By Larry Warnock, CEO of Gazzang
I’m not a politician. Not even close. But if I could put some laws in place for big data security, I would. I’m a CEO, a husband and a father. And while the benefits of big data are impressive, the risks of unsecured data scare me to no end.
These days, it’s almost surprising to have a customer conversation where the subject of big data doesn’t come up. Thanks to open source databases and file systems like Hadoop, Cassandra, MongoDB and others, organizations can now harness the exabytes of unstructured information created by mobile devices, social media, log files, emails, images and video, and use it to perform real-time analytics.
The thing about big data is that it’s yielding huge results for companies that use it to influence better product development, customer service and user engagement.
Not surprisingly, while everyone is busy talking about and investing in big data management, storage and analytics tools, the elephant in the room is big data security. No one is taking responsibility for the massive volumes of social security numbers, email addresses, phone records, health records and intellectual property flying around in the cloud. Those are my children’s emails and education details. My wife’s social security number and health records. Yours too.
It’s time for someone to ask the most important big data question – what would happen if this information got into the wrong hands and was used for unauthorized purposes?
Think it can’t happen to you? Last year, dozens of companies like Stratfor, Sony and Epsilon – all of whom failed to encrypt their sensitive data – took severe hits to their brands and combined to lose billions of dollars in revenue and the trust of their customers. Just this April, more than 500,000 Medicaid client and children’s health insurance records were stolen from a Utah database. It’s time to accept the fact that your data will almost certainly be compromised at some time in your life. The question is, how can we limit the value of the information to the person intercepting it?
Set Big Data Security Rules
While IT organizations have spent a great deal of time and money on perimeter-based security tools such as firewalls, these solutions can’t prevent unauthorized access to data once a criminal or hacker has breached the network.
The following five rules should be applied to all big data projects:
- Make security a priority before starting a big data project. Security should be a key consideration during the design and implementation phases of any big data project. Saving it for later is a risky and, in many cases, expensive proposition.
- Protect the cryptographic keys and store them separately from the data. Make sure your key is not exposed within the configuration file or on the very server that stores the encrypted data. Storing the cryptographic keys on a separate, hardened server – either on-premises or in the cloud – is a best practice for keeping data safe and an important step in regulatory compliance.
- Secure the data at rest. Require that all big data – especially sensitive information – remains encrypted whether stored on a disk, on a server or in the cloud, regardless of whether the cloud is inside or outside the walls of your organization.
- Control access by process, not job function. Just because a user has operating system-level access to a specific server does not mean he or she needs – or should have – access to the big data stored on that server.
- Create trusted applications and stacks to protect data from rogue users. Encrypt more than just the data and harden the security of your overall environment – including applications, services and configurations. This protects sensitive information from both malicious users and rogue employees.
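One way to check the second rule, added here as an example and not taken from the original article or from Gazzang: a small audit that flags key material embedded in a data store's configuration file or loaded from that same server's disk. The INI layout and option names are hypothetical, the sample input is constructed, and the config file is assumed to live on the server that holds the encrypted data.

```python
import base64
import configparser
import re
from urllib.parse import urlparse

AES_KEY_LENGTHS = {16, 24, 32}  # raw AES key sizes in bytes
KEY_NAME = re.compile(r"key|secret|passphrase", re.I)

def looks_like_key_material(value):
    """Heuristic: value is a PEM block, or hex/base64 that decodes to an AES-sized key."""
    v = value.strip()
    if "-----BEGIN" in v:
        return True
    for decode in (bytes.fromhex, lambda s: base64.b64decode(s, validate=True)):
        try:
            if len(decode(v)) in AES_KEY_LENGTHS:
                return True
        except ValueError:  # binascii.Error is a ValueError subclass
            pass
    return False

def audit_config(text):
    """Return (section, option, finding) for settings that break key/data separation."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []
    for section in cfg.sections():
        for option, value in cfg.items(section):
            if not KEY_NAME.search(option):
                continue
            if looks_like_key_material(value):
                findings.append((section, option, "inline key material"))
            elif urlparse(value).scheme in ("", "file"):
                # A bare path or file:// URI means the key sits on this server.
                findings.append((section, option, "key read from local disk"))
    return findings

# Constructed sample; option names are hypothetical, not a real product's settings.
SAMPLE = """
[storage]
data_dir = /var/lib/datastore
encryption_key = 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
[backup]
key_file = /etc/datastore/backup.key
[archive]
key_uri = https://keys.example.internal/v1/keys/archive
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE):
        print(finding)
```

Only the `[archive]` entry passes, because it points at a separate key server rather than holding the key or a local path to it.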
Whether you are using MongoDB, Cassandra, Hadoop or another big data store, it’s time to secure your data – my family’s personal life – and help us all rest easier each night.
Larry Warnock is CEO of Gazzang, a provider of cloud-based encryption and key management solutions. Gazzang’s Encryption Platform for Big Data features advanced key management and access controls that help ensure your big data projects meet the most stringent security and compliance requirements. For more information, visit www.securingbigdata.com.
“Control access by process, not job function”
Valid advice. Personal customer information needs to be kept under lock and key. You don’t want to give customers any opportunity to doubt your ability to protect their information.