Big Data Insights from the Gartner Security & Risk Management Summit
The Gartner Security & Risk Management Summit, held annually in Washington DC, is a great place for CISOs, CTOs, CIOs, and Security and Risk professionals in IT and Compliance to learn about best practices and strategies for maintaining cost-effective security and risk programs. HP Security Voltage was at the event held this past June 8-11 and had many great conversations around data security. Data security is on the minds of many Security and Risk professionals because of the almost daily headlines about crippling data breaches, which can not only cost companies an extraordinary amount of money but also damage their brand and erode customer trust.
Over the duration of the show, HP Security Voltage ran an anonymous industry survey with over 200 participants. The survey questions ranged from whether the attendee’s company is currently using sensitive data such as PCI (payment card industry) data or PII (personally identifiable information) to whether their company is planning a Big Data or cloud data project using sensitive data. The data from all the questions is interesting, but it is this last question I want to focus on in today’s blog. (More of the survey results will be shared in a separate blog post.)
Many in attendance were very interested in Big Data, in particular how to secure it. According to SINTEF, a large, independent research organization in Scandinavia, a full 90 percent of all the data in the world has been generated over the last two years. Hadoop, the open source software that enables distributed processing and storage of large data sets across computer clusters, was on the tip of a lot of tongues.
Hadoop allows structured or unstructured data to be processed faster and more efficiently, with ample storage capabilities. This data can then be analyzed and processed in ways never thought possible. There is one drawback, though. Open source Hadoop has few built-in security layers, and businesses are left on their own to secure their data.
Back to our industry survey question, “Are you currently planning any Big Data projects involving sensitive data?”
Of those asked, 41% answered that they are deploying these projects now. Another 8% answered that they were planning Big Data projects but would not begin them for several months. Of those responding, 42% answered that they were not currently planning any such projects, and 1% answered no and said they would never start such a project. Lastly, 13% responded that they did not know.
Two notes on the results. First, the question was framed around Big Data projects involving sensitive data. Sensitive data can be loosely defined as information that is not for public consumption, that is regulated, and that, if revealed, can cause major damage to individuals, businesses, brand and reputation. That quickly calls to mind payment or credit card data, but what about identifying information such as contact information, identification cards and numbers, address information and birth dates? These types of personally identifiable information need to be protected from outside eyes.
Sometimes enterprises do not realize that their Big Data projects involve these types of sensitive data. The time to start implementing security protocols to protect this data is in the planning stage, before the data is collected and stored (and discovered by hackers).
The second note is that 8% are planning Big Data projects involving sensitive data, yet are putting the projects off for months. There have been some high-profile headlines involving companies that were hacked and lost sensitive data while they were slowly rolling out (or planning to roll out) their security initiatives. Remember, it is not a question of “if” you will be hacked, but when.
The last thought is this: the best way to protect sensitive data in Big Data projects, not just at rest, but in use, in transit, and in storage, is through data-centric security. This approach “de-identifies” the data with surgical precision, down to the field and sub-field level, so that analytics usually can be performed directly on the protected data, with no decryption required. And when a breach happens, the exposed data consists only of surrogate values, which are useless to data thieves.
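Field and sub-field de-identification with analytics run directly on the protected values, as an added example that is not from the original post or from HP Security Voltage. It uses keyed HMAC pseudonymization as a stand-in technique (the post does not name the mechanism), and the key, field names and records are constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed demo key (assumption): in practice the key is held in a key
# manager outside the Hadoop cluster, never stored alongside the data.
DEMO_KEY = b"constructed-demo-key"

def surrogate(value: str, field: str, key: bytes = DEMO_KEY) -> str:
    """Deterministic keyed surrogate: the same input always yields the same
    token, so joins and group-bys still work on the protected column."""
    mac = hmac.new(key, f"{field}\x00{value}".encode(), hashlib.sha256)
    return mac.hexdigest()[:16]

def protect_record(rec: dict, key: bytes = DEMO_KEY) -> dict:
    """De-identify one record at field and sub-field level."""
    local, _, domain = rec["email"].partition("@")
    return {
        # Whole field replaced by a surrogate.
        "ssn": surrogate(rec["ssn"], "ssn", key),
        # Sub-field: only the local part is replaced, the domain stays usable.
        "email": surrogate(local.lower(), "email", key) + "@" + domain,
        # Not sensitive in this constructed schema, left in the clear.
        "amount": rec["amount"],
    }

def spend_per_customer(records: list) -> list:
    """Analytics step: total spend grouped by the (possibly protected) SSN."""
    totals = defaultdict(int)
    for rec in records:
        totals[rec["ssn"]] += rec["amount"]
    return sorted(totals.values())

# Constructed sample records, not real data (000 is not a valid SSN area).
CLEAR = [
    {"ssn": "000-12-3456", "email": "alice@example.com", "amount": 120},
    {"ssn": "000-98-7654", "email": "bob@example.org", "amount": 40},
    {"ssn": "000-12-3456", "email": "alice@example.com", "amount": 75},
]
PROTECTED = [protect_record(r) for r in CLEAR]

if __name__ == "__main__":
    print(spend_per_customer(PROTECTED))  # same totals as on the clear data
    print(PROTECTED[0])
```

Deterministic surrogates preserve equality by design, so frequency patterns in a protected column remain visible to anyone who can read it. Low-entropy fields such as SSNs are only as safe as the key, which is why the key has to stay outside the cluster.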
Find out more about Data-Centric Protection for Sensitive Data in Hadoop