Big Data Security and Governance

Date post: 16-Apr-2017
Upload: dataworks-summithadoop-summit
Transcript
Page 1: Big Data Security and Governance

June 30th, 2016

Big Data Security & Governance: Instilling Confidence and Trust

Nick Curcuru

Page 2: Big Data Security and Governance

©2016 MasterCard. Proprietary and Confidential

Today’s Discussion

• Introduction to MasterCard

• Security Landscape

• Security Pillars

• Top 10 threats: Infrastructure and Data Architecture

• Hadoop Security Model

• Governance and Compliance

• Summary

Page 3: Big Data Security and Governance

MasterCard – Technology & Services

Payment Processing

Payment Products

Sponsorships

Consulting Expertise

Information Services

Implementation Services

Page 4: Big Data Security and Governance

©2016 MasterCard. Proprietary and Confidential. August 26, 2016

MasterCard helps our customers use Big Data

Increasing Revenue Generation

Increasing Analytic & IT Capabilities

Protecting Assets

Customer Centricity

Monetization of data

MasterCard Data Providing Hosting*

Capabilities

Real time interactions

Improve enterprise data stewardship

Reduce risk of security incident

Media Measurements

Journey Analytics

Page 5: Big Data Security and Governance

MasterCard Securing Big Data

2.2B+ GLOBAL CARDS

160MM TRANSACTIONS PER HOUR

Advanced analytics are applied in a safe and secure environment finding trends and insights

Card Swipes: amount spent, time, merchant & location.

Data Anonymized

Analysis | Risk Detection | Customer 360 | Location selection | Customer Engagement | Economic Indicators

Page 6: Big Data Security and Governance

Top 5 Industries for Cyber Attacks

Source: 2016 Cyber Security Intelligence Index

2015: 1. Healthcare 2. Manufacturing 3. Financial Services 4. Government 5. Transportation

2014: 1. Financial Services 2. Information & Communication 3. Manufacturing 4. Retail and wholesale 5. Energy and Utilities

Page 7: Big Data Security and Governance

Per Record Cost of a Data Breach

Source: 2015 Cost of Data Breach Study: Global Analysis. Benchmark research sponsored by IBM, independently conducted by Ponemon Institute LLC, May 2015

[Bar chart: per-record cost values, bar labels not preserved: $363, $300, $220, $215, $179, $165, $155, $137, $136, $132, $129, $127, $126, $124, $121, $68]

Page 8: Big Data Security and Governance

Your next attacker is likely to be someone you thought you could trust

Source: 2016 Cyber Security Intelligence Index

Page 9: Big Data Security and Governance

Top 10 Infrastructure Vulnerabilities

Systems, Software, Storage

• Perimeter Authentication

• System Monitoring

• Testing

• User Authentication

• Applications

• Hardware

• Encryption keys

• Environments

• Shared Responsibilities

• Software Updates

Page 10: Big Data Security and Governance

Top 10 Data Architecture Vulnerabilities

Data - Architecture, Governance, Management

[Graphic: twelve numbered segments (1–12) carrying only the repeated labels User Authentication, Applications, Hardware and Encryption keys]

Page 11: Big Data Security and Governance

Nearly half of security incidents in 2015 were the result of unauthorized access

Source: 2016 Cyber Security Intelligence Index

• Unauthorized access: 37% (2014), 45% (2015)

• Malicious code: 20% (2014), 29% (2015)

• Sustained probe/scan: 20% (2014), 16% (2015)

• Suspicious activity: 11% (2014), 6% (2015)

• Access or credentials abuse: 8% (2014), 3% (2015)

Page 12: Big Data Security and Governance

SECURITY PILLARS

Page 13: Big Data Security and Governance

Four Pillars of Security

PERIMETER [Authenticating]

VISIBILITY [Auditing]

ACCESS [Authorizing]

DATA [Architecting]

Page 14: Big Data Security and Governance

Perimeter Security – Authenticating

Guarding access to the environment (cluster)

Ensure your cluster:

• Preserves user choice of the right Hadoop service (e.g. Impala, Spark)

• Conforms to centrally managed authentication policies

• Implements with existing standard systems:

Active Directory and Kerberos:

1. User authenticates to Active Directory

2. Authenticated user gets Kerberos ticket

3. Ticket grants access to services

Page 15: Big Data Security and Governance

Access Security - Authorizing

Defining user roles and their data access

Outlining what data applications can use

Ensure your cluster:

• Defines and provides users access to data needed to do their job

• Centrally manages access policies – protect all paths with strong policies, moving security away from the applications

• Leverages a role-based access control model built on Active Directory

Page 16: Big Data Security and Governance

Visibility Security - Auditing

Reporting on where data came from and how it’s put together

Ensure your cluster:

• Can document where report data came from and how it was put together

• Complies with policies for audit, data classification, and lineage

• Centralizes the audit repository

Page 17: Big Data Security and Governance

Data Security – Architecting

Protecting data to internal and external standards

Ensure your cluster:

• Controls the data analysis is performed on

• Encrypts data protecting it from the root to its final destination

• Applies security at the metadata level

• Has well laid out encryption key management and token policies

• Integrates with existing hierarchical storage management as part of key management infrastructure

Page 18: Big Data Security and Governance

Table stakes for big data security

• Native data encryption

• Security embedded in metadata

• Integrated key management

• Authorisation

• Authentication – Multi-Factor

• Strong role based access

• Monitoring in real time

• Audit and data lineage

• Hardware-enabled security

• Enterprise Identity management integration

Page 19: Big Data Security and Governance

Best practices

People and Process

• Segregation of Duties

• Segregation of Data Access

• Continuous knowledge transfer, training and awareness

• Process documentation – controls, response and continuity planning

Technology

• Strong Authentication & Authorization

• Real Time Monitoring

• Regular Penetration Testing

Page 20: Big Data Security and Governance

Lessons learned

• Emphasize Hadoop isn’t one thing, but a “collection of things”

• Education & documentation is 60% of the effort

• Explain why Hadoop isn’t a database so don’t expect similar controls

• Security is neither quick nor easy

• Big Data technology is still maturing

• Close collaboration with your partners is critical

• Security is continuous not a check in the box

Page 21: Big Data Security and Governance

What to do

Page 22: Big Data Security and Governance

Where to Start

1. Assess security maturity over three dimensions:

– People, Process and Technology

2. Classify data into categories

– Personally Identifiable, Health Data, Payment Related, Analysis

3. Start real time system and data monitoring

4. Take inventory of current Hadoop system security capabilities

– Refer to security table stakes and identify gaps

5. Identify training needs

– Business, Technology and Third Party Partners

Page 23: Big Data Security and Governance

Start with the Hadoop Security Maturity

[Chart axes: Data Volume & Sensitivity (vertical); Security Compliance & Risk Mitigation (horizontal)]

0. Pilot: Data Free-for-All: Available & Error-Prone

– Highly Vulnerable, Data at Risk

1. Basic Security Controls: Authorization, Authentication, Auditing

– Reduced Risk Exposure

2. Data Security & Governance: Lineage Visibility, Metadata Discovery, Encryption & Key Management

– Managed, Secure, Protected

3. Regulatory Compliance: Audit-Ready & Protected

– Security enforcement for all data-at-rest and data-in-motion: Full encryption, Encryption management, Token system management, Transparency, Real time monitoring, Element level security

– Enterprise Data Hub, Secure Data Vault

Page 24: Big Data Security and Governance

Transparent Encryption & Key Management

Protection for all data:

• Structured and unstructured

• Metadata, temp files and log files

Data-at-rest encryption options:

• HDFS Encryption for the data

• Encryption for: metadata – log files

Yarn – Resource Manager

Data Management Layer

Impala Hive

HDFS HBase

Apache Sentry

SSL Certificates and SSH Keys

Log/Config/Spill files

HSM

Page 25: Big Data Security and Governance

Look at Apache Atlas

Source: Apache Software Foundation and Hortonworks

Features

• Data Classification

• Metadata

• Centralized Auditing

• Search & Lineage (Browse)

• Security & Policy Engine

Page 26: Big Data Security and Governance

Compliance and Governance

Compliance Evolution

Integrity

Stewardship

Ethics

Specific

• Taxonomy

• Transparency

• Auditability

• Consistency

• Accountability

• Checks-and-Balances

• Standards

Governance

Controls Guardian

Page 27: Big Data Security and Governance

Summary

• 60% of threats are from inside the organization

• Security is applied end to end in the process

• Access: People, Process and Technology in your security strategy

• Hadoop is still maturing

• Governance includes data usage

• Don’t confuse compliance with security

Page 28: Big Data Security and Governance

QUESTIONS

Page 29: Big Data Security and Governance

Contact Us

Nick Curcuru

+1 (914) 413 3822

Page 30: Big Data Security and Governance

BONUS SLIDES

Page 31: Big Data Security and Governance

Top 10 Infrastructure Vulnerabilities

• Perimeter Authentication

• System Monitoring

• Testing

• User Authentication

• Applications

• Hardware

• Encryption keys

• Environments

• Shared Responsibilities

• Software Updates

Page 32: Big Data Security and Governance

Points of Attack - Infrastructure

1. Perimeter Authentication

– Threat: Only password credentials for authentication to environment

– Mitigation: Use two-factor authentication: tokens, RSA or Biometric technology

2. User Authentication

– Threat: Users authenticate with generic/shared/application ID

– Mitigation: Credentials should never be shared: each user and application should have unique/non-shared credentials to host systems

3. Applications

– Threat: Applications control data access

– Mitigation: Access to data is at the system level and at the data element (fine-grained)

4. Hardware

– Threat: Database and application servers are the same hardware

– Mitigation: Separate database and application servers – isolates attack vectors

5. Encryption Keys

– Threat: Encryption keys are not rotated.

– Mitigation: Set up periodic rotation of encryption

Page 33: Big Data Security and Governance

Points of Attack - Infrastructure

6. Environments

– Threat: Insecure/uncertified environments have direct access to secure/certified environments.

– Mitigation: Segregate systems. Systems with access to each other need the same levels of security and controls

7. Shared Responsibilities

– Threat: Systems admin, DBA, application developer, and web admin responsibilities are shared

– Mitigation: Divide responsibilities, implement role based access and controls

8. Software Updates

– Threat: Patches or upgrades do not happen on a regular release cycle to ensure the system is protected from software vulnerabilities.

– Mitigation: Set up release schedule, hold software vendors to security standards & verify standards are met

9. System Monitoring

– Threat: Platform not monitored on continual basis, setting up reactive posture: after the fact

– Mitigation: Set up constant monitoring of environment using data driven alert

10. Testing

– Threat: Infrequent penetration tests and application security scans

– Mitigation: Develop penetration testing schedule and remediation review quarterly

Page 34: Big Data Security and Governance

Top 10 Data Architecture Vulnerabilities

[Graphic: twelve numbered segments (1–12) carrying only the repeated labels User Authentication, Applications, Hardware and Encryption keys]

Page 35: Big Data Security and Governance

Points of Attack - Enterprise Information Management

1. Co-mingling of data

– Threat: Sensitive data - encrypted/tokenized/hashed is comingled with non-sensitive data

– Mitigation: Use physical or logical separation between data types.

2. Applications

– Threat: Reliant on applications to control access to data and enforce data security standards

– Mitigation: Apply security at the table, field and element level, as well as application level

3. Access Controls

– Threat: Users have access to data they should not, or access to data that is unnecessary

– Mitigation: Use role based access control - Apply fine-grained data access controls

4. Key Storage

– Threat: Encryption Keys stored with the data they encrypt.

– Mitigation: Store encryption keys in a separate location away from data and limit access through control processes

5. Data Movement

– Threat: Sensitive data is not encrypted on disk/at-rest or on the wire motion.

– Mitigation: Encrypt all sensitive data on disk/at-rest or on the wire motion.

Page 36: Big Data Security and Governance

Points of Attack - Enterprise Information Management

Data - Architecture, Governance, Management

6. Security & Operational Configurations

– Threat: Security and operational configurations are not documented or reviewed regularly

– Mitigation: Document all configurations, develop audit trail for changes, review configurations yearly

7. Data Logs

– Threat: Sensitive data is written to system logs in an unprotected form

– Mitigation: Metadata carries security throughout the data trail and enables enforcement

8. Governance standards

– Threat: Little to no governance standards and rules exist; if they do, they are focused on data quality

– Mitigation: Document standards, set up review cycle at minimum yearly and include data usage as part of the standards

9. Response & Business Continuity Plans

– Threat: Information security response and business continuity plan does not exist or is not reviewed/exercised on a regular basis

– Mitigation: Yearly review and revision of each plan using a cross functional team: Infosec, IT, Operations, Legal

10. Data Usage Monitoring

– Threat: Data usage either not monitored on continual basis or is buried in logs with no one looking at them

– Mitigation: Set automated thresholds and measurements using data to drive exception alerts

