Everything in life has consequences, and that goes especially for data breaches. Big data holds a significant amount of information that can lead to the identification of individual users - this makes the privacy of users a primary concern and also means that the consequences of a breach can be even more damaging than usual.
Following a big data breach, not only does the aftermath serve to disrepute an organisation, but it can also have a negative impact from a legal stand point. A security breach will affect a significantly larger group of people; therefore, organisations have to ensure that they achieve the correct balance between the use of the data and their users' privacy.
This balance can be accomplished by combining a selection of best practices suitable for handling the security of big data, as discussed below with challenges that are commonly presented.
Anonymising your data
Before storing your data, it must be anonymised to a standard that's deemed acceptable so that any identifiers for individuals are completely removed. Encryption of the data is also very important, as removing the unique identifiers does not guarantee that the data will definitely remain unidentified.
Encrypting the data
One of the most secure ways to protect data is known to be encryption. However, it can also cause its own problems when it comes to storing data in the cloud. Since data can't be encrypted when sent to the cloud, in case the cloud needs to perform operations over the data, Fully Homorphic Encryption (FHE) should be used.
FHE is a way to bypass the problem. With it, cloud data is capable of performing operations over encrypted data resulting in new encrypted data being created.
Access Control and Ownership
Access control mechanisms play a very crucial part in maintaining the data security and protection. It is typical for operation systems and applications to provide the access control and to limit the access to the data. However, if the operation system is breached, the information is subsequently exposed. A better way to guard the data is with the use of encryption that can only be decrypted if the person trying to obtain access is permitted by an access control policy.
The exact ownership of the information should be ascertained when data is being held in the cloud. In the circumstance that the data is stored in the cloud, a trust boundary must be established between the data storage owners and the data owners. Yet another issue for big data and the control over it is that of the software. Software, such as Hadoop, that stores big data usually has the default setting of no user authentication being necessary.
This can present a major issue as it leaves the information exposed and vulnerable to the access of any unauthorised user. It is very important that organisations check the settings and make sure that some form of authentication is necessary before a user can access the information.
A standardised list of best practices does not yet exist for big data management, as it's still a relatively new idea, but this does not mean that you can't still take suggested steps to make sure you're keeping your data as secure as it can be:
- Extensively examine your cloud providers: when storing big data in the cloud, you need to know whether your provider has satisfactory protection mechanisms in place. Guarantee that the provider carries out intermittent security audits and agree on penalties in case appropriate security standards haven't been met.
- Generate a decent access control policy: generate policies that consent access to authorised users only.
- Guard the data: Both the raw data and the product from analytics should be protected. Encryption has to be used accordingly so that no sensitive data is leaked.
- Protect communications: Data in transit should be adequately protected to ensure its confidentiality and integrity.
- Use real-time security monitoring: Access to the data should be constantly monitored. Threat intelligence should be used to thwart unauthorised access to the sensitive data.
Big data is extremely useful to organisations, but also brings to focus some chief privacy issues; however, there are various steps that can be taken to manage the data in a secure way. By handling data with security at the core, organisations can keep themselves and their customers safe.
Guillermo Lafuente is security consultant at MWR InfoSecurity (opens in new tab)