end-to-end data-centric security - be.westcon.combe.westcon.com/documents/56682/hp enterprise gdpr...
TRANSCRIPT
End-to-end Data-centric Security
Toon Van den bergh,HPE Software Security Sales SpecialistJune 2017
Agenda
• HPE Point of View
• GDPR, more than just Compliance!
• End-To-End Data-Centric Security
• Use Cases
• GDPR Journey to Value
• Summary
99% of breaches are about the data
© Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
USERS
APPS DATA
Today’s digital Enterprise needs a new style of protection
4
Off Premise
Protect your most business-critical
digital assets and their interactions,
regardless of location device
Off Premise
BIG DATA
IaaS
SaaS
PaaS
BYOD
On Premise
Compelling Business Logic for GDPR Compliance
5
GDPR
Revenue Generation
• Fine• Reputation damage• Government contract
pre-requisite• Enforcement action
• Strategic records management• Move to cloud accelerator• Security and compliance
accelerator
Brand Loyalty & Data Mining for improved customer service & Data Exploitation
End-to-end Data-centric Securitywith HPE Voltage SecureData
7
Encryption is an area poised for wider adoption: 2nd highest ROI against cyber crime
Why do enterprises care about encryption?
Introducing: “Data-centric” security
9
Traditional IT
infrastructure security
Threats to
Data
Malware,
Insiders
SQL injection,
Malware
Traffic
Interceptors
Malware,
Insiders
Credential
Compromise
Data
Ecosystem
Security
Gaps
Disk encryption
Database encryption
SSL/TLS/firewalls
SSL/TLS/firewalls
Authentication
Management
Storage
File systems
Databases
Data and applications
Security gap
Security gap
Security gap
Security gap
Middleware
Data
secu
rity
co
vera
ge
HPE Security – Data Security provides this protection
10
Traditional IT
infrastructure security
Disk encryption
Database encryption
SSL/TLS/firewalls
Authentication
Management
Threats to
Data
Malware,
Insiders
SQL injection,
Malware
Traffic
Interceptors
Malware,
Insiders
Credential
Compromise
Data
Ecosystem
Security
Gaps
HPE Security
data-centric security
SSL/TLS/firewalls
Data
secu
rity
co
vera
ge
En
d-t
o-e
nd
Pro
tecti
on
Storage
File systems
Databases
Data and applications
Security gap
Security gap
Security gap
Security gap
Middleware
11
Field level, format-preserving, reversible data de-identificationCustomizable to granular requirements addressed by encryption & tokenization
Credit card
1234 5678 8765 4321
SSN/ID
934-72-2356
DOB
31-07-1966
Full 8736 5533 4678 9453 347-98-8309 [email protected] 20-05-1972
Partial 1234 5681 5310 4321 634-34-2356 [email protected] 20-05-1972
Obvious 1234 56AZ UYTZ 4321 AZS-UD-2356 [email protected] 20-05-1972
FPESST
Web Form
Mainframe
Database
New Account
Application
Fraud
Detection
Customer
Service
Application Hadoop
Analytics
4040 1234 1234 9999Elen Smith
4040 1234 1234 9999Elen Smith
4040 1234 1234 9999Elen Smith
4040 1234 1234 9999Elen Smith
4040 1234 1234 9999Elen Smith
4040 1234 1234 9999Elen Smith
CC
Processing
Mapping the Flow of Sensitive Data, using no encryption
Web Form with HPE PIENew Account
Application
Mainframe
Database
Fraud
Detection
Customer
Service
Application Hadoop
Analytics
4040 1234 1234 9999Elen Smith
4040 1234 1234 9999Elen Smith
4040 6763 0123 9999Kelt Dqitp
4040 6763 0123 9999Elen Smith
4040 6763 0123 9999Kelt Dqitp
4040 6763 0123 9999Kelt Dqitp
CC
Processing
The Same Environment, with HPE SecureData
HPE SecureData
4040 6763 0123 9999Kelt Dqitp
HPE SecureData – Full Data Security Platform
HPE
SecureData
Management
Console
Authentication &
authorization sources
(e.g. active directory)
HSM
HPE SecureData
Web Services
API
HPE SecureData
native APIs
(C, Java, C#, .NET)
HPE SecureData
Command Lines &
Automated File
Parsers
HPE SecureData
z/Protect, z/FPE
HPE
SecureData
Native UDFs
Partner
integrations
SaaS & PaaS
cloud apps
Policy controlled data protection and masking services & clients
Payment
terminalsVolume Key
Management
Production
databasesMainframe
applications &
databases
3rd party
applicationsTeradata,
Hadoop &
Vertica
ETL & data
integration
suites
Network
Interceptors
Payment
systems
Business applications, data stores and processes
HPE Nonstop
Applications &
Databases
Web/cloud
applications
(AWS, Azure)
Enterprise
applicationsVolumes and
storage
3rd party SaaS
gateways
HPE SecureData
HPE SecureData platform tools
Protected Data Environment
Native APIs
– Enable encryption in custom apps
– C/C++/C#/Java
– Distributed and mainframe platforms
Command Line Tools
‒ Bulk encryption and tokenization
‒ Files and databases
‒ Variety of distributed and mainframe platforms
‒ Any web services enabled platform
‒ Additional layer of masking
‒ Offload processing on HPE SecureData Server
Web Services APIs
15
Name SS# Credit Card # Street Address Customer ID
Kwfdv Cqvzgk 161-82-1292 3712 3486 3545 1001 2890 Ykzbpoi Clpppn S7202483
Veks Iounrfo 200-79-7127 5587 0856 7634 0139 406 Cmxto Osfalu B0928254
Pdnme Wntob 095-52-8683 5348 9209 2367 2829 1498 Zejojtbbx Pqkag G7265029
Eskfw Gzhqlv 178-17-8353 4929 4333 0934 4379 8261 Saicbmeayqw Yotv G3951257
Jsfk Tbluhm 525-25-2125 4556 2545 6223 1830 8412 Wbbhalhs Ueyzg B6625294
‒ Converged HPE SST and FPE client solution in Java
‒ Handles different record types within the same file
‒ Efficient multi-field, multi-threading architecture
HPE SecureData
File Processor
HPE SecureData
16
– HPE Stateless Key Management
– No key database to store or manage
– High performance, unlimited scalability
– Both encryption and tokenization technologies
– Customize solution to meet exact requirements
– Broad platform support
– On-premise / Cloud / Big Data
– Structured / Unstructured
– Linux, Hadoop, Windows, AWS, IBM z/OS, HPE NonStop, Teradata, etc.
– Quick time-to-value
– Complete end-to-end protection within a common platform
– Format-preservation dramatically reduces implementation effort
HPE SecureData
Management Console
HPE SecureData
Web Services API
HPE SecureData
Native APIs
(C, Java, C#./NET)
HPE SecureData
Command Lines
HPE SecureData
Key Servers
HPE SecureData
File Processor
Use Cases
17
Use Case 1: Securing PII Data in Big Data Platforms (Hadoop)
18
‒ Analyze several hundred million customer
records for analytic patterns, retail
optimization, business intelligence
‒ Records contain personal customer data, log
data, activity data, location information, buying
information etc.
‒ 17 fields are deemed to be sensitive
‒ Deployed a 500 node Hadoop cluster; moving
into the thousands
‒ Typically ingest 300 million customer records in
< 1.5 minutes. SLAs should not be significantly
affected
‒ Integrated HPE SecureData into MapReduce jobs
that ingest data
‒ Sensitive data in 17 fields is protected using HPE
Format-Preserving Encryption
‒ Almost all analysis is performed on protected data
‒ HPE SecureData tools integrate into Hive and
MapReduce if results are to be re-identified
‒ HPE SecureData added 90 seconds to the
ingestion process
‒ Data that is protected by HPE SecureData tools at
source (z/OS, Teradata, Oracle, etc.) can directly
flow into Hadoop
Securing Sensitive Data in Big Data Platforms and Hadoop
Public
data
Big Data Platform
Teradata, Vertica, Hadoop
SqoopHive
UDFs
Map
Reduce
“Landing
zone”
TD
E
SQL Spark
Sensor
Data
Power
user re-
identifies
data
BI tools
work on
protected
data
Business
processes
use
protected
data
Laptop
log files
Server
log files
Any data
Source
FlumeNiFi
Storm
Kafka
Use Case 2: Using Production data in Test/Dev environments
– Pre-configured solution for protecting sensitive data used in
test and development environments
– Provides ability to use HPE Format-Preserving Encryption &
HPE Secure Stateless Tokenization for data de-identification
in test/dev
– Fits within an overall Test Data Management / ETL flow
Simplified View of Integration
21
HPE SDMDestinationSource
Simple APIor SOAP(groovy)
SecureData key server& web services server
Using Structured Data Manager’s (SDM)groovy plugin capability, we can integrate the client part of SecureData
Live DataProtected
Data
GDPR… the bigger picture
22
USERS
APPS DATA
Today’s digital Enterprise needs a new style of protection
23
Off Premise
Protect your most business-critical
digital assets and their interactions,
regardless of location device
Off Premise
BIG DATA
IaaS
SaaS
PaaS
BYOD
On Premise
Security IntelligenceBreach
Detection
Application SecurityBreach
Prevention
Data SecurityEncryption /
Pseudonymization
Security and IM&G (SIG), Better Together for GDPR
Data RepositoriesRecords
Repository
Find Classify Govern
SecureData ESKM
ArcSight Correlation / Analytics
Fortify Application Security
SecureMail
SDM
CP
CMAdaptive
Backup & RecoveryRetention Management
SDM: Structured Data ManagerCP: Control PointCM: Secure Content Manager
ESKM: Atalla Enterprise Secure Key ManagerSAST/DAST: Sataic/Dynamic Application Security TestingRASP: Runtime Application Self Protection
ADP: ArcSight Data PlatformESM: Enterprise Security ManagerDMA: DNS Malware AnalyticsUEBA: User and Entity Behavior Analytics
GDPRJourney to Value(JtV)
25
26
sub-capabilities non-Compliant Limited Compliance Compliant
Assurance (Personal Data Records
Mgmt. and Security)
No defined process for assurance control and
reviews for Personal Data Records Mgmt. and
Security.
Ad-hoc and manual reviews for assurance of
Personal Data Records Mgmt. and Security of
Personal Data.X
A process if defined for regular reviews for
assurance of Personal Data Records Mgmt. and
Security of Personal Data, but execution issues due
to limited capacity / technology support.
A dedicated Team and regular reviews for assurance
of both Personal Data Records Mgmt. and Security of
Personal Data.
Organization is able to proactively demonstrate
compliance with GDPR principles both Personal
Data Records Management and Security.
Respond to Data Subjects XNo mechanism or process defined to handle Data
Subject inquires about Personal data processing /
usage
Data Subjects' requests handled in ad-hoc way.
Process defined but execution is not stable.
Organization is able to respond Data Subject
requests partially.
A clear process is defined to handle data subject
requests
Handling Data Subject Requests is defined,
integrated as a std process of Help Desk and
Customer Care.
Respond & Report to Litigation /
Regulatory Investigation
Lack of building legal base for personal data
processing activities. Lack of capability for mapping
the Personal Data and processing activities to Legal
Hold processes. (High risk for responding to
litigation, regulatory investigation).
X
Personal Data processing policies and processes
are defined / limitedly enforced by the organization,
with manual records mgmt., data security and data
protection capabilities. Limited capability to build
legal basis for data processing activities.
Organization is capable of responding & reporting to
Litigation / Regulatory Investigation for major
applications and system that are processing
personal data with manual efforts.
Legal base constructed for the applications and systems
processing Personal Data. Solutions implemented identify
and protect personal data subject to legal hold, either in
place, or migrate data to a secure repository for storage for
the lifetime of the hold.
Centralized & Automated records management processes
and system constructed the legal base for applications and
systems processing Personal Data across the Enterprise,
that enables the organization's Compliance with GDPR
Requirements.
Governance Domain Questionnaire
27
Domain Capablity sub-capabilities High Risk Medium to High Risk Medium Risk Medium to Low Risk Low Risk Scores
Assurance (Personal Data Records Mgmt. and Security) X 3
Respond to Data Subjects X 5
Respond & Report to Litigation / Regulatory Investigation X 4
Data Processing Models X 1
Personal Data Inventory X 3
Systems & Applications Inventory X 2
Policy Management X 2
Personal Data Protection X 1
Records Management X 1
Privacy by Design / Privacy by Default X 5
Data Flow Mapping X 5
Accountability X 4
Data Protection Impact Assessments X 3
Program GAP Analysis X 2
High Risk Medium to High Risk Medium Risk Medium to Low Risk Low Risk Scores
Consent Structure and Management X 5
Obtaining Methodology and Coverage X 5
Registry and Mapping X 4
Accuracy X 2
Purpose Limitation X 4
Data Minimisation X 4
Pseudonymisation / Anonymisation X 3
Storage Limitation X 4
Transfer Controls X 3
Lawful & Transparent Processing X 2
Legal base for Data Processing X 5
Contractual Necessity X 2
Data Retention Management X 3
Archival Management X 2
Destroy / Erase Right to be Forgotten X 4 4.00
Records Mgmt. for Personal Data X Automated updates 3
Data Flow Mapping X 5
Records Mgmt. for Personal Data processing X 5
High Risk Medium to High Risk Medium Risk Medium to Low Risk Low Risk Scores
Notification for Authorities X 3
Notification for Impacted Data Subjects X 5
Data Encryption / Pseudonymisation X 3
Server / Disk / Volume Security X 2
Encryption Key Management X 1
Encrypted e-mail X 1
Security Monitoring & Breach detection X 2
Breach Root Cause Analysis & Remediation X 2
Detection Non-compliant Behavior X 4
Application Security X 4
Assess / Remediation
Data Processing / Lifecycle
Management
Consent
Capture / Discover
Transform / Transfer
Use / Share
Archive / Retention
Records Management
Governance
Assurance / Respond /
Report
Inventory
Policies
Design / Accountability
Security
Breach Notification
Data Security (Integrity &
Confidentiality)
IT Security & Operatons
4.67
4.00
1.75
3.00
2.73
3.60
2.92
3.33
3.33
3.00
4.33
2.50
4.00
2.00
1.33
4.67
1.67
GDPR Risk Assessment Map
28
Security Sub-Capability Risk Score
Notification to affected data subjects (individuals) 5
Application Security 4
Notification to Data Protection Authority (DPA) 3
Pseudonymisation (Data-In-Motion protection) 3
Data-at-Rest Protection 2
Security Monitoring & Breach detection 2
E-Mail security 1
Governance Sub-Capability Risk Score
Respond to Data Subjects 5
Privacy by Design / Privacy by Default 5
Respond & Report to Litigation / Regulatory Investigation 4
Accountability 4
Assurance (Personal Data Records Mgmt. and Security) 3
Personal Data Inventory 3
Data Protection Impact Assessments 3
Applications, Systems & Storage Inventory 2
Access Control Management 2
Program GAP Analysis & Remediation 2
Data Processing Models 1
Data Protection 1
Records Management 1
Data Processing / Lifecycle Mgmt. Sub-Capability Risk Score
Capture, Structure and Manage 5
Legal base for Data Processing 5
Records Mgmt. for Personal Data Processing 5
Registry and Mapping 4
Purpose Limitation 4
Data Minimization 4
Storage Limitation 4
Right to be Forgotten 4
Pseudonymisation / Anonymization 3
Transfer Controls 3
Data Retention & Archival Management 3
Records Mgmt. for Personal Data 3
Accuracy 2
Lawful & Transparent Processing 2
Priority Maps to be used as a guideline for Customers in their
Journey to GDPR readiness
Sample Roadmap – GDPR JTV
29
2016 2017 2018 2019
Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1
Qu
ick w
ins
Exte
nd
th
e
valu
eL
on
g t
erm
Sh
ort
term
Consent Structure & Management
Data Flow Mapping
Enterprise Records Management
Pseudonymisation / encryption
Privacy by Design
Accountability
Application Security
Legal base for Data Processing
Behavior Analysis
Personal Data Inventory
Strategic Outcomes
Sustained returns
Rapid Business Benefits
Quick Value BenefitsUnlock value of current
investment
Sustained returns
Strategic Outcomes
High Impact ROI, Rapid
TTV
Alternative approaches to GDPR compliance fall short
• Loosely integrated solutions from multiple vendors
• Lack of information insight to drive efficiencies and lower risk
• Technology not mapped to GDPR use cases, for simplicity
• Solutions not comprised of market-leading technology
• Most vendors unable to package IM&G, Security, Storage & services together
31
In summary, HPE is strongly positioned to address GDPR
– Broad technology set covering all phases of protection
– Robust, cross-silo data classification
– Deep information insight for automated policy setting
– Advanced analytics for value creation
– Partnership strategy to deliver maximum value
– Solutions mapped to GDPR-specific use cases for simplicity
32
GDPR Collateral
• HPE external GDPR Programme Portal: www.hpe.com/solutions/GDPR
• Information Insight for GDPR Compliance: https://www.youtube.com/watch?v=erkRCEbHX08
• Mini assessment: http://gdprcomplianceassessment.com
• Questions?
Toon Van den bergh, [email protected], +32 479 93 04 43
Manuel Gonzalez, [email protected], +32 498 94 60 93
Thank You!