Interview: Reiner Kappenberger, HP Security Voltage on Security Checklist for Data Architectures

We discuss securing data-at-rest and data-in-motion, security recommendations for data architectures, trends, advice, and more.

Twitter Handle: @hey_anmol

Reiner Kappenberger
is Global Product Manager for HP Security Voltage. Reiner has over 20 years of computer software industry experience focusing on encryption and security for big data environments.

His background ranges from device management in the telecommunications sector to GIS and database systems. He holds a Diploma from the FH Regensburg, Germany in computer science.

First part of interview

Second part of interview

Here is third and last part of my interview with him:

Anmol Rajpurohit: Q9. How do the Security implications vary for data in-motion vs data at-rest?

Reiner Kappenberger: Many may still think that data at rest encryption solves data privacy problems. The bottom line is that it solves only a fraction of the risk and compliance problem, leaving gaping holes in security that malware will exploit. The majority of today’s data breaches use malware to attack the gaps between storage protection and actual use or transit of the data. There are many instances of major data breaches where data at rest encryption has been in place and the data at rest solutions did nothing to protect the data.

Data at rest encryption protects from theft of data at a server level — at rest, when powered off — not at the application or in transmission, or in use. So if a cloud or enterprise application is executing with data protected at rest, then that same data is typically decrypted at the disk or database layer before it’s presented to the network, up to and into the application running in the cloud or enterprise or Hadoop.

Newer, secure, proven, innovative approaches are being adopted by leading banks, telcos, credit card processors and issuers, healthcare entities, government agencies and even industry regulators: they are all embracing data-centric security. Data-centric security protects the data across its lifecycle — from capture, in motion, at rest, and even in use.

AR: Q10. What approach do you recommend for evaluating the Security aspect of a data architecture?

RK: Market solutions for Hadoop security are beginning to emerge, delivering data masking features that make it possible to obscure sensitive data. But whether you leverage a commercial solution or create a homegrown approach, I suggest the following five steps to identify what needs protecting and apply the right techniques to protect it—before you put Hadoop into production.

  1. First, take an inventory of all the data you intend to store in your Hadoop environment.
  2. Next, perform threat modeling on sensitive data. The goal of threat modeling is to identify the potential vulnerabilities of at-risk data and to know how the data could be used against you if stolen.
  3. Then, identify the business-critical values within sensitive data. It’s no good to make the data secure if the security tactic also neutralizes its business value.
  4. After that, apply tokenization and format-preserving encryption on data as it is ingested. This is particularly suited for Hadoop because these techniques do not produce collisions that would prevent you from analyzing the data.
  5. Lastly, provide data-at-rest encryption throughout the Hadoop cluster. When hard drives age out of the system and need replacing, encryption of data-at-rest means you won’t have to worry about what could be found on a discarded drive once it has left your control. This step is often overlooked because it’s not a standard feature offered by Hadoop vendors.
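The ingestion step above, worked through as an added example; this is not code from the interview or from HP Security Voltage, and it uses an illustrative construction rather than a standardized mode. Steps 3 and 4 of the checklist are shown together: the business-critical part of a card number (the last four digits) is kept in the clear, the remaining digits are encrypted with a format-preserving scheme so the stored value is still a 16-digit string, and a group-by over the protected column gives the same per-card totals as a group-by over the real numbers, because the mapping is a bijection (no collisions). The cipher here is a toy Feistel network over decimal digits with an HMAC-SHA256 round function, chosen so the script runs on the Python standard library; the round count, the demo key, the 16-digit PAN assumption and the sample feed are all assumptions. In production you would use a standardized mode such as NIST FF1 with keys held in a KMS or HSM.

```python
"""Toy format-preserving encryption applied at ingest (added example, not the
interview's or HP Security Voltage's code). Illustrative construction only:
a Feistel network over decimal digits with an HMAC-SHA256 round function.
It is NOT NIST FF1/FF3 and carries no security proof; use a standardized
mode for real data."""
import hashlib
import hmac
import secrets
from collections import Counter

ROUNDS = 10  # Feistel rounds; an assumption for the toy, not a standard parameter


def _round_fn(key: bytes, rnd: int, half: str, width: int) -> int:
    """Keyed pseudo-random function mapping one half to a `width`-digit integer."""
    mac = hmac.new(key, f"{rnd}:{half}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % (10 ** width)


def fpe_encrypt_digits(key: bytes, digits: str) -> str:
    """Encrypt a decimal string to a decimal string of the same length.
    Each round adds a keyed function of one half to the other modulo 10**width,
    which is invertible, so the whole mapping is a bijection: no two distinct
    inputs can map to the same output (no collisions)."""
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("need at least two decimal digits")
    lw = len(digits) // 2
    rw = len(digits) - lw
    left, right = int(digits[:lw]), int(digits[lw:])
    for rnd in range(ROUNDS):
        if rnd % 2 == 0:
            left = (left + _round_fn(key, rnd, f"{right:0{rw}d}", lw)) % 10 ** lw
        else:
            right = (right + _round_fn(key, rnd, f"{left:0{lw}d}", rw)) % 10 ** rw
    return f"{left:0{lw}d}{right:0{rw}d}"


def fpe_decrypt_digits(key: bytes, digits: str) -> str:
    """Inverse of fpe_encrypt_digits: undo the rounds in reverse order."""
    lw = len(digits) // 2
    rw = len(digits) - lw
    left, right = int(digits[:lw]), int(digits[lw:])
    for rnd in reversed(range(ROUNDS)):
        if rnd % 2 == 0:
            left = (left - _round_fn(key, rnd, f"{right:0{rw}d}", lw)) % 10 ** lw
        else:
            right = (right - _round_fn(key, rnd, f"{left:0{lw}d}", rw)) % 10 ** rw
    return f"{left:0{lw}d}{right:0{rw}d}"


def protect_pan(key: bytes, pan: str, keep_last: int = 4) -> str:
    """Encrypt all but the last `keep_last` digits of a 16-digit card number,
    keeping the business-useful tail in the clear (step 3 of the checklist)."""
    if not (pan.isdigit() and len(pan) == 16):
        raise ValueError("expected a 16-digit PAN")
    return fpe_encrypt_digits(key, pan[:-keep_last]) + pan[-keep_last:]


def unprotect_pan(key: bytes, protected: str, keep_last: int = 4) -> str:
    """Recover the original PAN; only the component holding the key can do this."""
    return fpe_decrypt_digits(key, protected[:-keep_last]) + protected[-keep_last:]


# Constructed sample feed (test card numbers, not real ones): (txn id, pan, amount)
SAMPLE_FEED = [
    ("t1", "4111111111111111", 20.00),
    ("t2", "5500000000000004", 5.25),
    ("t3", "4111111111111111", 7.10),
    ("t4", "4111111111111111", 12.00),
    ("t5", "5500000000000004", 3.00),
]


def ingest(key: bytes, feed):
    """Replace the PAN with its protected form before the record lands in the cluster."""
    return [(tid, protect_pan(key, pan), amount) for tid, pan, amount in feed]


def spend_per_card(records):
    """Group-by over whatever card column the records carry (clear or protected)."""
    totals = Counter()
    for _, card, amount in records:
        totals[card] += amount
    return totals


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # demo key; in practice fetched from a KMS/HSM
    protected = ingest(key, SAMPLE_FEED)
    for row in protected:
        print(row)  # 16-digit values, last four digits unchanged, rest encrypted
    # The analytics job never sees a real PAN, yet the per-card totals match.
    print(sorted(spend_per_card(protected).values()))
    print(sorted(spend_per_card(SAMPLE_FEED).values()))
```

The point of the demo is the last two lines: the job running on the cluster holds only the protected column and the key never leaves the ingestion component, yet counts, sums and joins on the card key still work because the mapping is deterministic and collision-free. Note that the toy does not preserve a Luhn check digit, so a protected PAN may fail a checksum validator downstream; standardized FPE products typically handle that.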

AR: Q11. What is the best advice you have got in your career?

RK: The best advice I ever got was to never give up. Oftentimes there are challenges in what we do and people frequently come back with “this cannot be done”. One has to find a way to help others understand that there is a different approach possible.

AR: Q12. What changes do you expect in the Data Security arena over the next 2-3 years?

RK: The growth of data is not stopping; in fact as new technologies such as Internet of Things continue to grow, we can expect the huge explosion of data to continue. And, along with that is the growth in sensitive data – data that must be protected by enterprises while they continue to execute their business processes. All of this data presents opportunity for analytics and so we expect the continued accelerated use of Hadoop and Big Data technologies. At the same time, data thieves will continue to grow more sophisticated as the value of sensitive data on the black market increases.

Additionally the movement of applications into the cloud is creating additional challenges for companies as they must give their data to other companies and hope it is correctly protected. The ability to still control the real data vs. the de-identified data will drive additional changes in organizations and how they view data security.

AR: Q13. What key qualities do you look for when interviewing for Data Security related positions on your team?

RK: Product Management is a role where one carries the responsibilities for many activities in the organization but has no control over the delivery itself. So the ability to influence others is important. For good product management to be successful it is good to have worked in a similar product environment, yet less important to have the same product experience.

AR: Q14. On a personal note, we are curious to know what keeps you busy when you are away from work?

RK: For me, it is enjoying the great outdoors, where we usually hike and kayak as much as possible. Viewing and enjoying the scenery from mountains, desert and ocean is something my family enjoys as much as possible, driving in our RV with our dog.