Interview: Reiner Kappenberger, HP Security Voltage on Data-Centric Security for Big Data

We discuss the HP Security Voltage growth story, the HP acquisition, the state of current security standards, and the need for “data-centric” security.

Twitter Handle: @hey_anmol

Reiner Kappenberger is Global Product Manager for HP Security Voltage. Reiner has over 20 years of computer software industry experience focusing on encryption and security for big data environments.

His background ranges from device management in the telecommunications sector to GIS and database systems. He holds a Diploma from the FH Regensburg, Germany in computer science.

Here is my interview with him:

Anmol Rajpurohit: Q1. What does HP Security Voltage do? How and when did the focus shift from email security to data security?

Reiner Kappenberger: We provide data-centric security and stateless key management solutions that help organizations combat new security threats and address compliance by protecting structured and unstructured data as it is used across data centers, public and private clouds and mobile devices.

We were founded in 2002 with the vision of commercializing identity-based encryption (IBE), and that’s how HP SecureMail (then called Voltage SecureMail) came about. Email was, and of course still is, a highly exploitable source of sensitive data, and SecureMail grew to be one of the world’s most popular email encryption solutions.

Since then, we’ve listened to customers and “followed the data” if you will, across technical platforms like the cloud and Hadoop, and across vertical applications like mobile and online payments. Healthcare has also been a key area because personal health information (PHI) is increasingly being shared over various platforms. Sensitive data is everywhere and we have a responsibility to protect it.

AR: Q2. Since the recent acquisition by HP, what role does the technology and expertise of HP Security Voltage play in the HP Atalla portfolio?

RK: HP Atalla and HP Security Voltage now combine to protect the world’s most sensitive data. We drive leadership in data-centric security and protect the world’s largest brands. The HP Atalla/HP Security Voltage difference is we have the widest variety of use cases, are well-supported and widely proven. We are standards-based (ANSI, NIST, IEEE, KMIP) and offer a full breadth of platforms.

HP Atalla and HP Security Voltage provide a full umbrella of data protection use cases: PCI compliance/scope reduction, data de-identification and privacy, and collaboration security.

AR: Q3. As a seasoned security expert, how do you evaluate the current security standards defined by organizations such as ANSI, IEEE, IETF, NIST, etc.? How well do these standards address the various aspects of today's security challenges? To what extent are these standards currently implemented across enterprises?

RK: The standards organizations you listed above have focused for a long time on regular encryption problems. NIST in particular is working Format Preserving Encryption (FPE) into those standards. This is important because they are recognizing the need for adding the next generation of encryption as a standard so that companies can operate with a more granular set of encryption that wasn’t available before.

The good news is, the standards have been recognized widely and today almost all companies utilize some form of the existing standards available to them (i.e. SSL).

However, as the threat profile has changed over the last decade, companies are turning to the newer forms such as FPE that are being recognized and help them achieve a broader sense of security that does not interfere with their regular business operations while avoiding the overhead of traditional encryption.

HP Security Voltage solutions reduce the risks associated with theft of sensitive and private information, support privacy guidelines including PCI DSS, HITECH, U.S. Data Breach Disclosure laws and European Data Privacy directives.

AR: Q4. What do you mean by adopting a "data-centric" security approach? How is that different from the traditional approach towards security?

RK: Data exists in three basic ways - at rest, in use, and in motion. Our data-centric approach is in contrast to traditional network-based approaches to security, which haven’t responded directly to the emerging need for data-centric security that neutralizes the effects of a data breach through protection of sensitive data at the field-level.

With data-centric security, sensitive field-level data elements are replaced with usable, but de-identified, equivalents that retain their format, behavior and meaning. This means you modify only the sensitive data elements so they are no longer real values, and thus are no longer sensitive, but they still look like legitimate data.

The format-preserving approach can be used with both structured and semi-structured data. This is also called “end-to-end data protection” and provides an enterprise-wide solution for data protection that extends into Hadoop and beyond the Hadoop environment. This protected form of the data can then be used in subsequent applications, analytic engines, data transfers and data stores.

A major benefit is that a majority of analytics can be performed on de-identified data protected with data-centric techniques–data scientists do not need access to live payment card, protected health or personally identifiable information in order to achieve the needed business insights.

Second part of the interview

Anmol Rajpurohit is a software development intern at Salesforce. He is an MDP Fellow and graduate mentor at UCI-Calit2. He has presented his research work at various conferences including IEEE Big Data 2013. He is currently a graduate student (MS, Computer Science) at UC, Irvine.