This webinar discusses how you can use Cloudera Navigator capabilities such as Navigator Encrypt and Key Trustee to secure data and support compliance. It also covers our joint work with Intel on Project Rhino (an initiative to improve data security in Hadoop), and a security architect at a financial services company describes how encryption and key management are used to meet financial regulatory requirements.
Comprehensive Security for the Enterprise III: Protecting Data at Rest and In Motion
Comprehensive Security for the Enterprise:
Protecting Data-at-Rest & in Motion
Ritu Kama, Director Product Management, Intel
Sam Heywood, Director Product Management - Security, Cloudera
“Mike”, CTO, Financial Services Company
Ease of Deployment
• Install encryption client
  • Cloudera parcel
  • Package managers (yum, apt-get), Chef, Puppet, Ansible
• Configure Key Trustee account and store master key
  • Passphrase method (optional “split security”)
  • Key file method
• Create ACLs
  • Almost any process, executable, or script can be ‘trusted’
  • Profile allows control of JAR files and other Java parameters
• Encrypt data
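The “Create ACLs” step is the one where trust decisions are made: access to an encrypted path is granted to specific executables rather than to users. The following is an added example, not Cloudera's code and not taken from the deck, that models how such process-based rules are parsed and evaluated. The rule syntax (`ACTION @category mode executable`), the category names and the binary paths are assumptions constructed for this illustration; the slide itself shows no rule format.

```python
"""Added example (not Cloudera's code): evaluator for process-based
encryption ACL rules of the kind the 'Create ACLs' step describes.

Rule format assumed for this example (not shown on the slide):
    ACTION @category mode executable
  ACTION      ALLOW or DENY
  @category   logical name for a group of encrypted paths
  mode        '*' or a non-empty subset of 'rwx'
  executable  absolute path of the trusted binary, or '*' for any
Rules are evaluated top to bottom; the first match decides; no match
means DENY (default deny, the safe failure mode for encrypted data).
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rule:
    allow: bool        # True for ALLOW, False for DENY
    category: str      # category name without the leading '@'
    modes: str         # '*' or a subset of 'rwx'
    executable: str    # absolute path or '*'


def parse_rule(line: str) -> Rule:
    """Parse one rule line, rejecting anything that is not well formed."""
    parts = line.split()
    if len(parts) != 4:
        raise ValueError(f"malformed rule (expected 4 fields): {line!r}")
    action, category, modes, executable = parts
    if action not in ("ALLOW", "DENY"):
        raise ValueError(f"unknown action {action!r}")
    if not category.startswith("@") or len(category) < 2:
        raise ValueError(f"category must look like @name: {category!r}")
    if modes != "*" and (not modes or set(modes) - set("rwx")):
        raise ValueError(f"mode must be '*' or a subset of rwx: {modes!r}")
    if executable != "*" and not executable.startswith("/"):
        # Trust is granted by path, so only absolute paths are accepted.
        raise ValueError(f"executable must be an absolute path or '*': {executable!r}")
    return Rule(action == "ALLOW", category[1:], modes, executable)


def parse_rules(text: str) -> List[Rule]:
    """Parse a ruleset; blank lines and '#' comments are ignored."""
    return [parse_rule(line) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def is_allowed(rules: List[Rule], category: str, executable: str, mode: str) -> bool:
    """Decide whether `executable` may use `mode` on paths in `category`."""
    if mode not in ("r", "w", "x"):
        raise ValueError(f"mode must be one of r, w, x: {mode!r}")
    for rule in rules:
        if rule.category != category:
            continue
        if rule.executable != "*" and rule.executable != executable:
            continue
        if rule.modes != "*" and mode not in rule.modes:
            continue
        return rule.allow          # first matching rule decides
    return False                   # no match: default deny


# Constructed sample ruleset (hypothetical categories and binary paths).
SAMPLE_RULES = """
# database engine gets full access to its own data category
ALLOW @mysql * /usr/sbin/mysqld
# log shipper may only read the logs category; everything else is refused
ALLOW @logs r /usr/bin/cat
DENY  @logs * *
"""
RULES = parse_rules(SAMPLE_RULES)


def demo() -> dict:
    """Run a few access requests against the sample ruleset."""
    requests = [
        ("mysql", "/usr/sbin/mysqld", "w"),   # trusted engine writes: allowed
        ("mysql", "/bin/cp", "r"),            # unlisted binary: default deny
        ("logs", "/usr/bin/cat", "r"),        # read-only shipper: allowed
        ("logs", "/usr/bin/cat", "w"),        # same binary writing: DENY rule
        ("logs", "/usr/bin/less", "r"),       # other reader: DENY catch-all
    ]
    return {f"{c}:{e}:{m}": is_allowed(RULES, c, e, m) for c, e, m in requests}


if __name__ == "__main__":
    for request, decision in demo().items():
        print(request, "ALLOW" if decision else "DENY")
```

Because trust is tied to an executable path, the integrity of the binary at that path is part of the trust boundary: a rule that allows `/usr/bin/cat` trusts whatever is installed there, so the filesystem holding trusted binaries needs the same change control and monitoring as the key material itself.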
Key Components of PCI
Coverage columns: Customer | Cloudera Navigator: Encrypt, Sentry, Kerberos, Core
• ✔ Install and maintain a firewall
• ✔ Do not use vendor-supplied defaults
• ✔ ✔ Protect stored cardholder data
• ✔ Encrypt transmission of cardholder data across open, public networks
• ✔ Use and regularly update anti-virus software
• ✔ ✔ Develop and maintain secure systems and applications
• ✔ ✔ Restrict access to cardholder data by business need-to-know
• ✔ Assign a unique ID to each person with computer access
• ✔ Restrict physical access to cardholder data
• ✔ Track and monitor all access to network resources and cardholder data
• ✔ Regularly test security systems and processes
Maintain an Information Security Policy
• ✔ ✔ Maintain a policy that addresses information security
Key Components of HIPAA
Ref: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf
Coverage columns: Customer | Cloudera Navigator: Encrypt, Sentry, Kerberos
• ✔ Unique User Identification: Assign a unique name and/or number for identifying and tracking user identity.
• ✔ Emergency Access Procedure: Establish procedures for obtaining necessary ePHI during an emergency.
• ✔ Automatic Logoff: Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
• ✔ Encryption and Decryption: Implement a mechanism to encrypt and decrypt ePHI.
• ✔ ✔ ✔ Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
• ✔ Mechanism to Authenticate ePHI: Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.
• ✔ Authentication: Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.
• ✔ Transmission Security – Integrity Controls: Implement security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of.
• ✔ Transmission Security – Encryption: Implement a mechanism to encrypt ePHI whenever deemed appropriate.