Today’s top CIOs need to look around the corner of security. Navigating Big Data Security waters takes agility of thinking, strategy, insight and philosophy.
Davi Ottenheimer, EMC Senior Director of Trust, has more than twenty years’ experience managing global security operations and assessments, including a decade of leading incident response and digital forensics. He is co-author of the book “Securing the Virtual Environment: How to Defend the Enterprise Against Attack,” published in May 2012 by Wiley.
An expert in compliance, he was a qualified PCI DSS and PA-DSS assessor (QSA and PA-QSA) with K3DES, and a former Board Member for the Payment Card Industry Security Alliance and the Silicon Valley chapters of ISACA and OWASP. He is a frequent top-rated public speaker and has been quoted in or has written articles on security, risk management and compliance for publications including Compliance Week, Search Security, Bank Info Security, Network World, Red Herring, Chain Store Age, Inc, Reuters and SC Magazine.
He formerly was responsible for security at Barclays Global Investors (BGI), the world’s largest investment fund manager (now BlackRock). Prior to BGI he was a “dedicated paranoid” at Yahoo! and responsible for managing security for hundreds of millions of mobile, broadband and digital home products. Davi received his postgraduate academic Master of Science degree in International History from the London School of Economics.
He has a great presentation on the topic from the 2014 RSA Conference: “Securing the Big Data Ecosystem.”
We reviewed Big Data Security as it relates to:
- Cars and Airplanes
- Small Pox and Cholera
- Waste Water Analysis of Cities
- Looking for Needles within Needles
- Appropriate perimeter defense
- How a CIO can review Big Data systems along a maturity curve of three steps:
  - Artisan – craftsman products
  - Industrial – cheaper, faster, more accessible
  - Environmental – inexpensive and available
Big Data PCI Compliance – Key Steps
- Building Perimeters
- Davi shares the importance of checklists versus intelligent analytics of threats
- Logging is essential – must have a great jump box
- Be careful with automation without rogue process controls
- Must have “command review” capability
- Authentication is the weakest step now for Big Data Security
- One must be able to identify rogue processes
- Functionality of Hadoop and replication raises High Availability capabilities
- Add tighter PCI authentication controls, since authentication is the key
- Put processing on existing infrastructure for better performance
Big Data Security is a concern because of 1) Insider Threats and 2) Management Threats
The focus becomes as much about surveillance, since impersonation is the chief exposure to system security. The ‘bad actor’ can impersonate a trusted person, for example one with top-level access to key systems.
We dive into many concepts related to why you can’t limit gathering data and at the same time expect to find security correlations between systems or people. You will learn why Data De-Identification is so important to understand with Big Data Security, and why it doesn’t work!
- The relationship of cholera and big data [:08]
- Looking for the needle within the needle [2:33]
- ERM (Easy Routine & Minimal judgment) vs. the ICEA (or IKEA) model [4:30]
- “…But in your presentation, you were saying from this IKEA model that you really need a lot of data points because you’re never sure of the correlations between the different end points…” [5:25]
- “…I’ve found that one of the struggles is, the answers are right there for you if you just open your mind a little bit, open your eyes you can find the answers you’re looking for. They’re staring you in the face.” [7:28]
- “So the question is can you get to a model where when you’re in an emergency state, people are dying, can you open up and look at information necessary?” [8:26]
- “Ultimately, maybe you would have to break it down to an actual individual level. In theory would you have to be able to go that close down to have an appropriate perimeter?” [9:09]
- The control systems of cars vs. airplanes [10:15]
- The Checklist concept – Travel in a car like people fly on a plane [12:30]
- How can a CIO handle the risk inherent with governing the data, not only on their own networks, but data that’s distributed? [13:20]
- The 3 phases of vendors [14:54]
- How can a CIO evaluate which phase a vendor is in, in order to make an informed decision? [16:44]
- “I don’t want to be a car mechanic I just want to drive the car.” [18:31]
- “What has prompted you to look at the technical parts of this and develop these analogies, or metaphors with disease?” [19:45]
- A Runaway Process [21:00]
- De-Identification – “FEW CHARACTERISTICS NEEDED” – Latanya Sweeney, 2000 [22:40]
- “I think the real risk is, we don’t want to be the miasma folks” [26:38]
- Monitoring daily behaviors – a city by city analysis of waste water [27:53]
- “Don’t look at anything because it’s better to have no knowledge than have the risk of someone using for bad, or evil” [30:21]
- Passing a PCI Audit [30:28]
- The best place to learn more about Davi (http://www.flyingpenguin.com) [35:00]
- Hypervisor – Securing a virtual environment [35:33]
- Insider threat vs. Management threat [37:29]
About Bill Murphy
Bill Murphy is a world-renowned IT Security Expert dedicated to your success as an IT business leader.