Data Security - Big Data Everywhere

Data Security
as a Business Enabler – Not a Ball & Chain
Big Data Everywhere
May 21, 2015
Les McMonagle
Protegrity - Director Data Security Solutions
Les has over twenty years experience in information
security. He has held the position of Chief Information
Security Officer (CISO) for a credit card company and
ILC bank, founded a computer training and IT
outsourcing company in Europe and helped several
security technology firms develop their initial product
strategy.
Les founded and managed Teradata’s Information
Security, Data Privacy and Regulatory Compliance
Center of Excellence and is currently Director of Data
Security Solutions for Protegrity.
Les holds a BS in MIS, CISSP, CISA, ITIL and other
relevant industry certifications.
Les McMonagle (CISSP, CISA, ITIL)
Mobile: (617) 501-7144
Email:[email protected]
2
The Problem . . .
The cost of cybercrime is staggering:
3
• 
The annual cost to the global economy is in excess of $400 billion/year.
• 
Businesses that are victims of cybercrime need an average of 18 days to
resolve the problem and suffer average costs of over $400K.
• 
The tangible and intangible costs associated with some of the recent
high-profile cases exceeds $400M.
• 
Traditional network security, firewalls, IDS, SIEM, AV and monitoring
solutions do not offer the comprehensive security needed to protect the
target data against current, new and evolving threats.
Typical Phases of an Attack
4
http://eval.symantec.com/mktginfo/enterprise/white_papers/b-anatomy_of_a_data_breach_WP_20049424-1.en-us.pdf
Factors to Consider
"   Bad guys search for the easy targets
•  Large repositories of valuable, un-protected data
•  Systems with weaker controls and/or more access paths
•  Financial Data or Personally Identifiable Information (PII)
"   Blurring or Network Boundaries
•  Where does your company network end and another begin?
•  BYOD
•  Cloud
•  IoT (Internet of Things)
"   Insider threats remain the biggest threat
"   Advanced Persistent Threats (APTs)
•  Coordinated, comprehensive attack strategies
5
Types of Sensitive Data Potentially Stored in Hadoop
Credit
Card
PAN
SSN
DOB
Bank
Account
Numbers
Customer Lists
PIN
Best Practices
Pending
Patents
Trade
Secrets
Health
History
Order History
Health
Records
Accounts
Receivable
Accounts
Payable
Production Planning
Prescriptions
Employee
Personnel
Records
6
Home
Addresses
Location Data
Passwords
Sales Forecasts
Payroll Data
R&D
Customer
Contact
Information
Income Data
Salary Data
Project
Plans
What to do about it
"   Engage Information Security
"   Work with Legal and Compliance
"   Establish Good Data Governance Program
"   Adhere to generally accepted privacy principles *
"   Apply consistent protection throughout the data flow
"   Limit access on a Need-to-Know basis
"   Protect the actual data itself (regardless of where it is)
"   De-Identify data ─ without losing analytics value
7
* See reference slide(s) at end of presentation
Engage InfoSec, Legal, Compliance, Privacy
"   Engage Information Security – rather than avoid them
"   CISO’s and InfoSec ultimately have the same goals
"   Will help fund and implement effective data protection
"   Legal, Privacy and Compliance
•  Identify/interpret regulatory and compliance requirements
•  Helping protect the business by identifying risks to consider
•  Incorporate generally accepted Privacy Principles*
8
* See reference slide(s) at end of presentation
Data Governance Program
"   Establish good data governance program
•  Identified Data Owners
•  Identified Data Stewards
•  Identified Data Custodians
•  RACI – Roles and Responsibilities
"   Data Governance subject areas
•  Data Ownership
•  Data Quality
•  Data Integration
•  Metadata Management
•  Master Data Management
•  Data Architecture
•  Data Security & Privacy
9
Protect sensitive data consistently wherever it goes
At Rest
In Transit
In Use
Ideally with a single, centralized enterprise solution
10
What Data to Tokenize or Encrypt ?
"   Important questions to ask . . .
•  What policy and regulatory compliance requirements apply?
•  What risks must be mitigated?
•  How/Why are protected columns accessed/used?
•  What other mitigating controls are available?
•  Appropriate balance between business and data privacy/security?
•  When is Tokenization or Encryption most appropriate?
"   Utilization and access control limitations of Hadoop / Hive
"   Alternative protection options to consider
•  Full Disk Encryption (FTE)
Important Data Security Architecture Questions
To Encrypt or Tokenize . . . This is the Question
Tokenization
Encryption
SSN
PIN, CID, CV2
Password
Large - Field Size relative to width of lookup table - Small
CC-PAN
More -
X-Ray
Structured
-
Less
Cat Scan
Healthcare Records
More -
Logic in portions of the data element
Patient ID #
Less -
HIV-Pos*
-
Less
Diagnosis
report
Bank Acct No.
Percent of Access Requiring Clear Text - More
Customer ID #
DOB
Increasing
Data
Sensitivity
* With Initialization Vector (IV)
Potential Additional Controls to Consider
"   Tokenization or Encryption farther upstream in Data Flow
"   Do not load unnecessary regulated data to Hadoop
"   Access Hadoop Hive Tables through Teradata (QueryGrid)
"   HDFS file-level access control
" Accumulo cell level access control (Row/Column intersection)
"   Knox Gateway (authentication for multiple Hadoop clusters)
"   Coarse grained HDFS File Encryption
" XASecure (now HDP Advanced Security)
" Ambari (Hadoop Cluster Management)
"   Kerberos (Authentication) – all or nothing
Piecemeal independent security tools for Hadoop
Reduce your Exposure and Risk
Population of users who have
access to SSN today
SSN
Token
Population of users
who can perform
their job function
with only the last 4
digits of the SSN
Vaultless Tokenization is a form of
data protection that converts sensitive
data into fake data. The real data can
be retrieved only by authorized users.
SSN
Last 4 Digits
Often a more usable form of protection
than encryption.
SSN
Full
Population of users who need
access to the full SSN to
perform their job function
Improve Security Posture Without Impacting Analytics Value
14
What to look for in a good Enterprise Solution
Critical core requirements:
v  A single solution that works across all core platforms
v  Scalable, centralized enterprise class solution
v  Segregation of duties between DBA and Security Admin
v  Good Encryption Key or Token Lookup Table management
v  Data layer solution
v  Tamper-proof audit trail
v  Transparent (as possible) to authorized end-users
v  High Availability (HA)
v  Optional in-database versus ex-database encryption/tokenization
15
Other "nice to have" features
"   Flexible protection options (Encrypt, Tokenize, DTP/FPE, Masking)
"   Broadest possible support for a range of data types
"   Built in DR, Dual Active, Key and system recovery capability
"   Minimal performance impact to applications/end users
"   Optimized operations to minimize CPU utilization
"   Proven Implementation methodology
"   PCI-DSS compliant solution (meeting all relevant requirements)
"   Deep partnership with Teradata and other database providers
"   Minimal impact on system upgrades
"   Maintain consistent referential integrity and indexing capability
"   Low Total Cost of Ownership (TCO)
16
What to look for in a good solution for Hadoop
"   Course Grained and Fine Grained Protection Capability
•  HDFS File Encryption, Multi-Tennant File Encryption, HDFS FP (HDFS Codec)
• 
Column/Field Level “Fine Grained” Protection
"   Multi-Tennant Row Level Protection
• 
Allow authorized users access to specific rows only
• 
Unprotect columns for authorized users only
"   Heterogeneous Protection Capabilities
• 
Protect Upstream sources of data and Downstream targets of data
• 
Vaultless Tokenization, often less intrusive than encryption, reversible protection
•  Reversible – where masking is not
• 
Deployed on the (Data) Nodes
•  Leverage MPP architecture of Hadoop
•  Avoid Appliance based solutions that can slow down Hadoop
"   Tokenization capability for Hive access to HDFS Files/Tables
• 
17
Hive does not support VarByte data type (Encryption = Binary Ciphertext)
Hadoop security controls are playing catch-up
Traditional RDBMS
Firewalls, IDS/IPS
Hadoop (Fewer Layers)
Firewalls, IDS/IPS
Authentication (Kerberos)
Authorization
Authentication (Kerberos)
Future ?
RBAC
(Accumulo, Knox)
RLS
CLS
Audit
Hive
HDFS
RDBMS
Encrypt
Tokenize
Heavier reliance on Tokenization with Hadoop
18
Tokenize
Only
Granularity of Protecting Sensitive Data
Coarse Grained
Protection
(File/Volume)
Fine Grained
Protection
(Data/Field)
•  Methods: File or Volume encryption
•  Operates at the individual field level
•  “All or nothing” approach
•  Fine Grained Protection Methods:
•  Vaultless Tokenization
•  Masking
•  Encryption (Strong, Format Preserving)
•  Does NOT secure file contents in use
•  OS File System Encryption
•  Data is protected in use and wherever it goes
•  HDFS Encryption
•  Business logic can be retained
•  Secures data at rest and in transit
Data Security Platform
Applications
RDBMS
Audit
Log
Audit
Log
Enterprise
Security
Administrator
EDW
Audit
Log
Policy
Big Data
Audit
Log
File and Cloud
Gateway
Servers
IBM MainframeAudit
Protector Log
20
Audit
NetezzaLog
Audit
Log
File Servers
Protegrity Confidential
Protection
Servers
Protegrity’s Big Data Protector for Hadoop
Hadoop Node
Hadoop Cluster
Hive
Policy
Pig
Other
MapReduce
YARN
HBase
Audit
HDFS
OS File System
"   Protegrity Big Data Protector for Hadoop delivers protection at every node
and is delivered with our own cluster management capability.
"   All nodes are managed by the Enterprise Security Administrator that delivers
policy and accepts audit logs
"   Protegrity Data Security Policy contains information about how data is deidentified and who is authorized to have access to that data.
"   Policy is enforced at different levels of protection in Hadoop.
21
Rich Security Layer over the Hadoop Ecosystem
•  UDF Support for Pig
•  UDF Support for Hive
•  Hive - Tokenization
•  Java API Support for MapReduce
•  Hbase - Coprocessor support via UDFs
•  Cassandra – UDT
•  HDFS Encryption through the HDFS Codec
•  HDFS Commands Extended for Security Functions
•  HDFS Interface for Java Programs
•  De-identify before Ingestion into HDFS
•  OS File System Encryption; Folder/File or Volume
22
Pig / Hive
MapReduce
YARN
HBase
HDFS
File
System
Coarse Grained Protection: File / Volume Encryption
All fields are in the
clear
All fields are in
the clear
Pig / Hive
MapReduce
YARN
HBase
HDFS
File
with identifiable
Entire
File is
data
elements
Encrypted
File
System
Volume encryption option will encrypt the
entire volume versus the files themselves.
23
Coarse Grained with HDFS Staging Area
Pig / Hive
MapReduce
Jobs
MapReduce
YARN
HBase
HDFS
Ingest into HDFS
Staging Area
File
System
24
Coarse Grained Multi-Tenant Protection
Pig / Hive
MapReduce
YARN
HBase
T1
T1 folder
T2
25
T3 folder
clear folder
HDFS
Ingest into HDFS
Key 1
T3
T2 folder
Key 2
Key 3
File
System
Fine Grained Protection
Production Systems
Encryption
•  Reversible
•  Policy Control (authorized / Unauthorized Access)
•  Lacks Integration Transparency
•  Not searchable or sortable
•  Complex Key Management
•  Example: !@#$%a^.,mhu7///&*B()_+!@
Vaultless Tokenization / Pseudonymization
•  Reversible
•  Policy Control (Authorized / Unauthorized Access)
or
•  Not Reversible
•  No Complex Key Management
In either case
•  Integrates Transparently
•  Searchable and sortable
•  Business Intelligence: 0389 3778 3652 0038
Non-Production Systems
Masking
•  Not reversible
•  No Policy, Everyone Can Access the Data
•  Integrates Transparently
•  No Complex Key Management
•  Example: Date of Birth 2/15/1967 masked as xx/xx/1967
Protegrity Confidential
Enterprise-wide Protection
Source Systems
(Internal / External)
Consumption BI Systems
Target Systems
(Internal / External)
Input File
Source
FPG
Node
Node
Node
Input File
Source
Ecosystem Components
Pig
ETL
Hive
MapReduce
YARN
HBase
Database Server
HDFS
Database
Protector
Database
Sqoop
OS FS
Edge Node
Java
Program
File
Protector
Application
Protector
If Edge Node is a Hadoop Node,
Hadoop resources can be used
ESA
Policy Deployment
Audit Collection
Downstream Systems
Traditional IT Environment: Protegrity Protection
Typical Enterprise Today
Internet
Inside the Firewall
Apps
EDW
Files
DBs
Hadoop
Apps
Arch
028
Protegrity Confidential
Today’s IT Environment: Protegrity Protection
Typical Enterprise Today
Internet
Inside the Firewall
Apps
Cloud
Protector
Gateway
Files
Files
DBs
File
Protector
Gateway
EDW
Apps
Arch
029
ESA
Protegrity Confidential
Hadoop
HG Apps
Summarize what to do
"   Establish Good Data Governance
"   Protect the actual data Itself
"   Maintain referential integrity
"   De-Identify data ─ while maintaining analytics capability
"   Apply consistent protection throughout the data flow
"   Engage Information Security, Legal and Compliance
Build security in rather than bolt it on later
30
Sign Up for a Free, Half-Day Risk Assessment Workshop
Protegrity is proud to offer free, half-day risk
assessment workshops designed to help companies
evaluate their security posture.
This is a no-obligation offer.
These workshops are a unique, low-cost opportunity
to gain valuable insight into where you stand from a
risk management perspective relative to your peers.
For more information or to schedule a free half-day workshop, please email: [email protected]
31
The End . . .
Q&A
Convergence of Data Privacy Regulations
•  Government and industry groups are regularly
releasing new data privacy laws, requirements,
recommendations
•  Each leverages the best of previous privacy laws and
discards what has proven not to work
•  New regulations and standards are converging on a
standard set of data privacy principles
•  The International Security, Trust and Privacy Alliance
(ISTPA) has published a comparison of leading privacy
Privacy Principles – One
1/2
"   Accountability – requires that the entity define, document, communicate,
and assign accountability for its privacy polices and procedures and be
accountable for PII under its control.
"   Notice – requires that the entity provide notice about its privacy policies and
procedures and identify the purpose for which personal information is
collected, used, retained, and disclosed.
"   Choice and Consent – requires that the entity describe the choices
available to the individual and obtain implicit or explicit consent with respect
to the collection, use, and disclosure of personal information.
"   Collection Limitation – requires that the entity collect personal information
only for the purposes identified in the notice.
"   Use Limitation – requires that the entity limit the use of personal information
to the purpose identified in the notice and for which the individual has
provided implicit or explicit consent.
Comparable lists from: International Security, Trust and Privacy Alliance (ISTPA)
Association of Insurance Compliance Professionals (AICP)
Privacy Principles – Two
2/2
"   Access – requires that the entity provide individuals with access to their
personal information for review and update.
"   Disclosure – requires that the entity disclose personal information to third
parties only for the purposes identified in the notice and only with the implicit
or explicit consent of the individual.
"   Security – requires that the entity protect personal information against
unauthorized access or alteration (both physical & logical).
"   Data Quality – requires an entity maintain accurate, complete, and relevant
personal information for the purposes identified in the notice.
"   Enforcement – requires that the entity monitor compliance with its privacy
policies and procedures and have procedures to address privacy-related
inquiries and disputes.
These must be captured in business/technical requirements
Plethora of Global Privacy Regulations
Legislation and Regulations
European Union – 95/46/EC Directive on Data Privacy
Germany – Federal Data Protection Act
Sweden – Personal Data Act
United Kingdom – Data Protection Act
Australia – Privacy Act
Japan – Personal Information Protection Act
United States – SOX, GLBA, HIPAA, COPPA, SB
1386
36