The data security mess
A large fraction of my briefings this year have included a focus on data security. This is the first year in the past 35 that that’s been true.* I believe that reasons for this trend include:
- Security is an important aspect of being “enterprise-grade”. Other important checkboxes have been largely filled in. Now it’s security’s turn.
- A major platform shift, namely to the cloud, is underway or at least being planned for. Security is an important thing to think about as that happens.
- The cloud even aside, technology trends have created new ways to lose data, which security technology needs to address.
- Traditionally paranoid industries are still paranoid.
- Other industries are newly (and rightfully) terrified of exposing customer data.
- My clients at Cloudera thought they had a chance to get significant messaging leverage from emphasizing security. So far, it seems that they were correct.
*Not really an exception: I did once make it a project to learn about classic network security, including firewall appliances and so on.
Certain security requirements, desires or features keep coming up. These include (and as in many of my lists, these overlap):
- Easy, comprehensive access control. More on this below.
- Encryption. If other forms of security were perfect, encryption would never be needed. But they’re not.
- Auditing. Ideally, auditing can alert you to trouble before (much) damage is done. If not, then it can at least help you do proactive damage control in the face of a breach.
- Whatever regulators mandate.
- Whatever is generally regarded as best practices. Security “best practices” generally keep enterprises out of legal and regulatory trouble, or at least minimize same. They also keep employees out of legal and career trouble, or minimize same. Hopefully, they even keep data safe.
- Whatever the government is known to use. This is a common proxy for “best practices”.
More specific or extreme requirements include:
- Security certifications.
- Ways for enterprises to always hold their own encryption keys, even for cloud data.
- Value/label-based security.
- Isolation of audit logs onto separate (and separately-protected) systems.
- Keeping data out of SaaS vendors’ control altogether.
I don’t know how widely these latter kinds of requirements will spread.
The most confusing part of all this may be access control.
- Security has a concept called AAA, standing for Authentication, Authorization and Accounting/Auditing/Other things that start with “A”. Yes — even the core acronym in this area is ill-defined.
- The new standard for authentication is Kerberos. Or maybe it’s SAML (Security Assertion Markup Language). But SAML is actually an old, now-fragmented standard. But it’s also particularly popular in new, cloud use cases. And Kerberos is actually even older than SAML.
- Suppose we want to deny somebody authorization to access certain raw data, but let them see certain aggregated or derived information. How can we be sure they can’t really see the forbidden underlying data, except through a case-by-case analysis? And if that case-by-case analysis is needed, how can the authorization rules ever be simple?
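The aggregate-versus-raw-data question in the last bullet, as an added example (not from the original post): a hypothetical gateway that returns only salary sums over groups of at least three rows, run first with that size rule alone and then with a pairwise overlap audit. The table, `MIN_GROUP` and all names are constructed for illustration.

```python
# Constructed sample rows: (name, department, gender, salary). All values invented.
ROWS = [
    ("ana", "eng", "F", 120), ("bo", "eng", "M", 100),
    ("cy", "eng", "M", 110), ("di", "eng", "M", 90),
    ("ed", "ops", "M", 80), ("fay", "ops", "F", 85),
]
MIN_GROUP = 3  # hypothetical policy: no aggregate over fewer than 3 rows


class AggregateGateway:
    """Answers SUM(salary) only; raw rows are never returned to the caller."""

    def __init__(self, rows, audit_overlap=False):
        self.rows = rows
        self.audit_overlap = audit_overlap
        self.answered = []  # row-index sets of the queries already answered

    def sum_salary(self, predicate):
        qset = frozenset(i for i, r in enumerate(self.rows) if predicate(r))
        if len(qset) < MIN_GROUP:
            raise PermissionError("group smaller than MIN_GROUP")
        if self.audit_overlap:
            for prev in self.answered:
                # Two answers whose row sets differ by only a few rows
                # jointly describe that small group, so refuse the second.
                if 0 < len(qset ^ prev) < MIN_GROUP:
                    raise PermissionError("too close to an earlier query")
        self.answered.append(qset)
        return sum(self.rows[i][3] for i in qset)


def implied_single_salary(gateway):
    """What two individually permitted sums imply about the one woman in eng.

    Returns the implied value, or None if the gateway refused a query.
    """
    try:
        all_eng = gateway.sum_salary(lambda r: r[1] == "eng")
        eng_men = gateway.sum_salary(lambda r: r[1] == "eng" and r[2] == "M")
    except PermissionError:
        return None
    return all_eng - eng_men


if __name__ == "__main__":
    print("size rule only:", implied_single_salary(AggregateGateway(ROWS)))
    print("with overlap audit:",
          implied_single_salary(AggregateGateway(ROWS, audit_overlap=True)))
```

The pairwise audit stops this two-query case, but it requires keeping query history and does not cover combinations of three or more queries, which is the case-by-case analysis the bullet describes.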
Further confusing matters, it is an extremely common analytic practice to extract data from somewhere and put it somewhere else to be analyzed. Such extracts are an obvious vector for data breaches, especially when the target system is managed by an individual or IT-weak department. Excel-on-laptops is probably the worst case, but even fat-client BI — both QlikView and Tableau are commonly used with local in-memory data staging — can present substantial security risks. To limit such risks, IT departments are trying to impose new standards and controls on departmental analytics. But IT has been fighting that war for many decades, and it hasn’t won yet.
And that’s all when data is controlled by a single enterprise. Inter-enterprise data sharing confuses things even more. For example, national security breaches in the US tend to come from government contractors more than government employees. (Ed Snowden is the most famous example. Chelsea Manning is the most famous exception.) And as was already acknowledged above, even putting your data under control of a SaaS vendor opens hard-to-plug security holes.
Data security is a real mess.
Edit (July 10, 2017): Matt Asay evidently agrees with this post, specifically in the context of Hadoop. 🙂
Comments
4 Responses to “The data security mess”
[…] Security and data privacy are ongoing (and increasing) concerns. […]
[…] Security is an ever bigger deal. […]
(I’m going to have to be vague because of the nature of the issues.)
I’ve been involved in producing responses to security questions and requirements from customers for many years. A couple of things characterize these interactions:
1. Almost all the requests completely miss the point. They ask for things that, if they had them, would not actually help their security; and they regularly miss very obvious issues.
2. There are very few standards in this area, so pretty much every response has to be created ab initio.
3. Where standards are emerging, they are longer, more detailed, more painful to fill in than the usual round of questions – but no better in actually protecting anything.
4. There’s little correlation between the quality of the security questions raised and the objective importance one might reasonably assign to security given the nature of the business, the kind of data it deals with, and the kind of data the system being purchased will deal with.
5. Pretty much every security requirement can be, and regularly is, worked around, waived, or just plain ignored when someone has decided the deal is going to go through.
I will say that there’s been a change in roughly the last year or so. For the first time, I’ve seen serious analyses of software, with carefully thought out issues raised and real requirements for fixes/ameliorations/ways to reasonably manage around things that can’t realistically be dealt with directly. The flood of serious security problems that have become public is finally beginning to have an impact in actual policy and implementation. It can make my job harder, but it’s good to see.
[…] In June I wrote about burgeoning interest in data security. I’d now like to […]