Sunday, October 09, 2016

New solutions on NonStop to protect your sensitive data - HPE SecureData Enterprise

For the past few decades, HPE Integrity NonStop systems have been the preferred mission-critical computing platform in industries such as financial payments. The key reason is the set of mission-critical computing features that NonStop systems offer and that very few other platforms can match.

With a Massively Parallel Processing (MPP) architecture that provides
- unmatched scalability, and
- an integrated software stack that builds high availability right up to the application layer,

NonStop offers unique benefits that have made it a platform of choice for the industry.

The IT systems supporting enterprises in industries such as payments, retail and healthcare hold and manage highly sensitive information: customers’ credit card numbers and personal data such as medical history.

A database containing millions of these customer records is an attractive target for malicious hackers, who try every possible means to steal the data and monetize it in various (and often creative) ways. Their success comes at an enormous cost to the target organization, which ends up paying dearly in regulatory fines, lost business, loss of reputation, customer compensation and so forth.

Various industry and government regulations are already in place, and new ones are in the works, which aim to protect consumers from such breaches and to guide the industry towards solutions and practices that mitigate these risks.

The Payment Card Industry Data Security Standard (PCI DSS) and the General Data Protection Regulation (GDPR) are examples, but there are many others in different geographies and industries. The regulations are fairly comprehensive and cover all aspects of protecting sensitive data. It’s rather difficult to explain these regulations in a few lines, but the overall philosophy is to:

• Protect the computing environment from external and internal attacks
• Protect the data throughout its life (at creation, as it traverses from one node to another, as it’s processed, and on media - whether live or archived)
• Implement strong authentication and access control measures
• Ensure adequate logging mechanisms to enable forensic analysis in case of a breach
• Document and enforce practices and policies; educate employees

Given the importance of data protection, NonStop has been offering security solutions for many years in order to enable you to meet these stringent security requirements using standards-based cryptography.

Beginning in early 2016, the HPE NonStop Enterprise Division (NED) launched several new products that aim to provide additional, modern data protection solutions to NonStop customers. These are essentially two product suites:

• HPE SecureData Enterprise
• HPE SecureData companion products for NonStop

HPE SecureData Enterprise

HPE SecureData Enterprise is a unique, end-to-end data protection platform used by enterprises in a variety of environments. The product is offered by the Data Security business unit of the HPE Software group, formed by merging the erstwhile Atalla products group with Voltage Inc., which HPE acquired in early 2015.

The NonStop Enterprise Division (NED) and the HPE Data Security group have teamed up to offer HPE SecureData Enterprise to NonStop customers. In traditional data protection methods, customers employ different techniques for the different environments that the data passes through.

Examples are user access control, file encryption, TLS or SSH protocols for data in transit, disk/volume encryption for secondary storage etc.

Each of these may involve separate cryptography, handshakes and key protection, and the data may be in the clear between the stages. Overall, this is a piecemeal approach and not the best protection for your data.

HPE SecureData Enterprise approaches this topic from the perspective of data-centric security, which comprehensively protects the sensitive data in an enterprise. In the data-centric approach, the sensitive data is protected right where it is created, as it traverses the network, while it is processed or stored on different nodes, when it is used in analytics and when it is archived. At every stage the data is in encrypted or tokenized form, so that even after a successful breach the data is unusable to the attacker.

Figure 1 below compares the data-centric security offered by HPE SecureData to the traditional methods of data protection.

Three key technology elements are at the core of this solution:
  1. HPE Format Preserving Encryption (FPE),
  2. HPE Secure Stateless Tokenization (SST), and
  3. HPE Secure Stateless Key Management.

1) HPE FPE is a technology used to encrypt data without changing its original format. While it provides the same encryption strength as traditional encryption technologies, the key advantage of FPE is that, because it preserves the data format through the encryption process,

- the database which stores the data and
- the applications which process it do not need to be modified, and
- the majority of applications and processes operate on the data in its protected form; no decryption is necessary for use.

This drastically reduces the cost and complexity of transforming an existing solution from unprotected to protected form, and reduces the exposure of sensitive data to attack.
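As an added illustration of the format-preserving property described above (example code written for this post, not HPE's FPE implementation and not NIST FF1): a small Feistel construction over decimal digit strings that uses HMAC-SHA256 as the round function and a constructed demo key. It shows why a field sized for a 16-digit PAN needs no schema change to hold the protected value, and that decryption inverts encryption exactly.

```python
import hashlib
import hmac

# Illustrative format-preserving encryption (assumed construction, not HPE FPE
# and not NIST FF1): an unbalanced Feistel network over decimal digit strings
# with HMAC-SHA256 as the round function. Ciphertext keeps the plaintext's
# length and digit alphabet, so a column sized for a PAN accepts it unchanged.

ROUNDS = 10  # an even count leaves the two halves in their original widths
# Constructed demo key; a deployment would obtain keys from its key server.
DEMO_KEY = hashlib.sha256(b"constructed demo key").digest()

def _prf(key: bytes, round_no: int, half: str, width: int) -> int:
    """Round function: HMAC over (round number, other half), reduced mod 10**width."""
    mac = hmac.new(key, bytes([round_no]) + half.encode("ascii"), hashlib.sha256)
    return int.from_bytes(mac.digest(), "big") % (10 ** width)

def _check(digits: str) -> None:
    if len(digits) < 2 or not digits.isdigit():
        raise ValueError("expects a decimal digit string of at least two digits")

def fpe_encrypt(key: bytes, digits: str) -> str:
    """Encrypt a digit string; the result is a digit string of the same length."""
    _check(digits)
    u = len(digits) // 2
    a, b = digits[:u], digits[u:]
    for i in range(ROUNDS):
        m = len(a)  # width of the half being replaced this round
        c = (int(a) + _prf(key, i, b, m)) % (10 ** m)
        a, b = b, str(c).zfill(m)
    return a + b

def fpe_decrypt(key: bytes, digits: str) -> str:
    """Invert fpe_encrypt by running the Feistel rounds in reverse order."""
    _check(digits)
    u = len(digits) // 2
    a, b = digits[:u], digits[u:]
    for i in reversed(range(ROUNDS)):
        m = len(b)  # width of the half being recovered this round
        c = (int(b) - _prf(key, i, a, m)) % (10 ** m)
        a, b = str(c).zfill(m), a
    return a + b

def same_format(plain: str, protected: str) -> bool:
    """Schema-compatibility check: same length, digits only."""
    return len(plain) == len(protected) and protected.isdigit()
```

The sample PAN used in the test is the well-known constructed test number 4111111111111111; an odd-length input exercises the unequal half widths.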

2) HPE SST is a related technology available in HPE SecureData, and is used to protect sensitive data elements in a file or a database by replacing them with tokens.

- HPE SST is recommended for use with Primary Account Numbers (PANs) used in payment cards.

In this solution, a token table consisting of a static, pre-generated table of random numbers, created using a FIPS-validated random number generator, resides on the platform.

A PAN, the data to be tokenized, maps uniquely to a token in that table, but the token has no mathematical relationship to the PAN. That token is stored in the system (in files and databases) in place of the PAN (the plain data), which is now said to be "tokenized".

Only trusted applications are allowed to detokenize and recover the original PAN. In contrast to traditional tokenization technologies, where a separate “token vault” is maintained, the HPE SecureData solution has no token vault and hence none of the cost or management complexity associated with one, and no database or vault to be targeted in a cyber-attack. Because the system does not store plaintext data in any form, it is outside the scope of a PCI audit, which greatly reduces the cost of PCI compliance. Moreover, token vaults grow with the amount of customer data kept in them, which adds management complexity and challenges in scaling and application performance. An SST-based solution does not have these challenges and hence is highly scalable, typically yielding a strong ROI.

3) HPE Secure Stateless Key Management simplifies the key management needs of the HPE FPE solution through another landmark innovation: it securely derives the key on the fly, greatly reducing the cost and complexity of key management. It can authenticate key requests using industry-standard identity and access management infrastructure such as LDAP or Active Directory.

HPE SecureData Enterprise provides a comprehensive data security solution across a cross-section of computing platforms commonly used in the industry. It is supported on traditional *NIX environments, IBM mainframes, HPE NonStop, open systems, cloud, mobile and Big Data environments such as Vertica, Hadoop and Teradata. This breadth of support lets you standardize on a single solution for the data protection needs across your enterprise, which may use one or more of these platforms. Apart from protecting the data, HPE SecureData gives you immense benefits in managing the cost and complexity of the solution and eliminating security weaknesses in the enterprise.
