Comprehensive Security for the Enterprise:
Protecting Data-at-Rest & in Motion
Ritu Kama, Director Product Management, Intel
Sam Heywood, Director Product Management - Security, Cloudera
“Mike”, CTO, Financial Services Company
©2014 Cloudera, Inc. All rights reserved.

Cloudera’s Vision for Hadoop Security

Compliance-Ready
• Meet compliance requirements
• HIPAA, PCI-DSS, FERPA, etc.
• Encryption and key management

Comprehensive
• Standards-based Authentication
• Centralized, Granular Authorization
• Native Data Protection
• End-to-End Data Audit and Lineage

Transparent
• Security at the core
• Minimal performance impact
• Compatible with new components
• Insight with compliance
Project Rhino — Overview

Contributed by Intel in 2013

Blueprint for enterprise-grade security:
• Data Encryption
• Authentication and Single Sign-On
• Fine-grained Authorization
• Audit

Achieves its goals & is open source:
• Encryption and fine-grained access controls have been added to Apache HBase
https://github.com/intel-hadoop/project-rhino/

CONFIDENTIAL: Reproduction or redistribution without written permission is prohibited.
Project Rhino
Rhino Goal: Encryption and Key Management Framework

Cloudera and Intel engineers are now contributing HDFS encryption capabilities that can plug into enterprise key managers.

NOTE: Enterprise key management, compliant key storage, and encrypting sensitive data outside of HDFS are not addressed.
Project Rhino Scope
(Component diagram; recoverable labels: Apache ZooKeeper, Apache Bigtop)
Combining strengths
Converged CDH + IDH open source platform by end of 2014

• Leading in stability, compatibility, continuity
• Leading SQL functionality & performance
• Leading management capabilities
• 150 engineers, 100 open source committers

• Leading security feature set
• Leading silicon optimizations
• 50 engineers, 12 open source committers

• Leading Big Data encryption and key management solution
• 40+ employees with maniacal focus on Big Data Security
Key Requirements for Security in Hadoop

Perimeter: Guarding access to the cluster itself
Technical Concepts: Authentication, Network isolation

Data: Protecting data in the cluster from unauthorized visibility
Technical Concepts: Encryption, Tokenization, Data masking

Access: Defining what users and applications can do with data
Technical Concepts: Permissions, Authorization

Visibility: Reporting on where data came from and how it’s being used
Technical Concepts: Auditing, Lineage
Guard the Perimeter

Perimeter: Kerberos | AD/LDAP

Preserve multiple entry points while providing strong authentication that’s easy to manage
• Kerberos
  • Industry Standard
  • Integrated into Manager
• LDAP/AD
  • Username/Password
• SAML
  • Single Sign-On
Control Access

Perimeter: Kerberos | AD/LDAP
Access: Sentry | Rhino
Visibility: Cloudera Navigator
Data: Encrypt | Key Trustee

Sentry
• Apache project contributed by Cloudera in 2013
• Unified authorization for Hive, Impala and Search

Rhino
• Contributed by Intel in 2013
• Blueprint for enterprise-grade security, including authorization
Protecting Data At Rest & In Motion

Perimeter: Kerberos | AD/LDAP
Access: Sentry
Data: Encrypt | Key Trustee

Navigator encrypt
• Compliance-Ready
• Transparent encryption for Hadoop data that’s highly performant, scalable, and easy to deploy
• Integrated into Navigator

Navigator key trustee
• Compliance-Ready
• Enterprise key management for encryption keys, certificates, and passwords
• Integrated into Navigator
Now Available: Cloudera Navigator encrypt + Cloudera Navigator key trustee

Compliance-Ready Transparent Encryption and Key Management
• Transparent protection for all data and metadata
• Enterprise Key Management for all Hadoop encryption keys

(Architecture diagram: Cloudera’s Enterprise Data Hub; recoverable labels: 3rd Party Apps; Batch Processing MapReduce; Analytic SQL Impala; Search Engine Solr; Machine Learning Spark; Stream Processing Spark Streaming; Workload Management YARN; Filesystem HDFS; Online NoSQL HBase; Storage for any type of data, unified, elastic, resilient, secure; Sentry; Data Management Cloudera Navigator; System Management Cloudera Manager)
Navigator encrypt

Navigator encrypt provides transparent encryption for Hadoop data as it’s written to disk
• AES-256 encryption for HDFS data, Hive metadata, log files, ingest paths, etc.
• Process-based ACLs
• High performance, optimized on Intel
• Fast, easy deployment with Cloudera Parcel
• Enterprise scalability
• Keys protected by Navigator key trustee
Navigator key trustee

Navigator key trustee is a “virtual safe-deposit box” for managing encrypt keys or any other Hadoop security artifact
• Separates keys from encrypted data
• Centralized management of SSL certificates, SSH keys, tokens, passwords, Kerberos keytab files and more
• Unique “trustee” and machine-based policies deliver multifactor authentication
• Integration with HSMs from Thales, RSA and SafeNet
Ease of Deployment
• Install encryption client
  • Cloudera parcel
  • Package managers (yum, apt-get), Chef, Puppet, Ansible
• Configure key trustee account and store master key
  • Passphrase method (optional “split security”)
  • Key file method
• Create ACLs
  • Almost any process, executable, script can be ‘trusted’
  • Profile allows control of Jar files and other Java parameters
• Encrypt data
Key components of PCI

Columns: Requirement; Customer; Cloudera Navigator Encrypt; Sentry; Kerberos; Core (✔ marks which component addresses each requirement; column position of each ✔ not preserved)
✔ Install and maintain a firewall
✔ Do not use vendor-supplied defaults
✔ ✔ Protect stored cardholder data
✔ Encrypt transmission of cardholder data across open, public networks
✔ Use and regularly update anti-virus software
✔ ✔ Develop and maintain secure systems and applications
✔ ✔ Restrict access to cardholder data by business need-to-know
✔ Assign a unique ID to each person with computer access
✔ Restrict physical access to cardholder data
✔ Track and monitor all access to network resources and cardholder data
✔ Regularly test security systems and processes
Maintain an Information Security Policy
✔ ✔ Maintain a policy that addresses information security
Key Components of HIPAA
Ref: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf

Columns: Requirement; Customer; Cloudera Navigator Encrypt; Sentry; Kerberos (✔ marks which component addresses each requirement; column position of each ✔ not preserved)
✔ Unique User Identification: Assign a unique name and/or number for identifying and tracking user identity.
✔ Emergency Access Procedure: Establish procedures for obtaining necessary ePHI during an emergency.
✔ Automatic Logoff: Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
✔ Encryption and Decryption: Implement a mechanism to encrypt and decrypt ePHI.
✔ ✔ ✔ Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
✔ Mechanism to Authenticate ePHI: Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.
✔ Authentication: Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.
✔ Transmission Security - Integrity Controls: Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of.
✔ Transmission Security - Encryption: Implement a mechanism to encrypt ePHI whenever deemed appropriate.
Case Study
• The App
• Cloud Security Challenges
• Evolving the Approach
The App
• Customer transaction data
• Could reveal strategic investment of customer resources
• Could expose customers to public embarrassment/inquiry
Cloud Security Challenges
• Sensitive financial data in cloud-hosted SaaS?
  • Payment card and bank account information
  • Financial transactions, inc. payer, payee, amounts, methods, etc.
  • API keys for banks integrated into system
• What was happening when cloud data security topic came up
  • Level of effort to address
  • Effect on sales cycle
Evolving the Approach
• Switching cloud providers
• Doubling down on data encryption
• Customer reactions to this…
Twofold Business Impact
• Considered by customers they couldn’t sell to before
• Considerably less effort & shortening sales cycles
What’s Next?
Mike’s crystal ball
Key Requirements for Security in Hadoop (webinar series)
Perimeter | Data | Access | Visibility
Status labels on the slide: Available On-Demand; Available On-Demand; Available Soon; Register for Aug 7 Webinar
Hadoop Security Meetup
Enterprise Security for Apache Hadoop: Finding and Filling the Gaps
• Wed. July 23rd (tomorrow!)
• 6pm-9pm
• @HP in Sunnyvale, CA
• Presented by The Hive Big Data Think Tank
Thank You!

Más contenido relacionado

La actualidad más candente

Hadoop Security Today and Tomorrow
Hadoop Security Today and TomorrowHadoop Security Today and Tomorrow
Hadoop Security Today and Tomorrow
DataWorks Summit
 

La actualidad más candente (20)

Big Data Security with Hadoop
Big Data Security with HadoopBig Data Security with Hadoop
Big Data Security with Hadoop
 
Apache Sentry for Hadoop security
Apache Sentry for Hadoop securityApache Sentry for Hadoop security
Apache Sentry for Hadoop security
 
Article data-centric security key to cloud and digital business
Article   data-centric security key to cloud and digital businessArticle   data-centric security key to cloud and digital business
Article data-centric security key to cloud and digital business
 
Hadoop Security: Overview
Hadoop Security: OverviewHadoop Security: Overview
Hadoop Security: Overview
 
Securing the Hadoop Ecosystem
Securing the Hadoop EcosystemSecuring the Hadoop Ecosystem
Securing the Hadoop Ecosystem
 
Hadoop Security Features That make your risk officer happy
Hadoop Security Features That make your risk officer happyHadoop Security Features That make your risk officer happy
Hadoop Security Features That make your risk officer happy
 
Hadoop security @ Philly Hadoop Meetup May 2015
Hadoop security @ Philly Hadoop Meetup May 2015Hadoop security @ Philly Hadoop Meetup May 2015
Hadoop security @ Philly Hadoop Meetup May 2015
 
Hadoop security
Hadoop securityHadoop security
Hadoop security
 
Big data security
Big data securityBig data security
Big data security
 
Open Source Security Tools for Big Data
Open Source Security Tools for Big DataOpen Source Security Tools for Big Data
Open Source Security Tools for Big Data
 
April 2014 HUG : Apache Sentry
April 2014 HUG : Apache SentryApril 2014 HUG : Apache Sentry
April 2014 HUG : Apache Sentry
 
Hadoop Security Today & Tomorrow with Apache Knox
Hadoop Security Today & Tomorrow with Apache KnoxHadoop Security Today & Tomorrow with Apache Knox
Hadoop Security Today & Tomorrow with Apache Knox
 
Hadoop Security Features that make your risk officer happy
Hadoop Security Features that make your risk officer happyHadoop Security Features that make your risk officer happy
Hadoop Security Features that make your risk officer happy
 
Hadoop Operations: How to Secure and Control Cluster Access
Hadoop Operations: How to Secure and Control Cluster AccessHadoop Operations: How to Secure and Control Cluster Access
Hadoop Operations: How to Secure and Control Cluster Access
 
Hadoop security overview_hit2012_1117rev
Hadoop security overview_hit2012_1117revHadoop security overview_hit2012_1117rev
Hadoop security overview_hit2012_1117rev
 
Sentry - An Introduction
Sentry - An Introduction Sentry - An Introduction
Sentry - An Introduction
 
Hadoop Security Today and Tomorrow
Hadoop Security Today and TomorrowHadoop Security Today and Tomorrow
Hadoop Security Today and Tomorrow
 
BigData Security - A Point of View
BigData Security - A Point of ViewBigData Security - A Point of View
BigData Security - A Point of View
 
Hadoop Security Architecture
Hadoop Security ArchitectureHadoop Security Architecture
Hadoop Security Architecture
 
Overview of HDFS Transparent Encryption
Overview of HDFS Transparent Encryption Overview of HDFS Transparent Encryption
Overview of HDFS Transparent Encryption
 

Destacado

Destacado (15)

One Hadoop, Multiple Clouds
One Hadoop, Multiple CloudsOne Hadoop, Multiple Clouds
One Hadoop, Multiple Clouds
 
Data: Open for Good and Secure by Default | Eddie Garcia
Data: Open for Good and Secure by Default | Eddie GarciaData: Open for Good and Secure by Default | Eddie Garcia
Data: Open for Good and Secure by Default | Eddie Garcia
 
Securing Your Apache Spark Applications
Securing Your Apache Spark ApplicationsSecuring Your Apache Spark Applications
Securing Your Apache Spark Applications
 
Tech Backpack Brief v1
Tech Backpack Brief v1Tech Backpack Brief v1
Tech Backpack Brief v1
 
Using Big Data to Transform Your Customer’s Experience - Part 1

Using Big Data to Transform Your Customer’s Experience - Part 1
Using Big Data to Transform Your Customer’s Experience - Part 1

Using Big Data to Transform Your Customer’s Experience - Part 1

 
Analyzing Hadoop Data Using Sparklyr

Analyzing Hadoop Data Using Sparklyr
Analyzing Hadoop Data Using Sparklyr

Analyzing Hadoop Data Using Sparklyr

 
Part 1: Cloudera’s Analytic Database: BI & SQL Analytics in a Hybrid Cloud World
Part 1: Cloudera’s Analytic Database: BI & SQL Analytics in a Hybrid Cloud WorldPart 1: Cloudera’s Analytic Database: BI & SQL Analytics in a Hybrid Cloud World
Part 1: Cloudera’s Analytic Database: BI & SQL Analytics in a Hybrid Cloud World
 
Top 5 IoT Use Cases
Top 5 IoT Use CasesTop 5 IoT Use Cases
Top 5 IoT Use Cases
 
Data Engineering: Elastic, Low-Cost Data Processing in the Cloud
Data Engineering: Elastic, Low-Cost Data Processing in the CloudData Engineering: Elastic, Low-Cost Data Processing in the Cloud
Data Engineering: Elastic, Low-Cost Data Processing in the Cloud
 
Part 1: Lambda Architectures: Simplified by Apache Kudu
Part 1: Lambda Architectures: Simplified by Apache KuduPart 1: Lambda Architectures: Simplified by Apache Kudu
Part 1: Lambda Architectures: Simplified by Apache Kudu
 
Part 2: Cloudera’s Operational Database: Unlocking New Benefits in the Cloud
Part 2: Cloudera’s Operational Database: Unlocking New Benefits in the CloudPart 2: Cloudera’s Operational Database: Unlocking New Benefits in the Cloud
Part 2: Cloudera’s Operational Database: Unlocking New Benefits in the Cloud
 
Gartner Data and Analytics Summit: Bringing Self-Service BI & SQL Analytics ...
 Gartner Data and Analytics Summit: Bringing Self-Service BI & SQL Analytics ... Gartner Data and Analytics Summit: Bringing Self-Service BI & SQL Analytics ...
Gartner Data and Analytics Summit: Bringing Self-Service BI & SQL Analytics ...
 
Part 2: Apache Kudu: Extending the Capabilities of Operational and Analytic D...
Part 2: Apache Kudu: Extending the Capabilities of Operational and Analytic D...Part 2: Apache Kudu: Extending the Capabilities of Operational and Analytic D...
Part 2: Apache Kudu: Extending the Capabilities of Operational and Analytic D...
 
Enabling the Connected Car Revolution

Enabling the Connected Car Revolution
Enabling the Connected Car Revolution

Enabling the Connected Car Revolution

 
Kudu Forrester Webinar
Kudu Forrester WebinarKudu Forrester Webinar
Kudu Forrester Webinar
 

Similar a Comprehensive Security for the Enterprise III: Protecting Data at Rest and In Motion

The Future of Data Management - the Enterprise Data Hub
The Future of Data Management - the Enterprise Data HubThe Future of Data Management - the Enterprise Data Hub
The Future of Data Management - the Enterprise Data Hub
DataWorks Summit
 

Similar a Comprehensive Security for the Enterprise III: Protecting Data at Rest and In Motion (20)

The Future of Data Management - the Enterprise Data Hub
The Future of Data Management - the Enterprise Data HubThe Future of Data Management - the Enterprise Data Hub
The Future of Data Management - the Enterprise Data Hub
 
Fighting cyber fraud with hadoop
Fighting cyber fraud with hadoopFighting cyber fraud with hadoop
Fighting cyber fraud with hadoop
 
Seeking Cybersecurity--Strategies to Protect the Data
Seeking Cybersecurity--Strategies to Protect the DataSeeking Cybersecurity--Strategies to Protect the Data
Seeking Cybersecurity--Strategies to Protect the Data
 
Cloudera GoDataFest Security and Governance
Cloudera GoDataFest Security and GovernanceCloudera GoDataFest Security and Governance
Cloudera GoDataFest Security and Governance
 
Intel boubker el mouttahid
Intel boubker el mouttahidIntel boubker el mouttahid
Intel boubker el mouttahid
 
大数据数据安全
大数据数据安全大数据数据安全
大数据数据安全
 
Cloudera training secure your cloudera cluster 7.10.18
Cloudera training secure your cloudera cluster 7.10.18Cloudera training secure your cloudera cluster 7.10.18
Cloudera training secure your cloudera cluster 7.10.18
 
Hadoop security implementationon 20171003
Hadoop security implementationon 20171003Hadoop security implementationon 20171003
Hadoop security implementationon 20171003
 
Security implementation on hadoop
Security implementation on hadoopSecurity implementation on hadoop
Security implementation on hadoop
 
Webinar: Enable ServiceNow with Data Security, Visibility, and Compliance
Webinar: Enable ServiceNow with Data Security, Visibility, and ComplianceWebinar: Enable ServiceNow with Data Security, Visibility, and Compliance
Webinar: Enable ServiceNow with Data Security, Visibility, and Compliance
 
The Key to Strong Cloud Security
The Key to Strong Cloud SecurityThe Key to Strong Cloud Security
The Key to Strong Cloud Security
 
Application security meetup - cloud security best practices 24062021
Application security meetup - cloud security best practices 24062021Application security meetup - cloud security best practices 24062021
Application security meetup - cloud security best practices 24062021
 
Hadoop and Financial Services
Hadoop and Financial ServicesHadoop and Financial Services
Hadoop and Financial Services
 
大数据数据治理及数据安全
大数据数据治理及数据安全大数据数据治理及数据安全
大数据数据治理及数据安全
 
Preparing for the Cybersecurity Renaissance
Preparing for the Cybersecurity RenaissancePreparing for the Cybersecurity Renaissance
Preparing for the Cybersecurity Renaissance
 
Cloudera training: secure your Cloudera cluster
Cloudera training: secure your Cloudera clusterCloudera training: secure your Cloudera cluster
Cloudera training: secure your Cloudera cluster
 
Hadoop and Manufacturing
Hadoop and ManufacturingHadoop and Manufacturing
Hadoop and Manufacturing
 
Let's Discuss Security with SFWelly
Let's Discuss Security with SFWellyLet's Discuss Security with SFWelly
Let's Discuss Security with SFWelly
 
Jak využít cloudu pro zvýšení bezpečnosti vašeho IT
Jak využít cloudu pro zvýšení bezpečnosti vašeho ITJak využít cloudu pro zvýšení bezpečnosti vašeho IT
Jak využít cloudu pro zvýšení bezpečnosti vašeho IT
 
Webinar hiware
Webinar hiwareWebinar hiware
Webinar hiware
 

Más de Cloudera, Inc.

Más de Cloudera, Inc. (20)

Partner Briefing_January 25 (FINAL).pptx
Partner Briefing_January 25 (FINAL).pptxPartner Briefing_January 25 (FINAL).pptx
Partner Briefing_January 25 (FINAL).pptx
 
Cloudera Data Impact Awards 2021 - Finalists
Cloudera Data Impact Awards 2021 - Finalists Cloudera Data Impact Awards 2021 - Finalists
Cloudera Data Impact Awards 2021 - Finalists
 
2020 Cloudera Data Impact Awards Finalists
2020 Cloudera Data Impact Awards Finalists2020 Cloudera Data Impact Awards Finalists
2020 Cloudera Data Impact Awards Finalists
 
Edc event vienna presentation 1 oct 2019
Edc event vienna presentation 1 oct 2019Edc event vienna presentation 1 oct 2019
Edc event vienna presentation 1 oct 2019
 
Machine Learning with Limited Labeled Data 4/3/19
Machine Learning with Limited Labeled Data 4/3/19Machine Learning with Limited Labeled Data 4/3/19
Machine Learning with Limited Labeled Data 4/3/19
 
Data Driven With the Cloudera Modern Data Warehouse 3.19.19
Data Driven With the Cloudera Modern Data Warehouse 3.19.19Data Driven With the Cloudera Modern Data Warehouse 3.19.19
Data Driven With the Cloudera Modern Data Warehouse 3.19.19
 
Introducing Cloudera DataFlow (CDF) 2.13.19
Introducing Cloudera DataFlow (CDF) 2.13.19Introducing Cloudera DataFlow (CDF) 2.13.19
Introducing Cloudera DataFlow (CDF) 2.13.19
 
Introducing Cloudera Data Science Workbench for HDP 2.12.19
Introducing Cloudera Data Science Workbench for HDP 2.12.19Introducing Cloudera Data Science Workbench for HDP 2.12.19
Introducing Cloudera Data Science Workbench for HDP 2.12.19
 
Shortening the Sales Cycle with a Modern Data Warehouse 1.30.19
Shortening the Sales Cycle with a Modern Data Warehouse 1.30.19Shortening the Sales Cycle with a Modern Data Warehouse 1.30.19
Shortening the Sales Cycle with a Modern Data Warehouse 1.30.19
 
Leveraging the cloud for analytics and machine learning 1.29.19
Leveraging the cloud for analytics and machine learning 1.29.19Leveraging the cloud for analytics and machine learning 1.29.19
Leveraging the cloud for analytics and machine learning 1.29.19
 
Modernizing the Legacy Data Warehouse – What, Why, and How 1.23.19
Modernizing the Legacy Data Warehouse – What, Why, and How 1.23.19Modernizing the Legacy Data Warehouse – What, Why, and How 1.23.19
Modernizing the Legacy Data Warehouse – What, Why, and How 1.23.19
 
Leveraging the Cloud for Big Data Analytics 12.11.18
Leveraging the Cloud for Big Data Analytics 12.11.18Leveraging the Cloud for Big Data Analytics 12.11.18
Leveraging the Cloud for Big Data Analytics 12.11.18
 
Modern Data Warehouse Fundamentals Part 3
Modern Data Warehouse Fundamentals Part 3Modern Data Warehouse Fundamentals Part 3
Modern Data Warehouse Fundamentals Part 3
 
Modern Data Warehouse Fundamentals Part 2
Modern Data Warehouse Fundamentals Part 2Modern Data Warehouse Fundamentals Part 2
Modern Data Warehouse Fundamentals Part 2
 
Modern Data Warehouse Fundamentals Part 1
Modern Data Warehouse Fundamentals Part 1Modern Data Warehouse Fundamentals Part 1
Modern Data Warehouse Fundamentals Part 1
 
Extending Cloudera SDX beyond the Platform
Extending Cloudera SDX beyond the PlatformExtending Cloudera SDX beyond the Platform
Extending Cloudera SDX beyond the Platform
 
Federated Learning: ML with Privacy on the Edge 11.15.18
Federated Learning: ML with Privacy on the Edge 11.15.18Federated Learning: ML with Privacy on the Edge 11.15.18
Federated Learning: ML with Privacy on the Edge 11.15.18
 
Analyst Webinar: Doing a 180 on Customer 360
Analyst Webinar: Doing a 180 on Customer 360Analyst Webinar: Doing a 180 on Customer 360
Analyst Webinar: Doing a 180 on Customer 360
 
Build a modern platform for anti-money laundering 9.19.18
Build a modern platform for anti-money laundering 9.19.18Build a modern platform for anti-money laundering 9.19.18
Build a modern platform for anti-money laundering 9.19.18
 
Introducing the data science sandbox as a service 8.30.18
Introducing the data science sandbox as a service 8.30.18Introducing the data science sandbox as a service 8.30.18
Introducing the data science sandbox as a service 8.30.18
 

Último

The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is inside
shinachiaurasa2
 

Último (20)

Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112  Starting From 5K to 15K High Profile Escorts ...Chinsurah Escorts ☎️8617697112  Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
 
The Top App Development Trends Shaping the Industry in 2024-25 .pdf
The Top App Development Trends Shaping the Industry in 2024-25 .pdfThe Top App Development Trends Shaping the Industry in 2024-25 .pdf
The Top App Development Trends Shaping the Industry in 2024-25 .pdf
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
Pharm-D Biostatistics and Research methodology
Pharm-D Biostatistics and Research methodologyPharm-D Biostatistics and Research methodology
Pharm-D Biostatistics and Research methodology
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
 
BUS PASS MANGEMENT SYSTEM USING PHP.pptx
BUS PASS MANGEMENT SYSTEM USING PHP.pptxBUS PASS MANGEMENT SYSTEM USING PHP.pptx
BUS PASS MANGEMENT SYSTEM USING PHP.pptx
 
10 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 202410 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 2024
 
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems -The Print[A] Example- A Comprehension AidDirect Style Effect Systems -The Print[A] Example- A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdf
 
The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is inside
 
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdfPayment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
 
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park %in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students
 

Comprehensive Security for the Enterprise III: Protecting Data at Rest and In Motion

  • 1. 1 Comprehensive Security for the Enterprise: Protecting Data-at-Rest & in Motion Ritu Kama, Director Product Management, Intel Sam Heywood, Director Product Management - Security, Cloudera “Mike”, CTO, Financial Services Company
  • 2. 2 ©2014 Cloudera, Inc. All rights reserved. Cloudera’s Vision for Hadoop Security: Compliance-Ready, Comprehensive, Transparent • Standards-based Authentication • Centralized, Granular Authorization • Native Data Protection • End-to-End Data Audit and Lineage • Meet compliance requirements • HIPAA, PCI-DSS, FERPA, etc… • Encryption and key management • Security at the core • Minimal performance impact • Compatible with new components • Insight with compliance
  • 3. 3 Project Rhino — Overview. Contributed by Intel in 2013. Blueprint for enterprise-grade security: • Data Encryption • Authentication and Single Sign-On • Fine-grained Authorization • Audit. Achieves its goals & is open source: • Encryption and fine-grained access controls have been added to Apache HBase. https://github.com/intel-hadoop/project-rhino/ ©2014 Cloudera, Inc. All Rights Reserved. CONFIDENTIAL: Reproduction or redistribution without written permission is prohibited.
  • 4. 4 Project Rhino. Rhino Goal: Encryption and Key Management Framework. Cloudera and Intel engineers are now contributing HDFS encryption capabilities that can plug into enterprise key managers. NOTE: Enterprise key management, compliant key storage, and encrypting sensitive data outside of HDFS are not addressed.
  • 5. 5 Project Rhino Scope (slide graphic; recoverable labels: Apache ZooKeeper, Apache Bigtop)
  • 6. 6 Combining strengths. Converged CDH + IDH open source platform by end of 2014. • Leading in stability, compatibility, continuity • Leading SQL functionality & performance • Leading management capabilities • 150 engineers, 100 open source committers • Leading security feature set • Leading silicon optimizations • 50 engineers, 12 open source committers • Leading Big Data encryption and key management solution • 40+ employees with maniacal focus on Big Data Security
  • 7. 7 Key Requirements for Security in Hadoop. Perimeter: Guarding access to the cluster itself. Technical Concepts: Authentication, Network isolation. Data: Protecting data in the cluster from unauthorized visibility. Technical Concepts: Encryption, Tokenization, Data masking. Access: Defining what users and applications can do with data. Technical Concepts: Permissions, Authorization. Visibility: Reporting on where data came from and how it’s being used. Technical Concepts: Auditing, Lineage.
  • 8. 8 Guard the Perimeter (Perimeter pillar of the four-pillar diagram from slide 7; label: Kerberos | AD/LDAP). Preserve multiple entry points while providing strong authentication that’s easy to manage • Kerberos • Industry Standard • Integrated into Manager • LDAP/AD • Username/Password • SAML • Single Sign-On
  • 9. 9 Control Access (four-pillar diagram from slide 7, labelled Perimeter: Kerberos | AD/LDAP; Access: Sentry | Rhino; Data: Encrypt | Key Trustee; Visibility: Cloudera Navigator). Sentry • Apache project contributed by Cloudera in 2013 • Unified authorization for Hive, Impala and Search. Rhino • Contributed by Intel in 2013 • Blueprint for enterprise-grade security, including authorization
  • 10. 10 Protecting Data At Rest & In Motion (four-pillar diagram from slide 7, labelled Perimeter: Kerberos | AD/LDAP; Access: Sentry; Data: Encrypt | Key Trustee). Navigator encrypt • Compliance-Ready • Transparent encryption for Hadoop data that’s highly performant, scalable, and easy to deploy • Integrated into Navigator. Navigator key trustee • Compliance-Ready • Enterprise key management for encryption keys, certificates, and passwords • Integrated into Navigator
  • 11. 11 Now Available: Cloudera Navigator encrypt + Cloudera Navigator key trustee. Compliance-Ready Transparent Encryption and Key Management (architecture graphic of Cloudera’s Enterprise Data Hub: 3rd party apps; batch processing MapReduce; analytic SQL Impala; search engine Solr; machine learning Spark; stream processing Spark Streaming; workload management YARN; filesystem HDFS; online NoSQL HBase; storage for any type of data, unified, elastic, resilient, secure; Sentry; data management Cloudera Navigator; system management Cloudera Manager)
  • 12. 12 Now Available: Cloudera Navigator encrypt + Cloudera Navigator key trustee • Transparent protection for all data and metadata • Enterprise Key Management for all Hadoop encryption keys
  • 13. 13 Navigator encrypt. Navigator encrypt provides transparent encryption for Hadoop data as it’s written to disk • AES-256 encryption for HDFS data, Hive metadata, log files, ingest paths, etc... • Process-based ACLs • High-performance optimized on Intel • Fast, easy deployment with Cloudera Parcel • Enterprise scalability • Keys protected by Navigator key trustee
  • 14. 14 Navigator key trustee. Navigator key trustee is a “virtual safe-deposit box” for managing encrypt keys or any other Hadoop security artifact • Separates keys from encrypted data • Centralized management of SSL certificates, SSH keys, tokens, passwords, Kerberos keytab files and more • Unique “trustee” and machine-based policies deliver multifactor authentication • Integration with HSMs from Thales, RSA and SafeNet
  • 15. 15 Ease of Deployment • Install encryption client (Cloudera parcel; package managers such as yum and apt-get; Chef, Puppet, Ansible) • Configure key trustee account and store master key (passphrase method, with optional “split security”; key file method) • Create ACLs (almost any process, executable or script can be ‘trusted’; a profile allows control of Jar files and other Java parameters) • Encrypt data
  • 16. 16 Key components of PCI (table: requirements checked ✔ against the columns Customer, Cloudera Navigator Encrypt, Sentry, Kerberos and Core) ✔ Install and maintain a firewall ✔ Do not use vendor-supplied defaults ✔ ✔ Protect stored cardholder data ✔ Encrypt transmission of cardholder data across open, public networks ✔ Use and regularly update anti-virus software ✔ ✔ Develop and maintain secure systems and applications ✔ ✔ Restrict access to cardholder data by business need-to-know ✔ Assign a unique ID to each person with computer access ✔ Restrict physical access to cardholder data ✔ Track and monitor all access to network resources and cardholder data ✔ Regularly test security systems and processes Maintain an Information Security Policy ✔ ✔ Maintain a policy that addresses information security
  • 17. 17 Key Components of HIPAA (Ref: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf; table: requirements checked ✔ against the columns Customer, Cloudera Navigator Encrypt, Sentry and Kerberos) ✔ Unique User Identification: Assign a unique name and/or number for identifying and tracking user identity. ✔ Emergency Access Procedure: Establish procedures for obtaining necessary ePHI during an emergency. ✔ Automatic Logoff: Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. ✔ Encryption and Decryption: Implement a mechanism to encrypt and decrypt ePHI. ✔ ✔ ✔ Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI. ✔ Mechanism to Authenticate ePHI: Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner. ✔ Authentication: Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed. ✔ Transmission Security - Integrity Controls: Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of. ✔ Transmission Security – Encryption: Implement a mechanism to encrypt ePHI whenever deemed appropriate.
  • 18. 18 Case Study • The App • Cloud Security Challenges • Evolving the Approach
  • 19. 19 The App • Customer transaction data • Could reveal strategic investment of customer resources • Could expose customers to public embarrassment/inquiry
  • 20. 20 Cloud Security Challenges • Sensitive financial data in cloud-hosted SaaS? • Payment card and bank account information • Financial transactions, incl. payer, payee, amounts, methods, etc. • API keys for banks integrated into system • What was happening when cloud data security topic came up • Level of effort to address • Effect on sales cycle
  • 21. 21 Evolving the Approach • Switching cloud providers • Customer reactions to this…
  • 22. 22 Evolving the Approach • Switching cloud providers • Doubling down on data encryption • Customer reactions to this…
  • 23. 23 Twofold Business Impact • Considered by customers they couldn’t sell to before • Considerably less effort & shortening sales cycles
  • 24. 24 What’s Next? Mike’s crystal ball
  • 25. 25 Key Requirements for Security in Hadoop (four-pillar diagram from slide 7, annotated: Available On-Demand; Available On Demand; Available Soon; Register for Aug 7 Webinar)
  • 26. 26 Hadoop Security Meetup: Enterprise Security for Apache Hadoop: Finding and Filling the Gaps • Wed. July 23rd (tomorrow!) • 6pm-9pm • @HP in Sunnyvale, CA • Presented by The Hive Big Data Think Tank
  • 27. 27 Thank You!
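Slides 13 to 15 describe the design behind Navigator encrypt and key trustee: AES-256 data encryption, keys kept apart from the encrypted data in a trustee, and keys released only to ACL'd processes on machines the trustee's policy accepts. The Go program below is an added model of that design and is not Cloudera's code: a toy Trustee holds a master key (KEK), a mount's data key is stored beside the data wrapped as Seal(KEK, dek), and Release hands it back only when both the machine policy and the process ACL pass. Host names, process paths and mount names are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Trustee holds the master key apart from the data it protects and releases a
// mount's data key only when the machine policy and the process ACL both pass.
type Trustee struct {
	KEK      [32]byte                   // master key; never leaves the trustee
	Machines map[string]bool            // machine-based policy: registered hosts
	ACL      map[string]map[string]bool // process ACL: mount -> process -> allowed
}

// gcm builds AES-256-GCM; neither constructor can fail for a 32-byte key.
func gcm(key [32]byte) cipher.AEAD {
	b, _ := aes.NewCipher(key[:])
	g, _ := cipher.NewGCM(b)
	return g
}
// Seal encrypts with a fresh random 12-byte nonce prefixed to the ciphertext.
func Seal(key [32]byte, plain []byte) []byte {
	nonce := make([]byte, 12)
	rand.Read(nonce)
	return gcm(key).Seal(nonce, nonce, plain, nil)
}
// Open reverses Seal; a wrong key or a tampered blob fails GCM authentication.
func Open(key [32]byte, blob []byte) ([]byte, error) {
	if len(blob) < 12 {
		return nil, errors.New("truncated ciphertext")
	}
	return gcm(key).Open(nil, blob[:12], blob[12:], nil)
}
// Release unwraps a mount's data key for a registered host AND an ACL'd process: two factors.
func (t *Trustee) Release(host, process, mount string, wrapped []byte) (dek [32]byte, err error) {
	if !t.Machines[host] {
		return dek, errors.New("machine not registered with trustee")
	}
	if !t.ACL[mount][process] {
		return dek, errors.New("process not in ACL for mount " + mount)
	}
	raw, err := Open(t.KEK, wrapped)
	if err == nil && len(raw) != len(dek) {
		err = errors.New("wrapped blob is not a 32-byte key")
	}
	copy(dek[:], raw)
	return dek, err
}
```

A real deployment authenticates the host and process identity before consulting the policy; here both arrive as plain strings so the two-factor check itself stays visible.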