Grab some coffee and enjoy the pre-show banter before the top of the hour!
The Briefing Room
To Serve and Protect: Making Sense of Hadoop Security
Twitter Tag: #briefr The Briefing Room
Mission
• Reveal the essential characteristics of enterprise software, good and bad
• Provide a forum for detailed analysis of today’s innovative technologies
• Give vendors a chance to explain their product to savvy analysts
• Allow audience members to pose serious questions... and get answers!
Topics
September: HADOOP 2.0
October: DATA MANAGEMENT
November: ANALYTICS
Analyst: Robin Bloor
Robin Bloor is Chief Analyst at The Bloor Group
[email protected] @robinbloor
HP Security Voltage
HP recently acquired Voltage Security (now HP Security Voltage) to expand its data security solutions for big data and the cloud
HP Security Voltage provides data and email protection
Its security product features data encryption, tokenization and key management over structured and unstructured data, including data in Hadoop
Guest: Sudeep Venkatesh
Sudeep Venkatesh is a noted expert in data protection solutions, bringing over a decade of industry and technology experience in this area to HP Security Voltage. His expertise spans data protection, security infrastructures, cloud security, identity and access management, encryption, and the PCI standards both for the commercial and government sectors. He has worked on numerous global security projects with Fortune 500 firms in the United States and globally. At HP Security Voltage, Sudeep serves in the position of Vice President of Solution Architecture, with responsibility over designing solutions for some of HP Security Voltage's largest customers in the end-to-end data protection portfolio. This includes email, file and document encryption, as well as the protection of sensitive data in databases, applications and payments systems.
© Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. HP Restricted
HP Security Voltage Data-Centric Security & Encryption Solutions Sudeep Venkatesh
September 22, 2015
Attack Life Cycle
• Research: Research Potential Targets
• Infiltration: Phishing Attack and Malware
• Discovery: Mapping Breached Environment
• Capture: Obtain data
• Exfiltration/Damage: Exfiltrate/Destroy Stolen Data
• Monetization: Data Sold on Black Market
© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Why is Securing Hadoop Difficult?
• Multiple sources of data from multiple enterprise systems, and real-time feeds with varying (or unknown) protection requirements
• Rapid innovation in a well-funded open-source developer community
• Multiple types of data combined together in the Hadoop “data lake”
• Automatic replication of data across multiple nodes once entered into the HDFS data store
• Access by many different users with varying analytic needs
• Reduced control if Hadoop clusters are deployed in a cloud environment
Existing Ways to Secure Hadoop
• Existing IT security
  − Network firewalls
  − Logging and monitoring
  − Configuration management
• Enterprise-scale security for Apache Hadoop
  − Apache Knox: Perimeter security
  − Kerberos: Strong authentication
  − Apache Ranger: Monitoring and Management
Need to augment these with “data-centric” protection of data in use, in motion and at rest
What is Data-Centric Protection?
[Figure: Data Security Coverage. The data ecosystem (Storage, File Systems, Databases, Middleware, Data & Applications) shown against traditional IT infrastructure security (Disk Encryption, Database Encryption, SSL/TLS/Firewalls, Authentication Management) and the threats to data (Malware, Insiders, SQL Injection, Traffic Interceptors, Credential Compromise), with the security gaps between the layers marked.]
What Kind of Protection Closes the Security Gap?
End-to-End Sensitive Data Protection at Rest, in Motion, and in Use
[Figure: the same Data Security Coverage diagram (data ecosystem, traditional IT infrastructure security, threats to data, security gaps), with HP Security Voltage Data-centric Security shown as End-to-end Data Protection spanning the security gaps.]
How to Protect Your Data
Credit Card: 1234 5678 8765 4321
SSN: 934-72-2356
Email: [email protected]
DOB: 31-07-1966
AES:
FIWUYBw3Oiuqwriuweuwr%oIUOw1DF^
8juYE%Uks&dDFa2 345^WFLERG
lja&3k24kQotugDF2390^32 OOWioNu2(*872weWOiuqwriuweuwr%oIUOw1@
3k24kQotugDF2390^320OW%i
Full: 8736 5533 4678 9453 | 347-98-8309 | [email protected] | 20-05-1972
Partial: 1234 5681 5310 4321 | 634-34-2356 | [email protected] | 20-05-1972
Obvious: 8736 5533 4678 9453 | 347-98-8309 | [email protected] | 20-05-1972
Field Level, Format-Preserving, Reversible Data De-Identification
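An added sketch, not HP's code or algorithm and not the NIST FF1 mode, of the field-level, format-preserving, reversible idea on this slide: a toy Feistel cipher over decimal digits that rewrites only the digits of a field, optionally leaving leading and trailing digits in the clear as in the "Partial" row. The key, function names and round count are assumptions made for illustration.

```python
import hashlib
import hmac

ROUNDS = 10  # assumption: even, illustrative round count (not a vetted parameter)
KEY = b"constructed-demo-key"  # constructed sample key; real keys come from a key manager

def _f(key: bytes, rnd: int, half: str, width: int) -> int:
    """Keyed round function: HMAC-SHA256 over (round, half), reduced mod 10**width."""
    mac = hmac.new(key, f"{rnd}|{half}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % 10 ** width

def _feistel(key: bytes, digits: str, decrypt: bool) -> str:
    """Alternating Feistel network on a decimal string; length is preserved."""
    if len(digits) < 2:
        raise ValueError("need at least two digits to protect")
    u = len(digits) // 2
    v = len(digits) - u
    a, b = digits[:u], digits[u:]
    for i in (reversed(range(ROUNDS)) if decrypt else range(ROUNDS)):
        m = u if i % 2 == 0 else v  # width of the half rewritten in round i
        if decrypt:
            a, b = str((int(b) - _f(key, i, a, m)) % 10 ** m).zfill(m), a
        else:
            a, b = b, str((int(a) + _f(key, i, b, m)) % 10 ** m).zfill(m)
    return a + b

def _transform(key: bytes, value: str, head: int, tail: int, decrypt: bool) -> str:
    """Rewrite only the digits of value; separators and the first `head` and
    last `tail` digits stay in the clear."""
    digits = [c for c in value if "0" <= c <= "9"]
    end = len(digits) - tail
    middle = _feistel(key, "".join(digits[head:end]), decrypt)
    out = iter(digits[:head] + list(middle) + digits[end:])
    return "".join(next(out) if "0" <= c <= "9" else c for c in value)

def protect(key: bytes, value: str, head: int = 0, tail: int = 0) -> str:
    return _transform(key, value, head, tail, decrypt=False)

def reveal(key: bytes, value: str, head: int = 0, tail: int = 0) -> str:
    return _transform(key, value, head, tail, decrypt=True)

if __name__ == "__main__":
    # Sample values are the ones shown on the slide.
    for value, head, tail in [("1234 5678 8765 4321", 4, 4), ("934-72-2356", 0, 0)]:
        token = protect(KEY, value, head, tail)
        print(value, "->", token, "->", reveal(KEY, token, head, tail))
```

Because the mapping is deterministic per key, equal inputs produce equal protected values, so joins on a protected column still line up.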
Use Case: Global Financial Services Company
Need
• Customer is rapidly moving to adopt open source storage and data analysis platforms
• Use cases: Fraud detection, marketing (360-degree view of what the customer is doing, to provide more relevant marketing), creating data sets or reports to sell or provide to other companies, financial modeling
• Invested in multiple data warehouse and big data platforms
• Using complex ETL tools to import data into Hadoop from sources including mainframe, distributed databases, flat files, etc.
• Protection in Hadoop is the first step in an enterprise-wide data protection strategy
Solution
• Protect sensitive PCI and PII data as it is being imported into Hadoop. Fields protected include PAN, Bank Account, SSN, Address, City, Zip Code, Date of Birth
• HP Secure Stateless Tokenization (SST) offers PCI audit scope reduction for the Hadoop environment
• Central key and policy management infrastructure can scale enterprise-wide to mainframe and distributed platforms
• Data can be protected at ingestion through integration with Sqoop and MapReduce
Use Case: Health Care Insurance Company
Need
• Better health analysis to customers: One of their use cases for Hadoop is to provide better analysis of health status to customers on their web site
• Catch prescription fraud: Fraudsters collect prescriptions from 5-6 doctors and get them filled by 5-6 pharmacies. The manual process takes several weeks to track. Hadoop will enable them to do this almost instantly
• Reverse claim overpayment: Oftentimes claims are overpaid based on errors and mistakes. They hope to catch this as it happens with Hadoop
• Developer hackathons: Open the system up to their Hadoop developers as a sandbox, enabling innovation, discovery and competitive advantage – without risk
Solution
• Utilized the massive untapped data sets for analysis that were hampered by compliance and risk
• Integrated HP SecureData in Sqoop so data is de-identified as it is copied from databases
• Ability to initially scale to 1000 Hadoop nodes
• Currently investigating the use of HP SecureData enterprise-wide for open systems and mainframe platforms
• Enabling innovation through data access without risk with HIPAA/HITECH regulated data sets
Use Case: Global Telecommunications Leader Protecting PII Throughout Large Scale Legacy and New Applications
Need
• Protect 26 data types constituting PII, 500 Apps, mainframe, Teradata, Windows, Unix
• Secure data types regardless of platform
• Support wide variety of platforms including mainframe, open systems and big data platforms
• Reduce costs of having to protect data in each app and each database
Solution
• HP SecureData with HP Format-Preserving Encryption applied to hundreds of apps and databases
• Preservation of data formats and relationships
• Native support for z/OS, Teradata, Hadoop and Open Systems
Results
• Created SaaS, leveraged company-wide
• Protected 26 data types in over 700 applications
• Solution management required less than 1 FTE
HP Security Voltage, a Leader in Data-Centric Security
safeguarding data throughout its entire lifecycle – at rest, in motion, in use – across big data, cloud, on-premise and mobile environments with continuous protection
www.voltage.com/hadoop
Questions?
Thank you
Perceptions & Questions
Analyst: Robin Bloor
Securing Hadoop
Robin Bloor, PhD
The Sorry Truth
Security was never engineered into IT systems
It was always an afterthought
So it is with Hadoop
Windows of Opportunity…
• The “security surface” that needs protection is always growing
• Security solutions tend to be fragmented
• The value targets are health and credit card data
• Big data is just another opportunity for the cyber thief – only bigger
Hadoop Staging
Hadoop In Use
Hadoop Security
• Hadoop presents a wide area of vulnerability
• Role-based access is required (for self-service)
• Encryption is probably a necessity
• Format-preserving encryption is preferable
The Net Net
IT security is STRATEGIC
Encryption is a primary plank of this
• How “inconvenient” is HP Voltage Security? Please describe an implementation. What does the user experience?
• Security often comes with performance penalties. What is the performance cost of HP Security Voltage?
• Security needs to be integrated, so encryption needs to shake hands with authentication. How does this work with HP Voltage?
• Costs?
• Are there any environments to which HP Security Voltage’s technology is inapplicable: OLTP, Data Streaming & Streaming Analytics, BI, Mobile, Cloud,…
• Which platforms/environments are supported?
• Which other security vendors/technologies does HP partner with for data center solutions?
Upcoming Topics
www.insideanalysis.com
September: HADOOP 2.0
October: DATA MANAGEMENT
November: ANALYTICS
THANK YOU for your ATTENTION!
Some images provided courtesy of Wikimedia Commons