Introduction to HPE SecureData
HPE Security – Data Security
My story
– Daniel Clift
– Solution Architect – HPE Data Security
– +44 (0) 7789 633 572
– https://www.linkedin.com/in/danielclift
Hewlett Packard Enterprise: Protect your digital enterprise
– Transform to a hybrid infrastructure
– Enable workplace productivity
– Protect your digital enterprise
– Empower the data-driven organization
Proactively protect the interactions between users, applications and data across any location or device.
HPE SecureData framework
– Use cases: PCI / compliance / scope reduction | Data de-identification and privacy | Collaboration security
– Environments: Mobile | Cloud | Enterprise | Payments | Big Data | Physical environments
– Products: HPE SecureMail | HPE SecureData
– Policy control: Data security policy control
– Standards foundation: New data security standards (ANSI | NIST | IEEE | IETF)
– Innovative architecture: Stateless architecture (HPE IBE | HPE Stateless Key Management)
– Breakthrough technologies: Data-centric security technology (HPE FPE | HPE SST | HPE PIE)
– Structured and unstructured data
Use cases: Data de-identification
Top global telecom
– Need: Compliance with PCI, HIPAA, state privacy laws
– For: 550 apps, 26 data elements, mainframe, Teradata, Windows, Unix
– Without HPE SecureData: Attempts to protect data in each app and database resulted in high costs
– With HPE SecureData: Data-centric security using HPE FPE applied to hundreds of apps and databases
Branch of the US Military
– Need: Advance medical research by sharing de-identified patient data (HIPAA)
– For: 100 TB of sensitive data, Informatica ETL
– Without HPE SecureData: No sharing of data outside the organization
– With HPE SecureData: HPE FPE used to mask data, while allowing reversibility when needed
Global credit card brand
– Need: Developing a new European payments platform and reducing PCI costs with outsourced IT
– For: Mobile wallets solution securely enabled with identity and payment services
– Without HPE SecureData: Deploy cumbersome and non-scalable database-driven tokenization
– With HPE SecureData: Enable secure scaling of up to 2 billion cardholders in the EU
HPE SecureData Technologies
Multiple solutions with multiple security gaps
Diagram: traditional IT infrastructure security controls (disk encryption, database encryption, SSL/TLS/firewalls, authentication management) mapped against the layers of the data ecosystem (middleware/network, storage, databases, file systems, data and applications) and the threats to data at those layers (malware, insiders, SQL injection, traffic interceptors, credential compromise). Each control covers only its own layer, so a security gap remains between every pair of layers.
Attack Trends vs. Protection Strategy Effectiveness
Traditional infrastructure-level protection:
• Disk, file
• Data at rest only
Data-centric security:
• Fields and objects
• Any databases, any data, anywhere
• Data in use, in motion, and at rest
Graph source: Verizon Data Breach Report 2014
Data-centric security protects data over its lifecycle against broad threats; data-at-rest-only solutions protect only against physical threats.
© Voltage Security, Inc. 2014
Problems with Traditional Data Security Solutions
– Need to change data structures and applications
– Fully encrypted data is unusable until decrypted
– Key management can be a nightmare
– Requires multiple, piecemeal solutions which create multiple security gaps
HPE SecureData provides this protection
Diagram: the same layered view as above (traditional controls, data ecosystem layers, threats and security gaps), with HPE SecureData data-centric security drawn as a single end-to-end protection layer spanning middleware/network, storage, databases, file systems, and data and applications.
HP SecureData Critical Differentiators
Problem with traditional solutions | HPE SecureData differentiator
Need to change data structures and applications | Protected data has the same schema: no database changes and minimized code changes
Fully encrypted data is unusable until decrypted | Column and sub-column encryption: data is usable in a protected state
Key management can be a nightmare | Stateless key management: simplest process and no data loss
Requires multiple, piecemeal solutions which create multiple security gaps | Largest platform support: z/OS, UNIX variants, Windows, Tandem, etc.
HPE Format-Preserving Encryption (FPE)
– Standard, proven HPE Format-Preserving Encryption mode of AES (NIST SP 800-38G draft standard)
– High performance, minimal impact
– Encrypt at capture; data stays protected; most apps can run using protected data
– Fits into existing systems, protocols, schemas; any data (name, address, dates, numbers)
– Preserves referential integrity
Example (original record):
Tax ID: 934-72-2356
First Name: Gunther | Last Name: Robertson | SSN: 934-72-2356 | DOB: 08-07-1966
Regular AES-CBC mode output:
8juYE%Uks&dDFa2345^WFLERG
Ija&3k24kQotugDF2390^32 0OWioNu2(*872weW
Oiuqwriuweuwr%oIUOw1@
FPE (AES-FF1 mode) output:
Tax ID: 253-67-2356
First Name: Uywjlqo | Last Name: Muwruwwbp | SSN: 253-67-2356 | DOB: 01-02-1972
Format-preserving encryption: standards and leadership
– The use of standards-based cryptography is essential
− Open standards are vendor-agnostic and remove risks
− Non-standard and unpublished crypto has security and liability implications
− E.g. organizations cannot claim safe-harbor exceptions in case of a breach
– Format-Preserving Encryption (NIST SP 800-38G)
− HPE Security – Data Security invented the FFX mode of FPE standardized by NIST
− HPE Security – Data Security patents cover all modes of FFX
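The format-preserving behaviour described on the two FPE slides above, as an added example that is not HPE's code and does not implement the NIST FF1/FFX mode: a tweakable Feistel construction over a chosen alphabet with HMAC-SHA256 as the round function, so the output keeps the length and character set of the input, the same input always protects to the same output (referential integrity), and the last four digits of an SSN can stay in clear as in the 253-67-2356 example. The protect, access and mask helpers mirror the fpe.protect and fpe.access calls on the SimpleAPI usage slide later in the deck. The key, alphabets, tweaks and function names are constructed for this example; a production deployment would use the standardized AES-based FF1 mode rather than this construction.

```python
import hashlib
import hmac

# Alphabets and key for the formats demonstrated (constructed for this example).
DIGITS = "0123456789"
LOWER = "abcdefghijklmnopqrstuvwxyz"
KEY = b"constructed-demo-key-not-for-production"

def _to_int(s, alphabet):
    """Read s as a base-len(alphabet) number, most significant symbol first."""
    n = 0
    for ch in s:
        n = n * len(alphabet) + alphabet.index(ch)
    return n

def _to_str(n, length, alphabet):
    """Inverse of _to_int, padded with the alphabet's zero symbol to `length` symbols."""
    out = []
    for _ in range(length):
        n, r = divmod(n, len(alphabet))
        out.append(alphabet[r])
    return "".join(reversed(out))

def _round_function(key, tweak, round_no, half, modulus):
    """Pseudorandom round function: HMAC-SHA256 over (tweak, round, half), reduced mod modulus."""
    msg = tweak + bytes([round_no]) + half.encode("ascii")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big") % modulus

def fpe_encrypt(key, tweak, plaintext, alphabet, rounds=10):
    """Feistel FPE: output has the same length and alphabet as the input (rounds must be even)."""
    if len(plaintext) < 2 or any(ch not in alphabet for ch in plaintext):
        raise ValueError("input must be at least two symbols from the alphabet")
    u = len(plaintext) // 2
    v = len(plaintext) - u
    a, b = plaintext[:u], plaintext[u:]
    for i in range(rounds):
        m = u if i % 2 == 0 else v            # length of the half replaced in this round
        modulus = len(alphabet) ** m
        c = (_to_int(a, alphabet) + _round_function(key, tweak, i, b, modulus)) % modulus
        a, b = b, _to_str(c, m, alphabet)
    return a + b

def fpe_decrypt(key, tweak, ciphertext, alphabet, rounds=10):
    """Run the same rounds backwards; modular subtraction undoes each round exactly."""
    u = len(ciphertext) // 2
    v = len(ciphertext) - u
    a, b = ciphertext[:u], ciphertext[u:]
    for i in reversed(range(rounds)):
        m = u if i % 2 == 0 else v
        modulus = len(alphabet) ** m
        prev_a = (_to_int(b, alphabet) - _round_function(key, tweak, i, a, modulus)) % modulus
        a, b = _to_str(prev_a, m, alphabet), a
    return a + b

def protect_ssn(key, ssn):
    """fpe.protect for an SSN: the last four digits stay in clear (as in 253-67-2356 on the
    slide) and double as the tweak, so the protected prefix also depends on them."""
    digits = ssn.replace("-", "")
    if len(digits) != 9 or not digits.isdigit():
        raise ValueError("expected NNN-NN-NNNN")
    head, tail = digits[:5], digits[5:]
    enc = fpe_encrypt(key, tail.encode("ascii"), head, DIGITS)
    return f"{enc[:3]}-{enc[3:5]}-{tail}"

def access_ssn(key, protected):
    """fpe.access: recover the original SSN for an authorized caller."""
    digits = protected.replace("-", "")
    head, tail = digits[:5], digits[5:]
    dec = fpe_decrypt(key, tail.encode("ascii"), head, DIGITS)
    return f"{dec[:3]}-{dec[3:5]}-{tail}"

def mask_ssn(ssn):
    """Irreversible mask for logs, reports and backups (XXX-XX-2773 on the slide)."""
    return "XXX-XX-" + ssn[-4:]

def _restore_layout(template, letters):
    """Put transformed letters back into the template's positions, keeping case and punctuation."""
    out, j = [], 0
    for ch in template:
        if ch.isalpha():
            out.append(letters[j].upper() if ch.isupper() else letters[j])
            j += 1
        else:
            out.append(ch)
    return "".join(out)

def protect_name(key, name):
    """FPE over the letters of a name: 'Gunther Robertson' becomes another capitalized two-word name."""
    letters = "".join(ch.lower() for ch in name if ch.isalpha())
    return _restore_layout(name, fpe_encrypt(key, b"name", letters, LOWER))

def access_name(key, protected):
    """Inverse of protect_name."""
    letters = "".join(ch.lower() for ch in protected if ch.isalpha())
    return _restore_layout(protected, fpe_decrypt(key, b"name", letters, LOWER))
```

Because the construction is deterministic under a fixed key and tweak, two records carrying the same SSN protect to the same value, which is what keeps joins and lookups working across the applications in the flow diagrams later in the deck; a policy that asks for fully randomized output instead would use a per-record tweak and give up that linkage.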
HP Secure Stateless Tokenization (SST)
– PCI DSS QSAs recommend tokenization to protect cardholder data at rest
– PCI scope reduction simplifies compliance and reduces costs
– Traditional tokenization technologies:
− Utilize database-based “token vaults”
− Issues with scalability, performance and disaster recovery
− Introduce token collisions
− Require backup per transaction
Diagram (traditional tokenization): calling applications submit a PAN (4040-1111-1111-1111) to database token vaults that store rows of encrypted original data and tokens; each vault draws tokens from its own RNG, and the same PAN tokenized in different vaults is shown yielding different tokens (2200-ABCD-1234-1111 and 2200-WXYZ-9999-1111, marked "?").
Voltage Secure Stateless Tokenization
Diagram: a calling application uses the Web Services API of the Voltage SecureData Appliance (with its Management Console and Key Server) to tokenize a PAN (4040-1111-1111-1111) against a static PAN-to-token mapping table instead of a vault:
PAN | Token
00000000000 | 19182929129
00000000001 | 87871251521
00000000002 | 21872773612
00000000003 | 39289736131
… | …
99999999999 | 67362615625
HPE Secure Stateless Tokenization (SST)
Original | SST | Partial SST | Obvious SST
Credit card 1234 5678 8765 4321 | 8736 5533 4678 9453 | 1234 5633 4678 4321 | 1234 56AZ UYTZ 4321
Tax ID 934-72-2356 | 347-98-8309 | 347-98-2356 | AZS-UX-2356
– Replaces the token database with a smaller token mapping table
– Token values mapped using random numbers
– Lower costs
− No database hardware, software, replication problems, etc.
Tokenization: standards and leadership
– Secure Stateless Tokenization
− Design is available for review
− Validated by Coalfire for PCI use cases and scope reduction
− Used by major credit card brands, acquirers and retailers
− Independently vetted by numerous well-known crypto experts
– ANSI Standards X9.124 and X9.119
− HP Security – Data Security CTO is Chair of ANSI X9 F1
− Driving tokenization, Format-Preserving Encryption and key management for financial services
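A table-driven, stateless tokenizer in the spirit of the SST slides above, as an added illustration that is not HPE's algorithm: a static table of random values (a seeded permutation, here of only 100 entries) replaces the per-transaction token vault, chunks of the PAN are substituted through that table with chaining so that identical chunks in different positions tokenize differently, and the partial and obvious variants from the table above are produced by the same routine. Because the table is generated from a shared secret rather than written to per transaction, any server holding the table produces the same token and nothing needs replicating or backing up. The seed, chunk size, function names and sample PAN are constructed for the example.

```python
import random

CHUNK = 2                  # digits substituted per table lookup
TABLE_SIZE = 10 ** CHUNK   # 100-entry table for the example; a real table is far larger
OBVIOUS = str.maketrans("0123456789", "ABCDEFGHIJ")
UNOBVIOUS = str.maketrans("ABCDEFGHIJ", "0123456789")

def build_table(seed):
    """Generate the static random mapping table once; every stateless server receives the
    same table. The seed stands in for an HSM-protected secret (constructed for this example)."""
    perm = list(range(TABLE_SIZE))
    random.Random(seed).shuffle(perm)
    inverse = [0] * TABLE_SIZE
    for index, value in enumerate(perm):
        inverse[value] = index
    return perm, inverse

def _chunks(digits):
    return [int(digits[i:i + CHUNK]) for i in range(0, len(digits), CHUNK)]

def tokenize_digits(table, digits, iv):
    """Chained table substitution: each lookup index depends on the previous token chunk."""
    perm, _ = table
    prev, out = iv % TABLE_SIZE, []
    for chunk in _chunks(digits):
        token_chunk = perm[(chunk + prev) % TABLE_SIZE]
        out.append(f"{token_chunk:0{CHUNK}d}")
        prev = token_chunk
    return "".join(out)

def detokenize_digits(table, token, iv):
    """Inverse of tokenize_digits using the inverse permutation."""
    _, inverse = table
    prev, out = iv % TABLE_SIZE, []
    for token_chunk in _chunks(token):
        out.append(f"{(inverse[token_chunk] - prev) % TABLE_SIZE:0{CHUNK}d}")
        prev = token_chunk
    return "".join(out)

def _group4(s):
    return " ".join(s[i:i + 4] for i in range(0, len(s), 4))

def _split(s, keep_first, keep_last):
    return s[:keep_first], s[keep_first:len(s) - keep_last], s[len(s) - keep_last:]

def tokenize_pan(table, pan, keep_first=6, keep_last=4, obvious=False):
    """Partial SST keeps the first six and last four digits; keep_first=keep_last=0 gives a
    full token; obvious=True renders the tokenized span in letters so it can never pass for a PAN."""
    digits = pan.replace(" ", "").replace("-", "")
    if len(digits) != 16 or not digits.isdigit():
        raise ValueError("expected a 16-digit PAN")
    head, middle, tail = _split(digits, keep_first, keep_last)
    if len(middle) % CHUNK:
        raise ValueError("tokenized span must be a multiple of CHUNK digits")
    iv = int(head + tail) if head + tail else 0   # preserved digits seed the chain
    token = tokenize_digits(table, middle, iv)
    if obvious:
        token = token.translate(OBVIOUS)
    return _group4(head + token + tail)

def detokenize_pan(table, token, keep_first=6, keep_last=4):
    """Recover the PAN from any of the three token forms (same table, same keep parameters)."""
    s = token.replace(" ", "").replace("-", "").translate(UNOBVIOUS)
    head, middle, tail = _split(s, keep_first, keep_last)
    iv = int(head + tail) if head + tail else 0
    return _group4(head + detokenize_digits(table, middle, iv) + tail)

# Constructed sample: the table every server shares, and the card number from the slide.
TABLE = build_table("constructed-demo-seed")
PAN = "1234 5678 8765 4321"
```

The preserved digits are fed in as the chain's starting value so two cards sharing the same middle six digits still get different tokens; a second server that builds its table from the same seed returns byte-identical tokens, which is the property that lets the stateless servers on the infrastructure slide be load balanced without a shared database.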
Mapping the Flow of Sensitive Data
Diagram: a new account captured on a web form (card number 4040 1234 1234 9999, name John Smith) flows through the new account application, mainframe database, fraud detection, customer service application, Hadoop analytics and credit card processing; every system holds the clear card number and name.
Designing a Data-centric Solution
Diagram: the same flow with protection applied near the point of capture. Downstream systems hold the protected card number 4040 6763 0123 9999 and the protected name Kelt Dqitp; the clear values 4040 1234 1234 9999 / John Smith appear only where the business process requires them, and one application receives the real name alongside the protected card number.
Data protection with HPE FPE and HPE SST
– Guaranteed referential integrity or fully randomized output by policy
– Enables data protection and data de-identification from one framework
− Can be used to generate test data for QA, training, etc.
Original data:
Name | SS# | Credit Card # | Street Address | Customer ID
James Potter | 385-12-1199 | 3712 3456 7890 1001 | 1279 Farland Avenue | G8199143
Ryan Johnson | 857-64-4190 | 5587 0806 2212 0139 | 111 Grant Street | S3626248
Carrie Young | 761-58-6733 | 5348 9261 0695 2829 | 4513 Cambridge Court | B0191348
Brent Warner | 604-41-6687 | 4929 4358 7398 4379 | 1984 Middleville Road | G8888767
Anna Berman | 416-03-4226 | 4556 2525 1285 1830 | 2893 Hamilton Drive | S9298273
Protected data (Name, SS#, Credit Card # and Street Address with FPE; Customer ID with SST):
Name | SS# | Credit Card # | Street Address | Customer ID
Kwfdv Cqvzgk | 161-82-1292 | 3712 3486 3545 1001 | 2890 Ykzbpoi Clpppn | S7202483
Veks Iounrfo | 200-79-7127 | 5587 0856 7634 0139 | 406 Cmxto Osfalu | B0928254
Pdnme Wntob | 095-52-8683 | 5348 9209 2367 2829 | 1498 Zejojtbbx Pqkag | G7265029
Eskfw Gzhqlv | 178-17-8353 | 4929 4333 0934 4379 | 8261 Saicbmeayqw Yotv | G3951257
Jsfk Tbluhm | 525-25-2125 | 4556 2545 6223 1830 | 8412 Wbbhalhs Ueyzg | B6625294
Key management
– Key management introduces several questions
− How are keys accessed?
− How are keys rotated?
− How are keys replicated for scale?
– Traditional key management
− Utilizes database-based “key vaults”
− Requires manual processes
− Challenges with scalability, performance and disaster recovery
− Requires backup per new key
Diagram: a key vault holding Key 1, Key 2 … Key N, each stored as an encrypted key.
Key generation and authentication
Diagram: an application sends a request as [email protected]; the key server checks it against an authentication resource (e.g. LDAP, AD, RACF) and then derives the key (1872361923616) from the base keys (18723619236161872361923616…) held under an HSM.
– Multiple servers seeded with the same base key
– Keys generated “just-in-time” after authentication and authorization
– No key store/vault: no key replication required
– Simple DR: multiple servers load balanced
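The just-in-time key generation described above, as an added example that is not HPE's implementation: two key servers seeded with the same base key derive the same data key after authenticating the caller and checking its policy, using HKDF-SHA256 (RFC 5869) written against the standard library, so no key is ever stored or replicated and rotation is a version bump in the derivation context. The credentials, policy, base key and names are constructed for the example; a real deployment would authenticate against LDAP/AD/RACF and keep the base key in the HSM.

```python
import hashlib
import hmac

def hkdf_sha256(ikm, salt, info, length=32):
    """HKDF (RFC 5869): extract a pseudorandom key from ikm, then expand it to `length` bytes."""
    prk = hmac.new(salt if salt else b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

class StatelessKeyServer:
    """Holds only the base key (under an HSM in a real deployment), the credential store and
    the policy. Data keys are derived per request and never stored, so a second server seeded
    with the same base key hands out identical keys without any replication."""

    def __init__(self, base_key, credentials, policy):
        self.base_key = base_key
        self.credentials = credentials   # identity -> shared secret (stands in for LDAP/AD/RACF)
        self.policy = policy             # identity -> set of data formats it may protect/access

    def derive_key(self, identity, credential, data_format, key_version):
        # Authentication first, then authorization, exactly as the slide orders them.
        expected = self.credentials.get(identity)
        if expected is None or not hmac.compare_digest(expected, credential):
            raise PermissionError(f"authentication failed for {identity}")
        if data_format not in self.policy.get(identity, set()):
            raise PermissionError(f"{identity} is not authorized for format {data_format}")
        # The key depends on the format and version, not on the caller, so every authorized
        # application shares one key per format; bumping the version rotates it.
        info = b"|".join([b"demo-data-key", data_format.encode(), str(key_version).encode()])
        return hkdf_sha256(self.base_key, b"", info)

# Constructed sample configuration; both servers are seeded with the same base key.
BASE_KEY = b"constructed-base-key-seeded-into-every-server"
CREDENTIALS = {"new-account-app": b"secret-A", "customer-service-app": b"secret-B"}
POLICY = {"new-account-app": {"ssn", "pan"}, "customer-service-app": {"ssn"}}
SERVER_A = StatelessKeyServer(BASE_KEY, CREDENTIALS, POLICY)
SERVER_B = StatelessKeyServer(BASE_KEY, CREDENTIALS, POLICY)
```

Disaster recovery follows from the design: a replacement server needs only the base key and the policy to serve the same keys as the one it replaces, and revoking an application's access is a policy change rather than a key change, because the key was never handed to a vault the application could reach.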
HPE SecureData architecture
HPE SecureData – data security platform
– HPE SecureData Management Console, backed by authentication and authorization sources (e.g. Active Directory) and an HSM
– Policy-controlled data protection and masking services and clients:
− HPE SecureData Web Services API
− HPE SecureData Native APIs (C, Java, C#/.NET)
− HPE SecureData Command Lines
− HPE SecureData z/Protect, z/FPE
− HPE SecureData Native UDFs
− HPE SecureData File Processor
− Partner integrations
− SaaS and PaaS cloud apps
− Payment terminals
− Volume key management
– Business applications, data stores and processes served by the platform:
− Production databases
− Mainframe applications and databases
− 3rd-party applications
− Teradata, Hadoop and HPE Haven
− ETL and data integration suites
− Network interceptors
− Payment systems
− HPE NonStop applications and databases
− Web/cloud applications (AWS, Azure)
− Enterprise applications
− Volumes and storage
− 3rd-party SaaS gateways
HPE SecureData infrastructure
– Scalability
− Stateless servers fronted by a load balancer
− System scales horizontally; no key replication required
− Components can scale independently
– Browser-based Management Console for policy and audit
– HSMs for compliance requirements
– Event logging management to Syslog
HPE SecureData platform tools
Protected data environment
Native APIs
– Enable encryption in custom apps
– C/C++/C#/Java
– Distributed and mainframe platforms
Command Line Tools
– Bulk encryption and tokenization
– Files and databases
– Variety of distributed and mainframe platforms
Web Services APIs
– Any web services enabled platform
– Additional layer of masking
– Offload processing on the HPE SecureData Server
HPE SecureData File Processor
– Converged HPE SST and FPE client solution in Java
– Handles different record types within the same file
– Efficient multi-field, multi-threading architecture
HPE SecureData enabled platforms
Protected data environment:
– ETL and data integration suites
– XML gateways
– 3rd-party applications
– Teradata and Hadoop
– Mainframe applications and databases
– Custom applications
– Web and browser applications
– Payment devices
– Production databases and flat files
– Network firewalls
Usage: HPE SecureData SimpleAPI
HPE format-preserving encrypted SSN
Diagram: an SSN (022-37-2773) entered on a web form is protected at capture with fpe.protect(SSN), producing 734-81-9292; the protected value is what the new account application, mainframe database and customer service application store and exchange, and logs, reports and backups carry only the masked form XXX-XX-2773. An authorized application calls fpe.access(SSNe) on the protected SSN when it needs the value.
Summary and Q&A
HPE SecureData Summary
– Data-centric, persistent data protection
– Standards-based AES FFX encryption
– Open approach to security
– Central policy management and control
– Stateless key management
– Simple, high-performance native platform APIs covering enterprise and cloud platforms
– Easy-to-use web services APIs for distributed and cloud environments
– Support for diverse platforms for enterprise, including Big Data, and cloud data security
– Agnostic of databases, disk, volume, backup, transport
Thank you
Contact information