Comprehensive Security for the Enterprise III: Protecting Data at Rest and In Motion
This webinar discusses how you can use Navigator capabilities such as Encrypt and Key Trustee to secure data and enable compliance. Additionally, we will discuss our joint work with Intel on Project Rhino (an initiative to improve data security in Hadoop). We also hear from a security architect at a financial services company that is using encryption and key management to meet financial regulatory requirements.
  1. Comprehensive Security for the Enterprise: Protecting Data-at-Rest & in Motion
     Ritu Kama, Director Product Management, Intel
     Sam Heywood, Director Product Management - Security, Cloudera
     “Mike”, CTO, Financial Services Company

  2. Cloudera’s Vision for Hadoop Security
     ©2014 Cloudera, Inc. All rights reserved.
     Comprehensive
     • Standards-based Authentication
     • Centralized, Granular Authorization
     • Native Data Protection
     • End-to-End Data Audit and Lineage
     Compliance-Ready
     • Meet compliance requirements
     • HIPAA, PCI-DSS, FERPA, etc.
     • Encryption and key management
     Transparent
     • Security at the core
     • Minimal performance impact
     • Compatible with new components
     • Insight with compliance

  3. Project Rhino: Overview
     ©2014 Cloudera, Inc. All Rights Reserved. CONFIDENTIAL: Reproduction or redistribution without written permission is prohibited.
     Contributed by Intel in 2013
     Blueprint for enterprise-grade security:
     • Data Encryption
     • Authentication and Single Sign on
     • Fine-grained Authorization
     • Audit
     Achieves its goals & is open source:
     • Encryption and fine-grained access controls have been added to Apache HBase
     https://github.com/intel-hadoop/project-rhino/

  4. Project Rhino
     Rhino Goal: Encryption and Key Management Framework
     Cloudera and Intel engineers are now contributing HDFS encryption capabilities that can plug into enterprise key managers.
     NOTE: Enterprise key management, compliant key storage, and encrypting sensitive data outside of HDFS are not addressed.

  5. Project Rhino Scope
     Apache ZooKeeper, Apache Bigtop

  6. Combining strengths
     • Leading in stability, compatibility, continuity
     • Leading SQL functionality & performance
     • Leading management capabilities
     • 150 engineers, 100 open source committers
     • Leading security feature set
     • Leading silicon optimizations
     • 50 engineers, 12 open source committers
     • Leading Big Data encryption and key management solution
     • 40+ employees with maniacal focus on Big Data Security
     Converged CDH + IDH open source platform by end of 2014

  7. Key Requirements for Security in Hadoop
     Perimeter: Guarding access to the cluster itself
     Technical Concepts: Authentication, Network isolation
     Data: Protecting data in the cluster from unauthorized visibility
     Technical Concepts: Encryption, Tokenization, Data masking
     Access: Defining what users and applications can do with data
     Technical Concepts: Permissions, Authorization
     Visibility: Reporting on where data came from and how it’s being used
     Technical Concepts: Auditing, Lineage

  8. Guard the Perimeter
     Perimeter: Guarding access to the cluster itself (Kerberos | AD/LDAP)
     Preserve multiple entry points while providing strong authentication that’s easy to manage
     • Kerberos
     • Industry Standard
     • Integrated into Manager
     • LDAP/AD
     • Username/Password
     • SAML
     • Single Sign-On

  9. Control Access
     Perimeter: Kerberos | AD/LDAP
     Access: Defining what users and applications can do with data (Sentry | Rhino)
     Visibility: Cloudera Navigator
     Data: Encrypt | Key Trustee
     Sentry
     • Apache project contributed by Cloudera in 2013
     • Unified authorization for Hive, Impala and Search
     Rhino
     • Contributed by Intel in 2013
     • Blueprint for enterprise-grade security, including authorization

  10. Protecting Data At Rest & In Motion
     Perimeter: Kerberos | AD/LDAP
     Access: Sentry
     Data: Protecting data in the cluster from unauthorized visibility (Encrypt | Key Trustee)
     Navigator encrypt
     • Compliance-Ready
     • Transparent encryption for Hadoop data that’s highly performant, scalable, and easy to deploy
     • Integrated into Navigator
     Navigator key trustee
     • Compliance-Ready
     • Enterprise key management for encryption keys, certificates, and passwords
     • Integrated into Navigator

  11. Now Available: Cloudera Navigator encrypt + Cloudera Navigator key trustee
     Compliance-Ready Transparent Encryption and Key Management
     [Diagram: Cloudera’s Enterprise Data Hub – unified, elastic, resilient, secure; storage for any type of data; 3rd party apps]
     • Batch Processing: MapReduce
     • Analytic SQL: Impala
     • Search Engine: Solr
     • Machine Learning: Spark
     • Stream Processing: Spark Streaming
     • Workload Management: YARN
     • Filesystem: HDFS
     • Online NoSQL: HBase
     • Security: Sentry
     • Data Management: Cloudera Navigator
     • System Management: Cloudera Manager

  12. Now Available: Cloudera Navigator encrypt + Cloudera Navigator key trustee
     • Transparent protection for all data and metadata
     • Enterprise Key Management for all Hadoop encryption keys

  13. Navigator encrypt
     Navigator encrypt provides transparent encryption for Hadoop data as it’s written to disk
     • AES-256 encryption for HDFS data, Hive metadata, log files, ingest paths, etc.
     • Process-based ACLs
     • High-performance optimized on Intel
     • Fast, easy deployment with Cloudera Parcel
     • Enterprise scalability
     • Keys protected by Navigator key trustee

  14. Navigator key trustee
     Navigator key trustee is a “virtual safe-deposit box” for managing encrypt keys or any other Hadoop security artifact
     • Separates keys from encrypted data
     • Centralized management of SSL certificates, SSH keys, tokens, passwords, Kerberos keytab files and more
     • Unique “trustee” and machine-based policies deliver multifactor authentication
     • Integration with HSMs from Thales, RSA and SafeNet

  15. Ease of Deployment
     • Install encryption client
       • Cloudera parcel
       • Package managers (yum, apt-get), Chef, Puppet, Ansible
     • Configure key trustee account and store master key
       • Passphrase method (optional “split security”)
       • Key file method
     • Create ACLs
       • Almost any process, executable, script can be ‘trusted’
       • Profile allows control of Jar files and other Java Parameters
     • Encrypt data

  16. Key components of PCI
     Columns: Customer | Cloudera Navigator Encrypt | Sentry | Kerberos | Core
     ✔ Install and maintain a firewall
     ✔ Do not use vendor-supplied defaults
     ✔ ✔ Protect stored cardholder data
     ✔ Encrypt transmission of cardholder data across open, public networks
     ✔ Use and regularly update anti-virus software
     ✔ ✔ Develop and maintain secure systems and applications
     ✔ ✔ Restrict access to cardholder data by business need-to-know
     ✔ Assign a unique ID to each person with computer access
     ✔ Restrict physical access to cardholder data
     ✔ Track and monitor all access to network resources and cardholder data
     ✔ Regularly test security systems and processes
     Maintain an Information Security Policy
     ✔ ✔ Maintain a policy that addresses information security

  17. Key Components of HIPAA
     Ref: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf
     Columns: Customer | Cloudera Navigator Encrypt | Sentry | Kerberos
     ✔ Unique User Identification: Assign a unique name and/or number for identifying and tracking user identity.
     ✔ Emergency Access Procedure: Establish procedures for obtaining necessary ePHI during an emergency.
     ✔ Automatic Logoff: Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
     ✔ Encryption and Decryption: Implement a mechanism to encrypt and decrypt ePHI.
     ✔ ✔ ✔ Audit Controls: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
     ✔ Mechanism to Authenticate ePHI: Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.
     ✔ Authentication: Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.
     ✔ Transmission Security - Integrity Controls: Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of.
     ✔ Transmission Security - Encryption: Implement a mechanism to encrypt ePHI whenever deemed appropriate.

  18. Case Study
     • The App
     • Cloud Security Challenges
     • Evolving the Approach

  19. The App
     • Customer transaction data
     • Could reveal strategic investment of customer resources
     • Could expose customers to public embarrassment/inquiry

  20. Cloud Security Challenges
     • Sensitive financial data in cloud-hosted SaaS?
     • Payment card and bank account information
     • Financial transactions, inc. payer, payee, amounts, methods, etc.
     • API keys for banks integrated into system
     • What was happening when cloud data security topic came up
     • Level of effort to address
     • Effect on sales cycle

  21. Evolving the Approach
     • Switching cloud providers
     • Customer reactions to this…

  22. Evolving the Approach
     • Switching cloud providers
     • Doubling down on data encryption
     • Customer reactions to this…

  23. Twofold Business Impact
     • Considered by customers they couldn’t sell to before
     • Considerably less effort & shortening sales cycles

  24. What’s Next?
     Mike’s crystal ball

  25. Key Requirements for Security in Hadoop
     Perimeter: Guarding access to the cluster itself (Authentication, Network isolation) - Available On-Demand
     Data: Protecting data in the cluster from unauthorized visibility (Encryption, Tokenization, Data masking) - Available On Demand
     Access: Defining what users and applications can do with data (Permissions, Authorization) - Available Soon
     Visibility: Reporting on where data came from and how it’s being used (Auditing, Lineage) - Register for Aug 7 Webinar

  26. Hadoop Security Meetup
     Enterprise Security for Apache Hadoop: Finding and Filling the Gaps
     • Wed. July 23rd (tomorrow!)
     • 6pm-9pm
     • @HP in Sunnyvale, CA
     • Presented by The Hive Big Data Think Tank

  27. Thank You!