
(1)

Protect Your Digital Enterprise

Nicholas Hsiao, HPE SW PreSales Manager

3/08/2016

(2)

How … Protect your digital enterprise

Proactively protect the interactions between users, applications and data across any location or device

(3)

Challenges…

1. Nature and motivation of attacks (fame to fortune, market adversary)
2. Transformation of enterprise IT (delivery and consumption changes)
3. Compliance pressures (increasing cost and complexity)

A new market adversary. Attack life cycle: Research, Infiltration, Discovery, Capture, Exfiltration

Big shifts: Cloud, Big data, Mobile

(4)

Attack Life Cycle

• Research: potential targets
• Infiltration: phishing attack and malware
• Discovery: mapping breached environment
• Capture: obtain data
• Exfiltration/Damage: exfiltrate/destroy stolen data
• Monetization: data sold on black market

HP capabilities

• Threat Intelligence: HP Security Research
• Detect Adversary: HP ArcSight
• Block Adversary: HP TippingPoint, HP Fortify
• Protect Data: HP Data Security (Atalla/Voltage)

(5)

The waves of data are here…

Data yesterday:
• Known volumes
• Well defined
• Easy to control
• (Thought to be) well-managed

Data in today’s enterprise:
• Runaway volume and velocity growth
• Ill-defined variety
• Hard to control
• (Almost) unmanageable

Data stores, data flows, data analysis

(6)

© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

The growth in data is outpacing the ability to adequately protect it

(7)

99% of breaches are about the data

(8)

Data Breaches – wider & growing #’s affected

(9)

HP Enterprise Secure Key Manager, HP Stateless Key Management

Complete key management support from infrastructure to the application level

HP Atalla Network Security Processor

Leading payments security product - also known as Atalla Payments HSM

HP Atalla Information Protection and Control

Lifecycle security classification & protection for unstructured sensitive enterprise data

HP SecureMail

Policy based enterprise-wide email encryption for employees, customers, & mobile users

HP SecureData Web

Uses unique HP Page-Integrated Encryption (PIE) to secure sensitive browser data

HP SecureData for Hadoop

Enables protection of sensitive data in use with Hadoop and big data technologies

HP SecureData Enterprise, HP SecureData Payments, HP Secure Stateless Tokenization

Protects sensitive data end-to-end, from moment of capture across information lifecycle

HP Cloud Access Security protection platform, HP SecureData Enterprise

Robust cloud data security & governance – Adallom, a Cloud Access Security Broker (CASB)

Solutions for data security, ATM PIN, EMV, Payments transaction security, Key Management, Enterprise, Collaboration, Cloud, e-commerce, and digital signature

(10)

HP Data Security provides comprehensive data protection:

• PCI/compliance/scope reduction
• Data privacy
• Collaboration security for users, cloud apps, and data interactions

(11)

PCI/Compliance/Scope Reduction

• HP SecureData Payments
• HP SecureData Web

(12)

PCI/compliance/scope reduction, addressed by: HP SecureData Payments & HP SecureData Web, and the Atalla Network Security Processor (Payments HSM)

Use cases:
• Tokenization for retailers and financial services providers to reduce PCI scope
• Point-to-point encryption for retailers to address POS malware threats
• Point-to-point and secure e-commerce for payment services providers to offer as a service
• PIN debit protection and secure payments processing with FIPS and PCI compliant HSMs for banks and processors

Industries: Airlines | Banks | E-commerce giants | Big box retailers | Payment service providers | Healthcare | Governments

Technologies include:
• HP Secure Stateless Tokenization (SST)
• HP Format Preserving Encryption (FPE)
• HP Page Integrated Encryption (PIE)
• Atalla Key Block (AKB)

(13)
(14)

Card Data Risks in the Payments Ecosystem

• POS malware risk
• Insider risk
• Server malware risk
• Network sniffing
• Skimming risk

(15)

End-to-end encryption & tokenization neutralize breach risks

• Upstream: end-to-end encrypt data, remove live data
• Downstream: tokenize data back, remove live data
• Encrypt/tokenize in the acquirer or internal enterprise systems

(16)

Field level, format-preserving, reversible data de-identification

Customizable to granular requirements:

Field        Original              Full                   Partial
Credit card  1234 5678 8765 4321   8736 5533 4678 9453    1234 5681 5310 4321
SSN/ID       934-72-2356           347-98-8309            634-34-2356
Email        [email protected]       [email protected]        [email protected]
DOB          31-07-1966            20-05-1972             20-05-1972
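The "Full" and "Partial" columns above rest on one property: a keyed, reversible mapping over only the digit positions, which keeps separators, length and any leading/trailing digits the policy exposes. The following example is mine, not HP SecureData or Voltage FPE code: it implements that property with a small HMAC-based Feistel network over the digit string (a teaching construction, not NIST FF1, and it does not keep a date field like DOB inside a valid calendar range, which needs a range-aware variant). The key and sample values are constructed.

```python
import hashlib
import hmac

ROUNDS = 8  # Feistel rounds for this demonstration; not a standardised FPE mode such as FF1

def _round_fn(key: bytes, round_no: int, other_half: int, width: int) -> int:
    # Keyed PRF: HMAC-SHA256 over the round number and the other half, cut to `width` digits.
    digest = hmac.new(key, f"{round_no}:{other_half}".encode(), hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (10 ** width)

def _feistel_digits(key: bytes, digits: str, decrypt: bool = False) -> str:
    # Reversible keyed permutation of a decimal string that keeps its length:
    # split into two halves and, per round, add (or subtract when decrypting)
    # the round function of one half into the other, modulo 10^len(half).
    n = len(digits)
    if n < 2:
        raise ValueError("need at least two digits to transform")
    la, lb = n // 2, n - n // 2
    a, b = int(digits[:la]), int(digits[la:])
    sign = -1 if decrypt else 1
    for i in (reversed(range(ROUNDS)) if decrypt else range(ROUNDS)):
        if i % 2 == 0:
            a = (a + sign * _round_fn(key, i, b, la)) % 10 ** la
        else:
            b = (b + sign * _round_fn(key, i, a, lb)) % 10 ** lb
    return f"{a:0{la}d}{b:0{lb}d}"

def protect(key: bytes, value: str, keep_prefix: int = 0, keep_suffix: int = 0,
            decrypt: bool = False) -> str:
    # De-identify (or restore) the digits of `value`. Separators such as spaces
    # and dashes, plus the first `keep_prefix` and last `keep_suffix` digits,
    # stay in the clear, so the output keeps the original format and length.
    positions = [i for i, ch in enumerate(value) if ch.isdigit()]
    inner = positions[keep_prefix:len(positions) - keep_suffix]
    out = list(value)
    for pos, digit in zip(inner, _feistel_digits(key, "".join(value[i] for i in inner), decrypt)):
        out[pos] = digit
    return "".join(out)

def restore(key: bytes, value: str, keep_prefix: int = 0, keep_suffix: int = 0) -> str:
    return protect(key, value, keep_prefix, keep_suffix, decrypt=True)

if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; a real deployment takes keys from a key manager
    card = "1234 5678 8765 4321"   # sample card number from the slide
    token = protect(key, card, keep_prefix=4, keep_suffix=4)
    print(card, "->", token, "->", restore(key, token, 4, 4))
```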

(17)

A familiar example: paying by credit card – a threat and risk view

Components in the payment path: Secure payment card readers | Point of Sale (POS) | Retail store IT | Authorization gateway | Merchant acquirer | Issuing bank & merchant banks

Risks shown against these stages:
• Pre-card read skimming
• Fake readers
• POS and server malware
• Memory scrapers
• Insiders (at several stages)
• Outsourced operations
• Server malware (at several stages)

(18)

Securing credit card payments with data-centric security

Payment flow: payment capture in store, payment authorization, card networks, settlement processes, analytics, reports & backups, customer service applications

• Data secured at capture for transport to payment host
• Data decrypted, tokenized for use in analytics. No live data stored using SST technology.
• Customer service apps can use tokenized data – reduce insider risk

PAN: 7412 3456 7890 0000. Values shown in place of the PAN in the downstream systems: 7412 8724 9002 0000 and 7412 3487 8346 0000 (the latter repeated across the settlement, analytics and customer service paths)

(19)

We protect the world’s information

• Your telco’s information about your account
• Banks’ data about your finances and accounts
• Your interactions with SaaS applications
• Your customers’ data
• Your organizational data
• Your private email to and from your smartphone
• Your credit rating information
• Your email correspondence
• Health records your care provider manages for you

(20)

Data De-identification and Privacy

• HP SecureData for Hadoop
• HP SecureData Enterprise
• HP Enterprise Secure Key Manager – ESKM

(21)

What’s the problem?

Have you ever seen someone re-packing their suitcase at the airport? What does that have to do with how encryption is commonly implemented?

Most applications use information that is otherwise stored encrypted completely in

(22)

HP SecureData for Hadoop

• Traditional techniques are insufficient to protect sensitive data in Hadoop from new, advanced threats
  − Data-at-rest protection does not secure data in analytics or in motion
  − Leaves major compliance and exploitable security gaps
• A data-centric security strategy, complementary to Hadoop security options
  − Enables data to be protected from advanced threats – always-on protection of data wherever it's stored, used or moved
  − Enables data de-identification in test, development, and analytics
  − Enables Hadoop deployment without compliance and insider risks
  − Can cut risk compliance costs by as much as 90%

(23)

Data de-identification and privacy, addressed by: HP SecureData for Enterprise & Hadoop + the HP Enterprise Secure Key Manager

Use cases:
• Enabling Hadoop-centric unified data architecture and EDW (Enterprise Data Warehouse) 2.0
• Removing risk barriers to Hadoop projects
• Streamlined data security compliance for wholesale data across the enterprise
• Automation of enterprise key management for data at rest with separation of controls for compliance

Industries: Gaming | Manufacturers | Credit monitoring companies | Credit card brands | Supermarket chains | Health insurance companies | Carriers & telcos | Human capital consultants

Technologies include:
• HP Format Preserving Encryption (FPE)
• Stateless Key Management
• Smart Array Controller Encryption

(24)

HP SecureData for Hadoop use cases

• Global Telecommunication Company
  − Need to analyze massive customer data, social media and communications feeds for patterns of behavior to detect fraud and enhance customer service
  − HP Format-Preserving Encryption (FPE) deployed to de-identify sensitive data for several hundred million customer records from Teradata and IBM mainframes. Data ingested into Hadoop > 90 secs
• Health Care Insurance Company
  − Need to open massive, untapped data to their Hadoop developers to enable research and innovation through developer hackathons
  − Need to automate identification of prescription fraud previously hampered by manual processes
  − HP FPE enabled field-level de-identification of sensitive ePHI and PII data across a 1000-node distribution
• Global Financial Services Company
  − Adopt Hadoop to improve fraud detection capabilities and analyze hundreds of millions of customer transaction patterns
  − HP FPE de-identifies data during ETL ingestion with Informatica, enabling secure analytics across data fields containing sensitive data without exposing live data

(25)

HP SecureData – Data Security Platform

Management: HP SecureData Management Console; authentication & authorization sources (e.g. Active Directory); HSM

APIs and integrations: HP SecureData Web Services API; HP SecureData native APIs (C, Java, C#, .NET); HP SecureData command lines & automated file parsers; HP SecureData z/Protect, z/FPE; HP SecureData native UDFs; partner integrations; SaaS & PaaS cloud apps

Policy controlled data protection and masking services & clients: payment terminals; volume key management; production databases; mainframe applications & databases; 3rd party applications; Teradata, Hadoop & Vertica; ETL & data integration suites; network interceptors; payment systems

Business applications, data stores and processes: HP NonStop applications & databases; web/cloud applications (AWS, Azure); enterprise applications; volumes and storage; 3rd party SaaS gateways

(26)

HP Enterprise Secure Key Manager – (ESKM)

Unified key management for the enterprise: an ESKM 4.0 cluster serving

• Any OASIS KMIP compliant clients (free client SDK)
• StoreFabric SAN encryption
• StoreEver ESL G3, MSL6480, MSL G3s
• HP Secure Encryption on HP ProLiant Servers
• NonStop volume level encryption
• BackBox® virtual tape
• XP7, P9500, 3PAR
• HP Helion

(27)

From real deployments: HP ESKM use case examples

• Organizations have sensitive customer/employee records
• Organized attacks, mistakes, and data breaches with loss of unencrypted data
• Regulations and internal risk mgmt mandate controls
• PCI DSS, HIPAA, and privacy laws drive data-at-rest encryption
• Controls for encryption keys are required, less reliance on expensive self-encrypting drives
• Easily redeploy servers from sensitive to more operational areas – without having to deal with special cases – shred keys and re-write
• Crushing disks is painful, as is planning upgrades with limitations
• Sensitive data in remote offices without the right controls, e.g., branches
• Key management today is a business-critical enterprise IT service

Protect your critical keys, ensure and control access, and ease audit/compliance

(28)

Collaboration Security

• HP Atalla Information Protection & Control
• Cloud Access Security Protection – Adallom
• HP SecureMail

(29)

Collaboration security, addressed by: HP SecureMail, HP Atalla IPC, and HP Cloud Access Security Protection with Adallom

Use cases:
• Replacement of failed and legacy email encryption with something streamlined and more scalable to protect PII and PHI
• Classification of sensitive data with context and persistent protection from the point of creation – enhance the value of DLP projects
• Protection for SaaS usage with effective visibility, governance and control over cloud usage in the enterprise

Industries: Car rentals | Insurers | International banks | Payroll processors | Governments | Manufacturers

Technologies include:
• HP Identity Based Encryption (IBE)
• Adallom SmartEngine
• Adallom Labs and HP Security Research

(30)

HP Identity Based Encryption (IBE)

(31)

Cloud Access Security Protection Platform - Adallom

• Visibility: gain complete context into users, data, devices, activities, access
• Governance: implement policies for access, activities and data sharing
• Protection: address risky activities, suspicious behaviors and threats

Integrates with multiple cloud applications; works with any user, network, any device (managed & unmanaged); secures data at rest and data in motion

(32)

Cloud Access Security Broker use cases

• Discovery – discovery of unsanctioned services (Shadow IT) in an org
• Data sharing & control in the cloud – monitor file sharing trend and management. Control what can and cannot be shared
• Activity and access management – monitors users and activity (access for unmanaged devices)
• Threat detection and risks – 3rd party attacks, velocity alerts, suspicious location access

(33)

HP SecureMail

– Simple, native user experience – just like regular email
  − Outlook, iPhone, iPad, Android, Blackberry, Web …
– HP Stateless Key Management Architecture
  − No key or message stores to manage
  − Low operational and infrastructure costs
– Single HP IBE solution for all use cases
  − Internal and external protection and compliance
  − Single technology (IBE, 100% push, message format)
– Outlook, Exchange, Windows AD support
  − Global address list, distribution lists, contacts
  − AD authentication, AD groups
– The world’s most popular email encryption solution
  − It just works

(34)

Full umbrella of data protection use cases: HP Atalla & HP Security Voltage

PCI/compliance/scope reduction
• Atalla HSMs: payments applications, EMV, mobile, customizations and compliance in FIPS Level 3+ appliances
• HP SecureData: reduce PCI costs up to 90% with P2P encryption; combine HP Secure Stateless Tokenization (SST) with HP Page-Integrated Encryption (PIE) for complete ecommerce protection

Data de-identification and privacy
• HP Enterprise Secure Key Manager: secure server, storage infrastructure and cloud environments with KMIP enterprise key management against losses, mishandling, administrative and operational attacks
• HP SecureData: secure sensitive data while enabling business process with HP Format-Preserving Encryption (FPE); enable analytics on sensitive data for Hadoop/Big Data; protect test data

Collaboration security
• HP Atalla IPC: automatic enterprise data classification
• Cloud Access Security Protection (Adallom): flexible architecture for visibility, governance and control for SaaS protection
• HP SecureMail and HP SecureData: email security without PKI complexity using HP Identity-Based Encryption (IBE); protect sensitive PII and PHI throughout the enterprise and cloud

(35)

Q & A

Contact information

(36)

Thank you

Contact information
