
Seeking Cybersecurity--Strategies to Protect the Data


Agency professionals are responsible for protecting the data they collect, store, analyze, and share. Hadoop has been especially popular for data analytics because it handles the volume, velocity, and variety of data, but that same flexibility and scale make the data harder to secure and govern. Plan to attend this session to understand the Hadoop Security Maturity Model, from the fundamentals to the latest developments, and how to ensure your data analytics cluster complies with the latest INFOSEC standards and audit requirements. Bring your experience and your questions to this informative and interactive cybersecurity session.

Published in: Software

  1. 5th Annual (title slide). © Cloudera, Inc. All rights reserved.
  2. Strategies to Protect the Data. Eddie Garcia, Chief Security Architect.
  3. One Platform, Many Workloads: Batch, Interactive, and Real-Time. Leading performance and usability in one platform.
     • End-to-end analytic workflows
     • Access more data
     • Work with data in new ways
     • Enable new users
     Platform diagram: Security and Administration; Process (Ingest: Sqoop, Flume, Kafka; Transform: MapReduce, Hive, Pig, Spark); Discover (Analytic Database: Impala; Search: Solr); Model (Machine Learning: SAS, R, Spark, Mahout); Serve (NoSQL Database: HBase; Streaming: Spark Streaming); Unlimited Storage (HDFS, HBase); YARN, Cloudera Manager, Cloudera Navigator.
  4. What is Big Data? Data sources by domain:
     • Credit Cards & Payments: Card Transactions; Customer Data; Online Activity; Merchant / Retailer / Bank Co-Branding; Loyalty Programs / Promotions / Offers
     • Banking: Bank Transactions; ATM Activity; Online Activity; Mobile Activity
     • Retail Customer & Operations: POS / TLOG; E-commerce / Mobile Sales; Memberships / Loyalty Programs; Warranties; In-Store Sensors / Surveillance / IoT; Schematic / Display; Supply Chain / Inventory
     • Marketing & CRM: Promotions / Offers; Website / SEO; Campaigns / Affiliate; Surveys; Competitive Intelligence
     • Public & Trade: Demographic / Census; Psychographic; Inflation / Macroeconomic; Gas Prices; Labor Statistics; Weather Data; Public Health Data; Industry Research; Social / Sentiment
     A better data strategy can help you address your biggest challenges and opportunities: Cost Savings, Compliance, Customer Insights, Competitive Advantage.
  5. What is Big Data? Information is the basis of industry for merchants. Four drivers: Cost Savings, Customer Insights, Compliance, Competitive Advantage. Compliance is mandatory for any data strategy. A Secure Data Vault transforms risk from a cost center into a profit center and enables immediate rather than staged delivery.
  6. What is an Enterprise Data Hub? Diagram: Data Sources (Existing Data: Databases, Operational Applications; New Data) feed Data Systems (Enterprise Data Hub powered by Hadoop: Security and Administration, Unlimited Storage, Process, Discover, Model, Serve; an open-source data engine powered by Apache Hadoop), which serve Data Access (Business Analytics, Custom Applications).
     • Keep Unlimited Data: from disparate, limited views to unlimited access.
     • Unlock Value from Data: from analytics for some to insights for all.
     • Manage Compliance: from risk due to regulations and privacy concerns to trust in a secure and compliant platform.
  7. The High Cost of Non-Compliance: Steep Fines; Greater Scrutiny; Brand Damage; Suspension or Termination. Lessons Learned from the Battlefield.
  8. The High Value of Full Compliance. Unlock the Business Potential of Big Data: Security Enables Strategy.
     • Next Best Offer: Better profile the customer and use collaborative and content-based filtering to offer the most appropriate product or bundle of products at any given time.
     • Unified Customer Identity: Compress the customer IDs created through various siloed and third-party touch points to correlate as a single customer identity across all operational systems.
     • Fraud Prevention: Text mining and machine learning model rare events and combine data from suspicious transactions with extracts from other sources to confirm and target.
     • Productizing Deep Insights: Combine, analyze, and digest complex data from across multiple business units and data sources to drive segmentation and profiling of partners, merchants, etc.
  9. Achieve Scale and Cost Effectiveness via Best Practices from the Field: Start with the Hadoop Security Maturity Model (axes: data volume and risk mitigation).
     • Level 0, Highly Vulnerable / Data at Risk: Data Free-for-All, available and error-prone.
     • Level 1, Reduced Risk Exposure: Basic Security Controls: authorization, authentication, comprehensive auditing.
     • Level 2, Managed, Secure, Protected: Data Security & Governance: lineage visibility, metadata discovery, encryption/key management.
     • Level 3, Enterprise Data Hub / Secure Data Vault: Fully Compliance-Ready, audit-ready and protected. Full encryption, key management, transparency, and enforcement for all data-at-rest and data-in-motion. Audit ready for: EU Data Protection Directive, PCI DSS, HIPAA, FERPA, FISMA, PII.
  10. Pervasive Data Security and Regulatory Compliance: Build a Data Security Center of Excellence for Business Transformation (Tech, Process, and People around a Secure Data Vault). Technology: Enterprise Data Hub.
     • Massive full-fidelity data retention
     • Reporting and retrieval for audit
     • Full portfolio risk management
     • Active fraud detection and prevention
     • Central, scalable data security
     • Governance for lifecycle management
  11. Pervasive Data Security and Regulatory Compliance (continued). Process: Security Integration SOW.
     • Review compliance requirements
     • Audit architecture and current systems
     • Tailor a security reference architecture
     • Review audit and lineage
     • Install and configure custom system
     • Implement ongoing compliance plan
  12. Pervasive Data Security and Regulatory Compliance (continued). People: Technical Training & Support.
     • Removal of complexity to deliver results
     • Leadership for broad and deep adoption
     • Experience to develop effective projects
     • Proactive technical guidance/planning
     • Predictive performance optimization
     • Implementation of ongoing compliance
  13. Comprehensive, Compliance-Ready Security: Four Pillars of Hadoop Security. (© 2014 Cloudera and/or its affiliates. All rights reserved.)
  14. Comprehensive, Compliance-Ready Security: Authentication, Authorization, Audit, and Compliance.
     • Perimeter: guarding access to the cluster itself. Technical concept: Authentication. Product: Cloudera Manager.
     • Access: defining what users and applications can do with data. Technical concept: Authorization. Product: Apache Sentry.
     • Data: protecting data in the cluster from unauthorized visibility. Technical concepts: Encryption, Tokenization, Data masking. Product: Navigator Encrypt & Key Trustee | Partners.
     • Visibility: reporting on where data came from and how it's being used. Technical concepts: Auditing, Lineage. Product: Cloudera Navigator.
  15. Perimeter Security Requirements: Preserve user choice of the right Hadoop service (e.g. Impala, Spark); Conform to centrally managed authentication policies; Implement with existing standard systems: Active Directory and Kerberos. Perimeter: guarding access to the cluster itself. InfoSec concept: Authentication. Product: Cloudera Manager.
  16. Active Directory and Kerberos.
     • Active Directory: manages users, groups, and services; provides username / password authentication; group membership determines service access.
     • Kerberos: trusted and standard third party; authenticated users receive "tickets"; "tickets" gain access to services.
     Flow: the user (e.g. ssmith, with password) authenticates to AD; the authenticated user gets a Kerberos ticket; the ticket grants access to services, e.g. Impala.
  17. Access Security Requirements: Provide users access to the data needed to do their job; Centrally manage access policies; Leverage a role-based access control model built on AD. Access: defining what users and applications can do with data. InfoSec concept: Authorization. Product: Apache Sentry.
  18. Sentry and Active Directory Groups.
     • Sentry can be configured to use AD to determine a user's group assignments.
     • Group assignment changes in AD are automatically picked up, resulting in updated Sentry role assignments.
     Chain: user Sam Smith belongs to the AD group "Fraud Analysts", which maps to the Sentry role "Fraud Analyst Role", which holds the Sentry permission "Read Access to ALL Transaction Data".
  19. Visual Policy Management (screenshot).
  20. RecordService (Beta): Unified Access Control Enforcement.
     • New high-performance security layer that centrally enforces fine-grained access control in HDFS
     • Complements Apache Sentry's unified policy definition
     • Row- and column-based security
     • Dynamic data masking
     • Apache-licensed open source
     • Beta now available
     Stack diagram: Filesystem (HDFS); NoSQL (HBase); Security (Sentry, RecordService).
  21. Visibility Security Requirements: Understand where report data came from and discover more data like it; Comply with policies for audit, data classification, and lineage; Centralize the audit repository, perform discovery, automate lineage. Visibility: reporting on where data came from and how it's being used. InfoSec concept: Audit. Product: Cloudera Navigator.
  22. Data Governance Requirements.
     • Auditing: Identify access to a data asset around the time of a security breach; Generate an alert when a restricted data asset is accessed.
     • Lineage: Given a data set, trace back to the original source; Understand the downstream impact of purging/modifying a data set.
     • Metadata Tagging and Discovery: Search through metadata to find data sets of interest; Given a data set, view schema, metadata and policies.
     • Lifecycle Management: Automate periodic ingestion/replication/purge of data; Compress/encrypt a data set at rest.
  23. (Image-only slide; no text.)
  24. Data Security Requirements: Perform analytics on regulated data; Encrypt data, conform to key management policies, protect from root; Integrate with existing HSM as part of key management infrastructure. Data: protecting data in the cluster from unauthorized visibility. InfoSec concept: Compliance. Product: Navigator Encrypt & Key Trustee.
  25. HDFS Encryption.
     • Supports specification of HDFS directories as "Encryption Zones"
     • All subsequent directory contents encrypted
     • Multi-tenant encryption with tenant-specific keys
     • Complements Navigator Encrypt for metadata encryption
     • Key management via Navigator Key Trustee
  26. Navigator Key Trustee: "Virtual safe-deposit box" for managing encryption keys or other Hadoop security artifacts.
     • Separates keys from encrypted data
     • Centralized management with audit controls
     • Integration with HSMs from Thales and SafeNet
     • Roadmap: management of SSL certificates, SSH keys, tokens, passwords, Kerberos keytab files, and more
  27. Transparent Encryption & Key Management.
     • Protection for all data: structured and unstructured; metadata, temp files and log files
     • High performance: apply it as blanket protection to all data on disk
     • IT admins can't read data
     • Data-at-rest encryption options: HDFS Encryption for the data; Navigator Encrypt for the metadata
     Diagram: Cloudera Manager and Navigator; Impala, Hive, HDFS, HBase, Sentry; log/config/spill files; Navigator Key Trustee backed by an HSM.
  28. Navigator Encrypt: transparent layer between application and file system.
     • Compliance-Ready
     • Massively Scalable
     • High Performance: Optimized for Intel
     • Separation of Duties
     • Key Management with Navigator Key Trustee
     Diagram: Applications/Processes; File System; Process-Based ACLs; File-Level Encryption; Blocks; Storage; Users; Key Manager.
  29. Expertise: Cloudera Center for Security Excellence.
     • Based in Austin, Texas
     • Comprehensive data and cluster security technologies
     • Hadoop security test and certification lab
     • Compliance cookbooks
     • Security ecosystem partner enablement
     • Intel chipset, cloud and virtualization security alignment
  30. Start with the Hadoop Security Maturity Model: Achieve Scale and Cost Effectiveness via a Secure Data Vault (axes: security compliance and risk mitigation).
     • Level 0, Highly Vulnerable / Data at Risk: Data Free-for-All, available and error-prone.
     • Level 1, Reduced Risk Exposure: Basic Security Controls: authorization, authentication, comprehensive auditing.
     • Level 2, Managed, Secure, Protected: Data Security & Governance: lineage visibility, metadata discovery, encryption & key management.
     • Level 3, Enterprise Data Hub / Secure Data Vault: Fully Compliance Ready, audit-ready and protected. Full encryption, key management, transparency, and enforcement for all data-at-rest and data-in-motion. Audit ready for: EU Data Protection Directive, PCI DSS, HIPAA, FERPA, FISMA, PII.
  31. Balance Security and Privacy with Business Agility. Cloudera is the leader in Hadoop security. Unique capabilities:
     • Comprehensive and Unified
     • Secure at the core
     • No Performance Impact
     • Jointly engineered with Intel
     • Compliance-Ready
     • Only distribution to pass PCI audit
     Four pillars on the platform diagram (Security and Administration, Unlimited Storage, Process, Discover, Model, Serve): 1. Perimeter: standards-based authentication; 2. Access: unified role-based authorization; 3. Visibility: auditing & governance; 4. Data: encryption & key management.
  32. Thank You. Eddie Garcia, Chief Security Architect.
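The user, AD group, Sentry role, privilege chain from slide 18, as an added Python model that is not Cloudera's or Apache Sentry's code: the `Privilege` and `SentryModel` classes, the users, groups, roles and the server1/transactions objects are all constructed for this illustration, and the scope rule mirrors Sentry's server > database > table privilege hierarchy. It shows why revoking access only requires an AD group change.

```python
# Sentry-style authorization resolved through Active Directory group membership.
# Added illustration for slide 18; not Cloudera's or Apache Sentry's own code.
# Directory contents, role names and object names below are constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Privilege:
    # Hierarchical scope as in Sentry: a server- or database-level grant covers all beneath it.
    server: str
    database: Optional[str] = None  # None: every database on the server
    table: Optional[str] = None     # None: every table in the database
    action: str = "SELECT"          # SELECT, INSERT or ALL

    def covers(self, server, database, table, action):
        return (self.server == server
                and self.database in (None, database)
                and self.table in (None, table)
                and self.action in ("ALL", action))

class SentryModel:
    def __init__(self, ad_groups, group_roles, role_privs):
        self.ad_groups = ad_groups      # AD: user -> groups (the source of truth)
        self.group_roles = group_roles  # Sentry: AD group -> roles
        self.role_privs = role_privs    # Sentry: role -> privileges

    def authorized(self, user, server, database, table, action):
        # Group membership is read from AD on every check, so a change in AD
        # takes effect without editing Sentry's role-to-privilege policy.
        roles = set()
        for group in self.ad_groups.get(user, set()):
            roles |= self.group_roles.get(group, set())
        return any(p.covers(server, database, table, action)
                   for role in roles for p in self.role_privs.get(role, ()))

# Constructed policy for slide 18: AD group "Fraud Analysts" -> role -> read all transaction data.
AD = {"ssmith": {"Fraud Analysts"}, "jdoe": {"Marketing"}}
GROUP_TO_ROLES = {"Fraud Analysts": {"fraud_analyst"}, "Marketing": {"marketing_reader"}}
ROLE_TO_PRIVS = {
    "fraud_analyst": {Privilege("server1", "transactions", None, "SELECT")},
    "marketing_reader": {Privilege("server1", "marketing", "campaigns", "SELECT")},
}
sentry = SentryModel(AD, GROUP_TO_ROLES, ROLE_TO_PRIVS)

def revoke_via_ad(user="ssmith", group="Fraud Analysts"):
    # Only AD changes; Sentry's policy is untouched, yet the next check is denied.
    before = sentry.authorized(user, "server1", "transactions", "card_tx", "SELECT")
    AD[user].discard(group)
    after = sentry.authorized(user, "server1", "transactions", "card_tx", "SELECT")
    return before, after  # (True, False)
```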
