Securing Big Data as we use it. - Arrow...
Securing Big Data as we use it. Albert Biketi VP & GM, Data Security HPE Software August 2016
Discussion Agenda
• Intro
• Why we care about Big Data and the trends around it
• Challenges of securing Big Data in enterprises
• How we help, and some case studies
Transform to a hybrid infrastructure
Enable workplace productivity
Protect your digital enterprise
Empower the data-driven organization
Proactively protect the interactions between users, applications and data across any location or device.
Hewlett Packard Enterprise: Protect your digital enterprise
Users. Applications. Data. Our focus is on protecting the interactions between users, applications, and data
HPE Security Fortify – This is your code

    Statement statement3 = connection.createStatement(
        ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
    // pull the USER_COOKIE from the cookies
    String user = getCookie(s);
    // the cookie value is concatenated straight into the SQL text: this is the SQL injection Fortify flags
    String query = "SELECT * FROM user_data WHERE last_name = '" + user + "'";
    Vector<String> v = new Vector<String>();
    try {
        ResultSet results = statement3.executeQuery(query);
        while (results.next()) {
            String type = results.getString("cc_type");
            String num = results.getString("cc_number");
            v.addElement(type + "-" + num);
        }
    } catch (SQLException e) {
        // error handling omitted on the slide
    }

84% of successful attacks compromise application vulnerabilities
Most breaches target sensitive data
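The slide's Java snippet builds its query by string concatenation, which is exactly the defect a scanner like Fortify reports. The following is an added example, not code from the slide or from HPE: it recreates the same lookup against a constructed in-memory SQLite table (stand-in for the slide's user_data table), once with the concatenation defect and once with the value bound as a parameter, and uses a tautology input as a regression test to show that only the parameterized version is unaffected. The table contents, column names and the function names are assumptions for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the slide's user_data table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_data (last_name TEXT, cc_type TEXT, cc_number TEXT)")
    conn.executemany(
        "INSERT INTO user_data VALUES (?, ?, ?)",
        [("Robertson", "VISA", "4111-xxxx-xxxx-0001"),
         ("Smith", "MC", "5500-xxxx-xxxx-0002"),
         ("Nguyen", "AMEX", "3400-xxxx-xxxx-0003")],
    )
    return conn


def lookup_vulnerable(conn, user):
    """Same defect as the slide: the cookie value is pasted into the SQL text."""
    query = "SELECT cc_type, cc_number FROM user_data WHERE last_name = '" + user + "'"
    return [f"{cc_type}-{cc_number}" for cc_type, cc_number in conn.execute(query)]


def lookup_parameterized(conn, user):
    """Hardened form: the value is bound as a parameter, so it is data, never SQL syntax."""
    query = "SELECT cc_type, cc_number FROM user_data WHERE last_name = ?"
    return [f"{cc_type}-{cc_number}" for cc_type, cc_number in conn.execute(query, (user,))]


# Regression-test input: a tautology that turns the concatenated WHERE clause into "match everything".
# Once the query is parameterized it is just a last name nobody has, and matches nothing.
TAUTOLOGY = "x' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, normal input:  ", lookup_vulnerable(conn, "Smith"))
    print("vulnerable, tautology:     ", lookup_vulnerable(conn, TAUTOLOGY))   # every row leaks
    print("parameterized, tautology:  ", lookup_parameterized(conn, TAUTOLOGY))  # []
```

The parameterized form is the fix the static analyser is asking for; in the Java of the slide it corresponds to a PreparedStatement with a `?` placeholder and `setString`, which is the same idea the sqlite3 `?` binding shows here.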
© Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
538 reported in 2016
100s of ransom events
6 missing drives
13M records
Hospital was hostage
950,000 notifications
2016 YTD data to July 19, 2016 (US). Data source: Identity Theft Resource Center (ITRC)
Big Data: Why we care
Have you ever been sick?
Sepsis Noun (MEDICINE)
“the presence in tissues of harmful bacteria and their toxins, typically through infection of a wound.”
Photo By James Heilman, MD - Own work, CC BY-SA 3.0
Sepsis
50% of hospital deaths
56% of deaths were in less severe, non-ICU cases
25% of all hospital charges or $24B in annual direct costs
Occurs in just 10% of hospital patients but 10x the death rate vs. patients without sepsis.
Sources: Journal of the American Medical Association (JAMA); Journal of the American Medical Informatics Association; Centers for Disease Control (CDC); Kaiser Permanente Northern California; Agency for Healthcare Research and Quality
Monitoring a few key variables carefully can reduce sepsis risk significantly by allowing early intervention.
Improving business through pricing changes
On average, a 1% price increase translates into an 8.7% increase in operating profits (assuming no loss of volume, of course).
Yet 30% of pricing changes don't deliver business value.
Related trends
Big Data & Analytics – Insights for a competitive edge
Internet of Things (e.g., edge computing) – Changing what compute means
Machine Learning Algorithms – New sources of knowledge & IP
Big Data: Challenges in enterprise security
• Data is exploding, in both uses and sources
• Adversaries (the bad guys) are innovating
• Regulation is accelerating
• The Big Data ecosystem also has rapid innovation
Key success factors for enterprises investing in Data Security
• Well-understood dimensions of risk – sensitivity, location, inappropriate access
• Appropriate business owners for data identified – owners understand context, IT/Security has controls
• Leverage existing processes and systems – used to drive results practically from concept to reality
How we help secure Big Data in use
Why do enterprises care about encryption? Encryption is an area poised for wider adoption: it has the 2nd-highest ROI against cyber crime.
Ordinary Encryption and the Suitcase Problem
What does this have to do with how encryption is commonly implemented?
Decryption occurs too frequently: most applications use data that is otherwise stored encrypted at rest completely in the clear.
HPE SecureData provides this protection
Traditional IT Infrastructure Security vs. HPE SecureData Data-centric Security

Diagram, traditional side (layers: Storage, File Systems, Databases, Middleware/Network, Data & Applications):
Controls – Disk encryption; Database encryption; SSL/TLS/firewalls; Authentication Management
Threats to Data – Malware, Insiders; SQL injection, Malware; Traffic Interceptors; Malware, Insiders; Credential Compromise
Security gaps remain between each of these layers.

Diagram, HPE SecureData side: data security coverage is end-to-end protection across the whole Data Ecosystem (Storage, File Systems, Databases, Middleware/Network, Data & Applications), with SSL/TLS/firewalls retained.
HPE Format-Preserving Encryption (FPE)
– Supports data of any format: name, address, dates, numbers, etc.
– Preserves referential integrity
– Only applications that need the original value need change
– Used for production protection and data masking

Example:
Tax ID 934-72-2356 -> AES: 8juYE%Uks&dDFa2345^WFLERG -> FPE: 253-67-2356
Record: First Name: Gunther, Last Name: Robertson, SSN: 934-72-2356, DOB: 08-07-1966
  -> AES: Ija&3k24kQotugDF2390^32 0OWioNu2(*872weW Oiuqwriuweuwr%oIUOw1@
  -> FPE: First Name: Uywjlqo, Last Name: Muwruwwbp, SSN: 253-67-2356, DOB: 01-02-1972
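The slide's claims for FPE (same format out as in, referential integrity, only applications that need the original value change) and the later "protected at source, from the field level" picture are easiest to see in working code. The block below is an added example, not HPE SecureData code and not the NIST FF1 algorithm: it is a small format-preserving Feistel network in the same shape as FF1 but with HMAC-SHA256 as the round function instead of FF1's AES-based PRF, so it runs with the Python standard library only. Like the slide, it keeps the dashes and the last four digits of the SSN and encrypts the rest; the demo key, the field tweaks and the record-protection function are assumptions for the example, and the sample record is the one on the slide.

```python
import hashlib
import hmac
import re
import string

# Alphabets define the "format" that must survive encryption.
DIGITS = string.digits
LETTERS = string.ascii_letters

# Constructed demo key; a real deployment would obtain keys from a key server.
KEY = bytes(range(32))

# Sample record taken from the slide.
SAMPLE_RECORD = {"first_name": "Gunther", "last_name": "Robertson",
                 "ssn": "934-72-2356", "dob": "08-07-1966"}


def _num(s, alphabet):
    """Read s as a base-len(alphabet) integer, most significant symbol first."""
    n = 0
    for ch in s:
        n = n * len(alphabet) + alphabet.index(ch)
    return n


def _str(n, length, alphabet):
    """Inverse of _num: render n as exactly `length` symbols of the alphabet."""
    out = []
    for _ in range(length):
        n, r = divmod(n, len(alphabet))
        out.append(alphabet[r])
    return "".join(reversed(out))


def _round(key, tweak, i, half, modulus):
    """Keyed round function: HMAC-SHA256 over (tweak, round index, other half), reduced mod radix^m.
    Illustrative stand-in for FF1's AES-based PRF; the Feistel structure around it is the same."""
    mac = hmac.new(key, tweak + bytes([i]) + half.encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % modulus


def fpe_encrypt(key, plaintext, alphabet, tweak=b"", rounds=10):
    """Encrypt a string to another string of the same length over the same alphabet."""
    if len(plaintext) < 2 or any(ch not in alphabet for ch in plaintext):
        raise ValueError("need at least two symbols, all from the alphabet")
    radix = len(alphabet)
    u = len(plaintext) // 2
    v = len(plaintext) - u
    a, b = plaintext[:u], plaintext[u:]
    for i in range(rounds):
        m = u if i % 2 == 0 else v      # length of the half rewritten this round
        c = (_num(a, alphabet) + _round(key, tweak, i, b, radix ** m)) % radix ** m
        a, b = b, _str(c, m, alphabet)
    return a + b


def fpe_decrypt(key, ciphertext, alphabet, tweak=b"", rounds=10):
    """Undo fpe_encrypt by running the rounds backwards with subtraction."""
    radix = len(alphabet)
    u = len(ciphertext) // 2
    v = len(ciphertext) - u
    a, b = ciphertext[:u], ciphertext[u:]
    for i in reversed(range(rounds)):
        m = u if i % 2 == 0 else v
        c = (_num(b, alphabet) - _round(key, tweak, i, a, radix ** m)) % radix ** m
        a, b = _str(c, m, alphabet), a
    return a + b


SSN_RE = re.compile(r"^(\d{3})-(\d{2})-(\d{4})$")


def protect_ssn(key, ssn):
    """Encrypt the first five digits; keep the dashes and the last four, as the slide's example does."""
    m = SSN_RE.match(ssn)
    if not m:
        raise ValueError("expected NNN-NN-NNNN")
    digits = "".join(m.groups())
    head = fpe_encrypt(key, digits[:5], DIGITS, tweak=b"ssn")
    return f"{head[:3]}-{head[3:]}-{digits[5:]}"


def unprotect_ssn(key, token):
    """Reverse protect_ssn for an application that needs the original value."""
    m = SSN_RE.match(token)
    if not m:
        raise ValueError("expected NNN-NN-NNNN")
    digits = "".join(m.groups())
    head = fpe_decrypt(key, digits[:5], DIGITS, tweak=b"ssn")
    return f"{head[:3]}-{head[3:]}-{digits[5:]}"


def protect_record(key, record):
    """Field-level protection at ingest: sensitive fields are transformed, the rest passes through."""
    return {
        "first_name": fpe_encrypt(key, record["first_name"], LETTERS, tweak=b"first_name"),
        "last_name": fpe_encrypt(key, record["last_name"], LETTERS, tweak=b"last_name"),
        "ssn": protect_ssn(key, record["ssn"]),
        "dob": record["dob"],   # dates need a domain-aware encoding; left in the clear in this example
    }


if __name__ == "__main__":
    protected = protect_record(KEY, SAMPLE_RECORD)
    print(protected)                              # same shapes as the input, different values
    print(unprotect_ssn(KEY, protected["ssn"]))   # 934-72-2356
```

Because the transform is a deterministic keyed permutation, the same SSN always maps to the same token (referential integrity across tables and joins), two different SSNs can never collide, and downstream schemas, regexes and column widths keep working unchanged; only the application that calls `unprotect_ssn` needs the key.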
Five Innovative Technologies
Format-Preserving Encryption (FPE), Secure Stateless Tokenization (SST), Identity-Based Encryption (IBE), Page-Integrated Encryption (PIE), and Stateless Key Management
HPE and Standards – standards are important to HPE, a core value.
HPE Format-Preserving Encryption is a recognized NIST standard (AES FF1). This is important to customers who want to comply with standards.
Pre-breach: all applications and users have access to data
(Diagram: Analysts, Help Desk, DBAs, Malicious User; HR Application, ETL Tool, Mainframe App/Transaction processing, Malware; numerous PII types)
After: data is protected at source, from the field level
(Diagram: Analysts, Help Desk, DBAs, Malicious User; HR Application, ETL Tool, Transaction Processing App, Malware; numerous PII types)
Data protection with HPE FPE and HPE SST
– Guaranteed referential integrity or fully randomized output by policy
– Enables data protection and data de-identification from one framework
– Can be used to generate test data for QA, training, etc.
(Diagram: FPE and SST applied field by field across numerous PII types)
Certified on multiple technology platforms: SaaS & PaaS cloud apps, Mainframe, BigInsights
Deployment Options for HPE SecureData – seamless integration options

Layer | Support | Typical Time to Deploy | Security Profile
Application | Native APIs + WS API | Hours/days per app + QA | Data in use and at rest, in motion
Middleware | MQ + WS API | Hours/days per queue + QA | Data in motion, at rest
Database | Standard DB tools, PL/SQL, Triggers/Views | Hours/days per app + QA | Data at rest, partial in motion, use
Structured Files | Batch tools | Hours | Data at rest, in motion, in use
Unstructured Bulk Files | Batch tools | Hours | Data at rest, in motion
Storage | All of the above + Enterprise Key Management for Servers and Storage | Days | Data is already protected with HPE FPE/HPE SST; HP SecureStorage protects all other data at rest (volumes); ESKM protects keys
Use Case: Embracing IoT analytics for new risk insights and customer behavior analysis from Big Data lakes
34 Company Proprietary - For Executive Briefing
Use case: Big Data – Global financial services company
‒ Customer is rapidly moving to adopt open source storage and data analysis platforms
‒ Use cases: fraud detection; 360-degree customer view and behavior (for marketing, to provide more relevant marketing); creating data sets or reports to sell or provide to other companies; financial modeling
‒ Invested in multiple data warehouse and big data platforms
‒ Using complex ETL tools to import data into Hadoop from sources including mainframe, distributed databases, flat files, etc.
‒ Protection in Hadoop is the first step in an enterprise-wide data protection strategy
‒ Protect sensitive PCI and PII data as it is being imported into Hadoop. Fields protected include PAN, bank account, SSN, address, city, zip code, date of birth
‒ HPE Secure Stateless Tokenization (SST) offers PCI audit scope reduction for the Hadoop environment
‒ Fully integrated into Hadoop: Sqoop, MapReduce
‒ Central, extensible key and policy management, reporting via Management Console
‒ New customer insights from live data feeds, social networks, new method of fraud detection
31 Customer Confidential | Hewlett Packard Enterprise
Options for securing data in HPE Big Data Platforms

Diagram: data flows from Source Data and Applications into a Landing Zone (ETL and batch, with HPE SecureData), into HPE Vertica/Hadoop (HDFS) and HPE Haven under storage encryption (HPE SecureStorage), through Hadoop jobs and analytics, and out via an Egress Zone to BI Tools and Downstream Applications. HPE SecureData interface points are numbered 1 through 7 on the diagram.
Legend: Standard Application; Application with HPE SecureData Interface Point; Unprotected Data; De-Identified Data
Use Case: Internet of Things – Connected Cars – Big Data Analytics & Risk: Protecting PII data for analytics at scale
• Enable new high-scale "EDW 2.0" – 2Bn events/day
• Handling multiple types of sensitive data (PII, machine data)
• Protect data in Hadoop, Teradata, DataStage and Cognos
• Ingest real-time data from vehicles & 3rd-party data
• Analyze faults to detect recall requirements and affected vehicles, predict vehicle behavior
• HPE SecureData with HPE Format-Preserving Encryption
• Utilize Flume to protect incoming real-time data feeds
• De-identify data within Sqoop from internal data sources
• Re-identify data within Hadoop, Teradata, DataStage and Cognos
• Vehicle data feeds from cars
• 3rd-party data feeds (accident records, global dealership)
• Data scientists can operate on protected data
• Enabled deeper Hadoop adoption for least cost
• Consumer PII is protected throughout the analytics process
• Sensitive information such as VIN, phone numbers, addresses, etc.
• Analytics are done on de-identified data, not exposing customers
IoT Data Security – Connected Car – Big Data primary data flow

Diagram: sensitive structured sources and sensitive structured data enter through Hadoop Edge Nodes running HPE SecureData Hadoop Tools into the Hadoop Cluster "landing zone" (MapReduce, Sqoop, Hive UDFs); "integration controls" run in IBM DataStage. HPE SecureData Key Servers & WS APIs serve the cluster, the Teradata EDW (UDFs), Cognos, and Analytics & Data Science (JDBC). Flume handles real-time ingest of ~2 billion real-time transactions/day. Other real-time data feeds: customer data from dealerships, manufacturers. Existing data sets and 3rd-party data, e.g. accident data.
Additional Use Case: Global Financial Services Company – Adopting Hadoop for analytical insights on Data
– Rapidly moving to adopt open source storage and real-time data analysis platforms
– Use cases: Fraud detection, AML, 360 degree view of customer, creating data sets to provide to 3rd parties and business lines
– Support data warehouse and big data tools
– Protect sensitive PCI and PII data ingested into Hadoop & Teradata.
– Data protected in real-time at ingestion through SecureData for Sqoop, MapReduce, and Informatica ETL
– Trusted users can dynamically access live data in BI tools
– Enables data scientists to operate on de-identified data – reduced risk
– Fields protected include PAN, Swift Codes, Bank Account, SSN, Address, City, Zip Code, DOB.
– SST for PCI audit scope reduction for Hadoop – saves cost/audit time
Inmar Video
Thanks Q&A