With increased adoption of the Couchbase NoSQL database, companies are also increasingly populating Couchbase Server with sensitive information. This information can take the form of such things as personally identifiable information (PII), personal health information (PHI), or sensitive customer or internal information. This information must adhere to regulatory requirements such as PCI and HIPAA, adhere to state and local privacy laws, adhere to customer and partner service level agreements, and have controls in place to prevent insider abuse of the sensitive information. Vormetric and Couchbase have partnered together to address the data security needs for protecting sensitive information being stored in Couchbase Server.
Transparent Data Encryption for Couchbase Server
Derek Tumulak
VP of Product Management
October 6th 2014
Copyright 2014 Vormetric, Inc. All rights reserved.
Sensitive Data at Risk: Organizations Rarely Detect or Block Access
Administered by Enterprise Strategy Group, October 2013
[Chart. Categories: Detect anomalous data access in real time; Block privileged user access; Monitor privileged user activities; Review sensitive data access weekly or more. Values shown: 24%, 27%, 40%, 45%.]
Big Data Heightens Need to Protect Data: Private, Public, Hybrid Cloud and Big Data
Yet The Data is Increasingly More Difficult to Protect
Data Centers: Physical, Virtual, Outsourced
Big Data: Sources, Nodes, Results
Clouds: Private, Public, Hybrid; Multiple vendors
Physical Servers: Local offices and retail locations
[Diagram labels for data at risk: Labs, Trial Analysis, Research, PHI, Credit Cards, Plans, Customer Stats, Contracts, Call Records, Finance Files, Source Code, Customer Records, HR Files]
Widening Adoption of Encryption to Defend Sensitive Business Data
Feb 2014
Figure 15. The main drivers for using encryption technology solutions
[Chart. Drivers: To lessen the impact of data breaches; To protect our organization’s brand or reputation; To ensure that our organization’s privacy commitments are honored; To comply with privacy or data security regulations and requirements. Values shown: 46%, 44%, 42%, 40%.]
2005-2013: Companies with Consistent Encryption Strategy: 15%, 35%
70%: 5+ encryption vendors
Vormetric’s End-to-End Data Protection for Big Data Environments
[Diagram columns: Data, Data source, Analytics]
Data source (structured and unstructured): Database, Data warehouse, ERP, CRM, Audio video, Excel, CSV, Social media, Logs
Data: Financial Data, Healthcare Data, Credit cards, Logs, PII
Analytics: Reports, Dashboards, What if queries
System data: Error logs, Disk cache, Configuration, System logs
Protection labels: Vormetric Transparent Encryption or Vormetric Application Encryption; Vormetric Transparent Encryption; Vormetric Transparent Encryption or Vormetric Application Encryption
World-Class Brands Rely on the Vormetric Data Security Platform
Cloud Service Providers Trust Vormetric
Global Customers
Over 1,300 customers
17 of the Fortune 25
Most Security Conscious Brands
Largest financial institutions
Largest retail companies
Major manufacturers
Third party business service providers
Government agencies
OEM Partners
IBM
Symantec
With Vormetric, people have no idea it’s even running. Vormetric Encryption also saved us at least nine months of application rewrite effort, and its installation was one of the easiest we’ve ever experienced.
Karl Mudra, CIO, Delta Dental of Missouri
Cloud Managed Services
Vormetric Data Security Platform: Solves inefficiencies of point product solutions
Follow The Cloud Adoption: Private, Public Hybrid Cloud
Cloud Managed Services
“The Vormetric Solution allows customers to extend proven security practices to their cloud deployments and we are pleased to see it also made available in AWS marketplace.”
Terry Wise, Director, WW Ecosystem
Follow The Big Data Adoption: World-Class Vendors Rely on Vormetric +
“Most enterprise big data projects were initially grassroots efforts with no involvement from enterprise information security departments, inadvertently exposing sensitive data.”
Gartner, November 2013
[Chart, 2013 (n = 720). Categories: Have invested in big data technology; Plan to within the next year; Plan to within two years; No plans at this time; Don’t know. Values shown: 31%, 30%, 19%, 15%, 5%. 64% Investing or Planning.]
Vormetric Data Security Platform
Delivering data security extensibility
Vormetric Data Security Manager: Accelerated Time to Value with Consolidated Control
• Centrally manage keys and policy
• Virtual and physical appliance
• High-availability with cluster
• Multi-tenant and strong separation of duties
• Proven 10,000+ device and key management scale
• Web, CLI, API Interfaces
• FIPS 140-2 certified
[Diagram labels: Policy and key Management; Web GUI; CLI/API; DSM; KMIP]
Vormetric Data Security Manager: High Availability
[Diagram labels: Protected Server; DSM Primary; DSM Secondary; X; No Service Disruption]
1. Agent Communicates with primary DSM
2. Keys received from Primary when needed
3. Agents now retrieve keys from Secondary DSM
4. Keys received from Secondary when key expires
Vormetric Transparent Encryption: Simplified Encryption and Access Control
[Diagram labels: Allow/Block, Encrypt/Decrypt; User, Application, Database, File Systems, Volume Managers, Storage; Big Data, Databases or Files]
Approved Processes and Users: John Smith 401 Main Street (Clear Text)
Privileged Users (SA, root user): *$^!@#)(-|”_}?$%-:>> (Encrypted)
Cloud Provider / Outsource Administrators: *$^!@#)(-|”_}?$%-:>> (Encrypted)
Vormetric Security Intelligence: Logs to SIEM
DSM: Vormetric Data Security Manager, on enterprise premise or in cloud, virtual or physical appliance
Policy Example: Structured Data
Policy Summary: Only the DB Service account, using the whitelisted DB binaries, has full transparent access to the encrypted DB objects.
The privileged administrative accounts are allowed to manage the encrypted DB objects but have no ability to decrypt the DB objects.
Deny and audit non-conforming data requests at the I/O layer.

# | Resource         | User                    | Process                          | Action             | Effects
1 | DB and Log files | DB Service account      | DB binary (sqlservr.exe, oracle) | read/write         | permit, encrypt/decrypt
2 | DB and Log files | Administrative accounts | *                                | read metadata only | permit, audit
3 | DB and Log files | *                       | *                                | *                  | deny, audit

Policy Benefits: Database encryption, without changing database schema or application code. Remove custodial risk of privileged account compromise.
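The three-row policy above, modelled as an added Python example (not Vormetric's policy language or code), to show why an administrative account can manage the files yet never sees clear text, and why a service account running a non-whitelisted binary falls through to the deny rule. Top-down first-match evaluation, the `/db/*` path, the account names and the `read_metadata` action label are assumptions made for the illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatch

@dataclass(frozen=True)
class Rule:
    resource: str      # glob over guarded file paths
    users: tuple       # account names, or ("*",) for any
    processes: tuple   # requesting binaries, or ("*",) for any
    actions: tuple     # requested operations, or ("*",) for any
    effects: tuple     # what happens when the rule matches

# The slide's three rows. The /db/* path and the account names are
# constructed for this example; the binaries are the ones the slide names.
POLICY = (
    Rule("/db/*", ("dbsvc",), ("sqlservr.exe", "oracle"),
         ("read", "write"), ("permit", "encrypt/decrypt")),
    Rule("/db/*", ("root", "dbadmin"), ("*",),
         ("read_metadata",), ("permit", "audit")),
    Rule("/db/*", ("*",), ("*",), ("*",), ("deny", "audit")),
)

def matches(value, allowed):
    return "*" in allowed or value in allowed

def evaluate(user, process, action, path, audit_log):
    """Return (rule number, effects) of the first matching rule.

    Top-down, first-match evaluation is an assumption of this model.
    """
    for number, rule in enumerate(POLICY, start=1):
        if (fnmatch(path, rule.resource) and matches(user, rule.users)
                and matches(process, rule.processes)
                and matches(action, rule.actions)):
            if "audit" in rule.effects:
                audit_log.append((number, user, process, action, path))
            return number, rule.effects
    return None, ()  # path is not guarded by this policy

def sees_cleartext(effects):
    """Data is decrypted only when the rule permits AND applies the key."""
    return "permit" in effects and "encrypt/decrypt" in effects

if __name__ == "__main__":
    log = []
    for req in (("dbsvc", "sqlservr.exe", "write"), ("root", "ls", "read_metadata"),
                ("root", "cat", "read"), ("dbsvc", "cp", "read")):
        number, effects = evaluate(*req, "/db/data01.mdf", log)
        print(req, "-> rule", number, effects, "cleartext:", sees_cleartext(effects))
```

The audit list collects every rule 2 and rule 3 hit, which is the kind of record the deck later describes forwarding to a SIEM.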
Vormetric Application Encryption: Compliance Without the Complexity
[Diagram labels: www.acme.com Web Server; Application Server; Application; Vormetric Application Encryption (VAE); Database, Big Data or File Storage; DSM]
Encryption Key Request / Response*
*Key exchange at initial request or policy changes
Clear text at the application: 1234567891234567, Jon Dough
As stored: $#Ad#$g&*j%J1TJCZ, Jon Dough
Leverage Vormetric encryption and key management proven reliability and performance
APIs, Libraries and Sample code
• Java, C/C++, .Net
Vormetric Security Intelligence: Accelerate Insider Threat and APT Detection
• Log and audit data access
• Alarm abnormal access patterns
• Identify compromised users, administrators and applications
• Accelerate APT and malicious insider recognition
• Supports compliance and contractual mandate reporting
Security Intelligence, Detecting Abuse: Splunk App Example
It is suspicious that Dirk has so many denied file access events.
This behavior might be abuse or malware with Dirk’s credentials.
[Annotated log event: Admin Dirk Snowman imitated user steve, attempted to read this file, and was denied access because he violated this policy.]
Couchbase and Vormetric: Addressing Data Security and Compliance Needs
Follow the data: Organizations must address increasing security, data privacy and compliance requirements
Business is increasingly moving to Big Data
Big Data adoption debate shifted from “if” to “how”
Couchbase and Vormetric have conducted integration testing
Upcoming technical collateral and training