The Big Deal With Big Data: New Security Tools Are Needed

Transcription

1 Portfolio Media. Inc. 860 Broadway, 6th Floor New York, NY Phone: Fax: The Big Deal With Big Data: New Security Tools Are Needed Law360, New York (July 6, 2015, 10:17 AM ET) What s the big deal with big data? In the rapidly expanding landscape of Internet-based data analytic services, the majority of companies with a significant online presence have either already asked this question or will be asking it in very near future. But what exactly is big data? Big data is defined by the Cloud Security Alliance as the massive amounts of digital information companies and governments collect about human beings and our environment. [1] More robust definitions also include the acquisition and analysis of such large and complex data sets from Internet-based technologies. Big data is typically unformatted, nonuniform and was long thought by companies to be of no value because the size and structure of the data exceeded the processing capacity of conventional database systems. Indeed, until the last few years the technology needed for companies to analyze and evaluate big data was nonexistent. Hillary Preston Recent technological advances and cloud computing services have made big data manipulation and analysis an important business tool for both large and small organizations. Big Data analytics now offer companies the opportunity to evaluate and discover patterns in diverse data types for myriad commercial purposes through a variety of platforms. What was once thought by companies to be the fragmented digital waste left over from a consumer s visit to an online website can now be used for spotting business trends, combating crime and various other predictive analytics. The total amount of big data generated by companies and governments is expected to double every two years, from 2,500 exabytes in 2012 to more 40,000 exabytes in 2020[2]. Regarding the importance of big data in today s marketplace, a May 2014 White House report entitled Big Data: Seizing Opportunities, Preserving Values, stated that, [b]ig data will become an historic driver of progress, helping our nation perpetuate the civic and economic dynamism that has long been its hallmark. As useful as the collection and analysis of big data appears for companies, consumer groups and privacy advocates have become equally concerned regarding the need for legal restrictions on its collection, use and retention. As more consumer information is digitized and collected by today s businesses, the potential for cybersecurity attacks has also increased.[3] With the growing use of cloud-based platforms and the increasing frequency of high-profile data breaches, the security of big data in the cloud is an emerging area of concern for both business and consumers alike. The May 2014 White House report

2 reflects this in emphasizing that the social and economic value created by big data should be balanced against privacy and other core values of fairness, equity and autonomy. Challenges of the Three V s : Variety, Volume, Velocity Variety, volume and velocity are three terms commonly utilized to characterize big data, each of which contribute to the security challenges companies and analytics provides face related to the management of big data. The first of the terms, variety, refers to the multiple classes or data types captured across a company s given enterprise. At any given time, a company may be simultaneously collecting and/or storing data sets from multiple business areas (e.g. confidential sales data, employee personal information, proprietary research results) in various formats. Because each set of data originates from a different source, it will also likely have its own distinct access restrictions and security policies. Thus, while the ability to collect numerous types of data increases a company s analytical capabilities, having such varied data feeds also increases the challenges faced by companies to appropriately balance security and access control measures with their need to extract and analyze meaningful data. The second V, volume, as evident from its name, is inherent in the definition of big data and references the volume of data companies collect and store in big data repositories. As previously discussed, big data often includes the collection of company data from numerous sources in various formats. While an increase in the number of distinct data sources collected by a company broadens its ability to access various analytics, such massive collections of data also potentially increases the number of targets cyberattackers can use to gain access to a company s confidential data. In other words, the more data collected the more potential targets for breach. Velocity is not just the third V of the big data trilogy, but it designates the speed at which the data is acquired. The streaming nature of data acquisition adds additional complexity to big data security. Companies and analytics service providers are not only forced to keep up with the speed of the cloud to facilitate effective product offerings, but they are also racing to stay ahead of cybercriminals and ensure data safety. Because variety, velocity and volume each drive the value of big data, all three must be considered to effectively secure data. Big Data Has Outpaced Traditional IT Security While businesses often use big data for marketing and research purposes, many do not have the security assets needed to keep such data safe. As can be imagined, large quantities of consolidated data can be extremely tempting for cybercriminals, especially when such data may contain a company s proprietary information and trade secrets or customer financial data. Data security breaches can result in serious legal consequences and reputational damage for companies, often more severe than those caused by breaches of traditional data. For example, the data breach of Target Corp., the consumer products giant, was estimated to have cost the company more than $1 billion in fines and remedial damages in addition to the unquantified damage to the company s reputation.[4] According to a 2012 "Data Breach Investigations Report" by Verizon, 91 percent of breaches led to compromises of data within days or less, where as 79 percent took a week or more to discover.[5] As evident by these statistics, the continued expansion of big data usage appears to be outpacing traditional security mechanisms and firewalls, which are designed for small-scale static data and may potentially become inadequate to thwart complex big data security treats. However, due to the infancy

3 of the development of big data security regimes, companies are often left searching for guidance for big data management. Nevertheless, rising expectations for corporate data security in conventional data processing make understanding the collection, processing and security of personal information paramount. In February 2014, the National Institute of Standards and Technology published the Framework for Improving Critical Infrastructure Cybersecurity. While the NIST Framework provides traditional guidance for data collection and combating cybersecurity and data breaches, it does not specifically address the myriad of issues unique to big data collection and management. In the absence of mature tools for securing big data, companies should endeavor to keep all data as safe as possible. Whether self-managed or managed by a third-party provider, companies should develop internal processes to understand all data types collected and used in their business operations. In light of the lack of standardized best practices for big data management, at a minimum companies should consider the following NIST guidance when evaluating their respective data collection, use and privacy policies: Privacy and civil liberties implications may arise when personal information is used, collected, processed, maintained, or disclosed in connection with an organization s cybersecurity activities [,] activities that bear privacy or civil liberties considerations may include: cybersecurity activities that result in the over-collection or over-retention of personal information; disclosure or use of personal information unrelated to cybersecurity activities; cybersecurity mitigation activities that result in denial of service or other similar potentially adverse impacts...to address privacy implications, organizations may consider how[] their cybersecurity program might incorporate privacy principles such as: data minimization in the collection, disclosure, and retention of personal information material related to the cybersecurity incident; use limitations outside of cybersecurity activities on any information collected specifically for cybersecurity activities; transparency for certain cybersecurity activities; individual consent and redress for adverse impacts arising from use of personal information in cybersecurity activities; data quality, integrity, and security; and accountability and auditing. While companies typically collect at least limited data from their own customers, more traditional big data management and analytic services are generally provided by third-party providers. If a third party provides big data management products and/or services to a company, including collection, storage and/or analysis, it is critical for a company/subscriber to ensure that such providers have satisfactory data protections in place. Companies using cloud providers for big data management and analytics should consider at a minimum negotiating the following data safety provisions in their respective service agreements: Ownership: Contracts for big data cloud-based services should establish ownership of the data at the inception of the project. Ownership should be negotiated by the parties at the onset of the contracting process, as well as the guidelines for return or destruction of such data upon termination of the applicable services agreement. Access Control: Companies should ensure they are developing a robust access control policy that limits access to its data. While seemingly obvious, contract provisions that restrict access to a company s data to persons solely on a need to know basis are not always standard. Companies should further inquire whether access to their data is monitored in real time. To the extent feasible, companies should require such real-time data monitoring to reduce the risks of prolonged data breaches. Additionally, for both self-managed and third-party subscription-

4 based big data management, companies should ensure implementation of continuous monitoring of all users accessing their data and require rights to review such logs. Security Audits: Companies should also insist that their respective service providers perform intermittent internal security audits of their data management systems and/or allow the company to engage independent third-party auditors. Awareness of cybersecurity attacks requires continuous collection and review of audit information. As stated by the Cloud Security Alliance, [a]udit information is crucial to understanding what happened and what went wrong. It is also often necessary for a company s compliance with industry regulations. Because of the importance of security audits, some security professionals recommend including liquidated damages provisions in subscription and services agreements if appropriate security standards are not met. Companies should further require that providers enter into ongoing covenants to provide reports regarding compliance with industry-based security frameworks (e.g. ISO 27001, AICPA SOC2). In-house management of big data is often a viable option, but it too presents increasing risk. Numerous requirements ranging from compliance with multijurisdictional data privacy regulations and network and data encryption standards are just a few of the complex challenges companies must fully appreciate when self-managing big data. To mitigate these risks, companies that manage their own big data project should consider integrating and/or enhancing the following mechanisms in their big data management strategies: Data Encryption/Anonymization: Prior to data being uploaded to the cloud for storage or analysis, it should be anonymized so that any personal identifiers belonging to individuals should be removed from the data sets. A subset of big data data mining, privacy preserving data mining, also known as PPDM, is a recently developed strategy designed to safeguard sensitive information from unsolicited or unsanctioned disclosures, while preserving the utility of the data collected from consumers. According to guidance provided by the Institute of Electrical and Electronics Engineers in its 2014 white paper entitled Information Security in Big Data, the hallmarks of PPDM includes (1) shielding sensitive raw data such as an individual s phone number and social security number from direct use in data analytics, and (2) excluding from sensitive analytical results from use if their disclosure will result in privacy violations. Companies should seek PPDM methods for data analytics when feasible. Data encryption is also essential prior to uploading and/or analyzing big data in the cloud. Network and System Encryption and Security: While encryption of internal networks and systems may appear obvious, the sheer volume of data hosted on the computers of companies who collect consumer data places additional emphasis of the need for improved security and encryption of both software and hardware systems hosted on internal company networks. At a minimum, companies should ensure that all servers hosting big data are secure, that all networked software and patches are up to date and that only secure and/or commercial versions of open-source software are used, if any. Additionally, companies should limit administrative privileges to their big data to a small group of users. Logging: Logging of user access to company data and systems is also highly recommended. It is important to recognize that cyberattacks may not always originate from outside a company s firewalls. While research suggests that most security breaches are detected by third parties and

5 not the affected companies, it has reported that up to 84 percent of such breaches could have been discovered by reviewing available systems logs.[6] Monitoring access to a company s systems by logging both internal and external users may help reduce the possibility of a data compromise. Such access logs should be audited regularly to determine if any malicious operations have been performed or if any malicious users are manipulating company data. While the above recommendations are not intended to be exhaustive, they should provide a good baseline for integrating security at the core of all big data management strategies. By Hilary Preston and Lavonne Hopkins, Vinson & Elkins LLP Hilary Preston is a partner in Vinson & Elkins' New York office. Lavonne Hopkins is an associate in the firm's Houston office. The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice. [1] Cloud Security Alliance, Expanded Top Ten Big Data Security and Privacy Challenges, April [2] [3] [4] [5] [6]