside the cardholder data environment, which stays in scope of PCI (red), and passes the card data on to the payment processors.]
HP SecureData for HP NonStop
• HP SecureData Host SDK
− Available on HP NonStop Guardian and OSS
− Host decryption and tokenization capabilities for PAN data
• HP SecureData Simple API
− Available on: HP NonStop OSS and HP-UX
Integration with Teradata and Informatica
• Teradata
− Exploits Teradata's multi-node parallelism
− Implemented through UDFs
− UDFs invoked through SQL and triggers/views
− Distributed on nodes for high performance
• Informatica
− Integration through “hooks” in ILM and DDM
− Modify ETL routine to call HP Security Voltage for encryption or tokenization
− Implemented through SOAP, native API or command line tool
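The UDF pattern above (protection functions called from SQL and from views) and the de-identified analytics dataflow shown later in the deck can be reproduced with SQLite from the Python standard library. This is an added example, not HP's UDFs, Teradata or Informatica code. The de-identification is a keyed HMAC pseudonym rather than FPE or SST, which is enough to show the point: analysts query views that expose only tokens and masked PANs, yet a join on the tokenized SSN yields the same aggregate as the privileged query on the raw tables. The table names, key and sample rows are constructed.

```python
import hashlib
import hmac
import sqlite3

DEID_KEY = b"landing-zone-key"  # assumption: issued by the key server in a real deployment
DIGITS = "0123456789"

# constructed sample rows: (customer_id, ssn, pan, state) and (txn_id, ssn, amount_cents)
CUSTOMERS = [
    (1, "934-72-2356", "4444333322221111", "NY"),
    (2, "521-40-8811", "4111111111111111", "CA"),
    (3, "777-12-9090", "5500000000000004", "NY"),
]
TRANSACTIONS = [
    (101, "934-72-2356", 12000),
    (102, "521-40-8811", 7550),
    (103, "934-72-2356", 3000),
    (104, "777-12-9090", 9999),
]


def deidentify(value):
    """Keyed, deterministic pseudonym: equal inputs give equal tokens, so joins
    across tables still line up, but the token cannot be reversed without the key."""
    if value is None:
        return None
    return hmac.new(DEID_KEY, str(value).encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def mask_pan(pan):
    """Mask a card number down to its last four digits."""
    if pan is None:
        return None
    digits = "".join(c for c in pan if c in DIGITS)
    return "X" * (len(digits) - 4) + digits[-4:]


def open_protected_db():
    """Load the raw rows, register the UDFs, and expose de-identified views."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("deidentify", 1, deidentify)
    conn.create_function("mask_pan", 1, mask_pan)
    conn.executescript("""
        CREATE TABLE customers(customer_id INTEGER, ssn TEXT, pan TEXT, state TEXT);
        CREATE TABLE transactions(txn_id INTEGER, ssn TEXT, amount_cents INTEGER);
        -- the analytics zone is only granted these views, never the base tables
        CREATE VIEW customers_deid AS
            SELECT customer_id, deidentify(ssn) AS ssn_token,
                   mask_pan(pan) AS pan_masked, state
            FROM customers;
        CREATE VIEW transactions_deid AS
            SELECT txn_id, deidentify(ssn) AS ssn_token, amount_cents
            FROM transactions;
    """)
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", CUSTOMERS)
    conn.executemany("INSERT INTO transactions VALUES (?, ?, ?)", TRANSACTIONS)
    return conn


ANALYST_QUERY = """
    SELECT c.state, SUM(t.amount_cents)
    FROM customers_deid c JOIN transactions_deid t ON c.ssn_token = t.ssn_token
    GROUP BY c.state ORDER BY c.state
"""
PRIVILEGED_QUERY = """
    SELECT c.state, SUM(t.amount_cents)
    FROM customers c JOIN transactions t ON c.ssn = t.ssn
    GROUP BY c.state ORDER BY c.state
"""


def spend_by_state(conn, privileged=False):
    """Spend per state; the analyst path joins on tokens, the privileged path on raw SSNs."""
    return dict(conn.execute(PRIVILEGED_QUERY if privileged else ANALYST_QUERY).fetchall())


def deid_views_leak(conn):
    """True if any raw SSN or PAN value is visible through the de-identified views."""
    raw = {row[1] for row in CUSTOMERS} | {row[2] for row in CUSTOMERS}
    seen = set()
    for row in conn.execute("SELECT ssn_token, pan_masked FROM customers_deid"):
        seen.update(row)
    for (token,) in conn.execute("SELECT ssn_token FROM transactions_deid"):
        seen.add(token)
    return bool(raw & seen)


if __name__ == "__main__":
    db = open_protected_db()
    print("analyst view   :", spend_by_state(db))
    print("privileged view:", spend_by_state(db, privileged=True))
    print("raw values leak through views:", deid_views_leak(db))
```

In a real warehouse the grant on the base tables is what enforces the split between analytics and privileged analytics; the views only decide what the UDF returns. A keyed pseudonym is one-way, so a privileged path that needs the original value has to go back to the source table (or, with FPE or a tokenization server, to a detokenize call gated by policy).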
HP SecureData for IBM z/OS
• HP SecureData z/Protect API
− Uses a “started task” to do actual work
− Batch programs/CICS transactions call minimal APIs
− Support for HP FPE and native HP SST on z/OS
• HP SecureData z/FPE
− The z/OS Bulk Data Protection Tool
− Bulk protection of data: flat files, DB2, IMS, VSAM, etc.
− Enables easy data protection and masking
− Can use Rexx, COBOL, PL/I, C, other languages
HP SecureMail
• Simple, native user experience – just like regular email
− Outlook, iPhone, iPad, Android, Blackberry, Web
• HP Stateless Key Management Architecture
− No key or message stores to manage
− Low operational and infrastructure costs
• Single HP IBE solution for all use cases
− Internal and external protection and compliance
− Single technology (IBE, 100% push, message format)
• Outlook, Exchange, Windows AD Support
− Global address list, distribution lists, contacts
− AD Authentication, AD Groups
• The world’s most popular email encryption solution
− It just works
Options for Securing Data in Hadoop with HP Security Voltage
[Diagram: options for securing data in Hadoop, numbered 1–7. Data arrives from applications & data sources into an ETL & batch landing zone, is stored in the Hadoop cluster (HDFS, with storage encryption as the baseline), is processed by Hadoop jobs & analytics, and leaves through an egress zone to BI tools & downstream applications. HP Security Voltage interface points can protect or de-identify data at the source applications, in ETL & batch, inside Hadoop jobs, and at egress. Legend: standard application; application with HP Security Voltage interface point; unprotected data; de-identified data.]
Sample Big Data Analytics Dataflow
[Diagram: sensitive structured data sources feed an ETL / landing zone where de-identification is performed against the HP SecureData key servers & tokenization servers. De-identified data flows into Teradata (analytics via UDFs), Hadoop (UDFs, MapReduce & Sqoop) and HP Vertica (UDFs), and on to BI tools; privileged analytics paths that need original values go back through the UDFs.]