Getting to grips with Big Data security

"It's not just the new-found availability of that data and the fact that the tools are still very immature," Steve Totman, director of strategy and data integration at Syncsort insists, adding "but also the potential sensitivity of the information hidden inside that data that can now be discovered, that brings security challenges."

No security program can be complete without knowing where the risks are and where the potential for threats may lie.

Indeed, working with Big Data implies that you're collecting and maintaining vast quantities of often customer-oriented data, for long periods of time. In the past, enterprises might have only saved certain information such as name, credit card information, shipping address, and purchase history.

With the emergence of Big Data analytics systems, much more information is collected and analysed in order to refine targeted marketing and sales efforts.

"Often this information is collected from social media tools, including TripIt, Foursquare, Facebook and LinkedIn," according to Scott Register, senior director of product management at Ixia Network Visibility Systems. "This vast information repository gives financially-motivated hackers a larger target to exploit in order to steal identities, open false accounts, or target individuals for highly refined spear-fishing attacks." Or, as the chief security officer at Tenable Network Security, Marcus J Ranum, rather starkly puts it: "Aggregating large amounts of information into a single system will result in storage savings and administrative savings in return for having it all in a nice single place where it can all be stolen at once."

Ranum observes that more often than not security doesn't get designed into such aggregations and consequently security gets worse. With IBM estimating that 90 per cent of the world's data has been created in the last two years alone, that's a staggering rate of data creation and capture and one that quite markedly changes the data security environment completely.

"A single data set may demand different storage requirements and access from many parts of the world," Matt Torrens, Director at SproutIT explains. "For example, data accessed most frequently may need to be housed in Tier1 storage environments conversely, archived data that is barely ever required, may be placed on lower tier storage, to save on cost. Unfortunately, lower tier storage very often is bundled with lower levels of security and privacy controls."

The biggest challenge of all, perhaps, is that security all too often conflicts with a need for high performance and flexibility. "The purpose of Big Data is at odds with that of security," Raistrick states. "Big Data is all about flexibility, speed of access and volume whereas security is focused on visibility, control and protection."

That leaves us with the biggest question of them all in need of answers: how can the enterprise best mitigate against Big Data insecurity? According to Stephen Keenan, vice president of Verizon in the UK and Ireland, it comes down to the criticality of discovering and identifying all data within the enterprise, at rest or in transit.

"No security program can be complete without knowing where the risks are and where the potential for threats may lie," Keenan explains, suggesting that when considering Big Data quantities enterprises should ask themselves three basic questions: Where is the data? What is the discovered data and to whom does it belong? How is this identified data used and why is it important? Which will all sound very familiar to anyone with a smidgeon of knowledge of the IT Security business.

Indeed, it's true to say that dealing with Big Data security issues really doesn't involve anything to revolutionary, rather it's a matter of implementing principles and frameworks already deeply rooted in data governance strategy and not merely relying on products or tools. "Caution should be exercised to ensure that the performance and agility of Big Data solutions are not restricted," warns Sean Narayanan, chief delivery officer with iGATE, who recommends a balanced approach that involves the following as key guiding principles:

1) Evaluate the security capability of Big Data in relation to business analytics.

2) Define the privacy rules for Big Data implementations.

3) Implement the right product sets and measures to keep data secure by knowing exactly who has access to what data, including all suppliers and third parties.

4) Ensure that the data is indeed authenticated so that no third-party has purposefully or accidentally changed any content.

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.