A major concern for organizations building big data analytical ecosystems is data security. One flaw of Hadoop/MapReduce and many NoSQL databases is weak security.
Apache Accumulo is an open-source, highly secure NoSQL database created in 2008 by the National Security Agency. It easily integrates with Hadoop, can securely handle massive amounts of structured and unstructured data - at scale cost-effectively - and enables users to move beyond traditional batch processing and conduct a wide variety of real-time analyses. Accumulo is a sorted, distributed key/value store based on Google's BigTable design. It is a system built on top of Hadoop, ZooKeeper and Thrift. Written in Java, Accumulo has cell-level access labels and server-side programming mechanisms.
Accumulo offers "Cell-Level Security" - extending the BigTable data model, adding a new element to the key called "Column Visibility". This element stores a logical combination of security labels that must be satisfied at query time in order for the key and value to be returned as part of a user request. This allows data of varying security requirements to be stored in the same table, and allows users to see only those keys and values for which they are authorized.
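The query-time check described above can be sketched as a small evaluator. This is an added example, not Accumulo's own code: it uses Accumulo's `&`, `|` and parentheses expression syntax but omits quoted labels, and the labels, cells and function names are constructed for illustration.

```python
import re

# Unquoted label characters plus the operators of a visibility expression.
TOKEN = re.compile(r"[A-Za-z0-9_.:/-]+|[&|()]")

def visible(expr, auths):
    """True if the user's authorization set satisfies the visibility expression."""
    if expr == "":
        return True                      # empty visibility: returned to every user
    tokens = TOKEN.findall(expr)
    if "".join(tokens) != expr:
        raise ValueError(f"invalid character in {expr!r}")
    pos = 0

    def term():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of expression")
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            val = expression()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("missing ')'")
            pos += 1
            return val
        if tok in "&|)":
            raise ValueError(f"unexpected {tok!r}")
        return tok in auths              # a label holds only if the user has it

    def expression():
        nonlocal pos
        val, op = term(), None
        while pos < len(tokens) and tokens[pos] in "&|":
            if op not in (None, tokens[pos]):
                raise ValueError("mixing & and | requires parentheses")
            op = tokens[pos]
            pos += 1
            rhs = term()                 # always parse, so syntax errors surface
            val = (val and rhs) if op == "&" else (val or rhs)
        return val

    result = expression()
    if pos != len(tokens):
        raise ValueError("trailing tokens")
    return result

# Constructed sample cells sharing one table: (row, column, visibility, value)
CELLS = [
    ("patient1", "name", "", "J. Doe"),
    ("patient1", "diagnosis", "doctor|(nurse&ward7)", "hypertension"),
    ("patient1", "billing", "finance&audit", "invoice-0001"),
]

def scan(cells, auths):
    """Return only the keys and values the authorization set may see."""
    return [(r, c, v) for r, c, vis, v in cells if visible(vis, auths)]
```

A user holding `nurse` and `ward7` gets the name and diagnosis cells back but not the billing cell, even though all three live in the same table.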
Sqrrl Enterprise, developed by Sqrrl Data, is the operational data store for large amounts of structured and unstructured data. It is the only NoSQL solution that scales elastically to tens of petabytes of data and has fine-grained security controls. Sqrrl Enterprise enables development of real-time applications on top of Big Data. Sqrrl uses HDFS for storage; Accumulo for security/speed of access; Thrift API for interactivity; and works with map/reduce, visualizations, third party software, and existing schema explored databases.
The PwC 2012 Global State of Information Security Survey included more than 9,600 business and IT executives worldwide. The Security Survey revealed that 43 percent of global companies think they have an effective information security strategy in place and are proactively executing their plans, placing them in the category of information security “front-runners.”
Twenty-seven percent of respondents identified themselves as “strategists” while the remaining identified themselves as “tacticians” and “firefighters” (15 and 14 percent respectively). The study, the largest of its kind, of more than 9,600 security executives from 138 countries found that 72 percent of respondents report confidence in the effectiveness of their organization’s information security activities - however confidence has declined markedly since 2006. The findings of the survey have helped carve a new definition of an information security leader. Even though 43 percent see themselves as “front-runners,” according to the survey only 13 percent made the “leader” cut. Those identified as leaders have an overall information security strategy in place, a CIO or executive equivalent who reports to the “top of the house,” measured and reviewed security policy effectiveness, and an understanding of the security breaches facing the organization in the past year.
According to the survey, the rise of cloud computing has improved but also complicated the security landscape. More than four out of ten respondents report that their organization uses cloud computing: 69 percent for software-as-a-service, 47 percent for infrastructure-as-a-service and 33 percent for platform-as-a-service. Fifty-four percent of organizations say that cloud technologies have improved security, while 23 percent say they have increased vulnerability. The largest perceived risk is the uncertain ability to enforce provider security policies.
Key findings included:
1. Almost half of respondents see themselves as “front-runners”, and these companies approach Information Security differently.
2. Respondents are confident that their security activities are effective.
3. Security capabilities have been degrading since 2008.
4. Key areas of improvement include C-suite buy in and increased funding.
5. Asia races ahead while the world’s information security arsenals age.
According to PwC, an information security leader has the following traits:
1. The organization has an overall information security strategy in place.
2. The organization has a CIO or executive equivalent who reports to top management.
3. The organization has actively measured and reviewed security policy effectiveness.
4. The organization has an understanding of the security breaches facing the organization in the past year.
Additional Selected Survey Highlights
1. 43% of respondents think their company has an effective information security strategy in place and are proactively executing their plans.
2. 72% of respondents report confidence in the effectiveness of their organization's information security activities.
3. 43% of respondents say their company has a security strategy for employee use of personal devices.
4. 37% of respondents say their company has a security strategy for mobile devices.
5. 32% of respondents say their company has a security strategy in place for social media.
Mobile data protection (MDP) systems attempt to protect business data privacy, comply with legal, regulatory and contractual requirements, and create structure for audits.
Vendors are beginning to provide solid solutions to help address endpoint security. But there’s no silver bullet – a multi-layered data protection strategy continues to be the best approach.
MDP software should provide centralized management, policy administration, monitoring, analytics, and reporting that delivers a complete view of an enterprise’s security posture.
A strong data protection strategy includes a data security plan and software to prevent the loss, theft and unauthorized access or transfer of confidential information by protecting sensitive data using in-depth security analysis, encryption, access control, user behavior monitoring, and policy-driven security.
MDP software should work across multiple platforms and provide proof that data is protected. The MDP system should secure data regardless of device, platform and where the data is stored, including movable storage systems in notebooks, smartphones, tablets, removable media, and cloud storage services.
Encrypting company data and securing mobile endpoints is important considering data breaches from lost or stolen mobile, tablet, laptop and removable devices. Organization data on a device is likely worth more than the device itself.
Access to corporate data must be secure while remaining easily accessible. Remote tools and technologies, such as OTA (over-the-air) virus protection distribution and upgrades, are effective ways to support a mobile workforce.
More employees are using their mobile devices for work. While organizations can lock down organization-owned mobile devices with policies and established technologies such as BlackBerry Enterprise Server, personally owned mobile devices require a new framework and policy structure.
Organizations must shift their security thinking, develop new policies and implement technologies that maintain enterprise security without degrading the experience that users value in these devices.
Personal mobile devices are easy to lose and for thieves to steal - along with all the sensitive enterprise data on them. Threats of mobile malware and malicious mobile applications are real.
Several security methods may be applied to ensure company documents and mobile devices stay protected.
By applying data encryption, devices can be secured against security breaches if they are ever lost or stolen.
Device-based security technologies such as password-based entry, remote lock/wipe, and built-in encryption may satisfy security requirements for some organizations. But for more-regulated industries or companies that handle sensitive data, a higher level of security assurance is needed.
Mobile technology vendors with good security platforms include: AirWatch, Citrix Systems, Good Technology, McAfee, MobileIron, and Sybase.
Organizations that want to allow employees to use their personal devices in the workplace must have a mobile policy. The first step is creating and executing organization rules for personally owned mobile devices.
Here are some simple suggested rules to start a mobile policy: