Comprehensive Security for the Enterprise III: Protecting Data at Rest and In Motion

This webinar discusses how you can use Navigator capabilities such as Encrypt and Key Trustee to secure data and enable compliance. Additionally, we will discuss our joint work with Intel on Project Rhino (an initiative to improve data security in Hadoop). We also hear from a security architect at a financial services company that is using encryption and key management to meet financial regulatory requirements.

Presentation Transcript

  • 1 Comprehensive Security for the Enterprise: Protecting Data-at-Rest & in Motion
    Ritu Kama, Director Product Management, Intel
    Sam Heywood, Director Product Management - Security, Cloudera
    “Mike”, CTO, Financial Services Company
  • 2 Cloudera’s Vision for Hadoop Security: Compliance-Ready, Comprehensive, Transparent
    • Standards-based Authentication
    • Centralized, Granular Authorization
    • Native Data Protection
    • End-to-End Data Audit and Lineage
    • Meet compliance requirements (HIPAA, PCI-DSS, FERPA, etc.)
    • Encryption and key management
    • Security at the core
    • Minimal performance impact
    • Compatible with new components
    • Insight with compliance
    ©2014 Cloudera, Inc. All rights reserved.
  • 3 Project Rhino — Overview
    Contributed by Intel in 2013. Blueprint for enterprise-grade security:
    • Data Encryption
    • Authentication and Single Sign on
    • Fine-grained Authorization
    • Audit
    Achieves its goals & is open source: encryption and fine-grained access controls have been added to Apache HBase. https://github.com/intel-hadoop/project-rhino/
    CONFIDENTIAL: Reproduction or redistribution without written permission is prohibited.
  • 4 Project Rhino Goal: Encryption and Key Management Framework
    Cloudera and Intel engineers are now contributing HDFS encryption capabilities that can plug into enterprise key managers.
    NOTE: Enterprise key management, compliant key storage, and encrypting sensitive data outside of HDFS are not addressed.
  • 5 Project Rhino Scope (diagram; only the labels Apache ZooKeeper and Apache Bigtop survive)
  • 6 Combining strengths: Converged CDH + IDH open source platform by end of 2014
    • Leading in stability, compatibility, continuity
    • Leading SQL functionality & performance
    • Leading management capabilities
    • 150 engineers, 100 open source committers
    • Leading security feature set
    • Leading silicon optimizations
    • 50 engineers, 12 open source committers
    • Leading Big Data encryption and key management solution
    • 40+ employees with maniacal focus on Big Data Security
  • 7 Key Requirements for Security in Hadoop
    • Perimeter: Guarding access to the cluster itself. Technical Concepts: Authentication, Network isolation
    • Data: Protecting data in the cluster from unauthorized visibility. Technical Concepts: Encryption, Tokenization, Data masking
    • Access: Defining what users and applications can do with data. Technical Concepts: Permissions, Authorization
    • Visibility: Reporting on where data came from and how it’s being used. Technical Concepts: Auditing, Lineage
  • 8 Guard the Perimeter
    Perimeter: Guarding access to the cluster itself. Technical Concepts: Authentication, Network isolation. Kerberos | AD/LDAP
    Preserve multiple entry points while providing strong authentication that’s easy to manage
    • Kerberos
    • Industry Standard
    • Integrated into Manager
    • LDAP/AD
    • Username/Password
    • SAML
    • Single Sign-On
  • 9 Control Access
    Perimeter: Kerberos | AD/LDAP
    Data: Encrypt | Key Trustee
    Access: Defining what users and applications can do with data. Technical Concepts: Permissions, Authorization. Sentry | Rhino
    Visibility: Cloudera Navigator
    Sentry
    • Apache project contributed by Cloudera in 2013
    • Unified authorization for Hive, Impala and Search
    Rhino
    • Contributed by Intel in 2013
    • Blueprint for enterprise-grade security, including authorization
  • 10 Protecting Data At Rest & In Motion
    Perimeter: Kerberos | AD/LDAP
    Access: Sentry
    Data: Protecting data in the cluster from unauthorized visibility. Technical Concepts: Encryption, Tokenization, Data masking. Encrypt | Key Trustee
    Navigator encrypt
    • Compliance-Ready
    • Transparent encryption for Hadoop data that’s highly performant, scalable, and easy to deploy
    • Integrated into Navigator
    Navigator key trustee
    • Compliance-Ready
    • Enterprise key management for encryption keys, certificates, and passwords
    • Integrated into Navigator
  • 11 Now Available: Cloudera Navigator encrypt + Cloudera Navigator key trustee (Compliance-Ready Transparent Encryption and Key Management)
    Cloudera’s Enterprise Data Hub (diagram labels): 3rd party apps; Sentry; Batch Processing (MapReduce); Analytic SQL (Impala); Search Engine (Solr); Machine Learning (Spark); Stream Processing (Spark Streaming); Workload Management (YARN); Filesystem (HDFS); Online NoSQL (HBase); Data Management (Cloudera Navigator); System Management (Cloudera Manager); Storage for any type of data: unified, elastic, resilient, secure
  • 12 Now Available: Cloudera Navigator encrypt + Cloudera Navigator key trustee
    • Transparent protection for all data and metadata
    • Enterprise Key Management for all Hadoop encryption keys
  • 13 Navigator encrypt
    Navigator encrypt provides transparent encryption for Hadoop data as it’s written to disk
    • AES-256 encryption for HDFS data, Hive metadata, log files, ingest paths, etc.
    • Process-based ACLs
    • High-performance optimized on Intel
    • Fast, easy deployment with Cloudera Parcel
    • Enterprise scalability
    • Keys protected by Navigator key trustee
  • 14 Navigator key trustee
    Navigator key trustee is a “virtual safe-deposit box” for managing encrypt keys or any other Hadoop security artifact
    • Separates keys from encrypted data
    • Centralized management of SSL certificates, SSH keys, tokens, passwords, Kerberos keytab files and more
    • Unique “trustee” and machine-based policies deliver multifactor authentication
    • Integration with HSMs from Thales, RSA and SafeNet
  • 15 Ease of Deployment
    • Install encryption client: Cloudera parcel; package managers (yum, apt-get), Chef, Puppet, Ansible
    • Configure key trustee account and store master key: passphrase method (optional “split security”); key file method
    • Create ACLs: almost any process, executable, script can be ‘trusted’; profile allows control of Jar files and other Java parameters
    • Encrypt data
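Slides 13 to 15 describe one pattern: data on the node is encrypted with AES-256, the keys that protect it live in a separate key trustee, and only trusted processes may decrypt. The Go program below is an added illustration of that pattern written for this page; it is not Cloudera or Intel code and does not call the Navigator encrypt or key trustee APIs. The Trustee, Client and EncryptedBlob types, the client id "datanode-01", the executable paths and the sample record are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// randomBytes draws key and nonce material from the OS CSPRNG.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not something to recover from
	}
	return b
}

// Trustee is a hypothetical model of the key-management side, not product code.
// It keeps each client's 256-bit master key (KEK) and applies it itself, so the KEK
// is never stored beside the encrypted data; Revoke destroys it, which makes every
// DEK wrapped under it unrecoverable (crypto-shredding).
type Trustee struct{ masterKeys map[string][]byte }

func NewTrustee() *Trustee            { return &Trustee{masterKeys: map[string][]byte{}} }
func (t *Trustee) Register(id string) { t.masterKeys[id] = randomBytes(32) }
func (t *Trustee) Revoke(id string)   { delete(t.masterKeys, id) }

// UseKEK runs a wrap (sealAES) or unwrap (openAES) under the client's KEK.
func (t *Trustee) UseKEK(id string, op func(key, in []byte) ([]byte, error), in []byte) ([]byte, error) {
	kek, ok := t.masterKeys[id]
	if !ok {
		return nil, errors.New("trustee: unknown or revoked client " + id)
	}
	return op(kek, in)
}

// gcmFor builds an AEAD; a 32-byte key selects AES-256.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealAES prefixes a fresh random nonce to the AES-256-GCM output.
func sealAES(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openAES splits off the nonce and authenticates before returning plaintext.
func openAES(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// EncryptedBlob is everything that rests on the data node: ciphertext plus wrapped DEK.
type EncryptedBlob struct{ Ciphertext, WrappedDEK []byte }

// Client is the node-side agent; Trusted is its process-based ACL of executables.
type Client struct {
	ID      string
	Trustee *Trustee
	Trusted map[string]bool
}

// Encrypt seals data under a fresh per-object DEK and has the trustee wrap that DEK.
func (c *Client) Encrypt(plaintext []byte) (*EncryptedBlob, error) {
	dek := randomBytes(32)
	wrapped, err := c.Trustee.UseKEK(c.ID, sealAES, dek)
	if err != nil {
		return nil, err
	}
	ct, err := sealAES(dek, plaintext)
	if err != nil {
		return nil, err
	}
	return &EncryptedBlob{Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// Decrypt enforces the process ACL first, then has the trustee unwrap the DEK.
func (c *Client) Decrypt(exe string, blob *EncryptedBlob) ([]byte, error) {
	if !c.Trusted[exe] {
		return nil, fmt.Errorf("acl: %s is not trusted to read encrypted data", exe)
	}
	dek, err := c.Trustee.UseKEK(c.ID, openAES, blob.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return openAES(dek, blob.Ciphertext)
}

func main() {
	tr := NewTrustee()
	tr.Register("datanode-01") // constructed client id
	c := &Client{ID: "datanode-01", Trustee: tr, Trusted: map[string]bool{"/usr/bin/hdfs": true}}
	blob, _ := c.Encrypt([]byte("constructed sample record"))
	pt, err := c.Decrypt("/usr/bin/hdfs", blob)
	fmt.Printf("trusted read: %q err=%v\n", pt, err)
	tr.Revoke("datanode-01")
	_, err = c.Decrypt("/usr/bin/hdfs", blob)
	fmt.Println("after revoke:", err)
}
```

What rests on disk is the ciphertext and the wrapped DEK; neither yields plaintext without the KEK that only the trustee holds, and revoking that KEK renders every object wrapped under it unreadable. GCM supplies integrity, so a modified ciphertext fails to open rather than decrypting to garbage. The model deliberately omits what a real deployment needs between client and trustee: an authenticated, TLS-protected channel and the trustee- and machine-based policies the slides mention before a client id is honoured.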
  • 16 Key components of PCI (table; columns: Customer, Cloudera Navigator Encrypt, Sentry, Kerberos, Core; ✔ marks are kept in transcript order)
    ✔ Install and maintain a firewall
    ✔ Do not use vendor-supplied defaults
    ✔ ✔ Protect stored cardholder data
    ✔ Encrypt transmission of cardholder data across open, public networks
    ✔ Use and regularly update anti-virus software
    ✔ ✔ Develop and maintain secure systems and applications
    ✔ ✔ Restrict access to cardholder data by business need-to-know
    ✔ Assign a unique ID to each person with computer access
    ✔ Restrict physical access to cardholder data
    ✔ Track and monitor all access to network resources and cardholder data
    ✔ Regularly test security systems and processes
    Maintain an Information Security Policy
    ✔ ✔ Maintain a policy that addresses information security
  • 17 Key Components of HIPAA (table; columns: Customer, Cloudera Navigator Encrypt, Sentry, Kerberos; ✔ marks are kept in transcript order)
    Ref: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf
    ✔ Unique User Identification: Assign a unique name and/or number for identifying and tracking user identity.
    ✔ Emergency Access Procedure: Establish procedures for obtaining necessary ePHI during an emergency.
    ✔ Automatic Logoff: Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
    ✔ Encryption and Decryption: Implement a mechanism to encrypt and decrypt ePHI.
    ✔ ✔ ✔ Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
    ✔ Mechanism to Authenticate ePHI: Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.
    ✔ Authentication: Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.
    ✔ Transmission Security - Integrity Controls: Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of.
    ✔ Transmission Security – Encryption: Implement a mechanism to encrypt ePHI whenever deemed appropriate
  • 18 Case Study
    • The App
    • Cloud Security Challenges
    • Evolving the Approach
  • 19 The App
    • Customer transaction data
    • Could reveal strategic investment of customer resources
    • Could expose customers to public embarrassment/inquiry
  • 20 Cloud Security Challenges
    • Sensitive financial data in cloud-hosted SaaS?
    • Payment card and bank account information
    • Financial transactions, inc. payer, payee, amounts, methods, etc.
    • API keys for banks integrated into system
    • What was happening when cloud data security topic came up
    • Level of effort to address
    • Effect on sales cycle
  • 21 Evolving the Approach
    • Switching cloud providers
    • Customer reactions to this…
  • 22 Evolving the Approach
    • Switching cloud providers
    • Doubling down on data encryption
    • Customer reactions to this…
  • 23 Twofold Business Impact
    • Considered by customers they couldn’t sell to before
    • Considerably less effort & shortening sales cycles
  • 24 What’s Next? Mike’s crystal ball
  • 25 Key Requirements for Security in Hadoop
    • Perimeter: Guarding access to the cluster itself. Technical Concepts: Authentication, Network isolation
    • Data: Protecting data in the cluster from unauthorized visibility. Technical Concepts: Encryption, Tokenization, Data masking
    • Access: Defining what users and applications can do with data. Technical Concepts: Permissions, Authorization
    • Visibility: Reporting on where data came from and how it’s being used. Technical Concepts: Auditing, Lineage
    Available On-Demand; Available On Demand; Available Soon; Register for Aug 7 Webinar
  • 26 Hadoop Security Meetup: Enterprise Security for Apache Hadoop: Finding and Filling the Gaps
    • Wed. July 23rd (tomorrow!)
    • 6pm-9pm
    • @HP in Sunnyvale, CA
    • Presented by The Hive Big Data Think Tank
  • 27 Thank You!