© 2014 Cloudera, Inc. All rights reserved.
TRANSCRIPT
Preventing a Big Data Security Breach
Speakers
Ritu Kama, Director Product Management, Big Data, Intel. Twitter: @ritukama
Nick Curcuru, VP Big Data Practice, Mastercard Advisors
Sam Heywood, Director Product Management, Security, Cloudera. Twitter: @sam_heywood
The Benefits of Hadoop...
One place for unlimited data
• All types
• More sources
• Faster, larger ingestion
Unified, multi-framework data access
• More users
• More tools
• Faster changes
Business Manager
• Run high value workloads in cluster
• Quickly adopt new innovations
Information Security
• Follow established policies and procedures
• Maintain compliance
IT/Operations
• Integrate with existing IT investments
• Minimize end-user support
• Automate configuration
…Can Create Information Security Challenges
Big Data = Sensitive Data
Source: © 2015 The SANS™ Institute – www.sans.org
Comprehensive, Compliance-Ready Security: Authentication, Authorization, Audit, and Compliance
Perimeter: Guarding access to the cluster itself (InfoSec Concept: Authentication)
Access: Defining what users and applications can do with data (InfoSec Concept: Authorization)
Visibility: Reporting on where data came from and how it's being used (InfoSec Concept: Audit)
Data: Protecting data in the cluster from unauthorized visibility (InfoSec Concept: Compliance)
Start with the Hadoop Security Maturity Model: Achieve Scale and Cost Effectiveness via a Secure Data Vault
(Chart axes: Data Volume & Sensitivity, vertical; Security Compliance & Risk Mitigation, horizontal.)
0 Highly Vulnerable, Data at Risk: Data Free-for-All, Available & Error-Prone
1 Reduced Risk Exposure: Basic Security Controls, i.e. Authorization, Authentication, Comprehensive Auditing
2 Managed, Secure, Protected: Data Security & Governance, i.e. Lineage Visibility, Metadata Discovery, Encryption & Key Management
3 Enterprise Data Hub Secure Data Vault: Fully Compliance Ready, Audit-Ready & Protected. Audit Ready For: EU Data Protection Directive, PCI DSS, HIPAA, FERPA, FISMA, PII. Full encryption, key management, transparency, and enforcement for all data-at-rest and data-in-motion.
Comprehensive, Compliance-Ready Security: Authentication, Authorization, Audit, and Compliance
Perimeter: Guarding access to the cluster itself (InfoSec Concept: Authentication). Product: Cloudera Manager
Access: Defining what users and applications can do with data (InfoSec Concept: Authorization). Products: Apache Sentry & RecordService
Visibility: Reporting on where data came from and how it's being used (InfoSec Concept: Audit). Product: Cloudera Navigator
Data: Protecting data in the cluster from unauthorized visibility (InfoSec Concept: Compliance). Products: Navigator Encrypt & Key Trustee
RecordService (Beta): Unified Access Control Enforcement
• New high-performance security layer that centrally enforces fine-grained access control in HDFS
• Complements Apache Sentry's unified policy definition
• Row- and column-based security
• Dynamic data masking
• Apache-licensed open source
• Beta now available
(Diagram: FILESYSTEM: HDFS; NoSQL: HBase; SECURITY: Sentry, RecordService)
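The row filtering, column projection and dynamic masking that the slide attributes to RecordService, shown as an added Python example (this is not RecordService or Sentry code; the roles, policies and sample transactions are constructed for illustration):

```python
# Added illustrative example (not RecordService or Sentry code): a minimal
# policy-enforcement layer that applies row filtering, column projection and
# dynamic masking to records before they reach the caller. Roles, policies
# and records are constructed here for demonstration only.
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Record = Dict[str, str]

def mask_pan(pan: str) -> str:
    """Keep only the last four digits of a card number (PCI DSS style display)."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:] if len(digits) > 4 else "****"

@dataclass
class Policy:
    columns: List[str]                                     # columns the role may see
    row_filter: Callable[[Record], bool] = lambda r: True  # rows the role may see
    masks: Dict[str, Callable[[str], str]] = field(default_factory=dict)

# Constructed policies: analysts see masked PANs for their own region only;
# fraud investigators see full PANs in every region.
POLICIES: Dict[str, Policy] = {
    "analyst_emea": Policy(
        columns=["txn_id", "pan", "amount"],
        row_filter=lambda r: r["region"] == "EMEA",
        masks={"pan": mask_pan},
    ),
    "fraud_investigator": Policy(columns=["txn_id", "pan", "amount", "region"]),
}

def enforce(role: str, records: List[Record]) -> List[Record]:
    """Return the records as the role is allowed to see them; unknown roles are denied."""
    policy = POLICIES.get(role)
    if policy is None:
        raise PermissionError(f"no policy for role {role!r}")  # default deny
    out = []
    for r in records:
        if not policy.row_filter(r):
            continue                                           # row-level security
        row = {c: r[c] for c in policy.columns if c in r}      # column-level security
        for col, fn in policy.masks.items():
            if col in row:
                row[col] = fn(row[col])                        # dynamic masking
        out.append(row)
    return out

# Constructed sample data (not real card numbers).
SAMPLE = [
    {"txn_id": "t1", "pan": "4111 1111 1111 1234", "amount": "10.00", "region": "EMEA"},
    {"txn_id": "t2", "pan": "5500 0000 0000 4321", "amount": "99.50", "region": "APAC"},
]
```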
MasterCard's Journey: from pilot to compliance
(Plotted on the Hadoop Security Maturity Model: Data Volume & Sensitivity against Security Compliance & Risk Mitigation.)
0 Highly Vulnerable, Data at Risk: Data Free-for-All
1 Reduced Risk Exposure: Basic Security Controls
2 Managed, Secure, Protected: Data Security & Governance
3 Enterprise Data Hub Secure Data Vault: Fully Compliance Ready
MasterCard's journey to PCI certification
Discovery: May 2012
Proof of Concept: July –> Oct. 2012
Roadmap: Oct. –> Nov. 2012
Mainstream: EOY 2012
Wide Adoption: 2013 –>
PCI Certified: June 2014
Recertified: Jun 2015
2016 –>
(Security is marked under each stage of the timeline.)
Security goes beyond technology
People
• Install, modify, and support Technology
• Act within the guidelines of Process to ensure security
• Create and revise Process and policies as required
• Are ultimately accountable for ongoing security
Process
• Is the yardstick by which configurations and actions are measured and reported against
• Is governed by People with authority to set best practices and define policy within an organisation
• Changes over time to address evolving security concerns and needs of the business
Technology
• Tools for security that are installed and configured by People, governed by Process
• Provide the audit, data protection, and user administration capabilities delivered by People, within the framework of established and documented Process
Best practices
• People and Process
– Segregation of Duties
– Segregation of Data Access
– Process documentation: controls, response and continuity planning
– Continuous knowledge transfer, training and awareness
• Technology
– Strong Authentication & Authorisation
– Security Logging
– Penetration Testing
Lessons learned
• Hadoop isn't one thing, but a "collection of things"
• Education & documentation is 60-70% of the effort
• This isn't a database, don't expect similar controls
• Security is neither quick nor easy
• Technology is still maturing
• Close collaboration with your partner is critical
• This is just the beginning – it is continuous
Table stakes for big data security
• Native data encryption
• Security embedded in metadata
• Integrated key management
• Authorisation
• Authentication – Multi-Factor
• Strong role based access
• Monitoring in real time
• Audit and data lineage
• Hardware-enabled security
• Enterprise Identity management integration
Where to Start
• Assess security maturity
• Review data and information strategy
• Lay out a data protection strategy
• Identify education and training needs
Thank You