June 30th, 2016
Big Data Security & Governance: Instilling Confidence and Trust
Nick Curcuru
©2016 MasterCard. Proprietary and Confidential
Today's Discussion
• Introduction to MasterCard
• Security Landscape
• Security Pillars
• Top 10 threats: Infrastructure and Data Architecture
• Hadoop Security Model
• Governance and Compliance
• Summary
MasterCard – Technology & Services
Payment Processing
Payment Products
Sponsorships
Consulting Expertise
Information Services
Implementation Services
MasterCard helps our customers use Big Data
Goals:
• Increasing revenue generation
• Increasing analytic & IT capabilities
• Protecting assets
Use cases and capabilities:
• Customer centricity
• Monetization of data
• MasterCard data providing hosting* capabilities
• Real-time interactions
• Improve enterprise data stewardship
• Reduce risk of security incident
• Media measurements
• Journey analytics
MasterCard Securing Big Data
2.2B+ global cards
160MM transactions per hour
Advanced analytics are applied in a safe and secure environment, finding trends and insights.
Card swipes: amount spent, time, merchant & location. Data anonymized.
Analysis | Risk Detection | Customer 360 | Location selection | Customer Engagement | Economic Indicators
Top 5 Industries for Cyber Attacks
Source: 2016 Cyber Security Intelligence Index
2015: 1. Healthcare  2. Manufacturing  3. Financial Services  4. Government  5. Transportation
2014: 1. Financial Services  2. Information & Communication  3. Manufacturing  4. Retail and Wholesale  5. Energy and Utilities
Per Record Cost of a Data Breach
Source: 2015 Cost of Data Breach Study: Global Analysis. Benchmark research sponsored by IBM, independently conducted by Ponemon Institute LLC, May 2015
[Bar chart: per-record cost by category, ranging from $363 at the high end to $68 at the low end. Values shown: $363, $300, $220, $215, $179, $165, $155, $137, $136, $132, $129, $127, $126, $124, $121, $68; category labels not recoverable.]
Your next attacker is likely to be someone you thought you could trust
Source: 2016 Cyber Security Intelligence Index
Top 10 Infrastructure Vulnerabilities: Systems, Software, Storage
1. Perimeter Authentication
2. System Monitoring
3. Testing
4. User Authentication
5. Applications
6. Hardware
7. Encryption keys
8. Environments
9. Shared Responsibilities
10. Software Updates
Top 10 Data Architecture Vulnerabilities: Data - Architecture, Governance, Management
(Detailed in the bonus slides)
1. Co-mingling of data
2. Applications
3. Access Controls
4. Key Storage
5. Data Movement
6. Security & Operational Configurations
7. Data Logs
8. Governance Standards
9. Response & Business Continuity Plans
10. Data Usage Monitoring
Nearly half of security incidents in 2015 were the result of unauthorized access
Source: 2016 Cyber Security Intelligence Index

Incident category              2014    2015
Unauthorized access             37%     45%
Malicious code                  20%     29%
Sustained probe/scan            20%     16%
Suspicious activity             11%      6%
Access or credentials abuse      8%      3%
SECURITY PILLARS
Four Pillars of Security
PERIMETER [Authenticating]
VISIBILITY [Auditing]
ACCESS [Authorizing]
DATA [Architecting]
Perimeter Security – Authenticating: Guarding access to the environment (cluster)
Ensure your cluster:
• Preserves user choice of the right Hadoop service (e.g. Impala, Spark)
• Conforms to centrally managed authentication policies
• Implements with existing standard systems: Active Directory and Kerberos
  1. User authenticates to Active Directory
  2. Authenticated user gets a Kerberos ticket
  3. Ticket grants access to services
Access Security – Authorizing: Defining user roles and their data access; outlining what data applications can use
Ensure your cluster:
• Defines and provides users access to data needed to do their job
• Centrally manages access policies – protect all paths with strong policies moving security away from the applications
• Leverages a role-based access control model built on Active Directory
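A worked illustration of the Access pillar, added here and not code from the deck or from MasterCard: Active Directory group membership maps to roles, roles carry SELECT privileges scoped to database, table and column, and one central deny-by-default check answers every request so the applications do not carry the policy. The group names, roles and the payments.txn columns are constructed for the example.

```python
"""Central, role-based, column-level authorization check (added example).
AD groups -> roles -> privileges scoped to database/table/column; the
check is deny-by-default and lives in one place rather than in each app.
Group names, roles and the payments.txn schema are constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Privilege:
    action: str                              # e.g. "SELECT"
    database: str
    table: str
    columns: frozenset = frozenset({"*"})    # "*" = every column in the table

    def covers(self, action, database, table, column):
        return (self.action == action
                and self.database == database
                and self.table == table
                and ("*" in self.columns or column in self.columns))


@dataclass
class Policy:
    group_roles: dict = field(default_factory=dict)  # AD group -> set(roles)
    role_privs: dict = field(default_factory=dict)   # role -> [Privilege]

    def roles_for(self, groups):
        roles = set()
        for g in groups:
            roles.update(self.group_roles.get(g, ()))
        return roles

    def is_allowed(self, groups, action, database, table, column):
        """Deny by default: allow only if some role privilege covers the column."""
        return any(p.covers(action, database, table, column)
                   for role in self.roles_for(groups)
                   for p in self.role_privs.get(role, ()))

    def authorize_select(self, groups, database, table, columns):
        """Split a requested projection into (allowed, denied) columns so the
        query can be rewritten to touch only what the roles permit."""
        allowed = [c for c in columns
                   if self.is_allowed(groups, "SELECT", database, table, c)]
        denied = [c for c in columns if c not in allowed]
        return allowed, denied


def build_demo_policy():
    """Constructed policy: analysts see transaction facts but never the PAN
    column; fraud operations additionally see the (tokenized) PAN column."""
    pol = Policy()
    pol.group_roles = {
        "AD\\BigData-Analysts": {"analyst"},
        "AD\\Fraud-Ops": {"analyst", "fraud"},
    }
    pol.role_privs = {
        "analyst": [Privilege("SELECT", "payments", "txn",
                              frozenset({"txn_id", "amount", "merchant", "ts"}))],
        "fraud": [Privilege("SELECT", "payments", "txn", frozenset({"pan_token"}))],
    }
    return pol


if __name__ == "__main__":
    pol = build_demo_policy()
    req = ["txn_id", "amount", "pan_token"]
    print(pol.authorize_select({"AD\\BigData-Analysts"}, "payments", "txn", req))
    print(pol.authorize_select({"AD\\Fraud-Ops"}, "payments", "txn", req))
```

The point of returning both lists is that the enforcement point can rewrite the query rather than fail it outright, which is how column-level policy stays usable for analysts while the PAN column is never projected for a role that lacks it.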
Visibility Security – Auditing: Reporting on where data came from and how it's put together
Ensure your cluster:
• Can document where report data came from and how it was put together
• Complies with policies for audit, data classification, and lineage
• Centralizes the audit repository
Data Security – Architecting: Protecting data to internal and external standards
Ensure your cluster:
• Controls which data analysis is performed on
• Encrypts data protecting it from the root to its final destination
• Applies security at the meta data level
• Has well laid out encryption key management and token policies
• Integrates with existing hierarchical storage management as part of key management infrastructure
Table stakes for big data security
• Native data encryption
• Security embedded in metadata
• Integrated key management
• Authorization
• Authentication – Multi-Factor
• Strong role based access
• Monitoring in real time
• Audit and data lineage
• Hardware-enabled security
• Enterprise identity management integration
Best practices
People and Process
• Segregation of Duties
• Segregation of Data Access
• Continuous knowledge transfer, training and awareness
• Process documentation – controls, response and continuity planning
Technology
• Strong Authentication & Authorization
• Real Time Monitoring
• Regular Penetration Testing
Lessons learned
• Emphasize Hadoop isn’t one thing, but a “collection of things”
• Education & documentation is 60% of the effort
• Explain why Hadoop isn't a database, so don't expect similar controls
• Security is neither quick nor easy
• Big Data technology is still maturing
• Close collaboration with your partners is critical
• Security is continuous not a check in the box
What to do
Where to Start
1. Assess security maturity over three dimensions:
– People, Process and Technology
2. Classify data into categories
– Personally Identifiable, Health Data, Payment Related, Analysis
3. Start real time system and data monitoring
4. Take inventory of current Hadoop system security capabilities
– Refer to security table stakes and identify gaps
5. Identify training needs
– Business, Technology and Third Party Partners
Start with the Hadoop Security Maturity
(Chart axes: Data Volume & Sensitivity against Security Compliance & Risk Mitigation; levels 0 to 3)
Level 0 - Pilot: Data Free-for-All. Available & error-prone. Highly vulnerable, data at risk.
Level 1 - Basic Security Controls: authorization, authentication, auditing. Reduced risk exposure.
Level 2 - Data Security & Governance (Enterprise Data Hub): lineage visibility, metadata discovery, encryption & key management. Managed, secure, protected.
Level 3 - Regulatory Compliance (Secure Data Vault): audit-ready & protected. Security enforcement for all data-at-rest and data-in-motion: full encryption, encryption management, token system management, transparency, real-time monitoring, element-level security.
Transparent Encryption & Key Management
Protection for all data:
• Structured and unstructured
• Metadata, temp files and log files
Data-at-rest encryption options:
• HDFS encryption for the data
• Encryption for metadata and log files
Cluster layers shown: YARN (Resource Manager); data management layer with Impala, Hive, HDFS and HBase; Apache Sentry for authorization; SSL certificates and SSH keys; log/config/spill files; keys held in an HSM.
Look at Apache Atlas
Source: Apache Software Foundation and Hortonworks
Features
• Data Classification
• Metadata
• Centralized Auditing
• Search & Lineage (Browse)
• Security & Policy Engine
Compliance and Governance
Compliance evolution: Integrity, Stewardship, Ethics, Specific
Governance:
• Taxonomy
• Transparency
• Auditability
• Consistency
• Accountability
• Checks-and-Balances
• Standards
Controls / Guardian
Summary
• 60 % of threats are from inside the organization
• Security is applied end to end in the process
• Assess People, Process and Technology in your security strategy
• Hadoop is still maturing
• Governance includes data usage
• Don’t confuse compliance with security
QUESTIONS
Contact Us
Nick Curcuru, +1 (914) 413 3822
BONUS SLIDES
Top 10 Infrastructure Vulnerabilities
1. Perimeter Authentication  2. System Monitoring  3. Testing  4. User Authentication  5. Applications  6. Hardware  7. Encryption keys  8. Environments  9. Shared Responsibilities  10. Software Updates
Points of Attack - Infrastructure (1-5)
1. Perimeter Authentication
   Threat: only password credentials are used to authenticate to the environment.
   Mitigation: use two-factor authentication: tokens, RSA or biometric technology.
2. User Authentication
   Threat: users authenticate with generic, shared or application IDs.
   Mitigation: credentials should never be shared; each user and application should have unique, non-shared credentials to host systems.
3. Applications
   Threat: applications control data access.
   Mitigation: enforce access to data at the system level and at the data element (fine-grained).
4. Hardware
   Threat: database and application servers run on the same hardware.
   Mitigation: separate database and application servers to isolate attack vectors.
5. Encryption Keys
   Threat: encryption keys are not rotated.
   Mitigation: set up periodic rotation of encryption keys.
Points of Attack - Infrastructure (6-10)
6. Environments
   Threat: insecure/uncertified environments have direct access to secure/certified environments.
   Mitigation: segregate systems; systems with access to each other need the same levels of security and controls.
7. Shared Responsibilities
   Threat: systems admin, DBA, application developer and web admin responsibilities are shared.
   Mitigation: divide responsibilities; implement role-based access and controls.
8. Software Updates
   Threat: patches or upgrades do not happen on a regular release cycle, leaving the system exposed to known software vulnerabilities.
   Mitigation: set up a release schedule, hold software vendors to security standards and verify the standards are met.
9. System Monitoring
   Threat: the platform is not monitored on a continual basis, setting up a reactive, after-the-fact posture.
   Mitigation: set up constant monitoring of the environment using data-driven alerts.
10. Testing
   Threat: infrequent penetration tests and application security scans.
   Mitigation: develop a penetration testing schedule and review remediation quarterly.
Top 10 Data Architecture Vulnerabilities
1. Co-mingling of data  2. Applications  3. Access Controls  4. Key Storage  5. Data Movement  6. Security & Operational Configurations  7. Data Logs  8. Governance Standards  9. Response & Business Continuity Plans  10. Data Usage Monitoring
Points of Attack - Enterprise Information Management (1-5)
1. Co-mingling of data
   Threat: sensitive data (encrypted, tokenized or hashed) is commingled with non-sensitive data.
   Mitigation: use physical or logical separation between data types.
2. Applications
   Threat: reliant on applications to control access to data and enforce data security standards.
   Mitigation: apply security at the table, field and element level, as well as at the application level.
3. Access Controls
   Threat: users have access to data they should not, or access to data that is unnecessary.
   Mitigation: use role-based access control and apply fine-grained data access controls.
4. Key Storage
   Threat: encryption keys are stored with the data they encrypt.
   Mitigation: store encryption keys in a separate location away from the data and limit access through controlled processes.
5. Data Movement
   Threat: sensitive data is not encrypted on disk (at rest) or on the wire (in motion).
   Mitigation: encrypt all sensitive data at rest and in motion.
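The Key Storage and Data Movement items above, together with the Encryption Keys rotation item on the infrastructure list, share one design: keys live in a vault, the data store holds only tokens, and every token carries the version of the key that produced it, so keys rotate on a schedule without breaking tokens already in the lake. The sketch below is an added example in Python using only the standard library; it is not MasterCard's tokenization system. The PAN is a public test card number, and the in-process vault stands in for the HSM-backed service the deck's diagram implies.

```python
"""Tokenization vault sketch (added example, stdlib only). The vault holds
the HMAC keys by version and the token->PAN map; the data store that analysts
query holds tokens only. Tokens carry their key version, so rotate() can be
run on a schedule without re-tokenizing history. The PAN used below is a
public test number; the vault is in-process here instead of an HSM-backed
service, which is an assumption made to keep the example runnable."""
import hashlib
import hmac
import secrets


class TokenVault:
    def __init__(self):
        self._keys = {}            # key version -> 32-byte HMAC key
        self._current = 0
        self._token_to_pan = {}    # the only place a clear PAN is kept
        self.rotate()

    def rotate(self):
        """Periodic key rotation: new tokens use the new version; old tokens
        stay resolvable because the map, not the key, resolves them."""
        self._current += 1
        self._keys[self._current] = secrets.token_bytes(32)
        return self._current

    def tokenize(self, pan):
        """Deterministic per key version, so equal PANs join on equal tokens."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("not a PAN-shaped value")
        v = self._current
        mac = hmac.new(self._keys[v], pan.encode(), hashlib.sha256).digest()
        # Keep the last four digits for analytics and replace the rest with
        # digits derived from the MAC; the "v<n>:" prefix marks the value as
        # a token so it can never be mistaken for a PAN downstream.
        body = "".join(str(b % 10) for b in mac[: len(pan) - 4])
        token = f"v{v}:{body}{pan[-4:]}"
        if self._token_to_pan.get(token, pan) != pan:
            raise RuntimeError("token collision; rotate or widen the token")
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token):
        """Only callers with vault access (audited separately) get the PAN back."""
        return self._token_to_pan[token]


def store_transaction(vault, record):
    """What reaches the Hadoop data store: the record with the PAN replaced by
    a token. No key material and no clear PAN travels with the data."""
    stored = dict(record)
    stored["pan_token"] = vault.tokenize(stored.pop("pan"))
    return stored


if __name__ == "__main__":
    vault = TokenVault()
    row = store_transaction(vault, {"pan": "4111111111111111", "amount": 12.50})
    print(row)                                    # pan_token "v1:...1111"
    vault.rotate()
    print(vault.tokenize("4111111111111111"))     # now a "v2:" token
```

Two properties matter for the deck's argument: the data store never sees a key or a clear PAN (the Key Storage item), and rotation is a vault operation that the data never notices (the rotation item), because the version prefix tells the vault which key a token came from.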
Points of Attack - Enterprise Information Management (6-10)
Data - Architecture, Governance, Management
6. Security & Operational Configurations
   Threat: security and operational configurations are not documented or reviewed regularly.
   Mitigation: document all configurations, develop an audit trail for changes, and review configurations yearly.
7. Data Logs
   Threat: sensitive data is written to system logs in an unprotected form.
   Mitigation: metadata carries security throughout the data trail and enables enforcement.
8. Governance Standards
   Threat: little to no governance standards and rules exist; where they do, they focus on data quality.
   Mitigation: document standards, set up a review cycle (at minimum yearly) and include data usage as part of the standards.
9. Response & Business Continuity Plans
   Threat: the information security response and business continuity plans do not exist or are not reviewed/exercised on a regular basis.
   Mitigation: yearly review and revision of each plan using a cross-functional team: Infosec, IT, Operations, Legal.
10. Data Usage Monitoring
   Threat: data usage is either not monitored on a continual basis or is buried in logs that no one looks at.
   Mitigation: set automated thresholds and measurements using the data to drive exception alerts.
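The Data Logs and Data Usage Monitoring items above are both checks that can run continuously over log lines rather than wait for an audit. The block below is an added Python example, not MasterCard's monitoring, run over constructed application-log and HDFS-audit-style lines: it finds clear PANs by a digit-run pattern confirmed with the Luhn check, counts file opens per user from the audit log, and raises exception alerts for users above a threshold derived from the data itself (median plus three MADs). The log formats, user names and paths are constructed; the card numbers are public test numbers.

```python
"""Log checks for the Data Logs and Data Usage Monitoring items (added
example). Input lines are constructed: the audit format mimics HDFS audit
logging but is hand-written, and the PANs are public test numbers."""
import re
from collections import Counter
from statistics import median

# 13-19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
AUDIT_RE = re.compile(r"ugi=(?P<user>\S+).*?cmd=(?P<cmd>\w+)\s+src=(?P<src>\S+)")


def luhn_ok(digits):
    """Luhn checksum: separates card numbers from order ids and counters."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_clear_pans(line):
    """Digit runs in `line` that look like PANs and pass Luhn, separators removed."""
    hits = []
    for m in PAN_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def access_counts(audit_lines, cmd="open"):
    """Per-user count of `cmd` operations taken from audit log lines."""
    counts = Counter()
    for line in audit_lines:
        m = AUDIT_RE.search(line)
        if m and m.group("cmd") == cmd:
            counts[m.group("user")] += 1
    return counts


def flag_outliers(counts, k=3.0):
    """Exception alerts driven by the data: users whose count exceeds
    median + k * MAD. With few users the MAD can be 0, so it floors at 1."""
    values = list(counts.values())
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1
    threshold = med + k * mad
    return {u: c for u, c in counts.items() if c > threshold}, threshold


# Constructed sample input.
APP_LOG = [
    "2016-06-30 10:02:11 WARN PaymentService: auth failed for card 4111111111111111 amount=12.50",
    "2016-06-30 10:02:12 INFO PaymentService: retry for card 5500 0000 0000 0004",
    "2016-06-30 10:02:13 INFO OrderService: order 1234567890123456 created",   # fails Luhn
    "2016-06-30 10:02:14 INFO PaymentService: settled pan_token=v1:038261649227 1111",
]


def _audit(user, cmd, n):
    return [f"2016-06-30 10:0{i % 10}:00,000 INFO FSNamesystem.audit: allowed=true "
            f"ugi={user}@EXAMPLE.COM (auth:KERBEROS) ip=/10.0.0.{i % 250 + 1} cmd={cmd} "
            f"src=/data/payments/txn/part-{i:04d} dst=null perm=null proto=rpc"
            for i in range(n)]


AUDIT_LOG = (_audit("alice", "open", 3) + _audit("alice", "listStatus", 5)
             + _audit("bob", "open", 2) + _audit("carol", "open", 3)
             + _audit("dave", "open", 30))


if __name__ == "__main__":
    for line in APP_LOG:
        for pan in find_clear_pans(line):
            print("CLEAR PAN IN LOG:", pan[:6] + "*" * (len(pan) - 10) + pan[-4:])
    alerts, thr = flag_outliers(access_counts(AUDIT_LOG))
    print(f"threshold={thr}: {alerts}")
```

The Luhn step is what keeps the log scan usable: a 16-digit order id is reported as nothing, while spaced or hyphenated card numbers are still caught. The robust threshold matters for the same reason on the usage side: with one user opening ten times more files than the rest, a mean-based cut-off would be dragged upward by the very outlier it should catch.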