Update Q&A Extended
Holistic Approach Needed for Big Data Security
Organizations must focus on more than technology to safeguard big data, says Verizon Wireless' Wilco van Ginkel, co-chair of the Cloud Security Alliance's Big Data Security Working Group.
February 01, 2013
What do internal auditors need to tell their CEOs and board directors about safeguarding big data?
That safeguarding big data takes a holistic, business- and risk-driven approach, like we have seen for decades with safeguarding non-big data. However, big data does bring new security challenges to the table, such as the fact that most existing security solutions we use in the non-big data world might not work in a big data environment, simply because of the massive scale, speed, and variety of data. Most existing security solutions were not built with big data in mind. Another security challenge that becomes more eminent than ever is privacy. The fast-increasing amount of personal-related data produced and consumed around the planet adds to the privacy debate. International alignment and legislation around privacy is needed.
How is big data changing how organizations manage IT security?
There are two sides of the coin here: One side is the security of the different big data domains, like the platform, the architecture, operations, privacy, staff, and data storage. The other side is using big data analytics to get better information out of all that big data, which — hopefully — will lead to better insights and decision-making. The former has some overlap with existing IT security capabilities, but a lot is relatively new and under development. The latter also is in its relative infancy.
Does the scale and complexity of big data make security an uphill battle for organizations?
The past has proven that IT security is hard. Securing big data doesn't make that easier, although big data also provides an opportunity in the field of big data security analytics. As with IT security, the questions for big data will be: Which responsibilities can we outsource, under which constraints/conditions? Which big data is considered important enough to be secured? For example, instead of trying to build out your own big data platform, use big data capabilities in the cloud. Another reason to consider this is that (1) most organizations don't have the required big data security skills anyway, and (2) offloading this to somebody else frees up resources to deal with the information coming from the big data analytics.
How can IT and security professionals communicate these highly technical security threats to decision-makers in their organization?
First of all, although today the focus is on technology and technical security issues around big data — and they are important — big data security is not just a technical challenge. Many other domains are also involved, such as legal, privacy, operations, and staffing. History is about to repeat itself, as we have seen with IT security in the past. Big data started with a primarily technical-oriented approach, evolving into a business risk-oriented approach, in which a sensible risk management methodology is key. Not all big data is created equal, and depending on the data security requirements and risk appetite/profile of an organization, different security controls for big data are required.