informa
Commentary

Security Surveys: Read With Caution

I’m skeptical of industry surveys that tell security practitioners what they already know. Don’t state the obvious. Tell us the way forward.

Last week, a number of industry publications, including Dark Reading’s sister site Information Week, ran a story about the security risks of Big Data.

Specifically, the articles warned, Big Data systems are loaded with sensitive data and potential security exposures. They cited a SANS Institute survey of 206 companies. Of those polled, 43% of respondents were from companies with 10,000 or more employees and 53% said they held positions in their organization’s IT security operation.

Among the survey highlights:

  • 73% said they use Big Data applications "to store personal data on customers" 
  • 72% said they store such important business data as employee records (64%), intellectual property (59%), and payment card information (53%).

As for the security exposures, the specifics are unclear. There’s an overall warning about the risk of exposure, but few specifics are listed.

I’ve long trusted the SANS Institute. Its surveys are generally useful, and its Internet Storm Center site is required reading for anyone whose job is to stay abreast of security threats. Some great minds work for the organization. But I find this survey hard to swallow.

I could harp on the lack of actual news, because journalists have been chronicling the risks of Big Data for a couple years now (For example, this CSO article from 2012). But I’ve also seen enough to know that repeating warnings is important because companies often don’t get the message the first few times.

No, my problem is that this survey was sponsored by Cloudera, a supplier of Hadoop and other Big Data technologies. Hadoop is often cited as a major tool for managing Big Data securely, and it’s in Cloudera’s best interests to get behind a report saying Big Data security is precarious. For the company, this revelation carries the potential for sales across its product line.

I’ve been skeptical of vendor-sponsored security surveys for a long time. The bias is strong right out of the gate. If the SANS polling had produced a more muted threat scenario, I have to suspect the sponsors wouldn’t be happy. If everything is stable, why invest in more security technology?

Fortunately, the writer of the Information Week article didn’t stop with the raw survey results. He tied the “news” in with some perspective that came out of a panel discussion at the recent Hadoop Summit. The article quotes Anil Varma, VP of data and analytics for Schlumberger, who said imposing user access controls based on identity and roles is one way to improve big data security. Varna also said, "The next two to three years will be really important on that (data governance).” Due to worries over security, a lot of data still hasn't been brought in, he added.

For those running Big Data systems, there’s an expanding wealth of information out there to help assess the risks and take protective measures. I’m particularly interested in case studies where security practitioners outline how they’re using Big Data. Many such articles, including this one I wrote two years ago, focuses on how Big Data is used as a security tool itself. A 2012 paper from the Cloud Security Alliance (CSA) on the “Top 10 Big Data Security and Privacy Challenges” is still useful for assessing the big picture.

And while I’m skeptical of vendor-sponsored studies measuring how big a threat Big Data users face, I do like when vendors focus instead on raw security tips, like this “Six Security Tips for Retailers in the Age of Big Data” article from IBM’s Security Intelligence site. Articles like these offer far better guidance than a survey that states the obvious. Don’t tell us what we already know. Tell us the way forward.

Recommended Reading: