Encryption and Masking of Sensitive Data for Spark Analytics (CCPA Compliance & Governance)
Les McMonagle, Chief Security Strategist – SecuPi
Alon Rosenthal, CEO – SecuPi
Les McMonagle - Speaker Bio
Chief Security Strategist
Les has 25 years’ experience in information security consulting and advisory services. He has held the position of CISO for a credit card company and ILC bank, founded a computer training & IT outsourcing company, directed the security and network technology practice for Cambridge Technology Partners across Europe, and helped several security technology firms develop their initial product strategy.
Les founded and managed Teradata’s InfoSec COE, was Chief Security Strategist at Protegrity, Vice President of Security Strategy at BlueTalon and is now Chief Security Strategist at SecuPi.
Les holds a BS in MIS, CISSP, CISA, ITIL and other relevant industry certifications.
Alon Rosenthal - Speaker Bio
SecuPi CEO
Alon has more than 15 years of technology leadership experience.
Prior to establishing SecuPi in 2014, Alon was the founder of ActiveBase where he invented dynamic data masking. ActiveBase won the 2010 Gartner Cool Vendor prize and the 2011 SC Magazine Innovation Award. Alon sold ActiveBase to Informatica, where it later became Informatica’s DDM solution.
Alon has an MBA from Tel Aviv University and dual Bachelor's degrees in Industrial Engineering and Economics, both summa cum laude, from the Technion – Israel Institute of Technology. He is a 3rd DAN Okinawan Goju-ryu black belt.
Agenda
Les McMonagle
▪ Balancing Data Protection with Analytics Value
▪ Satisfying CCPA Privacy Compliance Mandates
▪ Why HYOK Eclipses BYOK
Alon Rosenthal
▪ Demonstrating practical methods to achieve appropriate balance between data protection and data usability on Spark and Kafka
Plethora of Data Privacy Regulations
California Consumer Privacy Act (CCPA)
New York State NYDFS 23 NYCRR 500
South Carolina Insurance Data Security Act
EU’s General Data Protection Regulation (GDPR)
Dubai DIFC Data Protection Law
Japan Act on the Protection of Personal Information
Chicago Personal Data Collection & Protection Ordinance (Introduced)
India Personal Data Protection Bill (PDPB)
Colorado House Bill 18-1128
Brazil General Data Protection Regulation
Russia Data Protection Law
San Francisco “Privacy First Policy”: Nov 2018 Ballot
Thailand Personal Data Protection Act (PDPA)
S. Africa Data Protection Act (POPI)
Canada Digital Privacy Act & PIPEDA
Australia Data Privacy Regulations
Family Educational Rights and Privacy Act (FERPA)
Common Use Cases
▪ Real-time User Behavior Activity (UBA) Monitoring & Auditing: Immediately detect, alert, report or even block any anomalous or abnormal data access
▪ Cross Border / LOB / Business Partner Access Restrictions: Geographic “Fencing” of access within Country / State / Legal Entity
▪ Staff/VIP/Celebrity Patient Customers/Unmask Feature: Block unauthorized employee access to other staff, neighbors, family members or VIP customers
▪ Consent & Preference Management (Opt-In / Opt-Out), RTBF: Enforce Near Real Time (NRT) “Soft Delete” (RTBF), other Opt-In / Opt-Out preferences in one place
Balancing Two Opposing Forces
Data Protection and Privacy Compliance
▪ Personally Identifiable Information (PII) must be protected and access strictly controlled on a “Need-to-Know” basis
▪ California Consumer Privacy Act (CCPA) introduces strict new data privacy requirements that must always be satisfied
▪ RTBF, Consent and Preference Management (Opt-In/Opt-Out) must be managed
Advanced Data Analytics & Monetization of Data
▪ Unlimited access to all possible data
▪ Data hosted and processed in a plethora of data repositories On-Prem and in the Cloud
▪ Data Mobility and Hosting Flexibility
▪ Freedom to leverage Any or All Analytics Tools or Applications from anywhere
Essential Data Protection & Compliance Capabilities
Data Loss Prevention (DLP)
Prevent abuse / malicious insiders / credential theft
• Fine-grained access control, auditing and activity monitoring, including sensitive columns tokenized or encrypted at rest or not
• Monitor end-user/role/Geo-location
Data Governance
Compliance with GDPR / CCPA / Geo-Fencing
• Row-level security
• Dynamic Data Masking
• VIP Client filtering
• “Right of Erasure”
Column-Level Encryption
Column encryption & decryption without API / code changes
• Support key per column
• 3rd Party HSM or KMS encryption integration
SECURITY
BYOK (Bring your Own Key) versus HYOK (Hold Your Own Key)
BYOK – Key Shared
Decryption Key resides on Cloud Data Platform!
Encrypted name: SGDA GBBQA, SSN: 731 433 663
BYOK Decryption: John Smith, SSN: 123 456 789 available on the Cloud Data Platform for ALL incoming requests!
Business Users, Analysts & Data Scientists, Application Admins, Developers & DBAs: All can see John Smith, SSN: 123 456 789
All users can access decrypted data

HYOK – Key NOT Shared
Key Segregated from Cloud Data Platform!
Encrypted name: SGDA GBBQA, SSN: 731 433 663
HYOK Decryption: Decryption applied only on apps/tools for users/roles on a “need-to-know” basis
Business Users, Analysts & Data Scientists, Application Admins, Developers & DBAs: Authorized users see: John Smith | Unauthorized see: SGDA GBBQA
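An added illustration of the BYOK/HYOK contrast above (not SecuPi's code or part of the original slides): a toy format-preserving Feistel cipher stands in for column-level FPE, and the `HyokGateway` class, the role names and the key are hypothetical and constructed for the example.

```python
import hashlib
import hmac

def _f(key: bytes, rnd: int, half: str, width: int) -> int:
    """Keyed round function: HMAC-SHA256 reduced to `width` decimal digits."""
    mac = hmac.new(key, f"{rnd}|{half}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % 10 ** width

def fpe_digits(key: bytes, digits: str, decrypt: bool = False, rounds: int = 8) -> str:
    """Toy Feistel cipher over decimal strings (illustrative only, NOT NIST FF1)."""
    if len(digits) < 2 or not (digits.isascii() and digits.isdigit()) or rounds % 2:
        raise ValueError("need >= 2 decimal digits and an even round count")
    u = len(digits) // 2
    v = len(digits) - u
    a, b = digits[:u], digits[u:]
    for i in (reversed(range(rounds)) if decrypt else range(rounds)):
        m = u if i % 2 == 0 else v          # halves alternate width on odd lengths
        if decrypt:
            a, b = str((int(b) - _f(key, i, a, m)) % 10 ** m).zfill(m), a
        else:
            a, b = b, str((int(a) + _f(key, i, b, m)) % 10 ** m).zfill(m)
    return a + b

class HyokGateway:
    """Enforcement point outside the cloud platform; the only holder of the key."""
    def __init__(self, key: bytes, need_to_know: set):
        self._key, self._need_to_know = key, need_to_know

    def protect(self, value: str) -> str:
        # Applied during ingestion, before the column is hosted in the cloud.
        return fpe_digits(self._key, value)

    def read(self, role: str, stored: str) -> str:
        # Authorized roles get cleartext; everyone else gets the stored ciphertext.
        if role in self._need_to_know:
            return fpe_digits(self._key, stored, decrypt=True)
        return stored

def byok_platform_read(platform_key: bytes, role: str, stored: str) -> str:
    """BYOK contrast: the key sits on the platform, so every request is decrypted."""
    return fpe_digits(platform_key, stored, decrypt=True)

KEY = b"constructed-demo-key"                    # constructed sample key
gateway = HyokGateway(KEY, {"claims_analyst"})   # hypothetical role name
stored_ssn = gateway.protect("123456789")        # what the cloud table holds
```

The ciphertext keeps the nine-digit shape of the SSN, so schemas and joins on the column still work while the platform never sees the key.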
Data-Centric Security & Privacy Example for all AWS Data Services
Apply Column-level Encryption (at rest & in transit), Fine-Grained Access Control to ALL sensitive data with Dynamic Masking, Anonymization, Accountability, Audit Trail and UBA across ALL AWS Workloads
1> Column-level Encrypted HYOK while holding keys on-prem
2> Sensitive Columns Remain Encrypted On All AWS Compute Layer
3> Decrypt per user/role/location on “Need-to-know”/legal basis…
[Architecture diagram. Components shown: Sense, PowerBI, DBeaver, Dashboards, Native-Cloud Applications, SageMaker, Lambda Functions, DynamoDB, RDS, EMR, Redshift, Aurora, KSQL Cluster, KSQL Client, Applications, On-prem Data Sources, Cloud KMS / HSM, and SecuPi Policy Management (Docker Container, K8s Cluster: Policy Management, Orchestration, Audit Trail)]
Information Security Level 2 – Sensitive. © 2019 – Proprietary & Confidential Information of SecuPi
BCBS (Healthcare) – Case Study
BCBS Requirements
• Encrypted Patient ID
• Data Discovery &
• Data Flow Mapping
• HYOK

Support for: Spark, Hive, LLAP, Kafka, Storm, R, Jupyter

SecuPi Management Server: Policy Definition, Distribution, Orchestration, …

[Capability diagram. Labels shown: Discovery & Classification, Data Flow Classification, Data Inventory, Data Discovery & Inventory, Real Time Activity Monitoring, Sensitive Data User Activity Monitoring, Enforcement & Remediation, Encryption at Rest, Encryption in Use, Logical Deletion, Dynamic Masking, Physical Deletion, Consent]

Integrations
• Active Directory/LDAP
• Send log data and alerts to SIEM
• KMS/HSM Integration

[Architecture diagram: Azure Cloud, column-level FPE encryption during ingestion; original data decrypted on a need-to-know basis & ABAC]
SecuPi Application Overlays
(1) SecuPi Application-Server Instrumentation Overlays
(2) SecuPi ODBC/JDBC Driver Wrappers
(3) SecuPi Gateways
Clients and tools shown: PowerBI; Java, .Net, NodeJS, Python, Custom Apps; Snowflake Web Tools, CLI; SnowSQL, Python connector; LLAP
Data flow: Ingestion (John Smith 123 456 789) → column-level FPE encryption (SGDA GBBQA 731 433 663) → Consumption (John Smith 123 456 789)
Demo
How important is it for your organization to apply column-level encryption (HYOK) prior to data being hosted in the cloud?
▪ Essential for any Cloud migration involving sensitive or regulated PII
▪ Nice to have the option for data sets involving PII
▪ Not required – No plans to host sensitive or regulated data on Cloud
▪ Cloud Hosting provider file-level encryption and key management is good enough
Elmar Grasser, CTO at Sunrise Switzerland
“At Sunrise, customers’ data protection has the highest priority. Security and data protection is a complex global issue. SecuPi were able to fulfil our requirements, ensuring peace of mind for our enterprise clients and their customers.”