WIXLIB

WHITE PAPERHow Identity ManagementSolves Five HadoopSecurity RisksWWW.CENTRIFY.COM

How Identity Management Solves Five Hadoop Security RisksContentsExecutive Summary3With Big Data Comes Big Responsibility4Five Key Security Risks Associated with Hadoop—and How to Avoid Them7The Centrify Solution10Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unlessotherwise noted, the example companies, organizations, products, domain names, email addresses, logos, people, places andevents depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address,logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility ofthe user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into aretrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or forany purpose, without the express written permission of Centrify Corporation. Centrify may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in anywritten license agreement from Centrify, the furnishing of this document does not give you any license to these patents, trademarks,copyrights, or other intellectual property.Centrify, DirectControl and DirectAudit are registered trademarks and Centrify Suite, DirectAuthorize, DirectSecure and DirectManage are trademarks of Centrify Corporation in the United States and/or other countries. Microsoft, Active Directory, Windows,Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United Statesand/or other countries.The names of actual companies and products mentioned herein may be the trademarks of their respective owners.2 2015 CENTRIFY CORPORATION. ALL RIGHTS RESERVEDWWW.CENTRIFY.COM

WHITE PAPERExecutive SummaryThe growth of big data over the last several years has been explosive and the rapid adoptionof big data solutions will continue through the foreseeable future. This shouldn’t come as asurprise considering the value proposition of enabling organizations to analyze their mostimportant data. Hadoop is the most significant technology in this big data revolution, andorganizations adopting Hadoop stand to reap great rewards. Retail companies, for example,can benefit from this deep analysis of data to personalize every customer experience,anticipate outcomes, and assist in targeting the right prospect with the right offer at theright time.The benefits of deploying Hadoop are significant, but with any infrastructure that stores anorganization’s most valuable data, it’s essential that businesses are aware of the potentialsecurity risks and take adequate steps to address them. And the first step is to implementeffective identity management.3 2015 CENTRIFY CORPORATION. ALL RIGHTS RESERVEDWWW.CENTRIFY.COM

How Identity Management Solves Five Hadoop Security RisksWith Big Data ComesBig ResponsibilityA September, 2014 HarvardBusiness Review article titled“The Danger from Within” estimatedThe ever-increasing amount of personal customer information and critical corporate datameans cyber attacks—both from within and outside the organization—can cause significantlymore damage than ever before.that over 80 million insider cyberAccording to the Ponemon Institute, the average cost of cyber crime for U.S. retail storesattacks take place in the US everydoubled in 2014 to an annual average of 8.6 million per company. For financial services andyear, equating to costs in the tens oftechnology companies, costs increased to 14.5 million and 20.8 million, respectively.billions of dollars.Whether on purpose or by accident, insiders are probably the weakest link in your organization,and the most likely culprit in any scenario that ends in data loss. In fact, many of today’s mosthigh-profile breaches—while engineered by outsiders—are launched using the credentials ofan insider. In the era of big data, securing information and the technologies that process it hasnever been more critical.Hadoop TechnologyAs web data has exploded and grown beyond the ability of traditional systems to process it,Hadoop has emerged as the de facto standard for storing, processing and analyzing hundredsof terabytes of big data.In its report on the Hadoop Market, Allied Market Research forecasts that the global Hadoopmarket will grow at a compound annual growth rate of 58.2% between 2013 and 2020. Globalmarket revenue, estimated at 2.0 billion in 2013, is predicted to grow to 50.2 billion by 2020.OverviewDFS Block 1Datadata data data datadata data data datadata data data datadata data data datadata data data datadata data data datadata data data datadata data data dataDFS Block 1DFS Block 1MapDFS Block 2DFS Block 2MapReduceDFS Block 2Resultsdata data data datadata data data datadata data data datadata data data datadata data data datadata data data datadata data data datadata data data dataMapDFS Block 3DFS Block 3image courtesy of Apache Software Foundation4 2015 CENTRIFY CORPORATION. ALL RIGHTS RESERVEDWWW.CENTRIFY.COM

WHITE PAPERHadoop enables distributed parallel processing of huge amounts of data across inexpensive,industry-standard servers that also store the data, and can scale without limits. No data is toobig for Hadoop. And in an environment where more data is created every day, Hadoop enablesorganizations to derive significant, meaningful value out of once unusable information.The Hadoop environment is essentially a distributed database with a built-in computationalcluster used to analyze data that came from many different sources, most often in search ofpatterns of behavior or risk. It can be used to tackle any number of big data business needsacross a variety of industries including financial services, retail, national security, entertainmentand many more.The rapidly growing popularity of Hadoop speaks volumes to the value it delivers organizations.But high-value data carries a high-risk potential. Today, big data is a prime target for securitybreaches because of the large volumes of valuable information it encompasses—including PII,PCI, HIPAA and other federally regulated data.Hadoop Brings Significant Benefits, but ImplementationMust be StrategicHadoop environments have typically been set up by business analysts or developers as amechanism to respond to questions posed by individual departments. Because it was originallydesigned for use on a private network by a limited number of designated users, security wasnot a primary consideration.Developers have since enhanced the technology with components that allow it to be deployedin secure mode—incorporating Kerberos to authenticate from one node to the next, andencryption for data transport between nodes.But enterprise-wide adoption still requires a strategic and adequately cautious approach:Organizations must configure Hadoop in secure mode before it enters production. Bydefault, Hadoop runs in non-secure mode, and while businesses can set up an MIT Kerberosenvironment to ensure that each user and service is authenticated, implementing thissystem is typically a time-consuming, multi-step process that’s prone to error. Moreover, itcreates a parallel identity infrastructure, redundant to most organizations’ Active Directoryenvironments—which already provide Kerberos authentication capabilities.Organizations must strictly control user access. Granting the right users access to thenodes in the cluster requires identity and access management. But many Hadoop adminsare unfamiliar with centrally managing user accounts and their access to the cluster. Andcentralized access management is essential. Many organizations have hundreds or thousandsof nodes inside multiple Hadoop clusters that, when managed manually, would require a useraccount to be set up on each individual node.And that’s not a one-time exercise—the Hadoop ecosystem is constantly changing as newapplications, interfaces and analysis engines become available, each with new and differentmethods of user access. Management becomes even more complex when corporate andregulatory security requirements dictate that authentication and access controls must beconsistently applied to each new interface.5 2015 CENTRIFY CORPORATION. ALL RIGHTS RESERVEDWWW.CENTRIFY.COM

How Identity Management Solves Five Hadoop Security RisksOrganizations must control administrative privileges within the cluster. In order tosecurely move to production, IT must centralize controls over privileged user access. AssigningIT admins specific privileges across the cluster allows local root accounts to be locked down.In order to protect the jobs submitted by users and client applications, as well as the datathey access, security staff must have verifiable control over IT staff access to and privileges formanaging clusters. But such control and visibility is a challenge and businesses remain hardpressed to find a simple way to manage these privileges across the distributed Hadoop cluster.Securing Hadoop With YourCurrent Identity Management InfrastructureSecurity-adept organizations are leveraging their existing Active Directory infrastructure, skillsets and management processes to address a number of key Hadoop security concerns. Theintegration of Hadoop clusters and their supporting applications into Active Directory canprovide centralized identity management that further enables the adoption of a true, crossplatform privilege management and auditing solution across Hadoop clusters, nodes andservices. Leveraging existing Active Directory accounts to log in secures Hadoop environmentsand assists in proving compliance in a repeatable, scalable and sustainable manner—andwithout deploying and managing a new identity infrastructure.Once cluster nodes are integrated with Active Directory, only the addition of new serviceaccounts is required for automated authentication from one node to the next. Active Directoryauthentication also allows for single sign-on for Hadoop administrators and end users, whichhelps to reduce Hadoop deployment and management costs and increase worker productivity.An identity management infrastructure makes it easy and cost effective for Hadooporganizations to: Deploy Hadoop clusters in Secure Mode by leveraging Active Directory’s Kerberos capabilities for secure mode and automating the configuration of Hadoop service accounts Simplify and standardize identity and access management, leveraging Active Directorygroup-based access controls for Hadoop cluster access management Automate manual, error-prone processes used for on-going management of secure userand application access to Hadoop clusters and between Hadoop services Allow only authorized administrators to manage the Hadoop cluster Remove anonymity in the processing of Hadoop jobs by attributing privileged actions to anindividual6 2015 CENTRIFY CORPORATION. ALL RIGHTS RESERVEDWWW.CENTRIFY.COM