Big Data Security and Governance

June 30th , 2016
Big Data Security & Governance
Instilling Confidence and Trust
Nick Curcuru

©2016 MasterCard. Proprietary and Confidential
• Introduction to MasterCard
• Security Landscape
• Security Pillars
• Top 10 threats: Infrastructure and Data Architecture
• Hadoop Security Model
• Governance and Compliance
• Summary
2
Today’s Discussion

©2016 MasterCard. Proprietary and Confidential3
MasterCard – Technology & Services
Payment Processing
Payment Products
Sponsorships
Consulting Expertise
Information Services
Implementation Services

©2016 MasterCard. Proprietary and ConfidentialAugust 26, 20164
MasterCard helps our customers use Big Data
Increasing Revenue Generation
Increasing Analytic & IT Capabilities
Protecting Assets
Customer
Centricity
Monetization
of data
MasterCard Data Providing Hosting*
Capabilities
Real time interactions
Improve enterprise data
stewardship
Reduce risk of security
incident
Media
Measurements
Journey
Analytics

MasterCard Securing Big Data
2.2B+ GLOBAL
CARDS
160MM
TRANSACTIONS
PER HOUR
Advanced analytics
are applied in a
safe and secure
environment
finding trends and
insights
Card Swipes
Amount, spent, time, merchant & location.
Data Anonymized
Analysis | Risk Detection | Customer 360 | Location selection | Customer Engagement | Economic Indicators

Top 5 Industries for Cyber Attacks
Source: 2016 Cyber Security Intelligence Index
2015 1. Healthcare 2. Manufacturing 3. Financial Services 4. Government 5. Transportation
2014 1. Financial Services
2. Information &
Communication
3. Manufacturing
4. Retail and
wholesale
5. Energy and
Utilities

Per Record Cost of a Data Breach
Source : 2015 Cost of Data Breach Study:Global Analysis: Benchmark research sponsored by IBM Independently conducted by Ponemon Institute LLC, May 2015
$363
$300
$220 $215
$179 $165 $155
$137 $136 $132 $129 $127 $126 $124 $121
$68

Your next attacker is likely to be someone you
thought you could trust

Top 10 Infrastructure Vulnerabilities
Systems, Software, Storage
Perimeter Authentication
System Monitoring
Testing
User Authentication
Applications
Hardware
Encryption keys
Environments
Shared Responsibilities
Software Updates
1
2
3
4
5
6
7
8
9
10

Top 10 Data Architecture Vulnerabilities
Data - Architecture, Governance, Management
User Authentication
Applications
Hardware
Encryption keys
1
2
3
4
User Authentication
Applications
Hardware
Encryption keys
5
6
7
8
User Authentication
Applications
Hardware
9
10
11
User Authentication12

Nearly half of security incidents in 2015 were the result
of unauthorized access
Unauthorized
access
Malicious
code
Sustained
probe/scan
Suspicious
activity
Access or
credentials
abuse
37%
20%
20%
11%
8%
45%
29%
16%
6%
3%
2014 2015

Four Pillars of Security
PERIMETER
[Authenticating]
VISIBILITY
[Auditing]
ACCESS
[Authorizing]
DATA
[Architecting]

Perimeter Security – Authenticating
Guarding access to the environment (cluster)
Ensure your cluster:
• Preserves user choice of the right Hadoop service (e.g. Impala, Spark)
• Conforms to centrally managed authentication policies
• Implements with existing standard systems:
Active Directory and Kerberos -
1. User authenticates to Active Directory
2. Authenticated user gets Kerboros ticket
3. Ticket grants access to services

Access Security - Authorizing
Defining user roles and their data access
Outlining what data applications can use
• Defines and provides users access to data needed to do their job
• Centrally manages access policies – protect all paths with strong policies
moving security away from the applications
• Leverages a role-based access control model built on active directory

Visibility Security- Auditing
Reporting on where data came from and how it’s put together
• Can document where report data came from and how it was put together
• Complies with policies for audit, data classification, and lineage
• Centralizes the audit repository

Data Security – Architecting
Protecting data to internal and external standards
• Controls the data analysis is performed on
• Encrypts data protecting it from the root to its final destination
• Applies security at the meta data level
• Has well laid out encryption key management and token policies
• Integrates with existing hierarchical storage management as part of key
management infrastructure

Table stakes for big data security
• Native data encryption
• Security embedded in metadata
• Integrated key management
• Authorisation
• Authentication – Multi-Factor
• Strong role based access
• Monitoring in real time
• Audit and data lineage
• Hardware-enabled security
• Enterprise Identity management
integration

Best practices
People and Process
• Segregation of Duties
• Segregation of Data Access
• Continuous knowledge transfer, training and awareness
• Process documentation – controls, response and continuity planning
Technology
• Strong Authentication & Authorization
• Real Time Monitoring
• Regular Penetration Testing

Lessons learned
• Emphasize Hadoop isn’t one thing, but a “collection of things”
• Education & documentation is 60% of the effort
• Explain why Hadoop isn’t a database so don’t expect similar controls
• Security is neither quick nor easy
• Big Data technology is still maturing
• Close collaboration with your partners is critical
• Security is continuous not a check in the box

Where to Start
1. Assess security maturity over three dimension:
– People, Process and Technology
2. Classify data into categories
– Personally Identifiable, Health Data, Payment Related, Analysis
3. Start real time system and data monitoring
4. Take inventory of current Hadoop system security capabilities
– Refer to security table stakes and identify gaps
5. Identify training needs
– Business, Technology and Third Party Partners

Start with the Hadoop Security Maturity
Pilot: Data Free-for-All:
Available & Error-Prone
Basic Security Controls:
• Authorization
• Authentication
• Auditing
Data Security & Governance:
• Lineage Visibility
• Metadata Discovery
• Encryption & Key
Management
Regularoty Compliance
Audit-Ready & Protected
Security enforcement for all
data-at-rest and data-in-
motion
• Full encryption
• Encryption management
• Token system
management
• Transparency
• Real time monitoring
• Element level security
DataVolume&Sensitivity
Security Compliance & Risk Mitigation
Highly Vulnerable
Data at Risk
Reduced Risk
Exposure
Managed, Secure,
Protected
Enterprise Data Hub
Secure Data Vault
0 1 2 3

Transparent Encryption & Key Management
Protection for all data:
• Structured and unstructured
• Metadata, temp files and log files
Data-at-rest encryption options:
• HDFS Encryption for the data
• Encryption for: metadata – log files
Yarn – Resource
Manager
Data Management
Layer
Impala Hive
HDFS HBase
Apache Sentry
SSL Certificates and SSH Keys
Log/Config/Spill filesHSM

Look at Apache Atlas
Source: Apache Software Foundation and Hortonworks
Features
• Data Classification
• Metadata
• Centralized Auditing
• Search & Lineage (Browse)
• Security & Policy Engine

Compliance and Governance
Compliance
Evolution
Integrity
Stewardship
Ethics
Specific
• Taxonomy
• Transparency
• Auditability
• Consistency
• Accountability
• Checks-and-
Balances
• Standards
Governance
Controls
Guardian

Summary
• 60 % of threats are from inside the organization
• Security is applied end to end in the process
• Access: People, Process and Technology in your security strategy
• Hadoop is still maturing
• Governance includes data usage
• Don’t confuse compliance with security

Contact Us
29
Nick Curcuru
+1 (914) 413 3822
Nick.Curcuru@mastercard.com

Top 10 Infrastructure Vulnerabilities
Perimeter Authentication
System Monitoring
Testing
User Authentication
Applications
Hardware
Encryption keys
Environments
Shared Responsibilities
Software Updates
1
2
3
4
5
6
7
8
9
10

Points of Attack- Infrastructure
Threat
Only password credentials for
authentication to environment
Applications controls data access
Database and application servers are the
same hardware
Users authenticate with generic/ shared/
application ID
Weakness Mitigation
Perimeter
Authentication
Access to data is at the system level and
at the data element (fine-grained)
User
authentication
Applications
Hardware
Encryption Keys Encryption keys are not rotated.
Use two-factor authentication: tokens, RSA
or Biometric technology
Credentials should never be shared: each user
and application should have unique/non-shared
credentials to host systems
Separate database and application
servers – isolates attack vectors
Set up periodic rotation of encryption
1
2
3
4
5

Points of Attack- Infrastructure
Threat
Insecure/uncertified environments have direct
access to secure/certified environments.
Patches or upgrades do not happen on a
regular release cycle to ensure the system is
protected from software vulnerabilities.
Platform not monitored on continual basis
setting up reactive posture: after the fact
Systems admin, DBA, application developer,
and web admin responsibilities are shared
Weakness Mitigation
Environments
Set up release schedule, hold software vendors to
security standards & verify standards are met
Shared
Responsibilities
Software Updates
System
Monitoring
Testing
Infrequent penetration tests and
application security scans
Segregate systems. Systems with access to each
other need the same levels of security and controls
Divide responsibilities implement role based
access and controls
Set up constant monitoring of
environment using data driven alert
Develop penetration testing schedule
and remediation review quarterly
6
7
8
9
10

Top 10 Data Architecture Vulnerabilities
User Authentication
Applications
Hardware
Encryption keys
1
2
3
4
User Authentication
Applications
Hardware
Encryption keys
5
6
7
8
User Authentication
Applications
Hardware
9
10
11
User Authentication12

Points of Attack-Enterprise Information Management
Threat
Sensitive data - encrypted /tokenized
/hashed is comingled with non- sensitive data
Users have access to data they should not, or
access to data that is unnecessary
Encryption Keys stored with the data they
encrypt.
Reliant on applications to control access to
data and enforce data security standards
Weakness Mitigation
Co-mingling of data
Use role based access control - Apply
fine-grained data access controls
Applications
Access Controls
Key Storage
Data Movement Sensitive data is not encrypted on
disk/at-rest or on the wire motion.
Use physical or logical separation between
data types.
Apply security at the table, field and element
level, as well as application level
Store encryption keys in a spate location
away from data and limit access through
control processes
Encrypt all sensitive data on disk/at-rest
or on the wire motion.
1
2
3
4
5
Access

Points of Attack-Enterprise Information Management
Threat
Security and operational configurations are
not documented or reviewed regularly
Little to no governance standards and rules
exist if they do they are focused on data quality
Information security response and business
continuity plan does not exist or is not
reviewed/exercised on a regular basis
Sensitive data is written to systems logs in an
unprotected form
Weakness Mitigation
Security & Operational
Configurations
Document standards, set up review cycle at
minimum yearly and include data usage as part of
the standards
Data Logs
Governance
standards
Response & Business
Continuity Plans
Data Usage Monitoring
Data usage either not monitored on
continual basis or is buried in logs with no
one looking at them
Document all configurations, develop audit trail
for changes, review configurations yearly
Metadata carries security throughout the data
trail and enables enforcement
Yearly review and revision of each plan using a
cross functional team: Infosec, IT, Operations, Legal
Set automated thresholds and
measurements using data to drive
exception alerts
6
7
8
9
10
Data - Architecture, Governance, Management

Big Data Security and Governance

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Big Data Security and Governance

Similar to Big Data Security and Governance (20)

More from DataWorks Summit/Hadoop Summit

More from DataWorks Summit/Hadoop Summit (20)

Recently uploaded

Recently uploaded (20)

Big Data Security and Governance