New york oracle users group 2013 spring general meeting ulf mattsson

1. Bridging the Gap BetweenPrivacy and Data InsightUlf MattssonCTO, Protegrityulf . mattsson [at] protegrity . com

2. 2SecurityAnalysisCustomerSupportCustomerProfilesSales &MarketingSocialMediaBusinessImprovementBigDataRegulations& Breaches IncreasedprofitsIncreasedprofitsIncreasedprofitsIncreasedprofitsIncreasedprofitsBalancing security and data insight

3. Balancing security and data insightTug of war between security and data insightBig Data is designed for access, not securityPrivacy regulations require de-identification whichcreates problems with privileged users in an accesscontrol security modelOnly way to truly protect data is to provide data-level protectionTraditional means of security don’t offer granularprotection that allows for seamless data use3

4. 41. Classify 2. Discovery 3. Protect 4. Enforce 5. MonitorFive Point Data ProtectionMethodology

5. 51ClassifyDetermine what data issensitive to your organization.

6. 1. Classify6Data is classified as sensitive and must be protectedin response to Laws and regulations such as PCIDSS, HIPAA, State Privacy Laws and others.Companies may also have Intellectual Property andother Company Secrets that must be secured againstthe competition.All companies have sensitive data about theirCustomers and about their Employees.

7. 1. Classify: Examples of Sensitive Data7Sensitive Information Compliance Regulation / LawsCredit Card Numbers PCI DSSNames HIPAA, State Privacy LawsAddress HIPAA, State Privacy LawsDates HIPAA, State Privacy LawsPhone Numbers HIPAA, State Privacy LawsPersonal ID Numbers HIPAA, State Privacy LawsPersonally owned property numbers HIPAA, State Privacy LawsPersonal Characteristics HIPAA, State Privacy LawsAsset Information HIPAA, State Privacy LawsBreach notification laws are often the catalyst for a deepaudit in companies resulting in large fines.

8. HIPAA PHI: List of 18 Identifiers1. Names2. All geographical subdivisionssmaller than a State3. All elements of dates (exceptyear) related to individual4. Phone numbers5. Fax numbers6. Electronic mail addresses7. Social Security numbers8. Medical record numbers9. Health plan beneficiarynumbers10. Account numbers811. Certificate/license numbers12. Vehicle identifiers and serialnumbers13. Device identifiers and serialnumbers14. Web Universal Resource Locators(URLs)15. Internet Protocol (IP) addressnumbers16. Biometric identifiers, includingfinger prints17. Full face photographic images18. Any other unique identifyingnumber

9. PCI DSS (Payment Card Industry Data Security Standard)Build and maintain a securenetwork.1. Install and maintain a firewall configuration to protectdata2. Do not use vendor-supplied defaults for systempasswords and other security parametersProtect cardholder data. 3. Protect stored data4. Encrypt transmission of cardholder data andsensitive information across public networksMaintain a vulnerabilitymanagement program.5. Use and regularly update anti-virus software6. Develop and maintain secure systems andapplicationsImplement strong accesscontrol measures.7. Restrict access to data by business need-to-know8. Assign a unique ID to each person with computeraccess9. Restrict physical access to cardholder dataRegularly monitor and testnetworks.10. Track and monitor all access to network resourcesand cardholder data11. Regularly test security systems and processesMaintain an informationsecurity policy.12. Maintain a policy that addresses information security9

10. 102DiscoveryDiscover where the sensitivedata is located, how itflows, who can access it, theperformance requirements andother requirements forprotection.

11. The Discovery process peers into theenterprise to find sensitive data inpreparation for delivering an optimalprotection solution.• Existing Sensitive Data• New Sensitive Data• Archived Data2. Discovery11

12. 2. Discovery in a large enterprise with many systems012SystemSystemCorporate FirewallSystemSystemSystemSystemSystem012SystemSystemSystem SystemSystemSystemFocus onsystems thatcontainsensitive data

13. 2. Discovery: Determine the context to the Business013SystemSystemCorporate FirewallSystemSystem013SystemSystemSystemRetailEmployeesCorporate IPHealthcare

14. 2. Discover: Context to the Business and to Security014Stores &EcommerceCorporate FirewallApplicationsProcessing RetailTransactionsResearchDatabasesCustomerData ProtectionSolutionRequirementsFile Servercontaining IPFile Server landingzone for store and e-commercetransactionsSensitive datain columns indatabasesSensitive datain HadoopStores ande-commercecollectingtransactions

15. 153ProtectProtect the sensitive data atrest and in transit.

16. Big Data and The Insider Threat16

17. Privacy Laws (See Appendix)54 International Privacy Laws30 United States Privacy Laws17

18. Financial Services - Gramm-Leach-Bliley Act (GLBA),Sarbanes-Oxley Act (SARBOX), USA PATRIOT ACT, PCIData Security Standard, and the Basel II Accord (EU)Healthcare and Pharmaceuticals - HIPAA (Health InsurancePortability and Accountability Act of 1996) and FDA 21 CFRPart 11Infrastructure and Energy - Guidelines for FERC and NERCCybersecurity Standards, the Chemical Sector Cyber SecurityProgram and Customs-Trade Partnership Against Terrorism(C-TPAT)Federal Government - Compliance with FISMA and relatedNSA Guidelines and NIST StandardsSelect US Regulations for Security and Privacy18

19. Oracle’s Big Data Platform019Source: http://www.oracle.com/us/technologies/big-data/index.html

20. Software on Oracle Big Data Appliance20Source: http://www.oracle.com/us/products/database/big-data-for-enterprise-519135.pdf

21. Software Layout - Oracle Big Data Appliance21Source: 04_Oracle_Big_Data_Appliance_Deep_Dive.pdf

22. Hadoop - Protection Beyond KerberosData Access FrameworkPig HiveSqoop AvroData Storage Framework(HDFS)Data Processing Framework(MapReduce)BI Applications22Volume Encryption with Policy based accesscontrol of Files and Monitoring.Field level data protection with Policy basedaccess control and Monitoring; existing andnew data.API enabled Field level data protection withPolicy based access control and Monitoring.API enabled Field level data protection withPolicy based access control and Monitoring.

23. Many Ways to Hack Big DataSource: http://nosql.mypopescu.com/post/1473423255/apache-hadoop-and-hbase23HDFS(Hadoop Distributed File System)MapReduce(Job Scheduling/Execution System)Hbase (Column DB)Pig (Data Flow) Hive (SQL) SqoopETL Tools BI Reporting RDBMSAvro(Serialization)Zookeeper(Coordination)HackersPrivilegedUsersUnvettedApplicationsOrAd HocProcesses

24. Table scansEncryption• Data Size• Data type• Performance (SLA)AnalyticsInter-node data movementWhat’s the Problem with Securing Data?24

25. Reduction of Pain with New Protection Techniques251970 2000 2005 2010HighLowPain& TCOStrong EncryptionAES, 3DESFormat Preserving EncryptionDTP, FPEVault-based TokenizationVaultless TokenizationInput Value: 3872 3789 1620 3675!@#$%a^.,mhu7///&*B()_+!@8278 2789 2990 27898278 2789 2990 2789Format PreservingGreatly reduced KeyManagementNo Vault8278 2789 2990 2789

26. Protection Granularity: Field Protection26Production SystemsNon-Production SystemsEncryption• Reversible• Policy Control (authorized / Unauthorized Access)• Lacks Integration Transparency• Complex Key Management• ExampleMasking• Not reversible• No Policy, Everyone can access the data• Integrates Transparently• No Complex Key Management• Example 0389 3778 3652 0038Vaultless Tokenization / Pseudonymization• Reversible• Policy Control (Authorized / Unauthorized Access)• Not Reversible• Integrates Transparently• No Complex Key Management• Business Intelligence Credit Card: 0389 3778 3652 0038!@#$%a^.,mhu7///&*B()_+!@

27. Research Brief“Tokenization Gets Traction”Aberdeen has seen a steady increase in enterpriseuse of tokenization for protecting sensitive data overencryptionNearly half of the respondents (47%) are currentlyusing tokenization for something other than cardholderdataOver the last 12 months, tokenization users had 50%fewer security-related incidents than tokenization non-users28 Author: Derek Brink, VP and Research Fellow, IT Security and IT GRC

28. Enterprise Flexibility in Token Format ControlsType of Data Input Token CommentCredit Card 3872 3789 1620 3675 8278 2789 2990 2789 NumericCredit Card 3872 3789 1620 3675 3872 3789 2990 3675 Numeric, First 6, Last 4 digits exposedCredit Card 3872 3789 1620 3675 3872 qN4e 5yPx 3675 Alpha-Numeric, Digits exposedAccount Num 29M2009ID 497HF390D Alpha-NumericDate 10/30/1955 12/25/2034 Date - multiple date formatsE-mail Address yuri.gagarin@protegrity.com empo.snaugs@svtiensnni.snkAlpha Numeric, delimiters in inputpreservedSSN 075672278 or 075-67-2278 287382567 or 287-38-2567 Numeric, delimiters in inputBinary 0x010203 0x123296910112Decimal 123.45 9842.56 Non length preservingAlphanumericIndicator5105 1051 0510 5100 8278 2789 299A 2781 Position to place alpha is configurableInvalid Luhn 5105 1051 0510 5100 8278 2789 2990 2782 Luhn check will failMulti-MerchantorMulti-Client ID3872 3789 1620 3675ID 1: 8278 2789 2990 2789ID 2: 9302 8999 2662 6345This supports delivery of a differenttoken to different merchant or clientsbased on the same credit card number.29

29. Protection Beyond KerberosData Access FrameworkPig HiveSqoop AvroData Storage Framework(HDFS)Data Processing Framework(MapReduce)BI Applications30Volume Encryption with Policy based accesscontrol of Files and Monitoring.Field level data protection with Policy basedaccess control and Monitoring; existing andnew data.API enabled Field level data protection withPolicy based access control and Monitoring.API enabled Field level data protection withPolicy based access control and Monitoring.

30. Volume Encryption31HDFSMapReduceProtected withVolume EncryptionEntire file is in theclear when analyzed

31. Volume Encryption + Gateway Field Protection32HDFSMapReduceKerberosAccess ControlGranular FieldLevel ProtectionProtected withVolume EncryptionData Protection FileGateway

32. Volume Encryption + Internal MapReduce Field Protection33HDFSMapReduceKerberosAccess ControlGranular FieldLevel ProtectionProtected withVolume EncryptionHadoopStagingMapReduce

33. 344EnforcePolicies are used to enforcerules about how sensitive datashould be treated in theenterprise.

34. 4. Enforce35The goal of policy enforcement is to;1. Hide sensitive data from un-authorized usersbut disclose sensitive data to authorizedusers.2. Deliver the minimum information to anindividual or a process who needs theinformation to accomplish a task. LeastPrivilege by NIST.3. Collect information about who is attempting toaccess sensitive data – both authorized andunauthorized.

35. A Data Security Policy36What is the sensitive data that needs to be protected. DataElement.How you want to protect and present sensitive data. There areseveral methods for protecting sensitive data.Encryption, tokenization, monitoring, etc.Who should have access to sensitive data and who should not.Security access control. Roles & Members.When should sensitive data access be granted to those whohave access. Day of week, time of day.Where is the sensitive data stored? This will be where the policyis enforced. At the protector.Audit authorized or un-authorized access to sensitive data.Optional audit of protect/unprotect.WhatWhoWhenWhereHowAudit

36. 4. EnforceEnterprise DataWarehouseBig Data Clusters37PrivilegedUsersCorporate FirewallAccess ControlExternal User& ProcessesBusinessApplicationUsersBad GuysData Protection Policy

37. Volume Encryption + Field Protection + Policy Enforcement38HDFSProtected withVolume EncryptionMapReduceData Protection Policy

38. 4. Authorized User Example39Presentation to requestorName: Joe SmithAddress: 100 Main Street, Pleasantville, CAProtection at restName: csu wusojAddress: 476 srta coetse, cysieondusbak, CAData Scientist,Business AnalystPolicyEnforcementDoes the requestor have the authority toaccess the protected data?AuthorizedRequestResponse

39. 4. Un-Authorized User Example40RequestResponsePresentation to requestorName: csu wusojAddress: 476 srta coetse, cysieondusbak, CAProtection at restName: csu wusojAddress: 476 srta coetse, cysieondusbak, CAPrivilegedUsed, DBA, System AdministratorsPolicyEnforcementDoes the requestor have the authority toaccess the protected data?NotAuthorized

40. 415MonitorA critically important part of asecurity solution is the ongoingmonitoring of any activity onsensitive data.

41. 5. Monitor42Policy enforcement collects information in theform of audit logs about any activity on sensitivedata.Monitoring enables security personnel to gaininsights on what’s going on with your sensitivedata.It enables the understanding of what’s normaland what’s not normal activity on sensitive data.

42. De-Identified Sensitive DataField Real Data Tokenized / PseudonymizedName Joe Smith csu wusojAddress 100 Main Street, Pleasantville, CA 476 srta coetse, cysieondusbak, CADate of Birth 12/25/1966 01/02/1966Telephone 760-278-3389 760-389-2289E-Mail Address joe.smith@surferdude.org eoe.nwuer@beusorpdqo.orgSSN 076-39-2778 076-28-3390CC Number 3678 2289 3907 3378 3846 2290 3371 3378Business URL www.surferdude.com www.sheyinctao.comFingerprint EncryptedPhoto EncryptedX-Ray EncryptedHealthcareData – PrimaryCare DataDr. visits, prescriptions, hospital staysand discharges, clinical, billing, etc.Protection methods can be equallyapplied to the actual healthcare data, butnot needed with de-identification43

43. Best Practices for Protecting Big DataStart Early – Don’ wait until you have terabytes of sensitive data inHadoop before starting your Big Data protection program.Granular protection in addition to access control and volumeprotection.Future proof your protection. Select the optimal protection fortoday and for the future.Enterprise coverage to ensure nothing is left vulnerable.Protection against insider threat is more important today thanever before. Can only achieve this through granular data protectiontechniques.You can protect highly sensitive data while in a way that is mostlytransparent to the analysis process.Policy based protection provides a shield to your sensitive datawhile recording all events on that data.44

44. Proven enterprise data security softwareand innovation leader• Sole focus on the protection of dataGrowth driven by risk managementand compliance• PCI (Payment Card Industry)• PII (Personally Identifiable Information)• PHI (Protected Health Information) – HIPAA• State and Foreign Privacy Laws, BreachNotification LawsSuccessful across many key industriesIntroduction to Protegrity45

45. How Protegrity Can Help4612345We can help you Classify the sensitive data that needs to besecured in your enterprise.We can help you Discover where the sensitive data sits inyour environment and design the optimal security solution.We can help you Protect your sensitive data with a flexible setof protectors and protection methods.We can help you Enforce policies that will enable businessfunctions while preventing sensitive data from getting in the wronghands.We can help you Monitor activity on sensitive data to gain insightson abnormal behaviors.

46. Please contact me for more informationUlf . Mattsson [at] protegrity . ComInfo@protegrity.comwww.protegrity.com