Make Big Data protection part of the process, not an afterthought
My colleague at SAP, David Jonker, describes Big Data as ‘the new oil that can fuel economic growth’ and says that as such, hackers are staking their claim and trying to steal it. He warns that data breaches are increasing on a daily basis and are ‘well-funded, carefully targeted and planned out’, the cost of which is measured in millions of euros and considerable reputational damage.
What do we need to protect? How do we protect it?
In a recent interview, technology journalist David McClelland asked me to talk about the big deal around security and Big Data.
I believe there are several aspects we need to consider when we think about privacy – and security. We need to distinguish here. Privacy is about keeping individually identifiable or sensitive information exactly that – private. Where content is king here, content and CONTEXT are King Kong! You can put so much contextual information on a simple online deal: basic data, like customer name, address, credit card information etc, but also real-time information such as where the buyer is, favorites, what the individual is also looking for, age, behavior, and much more. All to make personalized offers – and sell more – and I don’t mean necessarily to the same customer. This is a great business model for a lot of companies but it is tricky at the same time, because it has big potential to become a compliance issue, when all this information is stored, enriched and shared. Not to mention whether this is in conflict with what we, as individuals, really want…
Privacy relates to security, but it is not the same. Companies need to protect their core processes, including business-critical information. These challenges are not new in the era of big data – there’s the threat of data theft, destruction and criminal data manipulation. But it’s the sheer scale of the data available these days that’s making it an increasingly attractive target for attackers.
So security can’t be an afterthought any more. From project outset, we have to take a more holistic view of protecting data. We need to incorporate this holistic approach into our security concepts and the entire IT landscape. We should protect the technologies we employ for aggregating and integrating data, the software and hardware infrastructure used for storing and housing it, the business applications, and the tools we analyze data with.
People, processes and technology
Companies must also intensify security collaboration with their software and hardware vendors, as well as international bodies that are working on security topics. We won’t ever have a one-fits-all bullet-proof vest to arm us against all forms of data attack in the net, so we need to start treating data security as a process, rather than a status.
As well as attacking the technology, hackers are heavily using vulnerabilities in human nature to gain access to data. So we have to systematically train people and make them aware of the threats. We must remain proactive with the techniques and technologies we have and keep working at it to secure our business-critical information.
Calling time on hackers with the right level of encryption
It’s worth considering what hardware firms can do to help secure data. By using hardware-enabled encryption, it’s possible to encrypt more data, faster and with longer keys to make it more secure.
While it may well be possible to encrypt data that would remain uncrackable for as long as the known universe has existed, that’s unlikely to be necessary. The level of encryption should be sufficient to make it not worth the hacker spending time on it – and this is possible to do.
Another security method is data tagging, whereby data can only be processed in its home location. So if data is stolen, it’s rendered useless in any other environment.
Intel has also been working on creating ‘hardware we can trust’ that can check that all software is ‘known good’ software. They see this ‘white-listing’ approach as crucial to creating an end-to-end holistic security environment. It sounds to me like we’re all on the same page in believing in security as a policy that should be designed in from day one – and not follow on as an afterthought.
To hear more thinking on ways of safeguarding Big Data, watch the Run Simple Show – Big Data Security Part 2: Protecting your data at http://virtualrunsimpletour.com/runsimpleseries
I agree that "We won’t ever have a one-fits-all bullet-proof vest to arm us against all forms of data attack."
I recently read the Gartner Report "Big Data Needs a Data-Centric Security Focus" concluding "In order to avoid security chaos, Chief Information Security Officers (CISOs) need to approach big data through a data-centric approach."
The good news is that Big Data distributions, like <removed by Moderator>, recently started to include the type of advanced security features that Gartner is recommending, including dynamic masking, fine-grained encryption, and data tokenization.
Read more about this at <removed by Moderator>.
Ulf Mattsson, CTO Protegrity