© 2014 Cloudera, Inc. All rights reserved. Preventing a Big Data Security Breach

Upload: marylou-morris

Post on 03-Jan-2016


Page 1:

Preventing a Big Data Security Breach

Page 2:

Speakers

• Ritu Kama, Director Product Management, Big Data, Intel. Twitter: @ritukama

• Nick Curcuru, VP Big Data Practice, Mastercard Advisors

• Sam Heywood, Director Product Management, Security, Cloudera. Twitter: @sam_heywood

Page 3:

The Benefits of Hadoop...

One place for unlimited data

• All types

• More sources

• Faster, larger ingestion

Unified, multi-framework data access

• More users

• More tools

• Faster changes

Page 4:

…Can Create Information Security Challenges

Business Manager

• Run high value workloads in cluster

• Quickly adopt new innovations

Information Security

• Follow established policies and procedures

• Maintain compliance

IT/Operations

• Integrate with existing IT investments

• Minimize end-user support

• Automate configuration

Page 5:

Big Data = Sensitive Data

© 2015 The SANS™ Institute – www.sans.org

Page 6:

Comprehensive, Compliance-Ready Security

Authentication, Authorization, Audit, and Compliance

• Perimeter: Guarding access to the cluster itself. InfoSec Concept: Authentication

• Access: Defining what users and applications can do with data. InfoSec Concept: Authorization

• Visibility: Reporting on where data came from and how it’s being used. InfoSec Concept: Audit

• Data: Protecting data in the cluster from unauthorized visibility. InfoSec Concept: Compliance

Page 7:

Start with the Hadoop Security Maturity Model

Achieve Scale and Cost Effectiveness via a Secure Data Vault

• Data Free-for-All: Available & Error-Prone

• Basic Security Controls: Authorization, Authentication, Comprehensive Auditing

• Data Security & Governance: Lineage Visibility, Metadata Discovery, Encryption & Key Management

• Fully Compliance Ready: Audit-Ready & Protected

Audit Ready For: EU Data Protection Directive, PCI DSS, HIPAA, FERPA, FISMA, PII

Full encryption, key management, transparency, and enforcement for all data-at-rest and data-in-motion

Figure axes: Data Volume & Sensitivity; Security Compliance & Risk Mitigation

0 Highly Vulnerable Data at Risk

1 Reduced Risk Exposure

2 Managed, Secure, Protected

3 Enterprise Data Hub Secure Data Vault

Page 8:

Comprehensive, Compliance-Ready Security

Authentication, Authorization, Audit, and Compliance

• Perimeter: Guarding access to the cluster itself. InfoSec Concept: Authentication. Cloudera Manager

• Access: Defining what users and applications can do with data. InfoSec Concept: Authorization. Apache Sentry & RecordService

• Visibility: Reporting on where data came from and how it’s being used. InfoSec Concept: Audit. Cloudera Navigator

• Data: Protecting data in the cluster from unauthorized visibility. InfoSec Concept: Compliance. Navigator Encrypt & Key Trustee

Page 9:

RecordService (Beta)

Unified Access Control Enforcement

• New high performance security layer that centrally enforces fine-grained access control in HDFS

• Complements Apache Sentry’s unified policy definition

• Row- and column-based security

• Dynamic data masking

• Apache-licensed open source

• Beta now available

FILESYSTEM: HDFS

NoSQL: HBase

SECURITY – Sentry, RecordService

Page 10:

MasterCard’s Journey from pilot to compliance

• Data Free-for-All

• Basic Security Controls

• Data Security & Governance

• Fully Compliance Ready

Figure axes: Data Volume & Sensitivity; Security Compliance & Risk Mitigation

0 Highly Vulnerable Data at Risk

1 Reduced Risk Exposure

2 Managed, Secure, Protected

3 Enterprise Data Hub Secure Data Vault

Page 11:

MasterCard’s journey to PCI certification

• Discovery: May 2012

• Proof of Concept: July –> Oct. 2012

• Roadmap: Oct. –> Nov. 2012

• Mainstream: EOY 2012

• Wide Adoption: 2013 –>

• PCI Certified: June 2014

• Recertified: Jun 2015

• 2016 –>

Security Security Security Security

Page 12:

Security goes beyond technology

People

• Install, modify, and support Technology

• Act within the guidelines of Process to ensure security

• Create and revise Process and policies as required

• Are ultimately accountable for ongoing security

Process

• Are the yardstick by which configurations and actions are measured and reported against

• Are governed by People with authority to set best practices and define policy within an organisation

• Change over time to address evolving security concerns and needs of the business

Technology

• Tools for security that are installed and configured by People, governed by Process

• Provide the audit, data protection, and user administration capabilities delivered by People, within the framework of established and documented Process

Page 13:

Best practices

• People and Process

– Segregation of Duties

– Segregation of Data Access

– Process documentation – controls, response and continuity planning

– Continuous knowledge transfer, training and awareness

• Technology

– Strong Authentication & Authorisation

– Security Logging

– Penetration Testing

Page 14:

Lessons learned

• Hadoop isn’t one thing, but a “collection of things”

• Education & documentation is 60-70% of the effort

• This isn’t a database, don’t expect similar controls

• Security is neither quick nor easy

• Technology is still maturing

• Close collaboration with your partner is critical

• This is just the beginning – it is continuous

Page 15:

Table stakes for big data security

• Native data encryption

• Security embedded in metadata

• Integrated key management

• Authorisation

• Authentication – Multi-Factor

• Strong role based access

• Monitoring in real time

• Audit and data lineage

• Hardware-enabled security

• Enterprise Identity management integration

Page 16:

Where to Start

• Assess security maturity

• Review data and information strategy

• Lay out data protection strategy

• Identify education and training needs

Page 17:

Thank You