Reply to post: New practical security approaches are required

Make sure big data doesn't land you in big trouble

UlfMattsson

New practical security approaches are required

I agree that “they probably have no idea of the security burden it will bring” and will end up with a lot of sensitive data that will lead to a security crisis:

1. I think a big data security crisis is likely to occur very soon and few organizations have the ability to deal with it.

2. We have little knowledge about data loss or theft in big data environments.

3. I imagine it is happening today but has not been disclosed to the public.

There is unfortunately a shortage in Big Data skills and an industry-wide shortage in data security personnel, so many organizations don’t even know they are doing anything wrong from a security and compliance perspective.

So we need to take a data-centric approach to Big Data security and I agree to encrypt “data to help protect it from attack.”

But unfortunately Hadoop only offers file layer encryption. This approach with coarse-grained encryption is old school security and will not provide the needed balance between security, regulatory compliance and data insights, since the whole data file is either encrypted or decrypted and wide open to attackers.

We also know that “homomorphic encryption” is a very interesting research area but unfortunately not a viable solution any time soon.

I agree with CSA, which “advises wrapping NoSQL databases in a secure middleware layer to shield direct access to the data,” since most Big Data platforms are lacking the security that we find in traditional database environments.

I think that new practical security approaches that provide fine-grained encryption or data tokenization are required. Today, vendors such as Teradata, Hortonworks and Cloudera have partnered with data security vendors to help fill the security gap. What they’re seeking is advanced functionality equal to the task of balancing security and regulatory compliance with data insights and “big answers”.

Ulf Mattsson, CTO Protegrity
