
SECURE BUSINESS EXECUTION

Ron Miles
Tony Ward
Dejan Lozanovic

25 January 2017

COMPANY CONFIDENTIAL
Data is the biggest Asset

It is also the biggest Vulnerability

2016 Dataguise, Inc. Confidential and Proprietary 2


SENSITIVE DATA SECURITY IS A BIG ISSUE

16%: Only 16% of the respondents believe they know where all sensitive structured data is located.

79%: 79% said that not knowing where the organization's sensitive information is represents a significant security risk.

51%: 51% believe that securing and/or protecting data is a high priority in their organizations.

Source: Ponemon.org 2015

DATAGUISE DgSECURE
Seamless Integration with Hadoop, Databases or File System

Proactively Discover Sensitive Data and Secure it with Appropriate Remediation Policies with Actionable Compliance Intelligence

SUPPORTING THE DATA GOVERNANCE PROCESS

SECURE BUSINESS EXECUTION
Dataguise enables monetization of your company's Data Assets
1. Identify the location of sensitive assets across ALL repositories
2. Protect those assets with precise and pinpoint accuracy
3. Open up access to data now that sensitive elements are protected
4. Enable employees, trusted partners and customers to make data-driven decisions on behalf of the company
5. Only vendor enabling Lower Risks and Increased Value

RISKS: BREACH, SECURITY, COMPLIANCE
VALUE: REVENUE, DATA DRIVEN DECISIONS, BUSINESS INTELLIGENCE


TRUSTED BY THE WORLD'S LARGEST BRANDS - 50 BILLION DATA RECORDS UNDER PROTECTION - 100% Revenue Growth

Key Partnerships


Dataguise: One Solution for All Sensitive Data

Data Discovery & Data Protection

CENTRALLY MANAGED & VIEWED

Or On Premise

HADOOP, DBMS, File Systems

Big Data Protective Intelligence
Data-centric security is the preferred Hadoop security strategy for customers seeking the strongest data protection in Hadoop

You CAN'T encrypt or mask what you don't know

How discovery anchors a data-centric approach

Automated Coverage for Fast Changing Hadoop

RC/ORC/HIVE, Avro & Sequence, Spark & Kafka, Oozie & Falcon, Ranger & Knox, Sentry & Navigator, MapR ACE & Auth plugins, Mesos and Drill, Elastic Search and NoSQL

GDPR - General Data Protection Regulation

GDPR (Regulation (EU) 2016/679) is a Regulation by which the European Commission intends to strengthen and unify data protection for individuals within the European Union (EU). It addresses export of personal data outside the EU.

The proposed new EU data protection regime extends the scope of the EU data protection law to all foreign companies processing data of EU residents. It provides for a harmonization of the data protection regulations throughout the EU, thereby making it easier for non-European companies to comply with these regulations.

The Commission's primary objectives for the GDPR are to give citizens back the control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. When the GDPR takes effect it will replace the Data Protection Directive (officially Directive 95/46/EC) from 1995.

What's Happening in Data

Discovery is now critical for protecting sensitive data

Any structured/delimited file (csv, etc.)
RC Files (compressed / uncompressed)
ORC Files (compressed / uncompressed)
TXT Files
SEQ Files
AVRO Files
Log Files
XML Files
JSON Files
Parquet Files

What's Happening in Hadoop Data Today

[Diagram: data feeds land in HDFS and flow on to Hive tables, batch processing, a processing framework (Spark / Storm), analytics (Hive / Pig / SQL), BI & reporting tools and apps (R / Python / Scala / Java). Sample records (customer ID, name, address, credit card number and expiry, doctor notes, credit rating) appear in clear text at every stage.]


DATA DETECTION: Complex Data Discovery

SENSITIVE DATA DISCOVERY FOR COMPLEX ENVIRONMENTS

DISCOVERY FOR:

Data at Rest: Hadoop (HDFS); DBMS 10 platforms; Teradata; Files; SharePoint
Data in Motion: Flume (into HDFS); FTP (into HDFS or between file systems); Sqoop (into HDFS); Kafka (Q4 2016)

Patterns in Strings: Digit Patterns: 4451 3340 0023 1200 8/16; B7127157 Expires 04-19-15
Patterns in Grammar: April Thomson vs 1240 April Ave vs 12 April
Patterns in Context: Other data elements in horizontal or vertical vicinity
Patterns in Knowledge: Ontologies HL7 Encoding, Financial Market Data
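
The three pattern kinds on this slide (strings, grammar, context) can be sketched in a few lines. This is an added example, not Dataguise code: the regexes, the street-suffix list, the 12-character window and the HIGH/LOW rating are all assumptions, and the sample lines are constructed from the slide's own illustrations.

```python
import re

# Constructed sample lines built from the slide's own illustrations.
SAMPLE = [
    "CC 4451 3340 0023 1200 EXP 8/16",
    "order ref 4451 3340 0023 1200 shipped",
    "Contact: April Thomson",
    "Ship to 1240 April Ave",
    "Due 12 April",
]

CARD = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")            # pattern in strings
EXPIRY = re.compile(r"\b(?:0?[1-9]|1[0-2])[/-]\d{2,4}\b")   # MM/YY style date
STREET = r"(?:Ave|Avenue|St|Street|Rd|Road|Dr|Drive)"       # assumed suffix list

def classify_token(line, token="April"):
    """Pattern in grammar: label an ambiguous word from its neighbours."""
    t = re.escape(token)
    if re.search(rf"\b\d+\s+{t}\s+{STREET}\b", line):
        return "ADDRESS"                 # house number + token + street suffix
    if re.search(rf"\b\d{{1,2}}\s+{t}\b|\b{t}\s+\d{{1,2}}\b", line):
        return "DATE"                    # day number next to the token
    if re.search(rf"\b{t}\s+[A-Z][a-z]+\b", line):
        return "NAME"                    # token followed by a capitalised word
    return None

def find_cards(line, window=12):
    """Pattern in strings plus context: a 16-digit run is rated HIGH only
    when an expiry-like date sits within `window` characters of it."""
    hits = []
    for m in CARD.finditer(line):
        # Look left and right of the match, excluding the digits themselves.
        vicinity = (line[max(0, m.start() - window):m.start()] + " "
                    + line[m.end():m.end() + window])
        rating = "HIGH" if EXPIRY.search(vicinity) else "LOW"
        hits.append((m.group(), rating))
    return hits

if __name__ == "__main__":
    for line in SAMPLE:
        print(line, "->", find_cards(line) or classify_token(line))
```

The same digit run is rated differently in the first two sample lines, which is the point of the context pattern: the neighbouring expiry date, not the digits alone, separates a card number from an order reference.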

Dataguise DgSecure PreBuilt Policies PII / PCI / HIPAA / GDPR
Seamless Integration with Hadoop, Databases or File System

Dataguise Discovery Task
Seamless Integration with Hadoop, Databases or File System

Dataguise Discovery Task Results

Hadoop Today with DgSecure (Masking)

[Diagram: the same data flow (data feeds, HDFS, Hive tables, batch processing, processing framework, analytics, BI & reporting tools, apps) with masking applied. The data feeds carry the original records; in HDFS and everything downstream each sensitive value appears as a realistic substitute, for example 9351SD878 becomes 9351SXXXX, Steve Johnson becomes John Smith, and 95 Dean Street, Norwood, MA 02062 becomes 25 Park Drive, Walpole, MA 02081.]


Hadoop Selective Masking
(Cell Level Masking Example)



Hadoop Today with DgSecure (Encryption)

[Diagram: the same data flow with field-level encryption. Sensitive values in HDFS and downstream appear as ciphertext tokens prefixed "Dg!!" (for example, Steve Johnson becomes Dg!!6754 Dg!!4567), while surrounding text such as "MA" or "Cancer" stays readable. Some downstream views show the clear values again, under the label "Individual Field Decryption by USERID".]


Hadoop Selective Encryption
(Cell Level Encryption Example)



Structured Encryption: Row/Cell Level



Structured Encryption: FPE Row/Cell Level



ACL-Based Decryption of the data through beeline queries

User WITHOUT decryption allowed on Names or SSN

ACL-Based Decryption of the data through hive queries

User WITH decryption allowed on Names & SSN


DgSecure Dynamic Decryption Flow

User Code (Hive Query, Pig Program, Java Map-Reduce)
1. User initializes Decrypter library
2. User calls DgDecrypter Function explicitly (Hive - UDF, Pig - UDF) or implicitly (Java - Formatter, Hive Loader Function)
3. User code gets back values from DgDecrypter based on ACL.

DgSecure Decrypter.jar
1. Initialization reads in Properties file, and ACL for User from appropriate source
2. Decryption call received from user code.
3. Function executes decryption on field based on ACL.

ACL read in from HDFS or Controller based on setting in Properties file (ACL in HDFS OR ACL in DgSecure Controller).

Properties File (ACL Location, Keystore Details)

KMIP Compliant Keystore


Access is Different:
The Democratization of Data

DAP Database Audit and Protection


DgSecure Architecture

Step 3: Encryption or Masking Directory Management

[Diagram: Assess / Discover / Protect workflow, Protect step. Masking / Encryption: define directory tree COPY location. The Production tree HR (A, B, C1, C2, D1, E1, F1) is copied with the same structure to HR_MASKED (Test / Dev) and HR_ENCRYPT (Production Copy). A second view shows the HR_MASKED and HR_ENCRYPT trees together with ongoing feeds: FTP / Flume / Sqoop.]
DATAGUISE DgSECURE AUDIT
Complete visibility of access and use of an enterprise's sensitive assets

Sensitive Data Element Types

Pick from pre-defined set of sensitive data policies (PII, PCI, HIPAA, PHI etc.)
Augment with additional user-defined custom policies

Complete audit trail of all use activity

DgSecure Monitor

Rapid Breach Detection

Precisely focused on monitoring sensitive data
o Where is the sensitive content & how much (density)
o How is it protected
o What data is accessed
o Who is accessing it
Across all enterprise repositories
o Hadoop and Cassandra
o Cloud Support (S3 and Blob)
Continuous, near-real-time anomaly behavior detection
o Using machine learning to build user profile
o Complex Event Processing to detect breach
Out of the box templates


Dataguise DgSecure Monitor

Why DgSecure Monitor
Alerting and Monitoring solutions today have no knowledge of sensitivity of data
Dataguise Discovery can detect sensitive data within files and directories
Combining Discovery with Alerting & Monitoring
o Discovery provides sensitivity of files and directories
o Alerting and Monitoring on Hadoop events
o Combining ONLY alerting and Monitoring on sensitive files and directories is extremely powerful
o Focused and actionable alerts


Dataguise DgSecure Monitor - Flow

Generate Alerts on Sensitive Data breach

[Diagram: users generate events on the Hadoop cluster (List, Copy, Execute, Delete, Update); a Log Appender passes them to the DgSecure Monitor Engine, which uses DG Metadata (Dataguise discovery results and Alert Policies) to raise alerts on the DgSecure Alert Dashboard.]
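
The idea behind the Monitor slides, alerting only on events that touch data discovery has already flagged, can be shown as a join between discovery results and audit events. This is an added example, not DgSecure code: the discovery dictionary, the watched command set and the alert fields are assumptions, and the log lines are constructed in the layout of HDFS NameNode audit log entries.

```python
# Constructed discovery results: directory -> sensitive element counts (density).
DISCOVERY = {
    "/data/hr": {"SSN": 1200, "NAME": 1200},
    "/data/cards": {"CREDIT_CARD": 50000},
}
# Audit commands worth alerting on (list, read, write, move, delete); assumed set.
WATCHED = {"listStatus", "open", "create", "rename", "delete"}

# Constructed events laid out like HDFS NameNode audit log lines (tab-separated).
PREFIX = "2016-11-02 10:15:01,123 INFO FSNamesystem.audit: "
AUDIT_LOG = [
    PREFIX + "allowed=true\tugi=alice (auth:SIMPLE)\tip=/10.0.0.5\tcmd=open\tsrc=/data/hr/payroll.csv\tdst=null",
    PREFIX + "allowed=true\tugi=bob (auth:SIMPLE)\tip=/10.0.0.6\tcmd=listStatus\tsrc=/tmp/scratch\tdst=null",
    PREFIX + "allowed=false\tugi=carol (auth:SIMPLE)\tip=/10.0.0.7\tcmd=delete\tsrc=/data/cards/2016/b1\tdst=null",
    PREFIX + "allowed=true\tugi=dave (auth:SIMPLE)\tip=/10.0.0.8\tcmd=open\tsrc=/data/hrx/notes.txt\tdst=null",
]

def parse(line):
    """Split one audit line into its key=value fields."""
    body = line.partition("FSNamesystem.audit: ")[2]
    ev = dict(kv.split("=", 1) for kv in body.split("\t") if "=" in kv)
    ev["user"] = ev.get("ugi", "").split(" ")[0]
    return ev

def sensitive_dir(path):
    """Longest discovered directory containing path, or None."""
    for d in sorted(DISCOVERY, key=len, reverse=True):
        # Match on a path boundary so /data/hrx is not taken for /data/hr.
        if path == d or path.startswith(d + "/"):
            return d
    return None

def alerts(lines):
    """Keep only watched events that touch a directory discovery flagged."""
    out = []
    for ev in map(parse, lines):
        if ev.get("cmd") not in WATCHED:
            continue
        hit = sensitive_dir(ev.get("src", "")) or sensitive_dir(ev.get("dst", ""))
        if hit:
            out.append({"user": ev["user"], "cmd": ev["cmd"], "dir": hit,
                        "denied": ev.get("allowed") == "false",
                        "elements": DISCOVERY[hit]})
    return out

if __name__ == "__main__":
    for a in alerts(AUDIT_LOG):
        print(a)
```

Of the four constructed events only two become alerts; the denied delete is kept because a refused attempt on sensitive data is still worth an analyst's attention.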



DgSecure Landing - Dashboard

DgSecure Monitor Alert Rules

DgSecure Monitor - Alerts

DgSecure Monitor - Backend

Alerts

Alert Policy Definition

DgSecure Hive Atlas Ranger Integration

Hive Agent Atlas Ranger


Thank You!
