Learn how security in Hadoop is quickly changing, and what the key requirements are for making Hadoop compliance-ready.

1. Compliance-Ready Hadoop
Comprehensive Security for the Enterprise

2. ©2014 Cloudera, Inc. All rights reserved.
How can we correlate organized activity on millions of accounts all over the world
over months or years, and detect that it’s fraudulent?
You live in San Francisco.
Did you really buy a new boat in Alabama yesterday?

3. Which technologies actually improve patient health?
What’s our budget for new equipment?
©2014 Cloudera, Inc. All rights reserved.

4. Which one of these people is likely to be carrying a bomb?
Do you have liquids in your carry-on?
©2014 Cloudera, Inc. All rights reserved.

5. Trusted Data Zone
Sensitive Data, Critical Applications
Hadoop “Data Lake” or Sandbox
New Data Sources, Non-Critical Applications
RDBMS
©2014 Cloudera, Inc. All rights reserved.
Hadoop is at risk of becoming another silo

6. ©2014 Cloudera, Inc. All rights reserved.
Cloudera’s Vision for Hadoop Security
Compliance-Ready
Comprehensive
Transparent
• Standards-based Authentication
• Centralized, Granular Authorization
• Native Data Protection
• End-to-End Data Audit and Lineage
• Meet compliance requirements
• HIPAA, PCI-DSS, …
• Encryption and key management
• Security at the core
• Minimal performance impact
• Compatible with new components
• Insight with compliance

7. ©2014 Cloudera, Inc. All rights reserved.
Key Requirements for Security in Hadoop
Perimeter
Guarding access to the
cluster itself
Technical Concepts:
Authentication
Network isolation
Data
Protecting data in the
cluster from
unauthorized visibility
Technical Concepts:
Encryption, Tokenization,
Data masking
Access
Defining what users
and applications can do
with data
Technical Concepts:
Permissions
Authorization
Visibility
Reporting on where
data came from and
how it’s being used
Technical Concepts:
Auditing
Lineage

8. ©2014 Cloudera, Inc. All rights reserved.
Key Requirements for Security in Hadoop
Perimeter
Guarding access to the
cluster itself
Technical Concepts:
Authentication
Network isolation
Data
Protecting data in the
cluster from
unauthorized visibility
Technical Concepts:
Encryption, Tokenization,
Data masking
Access
Defining what users
and applications can do
with data
Technical Concepts:
Permissions
Authorization
Visibility
Reporting on where
data came from and
how it’s being used
Technical Concepts:
Auditing
Lineage
Kerberos | AD/LDAP
Today: First to market with Kerberos authentication
Roadmap: Fully automated Kerberos that leverages existing
active directory environment

9. ©2014 Cloudera, Inc. All rights reserved.
Key Requirements for Security in Hadoop
Perimeter
Guarding access to the
cluster itself
Technical Concepts:
Authentication
Network isolation
Data
Protecting data in the
cluster from
unauthorized visibility
Technical Concepts:
Encryption, Tokenization,
Data masking
Kerberos | AD/LDAP
Access
Defining what users
and applications can do
with data
Technical Concepts:
Permissions
Authorization
Sentry
Visibility
Reporting on where
data came from and
how it’s being used
Technical Concepts:
Auditing
Lineage
Cloudera Navigator
Data
Protecting data in the
cluster from
unauthorized visibility
Technical Concepts:
Encryption, Tokenization,
Data masking
Encrypt | Key Trustee
Today: Unified authorization for Hive,
Impala, & Search through
Apache Sentry
Roadmap: Unified authorization across
all access paths to data and
metadata—Apache Sentry
expansion

10. ©2014 Cloudera, Inc. All rights reserved.
Key Requirements for Security in Hadoop
Perimeter
Guarding access to the
cluster itself
Technical Concepts:
Authentication
Network isolation
Data
Protecting data in the
cluster from
unauthorized visibility
Technical Concepts:
Encryption, Tokenization,
Data masking
Kerberos | AD/LDAP
Access
Defining what users
and applications can do
with data
Technical Concepts:
Permissions
Authorization
Sentry
Visibility
Reporting on where
data came from and
how it’s being used
Technical Concepts:
Auditing
Lineage
Cloudera Navigator
Data
Protecting data in the
cluster from
unauthorized visibility
Technical Concepts:
Encryption, Tokenization,
Data masking
Encrypt | Key Trustee
Today: First in the market with
centralized audit capabilities
Roadmap: Extend capabilities to
cover more workloads
including Spark

11. ©2014 Cloudera, Inc. All rights reserved.
• Data encryption and key management since 2010
• Security: Singular product focus and a pillar of company culture.
Security is at the front of everything we do
• Big Data Expertise: While other security vendors retrofit their
solutions for big data, Gazzang’s solutions are designed for the
specific demands of Hadoop and NoSQL systems
• Customer Success: Nearly 200 paying customers including
several in the Fortune 1000
• Named a 2014 Cool Vendor in Big Data by Gartner
Gazzang Joins the Cloudera Family

12. ©2014 Cloudera, Inc. All rights reserved.
Meeting HIPAA and PCI Compliance
• State-run health exchange in the midwest
• Using Cloudera to log, track and run analytics
on interactions between case workers and
consumers
• The ability to drive data privacy and HIPAA
compliance on Hadoop were critical
requirements and key factors in the
selections of Cloudera and Gazzang
• Surprised by the performance and ease of use
• Financial services company known for wire transfers
wanted to get to know its customers better in an effort
to improve service and sniff out fraud
• Massive amount of personal and PCI data collected, the
company is encrypting everything in its Hadoop cluster
• Data is segregated with Apache Sentry (incubating) and
Kerberos, monitored by Cloudera Navigator and
encrypted by Gazzang
• Key manager and process-based ACL’s enable separation
of keys and data based on “business need to know”

13. Hadoop Security Challenges
©2014 Cloudera, Inc. All rights reserved.
• We can ensure sensitive data and
encryption keys are never stored in
plain text nor exposed publicly
• We can enable compliance (HIPAA,
PCI-DSS, SOX, FERPA, EU data
protection) initiatives that require
at-rest encryption and key
management
“I need to meet
[insert acronym here]
compliance”

14. ©2014 Cloudera, Inc. All rights reserved.
• When thinking about compliance, consider the following:
• Are your encryption processes (algorithm, key length) consistent with NIST
Special Publication 800-111?
• Are the encryption keys stored on a separate device or location from the
encrypted data?
• What kind of authentication and access controls are enforced?
• Is the data secured in a manner that would enable you to claim “safe harbor”
in the event of a breach?
• Do the crypto modules meet FIPS 140-2 certification?
• Can you account for all the sensitive data that may fall under compliance
scope?
Not all Data Security is Created Equal

15. Key Components of PCI-DSS
Customer
Cloudera Navigator
Requirement
Encrypt Sentry Kerberos Core
✔ Install and maintain a firewall
✔ Do not use vendor-supplied defaults
✔ ✔ Protect stored cardholder data
✔ Encrypt transmission of cardholder data across open, public networks
✔ Use and regularly update anti-virus software
✔ ✔ Develop and maintain secure systems and applications
✔ ✔ Restrict access to cardholder data by business need-to-know
✔ Assign a unique ID to each person with computer access
✔ Restrict physical access to cardholder data
✔ Track and monitor all access to network resources and cardholder data
✔ Regularly test security systems and processes
✔ ✔ Maintain a policy that addresses information security
https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf

16. Key Components of HIPAA
Ref: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf
Customer
Cloudera Navigator
Requirement
Encrypt Sentry Kerberos
✔ Unique User Identification: Assign a unique name and/or number for identifying and tracking user identity.
✔ Emergency Access Procedure: Establish procedures for obtaining necessary ePHI during an emergency.
✔
Automatic Logoff: Implement electronic procedures that terminate an electronic session after a
predetermined time of inactivity.
✔ Encryption and Decryption: Implement a mechanism to encrypt and decrypt ePHI.
✔ ✔ ✔
Implement hardware, software, and/or procedural mechanisms that record and examine activity in
information systems that contain or use ePHI.
✔
Mechanism to Authenticate ePHI: Implement electronic mechanisms to corroborate that ePHI has not been
altered or destroyed in an unauthorized manner.
✔
Authentication: Implement procedures to verify that a person or entity seeking access to ePHI is the one
claimed.
✔
Transmission Security - Integrity Controls: Implement security measures to ensure that electronically
transmitted ePHI is not improperly modified without detection until disposed of.
✔
Transmission Security – Encryption: Implement a mechanism to encrypt ePHI whenever deemed appropriate

17. Hadoop Security Challenges
©2014 Cloudera, Inc. All rights reserved.
“I want security
that won’t impose
a harsh penalty”
• We provide a transparent layer
between the application and file
system that dramatically reduces
performance impact of encryption
• We can make sure only
applications that need access
to plaintext data will have it

18. Hadoop Security Challenges
©2014 Cloudera, Inc. All rights reserved.
“It’s critical that no
unauthorized parties
can access my data”
• Navigator encrypt can prevent
admins and super users from
accessing sensitive data
• You can establish a variety of key
retrieval policies that dictate who or
what can access the secure artifact

19. ©2014 Cloudera, Inc. All rights reserved.
Navigator Encrypt
Navigator encrypt provides transparent
encryption for Hadoop data as it’s
written to disk
• AES-256 encryption for HDFS data,
Hive metadata, log files, ingest paths, etc...
• Process-based ACLs
• High-performance optimized on Intel
• Fast, easy deployment with Cloudera Parcel
• Enterprise scalability
• Keys protected by Navigator key trustee

20. Hadoop Security Challenges
©2014 Cloudera, Inc. All rights reserved.
“I need a centralized
way to manage all my
hadoop security
artifacts”
• Navigator key trustee provides
cluster-level security, managing
the growing volumes of Hadoop
encryption keys, certificates,
passwords
• We can help you bring sensitive
digital artifacts under a consistent
set of controls and policies

21. ©2014 Cloudera, Inc. All rights reserved.
Navigator key trustee is a “virtual safe-deposit box” for managing
encryption keys or any other Hadoop security artifact
Navigator Key Trustee
• Separates keys from encrypted data
• Centralized management of SSL certificates,
SSH keys, tokens, passwords, kerberos keytab
files and more
• Unique “trustee” and machine-based policies
deliver multifactor authentication
• Integration with HSMs from Thales, RSA and
SafeNet

22. ©2014 Cloudera, Inc. All rights reserved.
Cluster-level security
• Transparent protection
for all data and metadata
• Enterprise Key
Management for all
Hadoop encryption keys

23. ©2014 Cloudera, Inc. All rights reserved.
Introducing the Cloudera Center for Security Excellence
• Based in Austin, Texas
• Comprehensive data and
cluster security technologies
• Hadoop security test and
certification lab
• Security ecosystem partner
enablement
• Intel chipset, cloud and
virtualization security
alignment
`

24. ©2014 Cloudera, Inc. All rights reserved.
Key Requirements for Security in Hadoop
Perimeter
Guarding access to the
cluster itself
Technical Concepts:
Authentication
Network isolation
Data
Protecting data in the
cluster from
unauthorized visibility
Technical Concepts:
Encryption, Tokenization,
Data masking
Kerberos | AD/LDAP
Access
Defining what users
and applications can do
with data
Technical Concepts:
Permissions
Authorization
Sentry
Visibility
Reporting on where
data came from and
how it’s being used
Technical Concepts:
Auditing
Lineage
Cloudera Navigator
Data
Protecting data in the
cluster from
unauthorized visibility
Technical Concepts:
Encryption, Tokenization,
Data masking
Encrypt | Key Trustee
Today: Transparent Encryption + Enterprise Key Management +
Partner solutions
Roadmap: Transparent Encryption for HDFS
(includes work-through Project Rhino)
+ Enterprise Key Management

25. ©2014 Cloudera, Inc. All rights reserved.
Result: Cloudera is the most secure Hadoop platform
Perimeter
Guarding access to the
cluster itself
Technical Concepts:
Authentication
Network isolation
Data
Protecting data in the
cluster from
unauthorized visibility
Technical Concepts:
Encryption, Tokenization,
Data masking
Kerberos | AD/LDAP
Access
Defining what users
and applications can do
with data
Technical Concepts:
Permissions
Authorization
Sentry
Visibility
Reporting on where
data came from and
how it’s being used
Technical Concepts:
Auditing
Lineage
Cloudera Navigator
Data
Protecting data in the
cluster from
unauthorized visibility
Technical Concepts:
Encryption, Tokenization,
Data masking
Encrypt | Key Trustee

26. Batch
Processing
Analytic
MPP SQL
Search
Engine
Machine
Learning
Stream
Processing
End-to-End, Zero-Downtime System Administration
Workload & Resource Management
3rd Party
Apps
Distributed Filesystem Online NoSQL Database
Access Control
Authorization
Perimeter
Authentication
Data Protection
Encryption,
Key Management
Data Lifecycle
BDR, Snapshots
Data Visibility
Audit, Lineage
ANALYTIC &
PROCESSING
ENGINES
SYSTEMS
MANAGEMENT
UNIFIED DATA
STORAGE &
INTEGRATION
SECURITY &
GOVERNANCE
CLOUDERA ENTERPRISE Comprehensive, Transparent, Compliance-Ready Security
©2014 Cloudera, Inc. All rights reserved.

27. ✔ Meet compliance requirements
✔ Innovate without compromise
✔ Comprehensive security for all data
©2014 Cloudera, Inc. All rights reserved.

28. • cloudera.com/security
• Hear more in the series:
• Deep dive on Kerberos and perimeter protection
• Encryption and key management
• Sentry and auditing
• Look for more info on the series in our follow up email
Learn More

29. ©2014 Cloudera, Inc. All rights reserved.
Thank you!