Watch full webinar here: https://bit.ly/3xWXuSN Malgré le besoin croissant d'agilité, les entreprises restent réticientes à héberger leur données sensibles dans le Cloud pour des raisons de sécurité. Par ailleurs, le chiffrement basique ne suffit plus, car masquer la donnée ou la fournir de façon partielle empêche son utilisation. La cryptographie avancée associée à la Logical Data Fabric constitue un duo gagnant pour intensifier l’utilisation de ces données sensibles dans le Cloud tout en garantissant le maximum de sécurité et de confidentialité. D’une part, la Logical Data Fabric permet aux organisations ayant un écosystème hybride d’accéder à l’ensemble de leur patrimoine data en temps réel tout en étalissant des politiques de sécurité, alors que la cryptographie avancée permet de stocker les données chiffrées dans le cloud, même pendant son utilisation, tout en y incluant des droits d’accès. Rejoignez ce webinar pour découvrir : - Les enjeux d’accès et de partage des données dans les environnements hybrides et multiclouds. - Comment la Logical Data Fabric de Denodo simplifie l’adoption du Cloud grâce à un point unique d’accès à la donnée tout en fournissant une couche de sécurité et de gouvernance. - Comment les fonctionnalités avancées de la cryptographie de Cosmian se différencient des approches traditionnelles de chiffrement. - Une démo live sur comment la cryptographie applicative permet de créer des politiques de sécurité et d’accès aux données dans des environnements zéro trust.

1. WEBINAR
Cryptographie avancée et
Logical Data Fabric :
Accélérez le partage et la migration vers le
Cloud de vos données sensibles
Bruno Grieder
CTO & Co-founder,
Cosmian
Vincent Fages-Gouyou
Director of Product Management EMEA,
Denodo

2. Agenda
1. Modern Enterprise’s Data Dilemma
2. Architectures & what Cloud strategy?
3. Understanding the Denodo’s Logical Data Fabric
4. Don’t forget Security & Sovereignty
5. Cosmian’s advance cryptographic technology
6. Cosmian’s ABE embedded in Denodo
7. Live demo

3. Data Sharing & Governance

4. 4
The Enterprise’s Data Dilemma
Rising Volume of data
▪ 90% of the data have been produced in the past 2 years
▪ 40 zettabytes of Data by end 2020 (5 200GB / person on earth)
▪ Every person will be generating 1.7 MB data / second In 2020
▪ It will take 181 million years for a person to download all those Data
Rising Business challenges with Data
▪ Poor data quality costs business between $9 M to $14 M a year
▪ Bad data is estimated to cost US only $3 trillion a year
▪ 97% of organization are investing in AI & Big Data
▪ 93% have multi-cloud & hybrid strategy
▪ Data Scientists waste 75% looking for Data
Get value out of the data in a agile mode
▪ Embrace predictive and prescriptive analytics
▪ Use all data assets available
▪ Reduce Time to Market (TTM) and Time to Data (TTD)
▪ Empower Self-Service strategies to reduce IT bottlenecks and
shadow IT
Reduces costs while insuring governance & security
▪ Reduce HW and operational cost of data management (e.g. cloud)
▪ Pivot to less costly data management techniques when possible
▪ Prevents data leaks and complies with existing regulations
Rising complexity of data
▪ Eclectic mix of old and new data; every structure imaginable
▪ Generated and integrated, from batch to real time
▪ Traditional data from enterprise apps, web, third-parties
▪ New sources of data from machines, social media, IoT
Rising complexity of data management solutions
▪ Mix of home grown, vendor built, open source
▪ Multi-platform architectures; distributed and heterogeneous;
on premises or cloud; from relational to Hadoop
▪ Hybrid and diverse in the extreme.
Business IT

5. 5
Enterprise’s Data Delivery Architecture
Data Science
Data Quality ML / AI
Locations
Data Sources
OLAP
Visualisation
Denodo Proprietary and Confidential

6. 6
The Dream of Monolithic Data Centralization
▪ Physically centralize all data in a single
location
▪ Examples: Data Warehouse, Data Lake,
Data LakeHouse, Cloud Data
Warehouse
▪ Attractive for its simplicity, it also
comes with many challenges
Denodo Proprietary and Confidential

7. 7
Limits of Monolithic Architectures: Slow and Rigid
▪ Need to ingest all data in a new system
▪ Existing analytics systems cannot be reused
▪ Data is replicated for every different purpose / use case
▪ Changes require modifying pipelines and datasets at multiple stages
Denodo Proprietary and Confidential

8. 8
Cloud Monolithic Data Centralization
Benefits
▪ Brings more flexibility & scalability
▪ Access from anywhere
▪ Lower cost of operations
But
▪ New data silos
▪ Vendor lock-in risk
▪ Data latency
▪ Regulatory compliance & Security concerns
Denodo Proprietary and Confidential

9. 9
§ Flexibility
§ Cost optimization
§ Avoid vendor lock-in
§ Regulatory compliance
§ Geographical flexibility
Benefits of Multi-Cloud Strategy
9

10. 10
§ Complexity
§ Duplication
§ Increased costs
§ Multiple security models
§ Skill sets required
§ Integration
Challenges of Multi-Cloud Strategy: Back to square #1 !
10

11. 12
Enterprise’s Logical Data Fabric
Data Science
Data Quality ML / AI
Locations
Data Sources
OLAP
Visualisation
Governance, Metadata Management, Data Mart
Security
Data Access
Data Virtualization Data Services
Denodo Proprietary and Confidential

12. 13
Denodo’s Logical Data Fabric
§ Based on Data Virtualization technology which abstracts
data consumers from where data is located and how it is
represented in the source systems.
§ It allows building a business semantic layer on top of
multiple distributed data sources of any type without the
requirement of replicating data into a central repository.
§ It enables the implementation of enterprise wide data
sharing and security policies at every levels of integration,
on consumer side, in the semantic layer, at the data source.
§ This semantic layer can be accessed in a secure and
governed manner by consumers using a variety of standard
methods such as SQL, REST, OData, GraphQL or MDX.
§ It’s the foundation for distributed and logical architectures
Denodo Proprietary and Confidential

13. 15
Denodo’s Logical Data Fabric
Federation
Transformation
Abstraction
Data Service Dynamic Query
Optimization
Cost Based
Optimizer
Query
Rewriting
Caching MPP
Security &
Governance
Lifecycle
Management
Data Catalog
Discover
Collaborate
Query
Categorize
Denodo Proprietary and Confidential

14. 16
A Modern Data Virtualization Architecture
DATA CATALOG
Discover - Explore - Document
{ API ACCESS }
RESTful / OData
GraphQL / GeoJSON
SQL
DATA VIRTUALIZATION
CONNECTIVITY
Traditional
DB & DW
150+
data
adapters
Cloud
Stores
Hadoop
& NoSQL
OLAP Files Apps Streaming SaaS
Query
Optimization
Security
AI/ML Governance
Semantic
Layer
DATA OPPS
Deployment
Cloud PaaS
Containers/K8
On-Prem
Monitoring
Scheduling
Version Control
DEVELOPMENT
MODELING
DELIVERY
SOLUTION MANAGER
Real Time
Smart Query
Acceleration
Caching
MPP Engine
MDX Access
Denodo Cubes
CONSUMERS
LOGICAL
DATA
FABRIC
SOURCES

15. 17
Security Architecture
DATA CATALOG
Discover - Explore - Document
{ API ACCESS }
RESTful / OData
GraphQL / GeoJSON
SQL
Traditional
DB & DW
150+
data
adapters
Cloud
Stores
Hadoop
& NoSQL OLAP Files Apps Streaming SaaS
MDX Access
Denodo Cubes
CONSUMERS
LOGICAL
DATA
FABRIC
SOURCES
Schema-wide permission Tag-Based Policy Security
(Including integration with entitlement systems)
LDAP / Active
Directory
External Identity
Providers
Encrypted Data at Rest
Cache / Swap
Authentication
• User/Password and token based
• Kerberos, SAML, OpenID and Oauth (JDBC, ODBC & Web services)
• SSO and two-factor authentication
Data in Motion
• TLS 1.2
• SSL
Data in Motion
• TLS 1.2
• SSL
Authentication
• Pass-Through authentication (user/password,
Kerberos) and service accounts
• Web Service Security: SAML, OAuth, SPNEGO
Role-Based authorization
(guest, employee, corporate)
Data-Specific Permissions
(Row and column level including masking)
Edge Data Ciphering
ABE / KMS

16. Cosmian’s Cryptography Technology

17. Copyright © 2022 Cosmian Tech. Confidential
cosmian.com
19
Copyright © 2022 Cosmian Tech. Confidential
“The Stripe for advanced cryptography
to protect sensitive data & computations in the cloud”
Privacy by default
● HTTP -> HTTP/S Plaintext -> Ciphertext
● API based: librairies + backend services (secure enclaves, secure KMS,...)
Cosmian develops encryption technology to enable
privacy-by-default in cloud-native computing.
Ubiquitous Encryption
● Confidential Data Access: secure storage and access
● Secure Computation: keep data encrypted while processed

18. Copyright © 2022 Cosmian Tech. Confidential
20
cosmian.com
Confidential Data Access
Attributes Based Encryption
The next generation of application level cryptography
1
System level Symmetric Encryption
• A single symmetric key for all partitions -> leaking the key, leaks the whole data.
Encrypting and decrypting systems must be secured.
2
Built on top of end to end encryption
• One symmetric key per partition -> complex key management with many keys to
share among many clients. Encrypting and decrypting systems must be secured
Attributes Based Encryption
• Public key crypto system with overlapping partitions -> encrypting systems do not
need to be secured and client decryption keys are all unique
Unit/Country France UK Germany Spain
Finance
Marketing
Human Res.
Sales
3
2
3
1
Data partitioned by Security Axis
• As many axes and attributes per axis as desired
• Axes can be hierarchical e.g. confidential -> secret -> top secret
Decryption keys defined with Access Policies
• Key3: (Unit::Marketing || Unit::Sales) && (Country::Spain || Country::Germany )
• Keys are unique, even though they have the same access policy
• Keys can be issued at any time post encryption

19. Copyright © 2022 Cosmian Tech. Confidential
22
cosmian.com
Cosmian Confidential Data
Access
- provides improved
security primitives in
zero trust environments
using ABE
- can be augmented with
Searchable Symmetric
Encryption (SSE)
A
Better Security through partitioning. Leaking a
key, only leaks access to the partition.
A
Encryption is performed using a public key:
encrypting systems do not need to be secured
A
The system natively allows overlapping set of
partitions over multipe axes for sophisticated
and fined grained access control
A
User decryption keys are truly unique even if
they have the same access policy: better tracing
of security breaches
A
Access policies can be complex and can be
crafted after data has been encrypted which
facilitates user access management
A
Policiy attributes can be rotated, providing
forward secrecy for designated partitions
without re-encrypting the entire database
+ Searchable Symmetric Encryption (SSE)
• Fast, secure data search based on symmetric encryption primitives
• The index is encrypted and can be stored in a zero trust environment
• Queries are encrypted and responses are encrypted
The zero trust environement does not learn anything about
the data, the queries or the responses

20. Copyright © 2022 Cosmian Tech. Confidential
Cosmian’s ABE embedded

21. 24
REST API / TSL
Cosmian KMS & Edge Embedded ABE Engine
Open Source
Java Client
https://github.com/Cosm
ian/cosmian_java_lib
• Create Policy
• Request Keys
• Encryption
• Descryption
ABE Crypto Engine
Confidential Data
Intelligence Platform
Secure Enclave
KMS K1
K2
N
1
N
1
N
2
REST HTTPS

22. 25
Denodo’s, Role & Tag Base Data Access Protection
API / TSL
Protected Source
Protected Source
N
1
N
2
JDBC
REST/JSON
KMIP / TSL
Finance
HR
K1 K2
Open Source
Java Client Library
ABE Crypto Engine
Confidential Data
Intelligence Platform
Secure Enclave
KMS K1
K2
N
1
N
1
N
2
Attributes
N
2
N
1
Custom Function & Policy
• Get User Key uid
• Build JSON Policy
• Build JSON Access Policy
• Request Master Key
• Request User Key
• Encrypt with Attributes
• Decrypt

23. 26
Denodo’s Tag-based Policies
§ The semantic layers enforces standardized
data models and consistency across domains
§ Centrally enforce semantic, tag-based
security policies
§ Completely abstracted from specific tables
§ Easier to manage and less error prone
§ E.g mask the #SSN with *** for HR and Finance
§ Advanced Cryptographic integration
§ Allows for implementation of semantic
security rules across the data landscape,
independent of technologies underneath

24. 27
JSON Master Policy Definition
ABE Security Policy Definition
Top Secret
High Secret
Medium Secret
Low Secret
R&D HR MKG FIN
Min
Max
Security
Level
hirarchy
Department (no hirarchy)

25. 28
Key Management Functions
SELECT csgeneratemasterkey (JSON_Policy)
=> Publlic & Private Master Key UID
SELECT csgenerateuserkey (MasterKeyUID, JSON_AccessPolicy)
=> User Key UID

26. 29
Cyphering Functions
SELECT csencrypt (String_to_encrypt, JSON_Tags)
=> Cypher text
SELECT csdecrypt (UserKeyUID, Cypher_text)
=> Clear text

27. 30
Cipher Data Virtualization
RDMS
SAS
API
Cipher Join
Decrypt Role Based
Views
Interfaces
Remote Tables
Contact
SQL
Cipher Data
Data Materialization
Remote Table
Synchronization
C1ph3r
API
Key UID
Portfolios
User Key
UID Open Source
Java Client Library
ABE Crypto Engine
Confidential Data
Intelligence Platform
Secure Enclave
KMS K1
K2
N
1
N
1
N
2
Attributes
N
2
N
1
Tag-based
Policies engine

28. Q&A

29. © All rights reserved.
Unless otherwise specified, no part of this PDF file may be reproduced or utilized in any for or by any means, electronic or mechanical, including photocopying and microfilm, without prior the written authorization from Denodo Technologies.
Merci !
Bruno Grieder
CTO & Co-founder,
Cosmian
bruno.grieder@cosmian.com
www.cosmian.com
Vincent Fages-Gouyou
Director of Product Management EMEA,
Denodo
vfages@denodo.com
www.denodo.com