Securely explore your data
BULLET-PROOF YOUR BIG APPS WITH DATA-CENTRIC SECURITY
Joe Travaglini, Director of Product Marketing, May 27, 2014
Jan 15, 2015
OUTLINE
• The Context
  • Stakes of security in Big Data
  • Breakdown of the “Trusted Zone”
• Data-Centric Security
  • What is it and why should I care?
  • Examples in practice with Sqrrl Enterprise
• Wrap Up
2 © 2014 Sqrrl Data, Inc. | All Rights Reserved
SETTING CONTEXT
SOME DIFFICULT REALITIES
THERE IS NO SECURE PERIMETER
• Corporate intranets are dirty
• Cloud Computing
• Bring your own device
• Sophistication of threats: APT / malicious insider
• Know thy network
• Embrace the chaos, change the game
The changing face of the “trusted zone”
UPPING THE ANTE
• The “Big Promise” – keep everything, mine it, strike gold
• Consolidating data means compounding risk
  • Traditional protection is insufficient
  • Breach events have a larger blast radius
• We can’t protect data; why not let it protect itself?
Big Data amplifies the stakes of security
THE IMPORTANCE OF
DATA-CENTRIC SECURITY
DCS REFERENCE ARCHITECTURE
Things to consider when protecting data
REFERENCE IMPLEMENTATION
How Sqrrl manifests Data-Centric Security
ACCUMULO DATUM RECORD
Example Accumulo Row
Visibility Labels, BigTable style
SQRRL DATUM RECORD
Example Nested Sqrrl Document
Visibility Labels, Sqrrl style
SQRRL LABELING ENGINE
{
  "message-id": "129434",
  "message": {
    "from": "Dr. Bob Doctor <[email protected]>",
    "subject": "Test Results",
    "importance": 10,
    "body": "Everything came back OK.\n\nI will see you in the office on Friday."
  }
}
Rule-based assignment of labels to data
{
  "message-id": "129434",
  "message@[veryimportant]": {
    "from": "Dr. Bob Doctor <[email protected]>",
    "subject": "Test Results",
    "importance": 10,
    "body": "Everything came back OK.\n\nI will see you in the office on Friday."
  }
}
APPLY veryimportant to //mailbox/messages[**]/message WHERE CHILD importance >= 10
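Added example (not Sqrrl's or Accumulo's code): a small Python simulation of the labeling rule above and of read-time filtering by authorizations. It assumes a simplified rule form (one target field, one child comparison), single-operator visibility expressions ("a&b" or "a|b"), and a constructed sender address in place of the one redacted on the slide.

```python
import json
import re

# Constructed sample, modelled on the nested message document in the deck
# (the sender address is constructed, not the slide's).
SAMPLE_DOC = {
    "message-id": "129434",
    "message": {
        "from": "Dr. Bob Doctor <bob@example.invalid>",
        "subject": "Test Results",
        "importance": 10,
        "body": "Everything came back OK.\n\nI will see you in the office on Friday.",
    },
}

LABEL_RE = re.compile(r"^(?P<name>[^@]+)@\[(?P<label>[^\]]+)\]$")

def apply_rule(doc, field, label, child, minimum):
    """Rule-based labeling, a simplified form of
    APPLY <label> to .../<field> WHERE CHILD <child> >= <minimum>.
    Returns a copy whose matching field is renamed to field@[label]."""
    out = {}
    for key, value in doc.items():
        if key == field and isinstance(value, dict) and value.get(child, 0) >= minimum:
            out[f"{key}@[{label}]"] = value  # the label travels with the data itself
        else:
            out[key] = value
    return out

def visible(label_expr, auths):
    """Accumulo-style visibility check for a single-operator expression:
    'a&b' needs every label, 'a|b' needs any, a bare label needs itself."""
    if "&" in label_expr:
        return all(t in auths for t in label_expr.split("&"))
    return any(t in auths for t in label_expr.split("|"))

def read_as(doc, auths):
    """Read-time filtering: drop every labeled field the caller is not
    authorized for, recursing into nested documents."""
    result = {}
    for key, value in doc.items():
        m = LABEL_RE.match(key)
        if m and not visible(m.group("label"), set(auths)):
            continue  # the field and its whole subtree are simply absent
        result[key] = read_as(value, auths) if isinstance(value, dict) else value
    return result

labeled = apply_rule(SAMPLE_DOC, "message", "veryimportant", "importance", 10)
print(json.dumps(read_as(labeled, {"veryimportant"}), indent=2))  # full document
print(json.dumps(read_as(labeled, set()), indent=2))  # only "message-id" survives
```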
ENCRYPTION CAPABILITIES
• Encryption at rest
• Encryption in motion
• Pluggable Encryption
ENCRYPTION AT REST
ENCRYPTION IN MOTION
• Encrypt all network traffic with SSL
  • Sqrrl client to Sqrrl server
  • Sqrrl server to Accumulo server
  • Accumulo server to Accumulo server
Sqrrl Enterprise was never vulnerable to Heartbleed
CRYPTO CONTRIBUTIONS
• ACCUMULO-958: Pluggable encryption to Write-Ahead Logs
• ACCUMULO-980: Pluggable encryption to RFiles
• ACCUMULO-1009: Encryption in motion
Sqrrl contributed each of these to open-source Accumulo
SECURE SEARCH
• Search can be a source of leakage
  • Revealing existence of data elements, names…
  • …or worse, more information
• Indexes are data too
  • Protections should mirror underlying data
Sqrrl Enterprise is the only Big Data Solution with term-level security on search indexes
Preserving data security in search indexes
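Added example (not Sqrrl's code) of the point above: an inverted index whose postings carry the visibility labels of the field they were built from, so a search cannot reveal that a protected term exists to a caller without the matching authorization. It assumes the field@[label] naming from the labeling slide, bare labels only (no & or |), and a constructed two-message corpus.

```python
import re
from collections import defaultdict

LABEL_RE = re.compile(r"^([^@]+)@\[([^\]]+)\]$")
TOKEN_RE = re.compile(r"[a-z0-9]+")

def field_labels(doc, path=(), inherited=frozenset()):
    """Yield (path, text, labels) for every string field; a label on a
    field covers its whole subtree, mirroring the labeled document."""
    for key, value in doc.items():
        m = LABEL_RE.match(key)
        name, labels = (m.group(1), inherited | {m.group(2)}) if m else (key, inherited)
        if isinstance(value, dict):
            yield from field_labels(value, path + (name,), labels)
        elif isinstance(value, str):
            yield path + (name,), value, labels

def build_index(docs):
    """Inverted index whose postings carry the labels of the field they came
    from: term -> {(doc_id, field_path): labels}."""
    index = defaultdict(dict)
    for doc_id, doc in docs.items():
        for path, text, labels in field_labels(doc):
            for term in set(TOKEN_RE.findall(text.lower())):
                index[term][(doc_id, "/".join(path))] = labels
    return index

def search(index, term, auths):
    """Term-level check: a posting is returned only if the caller holds every
    label on it, so an unauthorized caller cannot even learn the term exists."""
    return sorted({doc_id for (doc_id, _), labels in index.get(term.lower(), {}).items()
                   if labels <= set(auths)})

def naive_search(index, term):
    """Unprotected index: reveals which documents contain the term."""
    return sorted({doc_id for doc_id, _ in index.get(term.lower(), {})})

# Constructed corpus: one message labeled as the labeling engine would emit it,
# one unlabeled message.
DOCS = {
    "129434": {"message-id": "129434",
               "message@[veryimportant]": {"subject": "Test Results",
                                           "body": "Everything came back OK."}},
    "129435": {"message-id": "129435",
               "message": {"subject": "Lunch", "body": "Results of the vote are in."}},
}
INDEX = build_index(DOCS)
print("leaky  :", naive_search(INDEX, "results"))        # both ids
print("secured:", search(INDEX, "results", set()))       # only the unlabeled one
```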
SQRRL AUDIT
• Records every client action against the system
• Provides information on the request and the security operations attempted
• Stored securely to prevent tampering
Immutable history for compliance purposes
WRAPPING UP
RECAP
• Changing technology landscape
  • Perimeter controls not keeping pace
• Big Data security is hard
  • Technology velocity, data gravity
  • Unknown unknowns
• Adopt Data-Centric Security principles for best chances at success
• (Sqrrl has them)
NARROWING THE BOUNDARY
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
TOWARDS THE FUTURE
DCS MATURITY CHART
Sqrrl leads the NoSQL pack
Products compared: Apache HBase, Apache Accumulo, Datastax Enterprise, MongoDB Enterprise, Sqrrl Enterprise
Capabilities (cell values in row order as extracted; which product each value belongs to was lost in extraction):
• Secure Full-Text Search: Non-secure, Non-secure, ✔
• Secure Graph Search: ✔
• Cell-Level Security: ✔, ✔, Not robust, ✔
• Labeling + Policy Engines: ✔
• Native Encryption: At rest ✔, ✔, In motion (client-server only), ✔
• ABAC: ✔
• Audit: 3rd Party, ✔, Unauthorized only, ✔
THANKS!
Brought to you by: Sqrrl Data, Inc. [email protected]
@SqrrlData http://www.sqrrl.com
Presented by: Joe Travaglini [email protected] @joe_travaglini http://www.linkedin.com/in/jtrav
Follow us to keep up with the latest
Q&A