Sqrrl May Webinar: Data-Centric Security

Jan 15, 2015

This webinar discusses the dissolution of the "trusted zone" and shares insights on how you can build secure applications on Hadoop by adopting best practices in Data-Centric Security with Sqrrl Enterprise.
Transcript
Page 1: Sqrrl May Webinar: Data-Centric Security

Securely explore your data

BULLET-PROOF YOUR BIG APPS

WITH DATA-CENTRIC SECURITY

Joe Travaglini, Director of Product Marketing May 27, 2014

Page 2: Sqrrl May Webinar: Data-Centric Security

OUTLINE

•  The Context
   •  Stakes of security in Big Data
   •  Breakdown of the “Trusted Zone”

•  Data-Centric Security
   •  What is it and why should I care?
   •  Examples in practice with Sqrrl Enterprise

•  Wrap Up

2 © 2014 Sqrrl Data, Inc. | All Rights Reserved

Page 3: Sqrrl May Webinar: Data-Centric Security

SETTING CONTEXT

SOME DIFFICULT REALITIES

Page 4: Sqrrl May Webinar: Data-Centric Security

THERE IS NO SECURE PERIMETER

•  Corporate intranets are dirty
•  Cloud Computing
•  Bring your own device

•  Sophistication of threats: APT / malicious insider

•  Know thy network
•  Embrace the chaos, change the game

The changing face of the “trusted zone”

Page 5: Sqrrl May Webinar: Data-Centric Security

UPPING THE ANTE

•  The “Big Promise” – keep everything, mine it, strike gold

•  Consolidating data means compounding risk
   •  Traditional protection is insufficient
   •  Breach events have larger blast radius

•  We can’t protect data, why not let it protect itself?

Big Data amplifies the stakes of security

Page 6: Sqrrl May Webinar: Data-Centric Security

THE IMPORTANCE OF

DATA-CENTRIC SECURITY

Page 7: Sqrrl May Webinar: Data-Centric Security

DCS REFERENCE ARCHITECTURE

Things to consider when protecting data

Page 8: Sqrrl May Webinar: Data-Centric Security

REFERENCE IMPLEMENTATION

How Sqrrl manifests Data-Centric Security

Page 9: Sqrrl May Webinar: Data-Centric Security

ACCUMULO DATUM RECORD

Example Accumulo Row

Visibility Labels, BigTable style

Page 10: Sqrrl May Webinar: Data-Centric Security

SQRRL DATUM RECORD

Example Nested Sqrrl Document

Visibility Labels, Sqrrl style

Page 11: Sqrrl May Webinar: Data-Centric Security

SQRRL LABELING ENGINE

{
  "message-id" : "129434",
  "message" : {
    "from" : "Dr. Bob Doctor <[email protected]>",
    "subject" : "Test Results",
    "importance" : 10,
    "body" : "Everything came back OK.\n\nI will see you in the office on Friday."
  }
}

Rule-based assignment of labels to data

{
  "message-id" : "129434",
  "message@[veryimportant]" : {
    "from" : "Dr. Bob Doctor <[email protected]>",
    "subject" : "Test Results",
    "importance" : 10,
    "body" : "Everything came back OK.\n\nI will see you in the office on Friday."
  }
}

APPLY veryimportant to //mailbox/messages[**]/message WHERE CHILD importance >= 10
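
The labeling rule above, worked through as an added example (not Sqrrl's code or API): a Python sketch that renames a field to the slide's name@[label] form when a child value meets a threshold, then builds the view a reader with given authorizations would see. The function names, the single-label match (no boolean label expressions) and the simplified field matching in place of the rule's path syntax are assumptions.

```python
import re

# Slide notation: a key carrying a label is written name@[label].
LABELED_KEY = re.compile(r"^(?P<name>[^@]+)@\[(?P<label>[^\]]+)\]$")

def apply_label(doc, field, label, child, threshold):
    """Hypothetical rule form: rename every key `field` whose value has
    child >= threshold to 'field@[label]'. Returns a new structure."""
    if isinstance(doc, list):
        return [apply_label(v, field, label, child, threshold) for v in doc]
    if not isinstance(doc, dict):
        return doc
    out = {}
    for key, value in doc.items():
        hit = (key == field and isinstance(value, dict)
               and isinstance(value.get(child), (int, float))
               and value[child] >= threshold)
        new_key = f"{key}@[{label}]" if hit else key
        out[new_key] = apply_label(value, field, label, child, threshold)
    return out

def visible(doc, authorizations):
    """Return the view a reader holding `authorizations` may see: labeled
    subtrees without a matching authorization are dropped entirely."""
    if isinstance(doc, list):
        return [visible(v, authorizations) for v in doc]
    if not isinstance(doc, dict):
        return doc
    out = {}
    for key, value in doc.items():
        m = LABELED_KEY.match(key)
        if m and m.group("label") not in authorizations:
            continue  # fail closed: no authorization, no field
        out[m.group("name") if m else key] = visible(value, authorizations)
    return out

# Constructed sample documents modeled on the slide's message record.
SAMPLE = {"message-id": "129434",
          "message": {"subject": "Test Results", "importance": 10,
                      "body": "Everything came back OK."}}
ROUTINE = {"message-id": "129435",
           "message": {"subject": "Lunch", "importance": 2}}

LABELED = apply_label(SAMPLE, "message", "veryimportant", "importance", 10)

if __name__ == "__main__":
    print(LABELED)
    print(visible(LABELED, set()))                # label not held
    print(visible(LABELED, {"veryimportant"}))    # label held
```

Because the label travels with the field itself, the filter needs no per-application access list: a reader without the authorization gets a document in which the labeled subtree is simply absent.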

Page 12: Sqrrl May Webinar: Data-Centric Security

ENCRYPTION CAPABILITIES

•  Encryption at rest

•  Encryption in motion

•  Pluggable Encryption

Page 13: Sqrrl May Webinar: Data-Centric Security

ENCRYPTION AT REST

Page 14: Sqrrl May Webinar: Data-Centric Security

ENCRYPTION IN MOTION

•  Encrypt all network traffic with SSL
   •  Sqrrl client to Sqrrl server
   •  Sqrrl server to Accumulo server
   •  Accumulo server to Accumulo server

Sqrrl Enterprise was never vulnerable to Heartbleed

Page 15: Sqrrl May Webinar: Data-Centric Security

CRYPTO CONTRIBUTIONS

•  ACCUMULO-958: Pluggable encryption to Write-Ahead Logs

•  ACCUMULO-980: Pluggable encryption to RFiles

•  ACCUMULO-1009: Encryption in motion

Sqrrl contributed each to open-source Accumulo

Page 16: Sqrrl May Webinar: Data-Centric Security

SECURE SEARCH

•  Search can be a source of leakage
   •  Revealing existence of data elements, names…
   •  …or worse, more information

•  Indexes are data too
   •  Protections should mirror underlying data

Sqrrl Enterprise is the only Big Data Solution with term-level security on search indexes

Preserving data security in search indexes

Page 17: Sqrrl May Webinar: Data-Centric Security

SQRRL AUDIT

•  Records every client action against system

•  Provides info on request, security operations attempted

•  Stored securely to prevent tampering

Immutable history for compliance purposes

Page 18: Sqrrl May Webinar: Data-Centric Security

WRAPPING UP

Page 19: Sqrrl May Webinar: Data-Centric Security

RECAP

•  Changing technology landscape
   •  Perimeter controls not keeping pace

•  Big Data security is hard
   •  Technology velocity, data gravity
   •  Unknown unknowns

•  Adopt Data-Centric Security principles for best chances at success

•  (Sqrrl has them)

Page 20: Sqrrl May Webinar: Data-Centric Security

NARROWING THE BOUNDARY

© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential

Page 21: Sqrrl May Webinar: Data-Centric Security

NARROWING THE BOUNDARY

Page 22: Sqrrl May Webinar: Data-Centric Security

TOWARDS THE FUTURE

Page 23: Sqrrl May Webinar: Data-Centric Security

DCS MATURITY CHART

Sqrrl leads the NoSQL pack

Apache HBase, Apache Accumulo, Datastax Enterprise, MongoDB Enterprise, Sqrrl Enterprise

Secure Full-Text Search: Non-secure; Non-secure; ✔
Secure Graph Search: ✔
Cell-Level Security: ✔; ✔; Not robust; ✔
Labeling + Policy Engines: ✔
Native Encryption: At rest; ✔; ✔; In motion, client-server only; ✔
ABAC: ✔
Audit: 3rd Party; ✔; Unauthorized only; ✔

Page 24: Sqrrl May Webinar: Data-Centric Security

THANKS!

Brought to you by: Sqrrl Data, Inc. [email protected]

@SqrrlData http://www.sqrrl.com

Presented by: Joe Travaglini [email protected] @joe_travaglini http://www.linkedin.com/in/jtrav

Follow us to keep up with the latest

Page 25: Sqrrl May Webinar: Data-Centric Security

Q&A
