Security dangers in big data mining


The only time security is at the forefront in a big data project appears to be when the project is about security. Otherwise, security is most often an afterthought or done poorly.

On the security front, big data projects are proving incredibly advantageous for security organizations, such as the NSA, and protection industries, such as the anti-virus, anti-malware producers. An example of how well these types of projects have done to affect security can be found in an eWeek article describing the big data visualizations from Japan's National Institute of Information and Communications Technology and its Daedalus Cyber-attack alert system.

But when it comes to non-security focused data projects, security is missing or lacking, and the peril to us all grows.

In a USA Today essay, Laura Robinson, Chair of the Security for Business Innovation Council, beautifully outlined the security challenges found in big data use.

"When organizations amalgamate and process data at unprecedented volumes and speeds, it significantly increases the complexity of access governance, data protection and regulatory compliance," she wrote in that USA Today essay. "Risks include over-provisioning access, inadvertently exposing personally-identifiable information and transferring data outside of a required geographical location, to name a few."

To the uninitiated, big data seems like an entirely new thing; so does search. But that isn't the case. Robinson urges infosec teams to get involved from the start on big data projects and for security vendors to "ramp up their knowledge of big data technologies; monitor data access requests; make clear what can be shared and with whom; watch carefully for over-provisioning of access; and develop data-flow mapping as a core competency of the security team."

The importance of Robinson's advice cannot be overstated. We already routinely see data breeches harming millions of people, as we recently saw in a recent report from California State Attorney General Kamala D. Harris. That report detailed 131 data breaches reported to her office in 2012, showing that 2.5 million Californians had personal information put at risk through an electronic data breach. Big data projects will worsen such scenarios considerably.

"The recent breaches continue to demonstrate that current, traditional security technologies are ineffective, and businesses and governments agencies have to do more to protect sensitive customer information," said Dave Anderson, senior director at data-centric security and encryption company Voltage Security. "Encryption should be used as a key mechanism within a data-centric program, but encryption needs to be supplied at the data level itself, not only on the database, or disk level, which are again simply container solutions."

Certainly encryption is a good idea, but the security industry will likely need to provide more layers beyond encryption to achieve any semblance of reliable data protection.

"So while 2012 will be remembered as the year that big data entered the public lexicon, 2013 needs to be the year in which the security industry undertakes some important big data-related actions," says Robinson.

Here's hoping the security industry steps up its game--pronto.

For more information:
- see USA Today essay
- see the eWeek article

Related Articles:
Security flaws found in code library for encrypted VoIP calls
Mobile malware threats on the rise, find two reports
Crypto certificate stolen from Opera Software used to sign malware
8 risk management must-dos for 2013