Big Data, Big Security: Defense in Depth

Especially in the age of big data, organizations need to keep in mind that security isn’t an end state or a one-off project. Instead, it’s a constant work in progress.

At the same time, it’s important to maintain the right mindset — that is, that while organizations obviously need to take a diligent, responsible approach to securing big data, their efforts shouldn’t be driven by fear. They simply need to adopt a data-centric approach to security.

Specifically, they need to employ three key types of security controls:

• Preventive: Securing the data itself prevents mistakes or cybercriminals from gaining access to the data; and if they did, the data would be rendered useless. This includes security controls such as encryption, data masking, and privileged user controls.

• Detective: Looking for anomalous behavior by, for instance, auditing database activity, monitoring systems throughout the big data environment, and providing compliance reports or alerts about potential problems.

• Administrative: Implementing tools that enable the processes and procedures for security, such as sensitive data discovery, privileged user analysis, configuration management, and encryption key management capabilities.

“A comprehensive data security approach ensures that the right people, internal or external, always receive access to the appropriate data and information at the right time and place, in the right channel,” says Neil Mendelson, vice president for big data and advanced analytics at Oracle.

“Defense-in-depth security protects organizational information assets by securing and encrypting data while it’s in motion and at rest. It also enables organizations to separate roles and responsibilities and protect sensitive data without compromising privileged user access,” Mendelson adds. “Furthermore, it extends monitoring, auditing, and compliance reporting across traditional data management to big data systems.”

Organizations are now in need of big data environments that include enterprise-grade authentication and authorization (Kerberos or LDAP and Apache Sentry project), and auditing that can be automatically set up on installation, greatly simplifying the process of hardening Hadoop.

“Businesses are finding that big data works best in an environment that combines Hadoop, NoSQL, and relational databases,” Mendelson says. “To realize a robust and successful big data strategy, it’s important to determine how to integrate these technologies under a big data technology platform.”

Such a platform is where the company governs all of its data and makes it securely available to the rest of the organization for use and analysis. The platform also includes the critical systems currently used to run the business.

Securing the big data life cycle requires the following security controls:

• Authentication and authorization of users, applications, and databases

• Privileged user access and administration

• Encryption of data at rest and in motion

• Data redaction and masking for non-production environments

• Separation of responsibilities and roles

• Implementing least privilege

• Transport security

• API security

• Monitoring, auditing, alerting, and reporting