Big Data Privacy and Security Fundamentals
Florian van Keulen
Principal Consultant
BDS – Cloud & Security
TE 09.2016 - BigData Privacy & Security Fundamentals, 09.09.2016
Florian van Keulen, Principal Consultant – Cloud & Security
§ More than 15 years of IT experience
§ Trivadis security officer (SiBe | Security Officer)
§ Discipline Manager “Infrastructure Security”
§ Program Manager “Cloud Computing”
Experience:
§ Security concept & review, Azure private cloud infrastructure & RemoteApp services (Axpo Trading)
§ Securing Azure IoT infrastructure & Azure deployment automation (IWB)
§ Security concept for a cloud collaboration platform in the healthcare sector
§ Security review of a remote access & VDI environment, private bank
Areas of expertise:
§ Cloud and infrastructure security
§ Identity and access management
§ Remote access solutions
§ Cloud security consulting
§ Data protection and information security management
§ Security design and analyses
§ Microsoft Azure security solutions
…New environments bring not only risks but also security opportunities, if you know how to handle them properly. Question critically, rethink, understand and adapt – use Big Data “securely”! Florian v. Keulen
Other:
§ Certified IT security officer
§ Cloud risk assessments
§ Cloud readiness assessments
§ IT security officer (SiBe) activities, internally and for customers
§ Consulting on IAM and identity federation in cloud environments
Agenda
1. BigData Privacy & Security - Challenges
   What is BigData | Data Breaches | Motivation | Top Challenges
2. Privacy & Data Protection Regulation
   PII | EU-GDPR | Privacy by Design
3. Security (Information Security)
   Security Controls | Best Practices
4. Putting it together
BigData Privacy & Security Challenges
Big Data Definition (4 Vs)
+ Time to action? – Big Data + Real-Time = Stream Processing
Characteristics of Big Data: its Volume, Velocity and Variety in combination
Trivadis Architecture Canvas for Analytical Applications
[Figure: architecture canvas with the areas Data Sources, Data Acquisition, Data Management, Information Provisioning, Consumer, Governance (including Security & Privacy) and Organisation]
Big Data Ecosystem – many choices ….
Top 8 Laws of Big Data
1. The faster you analyze your data, the greater its predictive value
2. Maintain one copy of your data, not dozens
3. Use more diverse data, not just more data
4. Data has value far beyond what you originally anticipate
5. Plan for exponential growth
6. Solve a real pain point
7. Put data and humans together to get the most insight
8. Big Data is transforming business the same way IT did
Source: thebigdatagroup.com
Data Breaches
http://www.Conjur.net/breache
Data Breaches
Verizon Data Breach Investigation Report
89% of breaches had a financial or espionage motive
No locale, industry or organization is bulletproof when it comes to the compromise of data
New vulnerabilities come out every day
63% of confirmed data breaches involved weak, default or stolen passwords.
http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/
Motivation for Privacy & Security in BigData
The bigger your data, the bigger the target
Data theft is a rampant and growing area of crime
Stricter Data Protection pushed by regulations
The only real way to save money and keep security costs low is to take preventive steps to avoid common vulnerabilities and to minimize their impact.
Care must be taken at every step of a big data project to ensure you don’t stumble into pitfalls which could lead to wasted time and money, or even legal trouble.
Top Ten Big Data Security & Privacy Challenges (CSA)
1. Secure computations in distributed programming frameworks
2. Security best practices for non-relational data stores
3. Secure data storage and transactions logs
4. End-point input validation/filtering
5. Real-Time Security Monitoring
6. Scalable and composable privacy-preserving data mining and analytics
7. Cryptographically enforced data centric security
8. Granular access control
9. Granular audits
10. Data Provenance
https://cloudsecurityalliance.org/media/news/csa-releases-the-expanded-top-ten-big-data-security-privacy-challenges/
Privacy & Data Protection Regulations
“Privacy” vs “Data Protection”?
BD-PSF - BigData Privacy & Security Fundamentals, 20.06.2016
Is there a Difference?
Yes: country-specific (US = Privacy | EU = Data Protection)
Data Protection: Protect against unauthorised access
Data Privacy: authorized access
Technical vs Legal
When does “Privacy” apply?
Whenever data is:
Collected
Processed
Stored
… which relates to a living individual person who can be identified by that data.
In “Data Protection” regulations:
“personal identifiable information” (PII)
“sensitive personal information” (SPI)
Personally Identifiable Information (PII)
… means data which relate to a living individual who can be identified
from those data, or
from those data and other information which is in the possession of the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
“Sensitive Personal Information” (SPI)
… is PII data, consisting of Information as to:
the racial or ethnic origin of the data subject,
his political opinions,
his religious beliefs or other beliefs of a similar nature,
whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),
his physical or mental health or condition,
his sexual life,
the commission or alleged commission by him of any offence
National Data Protection Regulations
DE, AT and CH have similar national Data Protection regulations (BDSG / DSG)
Regulates protection of the person's privacy
Data protection principles must be met
Transfer to 3rd party only with a legal contract regulating the use of PII data.
Fines are up to 300000 EUR for non-compliance with the law
Data protection principles
Fair and lawful
Purposes
Adequacy, not excessive
Accuracy
Retention
Rights of the Person
Security (Technical & Organisational Measures - TOM)
Transfer only with adequate level of protection
https://ico.org.uk/for-organisations/guide-to-data-protection/data-protection-principles/
EU GDPR – General Data Protection Regulation
A single law, the General Data Protection Regulation shall unify data protection within the European Union.
As a regulation it directly imposes a uniform data security law on all EU members.
The regulation aims to enhance privacy and strengthen data protection rights for EU citizens.
Agreed in May 2016 – effective mid-2018
EU GDPR – Key facts
Businesses not in the EU still have to comply if data from EU citizens is processed
Appointment of a DPO will be mandatory
Mandatory Privacy Risk impact assessment (PIA)
Data Breach Notification requirements
Data Minimization (right to erasure)
Data security (integrity & confidentiality)
Data Processors (Provider) have direct legal obligations
Privacy by design (compliance with the principles of data protection)
Must “implement appropriate technical and organisational measures” to ensure GDPR compliance
Fines up to 20.000.000 EUR or 4% of the company's annual turnover
Privacy by Design (enisa)
https://www.enisa.europa.eu/publications/big-data-protection
Is there not a conflict?
8 Laws of Big Data
1. Faster analysis
2. Maintain one copy, not dozens
3. More diverse data
4. Data has value far beyond…
5. Plan for exponential growth
6. Solve a real pain point
7. Put data and humans together to get the most insight
8. Big Data is transforming business
Privacy by design
1. Minimize
2. Hide
3. Separate
4. Aggregate
5. Inform
6. Control
7. Enforce
8. Demonstrate
Security controls
Top 10 best practices to enhance security and privacy of BigData (CSA):
1. Authorize access to files by predefined security policy
2. Protect data by data encryption while at rest
3. Implement Policy Based Encryption System (PBES)
4. Use antivirus and malware protection systems at endpoints
5. Use big data analytics to detect anomalous connections to cluster
6. Implement privacy preserving analytics
7. Consider use of partial homomorphic encryption schemes
8. Implement fine grained access controls
9. Provide timely access to audit information
10. Provide infrastructure authentication mechanisms
https://downloads.cloudsecurityalliance.org/initiatives/bdwg/Comment_on_Big_Data_Future_of_Privacy.pdf
Mitigation measures and good practices (enisa)
Strong and scalable encryption
Encrypt data in transit and at rest, to ensure data confidentiality and integrity.
Ensure a proper encryption key management solution, considering the vast number of devices to cover.
Consider the timeframe for which the data should be kept - data protection regulation might require that you dispose of some data, due to its nature, after a certain period of time.
Design databases with confidentiality in mind – for example, any confidential data could be contained in separate fields, so that they can be easily filtered out and/or encrypted.
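The last two points above (retention periods and confidential data kept in separate fields), as an added example that is not part of the original slides. The field names, the one-year retention period and the key are assumptions, and a keyed pseudonym (HMAC-SHA256) stands in for field encryption so that the sketch runs with the standard library only.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Constructed schema: which fields of a record are confidential (assumption).
CONFIDENTIAL_FIELDS = {"name", "email", "diagnosis"}
RETENTION = timedelta(days=365)                   # assumed retention period
PSEUDONYM_KEY = b"demo-key-keep-in-a-key-store"   # placeholder, not a real key


def split_record(record):
    """Separate a record into an analytics part and a confidential part."""
    public = {k: v for k, v in record.items() if k not in CONFIDENTIAL_FIELDS}
    confidential = {k: v for k, v in record.items() if k in CONFIDENTIAL_FIELDS}
    return public, confidential


def pseudonym(value, key=PSEUDONYM_KEY):
    """Keyed pseudonym: a stable join key that is not reversible without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def prepare_for_analytics(record, today):
    """Return the analytics row, or None when the retention period has passed."""
    if today - record["collected"] > RETENTION:
        return None                               # dispose instead of processing
    public, confidential = split_record(record)
    public["subject_id"] = pseudonym(confidential["email"])
    return public


# Constructed sample data.
RECORDS = [
    {"name": "A. Example", "email": "a@example.org", "diagnosis": "flu",
     "region": "Basel", "visits": 3, "collected": date(2016, 6, 1)},
    {"name": "B. Example", "email": "b@example.org", "diagnosis": "none",
     "region": "Bern", "visits": 1, "collected": date(2014, 1, 15)},
]

if __name__ == "__main__":
    for rec in RECORDS:
        print(prepare_for_analytics(rec, today=date(2016, 9, 9)))
```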
Application security
Use regular security testing procedures to reassure the level of security, especially after patches or functionality changes.
Ensure tamper-resistant devices to avoid misuse.
Ensure internal security testing procedures for new and updated components are carried out regularly; if that is not possible, third-party evaluations, audits and certification are key elements for the confidence and trust in products and actors.
Ensure procurement policies cover purchasing from authentic suppliers.
Standards and Certification
Use devices which comply with desired security standards.
Ensure obtained certification relates to the use of Big Data.
Secure use of Cloud in Big Data
Ensure Big Data is included in the risk assessment for Cloud.
Ensure proper Service Level Agreements have been adopted.
Ensure proper resource isolation and exit strategies have been negotiated
Source filtering
Use devices with authentication capabilities to ensure that validation of endpoint sources is possible
Assign confidence levels on the endpoint sources
Re-evaluate confidence levels of the endpoints regularly, especially after patches or changes in firmware
If confidence in endpoint source
Access control and authentication
Use authentication and authorization to ensure that Big Data queries are executed by authorized users and entities only
Use components in the Big Data system that follow the same security standards to maintain the desired level of security
Big Data monitoring and logging
Enable logging on nodes participating in the Big Data computation
Enable logging on databases (relational or not), as well as Big Data applications
Detect and prevent modification of logs
Regularly test the restoration of Big Data backups considering the vast amount of data being used in the system
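One way to make log modification detectable, as an added example that is not part of the original slides: each record carries an HMAC over its content and the previous record's MAC, so an edited or dropped record breaks the chain. The key, node names and events are constructed, and the key is assumed to be held by a log collector rather than by the nodes being logged.

```python
import hashlib
import hmac
import json

CHAIN_KEY = b"demo-key-held-by-the-log-collector"  # placeholder (assumption)
GENESIS = "0" * 64


def _mac(prev_mac, entry, key):
    """MAC over the previous link and the canonical JSON of this entry."""
    payload = prev_mac.encode() + json.dumps(entry, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append(log, entry, key=CHAIN_KEY):
    """Append an entry, chaining it to the MAC of the previous record."""
    prev = log[-1]["mac"] if log else GENESIS
    log.append({"entry": entry, "mac": _mac(prev, entry, key)})


def first_tampered(log, key=CHAIN_KEY):
    """Return the index of the first record that fails verification, or None."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if not hmac.compare_digest(rec["mac"], _mac(prev, rec["entry"], key)):
            return i
        prev = rec["mac"]
    return None


def build_sample_log():
    """Constructed audit events from a hypothetical cluster node."""
    log = []
    append(log, {"node": "worker-1", "user": "etl", "action": "read /raw/customers"})
    append(log, {"node": "worker-1", "user": "alice", "action": "query pii.customers"})
    append(log, {"node": "worker-2", "user": "etl", "action": "write /std/customers"})
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print(first_tampered(log))           # intact chain
    log[1]["entry"]["user"] = "etl"      # edit a record after the fact
    print(first_tampered(log))
    del log[1]                           # or drop it entirely
    print(first_tampered(log))
```

Removing records from the end of the log is not detected by the chain alone; the collector also needs the latest MAC or a record count stored somewhere the writer cannot change.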
Putting it Together
Privacy & Security is an important subject
Each BigData project has to take security into account
The earlier the better – later changes are costly
The new EU-GDPR significantly changes the importance (and also the risk of not complying)
Traditional security controls also apply to BigData, but might be challenging
Security standards for BigData are slowly getting established
We have to look closely at technology vendors and their functionalities… compliance requirements might affect the vendor selection
Big Data & Data Science
Advanced Analytics
§ Data Mining
§ Semantic Web
§ Visualization
Big Data & Data Scientist Trainings
Big Data Consulting & Managed Services
Large & Speedy Data
§ Hadoop Ecosystem
§ NoSQL DBs
§ Event Hubs & Streaming Analytics
§ Unified Query (RDBMS ⇔ Big Data)
§ DWH Archive
§ Internet of Things
Big I Data I Warehouse
§ Convergence of BI & Big Data
§ LDW Logical Data Warehouse
Big Data Privacy & Security