Transparent Data Encryption for Couchbase Server. Derek Tumulak, VP of Product Management. October 6th 2014. Copyright 2014 Vormetric, Inc. All rights reserved.

Transparent Data Encryption for Couchbase Server


DESCRIPTION

With increased adoption of the Couchbase NoSQL database, companies are increasingly populating Couchbase Server with sensitive information, such as personally identifiable information (PII), personal health information (PHI), or sensitive customer or internal information. This information must adhere to regulatory requirements such as PCI and HIPAA, to state and local privacy laws, and to customer and partner service level agreements, and it must have controls in place to prevent insider abuse. Vormetric and Couchbase have partnered to address the data security needs of protecting sensitive information stored in Couchbase Server.

Citation preview

Page 1: Transparent Data Encryption for Couchbase Server

Transparent Data Encryption for Couchbase Server

Derek Tumulak

VP of Product Management

October 6th 2014

Copyright 2014 Vormetric, Inc. All rights reserved.

Page 2: Transparent Data Encryption for Couchbase Server

Sensitive Data at Risk: Organizations Rarely Detect or Block Access

Administered by Enterprise Strategy Group, October 2013

Chart categories: Detect anomalous data access in real time; Block privileged user access; Monitor privileged user activities; Review sensitive data access weekly or more

Chart values: 24%, 27%, 40%, 45%

Copyright 2014 Vormetric, Inc. – Proprietary and Confidential. All rights reserved.

Page 3: Transparent Data Encryption for Couchbase Server

Big Data Heightens Need to Protect Data: Private, Public, Hybrid Cloud and Big Data


Page 4: Transparent Data Encryption for Couchbase Server

Yet The Data is Increasingly More Difficult to Protect

Diagram labels:

• Data Centers: Physical, Virtual, Outsourced

• Big Data: Sources, Nodes, Results

• Clouds: Private, Public, Hybrid; Multiple vendors

• Physical Servers: Local offices and retail locations; Labs

• Data types: Trial Analysis, Research, PHI, Credit Cards, Plans, Customer Stats, Contracts, Call Records, Finance Files, Source Code, Customer Records, HR Files

Page 5: Transparent Data Encryption for Couchbase Server

Feb 2014

Widening Adoption of Encryption to Defend Sensitive Business Data

Figure 15. The main drivers for using encryption technology solutions

Chart categories: To lessen the impact of data breaches; To protect our organization’s brand or reputation; To ensure that our organization’s privacy commitments are honored; To comply with privacy or data security regulations and requirements

Chart values: 46%, 44%, 42%, 40% (axis from 0% to 50%)

2005-2013: Companies with Consistent Encryption Strategy: 15%, 35%

70%: 5+ encryption vendors


Page 6: Transparent Data Encryption for Couchbase Server

Vormetric’s End-to-End Data Protection for Big Data Environments

Diagram labels:

• Data: Financial Data, Healthcare Data, Credit cards, Logs, PII

• Data source (structured and unstructured): Database, Data warehouse, ERP, CRM, Audio video, Excel, CSV, Social media, Logs

• Analytics: Reports, Dashboards, What if queries

• Error logs, Disk cache, Configuration, System logs

• Protection shown in the diagram: Vormetric Transparent Encryption or Vormetric Application Encryption; Vormetric Transparent Encryption; Vormetric Transparent Encryption or Vormetric Application Encryption

Page 7: Transparent Data Encryption for Couchbase Server

World-Class Brands Rely on the Vormetric Data Security Platform


Cloud Service Providers Trust Vormetric

Global Customers

Over 1,300 customers

17 of the Fortune 25

Most Security Conscious Brands

Largest financial institutions

Largest retail companies

Major manufacturers

Third party business service providers

Government agencies

OEM Partners

IBM

Symantec

With Vormetric, people have no idea it’s even running. Vormetric Encryption also saved us at least nine months of application rewrite effort, and its installation was one of the easiest we’ve ever experienced.

Karl Mudra, CIO, Delta Dental of Missouri

Cloud Managed Services

Page 8: Transparent Data Encryption for Couchbase Server

Vormetric Data Security Platform: Solves inefficiencies of point product solutions


Page 9: Transparent Data Encryption for Couchbase Server

Follow The Cloud Adoption: Private, Public, Hybrid Cloud

Cloud Managed Services

“The Vormetric Solution allows customers to extend proven security practices to their cloud deployments and we are pleased to see it also made available in AWS marketplace.”

Terry Wise, Director, WW Ecosystem

Page 10: Transparent Data Encryption for Couchbase Server

Follow The Big Data Adoption: World-Class Vendors Rely on Vormetric +

“Most enterprise big data projects were initially grassroots efforts with no involvement from enterprise information security departments, inadvertently exposing sensitive data.”

Gartner, November 2013

Chart (2013, n = 720): 64% Investing or Planning

Chart legend: Have invested in big data technology; Plan to within the next year; Plan to within two years; No plans at this time; Don’t know

Chart values: 31%, 30%, 19%, 15%, 5%

Page 11: Transparent Data Encryption for Couchbase Server

Vormetric Data Security Platform

Delivering data security extensibility


Page 12: Transparent Data Encryption for Couchbase Server

Vormetric Data Security Manager: Accelerated Time to Value with Consolidated Control

• Centrally manage keys and policy
• Virtual and physical appliance
• High-availability with cluster
• Multi-tenant and strong separation of duties
• Proven 10,000+ device and key management scale
• Web, CLI, API Interfaces
• FIPS 140-2 certified

Diagram labels: Policy and key Management; Web GUI; CLI/API; DSM; KMIP

Page 13: Transparent Data Encryption for Couchbase Server

Vormetric Data Security Manager: High Availability

Diagram labels: Protected Server; DSM Primary; DSM Secondary; X; No Service Disruption

1. Agent Communicates with primary DSM

2. Keys received from Primary when needed

3. Agents now retrieve keys from Secondary DSM

4. Keys received from Secondary when key expires


Page 14: Transparent Data Encryption for Couchbase Server

Vormetric Transparent Encryption: Simplified Encryption and Access Control

Diagram labels:

• Stack: User, Application, Database, File Systems, Volume Managers, Storage

• Allow/Block, Encrypt/Decrypt

• Big Data, Databases or Files

• Approved Processes and Users: Clear Text (John Smith 401 Main Street)

• Privileged Users (SA, root user): Encrypted (*$^!@#)(-|”_}?$%-:>>)

• Cloud Provider / Outsource Administrators: Encrypted (*$^!@#)(-|”_}?$%-:>>)

• DSM: Vormetric Data Security Manager, on enterprise premise or in cloud, virtual or physical appliance

• Vormetric Security Intelligence: Logs to SIEM

Page 15: Transparent Data Encryption for Couchbase Server

Policy Example: Structured Data

Policy Summary: Only the DB Service account, using the whitelisted DB binaries, has full transparent access to the encrypted DB objects.

The privileged administrative accounts are allowed to manage the encrypted DB objects but have no ability to decrypt the DB objects.

Deny and Audit non-conforming data requests at the I/O layer.

Copyright © 2012 Vormetric, Inc. - Proprietary and Confidential. All Rights Reserved.

| # | Resource | User | Process | Action | Effects |
| 1 | DB and Log files | DB Service account | DB binary (sqlservr.exe, oracle) | read/write | permit, encrypt/decrypt |
| 2 | DB and Log files | Administrative accounts | * | read metadata only | permit, audit |
| 3 | DB and Log files | * | * | * | deny, audit |

Policy Benefits

• Database encryption, without changing database schema or application code.

• Remove custodial risk of privileged account compromise.
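The three-rule policy above, modelled as a small evaluator and followed by the per-user count of denied requests that the Security Intelligence slides later in the deck treat as a signal. This is an added illustration, not Vormetric's policy syntax or engine; top-down first-match evaluation, the account names (`svc_db`, `admin_dirk`) and the sample requests are assumptions.

```python
# Added illustration, not Vormetric's policy syntax or engine. Assumptions:
# rules are checked top-down and the first match wins; account names and
# the sample requests are constructed.
from collections import Counter
from fnmatch import fnmatch

DB_BINARIES = {"sqlservr.exe", "oracle"}   # whitelisted binaries named on the slide

# (rule number, user pattern, process spec, allowed actions, effects)
POLICY = [
    (1, "svc_db",  DB_BINARIES, {"read", "write"}, ("permit", "encrypt/decrypt")),
    (2, "admin_*", "*",         {"read_metadata"}, ("permit", "audit")),
    (3, "*",       "*",         "*",               ("deny", "audit")),
]

def evaluate(user, process, action):
    """Return (rule number, effects) for one I/O request on DB and log files."""
    for num, user_pat, procs, actions, effects in POLICY:
        user_ok = fnmatch(user, user_pat)
        proc_ok = procs == "*" or process in procs
        action_ok = actions == "*" or action in actions
        if user_ok and proc_ok and action_ok:
            return num, effects
    return None, ("deny", "audit")          # fail closed if no rule matches

# Constructed requests: (user, process, action)
REQUESTS = [
    ("svc_db", "sqlservr.exe", "read"),        # service account + DB binary
    ("svc_db", "cat", "read"),                 # right account, wrong binary
    ("admin_dirk", "ls", "read_metadata"),     # admin managing the files
    ("admin_dirk", "cp", "read"),              # admin trying to read content
    ("admin_dirk", "sqlservr.exe", "read"),    # DB binary run by the wrong account
]

def denied_by_user(requests):
    """Count denied requests per user, the figure an audit dashboard would chart."""
    counts = Counter()
    for user, process, action in requests:
        _, effects = evaluate(user, process, action)
        if "deny" in effects:
            counts[user] += 1
    return counts

if __name__ == "__main__":
    for req in REQUESTS:
        print(req, "->", evaluate(*req))
    print(dict(denied_by_user(REQUESTS)))
```

Rule 1 only matches when the account and the binary both match, so neither the service account with an arbitrary tool nor an administrator running the DB binary gets decrypted data; both fall through to rule 3.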

Page 16: Transparent Data Encryption for Couchbase Server

Vormetric Application Encryption: Compliance Without the Complexity

Diagram labels:

• Web Server (www.acme.com)

• Application Server: Application, Vormetric Application Encryption (VAE)

• Database, Big Data or File; Storage

• DSM: Encryption Key Request / Response*

• Clear text at the application: 1234567891234567, Jon Dough

• Stored value: $#Ad#$g&*j%J1TJCZ, Jon Dough

*Key exchange at initial request or policy changes

Leverage Vormetric encryption and key management proven reliability and performance

APIs, Libraries and Sample code

• Java, C/C++, .Net

Page 17: Transparent Data Encryption for Couchbase Server

Vormetric Security Intelligence: Accelerate Insider Threat and APT Detection

• Log and audit data access
• Alarm abnormal access patterns
• Identify compromised users, administrators and applications
• Accelerate APT and malicious insider recognition
• Supports compliance and contractual mandate reporting

Page 18: Transparent Data Encryption for Couchbase Server

Security Intelligence, Detecting Abuse: Splunk App Example

It is suspicious that Dirk has so many denied file access events.

This behavior might be abuse or malware with Dirk’s credentials.


Page 19: Transparent Data Encryption for Couchbase Server

Screenshot callouts: Admin Dirk Snowman imitated user steve; attempted to read this file; and was denied access because he violated this policy.

Page 20: Transparent Data Encryption for Couchbase Server

Couchbase and Vormetric: Addressing Data Security and Compliance Needs

Follow the data: Organizations must address increasing security, data privacy and compliance requirements

Business is increasingly moving to Big Data

Big Data adoption debate shifted from “if” to “how”

Couchbase and Vormetric have conducted integration testing

Upcoming technical collateral and training


Page 21: Transparent Data Encryption for Couchbase Server

Transparent Data Encryption for Couchbase Server

Derek Tumulak

VP of Product Management

October 6th 2014

Copyright 2014 Vormetric, Inc. All rights reserved.