Simplify and Secure Your Hadoop Environment with Hortonworks and Centrify

Satish Veerapuneni, Senior Product Manager, Centrify

Vinod Nair, Senior Manager, Hortonworks

Copyright © 2015 Centrify Corporation. All Rights Reserved.

Upload: hortonworks

Post on 08-Aug-2015


Page 2 © Hortonworks Inc. 2011 – 2015. All Rights Reserved

Hadoop for the Enterprise: Implement a Modern Data Architecture with HDP

Customer Momentum

•  437 customers (end of Q1 2015)

Hortonworks Data Platform
•  Completely open multi-tenant platform for any app & any data.
•  A centralized architecture of consistent enterprise services for resource management, security, operations, and governance.

Partner for Customer Success
•  Open source community leadership focus on enterprise needs
•  Unrivaled world class support

•  Founded in 2011
•  Original 24 architects, developers, operators of Hadoop from Yahoo!
•  650+ Employees
•  1100+ Ecosystem Partners


Hadoop for the Enterprise Hortonworks. We do Hadoop.


Traditional systems under pressure

Challenges
•  Constrains data to app
•  Can’t manage new data
•  Costly to Scale

[Figure: new data (clickstream, geolocation, web data, Internet of Things, docs and emails, server logs) growing from 2.8 zettabytes in 2012 to 40 zettabytes in 2020, alongside traditional data (ERP, CRM, SCM); business value for industry leaders versus laggards.]


Hadoop emerged as foundation of new data architecture

Apache Hadoop is an open source data platform for managing large volumes of high velocity and variety of data

•  Built by Yahoo! to be the heartbeat of its ad & search business
•  Donated to Apache Software Foundation in 2005 with rapid adoption by large web properties & early adopter enterprises
•  Incredibly disruptive to current platform economics

Traditional Hadoop Advantages
✓ Manages new data paradigm
✓ Handles data at scale
✓ Cost effective
✓ Open source

Traditional Hadoop Had Limitations
•  Batch-only architecture
•  Single purpose clusters, specific data sets
•  Difficult to integrate with existing investments
•  Not enterprise-grade

[Figure: traditional Hadoop stack: Application; Batch Processing (MapReduce); Storage (HDFS).]


Security in HDP Making Hadoop Enterprise Ready


Hadoop exacerbates the security challenge

New Security Requirements
•  Provide consistent and granular access control to data for each application on top of Hadoop
•  Enable complete & comprehensive definition and application of policy across all the different access types
•  Must retain privacy and security despite ability to infer knowledge from co-existing & unstructured data

[Figure: data architecture. Sources: existing systems (ERP, CRM, SCM), clickstream, web & social, geolocation, sensor & machine, server logs, unstructured. Platform: HDFS (Hadoop Distributed File System) and YARN: Data Operating System, with batch, interactive, real-time and partner ISV workloads, plus EDW and MPP. Analytics: data marts, applications, business analytics, visualization & dashboards.]


HDP Security: comprehensive, complete and simple

Security in HDP is comprehensive and complete for Hadoop

•  Administration: Central management & consistent security
•  Authentication: Authenticate users and systems
•  Authorization: Provision access to data
•  Audit: Maintain a record of data access
•  Data Protection: Protect data at rest and in motion

•  HDP ensures comprehensive enforcement of security policy across the entire Hadoop stack

•  HDP provides functionality across the complete set of security requirements

•  HDP is the only solution to provide a single simple interface for security policy definition and maintenance


HDP Security: comprehensive, complete and simple

In order to protect any data system you must implement the following

Administration: Central management & consistent security
Only HDP delivers a single administrative console to set policy across the entire cluster
Apache Ranger, Centrify

Authentication: Authenticate users and systems
Integrate with existing AD and LDAP authentication for perimeter and project access
Apache Knox, Native Kerberos, Centrify

Authorization: Provision access to data
Work within all Apache projects to provide consistent authorization controls
Apache Ranger, Centrify

Audit: Maintain a record of data access
Maintain a record of events across all components that is consistent and accessible
Apache Ranger, Centrify

Data Protection: Protect data at rest and in motion
Wire and storage encryption in Hadoop. Refer to partner encryption solutions for more advanced needs
HDFS, Partner Encryption

Centrify IAM for Hadoop

Agenda

•  Introduction
•  IAM Challenges
•  Centrify Solution
•  Demo
•  Case Study


Centrify: Unified Identity Management

[Figure: Active Directory and the Centrify software and cloud service unifying identities (ID) across cloud (IaaS & PaaS), cloud (SaaS), mobile, data center servers, data center apps, and desktops.]


Centrify: Summary

Addressing two major IT challenges: the shift to cloud and mobile and security as the perimeter dissolves

Unique portfolio that unifies identity across cloud, mobile and data center — for end users and privileged users

11 year enterprise security company with over 450 personnel, global sales and support

Trusted technology with 5,000+ customers – ~50% of Fortune 50 –  and 97% retention rate

Strategic alliances with Microsoft, Apple, AVG and Samsung; 250+ reseller partners


Our largest customers are using Centrify IAM for Hadoop

Industries: Automotive & Energy; Technology & Telecom; Retail & Internet; Banking & Finance; Pharma & Health; Defense & Government

•  3 Pharma Companies
•  2 Energy Companies
•  14 Worldwide Telcos & Technology
•  4 U.S. Retailers
•  2 Major U.S. Federal Agencies
•  15 Financial Services Companies

IAM Challenges


1. Leverage Existing Identity Infrastructure

•  Most Enterprises have Active Directory and want to leverage it for Hadoop Deployments
•  Hadoop has rapidly evolving Applications, Enterprises want a consistent IAM mechanism across all the Applications


2. Regulatory compliance

Hadoop concentrates data from across the business, making it a high value target

Most will be required to meet one or more regulations
•  PCI-DSS
•  Sarbanes Oxley
•  HIPAA
•  FISMA
•  FERC NERC
•  Monetary Authority of Singapore


3. IT Management

•  IT staff should have access to manage Hadoop clusters in Production
•  IT requires privileges to manage Hadoop
•  IT doesn’t need access to the data (PCI DSS)

Centrify IAM for Big Data


Centrify IAM for Hadoop

1.  AD-based IAM for Hadoop environments

2.  Role-based privilege management

3.  Session auditing for regulatory compliance

Securing & simplifying Hadoop by using enterprise-grade identity & access management


1. AD-based IAM for Hadoop environments

•  Integrate Hadoop into enterprise-grade AD
•  Simplify AD integration for multiple Hadoop clusters
•  Give IT and end users a single Active Directory login
•  SSO user access via Kerberized SSH, Web
•  SSO for other Applications – via Standards Based PAM/NSS, LDAP, SAML, Kerberos or Plugins

[Figure: access to Production/Departmental Clusters via PuTTY (Kerberized ssh), WinSCP (Kerberized scp), and Browser.]


2. Role-based privilege management

Help Enforce least-privilege for access
•  Centralized role-based privilege management
•  Eliminate use of root privileges for all but break glass scenarios
•  Per command privilege elevation or whitelisted restricted shell
•  Example Roles
   •  Data Scientist – read / write access to their scripts
   •  IT Admins – limited privileges to manage config files and restart services
   •  Hadoop Admins – grants privileges of ambari, hdfs account

[Figure: Privileged Access Security alongside Network Monitoring and Perimeter Firewall, covering root, local root and Oracle domain accounts on data center servers, cloud (IaaS & PaaS), and desktops.]


3. Session auditing for regulatory compliance

Fully audited user access to Hadoop clusters
•  Satisfies regulatory mandates including PCI, HIPAA & SOX
•  Record user session activity
•  Centralized audit stores for session recordings
•  Ensure accountability through correlated activity across the cluster

[Figure: Privileged Access Security alongside Network Monitoring and Perimeter Firewall; Report and Reply of Privileged Sessions on data center servers.]


Hortonworks and Centrify – Better Together

Access
•  PROVIDES
   •  Integration w/ LDAP
   •  Kerberises Service Accounts
   •  Simple Management per Cluster
•  EXTENDS
   •  LDAP to Complex AD Environments
   •  Kerberos for User Access
   •  Delegated Management for Multiple Clusters

Auth
•  PROVIDES
   •  Data Level Access Control
   •  LDAP lookup for Users / Groups
•  EXTENDS
   •  Role-based Access Controls to OS
   •  LDAP to Complex AD Environments

Audit
•  PROVIDES
   •  Captures all Activity inside Hadoop
•  EXTENDS
   •  Session Monitoring and Recording at OS Level

Demo

Centrify IAM for Big Data Customer Case Study

Problem
•  Require secure access to Hadoop & AD is the company standard for user identity management
•  Compliance required for SOX
•  Privileged access visibility is required for regulatory compliance

Solution
•  Centrify Server Suite (CSS): Enterprise Edition
•  Integrates Hadoop into AD for identity, access and privilege management
•  Least privilege access to sensitive data & session recording

Benefit
•  Leveraged existing investment, tools, process and skillsets with Active Directory
•  Addressed SOX compliance requirements
•  Improved visibility of access, entitlements and activity


Resources & Next Steps

More info
http://www.centrify.com/solutions/data-center/big-data-security/
http://www.centrify.com/products/centrify-server-suite.asp

Request a trial
http://www.centrify.com/free-trial

Chalktalks, webinars, whitepapers and collateral
http://www.centrify.com/resources


Thank You


Cautionary Statement Regarding Forward-Looking Statements

This presentation contains forward-looking statements involving risks and uncertainties. Such forward-looking statements in this presentation generally relate to future events, our ability to increase the number of support subscription customers, the growth in usage of the Hadoop framework, our ability to innovate and develop the various open source projects that will enhance the capabilities of the Hortonworks Data Platform, anticipated customer benefits and general business outlook. In some cases, you can identify forward-looking statements because they contain words such as “may,” “will,” “should,” “expects,” “plans,” “anticipates,” “could,” “intends,” “target,” “projects,” “contemplates,” “believes,” “estimates,” “predicts,” “potential” or “continue” or similar terms or expressions that concern our expectations, strategy, plans or intentions. You should not rely upon forward-looking statements as predictions of future events. We have based the forward-looking statements contained in this presentation primarily on our current expectations and projections about future events and trends that we believe may affect our business, financial condition and prospects. We cannot assure you that the results, events and circumstances reflected in the forward-looking statements will be achieved or occur, and actual results, events, or circumstances could differ materially from those described in the forward-looking statements. The forward-looking statements made in this prospectus relate only to events as of the date on which the statements are made and we undertake no obligation to update any of the information in this presentation.

Trademarks

Hortonworks is a trademark of Hortonworks, Inc. in the United States and other jurisdictions. Other names used herein may be trademarks of their respective owners.