Comprehensive Hadoop Security for the Enterprise | Part I | Compliance Ready Hadoop
Learn how security in Hadoop is quickly changing, and what the key requirements are for making Hadoop compliance-ready.
Transcript of "Comprehensive Hadoop Security for the Enterprise | Part I | Compliance Ready Hadoop"

  1. Compliance-Ready Hadoop: Comprehensive Security for the Enterprise
  2. ©2014 Cloudera, Inc. All rights reserved.
     How can we correlate organized activity on millions of accounts all over the world over months or years, and detect that it’s fraudulent? You live in San Francisco. Did you really buy a new boat in Alabama yesterday?
  3. Which technologies actually improve patient health? What’s our budget for new equipment?
  4. Which one of these people is likely to be carrying a bomb? Do you have liquids in your carry-on?
  5. Hadoop is at risk of becoming another silo
     • Trusted Data Zone: sensitive data, critical applications (RDBMS)
     • Hadoop “Data Lake” or Sandbox: new data sources, non-critical applications
  6. Cloudera’s Vision for Hadoop Security: Compliance-Ready, Comprehensive, Transparent
     • Standards-based authentication
     • Centralized, granular authorization
     • Native data protection
     • End-to-end data audit and lineage
     • Meet compliance requirements (HIPAA, PCI-DSS, …)
     • Encryption and key management
     • Security at the core
     • Minimal performance impact
     • Compatible with new components
     • Insight with compliance
  7. Key Requirements for Security in Hadoop
     • Perimeter: guarding access to the cluster itself. Technical concepts: authentication, network isolation.
     • Data: protecting data in the cluster from unauthorized visibility. Technical concepts: encryption, tokenization, data masking.
     • Access: defining what users and applications can do with data. Technical concepts: permissions, authorization.
     • Visibility: reporting on where data came from and how it’s being used. Technical concepts: auditing, lineage.
  8. Key Requirements for Security in Hadoop (same four requirements as slide 7)
     • Perimeter: Kerberos | AD/LDAP
     • Today: first to market with Kerberos authentication
     • Roadmap: fully automated Kerberos that leverages the existing Active Directory environment
  9. Key Requirements for Security in Hadoop (same four requirements as slide 7)
     • Perimeter: Kerberos | AD/LDAP
     • Data: Encrypt | Key Trustee
     • Access: Sentry
     • Visibility: Cloudera Navigator
     • Today: unified authorization for Hive, Impala, and Search through Apache Sentry
     • Roadmap: unified authorization across all access paths to data and metadata (Apache Sentry expansion)
  10. Key Requirements for Security in Hadoop (same mapping as slide 9)
     • Today: first in the market with centralized audit capabilities
     • Roadmap: extend capabilities to cover more workloads, including Spark
  11. Gazzang Joins the Cloudera Family
     • Data encryption and key management since 2010
     • Security: singular product focus and a pillar of company culture. Security is at the front of everything we do.
     • Big Data expertise: while other security vendors retrofit their solutions for big data, Gazzang’s solutions are designed for the specific demands of Hadoop and NoSQL systems
     • Customer success: nearly 200 paying customers, including several in the Fortune 1000
     • Named a 2014 Cool Vendor in Big Data by Gartner
  12. Meeting HIPAA and PCI Compliance
     • State-run health exchange in the Midwest
     • Using Cloudera to log, track, and run analytics on interactions between case workers and consumers
     • The ability to drive data privacy and HIPAA compliance on Hadoop was a critical requirement and a key factor in the selection of Cloudera and Gazzang
     • Surprised by the performance and ease of use
     • Financial services company known for wire transfers wanted to get to know its customers better in an effort to improve service and sniff out fraud
     • Because a massive amount of personal and PCI data is collected, the company is encrypting everything in its Hadoop cluster
     • Data is segregated with Apache Sentry (incubating) and Kerberos, monitored by Cloudera Navigator, and encrypted by Gazzang
     • Key manager and process-based ACLs enable separation of keys and data based on “business need to know”
  13. Hadoop Security Challenges: “I need to meet [insert acronym here] compliance”
     • We can ensure sensitive data and encryption keys are never stored in plain text nor exposed publicly
     • We can enable compliance (HIPAA, PCI-DSS, SOX, FERPA, EU data protection) initiatives that require at-rest encryption and key management
  14. Not all Data Security is Created Equal. When thinking about compliance, consider the following:
     • Are your encryption processes (algorithm, key length) consistent with NIST Special Publication 800-111?
     • Are the encryption keys stored on a separate device or location from the encrypted data?
     • What kind of authentication and access controls are enforced?
     • Is the data secured in a manner that would enable you to claim “safe harbor” in the event of a breach?
     • Do the crypto modules meet FIPS 140-2 certification?
     • Can you account for all the sensitive data that may fall under compliance scope?
  15. Key Components of PCI-DSS (https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf)
     Table columns: Requirement | Customer | Cloudera Navigator | Encrypt | Sentry | Kerberos | Core. Each ✔ marks a column that covers the requirement; the column assignment of each mark is not recoverable from the transcript.
     ✔ Install and maintain a firewall
     ✔ Do not use vendor-supplied defaults
     ✔ ✔ Protect stored cardholder data
     ✔ Encrypt transmission of cardholder data across open, public networks
     ✔ Use and regularly update anti-virus software
     ✔ ✔ Develop and maintain secure systems and applications
     ✔ ✔ Restrict access to cardholder data by business need-to-know
     ✔ Assign a unique ID to each person with computer access
     ✔ Restrict physical access to cardholder data
     ✔ Track and monitor all access to network resources and cardholder data
     ✔ Regularly test security systems and processes
     ✔ ✔ Maintain a policy that addresses information security
  16. Key Components of HIPAA (Ref: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf)
     Table columns: Requirement | Customer | Cloudera Navigator | Encrypt | Sentry | Kerberos. As on slide 15, the column of each ✔ is not recoverable from the transcript.
     ✔ Unique User Identification: assign a unique name and/or number for identifying and tracking user identity.
     ✔ Emergency Access Procedure: establish procedures for obtaining necessary ePHI during an emergency.
     ✔ Automatic Logoff: implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
     ✔ Encryption and Decryption: implement a mechanism to encrypt and decrypt ePHI.
     ✔ ✔ ✔ Audit Controls: implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
     ✔ Mechanism to Authenticate ePHI: implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.
     ✔ Authentication: implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.
     ✔ Transmission Security, Integrity Controls: implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of.
     ✔ Transmission Security, Encryption: implement a mechanism to encrypt ePHI whenever deemed appropriate.
  17. Hadoop Security Challenges: “I want security that won’t impose a harsh penalty”
     • We provide a transparent layer between the application and the file system that dramatically reduces the performance impact of encryption
     • We can make sure only applications that need access to plaintext data will have it
  18. Hadoop Security Challenges: “It’s critical that no unauthorized parties can access my data”
     • Navigator Encrypt can prevent admins and superusers from accessing sensitive data
     • You can establish a variety of key retrieval policies that dictate who or what can access the secure artifact
  19. Navigator Encrypt: provides transparent encryption for Hadoop data as it’s written to disk
     • AES-256 encryption for HDFS data, Hive metadata, log files, ingest paths, etc.
     • Process-based ACLs
     • High performance, optimized on Intel
     • Fast, easy deployment with Cloudera Parcel
     • Enterprise scalability
     • Keys protected by Navigator Key Trustee
  20. Hadoop Security Challenges: “I need a centralized way to manage all my Hadoop security artifacts”
     • Navigator Key Trustee provides cluster-level security, managing the growing volumes of Hadoop encryption keys, certificates, and passwords
     • We can help you bring sensitive digital artifacts under a consistent set of controls and policies
  21. Navigator Key Trustee: a “virtual safe-deposit box” for managing encryption keys or any other Hadoop security artifact
     • Separates keys from encrypted data
     • Centralized management of SSL certificates, SSH keys, tokens, passwords, Kerberos keytab files, and more
     • Unique “trustee” and machine-based policies deliver multifactor authentication
     • Integration with HSMs from Thales, RSA, and SafeNet
  22. Cluster-level security
     • Transparent protection for all data and metadata
     • Enterprise key management for all Hadoop encryption keys
  23. Introducing the Cloudera Center for Security Excellence
     • Based in Austin, Texas
     • Comprehensive data and cluster security technologies
     • Hadoop security test and certification lab
     • Security ecosystem partner enablement
     • Intel chipset, cloud, and virtualization security alignment
  24. Key Requirements for Security in Hadoop (same mapping as slide 9)
     • Data: Encrypt | Key Trustee
     • Today: transparent encryption + enterprise key management + partner solutions
     • Roadmap: transparent encryption for HDFS (includes work through Project Rhino) + enterprise key management
  25. Result: Cloudera is the most secure Hadoop platform
     • Perimeter (authentication, network isolation): Kerberos | AD/LDAP
     • Data (encryption, tokenization, data masking): Encrypt | Key Trustee
     • Access (permissions, authorization): Sentry
     • Visibility (auditing, lineage): Cloudera Navigator
  26. Cloudera Enterprise: Comprehensive, Transparent, Compliance-Ready Security
     • Analytic & processing engines: batch processing, analytic MPP SQL, search engine, machine learning, stream processing, 3rd party apps
     • Systems management: end-to-end, zero-downtime system administration; workload & resource management
     • Unified data storage & integration: distributed filesystem, online NoSQL database
     • Security & governance: access control (authorization), perimeter (authentication), data protection (encryption, key management), data lifecycle (BDR, snapshots), data visibility (audit, lineage)
  27. ✔ Meet compliance requirements ✔ Innovate without compromise ✔ Comprehensive security for all data
  28. Learn More
     • cloudera.com/security
     • Hear more in the series: deep dive on Kerberos and perimeter protection; encryption and key management; Sentry and auditing
     • Look for more info on the series in our follow-up email
  29. Thank you!