Big Data Security and Privacy



Similar documents
BUSINESS ASSOCIATE AGREEMENT

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER

A Websense Research Brief Prevent Data Loss and Comply with Payment Card Industry Data Security Standards

Secure Data Transmission Solutions for the Management and Control of Big Data

Who Am I? Mark Cusack Chief Architect 9 years@rainstor Founding developer Ex UK Ministry of Defence Research InfoSec projects

Sample Business Associate Agreement Provisions

BUSINESS ASSOCIATE AGREEMENT HIPAA Omnibus Rule (Final Rule)

White Paper Achieving HIPAA Compliance through Security Information Management. White Paper / HIPAA

Law Firm Cyber Security & Compliance Risks

HIPAA PRIVACY AND SECURITY AWARENESS

White Paper Achieving PCI Data Security Standard Compliance through Security Information Management. White Paper / PCI

Security Information Lifecycle

BUSINESS ASSOCIATE AGREEMENT. Recitals

Iowa Student Loan Online Privacy Statement

HIPAA Omnibus & HITECH Rules: Key Provisions and a Simple Checklist.

Check In Systems. Software Usage Agreement

Presentation for : The New England Board of Higher Education. Hot Topics in IT Security and Data Privacy

White Paper Achieving GLBA Compliance through Security Information Management. White Paper / GLBA

THE DARWINISM OF BIG DATA SECURITY THROUGH HADOOP AUGMENTATION SECURITY MODEL

HIPAA PRIVACY AND SECURITY AWARENESS. Covering Kids and Families of Indiana April 10, 2014

DISCOVERING AND SECURING SENSITIVE DATA IN HADOOP DATA STORES

Hadoop. MPDL-Frühstück 9. Dezember 2013 MPDL INTERN

White Paper. Document Security and Compliance. April Enterprise Challenges and Opportunities. Comments or Questions?

Document Imaging Solutions. The secure exchange of protected health information.

Strategic Plan On-Demand Services April 2, 2015

NOTICE OF PRIVACY PRACTICES OF THE GROUP HEALTH PLANS SPONSORED BY ACT, INC.

Achieving Compliance with the PCI Data Security Standard

Ensure PCI DSS compliance for your Hadoop environment. A Hortonworks White Paper October 2015

INDUSTRY BRIEF DATA CONSOLIDATION AND MULTI-TENANCY IN FINANCIAL SERVICES

M E M O R A N D U M. Definitions

Big Data, Big Risk, Big Rewards. Hussein Syed

PRV - Reporting a Health Insurance Portability Accountability Act (HIPAA) Incident to the Contract Administration Office (CAO)

PCI Compliance for Cloud Applications

STATE OF NEVADA DEPARTMENT OF HEALTH AND HUMAN SERVICES BUSINESS ASSOCIATE ADDENDUM

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc.

Cloud security architecture

Privacy & Security Matters: Protecting Personal Data. Privacy & Security Project

Infomatics. Big-Data and Hadoop Developer Training with Oracle WDP

IBM InfoSphere Guardium Data Activity Monitor for Hadoop-based systems

White Paper. HIPAA-Regulated Enterprises. Paper Title Here

Fighting Cyber Fraud with Hadoop. Niel Dunnage Senior Solutions Architect

Why Encryption is Essential to the Safety of Your Business

SUPPLIER SECURITY STANDARD

HIPAA Compliance & Privacy. What You Need to Know Now

PCI Compliance: How to ensure customer cardholder data is handled with care

Deploying Hadoop with Manager

Purpose. Service Model SaaS (Applications) PaaS (APIs) IaaS (Virtualization) Use Case 1: Public Use Case 2: Use Case 3: Public.

Privacy & data protection in big data: Fact or Fiction?

Data Breach Notification Burden Grows With First State Insurance Commissioner Mandate

Sample Business Associate Agreement (4. Other Bus. Assoc., Version )

Anatomy of a Health Care Data Breach (a.k.a. Breaches, Breaches, and More Breaches)

SAMPLE BUSINESS ASSOCIATE AGREEMENT

Varonis Systems & The Payment Card Industry Data Security Standard (PCI DSS)

Managed File Transfer

Threat Modeling a SharePoint Application: An exploratory exercise in preventing data breaches and theft.

Protecting Privacy & Security in the Health Care Setting

Privacy Policy. Introduction. Scope of Privacy Policy. 1. Definitions

Compliance Management, made easy

Overview of the HIPAA Security Rule

Secure Thinking Bigger Data. Bigger risk?

Chicagoland Burger Build Off Privacy Policy

TAMING THE BIG CHALLENGE OF BIG DATA MICROSOFT HADOOP

Best Practices for a Healthcare Data Breach: What You Don t Know Will Cost You

The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions

Data Security Breaches: Learn more about two new regulations and how to help reduce your risks

Reining In SharePoint

Healthcare Insurance Portability & Accountability Act (HIPAA)

White paper. The Big Data Security Gap: Protecting the Hadoop Cluster

2/9/ HIPAA Privacy and Security Audit Readiness. Table of contents

EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy )

My Docs Online HIPAA Compliance

SaaS. Business Associate Agreement

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know

Securing SharePoint 101. Rob Rachwald Imperva

EXHIBIT 2. CityBridge Privacy Policy. Effective November 4, 2014

BUSINESS ASSOCIATE AGREEMENT

When it Comes to Monitoring and Validation it Takes More Than Just Collecting Logs

How to Secure Your SharePoint Deployment

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule

HIPAA and HITECH Compliance for Cloud Applications

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

Remote Access to a Healthcare Facility and the IT professional s obligations under HIPAA and the HITECH Act

Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE

DHHS Information Technology (IT) Access Control Standard

HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI

Cloud Computing: Legal Risks and Best Practices

COMPLIANCE ALERT 10-12

Privacy Policy Version 1.0, 1 st of May 2016

Checklist for HIPAA/HITECH Compliance Best Practices for Healthcare Information Security

MASSIVE NETWORKS Online Backup Compliance Guidelines Sarbanes-Oxley (SOX) SOX Requirements... 2

<Choose> Addendum Windows Azure Data Processing Agreement Amendment ID M129

From Terabytes to Exabytes, A paradigm Shift in Big Data Modeling, Analytics and Storage management for Healthcare and Life Sciences Organizations

Identifying Broken Business Processes

Contact: Henry Torres, (870)

HIPAA Security Rule Compliance

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

HIPAA BUSINESS ASSOCIATE AGREEMENT

Secure Cloud Computing Concepts Supporting Big Data in Healthcare. Ryan D. Pehrson Director, Solutions & Architecture Integrated Data Storage, LLC

Transcription:

Big Data Security and Privacy Kevin T. Smith, Novetta Solutions AFCEA CyberSecurity Symposium 2014 June 25, 2014 Ksmith <AT> Novetta.com KevinTSmith <AT> Comcast.Net

Big Data With the increase of computing power, electronic devices & accessibility to the Internet, more data than ever is being produced, collected and transmitted. Interesting Facts*: Facebook Collects 250 Terabytes a Day Digital Data Production worldwide doubled in 2009 to 1 zettabyte (1 million petabytes) Worldwide digital production is expected to reach 7.9 zettabytes in 2015 And 35 Zettabytes in 2020 Organizations have recognized the power of data analysis, but are struggling to manage the massive amounts of information they have. *Stats from Thompson Reuters & InfoQ, http://www.infoq.com/news/2013/12/hadoopusage

Securing Big Data Why Should We Care? Regulatory, Access Control & Releasability Concerns Regulatory - Many Organizations required to enforce access control & privacy restrictions on data sets (HIPAA, Privacy Laws) or face steep penalties and fines Access Control - U.S. Government organizations are required to provide access control based on Need-to-Know, & Formal Authorization Credentials Releasability - Big Data brings new challenges related to data management & organizations are struggling to understand what results they can release without unintentionally disclosing information Insider Threat / Threats on Availability How do you control access to your analytics? Many deployments are unsecured Your data is only a distributed delete away Mismanagement of Data Sets & Breaches are Costly AOL Research Data Valdez Incident Listed as one of CNN/Money s Dumbest Moments in Business : $5M Settlement + $100 to each member at the time + $50 to any member concerned Netflix Contest & Anonymized Data Set Class Action Lawsuit, $9M Settlement Playstation (2011) Experts predict costs to Sony between $2.4 and $2.6 Billion *Ponemon Institute, Cost of Data Breach Study: Global Analysis, May 2013

What makes Securing Big Data Different? Unique Challenges to Big Data Analytics Distributed Security: When Data and Processing are distributed to a cluster, there are lots of moving parts to secure related to confidentiality, integrity, and availability. This often leads to complexity related to the development & configuration of security on these systems. Combination of Different Sources: Big Data Analytics Solutions are great at bringing many data sources together & doing analytics on their combination. Given that each data source may have its own access control security policy, how do you enforce security policies on the combination of these data sources? Aggregation & Differential Privacy: When you combine different sources of data, you may discover connections between those data sources that may disclose more information that you intended, potentially violating access control and privacy policies. Unintended Deduction from Large Data Sets: Data sets are typically so large, that it is often difficult to determine what may be deduced from them that may disclose sensitive information.

Deduction & Differential Privacy Example Could a data analyst working for Commissioner Gordon deduce that Batman is Bruce Wayne?

To Complicate the Matter Most Data Analytics Tools were designed without Security In Mind. Example: Apache Hadoop Originally No Security Model No authentication of users or services Anyone can submit arbitrary code to be executed Anyone could add data to or delete data from, or read data from distributed file system You could write a service that impersonated a Hadoop service. Later, after authorization was added, user impersonation = command line switch 2009 Yahoo! Security Retrofit Resulting Security Model is Complex Configuration is Complex No Data at Rest Encryption Kerberos-Centric Limited Authorization Capabilities Easy to Mess Up if You Don t Know What You are Doing Things Are Changing, But They are Changing Slowly! An Alphabet Soup of Secure Distributions, Vendor Add-Ons & Security Focused-Companies Companies releasing Hadoop Distros are taking Security Seriously (See recent press releases - Cloudera: Gazzang, HortonWorks XASecurity) Much activity in open source movements like Project Rhino & projects like Apache Sentry

All Security Needs to be Policy-Driven

Air Gap & Isolation Approaches - Network Isolation in various forms is used in lieu of security in closed networks - Import/Export is problematic - Accidents may still happen - Does not solve issues related to diff. privacy AuthZ issues

Augmenting Analytic Security with Other Tools Ex: Apache Accumulo Find your analytics tools limitations & complement your solution with other tools and libraries. Example here shows building a security layer over Hadoop Cell-Level Access Control via visibility By default, uses its own db for users & credentials Can be extended in code to use other Identity & Access Management Infrastructure

Differential Privacy & Deduction Many approaches are in the Academic Sphere Cynthia Dwork from Microsoft Research is one of the leading researchers Lots of University Work Lots of Math involved. I m involved in more practical solutions (but no Math) Determining Access Control Policies up Front & Applying that Policy Determining Entities that Should not Resolve (Batman + Bruce Wayne) & including this in the security of the system Sometimes this involved an aggregation filter component to prevent the resolution of entities We will still need to follow the academic research in this area.

Final Thoughts General Guidance Every Security Approach Is Different Security is a Journey, Not a Destination Know Your Security Requirements Understand your security requirements & policies related to access to data Know The Security Policies of Your Data: Understand the security policies of your data so that you can enforce them Know Your Tools & Their Limitations Understand, from an in-depth perspective, how to successfully meet your security goals Understand the limitations of your tools & augment your solutions with other approaches Understand the Unique Challenges of Big Data Security Combination of Different Sources & Resulting Policies Aggregation and Differential Privacy (Netflix Contest) Unintended Disclosure (The Batman Problem)

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information