Protect your digital enterprise: Application and Data Security

Cezary Prokopowicz, ESP Regional Sales Manager CEE

14 April 2016

Transform to a hybrid infrastructure

Enable workplace productivity

Protect your digital enterprise

Empower the data-driven organization


Protect your most prized digital assets whether they are on premise, in the cloud or in between.

Managing risk in today’s digital enterprise

Rapid transformation of enterprise IT: shift to hybrid, mobile connectivity, big data explosion

Cost and complexity of regulatory pressures: compliance, privacy, data protection

Increasingly sophisticated cyber attacks: more sophisticated, more frequent, more damaging

Today’s digital enterprise needs a new style of protection for its users, apps and data

Protect your most business-critical digital assets and their interactions, regardless of location or device

Off premise: big data, IaaS, SaaS, PaaS, BYOD

On premise

Protect your digital enterprise: Prevent, Detect & Respond, Recover

Prevent (build it in): Identify the threats you face, assess your organization’s capabilities to protect your enterprise, harden your applications, protect your users, and encrypt your most important data.

Detect & Respond (proactively detect and manage breaches): Help reduce time-to-breach-resolution with a tight coupling of analytics, correlation, and orchestration. Establish situational awareness to find and shut down threats at scale.

Recover (safeguard continuity and compliance): Drive resilience and business continuity across your IT environments, systems, and applications. Reduce risk with enterprise-wide governance, risk & compliance strategies.

Prevent: Build security into the fabric of your organization

• Identify the threats you face

• Assess your organization’s capabilities to protect your enterprise

• Build proactive defenses into user management, applications, and data

HPE SecureData

Introducing: “data-centric” security

Traditional data security versus data-centric security for end-to-end protection, with everything encrypted at the end point:

• Simplified compliance

• More secure analytics

• Easier move to the cloud

• Safer back-end storage

Traditional IT infrastructure security controls (disk encryption, database encryption, NG-IPS/NG-FWs/WAFs, SSL/TLS/firewalls, authentication management) each cover a single layer of the stack (storage, file systems, databases, middleware, data and applications), leaving security gaps between the layers of the data ecosystem.

Threats to data across those layers: malware, insiders, SQL injection, traffic interceptors, credential compromise.

Data security coverage: a security gap between every pair of layers.

HPE Security – Data Security provides this protection

The same stack (storage, file systems, databases, middleware, data and applications) with HPE Security data-centric security added: end-to-end protection of the data itself closes the security gaps left between the traditional controls (disk encryption, database encryption, NG-IPS/NG-FWs/WAFs, SSL/TLS/firewalls, authentication management) against malware, insiders, SQL injection, traffic interceptors and credential compromise.

HPE Format-Preserving Encryption (FPE)

– Supports data of any format: name, address, dates, numbers, etc.

– Preserves referential integrity

– Only applications that need the original value need change

– Used for production protection and data masking

Example record: Tax ID 934-72-2356; First Name: Miroslav; Last Name: Knapovsky; SSN: 934-72-2356; DOB: 11-07-1971

AES output: 8juYE%Uks&dDFa2345^WFLERG / Ija&3k24kQotugDF2390^32 0OWioNu2(*872weW / Oiuqwriuweuwr%oIUOw1@

FPE output: Tax ID 253-67-2356; First Name: Uywjlqac; Last Name: Muwruwwb; SSN: 253-67-2356; DOB: 01-02-1972

HPE Secure Stateless Tokenization (SST)

Credit card 1234 5678 8765 4321:

  SST: 8736 5533 4678 9453

  Partial SST: 1234 5633 4678 4321

  Obvious SST: 1234 56AZ UYTZ 4321

Tax ID 934-72-2356:

  SST: 347-98-8309

  Partial SST: 347-98-2356

  Obvious SST: AZS-UX-2356

– Replaces token database with a smaller token mapping table

– Token values mapped using random numbers

– Lower costs

  − No database hardware, software, replication problems, etc.

Field level, format-preserving, reversible data de-identification, customizable to granular requirements addressed by encryption (FPE) and tokenization (SST)

          Credit card           SSN/ID        Email              DOB
Original  1234 5678 8765 4321   934-72-2356   [email protected]   11-07-1971
Full      8736 5533 4678 9453   347-98-8309   [email protected]   20-05-1972
Partial   1234 5681 5310 4321   634-34-2356   [email protected]   20-05-1972
Obvious   1234 56AZ UYTZ 4321   AZS-UD-2356   [email protected]   20-05-1972

Mapping the flow of sensitive data

Systems handling the data: Web Form, New Account Application, Mainframe Database, Fraud Detection, Customer Service Application, Hadoop Analytics, CC Processing. Every one of them handles the clear value 4040 1234 1234 9999 Elen Smith.

The same environment with HPE SecureData

Data is protected at capture in the Web Form with HPE PIE. Downstream (New Account Application, Mainframe Database, Fraud Detection, Customer Service Application, Hadoop Analytics, CC Processing) some systems still see the clear value 4040 1234 1234 9999 Elen Smith, others the protected value 4040 6763 0123 9999 Kelt Dqitp (first four and last four card digits preserved, name replaced) or the partially protected 4040 6763 0123 9999 Elen Smith.

HPE SecureData

– HPE Stateless Key Management

  – No key database to store or manage

  – High performance, unlimited scalability

– Both encryption and tokenization technologies

  – Customize solution to meet exact requirements

– Broad platform support

  – On-premise / Cloud / Big Data

  – Structured / Unstructured

  – Linux, Hadoop, Windows, AWS, IBM z/OS, HPE NonStop, Teradata, etc.

– Quick time-to-value

  – Complete end-to-end protection within a common platform

  – Format-preservation dramatically reduces implementation effort

HPE SecureData platform tools

Management Console, Web Services API, Native APIs (C, Java, C#/.NET), Command Lines, Key Servers and File Processor, all operating within the protected data environment.

Native APIs

– Enable encryption in custom apps

– C/C++/C#/Java

– Distributed and mainframe platforms

Command Line Tools

‒ Bulk encryption and tokenization

‒ Files and databases

‒ Variety of distributed and mainframe platforms

Web Services APIs

‒ Any web services enabled platform

‒ Additional layer of masking

‒ Offload processing on HPE SecureData Server

HPE SecureData File Processor

Name         | SS#         | Credit Card #       | Street Address        | Customer ID
Kwfdv Cqvzgk | 161-82-1292 | 3712 3486 3545 1001 | 2890 Ykzbpoi Clpppn   | S7202483
Veks Iounrfo | 200-79-7127 | 5587 0856 7634 0139 | 406 Cmxto Osfalu      | B0928254
Pdnme Wntob  | 095-52-8683 | 5348 9209 2367 2829 | 1498 Zejojtbbx Pqkag  | G7265029
Eskfw Gzhqlv | 178-17-8353 | 4929 4333 0934 4379 | 8261 Saicbmeayqw Yotv | G3951257
Jsfk Tbluhm  | 525-25-2125 | 4556 2545 6223 1830 | 8412 Wbbhalhs Ueyzg   | B6625294

‒ Converged HPE SST and FPE client solution in Java

‒ Handles different record types within the same file

‒ Efficient multi-field, multi-threading architecture

Key generation and authentication

Key servers, each seeded with the same base key s = 1872361923616 1872361923616….., authenticate requests against an authentication resource (e.g. LDAP, AD, …), with an optional HSM. An application requests a key for [email protected] and receives the derived key (shown as 1872361923616 in the diagram) with which it protects 1234 5678 8765 4321.

– Multiple servers seeded with the same base key (master secret)

– Keys generated “just-in-time” after authentication and authorization

– No key store/vault: No key replication required, key is destroyed after use

– Simple DR: Multiple servers load balanced

HPE SecureData concept: formats

HP FPE: 4361 4871 1917 5946

Partial HP FPE: 1234 56024342 4321

Stateless token: 1234 56116197 4321

eFPE: 1234 56WX4WDL 4321

Obviously protected: 1234 56BQDSJHKGZS

Masked: XXXXXXXXXXXX 4321
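The partial-FPE format above and the just-in-time key derivation on the key-generation slide, as an added example written for this page (not HPE SecureData's implementation, which is based on the NIST FF1 mode): a toy Feistel-network FPE over decimal digits that leaves the first six and last four card digits in the clear, keyed by a data key recomputed from a constructed base key plus an assumed identity and format label, so no key is ever stored.

```python
import hmac
import hashlib

# Constructed base key for the example; every key server would be seeded with
# the same master secret, and derived keys are recomputed rather than stored.
BASE_KEY = b"constructed-base-key-for-the-example"

def derive_key(base_key: bytes, identity: str, fmt: str) -> bytes:
    """Stateless 'just-in-time' key derivation (assumed scheme): the data key
    is a deterministic function of the shared base key, the authenticated
    identity and the data format, so any server seeded with the same base
    key yields the same key and no key vault is needed."""
    return hmac.new(base_key, f"{identity}|{fmt}".encode(), hashlib.sha256).digest()

def _round_fn(key: bytes, rnd: int, half: str, width: int) -> int:
    # PRF for one Feistel round, reduced to a number of 'width' decimal digits
    mac = hmac.new(key, bytes([rnd]) + half.encode(), hashlib.sha256).digest()
    return int.from_bytes(mac[:8], "big") % (10 ** width)

def fpe_digits(key: bytes, digits: str, decrypt: bool = False, rounds: int = 10) -> str:
    """Toy Feistel FPE over a decimal string: the output has the same length
    and alphabet as the input, so it fits the original field unchanged."""
    n = len(digits)
    u, v = n // 2, n - n // 2          # left and right half sizes
    a, b = digits[:u], digits[u:]
    if not decrypt:
        for i in range(rounds):
            m = u if i % 2 == 0 else v
            c = (int(a) + _round_fn(key, i, b, m)) % 10 ** m
            a, b = b, str(c).zfill(m)
    else:                               # same rounds in reverse order
        for i in reversed(range(rounds)):
            m = u if i % 2 == 0 else v
            c = (int(b) - _round_fn(key, i, a, m)) % 10 ** m
            a, b = str(c).zfill(m), a
    return a + b

def protect_card(key: bytes, pan: str, decrypt: bool = False) -> str:
    """Partial FPE of a 16-digit card number: the first six and last four
    digits stay in the clear, only the middle six are encrypted/decrypted."""
    raw = pan.replace(" ", "")
    if not (raw.isdigit() and len(raw) == 16):
        raise ValueError("expected a 16-digit card number")
    out = raw[:6] + fpe_digits(key, raw[6:12], decrypt) + raw[12:]
    return " ".join(out[i:i + 4] for i in range(0, 16, 4))

if __name__ == "__main__":
    # Assumed identity/format labels; the card number is the slide's sample value
    key = derive_key(BASE_KEY, "new-account-app@example.com", "cc-partial")
    token = protect_card(key, "1234 5678 8765 4321")
    print(token, "->", protect_card(key, token, decrypt=True))
```

An application that only needs the clear first six and last four digits can work on the protected value without change; only the caller that derives the same key (same base key, identity and format) can reverse the middle digits.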

HPE Security – Data Security

Before: All applications and users have access to data

Analysts, Help Desk, DBAs, Malicious User, HR Application, ETL Tool, Mainframe App and Malware all see:

Name         | SS#         | Credit Card #       | Street Address        | Customer ID
James Potter | 385-12-1199 | 37123 456789 01001  | 1279 Farland Avenue   | G8199143
Ryan Johnson | 857-64-4190 | 5587 0806 2212 0139 | 111 Grant Street      | S3626248
Carrie Young | 761-58-6733 | 5348 9261 0695 2829 | 4513 Cambridge Court  | B0191348
Brent Warner | 604-41-6687 | 4929 4358 7398 4379 | 1984 Middleville Road | G8888767
Anna Berman  | 416-03-4226 | 4556 2525 1285 1830 | 2893 Hamilton Drive   | S9298273

After: Data is protected at source from “field level”

Analysts, Help Desk, DBAs, Malicious User, HR Application, ETL Tool, Payments App and Malware now see the protected table:

Name         | SS#         | Credit Card #       | Street Address        | Customer ID
Kwfdv Cqvzgk | 161-82-1292 | 3712 3488 7865 1001 | 2890 Ykzbpoi Clpppn   | S7202483
Veks Iounrfo | 200-79-7127 | 5587 0876 5467 0139 | 406 Cmxto Osfalu      | B0928254
Pdnme Wntob  | 095-52-8683 | 5348 9212 3456 2829 | 1498 Zejojtbbx Pqkag  | G7265029
Eskfw Gzhqlv | 178-17-8353 | 4929 4356 7432 4379 | 8261 Saicbmeayqw Yotv | G3951257
Jsfk Tbluhm  | 525-25-2125 | 4556 2598 7643 1830 | 8412 Wbbhalhs Ueyzg   | B6625294

Malicious users, malware and DBAs only see protected data: DBAs, Malicious User and Malware get the protected table above and nothing else.

Help desk and payments apps operate on partially protected data: Help Desk and Payments App work from the protected table above.

Authorized applications access real data: Authorized Fraud Analysts and the Authorized HR Application go through HPE SecureData Tools, which turn the protected table above back into the real values:

Name         | SS#
James Potter | 385-12-1292
Ryan Johnson | 857-64-7127
Carrie Young | 761-58-8683
Brent Warner | 604-41-8353
Anna Berman  | 416-03-2125

HPE Application Security

• 84% of breaches target applications

• Applications have become the new perimeter

Traditional application security covers Develop, Test and Deploy; the new SDLC adds Operate:

• Secure Development: Find and fix as developer codes

• Security Testing: Expand testing to web, mobile and cloud applications in production

• Software Security Assurance: Programmatic approach to securing applications at scale

Securing the new SDLC

The number of apps is growing, with increasing platforms and complexity and many delivery models: open source, outsourced, commercial, legacy software, in-house development.

Challenges: procuring secure software, demonstrating compliance, certifying new releases, securing legacy applications, monitoring / protecting production software.

A reactive approach to AppSec is inefficient and expensive

1 Somebody builds insecure software

2 IT deploys the insecure software

3 We are breached or pay to have someone tell us our code is bad

4 We convince & pay the developer to fix it

The Problem: Costs and incidence of attacks are high and growing.

Number of successful attacks per year per company: 50 in 2010, 122 in 2014, a 144% increase in 4 years

Average cost of cyber crime per company: $6.5M in 2010, $12.7M in 2014, a 95% increase in 4 years

The ROI: The cost to remediate rises through the lifecycle (Requirements, Design/Architecture, Coding, Testing, Deployments/Maintenance), from 7X to 15X to 30X.

Comprehensive end-to-end application security

Application Development (Design, Code, Test, Integration & Staging) and IT Operations (Production) are covered by Static analysis (Static Code Analyzer, SCA), Dynamic analysis (WebInspect) and Runtime analysis (App Defender), available on premise or on demand (Fortify on Demand).

Static Application Security Testing: Accurately identify root cause and remediate underlying security flaw

SCA frontend: user input is traced through JSP, Java, XML and T-SQL source; results: SQL injection.

22+ languages: VBScript, HTML, ASP, XML, PL/SQL, Java, C#, .NET, COBOL, PHP, Python, Visual Basic, ABAP, T-SQL, C/C++, Classic ASP, CFML, VB.NET, JavaScript/AJAX, JSP

Proven: Over a decade of successful deployments backed by the largest security research team

• 10 out of 10 of the largest information technology companies

• 9 out of 10 of the largest banks

• 4 out of 5 of the largest pharmaceutical companies

• 3 out of 3 of the largest independent software vendors

• 5 out of 5 of the largest telecommunication companies

Dynamic and Runtime Analysis; Technology Made Simple; Compliance Management; Build Integration; Centralized Program Management

Dynamic Analysis – WebInspect

HPE Security Fortify WebInspect: Dynamic testing in QA or production

Dynamic Analysis Dashboard – HPE Security Fortify SSC: Live dynamic scan visualization (live scan dashboard, live scan statistics, detailed attack table, vulnerabilities found in application, coverage analysis)

HPE Security Fortify Software Security Center: Vulnerability detail (remediation explanation and advice, line of code vulnerability detail, vulnerabilities identified in the scan)

Application testing flexibility: on Demand (HPE Security Fortify on Demand) and on Premise (HPE Security Fortify Software Security Center)


Locations: Texas, UK, Australia, Toronto, Virginia, Costa Rica, Germany, Bulgaria, Malaysia, India

Protect your digital enterprise at scale

Technology, Consulting, Managed Services: application security and network access control (Gartner), data security (Gartner), SIEM (Gartner), managed security services (Forrester); analyst ratings of Leader, Visionary, Leader and Leader; 10 managed global SOCs; 42 business continuity and recovery centers; 5000+ security professionals

Protect your digital enterprise

Accelerate Security