#TDPARTNERS16 GEORGIA WORLD CONGRESS CENTER
Flying Blind: The Promise and Threat of IoT
Reiner Kappenberger, HPE - Global Product Manager, Big Data & IoT
Jay Irwin, Teradata - Director, Center for Enterprise Security
Our digital world is radically changing the risk landscape
– Sophisticated cyber attacks
– Mobile and cloud dissolve the "perimeter"
– Cost and complexity of data protection
– Massive data growth from multiple sources
– External disasters and internal failures
– Hyper-connected sensors and devices create new exposures
– Regulatory pressures: regulatory, privacy and compliance concerns
HPE Security – Data Security: selected customers
A leading expert in data-centric encryption and tokenization solutions for 1,100 of the world's foremost enterprises:
– 8 of the 10 top U.S. banks
– 6 of the 7 top U.S. payment processors
– 3 of the top 5 telephone/mobile operators
– Top 5 global Internet retailer
– Top 5 auto manufacturer
– U.S. Tier 1 home improvement retailer
– Fortune 50 healthcare benefits providers
– Global leaders in retail, insurance and healthcare
– Over 70 million HPE SecureMail users worldwide
Why is securing IoT, Hadoop and Big Data difficult?
– Rapid innovation in a well-funded open source community
– Multiple feeds of data in real time from different sources with different protection needs: mainframe, MQ, RDBMS, XML, Salesforce, flat files
– Multiple types of data combined in a "Data Lake"
Options for securing Big Data with HPE SecureData
[Architecture diagram; recoverable content:] Data flows from a Landing Zone (applications, analytics and data; ETL and batch jobs) into the Hadoop Cluster / Teradata UDA (Hadoop jobs and analytics) and out through an Egress Zone (BI tools and downstream applications). Seven numbered HPE SecureData interface points (1–7) are placed on these paths, on the ETL/batch ingest, on Hadoop jobs and on the egress to BI tools, marking where data changes between unprotected and de-identified form. Legend: application with HPE SecureData interface point, standard application, unprotected data, de-identified data. Storage encryption for HDFS, Teradata and Aster is provided separately by HPE SecureStorage.
Multiple solutions with multiple security gaps
[Diagram; recoverable content:] Traditional IT infrastructure security is a stack of point controls, each covering one layer against its own threat to data:
– Disk encryption (storage) – malware, insiders
– Database encryption (databases) – SQL injection, malware
– SSL/TLS/firewalls (middleware/network) – traffic interceptors
– Authentication management – credential compromise
Data security coverage is drawn per layer (data & applications, file systems, databases, storage, middleware/network, and the wider data ecosystem). Wherever data crosses from one layer to the next, or leaves the ecosystem, it is handled in clear: each boundary between the point controls is a security gap that malware or insiders can exploit.
HPE SecureData provides this protection
[Same diagram with HPE SecureData data-centric security overlaid:] The traditional point controls (disk encryption, database encryption, SSL/TLS/firewalls, authentication management) and the threats they face (malware, insiders, SQL injection, traffic interceptors, credential compromise) are unchanged. Data-centric security protects the data values themselves, so the protection travels with the data end to end across data & applications, file systems, databases, storage, middleware/network and the data ecosystem, closing the gaps between the point controls.
General Data Protection Regulation (GDPR)
European Commission (EC) modernizing data protection legislation
– GDPR, adopted in April 2016 and published in the Official Journal in May 2016, replaces the 1995 EU Data Protection Directive (95/46/EC)
– Applicable across all EU member states and to enterprises anywhere in the world that process the personal data of individuals in the EU
GDPR – new era of data privacy control, compliance and enforcement
– Expands the definition of personal data to include location data, online identifiers, genetic and biometric data, etc.; in U.S. terms, PII, PCI and PHI data must all be secured
– Enterprises have until 25 May 2018 to reach compliance, with significant financial penalties for non-compliance (up to 4% of worldwide annual turnover or EUR 20 million, whichever is higher)
GDPR and Encryption
GDPR calls out encryption as an approach to mitigate the risks associated with the processing of personal data
– Encryption and pseudonymisation are named as appropriate safeguards (Articles 6 and 32), with specific criteria listed
– HPE SecureData with Format-Preserving Encryption (FPE) meets those criteria:
  – encryption does not break existing business processes
  – data can be decrypted if need be, and
  – if breached data was encrypted and the key was not compromised, notification of the affected individuals is not required (Article 34(3)(a)); the breach must still be reported to the supervisory authority unless it is unlikely to result in a risk (Article 33)
Designation of a Data Protection Officer (DPO) is mandatory for public authorities and for organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data (Article 37); the "250 employees / 5,000 data subjects per year" thresholds from the draft text did not survive into the final regulation
– Responsible for monitoring GDPR compliance, including conducting GDPR audits
What does it mean: organisations need to review their entire security posture with a view to understanding the processes and controls that must be implemented to protect the privacy of individuals in the EU
HPE Format-Preserving Encryption (FPE)
– Supports virtually any data type in any format: name, address, dates, numbers, etc.
– Provides Unicode Latin-1 (ISO 8859-1) format- and character-set-preserving encryption for languages such as German, Spanish, French and more
– Preserves referential integrity: the same plaintext always encrypts to the same ciphertext, so joins, lookups and de-duplication still work on protected data
– Only applications that need the original value need change
– Used for production protection and data masking
– NIST standard: the FF1 mode of AES (NIST SP 800-38G)

Example 1
Plaintext: First Name: Gunther, Last Name: Robertson, SSN: 934-72-2356, DOB: 08-07-1966
AES-CBC: Ija&3k24kQotugDF2390^32 0OWioNu2(*872weWOiuqwriuweuwr%oIUOw1@
AES-FPE: First Name: Uywjlqo, Last Name: Muwruwwbp, SSN: 253-67-2356, DOB: 01-02-1972

Example 2
Plaintext: First Name: Jürgen, Last Name: Klinsmann, Chequing Acct: 122105278 674301068
AES-CBC: 8juYE%UkFa2345^WFLE
AES-FPE: First Name: K×ýAçy, Last Name: ĎwlämÜqßr, Chequing Acct #: 122105278 827572346

Note that the AES-CBC output is opaque binary that no longer fits the column, while the FPE output keeps length, character set and separators. The FPE examples also show partial encryption: the last four digits of the SSN and the routing-number prefix of the chequing account are left in clear so that downstream processes that key on them keep working.
HPE Security – Data Security Stateless Architecture
HPE Stateless Key Management and HPE Identity-Based Encryption (IBE)
• Cornerstone of HPE Security – Data Security simplicity and scalability
• Keys are derived dynamically based on identity
• No key database to store, protect and back up (the root secret from which keys are derived is then the asset to protect, which is why the platform is backed by an HSM)
• No need to manually manage keys, certificates, or key databases
• Enables high-performance data protection that scales
• HPE Stateless Key Management used for structured data
• HPE Identity-Based Encryption used for unstructured data
HPE SecureData – Data Security Platform
[Platform diagram; recoverable content:]
Core: HPE SecureData key servers and management console, backed by an HSM and by authentication and authorization sources (e.g. Active Directory), delivering policy-controlled data protection and masking services and clients.
Interfaces:
– HPE SecureData Web Services API (REST, SOAP)
– HPE SecureData native APIs (C, Java, C#, .NET)
– HPE SecureData command lines and automated file parsers; HPE SecureData File Processor
– HPE SecureData z/Protect, z/FPE (mainframe)
– HPE SecureData native UDFs (Teradata, Hadoop and Aster)
– Partner integrations; 3rd party SaaS gateways; mobile apps on iOS and Android devices
– Volume key management for volumes and storage
Protected business applications, data stores and processes: production databases; mainframe applications and databases; HPE NonStop applications and databases; 3rd party applications; enterprise applications; Teradata, Hadoop and Aster; ETL and data integration suites; network interceptors; payment terminals and payment systems; SaaS and PaaS cloud apps; web/cloud applications (AWS, Azure).
HPE SecureData for Teradata UDA – End-to-End Protection
[Teradata Unified Data Architecture diagram with end-to-end protection overlaid; recoverable content:]
– Sources: operational systems (ERP, SCM, CRM), sensors, audio and video, machine logs, text, web and social; customers and partners
– Acquisition / ingest: Listener, for real-time, emerging and multi-genre data
– Data engines: Teradata Database (data warehouse, in memory), Hadoop (data lake), Aster Analytics with R, Spark, Giraph, SAS, SPSS and KXEN (compute cluster), NoSQL (operational)
– Platform services: AppCenter, QueryGrid (virtual query), development (languages, integrated development environment, app framework), data operations; private, hybrid and public cloud deployment
– Access users: engineers, data scientists, business analysts, knowledge workers, marketing executives, through business intelligence and conventional tools
End-to-end protection spans the whole path from sources to users.
Use Case: Leading Telecoms Provider – PII Data Protection in Big Data
Business needs
• Aggregate market and usage data with sensitive PII elements
• Provide wide access to data in the organization without exposing PII
• Strong C-level sensitivity to data breach exposure
• Failed deployment with another solution
• Consistent approach for Teradata, Hadoop and open systems
• Remediate audit concerns related to creating non-production data sets
Solution
• HPE SecureData encrypting sensitive data in Hadoop, Teradata and staging areas
• De-identifying personal, location, mobile device and billing data
• Integration with centralized policies in LDAP
• Storm, Sqoop and Flume used for protection during ingestion; SecureData File Processor for protection in the staging area
• Data cleansing during the ingestion process
Outcome
• Protecting all sensitive data (~48 attributes) in the IDW
• 240 nodes of Hadoop, 28 nodes of Teradata
• Reducing risk through a proven solution and mature methodology
• Moving towards enterprise implementation
• Extending data protection to upstream sources, downstream tools and systems, including IoT
• Meeting existing performance SLAs
• Accelerating the deployment schedule
Leading Telecoms Provider – Big Data Primary Data Flow
[Data-flow diagram; recoverable content:] Sensitive structured sources (60 data sources, 20 million records per day = 1 TB) → Staging Area, where the HPE SecureData File Processor protects files → Hadoop Cluster (250 nodes): ingest via Sqoop, Flume and Storm, MapReduce, Hive UDFs, data cleansing → Data Virtualization layer → Teradata EDW with SecureData UDFs → Analytics & Data Science and Tableau. HPE SecureData key servers and web service APIs serve every protection point, with policies held in LDAP.
Data Breaches in IoT
– The Shodan search engine is only one reminder of why we need to fix IoT security: Shodan lets users browse vulnerable webcams – baby cams, schools, bank back rooms, cash registers in retail stores, etc. (Ars Technica, "Internet of Things Security", by J.M. Porup, Jan 23, 2016)
– Comcast Xfinity Wi-Fi discloses customer names and addresses: Xfinity Wi-Fi reaches 11 million hotspots nationwide, including residential locations (CSO, Nov 19, 2015)
– Jeep owners urged to update cars to stop hackers taking them off the road: security researchers Charlie Miller and Chris Valasek were able to connect to the Uconnect system via an Android phone on the Sprint network (Forbes/Security, Thomas Fox-Brewster, July 21, 2015)
Threats in the IoT space
[Diagram; recoverable labels:] Collector, Control, PMTS, Config, Logging/monitoring, Back-end infrastructure
Deep Thoughts
• Audi's in-vehicle network is split into three segmented subnets, versus a single one in the Cadillac Escalade
• Segregating critical systems is one key step to securing any IoT device
• Over 230,000 Baseboard Management Controllers (BMCs) are exposed to the Internet, and more than 90% of them could be compromised through a handful of basic configuration and protocol weaknesses
• Most managed servers use BMCs that run their own embedded copy of Linux: a second computer, with its own attack surface, inside the server
• Why most wireless routers are still so easy to attack and control
• What will the Security Operations Center (SOC) look like for IoT?
This was just the beginning
What about the:
• Bluetooth ear piece
• Smart watch
• Router
• Car
• Self-service gas pump
• Video rental machine
• ATM
• Managed server (its Linux-based management chip)
• Wireless charger
• Remote car starter
• Home medical lifeline alarm
• Remotely administrable cloud
Use case: Leading Car Manufacturer – Protecting PII data for analytics
Business needs
• Protect data in Hadoop, Teradata, DataStage and Cognos
• Ingest real-time data from vehicles
• Analyze faults to detect recall requirements and affected vehicles
Solution
• HPE SecureData with HPE Format-Preserving Encryption
• Flume used to protect incoming real-time data feeds
• De-identify data within Sqoop from internal data sources
• Re-identify data within Hadoop, Teradata, DataStage and Cognos only where the original values are needed
• Protect sensitive information such as VIN, phone numbers, addresses, etc.
• Analytics are done on de-identified data, without exposing customers
Leading car manufacturer – Big Data primary data flow
[Data-flow diagram; recoverable content:] Sensitive structured sources and other real-time feeds (customer data from dealerships and manufacturers; existing data sets and 3rd party data, e.g. accident data) → Hadoop edge nodes running the HPE SecureData Hadoop tools (the "landing zone") → Hadoop Cluster: Flume real-time ingest (~2 billion real-time transactions/day), Sqoop, MapReduce, Hive UDFs → "Integration Controls" in IBM DataStage → Teradata EDW with SecureData UDFs → Analytics & Data Science and Cognos. HPE SecureData key servers and web service APIs serve every protection point.
Best Practices – 5 Steps to Take Back Control
IoT's potential comes with big security questions
1. Audit and understand your data.
2. Perform threat modeling on sensitive data.
3. Identify the business-critical values within sensitive data.
4. Apply tokenization and format-preserving encryption on data as it is ingested.
5. Provide data-at-rest encryption throughout Hadoop clusters.
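Worked example added for this page, not code from HPE SecureData, Teradata or any vendor on the page, and not NIST FF1: a toy format-preserving encryption pipeline in Python that ties together three earlier points, the FPE slide (ciphertext keeps format and separators, equal inputs give equal outputs so joins still work, only re-identifying applications need the key), the stateless key management slide (keys derived on demand from a master secret plus an identity, no key database) and step 4 above (protect fields as records are ingested). The Feistel cipher, the HMAC-based key derivation, the policy table, the field names and the sample records are all constructed for illustration; the cipher has no security proof and exists only to make the properties visible on realistic-looking input.

```python
"""Added example for this page; not HPE SecureData or Teradata code and not NIST FF1.

Toy format-preserving encryption (FPE) pipeline: a ten-round Feistel network keyed with
HMAC-SHA256 (no security proof; SP 800-38G FF1 is the real standard). It shows what the
slides describe: ciphertext keeps length, character set and separators; equal values give
equal ciphertexts, so joins still work (referential integrity); keys are derived on demand
from a master secret plus an identity, so there is no key database (stateless keys); only
a holder of the master secret can re-identify. Policy and sample records are constructed.
"""
import hashlib
import hmac
import string
from functools import reduce

ROUNDS, DIGITS, LETTERS = 10, string.digits, string.ascii_letters


def derive_key(master_secret: bytes, identity: str) -> bytes:
    """Stateless key derivation: recomputed from the master secret on every call."""
    return hmac.new(master_secret, identity.encode(), hashlib.sha256).digest()


def _to_int(s: str, alphabet: str) -> int:
    return reduce(lambda n, ch: n * len(alphabet) + alphabet.index(ch), s, 0)


def _to_str(n: int, width: int, alphabet: str) -> str:
    out = []
    for _ in range(width):
        n, r = divmod(n, len(alphabet))
        out.append(alphabet[r])
    return "".join(reversed(out))


def _round_function(key: bytes, i: int, tweak: str, half: str, modulus: int) -> int:
    digest = hmac.new(key, f"{i}|{tweak}|{half}".encode(), hashlib.sha256).digest()
    return int.from_bytes(digest[:16], "big") % modulus


def _feistel(text: str, key: bytes, tweak: str, alphabet: str, encrypt: bool) -> str:
    """Unbalanced Feistel over the alphabet; output has the input's length and charset."""
    n = len(text)
    if n < 2:
        raise ValueError("need at least two characters to encrypt")
    u, v = n // 2, n - n // 2
    a, b = text[:u], text[u:]
    for i in (range(ROUNDS) if encrypt else range(ROUNDS - 1, -1, -1)):
        m = u if i % 2 == 0 else v          # width of the half rewritten this round
        modulus = len(alphabet) ** m
        if encrypt:
            y = _round_function(key, i, tweak, b, modulus)
            a, b = b, _to_str((_to_int(a, alphabet) + y) % modulus, m, alphabet)
        else:                               # same rounds in reverse, subtracting
            y = _round_function(key, i, tweak, a, modulus)
            a, b = _to_str((_to_int(b, alphabet) - y) % modulus, m, alphabet), a
    return a + b


def _transform(value, key, tweak, alphabet, keep_last, encrypt):
    """Cipher only the characters of value that are in alphabet, keeping separators
    such as '-', ' ' or '(' in place and the last keep_last characters in clear."""
    positions = [i for i, ch in enumerate(value) if ch in alphabet]
    chars = "".join(value[i] for i in positions)
    body, tail = (chars[:-keep_last], chars[-keep_last:]) if keep_last else (chars, "")
    # Bind the clear tail into the tweak so bodies cannot be swapped between records.
    new_body = _feistel(body, key, f"{tweak}|{tail}", alphabet, encrypt)
    out = list(value)
    for pos, ch in zip(positions, new_body + tail):
        out[pos] = ch
    return "".join(out)


def fpe_encrypt(value, key, tweak="", alphabet=DIGITS, keep_last=0):
    return _transform(value, key, tweak, alphabet, keep_last, True)


def fpe_decrypt(value, key, tweak="", alphabet=DIGITS, keep_last=0):
    return _transform(value, key, tweak, alphabet, keep_last, False)


# Constructed policy: field -> (alphabet, trailing characters left in clear).
# A deployment would load this from a central policy store (the use case uses LDAP).
POLICY = {"first_name": (LETTERS, 0), "last_name": (LETTERS, 0),
          "ssn": (DIGITS, 4), "phone": (DIGITS, 0)}


def _apply_policy(record: dict, master_secret: bytes, encrypt: bool) -> dict:
    out = dict(record)
    for field, (alphabet, keep_last) in POLICY.items():
        if field in out:
            key = derive_key(master_secret, f"fpe:{field}")  # per-field key, never stored
            out[field] = _transform(out[field], key, field, alphabet, keep_last, encrypt)
    return out


def protect_record(record: dict, master_secret: bytes) -> dict:
    """De-identify at ingestion; fields outside POLICY pass through unchanged."""
    return _apply_policy(record, master_secret, True)


def reidentify_record(record: dict, master_secret: bytes) -> dict:
    """For the few downstream applications that need original values."""
    return _apply_policy(record, master_secret, False)


# Constructed sample feed: the same customer arriving from two source systems.
SAMPLE_FEED = [
    {"first_name": "Gunther", "last_name": "Robertson", "ssn": "934-72-2356",
     "phone": "(415) 555-0142", "plan": "gold"},
    {"first_name": "Gunther", "last_name": "Robertson", "ssn": "934-72-2356",
     "phone": "(415) 555-0142", "source": "billing"},
]
MASTER_SECRET = b"demo-only-master-secret"  # placeholder; real root keys live in an HSM
```

Running `protect_record` over both sample records yields an SSN of the form `ddd-dd-2356` and a phone of the form `(ddd) ddd-dddd`, identical for both records, so the analytics tier can still join the billing feed to the customer feed without ever seeing the clear values; `reidentify_record` with the same master secret restores the originals, and with any other secret returns garbage of the same shape. Two caveats follow directly from the design: FPE is deterministic by construction, so equal values leak equality and low-entropy fields are open to frequency analysis (the per-field tweak limits this across columns but not within one), and keeping a clear tail shrinks the encrypted domain (five SSN digits here), so a decryption or encryption oracle would make the body enumerable. Both are why the slides recommend applying FPE only to fields that genuinely need format preservation and restricting re-identification to the applications that need it.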
Thank You
Questions/Comments Email:
Follow Me Twitter @hpe_voltage