Protegrity and Cloudera

6 Ways Global BRANDS SECURE ANALYTIC SUCCESS IN CLOUDERA


How this eBook can help your brand

COMPLIANCE Payment Card Industry (PCI); Protected Health Information (PHI); Personally Identifiable Information (PII)

CAPABILITIES Encryption; Tokenization; Audit & Compliance

As the leading provider of data security solutions that preserve the performance and analytics vital to big data platforms, we are keen to share with you the best practices for protecting sensitive information within Hadoop that we’ve honed working with some of the world’s biggest organizations using Cloudera to innovate and transform business. Given the highly sensitive nature of the services we provide to our customers, their identities have been anonymized here to protect their security posture but further details are available upon request. Look out for icons in the following pages to easily recognize how the described use cases relate to your business enterprise.



1. RETAIL Bank

INPUT >15 Source systems

PERFORMANCE SLA for <1-hour end-to-end processing met

VOLUME >120m records per day

A global financial services brand with a long history of analytical leadership continuously strives to drive value and enhance relationships through better customer understanding.

DEPLOYMENT <40 working days effort

DRIVER Exploration of Hadoop using the Cloudera distribution led this retail bank to reconsider analytical processing and data handling efficiency, which resulted in a new strategy: to use the big data platform as a central landing area for all analytical sources. From the outset of their project the bank recognized that they wanted to go beyond native user authentication; they understood it was optimal to tokenize all sensitive data elements as they land into Cloudera, to keep personal information protected and take PCI data out of audit scope without impacting its analytical value. After rejecting in-house and alternative tokenization solutions as not performant or scalable enough, the bank found Protegrity’s enterprise data security solution utterly compelling in its alignment with their goal to protect data throughout its analytical journey.


Without impact to performance, Protegrity has enabled the bank to extend data protection from the file level to tables, columns, and attributes. With Protegrity’s multi-platform security solution the bank can tokenize sensitive data as early in its lifecycle as possible and consistently enforce a security policy that allows access to data in the clear only by authorized users and only when necessary. For example, account numbers are completely protected by default and for transactional analytics while the first two and last four of 16-digit credit card numbers are displayed in the clear for customer facing users, when needed. This granular approach to protecting PCI data and personal information has provided a solid basis for the bank’s GDPR program.


Our GDPR strategy is built on the ‘by design’ nature of Protegrity’s data security solutions.

Improving a long established analytic history by making effective use of Cloudera Hadoop and reducing PCI audit scope

CHALLENGE Securely re-engineering a complex analytical environment that touches all aspects of retail banking process

STEPS TO SUCCESS Prioritizing the sensitivity of data and recognizing the value of tokenizing it as early as possible to take systems out of PCI scope

SOLUTION Protegrity File Gateway Protectors tokenize data as it is captured and Protegrity Enterprise Security Administrator limits access to unprotected data to defined, authorized users within Cloudera

BENEFITS Tokenization and a datacentric protection approach has reduced PCI compliance costs and provided a blueprint for ensuring that all sensitive data is protected for GDPR compliance while analytic value is preserved



2. TAX SERVICES PROVIDER

DEPLOYMENT @ 1 Month

INPUT >70 Source systems

PERFORMANCE >24 million worldwide records processed annually

Given the nature of their business, client confidentiality and data protection have always been a core brand value for this global provider of tax filing services.

VOLUME @30,000 data fields

DRIVER They first selected Protegrity in 2014 for help securing data when business growth rendered their homegrown encryption solution inadequate for protecting personal and financial information from over 24 million annual tax returns. With so many historic and real-time tax records all containing ‘hidden depth’, this service provider was uniquely positioned to provide a more comprehensive service to its customers by delivering advanced analytical insights to identify tax efficiencies that would save customers money and generate revenue for the service provider. Once certain that Cloudera in the cloud could provide the performance and scalability necessary to achieve their analytic excellence ambitions, from the outset of their big data project the tax service provider again chose Protegrity to realize their commitment to protecting valuable and sensitive customer information, including in-house payment and loyalty card data.


After a strategic discovery and design project, Protegrity outlined the best way to secure all the sensitive data in a very complex, multiplatform ecosystem. All incoming data – including PDFs, online forms, protocol buffers, XML and other document formats – from multiple sources is file encrypted as it lands, then a Cloudera parsing process identifies data fields to protect and uses Protegrity Vaultless Tokenization to replace sensitive data with non-sensitive substitute tokens. These tokens look and feel like the original value in data type and length, and can keep specific data fully or partially visible for processing and analytics. Protecting sensitive information with tokenization helps this tax service provider to keep customer data protected throughout its lifecycle and enables a growing set of search-oriented analytic use cases to be applied with confidence.


With Protegrity we can meet the data protection expectations of our customers and provide them with better service.

Identifying opportunities for customers to make tax efficiencies and increase corporate revenue using Cloudera in the cloud for advanced analytics

CHALLENGE Overcoming concerns about meeting long established internal standards for data protection without impeding analytic processes or the use of new technology

STEPS TO SUCCESS Thorough understanding of data lifecycles and enterprise dataflows facilitated a security design that was robust, scalable and ensured business continuity

SOLUTION Protegrity’s Enterprise Security Administrator, Data Security Gateways, File Protector and Application Protector enable centrally managed, end-to-end protection of sensitive information and role-based control of access to it

BENEFITS A data-centric approach with fine grained protection ensures that all sensitive data is protected, while authorized use and analytic value is preserved



3. GOVERNMENT DEPARTMENT

To provide better service to citizens and businesses and ease the burden and cost of managing multiple systems, this government department decided to consolidate many silo environments into a single governmental Cloudera Enterprise Data Hub (EDH). As the department manages highly personal records for all individuals and businesses, maintaining maximum security was imperative.

DEPLOYMENT 27 nodes rising to 100+

VOLUME >100m records

VARIETY <20 fields

DRIVER Records are internally classified for sensitivity in several ways based on many criteria. Users may only access records for which they have the appropriate security clearance necessary for them to fulfill their specific duties. Further, due to changes in circumstance, a citizen’s records may need to be reclassified at a different security level, meaning unauthorized users and analysts should no longer be able to access the record or its historic data. The ‘no-delete’ nature of Hadoop meant that protecting old records of individuals that had over time become more sensitive proved to be a challenge. Protegrity worked with the department to develop Entity Based Protection (EBP) that provides both field and record level protection to overcome the complexities of securing data in Hadoop. This advanced form of Row Level Protection is now a core Protegrity capability. In this environment, with EBP, each citizen’s sensitivity classification is programmatically defined by the security policy centrally managed in Protegrity Enterprise Security Administrator (ESA), and all sensitive fields for each citizen are uniquely tokenized to replace identifiable information with similar fake values that are of no value if stolen or accessed by rogue users. Each user and analyst is also classified programmatically through an API call to the Protegrity platform so they will only be able to detokenize records and retrieve real data if they have the appropriate level of security clearance. Without the appropriate level of security clearance, returned records will appear tokenized or not be visible to the analyst at all. If a change is required to a citizen’s classification level, an update is sent to the Protegrity platform that reconfigures the policy, and access to all future, current and historical records for that individual is immediately reclassified. This is done without needing to delete any data and offers maximum security, transparency and performance.


We’re currently consolidating the data from all of our legacy data warehouses into the EDH, which will use advanced security solutions to keep the data safe.

Streamlining processes, improving analytic capability and reducing costs with a single governmental Cloudera data lake

CHALLENGE Ensuring maximum security in an EDH environment with complicated levels of access authorization in a constant state of flux

STEPS TO SUCCESS Working closely with Protegrity, Cloudera and other big data vendor experts as a team to accomplish a shared vision of excellence

SOLUTION Centralized policy, key, auditing, and reporting management using Protegrity’s ESA and patented Vaultless Tokenization to control access to data by defined, authorized users within Cloudera. EBP fully protects current and historic data, irrespective of classification changes.

BENEFITS Citizen data privacy and business processing are ensured while whole population analytic value is realized and preserved, end to end, in compliance with internal security requirements



4. FINANCIAL SERVICES FIRM

VARIETY PCI & PII

VOLUME 8m+ Accounts

DEPLOYMENT >25 Nodes

A $16bn revenue diversified financial services firm relies on their reputation as a trusted brand to ensure the loyalty of their customers, so for them protection of their customer data is a priority.

DRIVER Historically they relied on in-house data masking to protect sensitive information in their data warehouse but as their analytics environments expanded across all business units and included new technology they realized they had to rethink their approach to more effectively manage data protection throughout their enterprise. The financial services firm’s Enterprise Data Management Division recognized the power of Protegrity’s solutions to secure sensitive data consistently, across all platforms in their ecosystem, including Cloudera Hadoop (CDH), without impacting analytical performance. Initial usage of Hadoop was driven by new analytic use cases, but the firm had to align with their corporate security strategy and protect Cloudera data from the outset of the project. They chose to utilize Protegrity’s patented Vaultless Tokenization to protect all personal and financial data flowing from their data warehouse and NoSQL environments via Informatica into Hadoop and Hive. Tokenization desensitizes information by replacing it with tokens that are format and data-type preserving and can allow full or partial ‘business bleed-through’ of specific data for processing and analytics. Users access data via a variety of tools including Apache Impala and Tableau Software and, with Protegrity’s Enterprise Security Administrator, centrally and consistently managing security policies which control access to sensitive information by context, authorized users who need data in the clear to perform their duties are allowed to see detokenized data while other users see only tokens. In this way the financial services firm has been able to establish a highly efficient model for the successful protection of all sensitive data without disruption to users or systems, enterprise-wide.


As we enter phase two of our goal to achieve enterprise-wide protection of data, Protegrity is our data security standard.

Make use of Cloudera Hadoop’s powerful performance to enhance data management and customer service

CHALLENGE Maintaining privacy and data protection as a trusted brand value while improving analytic capability in a complicated IT ecosystem

STEPS TO SUCCESS Taking a ‘measured’ approach to thoroughly understand how Protegrity’s tokenization and data protection by design and by default can best advantage an environment with myriad data sources

SOLUTION Protegrity’s Big Data Protectors and Application Protectors are centrally managed by Protegrity Enterprise Security Administrator to limit access to unprotected data to defined, authorized users and systems within Cloudera

BENEFITS A data-centric protection approach utilizing tokenization technology has preserved data’s analytic value without impact to performance



5. ONLINE GAMING PLATFORM

DEPLOYMENT <30 days in development

After a much-publicized data breach with the loss of millions of global customer credit card details, this organization knew they had to defend against future attacks. They identified that tokenizing sensitive data was the optimal route to protecting their cloud-based gaming platform whilst maintaining its value and usability.

VOLUME 75+ million subscribers

VARIETY 24+ payment processors

DRIVER They sent an RFP to several major vendors for vault based token solutions that would protect the credit card and personal information of players by substituting sensitive information with fake data. They emphasized the importance of not impacting functionality or performance of their registration or back end payment processes based on virtual machines. Protegrity responded with details of the requested Protection Server approach, but also suggested an alternative which included API integration into the payment processor part of the customer architecture. With dozens of payment processors, this simplified architecture of API integration (over calls to the Protection Server) appealed to the brand’s engineering team and eliminated the alternative vendor solutions. It highlighted Protegrity’s superior experience and ability to provide flexible designs optimal to a specific customer scenario.


As a large company, the online gaming platform had a thirty-plus day process to make any changes to their environments. So Protegrity set up a lab environment to accelerate run through of concepts and use cases to further advance their architecture. The customer could see the solution successfully working before establishing an instance in their Cloudera development environment that was rolled out into production. This meant they could quickly test the concept of using Hadoop via Cloudera in the cloud, knowing from the outset that all PCI and PII data was secure without impact to performance.


Restoring consumer trust and avoiding reputational and financial consequences of further data breaches

CHALLENGE Achieving maximum protection of PII and PCI without compromising established processes or the user experience in a globally accessed cloud based environment

STEPS TO SUCCESS Utilizing Protegrity’s digital strategy data protection expertise and working as a team to overcome the challenges associated with an always-on, globally accessed, cloud-based service

SOLUTION Protegrity’s patented Vaultless Tokenization takes data out of scope for PCI audit and protects personal information in the event of breach

BENEFITS Simplified compliance with PCI DSS and multiple geographical data protection laws with lower cost and greater protection from the consequences of future data breaches without disruption to online gamers


6. Multinational BANK

CHARACTERS 10k strings

DEPLOYMENT 30-node Cloudera data lake

USERS Globally distributed

This multi-national bank wanted to integrate data from individual European entities to their Italian Headquarters, but EU Cross Border Data Protection Laws meant that access to customer data needed to be restricted to only requesters in each respective country.

They chose Cloudera because they wanted to improve price and performance for analytics. The initial project to SWIFT message strings required scalable protection and secure multi tenancy within their Cloudera data lake. To assure consistent security and auditing across all regions, the bank desired a solution compatible with multiple data types from a variety of systems, including Mainframe, ERP and SAS, which could be tailored for each territory, but controlled centrally. From the inception of their Cloudera project the bank relied on Protegrity as their trusted data protection partner, to protect all PII and financial data, with minimal impact to performance, functionality and ETL processes. Customer and employee data files are protected using the Protegrity File Protector as they are extracted from the mainframe, then loaded in their protected state into the bank’s Cloudera data lake using Oracle Data Integrator (ODI) and parsed using Spark into underlying fields of interest – names, account numbers, International Bank Account Numbers (IBANs), etc. – protected at a granular level. Protegrity Vaultless Tokenization (PVT) was selected to deidentify sensitive information, due to its high performance, transparency and compliance, without compromising business analysis capabilities. The bank implemented PVT in each country, to de-identify PII within the source banking entities before transfer to HQ. Centralized, rule-based access control policies were deployed, integrated with LDAP and Active Directory, restricting access to reidentified data to authorized users only. Protegrity’s unique Entity Based Protection (EBP) allows data access to be restricted by row, field, or based on the security credentials of the user executing a query, ensuring that workers can only access data pertinent to their country via tools including Apache Hive and Cloudera Impala. EBP simplifies the design and coding of security in applications with access restriction logic located in the database tier. This makes database security systems more reliable and robust by reducing the perimeter access area, minimizing audit scope and reducing risk substantially. As the bank explores their obligations under GDPR they recognize that the use of Protegrity has provided them with the visibility and security of sensitive PII that is foundational to compliance with the Regulation’s requirements.

DRIVER Improve price and performance for analytics of global customer and employee data

CHALLENGE Compliantly restrict analytic access to privacy data by country-specific user groups

STEPS TO SUCCESS Fine-grained protection at source in each country using policy-enforced controls to deprotect data only for authorized users

Protegrity allows us to centrally manage the security of sensitive data regardless of where it goes.

SOLUTION Protegrity’s Enterprise Security Administrator and Entity Based Protection allow this bank to ensure access to unprotected data is only by authorized users for end-to-end data security and compliance

BENEFITS Maintained efficiency and value of Cloudera with robust data protection has established a blueprint for future GDPR compliance



Protegrity was born of the need to deliver a new kind of data security that is equipped to meet the challenges of modern enterprises: security that protects the data itself everywhere it goes while enabling businesses the freedom to transform and innovate with their data. The right balance between sophisticated data analysis and risk management can be achieved. Neither needs to be sacrificed. Data today is more than power—it is the lifeblood of the organization and needs to flow to the right data owners in real-time. If it can’t be mined and manipulated at or near real-time while still maintaining security and privacy, it’s not delivering maximum value.

Protegrity Credentials

Organizations from every industry worldwide leverage our expertise and solutions to strengthen their security posture and simplify compliance with internal and regulatory data protection requirements.

Our customers include: Many of Cloudera’s most high profile customers; The world’s largest company and private employer; 20% of all Global Fortune 500 Retail organizations; The most powerful transnational corporation globally; 25% of Global 500 Financial Services Institutions; Europe’s largest financial institutions; America’s most trusted source for high-quality healthcare and service; One of the world’s largest online retailers; The premier driver of air travel intelligence and commerce worldwide; Over 200 brands worldwide including public and private sector

CONTACT Protegrity

Corporate Headquarters: Protegrity USA, Inc. 5 High Ridge Park, 2nd Floor Stamford, CT 06905 Phone: +1.203.326.7200

Protegrity (Europe) Suite 2, First Floor | Braywick House West | Windsor Road Maidenhead, Berkshire SL6 1DN | United Kingdom Phone: +44 1494 857762

www.protegrity.com

Copyright© 2017 Protegrity Corporation. All rights reserved. Protegrity® is a registered trademark of Protegrity Corporation. All other trademarks are the property of their respective owners. Teradata and the Teradata logo are registered trademarks of Teradata Corporation and/or its affiliates in the U.S. and worldwide.
