Things you need to know in implementing security controls to comply with PCI for Hadoop and ancillary applications either through tokenization or encryption.

1. PCI Compliance With Hadoop

2. Rommel Garcia
Currently Global Security SME @ Hortonworks
Was Tokenization Solutions Engineer @ Liaison Technologies

3. PCI Focus
Hadoop environment
This is what we will cover
Business process
Let’s leave this to business folks

4. PCI In A Nutshell

5. Level of Paranoia
PCI Extra Measures Cybersecurity

6. PCI Compliance Guideline
Transmission of identity must be encrypted
Two factor authentication
Key management
location
encryption
expiration of keys/tokens
Management of user access to resources
Services
Data
Geography

7. PCI Compliance Guideline
Strong encryption protocols at rest (AES-256, etc.) and in
motion (latest TLS/SSL)
No passwords in the clear
System audit information based on resource, time, client
info, userid and function
Prove “Chain of Custody”
No sensitive data stored in logs

8. PCI Scope
De-scope using Tokenization
100% in-scope using Encryption

9. De-Scoping Through
Tokenization
Reduce sensitive data footprint

10. What is tokenization?
Process of turning sensitive data into a value with no
meaning, called token i.e. 1234-567890-12345 =>
$^hAt_786Ab}+=-12345
If token is compromised, there’s zero risk
Recipient of token is out-of-scope for PCI compliance

11. De-scoping
Tokenization App
keys
tokens/
encrypted data
lookup token
Hadoop Environments
batch/realtime data sourcescreate token
Non-Hadoop Environments
tokens/non-sensitivedata
= in scope

12. Sample De-Scoping Architecture v1
Data
Sources
CDC Kafka NiFi HBase
HDFS
API
Tokenization
App

13. Sample De-Scoping Architecture v2
Data
Sources
CDC Kafka NiFi HBase
HDFS
API
Tokenization
App

14. Compliance Thru Encryption
100% In-Scope

15. Hadoop Security Quadrant

16. Encryption Scope
Network links
Data streams
Local storage
HDFS
In-Motion At-Rest

17. At-Rest Encryption
Data
Sources
CDC Kafka NiFi HBase
HDFS
API
1
1 32334
1
2
3
4
HDFS TDE
EncryptContent Processor or LUKS
LUKS
LUKS / Encryption Appliance / Native Encryption

18. In-Motion Encryption
Data
Sources
CDC Kafka NiFi HBase
HDFS
API
7
5 64321
1
2
3
4
FTPS / SFTP / HTTPS / JDBC, ODBC over SSL
SSL
SSL
TLS/SSL
5
6
7
SSL
TLS/SSL
RPC / DTP / SSL

19. Secure DR Link
DC DR
1 distcp (mapred over ssl)
2 vpn (guaranteed)
2 SSL

20. Separation Of Concerns
Admins
Operators
Developers
Analyst
Data Scientist
InfoSec
Infrastructure Engineer

21. What To Watch Out For
Kerberos is a MUST
If using Tokenization App, choose with NoSQL Backend (HBase,
Redis, etc.)
No RC4 or MD5
Use TLSv1.2 or newer
Use key length greater than 128 bits
All passwords must be encrypted
No super user - root & hdfs has access to encryption keys

22. What To Watch Out For
Do not delete encryption keys/rolled over keys
LDAPS is a MUST
If operators, not admins, has access to machines at OS level,
LUKS won’t work.
Lock down permissions to OS security config files
Use CA Certs if possible
Only open ports you will use
Guarantee “ordered” processing from a batch source