Copyright © 2015 Centrify Corporation. All Rights Reserved. 1
Simplify and Secure Your Hadoop Environment with Hortonworks and Centrify
Satish Veerapuneni Senior Product Manager, Centrify
Vinod Nair Senior Manager, Hortonworks
Page 2 © Hortonworks Inc. 2011 – 2015. All Rights Reserved
Hadoop for the Enterprise: Implement a Modern Data Architecture with HDP
Customer Momentum
• 437 customers (end of Q1 2015)
Hortonworks Data Platform
• Completely open multi-tenant platform for any app & any data.
• A centralized architecture of consistent enterprise services for resource management, security, operations, and governance.
Partner for Customer Success
• Open source community leadership focus on enterprise needs
• Unrivaled world class support

• Founded in 2011
• Original 24 architects, developers, operators of Hadoop from Yahoo!
• 650+ Employees
• 1100+ Ecosystem Partners
Hadoop for the Enterprise Hortonworks. We do Hadoop.
Traditional systems under pressure
Challenges
• Constrains data to app
• Can’t manage new data
• Costly to Scale
[Figure: new data (clickstream, geolocation, web data, Internet of Things, docs and emails, server logs) versus traditional data (ERP, CRM, SCM); 2.8 zettabytes in 2012, 40 zettabytes in 2020; business value for laggards versus industry leaders.]
Hadoop emerged as foundation of new data architecture
Apache Hadoop is an open source data platform for managing large volumes of high velocity and variety of data
• Built by Yahoo! to be the heartbeat of its ad & search business
• Donated to Apache Software Foundation in 2005 with rapid adoption by large web properties & early adopter enterprises
• Incredibly disruptive to current platform economics
Traditional Hadoop Advantages
• Manages new data paradigm
• Handles data at scale
• Cost effective
• Open source
Traditional Hadoop Had Limitations
• Batch-only architecture
• Single purpose clusters, specific data sets
• Difficult to integrate with existing investments
• Not enterprise-grade
[Figure: traditional Hadoop stack. Application; Batch Processing (MapReduce); Storage (HDFS).]
Security in HDP Making Hadoop Enterprise Ready
Hadoop exacerbates the security challenge
New Security Requirements
• Provide consistent and granular access control to data for each application on top of Hadoop
• Enable complete & comprehensive definition and application of policy across all the different access types
• Must retain privacy and security despite ability to infer knowledge from co-existing & unstructured data
[Figure: HDP data architecture. Sources: existing systems (ERP, CRM, SCM), clickstream, web & social, geolocation, sensor & machine, server logs, unstructured. Platform: HDFS (Hadoop Distributed File System) and YARN: Data Operating System (interactive, real-time, batch, partner ISV), alongside EDW and MPP. Analytics: data marts, business analytics, visualization & dashboards, applications.]
HDP Security: comprehensive, complete and simple
Security in HDP is comprehensive and complete for Hadoop
• Administration: Central management & consistent security
• Authentication: Authenticate users and systems
• Authorization: Provision access to data
• Audit: Maintain a record of data access
• Data Protection: Protect data at rest and in motion

• HDP ensures comprehensive enforcement of security policy across the entire Hadoop stack
• HDP provides functionality across the complete set of security requirements
• HDP is the only solution to provide a single simple interface for security policy definition and maintenance
HDP Security: comprehensive, complete and simple
In order to protect any data system you must implement the following:
Administration: Central management & consistent security
• Only HDP delivers a single administrative console to set policy across the entire cluster
• Apache Ranger, Centrify
Authentication: Authenticate users and systems
• Integrate with existing AD and LDAP authentication for perimeter and project access
• Apache Knox, Native Kerberos, Centrify
Authorization: Provision access to data
• Work within all Apache projects to provide consistent authorization controls
• Apache Ranger, Centrify
Audit: Maintain a record of data access
• Maintain a record of events across all components that is consistent and accessible
• Apache Ranger, Centrify
Data Protection: Protect data at rest and in motion
• Wire and storage encryption in Hadoop. Refer to partner encryption solutions for more advanced needs
• HDFS, Partner Encryption
Agenda
• Introduction
• IAM Challenges
• Centrify Solution
• Demo
• Case Study
Centrify: Unified Identity Management
[Figure: Active Directory identity extended through Centrify software and cloud service to cloud (IaaS & PaaS), cloud (SaaS), mobile, data center servers, data center apps and desktops.]
Centrify: Summary
Addressing two major IT challenges: the shift to cloud and mobile and security as the perimeter dissolves
Unique portfolio that unifies identity across cloud, mobile and data center — for end users and privileged users
11 year enterprise security company with over 450 personnel, global sales and support
Trusted technology with 5,000+ customers – ~50% of Fortune 50 – and 97% retention rate
Strategic alliances with Microsoft, Apple, AVG and Samsung; 250+ reseller partners
Our largest customers are using Centrify IAM for Hadoop
Sectors: Automotive & Energy; Technology & Telecom; Retail & Internet; Banking & Finance; Pharma & Health; Defense & Government
• 3 Pharma Companies
• 2 Energy Companies
• 14 Worldwide Telcos & Technology
• 4 U.S. Retailers
• 2 Major U.S. Federal Agencies
• 15 Financial Services Companies
1. Leverage Existing Identity Infrastructure
• Most Enterprises have Active Directory and want to leverage it for Hadoop Deployments
• Hadoop has rapidly evolving Applications; Enterprises want a consistent IAM mechanism across all the Applications
2. Regulatory compliance
Hadoop concentrates data from across the business, making it a high value target
Most will be required to meet one or more regulations
• PCI-DSS
• Sarbanes Oxley
• HIPAA
• FISMA
• FERC NERC
• Monetary Authority of Singapore
3. IT Management
• IT staff should have access to manage Hadoop clusters in Production
• IT require privileges to manage Hadoop
• IT don’t need access to the data (PCI DSS)
Centrify IAM for Hadoop
1. AD-based IAM for Hadoop environments
2. Role-based privilege management
3. Session auditing for regulatory compliance
Securing & simplifying Hadoop by using enterprise-grade identity & access management
1. AD-based IAM for Hadoop environments
• Integrate Hadoop into enterprise-grade AD
• Simplify AD integration for multiple Hadoop clusters
• Give IT and end users a single Active Directory login
• SSO user access via Kerberized SSH, Web
• SSO for other Applications – via Standards Based PAM/NSS, LDAP, SAML, Kerberos or Plugins
[Figure: PuTTY (Kerberized ssh), WinSCP (Kerberized scp) and browser access to production/departmental clusters.]
2. Role-based privilege management
Help Enforce least-privilege for access
• Centralized role-based privilege management
• Eliminate use of root privileges for all but break glass scenarios
• Per command privilege elevation or whitelisted restricted shell
• Example Roles
  • Data Scientist – read / write access to their scripts
  • IT Admins – limited privileges to manage config files and restart services
  • Hadoop Admins – grants privileges of ambari, hdfs account
[Figure: network monitoring, privileged access security and perimeter firewall around data center servers, cloud (IaaS & PaaS) and desktops; account labels: root, local, Oracle, domain.]
3. Session auditing for regulatory compliance
Fully audited user access to Hadoop clusters
• Satisfies regulatory mandates including PCI, HIPAA & SOX
• Record user session activity
• Centralized audit stores for session recordings
• Ensure accountability through correlated activity across the cluster
[Figure: network monitoring, privileged access security and perimeter firewall around data center servers; labels: Report and Reply, Privileged Sessions.]
Hortonworks and Centrify – Better Together
Access
PROVIDES
• Integration w/ LDAP
• Kerberises Service Accounts
• Simple Management per Cluster
EXTENDS
• LDAP to Complex AD Environments
• Kerberos for User Access
• Delegated Management for Multiple Clusters
Auth
PROVIDES
• Data Level Access Control
• LDAP lookup for Users / Groups
EXTENDS
• Role-based Access Controls to OS
• LDAP to Complex AD Environments
Audit
PROVIDES
• Captures all Activity inside Hadoop
EXTENDS
• Session Monitoring and Recording at OS Level
Centrify IAM for Big Data Customer Case Study
Problem
• Require secure access to Hadoop & AD is the company standard for user identity management
• Compliance required for SOX
• Privileged access visibility is required for regulatory compliance
Solution
• Centrify Server Suite (CSS): Enterprise Edition
• Integrates Hadoop into AD for identity, access and privilege management
• Least privilege access to sensitive data & session recording
Benefit
• Leveraged existing investment, tools, process and skillsets with Active Directory
• Addressed SOX compliance requirements
• Improved visibility of access, entitlements and activity
Resources & Next Steps
More info
• http://www.centrify.com/solutions/data-center/big-data-security/
• http://www.centrify.com/products/centrify-server-suite.asp
Request a trial
• http://www.centrify.com/free-trial
Chalktalks, webinars, whitepapers and collateral
• http://www.centrify.com/resources
Cautionary Statement Regarding Forward-Looking Statements
This presentation contains forward-looking statements involving risks and uncertainties. Such forward-looking statements in this presentation generally relate to future events, our ability to increase the number of support subscription customers, the growth in usage of the Hadoop framework, our ability to innovate and develop the various open source projects that will enhance the capabilities of the Hortonworks Data Platform, anticipated customer benefits and general business outlook. In some cases, you can identify forward-looking statements because they contain words such as “may,” “will,” “should,” “expects,” “plans,” “anticipates,” “could,” “intends,” “target,” “projects,” “contemplates,” “believes,” “estimates,” “predicts,” “potential” or “continue” or similar terms or expressions that concern our expectations, strategy, plans or intentions. You should not rely upon forward-looking statements as predictions of future events. We have based the forward-looking statements contained in this presentation primarily on our current expectations and projections about future events and trends that we believe may affect our business, financial condition and prospects. We cannot assure you that the results, events and circumstances reflected in the forward-looking statements will be achieved or occur, and actual results, events, or circumstances could differ materially from those described in the forward-looking statements. The forward-looking statements made in this prospectus relate only to events as of the date on which the statements are made and we undertake no obligation to update any of the information in this presentation.
Trademarks
Hortonworks is a trademark of Hortonworks, Inc. in the United States and other jurisdictions. Other names used herein may be trademarks of their respective owners.