Protect your digital enterprise

Transcription

1 Protect your digital enterprise Application and Data Security Cezary Prokopowicz ESP Regional Sales Manager CEE 14 April 2016

2 Transform to a hybrid infrastructure Protect your digital enterprise Enable workplace productivity Empower the data-driven organization

3 Transform to a hybrid infrastructure Protect your digital enterprise Protect your most prized digital assets whether they are on premise, in the cloud or in between. Enable workplace productivity Empower the data-driven organization

4 Managing risk in today s digital enterprise Increasingly sophisticated cyber attacks More sophisticated More frequent More damaging Cost and complexity of regulatory pressures Compliance Privacy Data protection Rapid transformation of enterprise IT Shift to hybrid Mobile connectivity Big data explosion

5 Today s digital Enterprise needs a new style of protection IaaS PaaS SaaS Off Premise On Premise USERS Protect your most business-critical digital assets and their interactions, regardless of location device APPS DATA BIG DATA Off Premise BYOD 5

6 Protect your digital enterprise Prevent Detect & Respond Recover Build it in Identify the threats you face, assess your organization s capabilities to protect your enterprise, Harden your applications, protect your users, and encrypt your most important data Proactively detect and manage breaches Help reduce time-to-breach-resolution with a tight coupling of analytics, correlation, and orchestration. Establish situational awareness to find and shut down threats at scale Safeguard continuity and compliance Drive resilience and business continuity across your IT environments, systems, and applications. Reduce risk with enterprise-wide governance, risk & compliance strategies

7 Build Security into the fabric of your organization Prevent Detect & Respond Identify the threats you face Assess your organization s capabilities to protect your enterprise Build proactive defenses into user management, applications, and data Recover

8 HPE SecureData 8

9 Traditional data security Everything encrypted at the end point

10 Data Centric Security for end-to-end protection Simplified Compliance More Secure Analytics Easier Move to the Cloud Safer Back-End Storage

11 Data security coverage Introducing: Data-centric security Threats to Data Traditional IT infrastructure security Data Ecosystem Security Gaps Credential Compromise Authentication Management Data and applications Security gap Traffic Interceptors NG-IPS/NG-FWs/WAFs Middleware Security gap SQL injection, Malware Database encryption Databases Security gap Malware, Insiders SSL/TLS/firewalls File systems Malware, Insiders Disk encryption Security gap Storage 11

12 Data security coverage End-to-end Protection HPE Security Data Security provides this protection Threats to Data Traditional IT infrastructure security Data Ecosystem Security Gaps HPE Security data-centric security Credential Compromise Authentication Management Data and applications Security gap Traffic Interceptors NG-IPS/NG-FWs/WAFs Middleware Security gap SQL injection, Malware Database encryption Databases Security gap Malware, Insiders SSL/TLS/firewalls File systems Malware, Insiders Disk encryption Security gap Storage 12

13 HPE Format-Preserving Encryption (FPE) Tax ID FPE First Name: Miroslav Last Name: Knapovsky SSN: DOB: First Name: Uywjlqac Last Name: Muwruwwb SSN: DOB: AES 8juYE%Uks&dDFa2345^WFLERG Ija&3k24kQotugDF2390^32 0OWioNu2(*872weW Supports data of any format: name, address, dates, numbers, etc. Preserves referential integrity Only applications that need the original value need change Used for production protection and data masking 13

14 HPE Secure Stateless Tokenization (SST) Credit Card Tax ID SST Partial SST Obvious SST AZ UYTZ AZS-UX-2356 Replaces token database with a smaller token mapping table Token values mapped using random numbers Lower costs No database hardware, software, replication problems, etc. 14

15 Field level, format-preserving, reversible data de-identification Customizable to granular requirements addressed by encryption & tokenization SST FPE Credit card SSN/ID DOB Full Partial Obvious AZ UYTZ 4321 AZS-UD

16 Mapping the Flow of Sensitive Data Elen Smith Elen Smith Web Form New Account Application Fraud Detection Elen Smith Elen Smith Mainframe Database CC Processing Elen Smith Customer Service Application Hadoop Analytics Elen Smith

17 The Same Environment With HPE SecureData Elen Smith Kelt Dqitp Kelt Dqitp Web Form with HPE PIE New Account Application Fraud Detection Elen Smith HP SecureData Kelt Dqitp Mainframe Database CC Processing Elen Smith Customer Service Application Hadoop Analytics Kelt Dqitp

18 HPE SecureData HPE Stateless Key Management No key database to store or manage High performance, unlimited scalability Both encryption and tokenization technologies Customize solution to meet exact requirements Broad platform support On-premise / Cloud / Big Data Structured / Unstructured Linux, Hadoop, Windows, AWS, IBM z/os, HPE NonStop, Teradata, etc. Quick time-to-value Complete end-to-end protection within a common platform Format-preservation dramatically reduces implementation effort HPE SecureData Web Services API HPE SecureData Key Servers HPE SecureData Command Lines HPE SecureData Native APIs (C, Java, C#./NET) HPE SecureData Management Console HPE SecureData File Processor 18

19 HPE SecureData platform tools Name SS# Credit Card # Street Address Customer ID Kwfdv Cqvzgk Ykzbpoi Clpppn S Veks Iounrfo Cmxto Osfalu B Pdnme Wntob Zejojtbbx Pqkag G Eskfw Gzhqlv Saicbmeayqw Yotv G Jsfk Tbluhm Wbbhalhs Ueyzg B Protected Data Environment Native APIs Command Line Tools Web Services APIs HPE SecureData File Processor Enable encryption in custom apps Bulk encryption and tokenization Any web services enabled platform Converged HPE SST and FPE client solution in Java C/C++/C#/Java Distributed and mainframe platforms Files and databases Variety of distributed and mainframe platforms Additional layer of masking Offload processing on HPE SecureData Server Handles different record types within the same file Efficient multi-field, multithreading architecture 19

20 Key generation and authentication Base Key s = Key Server HSM optional Request Key app@corp.com Authentication Resource, e.g. LDAP, AD, Application Multiple servers seeded with the same base key (master secret) Keys generated just-in-time after authentication and authorization No key store/vault: No key replication required, key is destroyed after use Simple DR: Multiple servers load balanced 20

21 HPE SecureData concept: formats HPE Security Data Security HP FPE Partial HP FPE Stateless token WX4WDL 4321 efpe BQDSJHKGZS Obviously protected XXXXXXXXXXXX 4321 Masked 21

22 Before: All applications and users have access to data HR Application ETL Tool Mainframe App Malware Name SS# Credit Card # Street Address Customer ID James Potter Farland Avenue G Ryan Johnson Grant Street S Carrie Young Cambridge Court B Brent Warner Middleville Road G Anna Berman Hamilton Drive S Analysts Help Desk DBAs Malicious User

23 After: Data is protected at source from Field Level HR Application ETL Tool Payments App Malware Name SS# Credit Card # Street Address Customer ID Kwfdv Cqvzgk Ykzbpoi Clpppn S Veks Iounrfo Cmxto Osfalu B Pdnme Wntob Zejojtbbx Pqkag G Eskfw Gzhqlv Saicbmeayqw Yotv G Jsfk Tbluhm Wbbhalhs Ueyzg B Analysts Help Desk DBAs Malicious User

24 Malicious users, malware and DBAs: only see protected data Malware Name SS# Credit Card # Street Address Customer ID Kwfdv Cqvzgk Ykzbpoi Clpppn S Veks Iounrfo Cmxto Osfalu B Pdnme Wntob Zejojtbbx Pqkag G Eskfw Gzhqlv Saicbmeayqw Yotv G Jsfk Tbluhm Wbbhalhs Ueyzg B DBAs Malicious User

25 Help desk and payments apps: operate on partially protected data Payments App Name SS# Credit Card # Street Address Customer ID Kwfdv Cqvzgk Ykzbpoi Clpppn S Veks Iounrfo Cmxto Osfalu B Pdnme Wntob Zejojtbbx Pqkag G Eskfw Gzhqlv Saicbmeayqw Yotv G Jsfk Tbluhm Wbbhalhs Ueyzg B Help Desk

26 Authorized applications access real data Authorized HR Application HPE SecureData Tools Name James Potter Ryan Johnson Carrie Young Brent Warner Anna Berman Name SS# Credit Card # Street Address Customer ID Kwfdv Cqvzgk Ykzbpoi Clpppn S Veks Iounrfo Cmxto Osfalu B Pdnme Wntob Zejojtbbx Pqkag G Eskfw Gzhqlv Saicbmeayqw Yotv G Jsfk Tbluhm Wbbhalhs Ueyzg B Authorized Fraud Analysts HPE SecureData Tools SS#

27 HPE Application Security 27

28 Traditional Application Security 84% of breaches target applications Applications have become the new perimeter Develop Test Deploy

29 Securing the new SDLC Secure Development Find and fix as developer codes Security Testing Expand testing to web, mobile and cloud applications in production Test Operate Software Security Assurance Programmatic approach to securing applications at scale Develop Deploy

30 The number of apps is growing Increasing platforms and complexity many delivery models Monitoring / Protecting Production Software LEGACY SOFTWARE Securing legacy applications DEMONSTRATING COMPLIANCE Certifying new releases IN-HOUSE DEVELOPMENT Procuring secure software OUTSOURCED COMMERCIAL OPEN SOURCE

31 Requirements Design/ Architecture Coding Testing Deployments/ Maintenance $6.5M 50 $12.7M 122 Cost to Remediate A reactive approach to AppSec is inefficient and expensive $ The Problem Costs and incidence of attacks are high and growing. Average cost of cyber crime per company: 95% increase in 4 years Number of successful attacks per year per company: 144% increase in 4 years 2010! Somebody builds insecure software 2 IT deploys the insecure software 4 We convince & pay the developer to fix it 3 We are breached or pay to have someone tell us our code is bad The ROI 7X 15X 30X

32 Comprehensive End to End Application Security Static Dynamic Runtime On Premise Static Code Analyzer WebInspect App Defender Design Code Test Integration & Staging Production On Demand Fortify on Demand App Defender Application Development IT Operations

33 Static Application Security Testing Accurately identify root cause and remediate underlying security flaw Results User Input XML PL/SQL VBScript VB.NET HTML Java.NET ABAP ASP C# CFML COBOL Visual Basic PHP T-SQL Python Classic ASP JavaScript/AJA X C/C++ SCA Frontend JSP T-SQL XML Java SCA Analysis JSP XML Java T-SQL 22+ Languages SQL Injection

34 Proven Over a decade of successful deployments backed by the largest security research team 10 out of 10 of the largest information technology companies 9 out of 10 of the largest banks 4 out of 5 of the largest pharmaceutical companies 3 out of 3 of the largest independent software vendors 5 out of 5 of the largest telecommunication companies

35 HPE Security Fortify WebInspect Dynamic Analysis WebInspect Dynamic Testing in QA or Production Dynamic and Runtime Analysis Technology Made Simple Compliance Management Build Integration Centralized Program Management

36 Dynamic Analysis Dashboard HPE Security Fortify SSC Live dynamic scan visualization Coverage Analysis Live scan dashboard Live scan statistics Detailed attack table Vulnerabilities found in application

37 HPE Security Fortify Software Security Center Vulnerability detail Line of code vulnerability detail Remediation explanation and advice Vulnerabilities identified in the scan

38 Application testing flexibility on Demand HPE Security Fortify on Demand on Premise HPE Security Fortify Software Security Center

39 Proven Over a decade of successful deployments backed by the largest security research team 10 out of 10 of the largest information technology companies 9 out of 10 of the largest banks 4 out of 5 of the largest pharmaceutical companies 3 out of 3 of the largest independent software vendors 5 out of 5 of the largest telecommunication companies

40 Protect your digital enterprise at scale UK Germany Toronto Virginia Texas Costa Rica Bulgaria India Malaysia Technology Consulting Managed Services Australia Leader Visionary Leader Leader application security and network access control (Gartner) data security (Gartner) SIEM (Gartner) managed security services (Forrester) security professionals managed global SOCs 42 business continuity and recovery centers 40

41 Accelerate Security Protect your digital enterprise 41