Introduction to HPE SecureData

Transcript of Introduction to HPE SecureData

Page 1: Introduction to HPE SecureData
HPE Security – Data Security
Month day, year

Page 2: My story
– Daniel Clift
– Solution Architect – HPE Data Security
– [email protected]
– +44 (0) 7789 633 572
– https://www.linkedin.com/in/danielclift

Page 3: Hewlett Packard Enterprise: Protect your digital enterprise
– Transform to a hybrid infrastructure
– Enable workplace productivity
– Protect your digital enterprise
– Empower the data-driven organization

Proactively protect the interactions between users, applications and data across any location or device.

Page 4: HPE SecureData framework
– Use cases: PCI / compliance / scope reduction; data de-identification and privacy; collaboration security
– Environments: Mobile | Cloud | Enterprise | Payments | Big Data | Physical environments
– Products: HPE SecureMail | HPE SecureData
– Policy control: data security policy control
– Standards foundation: new data security standards – ANSI | NIST | IEEE | IETF
– Innovative architecture: stateless architecture – HPE IBE | HPE Stateless Key Management
– Breakthrough technologies: data-centric security technology – HPE FPE | HPE SST | HPE PIE

Page 5: Structured and unstructured data

Page 6: Use cases: Data de-identification

Top global telecom
– Need: Compliance with PCI, HIPAA, State Privacy Laws
– For: 550 apps, 26 data elements, Mainframe, Teradata, Windows, Unix
– Without HPE SecureData: Attempts to protect data in each app and db resulted in high costs
– With HPE SecureData: Data-centric security using HPE FPE applied to hundreds of apps & dbs

Branch of the US Military
– Need: Advance medical research by sharing de-identified patient data / HIPAA
– For: 100TB of sensitive data, Informatica ETL
– Without HPE SecureData: No sharing of data outside the organization
– With HPE SecureData: HPE FPE used to mask data, while allowing reversibility when needed

Global credit card brand
– Need: Developing new European payments platform, reduce PCI costs – outsourced IT
– For: Mobile Wallets solution securely enabled with identity and payment services
– Without HPE SecureData: Deploy cumbersome and non-scalable database driven tokenization
– With HPE SecureData: Enable secure scaling of up to 2 billion cardholders in EU

Page 7: HPE SecureData Technologies

Page 8: Multiple solutions with multiple security gaps

[Figure: data security coverage of traditional IT infrastructure security, layer by layer. Controls: disk encryption, database encryption, SSL/TLS/firewalls, authentication management. Layers: storage, file systems, databases, middleware/network, data & applications, data ecosystem. Threats to data: malware, insiders, SQL injection, traffic interceptors, credential compromise. Each control covers only its own layer, leaving security gaps between the layers.]

Page 9: Attack Trends vs. Protection Strategy Effectiveness

Traditional infrastructure-level protection:
• Disk, file
• Data at rest only

Data-centric security:
• Fields & objects
• Any databases, any data, anywhere
• Data in use, in motion, and at rest

Graph source: Verizon Data Breach Report 2014

Data-centric security protects data over its lifecycle against broad threats. Data-at-rest-only solutions protect only against physical threats.

© Voltage Security, Inc. 2014

Page 10: Problems with Traditional Data Security Solutions
– Need to change data structures & applications
– Fully encrypted data is unusable until decrypted
– Key management can be a nightmare
– Requires multiple, piecemeal solutions which create multiple security gaps

Page 11: HPE SecureData provides this protection

[Figure: the same layer diagram as Page 8 (controls: disk encryption, database encryption, SSL/TLS/firewalls, authentication management; layers: storage, file systems, databases, middleware/network, data & applications, data ecosystem; threats: malware, insiders, SQL injection, traffic interceptors, credential compromise; security gaps between the layers), with HPE SecureData data-centric security drawn as a single end-to-end protection band spanning every layer.]

Page 12: HP SecureData Critical Differentiators

Problem with traditional solutions | HPE SecureData differentiator
Requires multiple, piecemeal solutions which create multiple security gaps | Largest platform support: z/OS, UNIX variants, Windows, Tandem, etc.
Need to change data structures & applications | Protected data has the same schema: no DB and minimized code changes
Fully encrypted data is unusable until decrypted | Column and sub-column encryption: data is usable in a protected state
Key management can be a nightmare | Stateless key management: simplest process and no data loss

Page 13: HPE Format-Preserving Encryption (FPE)
– Standard, proven HPE Format-Preserving Encryption mode of AES (NIST SP800-38G draft standard)
– High performance, minimal impact
– Encrypt at capture, data stays protected, most apps can run using protected data
– Fits into existing systems, protocols, schemas – any data (name, address, dates, numbers)
– Preserves referential integrity

[Figure: the same record under regular AES-CBC mode and under FPE (AES-FF1 mode).]
Original: Tax ID 934-72-2356; First Name: Gunther; Last Name: Robertson; SSN: 934-72-2356; DOB: 08-07-1966
Regular AES-CBC mode: 8juYE%Uks&dDFa2345^WFLERG; Ija&3k24kQotugDF2390^32 0OWioNu2(*872weW Oiuqwriuweuwr%oIUOw1@
FPE, AES-FF1 mode: Tax ID 253-67-2356; First Name: Uywjlqo; Last Name: Muwruwwbp; SSN: 253-67-2356; DOB: 01-02-1972

Page 14: Format-preserving encryption: standards and leadership
– The use of standards-based cryptography is essential
− Open standards are vendor agnostic and remove risks
− Non-standard and unpublished crypto has security and liability implications
− E.g. organizations cannot claim safe harbor exceptions in case of a breach
– Format-Preserving Encryption (NIST SP800-38G)
− HPE Security – Data Security invented the FFX mode of FPE standardized by NIST
− HPE Security – Data Security patents cover all modes of FFX

Page 15: HP Secure Stateless Tokenization (SST)
– PCI DSS QSAs recommend tokenization to protect cardholder data at rest
– PCI scope reduction simplifies compliance and reduces costs
– Traditional tokenization technologies:
− Utilize database based “token vaults”
− Issues with scalability, performance and disaster recovery
− Introduce token collisions
− Require backup per transaction

[Figure: token vaults, each row storing the encrypted original data next to its token.]

Page 16: Traditional Tokenization

[Figure: calling applications submit PAN 4040-1111-1111-1111 to token vaults, each fed by its own RNG and storing encrypted original data beside each token. The same PAN yields token 2200-ABCD-1234-1111 in one vault and 2200-WXYZ-9999-1111 in another, marked with “?”.]

Page 17: Voltage Secure Stateless Tokenization

[Figure: two Voltage SecureData Appliances, each with a Management Console, Web Services API and Key Server, both holding the same static PAN-to-token mapping table. A calling application submitting PAN 4040-1111-1111-1111 to either appliance receives the same token, 2200-ABCD-1234-1111, with no vault to synchronize.]

Sample rows of the mapping table (PAN | Token):
00000000000 | 19182929129
00000000001 | 87871251521
00000000002 | 21872773612
00000000003 | 39289736131
99999999999 | 67362615625

Page 18: HPE Secure Stateless Tokenization (SST)

Input | SST | Partial SST | Obvious SST
Credit card 1234 5678 8765 4321 | 8736 5533 4678 9453 | 1234 5633 4678 4321 | 1234 56AZ UYTZ 4321
Tax ID 934-72-2356 | 347-98-8309 | 347-98-2356 | AZS-UX-2356

– Replaces token database with a smaller token mapping table
– Token values mapped using random numbers
– Lower costs
− No database hardware, software, replication problems, etc.
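As an added illustration of the table-driven, vault-free tokenization on this slide (example code, not HPE's SST algorithm): a static random mapping table replaces the vault, and the full, partial and "obvious" token styles fall out of which positions are mapped and from which alphabet. The seed, the six-leading/four-trailing clear digits and the uppercase alphabet are assumptions.

```python
import random
import string

DIGITS = string.digits
LETTERS = string.ascii_uppercase   # non-digit symbols give an "obvious" token


def build_table(seed: bytes, positions: int, alphabet: str) -> list:
    """Static token mapping table: for each digit position, ten distinct
    random symbols from `alphabet`; the symbol at index d replaces digit d.
    Every appliance seeded with the same secret rebuilds the identical
    table, so no vault, replication or per-transaction backup is needed.
    (random.Random keeps the demo reproducible; a real deployment would
    generate the table from a cryptographic RNG and keep it secret.)"""
    rng = random.Random(seed)
    return [rng.sample(alphabet, len(DIGITS)) for _ in range(positions)]


def _map(text: str, table: list, keep_leading: int, keep_trailing: int,
         forward: bool) -> str:
    """Walk the value, leaving layout characters and the clear-text head and
    tail untouched; tokenized positions are looked up (forward) or inverted
    through the entry's index (reverse). Position-specific rows mean the
    same digit maps differently in each position."""
    payload = [c for c in text if c.isalnum()]
    lo, hi = keep_leading, len(payload) - keep_trailing
    out, idx, pos = [], 0, 0
    for c in text:
        if not c.isalnum():
            out.append(c)
            continue
        if lo <= idx < hi:
            row = table[pos]
            out.append(row[int(c)] if forward else DIGITS[row.index(c)])
            pos += 1
        else:
            out.append(c)
        idx += 1
    return "".join(out)


def tokenize(pan: str, table: list, keep_leading: int = 6,
             keep_trailing: int = 4) -> str:
    """Partial SST by default (BIN and last four in the clear);
    keep_leading=0, keep_trailing=0 gives the full SST form."""
    return _map(pan, table, keep_leading, keep_trailing, True)


def detokenize(token: str, table: list, keep_leading: int = 6,
               keep_trailing: int = 4) -> str:
    """Reverse lookup with the same table; no stored state is consulted."""
    return _map(token, table, keep_leading, keep_trailing, False)


# Constructed demo seed, not a real secret; 16 rows cover a 16-digit PAN.
DEMO_SEED = b"constructed-demo-seed"
NUMERIC_TABLE = build_table(DEMO_SEED, 16, DIGITS)
OBVIOUS_TABLE = build_table(DEMO_SEED, 16, LETTERS)


def demo(pan: str = "1234 5678 8765 4321") -> dict:
    """The three token styles from the slide for one constructed PAN."""
    return {"full": tokenize(pan, NUMERIC_TABLE, 0, 0),
            "partial": tokenize(pan, NUMERIC_TABLE),
            "obvious": tokenize(pan, OBVIOUS_TABLE)}
```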

Page 19: Tokenization: standards and leadership
– Secure Stateless Tokenization
− Design is available for review
− Validated by Coalfire for PCI use cases and scope reduction
− Used by major credit card brands, acquirers and retailers
− Independently vetted by numerous well-known crypto experts
– ANSI Standards X9.124 and X9.119
− HP Security – Data Security CTO chairs ANSI X9 F1
− Driving tokenization, Format-Preserving Encryption and key management for financial services

Page 20: Mapping the Flow of Sensitive Data

[Figure: new account flow: web form → new account application → mainframe database → fraud detection, customer service application, Hadoop analytics and CC processing. Every node holds the cardholder record in the clear: 4040 1234 1234 9999, John Smith.]

Page 21: Designing a Data-centric Solution

[Figure: the same flow as Page 20. The web form and new account application still handle the clear record 4040 1234 1234 9999, John Smith; from the mainframe database onward the record is the protected 4040 6763 0123 9999, Kelt Dqitp (the PAN keeps its first and last four digits), with fraud detection shown holding the protected PAN alongside the clear name John Smith.]

Page 22: Data protection with HPE FPE and HPE SST
– Guaranteed referential integrity or fully randomized output by policy
– Enables data protection and data de-identification from one framework
− Can be used to generate test data for QA, training, etc.

Original data:
Name | SS# | Credit Card # | Street Address | Customer ID
James Potter | 385-12-1199 | 3712 3456 7890 1001 | 1279 Farland Avenue | G8199143
Ryan Johnson | 857-64-4190 | 5587 0806 2212 0139 | 111 Grant Street | S3626248
Carrie Young | 761-58-6733 | 5348 9261 0695 2829 | 4513 Cambridge Court | B0191348
Brent Warner | 604-41-6687 | 4929 4358 7398 4379 | 1984 Middleville Road | G8888767
Anna Berman | 416-03-4226 | 4556 2525 1285 1830 | 2893 Hamilton Drive | S9298273

Protected data (Name, SS#, Credit Card # and Street Address via FPE; Customer ID via SST):
Name | SS# | Credit Card # | Street Address | Customer ID
Kwfdv Cqvzgk | 161-82-1292 | 3712 3486 3545 1001 | 2890 Ykzbpoi Clpppn | S7202483
Veks Iounrfo | 200-79-7127 | 5587 0856 7634 0139 | 406 Cmxto Osfalu | B0928254
Pdnme Wntob | 095-52-8683 | 5348 9209 2367 2829 | 1498 Zejojtbbx Pqkag | G7265029
Eskfw Gzhqlv | 178-17-8353 | 4929 4333 0934 4379 | 8261 Saicbmeayqw Yotv | G3951257
Jsfk Tbluhm | 525-25-2125 | 4556 2545 6223 1830 | 8412 Wbbhalhs Ueyzg | B6625294

Page 23: Key management
– Key management introduces several questions
− How are keys accessed?
− How are keys rotated?
− How are keys replicated for scale?
– Traditional key management
− Utilizes database based “key vaults”
− Requires manual processes
− Challenges with scalability, performance and disaster recovery
− Requires backup per new key

[Figure: a key vault holding Key 1, Key 2 … Key N, each stored as an encrypted key.]

Page 24: Key generation and authentication
– Multiple servers seeded with the same base key
– Keys generated “just-in-time” after authentication and authorization
– No key store/vault: no key replication required
– Simple DR: multiple servers load balanced

[Figure: an application sends a request for [email protected] to the Key Server; the Key Server checks the identity against an authentication resource (e.g. LDAP, AD, RACF), is backed by an HSM, and is seeded with base keys (18723619236161872361923616…). The derived key for [email protected] (1872361923616) is returned to the application.]
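As an added illustration of the stateless key generation described on this slide (example code, not HPE's implementation): every server holds only the base key, and a key is derived on demand from (base key, identity, purpose, version) after an authentication and authorization check, so two load-balanced servers agree without replicating anything. The HKDF construction, the identity and purpose strings, the in-memory directory and the version-based rotation are assumptions.

```python
import hashlib
import hmac

# Constructed base key for the demo, not a real secret. In the slide's design
# it is the one secret every key server is seeded with (held in an HSM).
BASE_KEY = bytes(range(32))
SALT = b"constructed-demo-salt"


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) extract-then-expand with HMAC-SHA256, the assumed
    just-in-time derivation function."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class KeyServer:
    """One of several load-balanced servers. It stores no derived keys and no
    vault: it holds the base key and consults an authentication resource."""

    def __init__(self, base_key: bytes, directory: dict):
        self._base_key = base_key
        self._directory = directory  # stands in for LDAP / AD / RACF

    def authorized(self, identity: str, credential: str, purpose: str) -> bool:
        entry = self._directory.get(identity)
        if entry is None:
            return False
        ok = hmac.compare_digest(entry["credential"], credential)
        return ok and purpose in entry["purposes"]

    def get_key(self, identity: str, credential: str, purpose: str,
                key_version: int = 1) -> bytes:
        """Authenticate, authorize, then derive. The key is a pure function of
        (base key, identity, purpose, version): any server seeded with the same
        base key returns the same bytes, and rotation is a bump of key_version."""
        if not self.authorized(identity, credential, purpose):
            raise PermissionError(f"{identity} not authorized for {purpose}")
        info = f"{purpose}|{identity}|v{key_version}".encode()
        return hkdf_sha256(self._base_key, SALT, info)


# Constructed directory: plaintext credentials are a demo simplification; a
# real deployment delegates the check to LDAP/AD/RACF.
DIRECTORY = {
    "newaccount-app@example.com": {"credential": "s3cret", "purposes": {"fpe-ssn"}},
    "custservice-app@example.com": {"credential": "other", "purposes": {"fpe-ssn"}},
}


def demo() -> bool:
    """Two servers seeded with the same base key agree on the key for the
    same caller without any replication between them."""
    server_a = KeyServer(BASE_KEY, DIRECTORY)
    server_b = KeyServer(BASE_KEY, DIRECTORY)
    k_a = server_a.get_key("newaccount-app@example.com", "s3cret", "fpe-ssn")
    k_b = server_b.get_key("newaccount-app@example.com", "s3cret", "fpe-ssn")
    return k_a == k_b
```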

Page 25: HPE SecureData architecture

Page 26: HPE SecureData – data security platform

[Figure: platform architecture.]
– Platform core: HPE SecureData Management Console; authentication & authorization sources (e.g. Active Directory); HSM
– Policy controlled data protection and masking services & clients: HPE SecureData Web Services API; HPE SecureData Native APIs (C, Java, C#/.NET); HPE SecureData Command Lines; HPE SecureData z/Protect, z/FPE; HPE SecureData Native UDFs; HPE SecureData File Processor; Volume Key Management; partner integrations; SaaS & PaaS cloud apps; payment terminals
– Business applications, data stores and processes: production databases; mainframe applications & databases; 3rd party applications; Teradata, Hadoop & HPE Haven; ETL & data integration suites; network interceptors; payment systems; HPE NonStop applications & databases; web/cloud applications (AWS, Azure); enterprise applications; volumes and storage; 3rd party SaaS gateways

Page 27: HPE SecureData infrastructure
– Scalability
− Stateless servers fronted by load balancers
− System scales horizontally; no key replication required
− Components can scale independently
– Browser based Management Console for policy and audit
– HSMs for compliance requirements
– Event logging management to Syslog

[Figure: load balancer in front of the HPE SecureData servers.]

Page 28: HPE SecureData platform tools

Protected data environment (sample protected records as on Page 22)

Native APIs
– Enable encryption in custom apps
– C/C++/C#/Java
– Distributed and mainframe platforms

Command Line Tools
– Bulk encryption and tokenization
– Files and databases
– Variety of distributed and mainframe platforms

Web Services APIs
– Any web services enabled platform
– Additional layer of masking
– Offload processing on HPE SecureData Server

HPE SecureData File Processor
– Converged HPE SST and FPE client solution in Java
– Handles different record types within the same file
– Efficient multi-field, multi-threading architecture

Page 29: HPE SecureData enabled platforms

Protected data environment (sample protected records as on Page 22)
– ETL and data integration suites
– XML gateways
– 3rd party applications
– Teradata and Hadoop
– Mainframe applications and databases
– Custom applications
– Web and browser applications
– Payment devices
– Production databases and flat files
– Network firewalls

Page 30: Usage: HPE SecureData SimpleAPI

[Figure: HPE format-preserved encrypted SSN across the account flow.]
– Web form: SSN: 022-37-2773
– New account application: fpe.protect(SSN)
– Mainframe database: SSN: 734-81-9292
– Logs, reports, and backups: SSN: 734-81-9292
– Customer service application: fpe.access(SSNe) on the protected value SSN: 734-81-9292; a masked view SSN: XXX-XX-2773 is also shown
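As an added illustration of the protect / access / mask flow on this slide and of the format-preserving property introduced on Page 13, here is a small alternating Feistel cipher over decimal strings (example code, not HPE's SimpleAPI and not the NIST FF1 algorithm): the protected SSN keeps its length and dashes, a fixed tweak makes the output deterministic (referential integrity), and keep_last gives the partial form. The HMAC-based round function, round count, demo key and function names are assumptions.

```python
import hashlib
import hmac

ROUNDS = 10
# Constructed demo key, not a real secret; in the product it comes from the key server.
KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)


def _round_fn(key: bytes, tweak: bytes, i: int, half: str) -> int:
    """Round function: HMAC-SHA256 over (tweak, round index, half) as an integer.
    FF1 uses AES here; HMAC keeps this demo dependency-free."""
    mac = hmac.new(key, tweak + bytes([i]) + half.encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big")


def _feistel(digits: str, key: bytes, tweak: bytes, decrypt: bool = False) -> str:
    """Alternating Feistel network over a decimal string of length n >= 2.
    Left half u = n // 2 digits, right half v = n - u; each round adds (or,
    when decrypting, subtracts) the round function mod 10**m, so the result
    is again exactly n digits: the format is preserved."""
    n = len(digits)
    if n < 2 or not digits.isdigit():
        raise ValueError("need at least two decimal digits")
    u, v = n // 2, n - n // 2
    a, b = digits[:u], digits[u:]
    order = range(ROUNDS - 1, -1, -1) if decrypt else range(ROUNDS)
    for i in order:
        m = u if i % 2 == 0 else v
        if decrypt:
            a, b = str((int(b) - _round_fn(key, tweak, i, a)) % 10 ** m).zfill(m), a
        else:
            a, b = b, str((int(a) + _round_fn(key, tweak, i, b)) % 10 ** m).zfill(m)
    return a + b


def _relayout(template: str, digits: str) -> str:
    """Put digits back into the template's layout (dashes, spaces)."""
    it = iter(digits)
    return "".join(next(it) if c.isdigit() else c for c in template)


def protect(value: str, key: bytes = KEY, tweak: bytes = b"", keep_last: int = 0) -> str:
    """fpe.protect: encrypt the digits in place; keep_last > 0 gives the partial
    form (e.g. last four of an SSN in the clear). A fixed tweak makes the output
    deterministic, which is what preserves referential integrity across systems."""
    digits = "".join(c for c in value if c.isdigit())
    cut = len(digits) - keep_last
    return _relayout(value, _feistel(digits[:cut], key, tweak) + digits[cut:])


def access(value: str, key: bytes = KEY, tweak: bytes = b"", keep_last: int = 0) -> str:
    """fpe.access: inverse of protect, for callers authorized to see the clear value."""
    digits = "".join(c for c in value if c.isdigit())
    cut = len(digits) - keep_last
    return _relayout(value, _feistel(digits[:cut], key, tweak, decrypt=True) + digits[cut:])


def mask(value: str, reveal_last: int = 4) -> str:
    """Masked view for callers that only need the tail, e.g. XXX-XX-2773."""
    digits = "".join(c for c in value if c.isdigit())
    shown = "X" * (len(digits) - reveal_last) + digits[len(digits) - reveal_last:]
    return _relayout(value, shown)
```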

Page 31: Summary and Q&A

Page 32: HPE SecureData Summary
– Data-centric, persistent data protection
– Standards-based AES FFX encryption
– Open approach to security
– Central policy management and control
– Stateless key management
– Simple, high performance native platform APIs covering enterprise and cloud platforms
– Easy to use web services APIs for distributed and cloud environments
– Support for diverse platforms for enterprise, including Big Data, and cloud data security
– Agnostic of databases, disk, volume, backup, transport

Page 33: Thank you – Contact information