
Big Data Security and Governance

1. Big Data Security & Governance: Instilling Confidence and Trust
   Nick Curcuru, June 30, 2016
2. Today's Discussion
   ©2016 MasterCard. Proprietary and Confidential
   • Introduction to MasterCard
   • Security Landscape
   • Security Pillars
   • Top 10 threats: Infrastructure and Data Architecture
   • Hadoop Security Model
   • Governance and Compliance
   • Summary
3. MasterCard – Technology & Services
   Payment Processing | Payment Products | Sponsorships | Consulting Expertise | Information Services | Implementation Services
4. MasterCard helps our customers use Big Data (slide dated August 26, 2016)
   Themes: Increasing Revenue Generation | Increasing Analytic & IT Capabilities | Protecting Assets | Customer Centricity
   Examples: Monetization of data, MasterCard Data, Providing Hosting* Capabilities, Real time interactions, Improve enterprise data stewardship, Reduce risk of security incident, Media Measurements, Journey Analytics
5. MasterCard Securing Big Data
   2.2B+ global cards; 160MM transactions per hour.
   Card swipes (amount spent, time, merchant and location) are anonymized before analysis; advanced analytics are then applied in a safe and secure environment to find trends and insights.
   Uses: Risk Detection | Customer 360 | Location selection | Customer Engagement | Economic Indicators
6. Top 5 Industries for Cyber Attacks (Source: 2016 Cyber Security Intelligence Index)
   2015: 1. Healthcare, 2. Manufacturing, 3. Financial Services, 4. Government, 5. Transportation
   2014: 1. Financial Services, 2. Information & Communication, 3. Manufacturing, 4. Retail and wholesale, 5. Energy and Utilities
7. Per Record Cost of a Data Breach
   Source: 2015 Cost of Data Breach Study: Global Analysis, benchmark research sponsored by IBM, independently conducted by Ponemon Institute LLC, May 2015
   [Bar chart by industry; the industry labels did not survive extraction. Per-record costs shown: $363, $300, $220, $215, $179, $165, $155, $137, $136, $132, $129, $127, $126, $124, $121, $68]
8. Your next attacker is likely to be someone you thought you could trust (Source: 2016 Cyber Security Intelligence Index)
9. Top 10 Infrastructure Vulnerabilities (Systems, Software, Storage)
   1. Perimeter Authentication
   2. User Authentication
   3. Applications
   4. Hardware
   5. Encryption keys
   6. Environments
   7. Shared Responsibilities
   8. Software Updates
   9. System Monitoring
   10. Testing
10. Top 10 Data Architecture Vulnerabilities (Data – Architecture, Governance, Management)
   [Diagram; its labels did not survive extraction. The ten items are spelled out on slides 35 and 36.]
11. Nearly half of security incidents in 2015 were the result of unauthorized access (Source: 2016 Cyber Security Intelligence Index)
   Share of incidents, 2014 vs 2015:
   • Unauthorized access: 37% (2014), 45% (2015)
   • Malicious code: 20% (2014), 29% (2015)
   • Sustained probe/scan: 20% (2014), 16% (2015)
   • Suspicious activity: 11% (2014), 6% (2015)
   • Access or credentials abuse: 8% (2014), 3% (2015)
12. SECURITY PILLARS
13. Four Pillars of Security
   • PERIMETER: Authenticating
   • ACCESS: Authorizing
   • VISIBILITY: Auditing
   • DATA: Architecting
14. Perimeter Security – Authenticating
   Guarding access to the environment (cluster). Ensure your cluster:
   • Preserves user choice of the right Hadoop service (e.g. Impala, Spark)
   • Conforms to centrally managed authentication policies
   • Implements with existing standard systems: Active Directory and Kerberos
   Flow: 1. User authenticates to Active Directory. 2. Authenticated user gets a Kerberos ticket. 3. Ticket grants access to services.
15. Access Security – Authorizing
   Defining user roles and their data access; outlining what data applications can use. Ensure your cluster:
   • Defines and provides users access to the data needed to do their job
   • Centrally manages access policies: protect all paths with strong policies, moving security away from the applications
   • Leverages a role-based access control model built on Active Directory
16. Visibility Security – Auditing
   Reporting on where data came from and how it was put together. Ensure your cluster:
   • Can document where report data came from and how it was put together
   • Complies with policies for audit, data classification and lineage
   • Centralizes the audit repository
17. Data Security – Architecting
   Protecting data to internal and external standards. Ensure your cluster:
   • Controls the data that analysis is performed on
   • Encrypts data, protecting it from the root to its final destination
   • Applies security at the metadata level
   • Has well laid out encryption key management and token policies
   • Integrates with existing hierarchical storage management as part of the key management infrastructure
18. Table stakes for big data security
   • Native data encryption
   • Security embedded in metadata
   • Integrated key management
   • Authorisation
   • Authentication: multi-factor
   • Strong role-based access
   • Monitoring in real time
   • Audit and data lineage
   • Hardware-enabled security
   • Enterprise identity management integration
19. Best practices
   People and Process:
   • Segregation of Duties
   • Segregation of Data Access
   • Continuous knowledge transfer, training and awareness
   • Process documentation: controls, response and continuity planning
   Technology:
   • Strong Authentication & Authorization
   • Real Time Monitoring
   • Regular Penetration Testing
20. Lessons learned
   • Emphasize that Hadoop isn't one thing but a "collection of things"
   • Education and documentation is 60% of the effort
   • Explain why Hadoop isn't a database, so don't expect similar controls
   • Security is neither quick nor easy
   • Big Data technology is still maturing
   • Close collaboration with your partners is critical
   • Security is continuous, not a check in the box
21. What to do
22. Where to Start
   1. Assess security maturity over three dimensions: People, Process and Technology
   2. Classify data into categories: Personally Identifiable, Health Data, Payment Related, Analysis
   3. Start real-time system and data monitoring
   4. Take inventory of current Hadoop system security capabilities; refer to the security table stakes and identify gaps
   5. Identify training needs: Business, Technology and Third Party Partners
23. Start with the Hadoop Security Maturity model
   Axes: data volume & sensitivity (vertical) against security compliance & risk mitigation (horizontal).
   Level 0, Pilot: data free-for-all, available and error-prone. Highly vulnerable, data at risk.
   Level 1, Basic Security Controls: authorization, authentication, auditing. Reduced risk exposure.
   Level 2, Data Security & Governance: lineage visibility, metadata discovery, encryption and key management. Managed, secure, protected enterprise data hub.
   Level 3, Regulatory Compliance: audit-ready and protected; security enforcement for all data at rest and data in motion (full encryption, encryption management, token system management, transparency, real-time monitoring, element-level security). Secure data vault.
24. Transparent Encryption & Key Management
   Protection for all data:
   • Structured and unstructured
   • Metadata, temp files and log files
   Data-at-rest encryption options:
   • HDFS Encryption for the data
   • Encryption for metadata and log files
   [Diagram: YARN Resource Manager over the Data Management Layer (Impala, Hive, HDFS, HBase, Apache Sentry); SSL certificates and SSH keys, log/config/spill files, and an HSM for key storage.]
25. Look at Apache Atlas (Source: Apache Software Foundation and Hortonworks)
   Features:
   • Data Classification
   • Metadata
   • Centralized Auditing
   • Search & Lineage (Browse)
   • Security & Policy Engine
26. Compliance and Governance
   Compliance evolution: Specific, Integrity, Stewardship, Ethics
   • Taxonomy
   • Transparency
   • Auditability
   • Consistency
   • Accountability
   • Checks-and-Balances
   • Standards
   Governance | Controls | Guardian
27. Summary
   • 60% of threats come from inside the organization
   • Security is applied end to end in the process
   • Assess People, Process and Technology in your security strategy
   • Hadoop is still maturing
   • Governance includes data usage
   • Don't confuse compliance with security
28. QUESTIONS
29. Contact Us
   Nick Curcuru, +1 (914) 413 3822, Nick.Curcuru@mastercard.com
30. BONUS SLIDES
31. Top 10 Infrastructure Vulnerabilities (repeats slide 9)
   1. Perimeter Authentication, 2. User Authentication, 3. Applications, 4. Hardware, 5. Encryption keys, 6. Environments, 7. Shared Responsibilities, 8. Software Updates, 9. System Monitoring, 10. Testing
32. Points of Attack – Infrastructure (1 to 5)
   1. Perimeter Authentication
      Threat: Only password credentials are used for authentication to the environment.
      Mitigation: Use two-factor authentication: tokens, RSA or biometric technology.
   2. User Authentication
      Threat: Users authenticate with a generic, shared or application ID.
      Mitigation: Credentials should never be shared; each user and application should have unique, non-shared credentials to host systems.
   3. Applications
      Threat: Applications control data access.
      Mitigation: Access to data is enforced at the system level and at the data element (fine-grained).
   4. Hardware
      Threat: Database and application servers run on the same hardware.
      Mitigation: Separate database and application servers; this isolates attack vectors.
   5. Encryption Keys
      Threat: Encryption keys are not rotated.
      Mitigation: Set up periodic rotation of encryption keys.
33. Points of Attack – Infrastructure (6 to 10)
   6. Environments
      Threat: Insecure or uncertified environments have direct access to secure, certified environments.
      Mitigation: Segregate systems. Systems with access to each other need the same levels of security and controls.
   7. Shared Responsibilities
      Threat: Systems admin, DBA, application developer and web admin responsibilities are shared.
      Mitigation: Divide responsibilities; implement role-based access and controls.
   8. Software Updates
      Threat: Patches or upgrades do not happen on a regular release cycle that keeps the system protected from software vulnerabilities.
      Mitigation: Set up a release schedule, hold software vendors to security standards and verify that the standards are met.
   9. System Monitoring
      Threat: The platform is not monitored on a continual basis, which sets up a reactive, after-the-fact posture.
      Mitigation: Set up constant monitoring of the environment using data-driven alerts.
   10. Testing
      Threat: Infrequent penetration tests and application security scans.
      Mitigation: Develop a penetration testing schedule with a quarterly remediation review.
34. Top 10 Data Architecture Vulnerabilities (repeats slide 10; the items follow on slides 35 and 36)
35. Points of Attack – Enterprise Information Management (1 to 5)
   1. Co-mingling of data
      Threat: Sensitive data (encrypted, tokenized or hashed) is co-mingled with non-sensitive data.
      Mitigation: Use physical or logical separation between data types.
   2. Application Access Controls
      Threat: Reliant on applications to control access to data and enforce data security standards.
      Mitigation: Apply security at the table, field and element level, as well as at the application level.
   3. Key Storage
      Threat: Encryption keys are stored with the data they encrypt.
      Mitigation: Store encryption keys in a separate location away from the data and limit access through controlled processes.
   4. Data Movement
      Threat: Sensitive data is not encrypted on disk (at rest) or on the wire (in motion).
      Mitigation: Encrypt all sensitive data on disk (at rest) and on the wire (in motion).
   5. Access
      Threat: Users have access to data they should not, or access to data that is unnecessary for them.
      Mitigation: Use role-based access control and apply fine-grained data access controls.
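The key-storage and key-rotation points (slide 35 item 3 and slide 32 item 5) and the transparent-encryption stack on slide 24 rest on one mechanism, which the following added example models in Python. It is not MasterCard's or Hadoop's code: it follows the HDFS/KMS pattern (the zone key is held only by a key server, each file gets its own data encryption key that is stored with the file only in wrapped form, the access decision is made when a key is unwrapped, and rotation works by key version), but the cipher is an HMAC-SHA256 counter-mode stream standing in for the AES-CTR HDFS uses, and the zone name, principals, paths and sample record are constructed for the example.

```python
"""Envelope encryption with a separate key server, ACL at unwrap time, rotation.

Added example, not MasterCard's or Hadoop's code. Models HDFS transparent
encryption: zone key in the KMS, per-file DEK stored only wrapped (EDEK),
readers must ask the KMS to unwrap, and that is where access control lives.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: block i = HMAC-SHA256(key, nonce || i).
    Stand-in for AES-CTR so the example needs no third-party library."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (the same operation) under a per-message nonce."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


@dataclass(frozen=True)
class EDEK:
    """Encrypted data-encryption key: what the data store keeps beside a file."""
    key_name: str
    key_version: int
    nonce: bytes
    wrapped_dek: bytes


class KeyServer:
    """Stand-in for the Hadoop KMS. Zone keys are created, rolled and used only
    inside this object; callers only ever receive per-file DEKs."""

    def __init__(self):
        self._versions = {}  # key_name -> list of zone-key versions (index = version)
        self._acl = {}       # key_name -> principals allowed to unwrap (hypothetical roles)

    def create_key(self, name: str, allowed) -> None:
        self._versions[name] = [os.urandom(32)]
        self._acl[name] = set(allowed)

    def roll_key(self, name: str) -> int:
        """Periodic rotation: new files use the new version; older files stay
        readable because each EDEK records the version it was wrapped under."""
        self._versions[name].append(os.urandom(32))
        return len(self._versions[name]) - 1

    def generate_edek(self, name: str):
        """Called on file creation: fresh DEK, wrapped under the current version."""
        version = len(self._versions[name]) - 1
        dek, nonce = os.urandom(32), os.urandom(16)
        wrapped = stream_xor(self._versions[name][version], nonce, dek)
        return dek, EDEK(name, version, nonce, wrapped)

    def decrypt_edek(self, edek: EDEK, principal: str) -> bytes:
        """The access decision is made here, not in the application or data store."""
        if principal not in self._acl[edek.key_name]:
            raise PermissionError(f"{principal} may not unwrap key {edek.key_name}")
        zone_key = self._versions[edek.key_name][edek.key_version]
        return stream_xor(zone_key, edek.nonce, edek.wrapped_dek)


class EncryptionZone:
    """Stand-in for an HDFS encryption zone: stores EDEK, nonce and ciphertext
    only, and never sees a zone key."""

    def __init__(self, kms: KeyServer, key_name: str):
        self._kms, self._key_name, self._files = kms, key_name, {}

    def write(self, path: str, plaintext: bytes) -> None:
        dek, edek = self._kms.generate_edek(self._key_name)
        nonce = os.urandom(16)
        self._files[path] = (edek, nonce, stream_xor(dek, nonce, plaintext))

    def read(self, path: str, principal: str) -> bytes:
        edek, nonce, ciphertext = self._files[path]
        dek = self._kms.decrypt_edek(edek, principal)  # raises for unauthorised principals
        return stream_xor(dek, nonce, ciphertext)

    def stored(self, path: str):
        """What someone with disk access sees: no plaintext and no usable key."""
        return self._files[path]


SAMPLE_RECORD = b"card=4111111111111111 amount=42.00 merchant=shop-17"  # constructed


def demo():
    kms = KeyServer()
    kms.create_key("pii-zone", allowed={"analyst"})  # hypothetical zone and role
    zone = EncryptionZone(kms, "pii-zone")
    zone.write("/data/pii/cards.csv", SAMPLE_RECORD)
    kms.roll_key("pii-zone")                       # rotate; the old file is not re-encrypted
    zone.write("/data/pii/cards-2.csv", SAMPLE_RECORD)
    return kms, zone


if __name__ == "__main__":
    kms, zone = demo()
    print(zone.read("/data/pii/cards.csv", "analyst"))
```

Two things the model leaves out on purpose: the wrap is unauthenticated (a real KMS wraps with an AEAD and authenticates the caller with Kerberos rather than trusting a principal string), and the ACL is a flat set where a deployment would take group membership from the directory. What it does show is the property the slides are after: the data store holds nothing that decrypts on its own, a rotated key does not force a rewrite, and an unauthorised reader fails at the key server rather than at the application.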
36. Points of Attack – Enterprise Information Management (6 to 10; Data – Architecture, Governance, Management)
   6. Security & Operational Configurations
      Threat: Security and operational configurations are not documented or reviewed regularly.
      Mitigation: Document all configurations, develop an audit trail for changes and review configurations yearly.
   7. Data Logs
      Threat: Sensitive data is written to system logs in an unprotected form.
      Mitigation: Metadata carries security throughout the data trail and enables enforcement.
   8. Governance Standards
      Threat: Little to no governance standards and rules exist; where they do, they are focused on data quality.
      Mitigation: Document standards, set up a review cycle at minimum yearly and include data usage as part of the standards.
   9. Response & Business Continuity Plans
      Threat: An information security response and business continuity plan does not exist or is not reviewed and exercised on a regular basis.
      Mitigation: Yearly review and revision of each plan by a cross-functional team: Infosec, IT, Operations, Legal.
   10. Data Usage Monitoring
      Threat: Data usage is either not monitored on a continual basis or is buried in logs that no one looks at.
      Mitigation: Set automated thresholds and measurements using the data to drive exception alerts.
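Items 7 and 10 above and slide 33 item 9 come down to the same loop: read the audit trail continually, apply thresholds, and make sure the lines forwarded to the central repository do not themselves leak what they describe. The following added example (not from the deck and not Hadoop code) does that in Python over a handful of constructed lines laid out like a NameNode hdfs-audit.log; the sensitive path prefix, the user-to-role map and the denied-attempt threshold are assumptions that a real deployment would take from its data classification and directory service.

```python
"""Audit-log monitoring with role checks, thresholds and redaction.

Added example, not from the deck or from Hadoop. Input lines are constructed
to follow the hdfs-audit.log layout (tab-separated key=value fields).
"""
import re
from collections import Counter

# Hypothetical classification and role map; in practice these come from the
# data catalogue and the directory (AD groups), not from a script.
SENSITIVE_PREFIXES = {"/data/pii/": {"analyst"}}
ROLES = {"alice": "analyst", "webadmin": "webadmin", "mallory": "contractor", "svc_etl": "service"}
DENIED_THRESHOLD = 3

# Key=value tail of a NameNode audit line; ugi may carry a realm and an "(auth:...)" suffix.
AUDIT_RE = re.compile(
    r"allowed=(?P<allowed>true|false)\s+"
    r"ugi=(?P<user>[^\s/@]+)\S*(?:\s+\(auth:(?P<auth>\w+)\))?\s+"
    r"ip=/(?P<ip>\S+)\s+cmd=(?P<cmd>\w+)\s+src=(?P<src>\S+)"
)
# 13 to 19 digit runs (card-number length) that must never reach a shared log store.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

PREFIX = "2016-06-30 10:15:{:02d},117 INFO FSNamesystem.audit: "
LOG_LINES = [  # constructed sample
    PREFIX.format(1) + "allowed=true\tugi=alice@EXAMPLE.COM (auth:KERBEROS)\tip=/10.1.2.3\tcmd=open\tsrc=/data/pii/cards.csv\tdst=null\tperm=null",
    PREFIX.format(2) + "allowed=true\tugi=webadmin@EXAMPLE.COM (auth:KERBEROS)\tip=/10.1.2.9\tcmd=open\tsrc=/data/pii/cards.csv\tdst=null\tperm=null",
    PREFIX.format(3) + "allowed=true\tugi=svc_etl (auth:SIMPLE)\tip=/10.1.5.5\tcmd=listStatus\tsrc=/data/public\tdst=null\tperm=null",
    PREFIX.format(4) + "allowed=false\tugi=mallory@EXAMPLE.COM (auth:KERBEROS)\tip=/10.9.9.9\tcmd=open\tsrc=/data/pii/cards.csv\tdst=null\tperm=null",
    PREFIX.format(5) + "allowed=false\tugi=mallory@EXAMPLE.COM (auth:KERBEROS)\tip=/10.9.9.9\tcmd=open\tsrc=/data/pii/merchants.csv\tdst=null\tperm=null",
    PREFIX.format(6) + "allowed=false\tugi=mallory@EXAMPLE.COM (auth:KERBEROS)\tip=/10.9.9.9\tcmd=listStatus\tsrc=/data/pii\tdst=null\tperm=null",
    PREFIX.format(7) + "allowed=true\tugi=alice@EXAMPLE.COM (auth:KERBEROS)\tip=/10.1.2.3\tcmd=create\tsrc=/tmp/export_4111111111111111.csv\tdst=null\tperm=alice:hadoop:rw-r--r--",
]


def parse(line: str):
    """Return the audit fields as a dict, or None when the line is not an audit record."""
    m = AUDIT_RE.search(line)
    return m.groupdict() if m else None


def redact(line: str) -> str:
    """Mask all but the last four digits of any card-length number before forwarding."""
    return PAN_RE.sub(lambda m: "*" * (len(m.group(0)) - 4) + m.group(0)[-4:], line)


def analyze(lines):
    """Return (alerts, forwarded): alerts as (rule, user, detail) tuples, forwarded
    as the redacted lines destined for the central audit repository."""
    alerts, forwarded, denied = [], [], Counter()
    for line in lines:
        forwarded.append(redact(line))
        ev = parse(line)
        if ev is None:
            alerts.append(("unparsed-audit-line", "", line[:60]))
            continue
        # Perimeter: anything not authenticated through Kerberos is a finding.
        if ev["auth"] != "KERBEROS":
            alerts.append(("non-kerberos-auth", ev["user"], ev["auth"] or "none"))
        if ev["allowed"] == "true":
            # Access: HDFS permitted it, but the principal's role is outside what the
            # classification allows, so the path ACL is looser than the data policy.
            for prefix, roles in SENSITIVE_PREFIXES.items():
                if ev["src"].startswith(prefix) and ROLES.get(ev["user"]) not in roles:
                    alerts.append(("sensitive-path-outside-role", ev["user"], ev["src"]))
        else:
            # Probe: repeated denials from one principal; alert once, at the threshold.
            denied[ev["user"]] += 1
            if denied[ev["user"]] == DENIED_THRESHOLD:
                alerts.append(("denied-threshold", ev["user"], f"{DENIED_THRESHOLD} denials"))
    return alerts, forwarded


if __name__ == "__main__":
    for alert in analyze(LOG_LINES)[0]:
        print(alert)
```

On the sample, the loop raises three alerts: webadmin reading a PII path that only analysts are cleared for, svc_etl connecting with simple (non-Kerberos) authentication, and mallory hitting the denial threshold; the seventh line passes every rule but is forwarded with the card number in its file name masked. The redaction covers only the src/dst fields that HDFS logs; application logs that echo record contents need the same treatment at the point where they are written.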
