FIVE BIG DATA SECURITY PITFALLS TO AVOID AS DATA BREACHES RISE
Jeremy Stieglitz
Vice President, Product Management
Big data can deliver big advantages. Platforms, including Hadoop and NoSQL, can hand companies unprecedented analytics, significant cost savings, and performance advantages over traditional architectures such as data warehouses and data marts. In addition, many web-based companies prefer NoSQL because of its proven advantages in data flexibility, scalability and performance.
But big data also has a dark side that companies need to guard against. As big data technologies are deployed more frequently by a greater number of companies, many are not using a consistent and comprehensive approach to identify their sensitive data and protect it from a breach. Recent attacks on companies including Sony, Anthem, Target and JPMorgan Chase [1] demonstrate how significant the financial impact of data breaches can be. To understand where data is vulnerable and guard against external and internal threats, companies need to take a second look at how their data is secured.
Information security threats are real and changing rapidly, with security organizations struggling to keep up with the changing nature, complexity and scale of attacks. The high-profile attacks of 2014 were proof points that the threat landscape is rapidly mutating as attackers find even more devious ways to bypass security controls. Security and compliance managers are focused on this rapidly evolving landscape and developing capabilities for handling new threats.
This isn’t a straightforward task. Securing big data involves multiple barriers and challenges. Transition speeds, data volume and the number of environments across large distributed installations all continue to increase. The diversity of data sources and data types and the streaming nature of data acquisition are also ramping up.
[1] Credit Union Times, “10 Biggest Data Breaches of 2014,” Robert McGarvey – http://www.cutimes.com/2014/10/06/10-biggest-data-breaches-of-2014-so-far?page=11
DATAGUISE, INC.
2201 WALNUT AVE. STE 260
FREMONT, CA 94538
877.632.0522
Risks persist for the many companies that still rely on security measures such as perimeter-based security or stock data protection. These traditional solutions are designed for static data, so they leave gaps in protection and expose sensitive data to potential threats.
What other pitfalls should be avoided when trying to protect big data? Here are five common mistakes that leave companies at risk.
1. RUNNING DATABASES IN A “TRUSTED” ENVIRONMENT
Many organizations run Hadoop or NoSQL databases in a trusted environment, buried behind existing corporate security solutions and firewalls. While this may provide a measure of protection against external threats, it creates dangerous vulnerabilities to insider attacks. Companies using this approach should consider implementing insider threat mitigation at both the data and physical levels, also taking steps to protect computers and servers. As recent attacks have proven, a disgruntled employee with system access can cause enormous damage to a company’s brand, customer trust and financial bottom line.
2. LOOSE ACCESS CONTROL
Higher levels of access to sensitive data translate into a higher potential for a breach. Limiting employees to the amount of access they need to do their jobs and organizing physical workspaces with access barriers requiring the proper credentials are important ways to reduce internal threats. Consider ratcheting down access, limiting the number of “need to know” employees who have access to conduct management, monitoring and analytics.
3. STATIC PROTECTION SCHEMES
Traditional static data protection solutions can leave unencrypted/unmasked sensitive data exposed during migrations out of secure storage volumes to networked devices. This is an outdated technique for today’s enterprise environments that increases exposure to both internal and external threats, depending on where and how the data is moved. Changing to a dynamic data protection strategy allows organizations to apply rules based on user access levels for the encryption or masking of data as it is being accessed so sensitive data remains secure.
4. INADEQUATE SOLUTIONS FOR DETECTING SENSITIVE DATA
Threats are now more granular, targeting information at the data level. If you don’t know where your sensitive data is, you cannot protect it. Successfully securing data begins with knowing the location and risk potential of the sensitive information in big data repositories. This is the first step in planning and developing compliance strategies to ensure PII readiness. Continuously discovering and flagging sensitive data assets is critical to define the requirements for compliance readiness. It also helps to inventory and guard against inadvertent exposures of duplicate data, particularly given the growing challenge of copy data. With a strong discovery solution in place, administrators should then filter data based on priority in the following order: redact/delete, mask, encrypt, and plaintext with strong access control. Without this approach, sensitive data may go completely unprotected.
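A minimal sketch of the discovery and copy-data inventory step described above, added here as an illustration and not taken from the paper or from any Dataguise product. The two patterns, the HMAC key, the dataset names and the sample records are all constructed assumptions.

```python
import hashlib
import hmac
import re
from collections import defaultdict

# Assumed patterns for two data types; a real scanner covers many more.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
INVENTORY_KEY = b"constructed-demo-key"  # assumption: secret held by the scanner

def luhn_ok(digits):
    """Luhn checksum: rejects digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_sensitive(text):
    """Yield (kind, normalized value) for each sensitive item in one line of text."""
    for m in SSN_RE.finditer(text):
        yield "ssn", m.group()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            yield "card", digits

def inventory(datasets):
    """Map (kind, keyed fingerprint) -> set of (dataset, line number).
    Values are stored as HMACs so the inventory is not a second copy of the data."""
    found = defaultdict(set)
    for name, lines in datasets.items():
        for lineno, line in enumerate(lines, 1):
            for kind, value in find_sensitive(line):
                fp = hmac.new(INVENTORY_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]
                found[(kind, fp)].add((name, lineno))
    return found

def duplicated(found):
    """Items present in more than one dataset, i.e. copy data."""
    return {k: locs for k, locs in found.items() if len({n for n, _ in locs}) > 1}

# Constructed sample records; dataset names are hypothetical.
SAMPLE = {
    "hdfs:/raw/crm.csv": ["1001,Ann Lee,078-05-1120,4111 1111 1111 1111",
                          "1002,Bo Diaz,,4111111111111112"],
    "hdfs:/tmp/crm_export.csv": ["Ann Lee;078-05-1120"],
    "nosql:tickets": ["customer paid with 4111-1111-1111-1111, ref A17"],
}
```

Calling `duplicated(inventory(SAMPLE))` reports the SSN and the card number that each appear in two datasets, while the 16-digit value that fails the Luhn check is not flagged.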
5. LACK OF ENTITLEMENT, MONITORING AND AUDITING
Entitlement and sensitive data access auditing provide fine-grained access visibility and help companies deal with compliance and insider security threats. Faced with a wide range of financial, privacy, and health information regulations such as the Health Insurance Portability and Accountability Act, European Privacy Directive, and the Sarbanes-Oxley Act, companies are often “in the dark” about who has accessed their sensitive data, how much, and how often. In fact, several breaches have occurred through the slow drip of incremental access. More effective activity monitoring, as well as the ability to show and map who can access what data over time, can mitigate these losses.
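One way to surface the “slow drip” pattern from an access audit trail, added here as an illustration and not taken from the paper: it answers who accessed sensitive records, how much, and how often, and flags users who stay under a per-day alert but accumulate a large number of distinct records over a window. The thresholds, user names and audit events are constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Thresholds are assumptions for illustration, not values from the paper.
DAILY_LIMIT = 100    # per-user reads/day that an existing alert already catches
WINDOW_DAYS = 30     # look-back window
WINDOW_BUDGET = 500  # distinct sensitive records one user may read per window

def summarize(events, today):
    """Per user: who accessed sensitive data, how much, and how often.
    events: iterable of (day, user, record_id) reads of flagged records."""
    start = today - timedelta(days=WINDOW_DAYS - 1)
    per_day = defaultdict(lambda: defaultdict(set))
    for day, user, rec in events:
        if start <= day <= today:
            per_day[user][day].add(rec)
    report = {}
    for user, days in per_day.items():
        report[user] = {
            "distinct_records": len(set().union(*days.values())),
            "active_days": len(days),
            "max_per_day": max(len(recs) for recs in days.values()),
        }
    return report

def slow_drip(report):
    """Users who never trip the daily alert yet exceed the window budget."""
    return sorted(u for u, s in report.items()
                  if s["max_per_day"] <= DAILY_LIMIT
                  and s["distinct_records"] > WINDOW_BUDGET)

def sample_events(today):
    """Constructed audit trail; user names are hypothetical."""
    ev = []
    for d in range(20):   # analyst_a: 40 new records a day for 20 days
        ev += [(today - timedelta(days=d), "analyst_a", f"r{d * 40 + n}") for n in range(40)]
    for d in range(30):   # support_b: the same 50 records every day
        ev += [(today - timedelta(days=d), "support_b", f"r{n}") for n in range(50)]
    ev += [(today, "etl_svc", f"r{n}") for n in range(300)]  # one bulk read
    return ev

if __name__ == "__main__":
    today = date(2015, 3, 31)  # constructed date
    print(slow_drip(summarize(sample_events(today), today)))
```

Only `analyst_a` is flagged: the bulk reader is already caught by the daily limit, and the user who re-reads the same 50 records never grows the distinct count.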
BEGIN WITH BASICS AND BUILD FROM THERE
Remember, basic security measures–including operating system updates, third-party applications, anti-virus software, and firewalls–are critical starting points of any corporate security strategy. These IT security actions may be rudimentary but provide a necessary speed bump to incoming threats, limiting the amount of data to what is necessary.
Big data is by definition “big” because of the large volume and vast range of information types it contains as well as the speed at which it can be created, collected and analyzed. These attributes present a double-edged sword. Big data can empower companies with competitive advantages–but it also creates new and constantly evolving challenges for securing the sensitive data it contains. IT professionals struggling to guard against data breaches are often limited by legacy strategies that leave gaps and permit access to those who shouldn’t have access.
In contrast, a data-centric security approach focuses on where threats can have an impact–at the data level. By understanding where security infrastructure is fundamentally weak and allocating resources accordingly, companies can detect, protect and audit their sensitive data while complying with corporate and government mandates. This means companies are able to leverage the power of big data while guarding against its dark side.