This webinar discusses the dissolution of the "trusted zone" and shares insights on how you can build secure applications on Hadoop by adopting best practices in Data-Centric Security with Sqrrl Enterprise.
Securely explore your data
BULLET-PROOF YOUR BIG APPS
WITH DATA-CENTRIC SECURITY
Joe Travaglini, Director of Product Marketing May 27, 2014
OUTLINE
• The Context
  • Stakes of security in Big Data
  • Breakdown of the “Trusted Zone”
• Data-Centric Security
  • What is it and why should I care?
  • Examples in practice with Sqrrl Enterprise
• Wrap Up
2 © 2014 Sqrrl Data, Inc. | All Rights Reserved
SETTING CONTEXT
SOME DIFFICULT REALITIES
THERE IS NO SECURE PERIMETER
• Corporate intranets are dirty
  • Cloud Computing
  • Bring your own device
• Sophistication of threats: APT / malicious insider
• Know thy network
  • Embrace the chaos, change the game
The changing face of the “trusted zone”
UPPING THE ANTE
• The “Big Promise” – keep everything, mine it, strike gold
• Consolidating data means compounding risk
  • Traditional protection is insufficient
  • Breach events have larger blast radius
• We can’t protect data, why not let it protect itself?
Big Data amplifies the stakes of security
THE IMPORTANCE OF
DATA-CENTRIC SECURITY
DCS REFERENCE ARCHITECTURE
Things to consider when protecting data
REFERENCE IMPLEMENTATION
How Sqrrl manifests Data-Centric Security
ACCUMULO DATUM RECORD
Example Accumulo Row
Visibility Labels, BigTable style
SQRRL DATUM RECORD
Example Nested Sqrrl Document
Visibility Labels, Sqrrl style
SQRRL LABELING ENGINE
{
  "message-id" : "129434",
  "message" : {
    "from" : "Dr. Bob Doctor <[email protected]>",
    "subject" : "Test Results",
    "importance" : 10,
    "body" : "Everything came back OK.\n\nI will see you in the office on Friday."
  }
}
Rule-based assignment of labels to data
{
  "message-id" : "129434",
  "message@[veryimportant]" : {
    "from" : "Dr. Bob Doctor <[email protected]>",
    "subject" : "Test Results",
    "importance" : 10,
    "body" : "Everything came back OK.\n\nI will see you in the office on Friday."
  }
}
APPLY veryimportant to //mailbox/messages[**]/message WHERE CHILD importance >= 10
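The effect of the rule above, sketched as an added Python example (not Sqrrl's engine or API): one function applies the label to matching fields, a second returns the view a reader with given authorizations would get. Assumptions: the function names and the second sample message are invented here, the path is simplified to "any field named message", and a label is a single token rather than a boolean expression.

```python
# Constructed sample modelled on the slide's mailbox document (second message invented).
MAILBOX = {"mailbox": {"messages": [
    {"message-id": "129434",
     "message": {"from": "Dr. Bob Doctor", "subject": "Test Results",
                 "importance": 10, "body": "Everything came back OK."}},
    {"message-id": "129435",
     "message": {"from": "Newsletter", "subject": "Weekly digest",
                 "importance": 2, "body": "Nothing urgent."}},
]}}

def apply_label(doc, label, field, child, threshold):
    """Hypothetical stand-in for: APPLY <label> to .../<field> WHERE CHILD <child> >= <threshold>.
    Returns a copy in which every matching key is renamed to 'field@[label]'."""
    if isinstance(doc, list):
        return [apply_label(v, label, field, child, threshold) for v in doc]
    if not isinstance(doc, dict):
        return doc
    out = {}
    for key, value in doc.items():
        matches = (key == field and isinstance(value, dict)
                   and isinstance(value.get(child), (int, float))
                   and value[child] >= threshold)
        new_key = f"{key}@[{label}]" if matches else key
        out[new_key] = apply_label(value, label, field, child, threshold)
    return out

def read_as(doc, authorizations):
    """View for a reader holding `authorizations`: a labelled field whose label
    the reader lacks is dropped with its whole subtree (fail closed)."""
    if isinstance(doc, list):
        return [read_as(v, authorizations) for v in doc]
    if not isinstance(doc, dict):
        return doc
    view = {}
    for key, value in doc.items():
        name, sep, rest = key.partition("@[")
        if sep and rest.rstrip("]") not in authorizations:
            continue  # label not held: omit the key and everything under it
        view[name] = read_as(value, authorizations)
    return view

LABELLED = apply_label(MAILBOX, "veryimportant", "message", "importance", 10)
```

A reader with no authorizations sees only the message-id of the first message, while the low-importance message stays fully readable.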
ENCRYPTION CAPABILITIES
• Encryption at rest
• Encryption in motion
• Pluggable Encryption
ENCRYPTION AT REST
ENCRYPTION IN MOTION
• Encrypt all network traffic with SSL
  • Sqrrl client to Sqrrl server
  • Sqrrl server to Accumulo server
  • Accumulo server to Accumulo server
Sqrrl Enterprise was never vulnerable to Heartbleed
CRYPTO CONTRIBUTIONS
• ACCUMULO-958: Pluggable encryption to Write-Ahead Logs
• ACCUMULO-980: Pluggable encryption to RFiles
• ACCUMULO-1009: Encryption in motion
Sqrrl contributed each to open-source Accumulo
SECURE SEARCH
• Search can be a source of leakage
  • Revealing existence of data elements, names…
  • …or worse, more information
• Indexes are data too
  • Protections should mirror underlying data
Sqrrl Enterprise is the only Big Data Solution with term-level security on search indexes
Preserving data security in search indexes
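What "indexes are data too" means in practice, as an added Python example (not Sqrrl's implementation): each posting in a small inverted index carries the label of the document it came from, and both search and the visible term dictionary are filtered by the caller's authorizations. The documents, labels and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed documents: (doc id, visibility label or None, text).
DOCS = [
    ("d1", None,            "quarterly report draft"),
    ("d2", "veryimportant", "test results for patient smith"),
    ("d3", "veryimportant", "merger results embargoed"),
]

def build_index(docs):
    """Inverted index whose postings carry the source document's label,
    so every term occurrence is protected like the data it came from."""
    index = defaultdict(list)
    for doc_id, label, text in docs:
        for term in set(text.split()):
            index[term].append((doc_id, label))
    return index

def search(index, term, authorizations):
    """Doc ids for `term`, considering only postings the caller may see."""
    return sorted(doc_id for doc_id, label in index.get(term, [])
                  if label is None or label in authorizations)

def visible_terms(index, authorizations):
    """Term dictionary as the caller sees it (what autocomplete or facets expose)."""
    return sorted(t for t in index if search(index, t, authorizations))

def naive_term_exists(index, term):
    """Unlabelled lookup: tells any caller whether the term occurs anywhere,
    which is the existence leak the slide warns about."""
    return term in index

INDEX = build_index(DOCS)
```

With no authorizations, "merger" is neither searchable nor listed among the visible terms, whereas the unlabelled lookup confirms it exists.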
SQRRL AUDIT
• Records every client action against system
• Provides info on request, security operations attempted
• Stored securely to prevent tampering
Immutable history for compliance purposes
WRAPPING UP
RECAP
• Changing technology landscape
  • Perimeter controls not keeping pace
• Big Data security is hard
  • Technology velocity, data gravity
  • Unknown unknowns
• Adopt Data-Centric Security principles for best chances at success
• (Sqrrl has them)
NARROWING THE BOUNDARY
© 2013 Sqrrl | All Rights Reserved | Proprietary and Confidential
TOWARDS THE FUTURE
DCS MATURITY CHART
Sqrrl leads the NoSQL pack
Apache HBase | Apache Accumulo | Datastax Enterprise | MongoDB Enterprise | Sqrrl Enterprise
Secure Full-Text Search: Non-secure Non-secure ✔
Secure Graph Search: ✔
Cell-Level Security: ✔ ✔ Not robust ✔
Labeling + Policy Engines: ✔
Native Encryption: At rest ✔ ✔ In motion, client-server only ✔
ABAC: ✔
Audit: 3rd Party ✔ Unauthorized only ✔
THANKS!
Brought to you by: Sqrrl Data, Inc. [email protected]
@SqrrlData http://www.sqrrl.com
Presented by: Joe Travaglini [email protected] @joe_travaglini http://www.linkedin.com/in/jtrav
Follow us to keep up with the latest
Q&A