Don't Let Security Be The 'Elephant in the Room'
1. Don’t Let Security Be The ‘Elephant in the Room’
Enterprise Security for Big Data
Mitch Ferguson, VP Business Development, Hortonworks
Jeremy Stieglitz, VP Business Development, Voltage Security
8/5/2013
22. Don’t Let Security Be The ‘Elephant in the Room’
Enterprise Security for Big Data
Jeremy Stieglitz
23. Extracting Value from Data
Big Data Now Includes Sensitive Data
• Marketing – analyze purchase patterns
• Social media – find best customer segments
• Financial systems – model trading data
• Banking and insurance – 360 customer view
• Security – identify credit card fraud
• Healthcare – advance disease prevention
Copyright 2013 Voltage Security 23
How do you liberate the value in data – without increasing risk?
24. Hidden Risks in Big Data Adoption
Big Data
• Enables deeper data analysis
• More value from old data
• New risks if data is not protected
Data Concentration Risks
– Financial Positions
– Market Position
– Changes to big picture
– Corporate Compliance risk
Cloud Adoption Risks
– Sensitive data in untrusted systems.
– Data in storage, in use, transmitted to cloud.
Data Sharing Risks
– Compliance challenges with 3rd party risk
– Data in and out of the enterprise
Breach Risks
– Internal users
– External shares
– Backups, Hadoop stores, data feeds.
25. Data Security Approaches
IT Infrastructure Security
[Figure: security coverage by layer, with three areas marked "Security Gap"]
• Full disk encryption
• Transparent Database Encryption (TDE)
• SSL/TLS
• Authentication and Access Control
26. Data Security Approaches
IT Infrastructure Security
[Figure: security coverage by layer, with three areas marked "Security Gap"]
• Full disk encryption
• Transparent Database Encryption (TDE)
• SSL/TLS
• Authentication and Access Control
At one end of the figure:
• More keys
• More secure
• Less computation
• Application aware
At the other end:
• Fewer keys
• Less secure
• More computation
• Transparent
“Check box” encryption, available from cloud providers
27. Traditional IT Security vs. Data-centric security
Traditional IT Infrastructure Security
[Figure: security coverage by layer, with "Security Gap (Data in the Clear)" marked four times]
• Full disk encryption
• Transparent Database Encryption (TDE), triggers
• SSL/TLS/Firewalls
• Authentication and Access Control
Data-Centric Security
• Top down: Application-layer data protection provides seamless end-to-end data security
• Encrypt once, persistently protect from point of capture: in storage, in transit, in use
• If attacked, data has no value
28. Requirements for Big Data Security
Lock data in place
More keys to manage
Horizontal support to wherever your data travels
29. Data – structure, value, and meaning
Take a simple Tax ID. It’s more than just a number.
• It has a format and structure
• It has value in being unique
• Its parts have value – e.g. last 4 digits
30. Traditional Encryption Practically Eliminates Value in the Data
• Destroys the original value – makes data secure, but incompatible
• Changes format of data – requires schema changes
• Changes size of field – increases storage
• Always requires application and data flow changes: “Ripping up the Roads”
• Destroys any special encoding or checksums (Luhn checksum in credit cards, driver’s license checksums for certain states)
Tax ID: 934-72-2356 → AES-CBC → Encrypted Tax ID: uE28W&=209gX32F*52
31. Voltage Format-Preserving Encryption™ (FPE)
• Standard, proven mode of AES (NIST FFX mode – ask NIST)
• Encrypt at capture. Data stays protected at all times
• Fit into existing systems, protocols, schemas – any data
• Enable operation on encrypted data – retains the value of the original data
• Protect live data in applications & databases, business process or transactions
• Create de-identified data for test, cloud apps, outsourcers
• Can preserve validation checksums
Credit Card: 7412 3456 7890 0000
– Regular AES: 8juYE%Uks&dDFa2345^WFLERG
– FPE: 7412 3423 3526 0000
Tax ID: 934-72-2356
– Regular AES: Ija&3k24kQarotugDF2390^32
– FPE: 298-24-2356
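The contrast drawn on slides 30 and 31, as an added example that is not from the slides or from Voltage: a toy format-preserving cipher built as a Feistel network over decimal digits, with HMAC-SHA256 as the round function. It is not NIST FFX and not production cryptography; the names `fpe`, `_feistel`, `_prf`, `ROUNDS`, the sample key and the choice to use the kept digits as the tweak are assumptions made for illustration.

```python
import hashlib
import hmac

DIGITS = "0123456789"
ROUNDS = 10  # assumption for this sketch; even, so both halves end at their original widths


def _prf(key: bytes, tweak: bytes, rnd: int, half: str) -> int:
    """Round function: HMAC-SHA256 over round number, tweak and the untouched half."""
    msg = bytes([rnd]) + len(tweak).to_bytes(2, "big") + tweak + half.encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")


def _feistel(key: bytes, tweak: bytes, digits: str, decrypt: bool) -> str:
    """Alternating Feistel rounds using addition modulo 10**width, so output stays decimal."""
    u, v = len(digits) // 2, len(digits) - len(digits) // 2
    a, b = digits[:u], digits[u:]
    for i in (reversed(range(ROUNDS)) if decrypt else range(ROUNDS)):
        m = u if i % 2 == 0 else v  # width of the half rewritten in round i
        if decrypt:
            c, b = b, a
            a = f"{(int(c) - _prf(key, tweak, i, b)) % 10**m:0{m}d}"
        else:
            c = f"{(int(a) + _prf(key, tweak, i, b)) % 10**m:0{m}d}"
            a, b = b, c
    return a + b


def fpe(key: bytes, value: str, keep_last: int = 0, decrypt: bool = False) -> str:
    """Transform only the digits of value; separators and the last keep_last digits stay."""
    digits = "".join(ch for ch in value if ch in DIGITS)
    if not 0 <= keep_last <= len(digits) - 2:
        raise ValueError("at least two digits must remain to be encrypted")
    cut = len(digits) - keep_last
    body, tail = digits[:cut], digits[cut:]
    # Assumption: the clear tail doubles as the tweak, tying each result to its suffix.
    out = iter(_feistel(key, tail.encode(), body, decrypt) + tail)
    return "".join(next(out) if ch in DIGITS else ch for ch in value)


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample key, not a real secret
    for sample in ("934-72-2356", "7412 3456 7890 0000"):  # values shown on the slides
        protected = fpe(key, sample, keep_last=4)
        print(sample, "->", protected, "->", fpe(key, protected, keep_last=4, decrypt=True))
```

The output is deterministic for a given key and tail, which is what allows joins and lookups on protected values; short digit runs give a small domain that can be enumerated, so a sketch like this says nothing about the strength of a standardized mode.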
32. Stateless Key Management
Keys when you need them, not when you don’t.
• Keys derived on the fly
• Simple - lower risk, lower cost
• Scale to millions of users
• Keys don’t stay resident
• Standards Based
• FPE/AES Symmetric keys
• Structured and unstructured data
Identity Based Encryption IEEE 1363.3
33. High-performance Data Security
Voltage SecureData™ for Hadoop
Hadoop ecosystem: ETL tools, HIVE, MapReduce jobs, other query and analysis tools
34. Three Insertion Points into Hortonworks Data Platform (HDP)
#1. Upon Ingest: APIs, CL, Batch tools for ETL, SQOOP, Streaming, etc.
35. Three Insertion Points into Hortonworks Data Platform (HDP)
#2. Executed as Map Job
36. Three Insertion Points into Hortonworks Data Platform (HDP)
#3. UDFs for PIG, Hive, etc.
37. Benefits of Voltage SecureData
• Solves complex global compliance issues
• Ensures data stays protected wherever it goes
• Enables accurate analytics on encrypted data
• Optimizes performance
• Flexibly adapts to the fast-growing Hadoop ecosystem
• Delivers maximum return on information – without increased risk
38. Use Case: Fortune 50 Healthcare Products and Services Company
• Challenge
– Sell new information-based services to medical suppliers & drug companies
– Big Data team tasked with securing 1000-node Hadoop cluster for HIPAA, HITECH
• Solution
– Data de-identified in ETL move before entering Hadoop
– Ability to decrypt analytic results when needed, through multiple tools
• Benefits
– Ability to monetize existing medical data, and fine-tune manufacturing and marketing
39. Use Case: Banking
Top Worldwide Financial Institution
• Challenge
– Credit risk and consumer fraud groups
– PCI compliance is #1 driver
– ETL offload use case with Hadoop alongside DW
• Solution
– Integrate with Sqoop on ingestion, and Hive and Pig on the applications / query side to protect 20 types of data
– Fraud analysts work with SST tokenized credit card numbers and only de-tokenize as needed
• Benefits
– Enable fraud and risk analytics directly in Hadoop on protected data
– Use Hadoop processing with security and compliance for faster time to insight