Big Data Big Deal 012717
DATA SECURITY & PRIVACY FOR BIG DATA
1/27/17
“A ship in port is safe; but that is not what ships are built for.
Sail out to sea and do new things” – Grace Hopper
2 IBM Security
Agenda
• Introduction
• Mega Trends
• Security & Privacy considerations
• Architecture, Technical controls, best practices
• Wrap up
Short History Lesson
Big Data Grows Up
Client Challenges: Megatrends
1 Forrester Research: “Understand The State Of Data Security And Privacy: 2014 To 2015”
Digital Convergence: IoT, Analytics, Big Data, Cognitive, Cloud
Analytics that Learn
A Data Lake is a Data Scientist’s Dream!
Why is Big Data different?
* http://www.techrepublic.com/article/cios-still-dont-care-about-hadoop-data-security/
Cool or Creepy?
http://www.zdnet.com/pictures/nine-warning-signs-that-your-technology-needs-an-upgrade/2/
EU GDPR will change the Analytics and Cognitive Landscape
Initial / exploratory use cases: Few security or privacy concerns
Used for business decisions: Protect, Secure, Encrypt
Privacy is the ‘Why’ and ‘What’…
Security is the ‘How’
PI, PII, PHI, NPI... What is ‘Personal’? It Depends
How unique are you?
• Dr. Latanya Sweeney (Harvard, FTC Chief Technologist): a 1997 study of uniqueness using US Census data predicted that 87 percent of the U.S. population had unique combinations of just date of birth, gender, and zip code
• Try it yourself here: http://aboutmyinfo.org
• An additional study on the Personal Genome Project identified 84-97% of records, also using demographics plus data mining (http://dataprivacylab.org/projects/pgp/1021-1.pdf)
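The uniqueness measurement behind these studies can be run against any dataset before it lands in a data lake. The following is an added example, not part of the original slides; the records are constructed, and the generalization rule (year of birth, 3-digit zip prefix) is an assumption chosen for illustration.

```python
from collections import Counter

# Constructed sample records (not real people): (date_of_birth, gender, zip)
RECORDS = [
    ("1975-03-14", "F", "02138"),
    ("1975-03-14", "F", "02139"),
    ("1975-08-02", "F", "02138"),
    ("1975-11-30", "F", "02139"),
    ("1982-01-09", "M", "02139"),
    ("1982-06-21", "M", "02134"),
    ("1982-06-21", "M", "02134"),
    ("1982-12-25", "M", "02140"),
]

def exact(rec):
    """Quasi-identifier as stored: full date of birth, gender, 5-digit zip."""
    return rec

def generalized(rec):
    """Coarsened quasi-identifier: year of birth, gender, 3-digit zip prefix."""
    dob, gender, zip_code = rec
    return (dob[:4], gender, zip_code[:3])

def uniqueness(records, key=exact):
    """Return (fraction of records unique on the key, smallest group size k)."""
    groups = Counter(key(r) for r in records)
    unique = sum(1 for r in records if groups[key(r)] == 1)
    return unique / len(records), min(groups.values())

def at_risk(records, k, key=exact):
    """Records whose quasi-identifier group has fewer than k members."""
    groups = Counter(key(r) for r in records)
    return [r for r in records if groups[key(r)] < k]

if __name__ == "__main__":
    print("exact:      ", uniqueness(RECORDS))
    print("generalized:", uniqueness(RECORDS, generalized))
    print("below k=2:  ", at_risk(RECORDS, 2))
```

A dataset with no names in it can still have most rows unique on these three fields; coarsening the fields raises the smallest group size at the cost of analytic precision.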
Location Location Location
Questions to ask
5 steps to a Critical Data Protection Program
Where Next? Data Classification
Explosive
Toxic
Architecture, Technical Controls, Best Practices
Security is Security.. Same Disciplines apply… BUT..
Global Threat Intelligence
Antivirus
Endpoint patching and management
Malware protection
Incident and threat management
Transaction protection
Firewalls
Device management
Sandboxing
Content security
Virtual patching
Network visibility
Big Data Technical Components
A Hadoop Security Architecture
http://www.hadoopsphere.com/2013/01/security-architecture-for-apache-hadoop.html
Monitoring and auditing challenges
• Security and authentication is evolving
Data Security and Privacy Core Disciplines
• Classify Assets & Quantify risk.
• Redact/encrypt/mask sensitive data in all environments
• Monitor and enforce; Review policy exceptions
Security Controls for Privacy
Manage Access: Enforce Separation of duties, Safeguard privileged user access, Applications, and devices
Protect Data: Identify vulnerabilities, Prevent attacks targeting sensitive data
Gain Visibility: Monitor data and applications: Security breaches, Compliance violations
• Data Encryption, Masking, Redaction
• Identity Governance
• Security Information and Event Monitoring
• Security Intelligence
• Privileged Identity Management
• Real-time alerting and blocking
• Data and File Activity Monitoring
• Mobile Data Management
• Cloud access and risk assessment
• Application and Mobile App Scanning
• Privacy Program Management
• Security & Privacy Risk and Performance Metrics
Utilize real-time data activity monitoring for privacy, security & compliance
Continuous, policy-based, real-time monitoring of all data traffic activities, including actions by privileged users
Data Repositories (databases, warehouses, file shares, Big Data)
Centralize compliance reporting
Data protection compliance automation
Real-time alerting
Monitoring Appliance
Key Requirements
Sample reports: Activity Monitoring Report, Privileged User Activity Report
Data Obfuscation Controls
Original Value: 4536 6382 9896 5200
Masking
The ability to desensitize sensitive information and make it unreadable from its original form while preserving its format and referential integrity
It is a one-way algorithm, i.e. no unmasking of data
SDM – Static Data Masking
DDM – Dynamic Data Masking
Masked Value: 4212 5454 6565 7780
Redaction
The process of obscuring part of a text for security purposes.
The ability to replace real data with substitute characters like (*)
Redacted Value: 4536 6382 **** ****
Tokenization
The process of substituting a “token” which can be mapped to the original value
Token is a non-sensitive equivalent which has no extrinsic value
Must maintain a mapping between the tokens and the original values
Encryption
The process of encoding data in such a way that only authorized individuals can read it by decrypting the encoded data with a key
Format Preserving Encryption (FPE) is a special form of encryption
Encryption can provide Safe Harbor protection from breach disclosure in many states (consult your compliance team for details)
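The difference between redaction, one-way masking and reversible tokenization, shown on the slide's own sample value. This is an added example, not code from the original slides or from any IBM product; the key, the HMAC-based masking scheme and the `TokenVault` class are assumptions made for illustration, and encryption is left out because it would need a cryptography library.

```python
import hashlib
import hmac
import secrets

ORIGINAL = "4536 6382 9896 5200"     # sample value from the slide
MASK_KEY = b"constructed-demo-key"   # assumption: held in a key manager in practice

def redact(value, visible=8):
    """Redaction: replace every digit after the first `visible` with '*'."""
    out, seen = [], 0
    for ch in value:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen <= visible else "*")
        else:
            out.append(ch)
    return "".join(out)

def mask(value, key=MASK_KEY):
    """Masking: one-way and format-preserving. The same input always yields the
    same output, so joins across masked tables still line up. Handles up to 32
    digits; the small modulo bias is acceptable for a demonstration."""
    digits = "".join(c for c in value if c.isdigit())
    stream = hmac.new(key, digits.encode(), hashlib.sha256).digest()
    sub = iter(str(b % 10) for b in stream)
    return "".join(next(sub) if c.isdigit() else c for c in value)

class TokenVault:
    """Tokenization: a random token plus a stored mapping back to the value."""
    def __init__(self):
        self._to_token, self._to_value = {}, {}

    def tokenize(self, value):
        if value not in self._to_token:
            token = "tok_" + secrets.token_hex(8)
            self._to_token[value] = token
            self._to_value[token] = value
        return self._to_token[value]

    def detokenize(self, token):
        return self._to_value[token]

if __name__ == "__main__":
    vault = TokenVault()
    print(redact(ORIGINAL), mask(ORIGINAL), vault.tokenize(ORIGINAL))
```

The vault is the only component that can return the original value, which is why it needs the same access control and auditing as the data it replaces.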
Implement Data protection for your database, HADOOP, and file system environments
• Look for high performance encryption, access control and auditing
  - Data privacy for both online and backup environments
  - Unified policy and key management for centralized administration across multiple data servers
• Look for transparency to users, databases, applications, storage
  - No coding or changes to existing IT infrastructure
  - Protect data in any storage environment
  - User access to data same as before
• Look for centralized administration and Separation of Duties
  - Policy and Key management
  - Audit logs
  - High Availability
Identity and Access Management helps secure the digital identities for an open enterprise: Big and ‘Little’ Data
Datacenter Web Social Mobile Cloud
Directory Services
Business policies
Big Data
[Diagram: (2) Sensitive data discovery; (3) Masking: masked databases, masked files, Hadoop MapReduce masking; (4) Activity Monitoring: monitor & audit Big Data access (HDFS, Hive, HBase, MapReduce, HUE, etc.)]
Components and Capability
1 Information Catalogue: Define privacy policies and share
2 Sensitive Data Discovery: Discover and classify sensitive data
3 Masking and Redaction: Data masking and document redaction
4 Hadoop Activity Monitoring (HAM): Monitor and audit Big Data (Hadoop) activity
Best Practices: Build the foundation
Wrap Up
Key messages for sound public policy
- Accommodate diversity
Summary: Keys to Success
THANK YOU
www.ibm.com/security
© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any
statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International
Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper
access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be
considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful,
comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products
or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.
Resources
A recommended approach for Big Data:
Activity Monitoring