Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk //

Compliance

1/30/2012
11:53 PM
50%
50%

Big Data Could Create Compliance Issues

The bigger data sets grow, the harder compliance could become

Just like "the cloud" of 2009 and 2010, this year's red-hot buzz term bandied about by executives who may or may not have clue what it means is 'big data.' But just as 2011 saw the world wrap its head around the cloud, the time is coming when technology around big data will gain traction, understanding and deployments. And when it does, infosec professionals need to be ready for the security and compliance complications that it could potentially introduce.

So what exactly is big data? In a nutshell, it's a data set that's too big to be crunched by traditional database tools. Whether it is from scientific or environmental sensors spewing out a cascade of data, financial systems producing a mounting cavalcade of information or web and social media apps that create a snowballing mass of records, big data is typically classed as such if it maintains three essential dimensions. They're what Gartner's Doug Laney, then of META Group, back in 2001 called the 3Vs of data management: volume, variety and velocity. The first one's obvious, clearly something wouldn't be called big data if there wasn't a heck of a lot of it. But big data is also a swarm of unstructured data that has got to be fast to store, fast to recover and, most importantly, fast to analyze.

"While many analysts were talking about, many clients were lamenting, and many vendors were seizing the opportunity of these fast-growing data stores, I also realized that something else was going on," Laneywrote recently in a retrospective on that first report. "Sea changes in the speed at which data was flowing mainly due to electronic commerce, along with the increasing breadth of data sources, structures and formats due to the post Y2K-ERP application boom were as or more challenging to data management teams than was the increasing quantity of data."

When Landoll first wrote about the 3Vs 11 years ago, it was mostly addressing the data management challenges that had contributed to the evolution of data warehousing. These types of data stores gain their value mainly through analysis--which is why data warehousing and business intelligence had gone hand-in-hand for years before 'big data' became common parlance. Speculatively speaking, the benefits of analyzing big data include the ability to make better business decisions and reduce waste in vertical markets such as the public and health care sectors. According to a study by MGI, even retailers properly utilizing Big Data can increase their operating margin by a whopping 60 percent.

Whether big data is going to reside in the data warehouse or some other more scalable data store still remains up in the air. One thing is for certain, though, big data is not easily handled by the relational databases that the typical DBA is used to wrangling within the traditional enterprise database server environment.

"What’s emerging is a new world of horizontally scaling, unstructured databases that are better at solving some old problems. More importantly, they’re prompting us to think of new problems to solve whose resolution was never attempted before, because it just couldn’t be done," say the authors of the Accenture Technology Vision 2012 report released last week. "We foresee a rebalancing of the database landscape as data architects embrace the fact that relational databases are no longer the only tool in the toolkit."

The question for security professionals, of course, is if this growing mass of data is becoming increasingly unstructured and accessed from an ever-distributed cloud of users and applications looking to slice and dice it in a million and one ways, how can they be sure they're keeping tabs on the regulated information in all that mix?

"Organizations aren’t realizing the importance of such areas as PCI or PHI and failing to take necessary steps because it is flowing with other basic data," says Jon Heimerl, director of strategic security for Solutionary. "Mainly, big data stores are leading organizations to not worry enough about very specific pieces of information."

Joe Gottlieb, president and CEO of Sensage, says that the healthcare example is one of the most important for compliance executives as they examine how big data creation, storage and flow works in their organizations.

"The move to electronic health record (EHR) systems driven by HIPAA/HITECH is causing a dramatic increase in the accumulation, access and inter-enterprise exchange of PII," he says. "For the largest healthcare providers and payers, this has already become a big data problem that must be solved to maintain compliance."

While the prospect of proving compliance even within massively muddled big data stores , the slow development of laws and regulations may work in favor of CISOs trying to get a bead on big data.

"From a compliance perspective, many of the laws and regulations have not addressed the unique challenges of data warehousing. Many of the regulations don’t address the rules around protecting data from different customers at different levels," says Tom McAndrew, executive vice president of professional services at Coalfire. "For example, if a database has credit card data and healthcare data, does PCI and HIPAA apply to the entire data store, or only the parts of the data store that have the data. The answer is highly dependent on your interpretation of the requirements and the way you have implemented the technology."

Similarly, social media applications that are collecting tons of unregulated, yet potentially sensitive data, may not yet be a compliance concern. But they are still a security problem that if not properly addressed now may be regulated in the future.

"Social networks are accumulating massive amounts of unstructured data--a primary fuel for the big data problem, but they are not yet regulated so this is not a compliance concern but remains as a security concern," Gottlieb says.

According to McAndrew, security professionals concerned about how things like Hadoop and NoSQL deployments are going to affect their compliance efforts need to take a deep breath and remember that the general principles of data security still apply.

"t really starts with knowing where you data resides. The good news is that with the newer database solutions, there are automated ways of detecting data and triaging systems that appear to have data they shouldn’t," he says. "As you get your organization to map and understand your data, look for opportunities to automate and monitor compliance and security through data warehouse technologies. Automation has the ability to decrease compliance and security costs and get higher levels of assurance that you know where your data is and where it is going."

In addition to understanding where the important data sits, organizations also need to think about finding ways to segregate, which will make the deployment of security measures such as encryption and monitoring more manageable.

"After organizations better understand their data, they need to take important steps to segregate it. The more data you silo as high-level, the easier it will be to protect and control it," Heimerl says. "Smaller sample sizes are easier to protect and can be monitored separately for specific necessary controls."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
T3ddyB4x
50%
50%
T3ddyB4x,
User Rank: Apprentice
2/1/2012 | 5:45:10 AM
re: Big Data Could Create Compliance Issues
For many of us in the industry, I think at one point we all hoped that the SIM/SEIM vendors would help out with this issue, but their consistent Achilles heel was the fact that they didn't actually natively generate any of the data they were analyzing. -That left a lot to be desired in the areas of accuracy and usability, two major foes to friction-less compliance reporting.--

There's been a few recent announcements by companies like eEye and Sourcefire that are, in my view, promising - their platforms are analyzing heaps of natively generated security data via their integrated data warehouses.-The ability to create action from various inputs (missing patches, open ports, available exploits, type of machine, etc.) is where security will meet business intelligence.-

I'm sure there are others as well, and the big 3/4/5 (however many there are now) security vendors can't be far behind.

Great article. I hope to see more coverage on this topic of "big security data". --
Ericka Chickowski
50%
50%
Ericka Chickowski,
User Rank: Moderator
1/31/2012 | 8:15:04 PM
re: Big Data Could Create Compliance Issues
Apologies, Doug. Just fixed it. Thanks!
Doug Laney
50%
50%
Doug Laney,
User Rank: Apprentice
1/31/2012 | 2:22:35 PM
re: Big Data Could Create Compliance Issues
As a courtesy, here's the original piece I wrote on the 3Vs 11 years ago: http://blogs.gartner.com/doug-... --Doug Laney, VP Research, Gartner, @doug_laney
Doug Laney
50%
50%
Doug Laney,
User Rank: Apprentice
1/31/2012 | 2:21:37 PM
re: Big Data Could Create Compliance Issues
Doug Laney (not Landoll). Thanks for the mention tho!-
Stop Defending Everything
Kevin Kurzawa, Senior Information Security Auditor,  2/12/2020
Small Business Security: 5 Tips on How and Where to Start
Mike Puglia, Chief Strategy Officer at Kaseya,  2/13/2020
Architectural Analysis IDs 78 Specific Risks in Machine-Learning Systems
Jai Vijayan, Contributing Writer,  2/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-1842
PUBLISHED: 2020-02-18
Huawei HEGE-560 version 1.0.1.20(SP2); OSCA-550 and OSCA-550A version 1.0.0.71(SP1); and OSCA-550AX and OSCA-550X version 1.0.0.71(SP2) have an insufficient authentication vulnerability. An attacker can access the device physically and perform specific operations to exploit this vulnerability. Succe...
CVE-2020-8010
PUBLISHED: 2020-02-18
CA Unified Infrastructure Management (Nimsoft/UIM) 9.20 and below contains an improper ACL handling vulnerability in the robot (controller) component. A remote attacker can execute commands, read from, or write to the target system.
CVE-2020-8011
PUBLISHED: 2020-02-18
CA Unified Infrastructure Management (Nimsoft/UIM) 9.20 and below contains a null pointer dereference vulnerability in the robot (controller) component. A remote attacker can crash the Controller service.
CVE-2020-8012
PUBLISHED: 2020-02-18
CA Unified Infrastructure Management (Nimsoft/UIM) 9.20 and below contains a buffer overflow vulnerability in the robot (controller) component. A remote attacker can execute arbitrary code.
CVE-2020-1791
PUBLISHED: 2020-02-18
HUAWEI Mate 20 smartphones with versions earlier than 10.0.0.185(C00E74R3P8) have an improper authorization vulnerability. The system has a logic judging error under certain scenario, successful exploit could allow the attacker to switch to third desktop after a series of operation in ADB mode.