Access Control for Multi-Vendor Big Data and BI Environments
Session ID: STR-W03
Anmol Singh, Lead Analyst, KuppingerCole Analysts AG
RSA Conference 2019

Big Data & BI Environments: An Introduction

Big Data
• Tons of structured, semi-structured and unstructured data
• Comprises large and complex data sets that cannot be processed by traditional database and software techniques

Business Intelligence
• Identify, extract and interpret business data using interactive tools for effective and accurate decision making
• Knowledge derived from discovering patterns and efficient data mining processes
Security in Big Data & BI Environments
Big Data & BI Security Challenges
Security remains an afterthought
• Security is not part of design and strategy
• Access is dependent on proprietary methods
• Existing IAM tools do not support Big Data/BI operations
• Access control for unstructured data is not a ‘thing’
• No data access governance for Big Data environments
• Big Data security solutions and skills are few and rare
Security Threats in Big Data and BI Environments
Generic and Targeted Attack Vectors

Big Data & BI Security Risks & Threats
Multiple generic and targeted attack vectors

Generic attack vectors
• Network-level attacks
• Server-level attacks
• Data leakage

Targeted attack vectors
• SQL injection
• Illegitimate cubes
• Illegitimate queries
• Abuse by privileged users
• Policy violations (PII etc.)

Layers of the Big Data & BI stack shown on the slide
• Databases
• Big Data platform, data lakes
• Analytics platform
• Reporting/BI interfaces
Big Data Security: Existing Technologies
Are these sufficient?
IAM for Big Data & BI Environments
Existing IAM tools do not support the complexity
[Architecture diagram; text recovered from the slide:]
• Identity provisioning engine with an entitlements repository, feeding database access entitlements and AD/LDAP user groups
• Data analytics & virtualization platforms: CubeDB, Tableau, Tibco
• Business intelligence platforms: SAP BW, Microsoft BI, IBM Cognos, Oracle Hyperion
• Authorizations: data- and cell-level authorizations on the BI/reporting interfaces; data-level authorizations keyed on identity, role, data type and attributes 1 to n
• Enterprise access governance: access request management, access reviews, auditing, policy-based masking

Access Governance in Big Data & BI Environments
The variety of data authorizations creates complexity
• Access at the cube level: data per source; no further splits
• Access at the cube splits: one-dimensional access; fewer access combinations
• Disjointed access patterns: access across multiple data sets and providers; complex role combinations
• Multi-dimensional access: several access combinations; granular role splits; multiple access restrictions

Access Approvals: Granular Permissions
Governing access down to data-level permissions
[Workflow diagram; text recovered from the slide:] An access request goes through an access request approval workflow. Request processing breaks the request for data sets A, B and C down into the entitlements A.1, B.3, C.1 and C.2 (entitlements breakdown); each entitlement is routed to its data owner for access approval or denial, and the resulting data-set permissions are shown as A.1, {C.1}, C.2 and B.3.

What are some of the tools in use today
Can quickly turn into a ‘zoo’ of technologies!
• Database security tools
• Data discovery & classification (for structured and unstructured data)
• Database & data encryption
• UBA (User Behaviour Analytics) for data access
• Data masking & tokenization
• Data virtualization
• IGA (Identity Governance & Administration)
• PAM (Privileged Access Management)
• Dynamic authorization management
• DLP (Data Leakage Prevention)
• API (Application Programming Interface) security

Limitations of existing security technologies
There’s no perfect solution!
Technology: limitation
• Database security: commonly limited to RDBMS, not built for today’s Big Data and BI/analytics
• Data discovery & classification (for structured and unstructured data): only identifies the critical data and might require significant manual effort; helps to target protection but does not protect by itself
• Database & data encryption: works at rest (and, in other forms such as TLS, in motion), but not or only in a very limited way for data in use, and it creates additional challenges for the use of data
• UBA (User Behavior Analytics) for data access: helps in identifying critical use, but does not limit the access to data or the ability to combine certain sets of data
• Data masking & tokenization: potentially good protection, also when it comes to exporting and recombining data, but applications might need access to the full set of data
• Data virtualization: an efficient approach from a data protection perspective, but can create massive amounts of transient (insecure) information views and affects performance
• IGA (Identity Governance & Administration): relatively few out-of-the-box connectors for managing users and, in particular, fine-grained access entitlements in these environments; might require massive customization and suffer from complexity due to the complex entitlement structures of multi-level/multi-dimensional data models
• PAM (Privileged Access Management): focused on securing administrative access, not the fine-grained access control for business users
• Dynamic authorization management: very few out-of-the-box solutions, very limited support for these environments, currently only a point solution; potential performance impact
• DLP (Data Leakage Prevention): focus on files, i.e. the results, not their creation
• API security: limited to API access only

Efficacy of existing technologies for Big Data security
Few technologies are more effective than others
[Chart: the technologies above plotted on an effectiveness axis; values not recoverable from the extraction]

Key Questions on Big Data Security & Governance
How to identify your priorities?
Questions:
• Is your data adequately protected during storage and distributed processing?
• Is governance and security consistently enforced across the entire Big Data ecosystem, from source to target?
• Is there adequate insight and governance over data combinations?
[Scoring matrix: each question scored against Database Security Tools, Data Discovery & Classification, Database & Data Encryption, User Behaviour Analytics, Data Masking & Tokenization, Data Virtualization, Identity Governance & Administration, Privileged Access Management, Dynamic Authorization Management, Data Leakage Prevention and API Security; individual scores not recoverable from the extraction]

Key Questions on Big Data Security & Governance (continued)
How to identify your priorities?
Questions:
• Do you know where sensitive data such as PII and credit card data resides?
• Is there a centralized solution for managing and protecting that data?
• Is your current approach for data protection performing well for the BI use cases?
[Scoring matrix against the same eleven technologies; individual scores not recoverable from the extraction]

Key Questions on Big Data Security & Governance (continued)
Score   Priority   Time for action
0-3     Low        No urgency
3-5     Medium     1 to 2 years
>5      High       Next 3-6 months

Recommendations: Plan to succeed with Big Data & BI Security (continued)
Implement Access Control and Dynamic Authorization
• Understand data flows and authorization requirements of your Big Data & BI environments
• Implement fine-grained access controls: define authorizations at file, service and data levels to implement an ABAC model
• Implement policy-based dynamic masking and row filtering
• Use PAM controls to prevent rogue administrative access to sensitive data
• Use Application to Application Password Management (AAPM) for A2DB (Application to DB) authentication

Recommendations: Plan to succeed with Big Data & BI Security
• Enforce monitoring controls: track user access details for activity reviewing, logging and auditing purposes
• Implement access governance: conduct regular and periodic data access certifications
• Implement API security and input validation: use API gateways and device authentication
• Consider a ‘holistic approach’: traditional security controls only address parts of Big Data security
• Use the matrix discussed to assess your Big Data security state and prioritize your technology investments

Related KuppingerCole Research
Where to find more relevant research on the topic?
• Leadership Compass: Database Security - 70970
• Advisory Note: Big Data Security, Governance, Stewardship - 72565
• KuppingerCole and BARC Joint Study: Big Data and Information Security - 74001
• Advisory Note: Enterprise Big Data IAM – Challenges and Opportunities - 71207
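Policy-based dynamic masking and row filtering, as recommended under "Implement Access Control and Dynamic Authorization", worked as an added example (not code from the deck or from KuppingerCole): a small ABAC rule set is evaluated per user at query time, the row filters of all matching rules are ANDed and their masked columns unioned, no rows are returned when no rule grants any (default deny), and each evaluation is written to an audit list for the monitoring controls recommended above. The sales table, the user attribute sets and the rules are constructed for this example.

```python
import hashlib

# Constructed sample: a sales fact table containing a PII column.
SALES = [
    {"id": 1, "region": "EU", "customer_email": "a@example.org", "amount": 120.0},
    {"id": 2, "region": "EU", "customer_email": "b@example.org", "amount": 80.0},
    {"id": 3, "region": "US", "customer_email": "c@example.org", "amount": 300.0},
]

# Constructed ABAC policy: (condition on user attributes, effect). Row filters
# from all matching rules are ANDed; masked column sets are unioned.
POLICY = [
    # Regional analysts may see rows of their own region only.
    (lambda u: u["role"] == "analyst",
     {"row_filter": lambda u, r: r["region"] == u["region"]}),
    # Auditors may see every row.
    (lambda u: u["role"] == "auditor", {"row_filter": lambda u, r: True}),
    # PII is masked unless the user holds the 'pii' clearance.
    (lambda u: "pii" not in u["clearances"], {"mask": {"customer_email"}}),
]


def _mask(value):
    """Deterministic token, so masked values still group and join consistently."""
    return "tok_" + hashlib.sha256(str(value).encode()).hexdigest()[:8]


def apply_policy(user, rows, audit):
    """Return the rows `user` may see, with masked columns tokenised.

    Default deny: if no rule grants a row filter, nothing is returned.
    Each evaluation is appended to `audit` (row ids seen, columns masked).
    """
    filters, masked = [], set()
    for condition, effect in POLICY:
        if condition(user):
            if "row_filter" in effect:
                filters.append(effect["row_filter"])
            masked |= effect.get("mask", set())
    visible = []
    if filters:  # no granting rule matched -> empty result
        for row in rows:
            if all(f(user, row) for f in filters):
                visible.append({k: _mask(v) if k in masked else v
                                for k, v in row.items()})
    audit.append({"user": user["id"], "rows": [r["id"] for r in visible],
                  "masked": sorted(masked)})
    return visible
```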
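The access request approval workflow from the "Access Approvals: Granular Permissions" slide, as an added example (not code from the deck or from KuppingerCole): a request for cube-level data sets is broken down into data-level entitlements, each entitlement is routed to the data owner who alone may approve or deny it, and the resulting permissions are only the entitlements explicitly approved, with denied and still-pending ones withheld. The data-set names, owners and entitlement splits are constructed for this example.

```python
from dataclasses import dataclass, field

# Constructed catalogue: the data-level entitlements (splits) each cube-level
# data set exposes, and the data owner who must approve access to them.
CATALOGUE = {
    "A": {"owner": "owner-a", "entitlements": ["A.1", "A.2"]},
    "B": {"owner": "owner-b", "entitlements": ["B.1", "B.2", "B.3"]},
    "C": {"owner": "owner-c", "entitlements": ["C.1", "C.2"]},
}
OWNER_OF = {e: d["owner"] for d in CATALOGUE.values() for e in d["entitlements"]}


@dataclass
class AccessRequest:
    requester: str
    wanted: list                       # entitlements asked for, e.g. ["A.1", "B.3"]
    decisions: dict = field(default_factory=dict)  # entitlement -> "approve" | "deny"


def breakdown(wanted):
    """Request processing: group the requested entitlements by the data owner
    who must decide on them. Unknown entitlements are rejected up front."""
    routed = {}
    for ent in wanted:
        if ent not in OWNER_OF:
            raise ValueError(f"unknown entitlement: {ent}")
        routed.setdefault(OWNER_OF[ent], []).append(ent)
    return routed


def record_decision(req, owner, entitlement, decision):
    """Only the owner of a data set may approve or deny its entitlements."""
    if entitlement not in breakdown(req.wanted).get(owner, []):
        raise PermissionError(f"{owner} is not the owner of {entitlement}")
    if decision not in ("approve", "deny"):
        raise ValueError(f"invalid decision: {decision}")
    req.decisions[entitlement] = decision


def resulting_permissions(req):
    """Least privilege: only explicitly approved entitlements become permissions;
    denied and still-pending ones are withheld (and reported for follow-up)."""
    return {
        "granted": sorted(e for e in req.wanted if req.decisions.get(e) == "approve"),
        "denied": sorted(e for e in req.wanted if req.decisions.get(e) == "deny"),
        "pending": sorted(e for e in req.wanted if e not in req.decisions),
    }
```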