To Serve and Protect: Making Sense of Hadoop Security

Grab some coffee and enjoy the preshow banter before the top of the hour!

Upload: inside-analysis

Post on 16-Jan-2017

Category: Technology

TRANSCRIPT

Page 1: To Serve and Protect: Making Sense of Hadoop Security

Grab some coffee and enjoy the pre-show banter before the top of the hour!

Page 2: To Serve and Protect: Making Sense of Hadoop Security

The Briefing Room

To Serve and Protect: Making Sense of Hadoop Security

Page 3: To Serve and Protect: Making Sense of Hadoop Security

Twitter Tag: #briefr The Briefing Room

Welcome

Host: Eric Kavanagh

@eric_kavanagh

Page 4: To Serve and Protect: Making Sense of Hadoop Security

Mission

• Reveal the essential characteristics of enterprise software, good and bad

• Provide a forum for detailed analysis of today’s innovative technologies

• Give vendors a chance to explain their product to savvy analysts

• Allow audience members to pose serious questions... and get answers!

Page 5: To Serve and Protect: Making Sense of Hadoop Security


Topics

September: HADOOP 2.0

October: DATA MANAGEMENT

November: ANALYTICS

Page 6: To Serve and Protect: Making Sense of Hadoop Security


Page 7: To Serve and Protect: Making Sense of Hadoop Security


Analyst: Robin Bloor

Robin Bloor is Chief Analyst at The Bloor Group

@robinbloor

Page 8: To Serve and Protect: Making Sense of Hadoop Security


HP Security Voltage

• HP recently acquired Voltage Security (now HP Security Voltage) to expand its data security solutions for big data and the cloud

• HP Security Voltage provides data and email protection

• Its security product features data encryption, tokenization and key management over structured and unstructured data, including data in Hadoop

Page 9: To Serve and Protect: Making Sense of Hadoop Security


Guest: Sudeep Venkatesh

Sudeep Venkatesh is a noted expert in data protection solutions, bringing over a decade of industry and technology experience in this area to HP Security Voltage. His expertise spans data protection, security infrastructures, cloud security, identity and access management, encryption, and the PCI standards both for the commercial and government sectors. He has worked on numerous global security projects with Fortune 500 firms in the United States and globally. At HP Security Voltage, Sudeep serves in the position of Vice President of Solution Architecture, with responsibility over designing solutions for some of HP Security Voltage's largest customers in the end-to-end data protection portfolio. This includes email, file and document encryption, as well as the protection of sensitive data in databases, applications and payments systems.

Page 10: To Serve and Protect: Making Sense of Hadoop Security

© Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. HP Restricted

HP Security Voltage

Data-Centric Security & Encryption Solutions

Sudeep Venkatesh

September 22, 2015

Page 11: To Serve and Protect: Making Sense of Hadoop Security

Attack Life Cycle

• Research: Research Potential Targets

• Infiltration: Phishing Attack and Malware

• Discovery: Mapping Breached Environment

• Capture: Obtain data

• Exfiltration/Damage: Exfiltrate/Destroy Stolen Data

• Monetization: Data Sold on Black Market

Page 12: To Serve and Protect: Making Sense of Hadoop Security

© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Why is Securing Hadoop Difficult?

• Multiple sources of data from multiple enterprise systems, and real-time feeds with varying (or unknown) protection requirements

• Rapid innovation in a well-funded open-source developer community

• Multiple types of data combined together in the Hadoop “data lake”

Page 13: To Serve and Protect: Making Sense of Hadoop Security


Why is Securing Hadoop Difficult?

• Automatic replication of data across multiple nodes once entered into the HDFS data store

• Access by many different users with varying analytic needs

• Reduced control if Hadoop clusters are deployed in a cloud environment

Page 14: To Serve and Protect: Making Sense of Hadoop Security

Existing Ways to Secure Hadoop

• Existing IT security

  − Network firewalls

  − Logging and monitoring

  − Configuration management

• Enterprise-scale security for Apache Hadoop

  − Apache Knox: Perimeter security

  − Kerberos: Strong authentication

  − Apache Ranger: Monitoring and Management

Need to augment these with “data-centric” protection of data in use, in motion and at rest

Page 15: To Serve and Protect: Making Sense of Hadoop Security


What is Data-Centric Protection?

[Figure: Data Security Coverage across the Data Ecosystem, showing Security Gaps]

• Data Ecosystem: Storage, File Systems, Databases, Data & Applications, Middleware

• Traditional IT Infrastructure Security: Disk Encryption, Database Encryption, SSL/TLS/Firewalls, SSL/TLS/Firewalls, Authentication Management

• Threats to Data: Malware, Insiders; SQL Injection, Malware; Traffic Interceptors; Malware, Insiders; Credential Compromise

• Security Gaps: marked four times in the figure

Page 16: To Serve and Protect: Making Sense of Hadoop Security


What Kind of Protection Closes the Security Gap?

Page 17: To Serve and Protect: Making Sense of Hadoop Security


End-to-End Sensitive Data Protection at Rest, in Motion, and in Use

[Figure: Data Security Coverage across the Data Ecosystem, showing Security Gaps and HP Security Voltage Data-centric Security]

• Data Ecosystem: Storage, File Systems, Databases, Data & Applications, Middleware

• Traditional IT Infrastructure Security: Disk Encryption, Database Encryption, SSL/TLS/Firewalls, SSL/TLS/Firewalls, Authentication Management

• Threats to Data: Malware, Insiders; SQL Injection, Malware; Traffic Interceptors; Malware, Insiders; Credential Compromise

• Security Gaps: marked four times in the figure

• HP Security Voltage Data-centric Security: End-to-end Data Protection

Page 18: To Serve and Protect: Making Sense of Hadoop Security

How to Protect Your Data

Credit Card: 1234 5678 8765 4321

SSN: 934-72-2356

Email: [email protected]

DOB: 31-07-1966

AES:

FIWUYBw3Oiuqwriuweuwr%oIUOw1DF^

8juYE%Uks&dDFa2 345^WFLERG

lja&3k24kQotugDF2390^32 OOWioNu2(*872weWOiuqwriuweuwr%oIUOw1@

3k24kQotugDF2390^320OW%i

Full: 8736 5533 4678 9453, 347-98-8309, [email protected], 20-05-1972

Partial: 1234 5681 5310 4321, 634-34-2356, [email protected], 20-05-1972

Obvious: 8736 5533 4678 9453, 347-98-8309, [email protected], 20-05-1972

Field Level, Format-Preserving, Reversible Data De-Identification

Page 19: To Serve and Protect: Making Sense of Hadoop Security

Use Case: Global Financial Services Company

Need

• Customer is rapidly moving to adopt open source storage and data analysis platforms

• Use cases: Fraud detection, marketing (360 degree view of what the customer is doing, to provide more relevant marketing), creating data sets or reports to sell or provide to other companies, financial modeling

• Invested in multiple data warehouse and big data platforms

• Using complex ETL tools to import data into Hadoop from sources including mainframe, distributed databases, flat files, etc.

• Protection in Hadoop is the first step in an enterprise wide data protection strategy

Solution

• Protect sensitive PCI and PII data as it is being imported into Hadoop. Fields protected include PAN, Bank Account, SSN, Address, City, Zip Code, Date of Birth

• HP Secure Stateless Tokenization (SST) offers PCI audit scope reduction for the Hadoop environment

• Central key and policy management infrastructure can scale enterprise wide to mainframe and distributed platforms

• Data can be protected at ingestion through integration with Sqoop and MapReduce

Page 20: To Serve and Protect: Making Sense of Hadoop Security

Use Case: Health Care Insurance Company

Need

• Better health analysis to customers: One of their use cases for Hadoop is to provide better analysis of health status to customers on their web site

• Catch prescription fraud: Fraudsters collect prescriptions from 5-6 doctors and get them filled by 5-6 pharmacies. The manual process takes several weeks to track. Hadoop will enable them to do this almost instantly

• Reverse claim overpayment: Often times claims are overpaid based on errors and mistakes. They hope to catch this as it happens with Hadoop

• Developer hackathons: Open the system up to their Hadoop developers as a sandbox, enabling innovation, discovery and competitive advantage – without risk

Solution

• Utilized the massive un-tapped data sets for analysis that were hampered by compliance and risk

• Integrated HP SecureData in Sqoop so data is de-identified as it is copied from databases

• Ability to initially scale to 1000 Hadoop nodes

• Currently investigating the use of HP SecureData enterprise wide for open systems and mainframe platforms

• Enabling innovation through data access without risk with HIPAA/HITECH regulated data sets

Page 21: To Serve and Protect: Making Sense of Hadoop Security

Use Case: Global Telecommunications Leader Protecting PII Throughout Large Scale Legacy and New Applications

Need

• Protect 26 data types constituting PII, 500 Apps, mainframe, Teradata, Windows, Unix

• Secure data types regardless of platform

• Support wide variety of platforms including mainframe, open systems and big data platforms

• Reduce costs of having to protect data in each app and each database

Solution

• HP SecureData with HP Format-Preserving Encryption applied to hundreds of apps and databases

• Preservation of data formats and relationships

• Native support for z/OS, Teradata, Hadoop and Open Systems

Results

• Created SaaS, leveraged company-wide

• Protected 26 data types in over 700 applications

• Solution management required less than 1 FTE

Page 22: To Serve and Protect: Making Sense of Hadoop Security

HP Security Voltage, a Leader in Data-Centric Security

safeguarding data throughout its entire lifecycle – at rest, in motion, in use – across big data, cloud, on-premise and mobile environments with continuous protection

www.voltage.com/hadoop

Page 23: To Serve and Protect: Making Sense of Hadoop Security


Questions?

Page 24: To Serve and Protect: Making Sense of Hadoop Security


Thank you

Page 25: To Serve and Protect: Making Sense of Hadoop Security


Perceptions & Questions

Analyst: Robin Bloor

Page 26: To Serve and Protect: Making Sense of Hadoop Security

Securing Hadoop

Robin Bloor, PhD

Page 27: To Serve and Protect: Making Sense of Hadoop Security

The Sorry Truth

Security was never engineered into IT systems

It was always an afterthought

So it is with Hadoop

Page 28: To Serve and Protect: Making Sense of Hadoop Security

Windows of Opportunity…

• The “security surface” that needs protection is always growing

• Security solutions tend to be fragmented

• The value targets are health and credit card data

• Big data is just another opportunity for the cyber thief – only bigger

Page 29: To Serve and Protect: Making Sense of Hadoop Security

Hadoop Staging

Page 30: To Serve and Protect: Making Sense of Hadoop Security

Hadoop In Use

Page 31: To Serve and Protect: Making Sense of Hadoop Security

Hadoop Security

• Hadoop presents a wide area of vulnerability

• Role-based access is required (for self-service)

• Encryption is probably a necessity

• Format-preserving encryption is preferable

Page 32: To Serve and Protect: Making Sense of Hadoop Security

The Net Net

IT security is STRATEGIC

Encryption is a primary plank of this

Page 33: To Serve and Protect: Making Sense of Hadoop Security

• How “inconvenient” is HP Voltage Security? Please describe an implementation. What does the user experience?

• Security often comes with performance penalties. What is the performance cost of HP Security Voltage?

• Security needs to be integrated, so encryption needs to shake hands with authentication. How does this work with HP Voltage?

• Costs?

Page 34: To Serve and Protect: Making Sense of Hadoop Security

• Are there any environments to which HP Security Voltage’s technology is inapplicable: OLTP, Data Streaming & Streaming Analytics, BI, Mobile, Cloud,…

• Which platforms/environments are supported?

• Which other security vendors/technologies does HP partner with for data center solutions?

Page 35: To Serve and Protect: Making Sense of Hadoop Security


Page 36: To Serve and Protect: Making Sense of Hadoop Security


Upcoming Topics

www.insideanalysis.com

September: HADOOP 2.0

October: DATA MANAGEMENT

November: ANALYTICS

Page 37: To Serve and Protect: Making Sense of Hadoop Security

THANK YOU for your ATTENTION!

Some images provided courtesy of Wikimedia Commons