The insights gained from Big Data analytics can be incredibly valuable to a business. Yet every new data stream creates a new potential attack vector, making classic perimeter defences obsolete and leaving the organisation vulnerable. In the past, data security executives and data scientists had to choose between analytics and security, but now – particularly with the stringent privacy regulations that have come into play – there isn’t a choice to make. So, how do companies overcome this and make sure that quality data analysis doesn’t suffer at the hands of security?
How is data viewed?
The impact Big Data has had for businesses cannot easily be quantified. It has helped many produce a roadmap to improve efficiency as well as improve services and products for their customers – something which is difficult to put a price tag on. By harvesting these large data sets, companies no longer need to rely on a gut feeling when making business decisions. Instead, by using analytics, they can gain insights, view patterns, make connections and understand human behavioural interactions in a tangible way. For organisations today, the science of data has become critical for business operations in this digital age.
Over the past decade, Big Data has become big business, with the Big Data Analytics market set to reach $103 billion by 2023. Big Data is everywhere - on-premises, in the cloud, streaming from sensors and devices - making it a valuable commodity for all companies that either use, store or transfer data.
Organisations have begun shifting large quantities of data outside the standard perimeter, connecting into digital infrastructures like the cloud and IoT devices, and, without them realising, this web of connectivity has spiralled out of control. Sensitive data moves not only throughout the organisation’s online network, but also outside it to partners, suppliers and other third parties. The problem organisations then face is that if sensitive data is sent to third parties, there are no guarantees that they are protecting this critical information. This creates a complex web of connections that has placed sensitive data at serious risk. And, considering 78 per cent of organisations have experienced a successful cyberattack in the last 12 months, data security can no longer be overlooked.
Therefore, the processing and security of Big Data should be discussed as part of the wider business digital strategy, rather than security being viewed as a separate, siloed entity.
Data is interesting but why protect it?
For businesses to gain value from Big Data analytics, the data needs to be monetised, and the more value that is created, the more sensitive the data becomes. Herein lies the problem, as cybercriminals want to extract this information for their own financial gain. Their attempts have been successful: in the first six months of 2019, roughly 4.1 billion records were exposed or stolen through cyberattacks. Data analysts and engineers have a duty to protect this information just as much as the organisation’s security team, especially considering that much of the data collected by companies today is sensitive personal information. Bad actors know the worth of data in the underground economy, and organisations need to understand that the threats to data are very real - and costly.
Having the ability to remediate the latest cyberthreats is not the only concern for a business, as it will also need to comply with industry regulations and data privacy laws that require the protection of sensitive data. If it fails to comply, the company will face serious fines that could range in the millions. The European General Data Protection Regulation set the precedent for what is expected of organisations when it comes to protecting sensitive customer data, but if credit card information is being processed, then PCI DSS compliance is also required. These are just two examples, as there are multiple regulations that need to be adhered to depending on where the company operates or who the information relates to. Because of this, organisations are seeking solutions that address cross-regulatory compliance concerns while protecting the data in its entirety.
Getting security in place
In order to protect complex online environments - and the data residing in them – it’s best to implement a data-centric security strategy, which is based on two principles. The first is to protect the data at the earliest point, which may seem obvious but is often not routinely done by organisations. If sensitive data is secured from the outset, the moment it is collected, there is less risk that information is shared in its unprotected form. The second is to de-protect data only when absolutely necessary. If individuals or applications need to view a piece of protected sensitive data in plain text, it should be revealed only when that is essential. This harks back to principle one, where data is always protected. Historically, data has been easier to analyse and process in its raw form, but this should be avoided in the modern data security landscape. There are solutions that enable secure data processing and analysis with very little operational impact.
Organisations should invest in a solution that utilises tokenisation as this will secure the data during the analytics process by substituting a sensitive data element with a non-sensitive equivalent (known as a token). By tokenising critical information, data analysts can extract insights without the risk of exposing personal, confidential data. This eliminates one of the prime issues with classic security solutions that attempt to build a wall around infrastructure, rather than protect sensitive data wherever it goes.
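The two principles and the tokenisation step described above can be seen in a small sketch. This is an added example written for this article, not comforte's product or API; `TokenVault`, the role names and the sample records are assumptions made for illustration.

```python
import secrets
from collections import defaultdict

class TokenVault:
    """In-memory stand-in for a tokenisation service (hypothetical, for illustration)."""

    def __init__(self, authorised_roles):
        self._to_token = {}   # plaintext -> token, so a repeated value maps to one token
        self._to_value = {}   # token -> plaintext, reachable only via detokenise()
        self._authorised = set(authorised_roles)
        self.audit_log = []   # every de-protection attempt is recorded

    def tokenise(self, value):
        if value not in self._to_token:
            token = "tok_" + secrets.token_hex(8)  # random: no mathematical link to value
            self._to_token[value] = token
            self._to_value[token] = value
        return self._to_token[value]

    def detokenise(self, token, role, reason):
        allowed = role in self._authorised
        self.audit_log.append((role, token, reason, allowed))
        if not allowed:
            raise PermissionError(f"role {role!r} may not de-protect data")
        return self._to_value[token]

def ingest(raw_events, vault, sensitive_fields=("email", "card")):
    """Principle one: protect sensitive fields at the point of collection."""
    return [{k: vault.tokenise(v) if k in sensitive_fields else v
             for k, v in event.items()} for event in raw_events]

def spend_per_customer(events):
    """Analytics on tokens only: grouping works because tokens are consistent."""
    totals = defaultdict(float)
    for e in events:
        totals[e["email"]] += e["amount"]
    return dict(totals)

# Constructed sample data, not real customer records.
RAW = [
    {"email": "alice@example.com", "card": "4111111111111111", "amount": 20.0},
    {"email": "bob@example.com", "card": "5500000000000004", "amount": 5.0},
    {"email": "alice@example.com", "card": "4111111111111111", "amount": 12.5},
]

def demo():
    vault = TokenVault(authorised_roles={"fraud-investigator"})
    protected = ingest(RAW, vault)
    totals = spend_per_customer(protected)
    top = max(totals, key=totals.get)
    # Principle two: de-protect a single value, only for a role that needs it.
    return protected, totals, vault.detokenise(top, "fraud-investigator", "case review"), vault
```

The analyst-facing function never sees an email address or card number, yet the per-customer totals are the same as they would be on raw data; the only path back to plaintext is the role-checked, logged `detokenise` call.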
By adopting this kind of ‘data-centric’ security strategy, enterprises can protect sensitive information within big data analytics environments, without impacting the ability to use the data in existing applications and systems. There is also the bonus of complying with regulatory mandates, without prohibiting or restricting access to certain datasets containing sensitive information.
Ultimately, data has the potential to make or break an organisation; it can be a great tool but only when it’s truly protected.
Felix Rosbach, Product Manager for Enterprise Data Security, comforte AG