1. Understanding Big Data

Transcription

1 Big Data and its Real Impact on Your Security & Privacy Framework: A Pragmatic Overview Erik Luysterborg Partner, Deloitte EMEA Data Protection & Privacy leader Prague, SCCE, March 22 nd Deloitte Belgium - European Privacy Academy 2 Definition & Characteristics Big Data is the collection of large and complex data sets that are difficult to process using traditional database management tools or data processing applications. Big Data is the new raw material of business. The Economist BUT As Dan Ariely, Professor at Duke University said Big Data is like teenage sex: everyone talks about it, nobody really knows how to do it, everyone thinks everyone else is doing it, so everyone claims they are doing it Deloitte Belgium - European Privacy Academy 3 1

2 Definition & Characteristics Big Data generally refers to a set of technologies and initiatives involving data that is too fast changing (velocity), massive (volume) or too diverse (variety) for conventional technologies, skills and infrastructure to handle efficiently. Velocity 90% of the data in the world today has been created in the last 2 years Batch to streaming data Volume Every day, we create more then 2,5 quintillion bytes of data Terabytes to Zettabytes Variety Diversity of data sources and formats Structured to Semi-Structured to Unstructured Analytics on almost all types of data Virtualization architecture Often distributed large-scale (cloud) infrastructures 2016 Deloitte Belgium - European Privacy Academy 4 A different set up No one to one relationship of server to data storage Reliance on virtualization architecture, needed to be able to draw from large content stores and archives as a single global resource Big Data environments often rely on distributed large-scale (cloud) infrastructures a diversity of data sources and a high volume + frequency of data migration between different (cloud) environments 5 Big Data Analytics Collecting, organizing and analyzing Large sets of data Better decisions Competitive advantage To discover patterns and other useful information 6 2

3 Analytics Opportunities Big Data Analytics represents tremendous opportunities, both for the private and public sector : As a business asset: can serve to understand customers at a whole new level. To improve health care: can help deliver effective health care to patients faster and earlier (e.g. predictive medicine). To improve service: analytics can be used by governments to improve their citizens experience with administration by anticipating their needs. To strengthen security : Potential for new security insights and enhanced detection and prevention systems provided that the challenges and risks are properly mitigated 7 Gathering information Profile content Browser history Online surveys European Privacy Academy 8 Gathering information Geolocalisation Geolocalisation Many apps request the user s location in order to give more accurate search results (e.g. nearest restaurant or shop of a certain company) content The content of the s sent and received through Gmail are scanned by an automated software of Google. This information is then combined with other information of the Google profile of the users to display more relevant ads. European Privacy Academy 9 3

4 Gathering information Online surveys Data gathered through online surveys are used by companies to gain more insight about their clients (e.g. average age of people consuming their products) Browser history Several service providers combine the browsing history of an individual user with the knowledge gathered about other users following a similar browsing path to give more accurate search results or advertising (e.g. Amazon and FNAC s books suggestions, YouTube s videos suggestions, etc) Other sources European Privacy Academy data about the purchases made by a customer with its loyalty card, sensors in a car to determine the driving style of an individual, etc. 10 Big Data in perspective: General Data Protection Regulation Privacy by Design Privacy by Default Privacy Impact Assessment Records of Processing Activities Data Security of Processing Breach Notification Data Protection Officer 2016 Deloitte Belgium - European Privacy Academy Big Data vs. Security & Privacy 2016 Deloitte Belgium - European Privacy Academy 12 4

5 Big Data vs. Security & Privacy Privacy Challenges Accuracy Outsourcing/ Transfers Transparency Big Data User Rights Privacy by Design Lawfulness 13 Big Data vs. Security & Privacy Privacy Challenges Creating entirely new challenges we have not encountered before: Data linkages: Powerful analytics solutions can link data sets to reveal someone s lifestyle, consumer habits, social networks and more even if no single data set reveals this personal information. Profiling: the use of identifiable data to profile individuals in order to analyze, predict and influence their behaviour. 14 Big Data vs Security & Privacy Security Challenges BIG DATA TRADITIONAL SECURITY Access to huge volumes Difficult to protect and monitor Complex environments Lack of granular audit trails Variety of data Difficulty to verify access 15 5

6 Big Data vs. Security & Privacy Security Challenges Big Opportunities: Big Data is now often regarded as most critical enterprise asset, focusing attention on performance and collection of data, not security. Big Attackers: Big Data attracts a new class of hackers & attacks. Threat landscape has altered radically. 16 Big Data vs. Security & Privacy Opportunity example Using Big Data to analyse, predict and prevent security incidents Big Data provides the opportunity to consolidate and analyse logs automatically from multiple sources rather than in isolation Potential for new insights and enhanced detection and prevention systems through continual adjustment and effectively learning good and bad behaviours 17 Big Data vs. Security & Privacy Challenge example Securing the organisation and customers information Information classification and data ownership become more critical Encryption and access controls based on data attributes rather than storage environment 18 6

7 3. Conclusive remarks 2016 Deloitte Belgium - European Privacy Academy 19 Conclusive remarks From a classic data protection governance model to an agile one The Big Data security challenges will require a more agile security governance model including: More attention to detail :A holistic privacy/security strategy A migration from point products to a more unified security architecture Open and scalable Big Data security tools and approach A strengthening of SOC s (Security Operations Centre) data science skills A more extensive leverage on external threat intelligence A more pragmatic focus on (breach) incident as well as identity and access management 20 Conclusive remarks From a classic data protection governance model to an agile one In addition, a more agile governance model should address the main privacy challenges of Big Data: Invest in IT security governance, not only security products Manage the security/privacy paradox and use an integrated security/privacy approach (e.g. monitoring versus anonymization) Clearly define privacy (and security) responsibilities Ongoing monitoring and audits (eg privacy impact assessments) Focus on the obtaining consent of the data subject: opt-in, not opt-out Make sure that processing remains compatible with purpose of collection(eg secondary use issue) Engage in harmonization and standardization Transparency towards data subject regarding its (GDPR) rights 21 7

8 Conclusive remarks A holistic risk based approach across the (big) data lifecycle Effective data protection looks across the data lifecycle to allow an enterprise to tailor policy in a way that keeps information safe, yet available to those authorized to access it. Without knowing the lifecycle of data flowing through your organisation, it is impossible to be sure that it is all managed appropriately. Creating a personal data inventory and/or personal data flow maps will allow to understand and analyze the scope of privacy in your organization. Data lifecycle Specific risks General risks Retention & Collection Storage Use Sharing Destruction Inconsistent Distributed Improper Unnecessary Misuse methods storage access/sharing retention Inappropriate Data distributed Improper Accidental Partial deletion classification across network duplication loss Inappropriate Unnecessary Inappropriate thirdparty controls deletion Accidental Theft or breach security controls retention Classify: Inconsistent/unclear data classification scheme to understand the type of data that exists throughout the organization Discover: Insufficient understanding of where data is stored and how it is used Control: Lack of user awareness of individual and organizational responsibilities surrounding data protection Access: Unauthorized access to data across the data lifecycle Audit: Insufficient capability to audit the usage of data or monitor the effectiveness of implemented controls 2016 Deloitte Belgium - European Privacy Academy 22 Thank you for your attention Any questions? Erik Luysterborg Partner, CIPP BE Cyber Risk Services Leader EMEA Data Protection & Privacy Leader eluysterborg@deloitte.com Direct: Mobile: Deloitte Belgium - European Privacy Academy 23 Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ( DTTL ), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as Deloitte Global ) does not provide services to clients. Please see for a more detailed description of DTTL and its member firms. Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries and territories, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte s more than 200,000 professionals are committed to becoming the standard of excellence. This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the Deloitte Network ) is, by means of this communication, rendering professional advice or services. No entity in the Deloitte network shall be responsible for any loss whatsoever sustained by any person who relies on this communication For information, contact Deloitte Belgium 2016 Deloitte Belgium - European Privacy Academy 24 8