100 Best Practices in Big Data Security and Privacy

‘Big data’ refers to the massive amounts of digital information companies and governments collect about human beings and our environment. Experts anticipate that the amount of data generated will double every two years, from 2500 exabytes in 2012 to 40,000 exabytes in 2020.  Security and privacy issues are magnified by the volume, variety, and velocity of big data.  As big data expands through streaming cloud technology, traditional security mechanisms tailored to secure small-scale, static data on firewalled and semi-isolated networks offer inadequate protection.

Recently our Big Data Working Group led by Sreeranga Rajan and Daisuke Mashim released the “Big Data Security and Privacy Handbook: 100 Best Practices in Big Data Security and Privacy,” outlining the 100 best practices that should be followed by any big data service provider to fortify their infrastructure. The handbook presents 10 compelling solutions for each of the top 10 challenges in big data security and privacy, which the working group previously identified in the 2012 CSA documenttitled “Top Ten Big Data Security and Privacy Challenges.”

New Security Challenges
It is not merely the existence of large amounts of data that creates new security challenges. In reality, big data has been collected and utilized for several decades. The current uses of big data are novel because organizations of all sizes now have access to the information and the means to collect it. In the past, big data was limited to very large users such as governments and big enterprises that could afford to create and own the infrastructure necessary for hosting and mining large amounts of data. These infrastructures were typically proprietary and isolated from general networks. Today, big data is cheaply and easily accessible to organizations of all sizes through public cloud infrastructure.

Software infrastructure developers can easily leverage thousands of computing nodes to perform data-parallel computing. Combined with the ability to buy computing power on-demand from public cloud providers, the adoption of big data mining methodologies is greatly accelerated. Large-scale cloud infrastructures, diversity of data sources and formats, the streaming nature of data acquisition and high-volume, inter-cloud migration all play a role in the creation of unique security vulnerabilities.

Big Data Best Practices
Now that we have enormous amounts of data and know the security and privacy risks it presents, what can enterprises do to secure their information? This CSA handbook provides a roster of 100 best practices, ranging from typical cybersecurity measures, such as authentication and access control, to state-of-the-art cryptographic technologies. In each section, CSA presents 10 solutions for each of the top 10 major challenges in big data security and privacy. Each section addresses what is the best practice, why these security measures are needed and should be followed and how they can be implemented.

Read the entire “Big Data Security and Privacy Handbook: 100 Best Practices in Big Data Security and Privacy” handbook. Learn more about CSA.

Ryan Bergsma, Research Intern, CSA

[Cloud Security Alliance Blog]

Important Security News Flash Regarding SSH Vulnerabilities

The SSH protocol that is embedded on Unix, Linux, Mainframe, and Windows 16 Servers – in additional to Switches, Routers, IOT devices, etc. can be compromised by bad actors with access to keys. This is also true for anyone deploying applications in the cloud.

The SSH protocol creates an encrypted tunnel providing users with root level access. In the wrong hands, misuse of the SSH protocol have led to disastrous consequences. Here is why:

Encrypted SSH traffic cannot be monitored by existing tools. DLP, SIEM’s, Firewall’s etc. do not work
SSH Key’s don’t expire – a key created 20 years ago still works today.
SSH Keys are often copied and shared, creating a challenges to tie back who did what and when
SSH Tunneling (just what the name implies) facilitates a security loophole
Bad actors operating within this security blind spot can bypass security controls, install software, transfer data, and delete their activity.

Recommended Course of Action

Review and apply the NIST 79666 white paper recommended guidelines to prevent security breaches.

FURTHER READING

Stay on top of vulnerabilities with (ISC)2’s members-only resource for researching and tracking vulnerabilities and mitigating risks – Vulnerability Central.

Create your customized dashboard today.

By Thomas MacIsaac, Vice President, Eastern US and Canada, SSH Communications Security

[(ISC)² Blog]

New E-book Spells Out GEIT Implementation

Technology can be a double-edged sword for business. On the one hand it can provide extraordinary advantages, and on the other it can present potential risks. A new ISACA e-book, Getting Started With GEIT: A Primer for Implementing Governance of Enterprise IT, spells out how to get greater efficiency and effectiveness out of IT assets and make sure their use is aligned with larger, enterprise-wide strategic aims.

The 52-page book details how implementing a Governance of Enterprise IT (GEIT) system can provide numerous benefits to a business, including lower costs, increased control, improved resource efficiency and effectiveness, and better strategic alignment and risk management.

The book (free to ISACA members, $15 for non-members) is aimed at professionals who are new to GEIT and those who are implementing a GEIT system.

GEIT For Lower Capital Costs, Greater Innovation
A strong GEIT system can translate into lower costs for capital, along with other benefits such as greater organizational innovation and entrepreneurship. It can also mean paying lower interest in the capital markets.

While a well-implemented GEIT system can bring major benefits, poorly implemented GEIT will fail to deliver those benefits while wasting the resources required for implementation. To address that concern Getting Started With GEIT spells out the specific steps needed for a successful implementation that meets enterprise goals and delivers value.

7 Steps to Implement GEIT
What is particularly helpful about the step-by-step approach is that practitioners can implement some quick-hit improvements and realize much of the value from GEIT without having to become a framework expert.

The guide includes the 7 steps to implement GEIT and supports them with examples of benefits to help gain senior leadership buy-in. It also presents specific objectives for executing technology projects and managing technology investments.

The 7 GEIT implementation steps include:

  1. Initiate the program
  2. Define problems and opportunities
  3. Define a roadmap
  4. Plan the program
  5. Execute the plan
  6. Realize benefits
  7. Review effectiveness

Every chapter includes a checklist of action items to help with the implementation of each step. An example of this comes at the end of the first chapter, which explains what GEIT is and the how-tos for creating a business case and obtaining buy-in:

“Determine which benefit(s) of GEIT are most appealing to the organization. Document why this is most appealing and what additional benefits may be realized from implementing GEIT in the enterprise.”

As a convenience, all of these action items have been gathered into a single document that is available for download below. As part of the e-book release ISACA is also offering a quick reference infographic detailing key points from each of the five chapters, which is also available below.

Getting Started With GEIT Extras
The e-book concludes with two detailed case studies on applying GEIT to two scenarios, including a manufacturing enterprise using GEIT to evaluate stakeholder requirements and determine how to best satisfy them. The other scenario has a large multinational enterprise that wants to ensure its rapid expansion and adoption of advanced IT delivers the expected value and manages significant new risk.

Finally, the book includes a section of tips for conducting effective GEIT implementation interviews for a strong starting point in the GEIT implementation work.

To download or purchase Getting Started With GEIT: A Primer for Implementing Governance of Enterprise IT e-book click here. To download the accompanying action item checklist click here. For the quick reference infographic, click here.

Peter Tessin, Technical Research Manager, ISACA

[ISACA Now Blog]

Cloud Security Alliance Big Data Working Group Releases ‘100 Best Practices in Big Data’ Report

The Cloud Security Alliance (CSA), today announced the release of the new handbook from the CSA Big Data Working Group, outlining the 100 best practices in big data security. The Big Data Security and Privacy Handbook: 100 Best Practices in Big Data Security and Privacy strives to detail the best practices that should be followed by any big data service provider to fortify their infrastructure. The handbook presents 10 compelling considerations for each of the top 10 challenges in big data security and privacy, which the group previously outlined in the Top Ten Big Data Security and Privacy Challenges white paper.

The term “big data’” refers to the massive amounts of digital information companies and governments collect about human beings and their environment. The amount of data generated is expected to double every two years from 2500 exabytes in 2012 to 40,000 exabytes in 2020. Large-scale cloud infrastructures, diversity of data sources and formats, the streaming nature of data acquisition and high-volume, inter-cloud migration all play a role in the creation of unique security vulnerabilities.

“This is an important initiative for the cloud community as new security challenges have arisen from the coupling of big data with public cloud environments. As big data expands through streaming cloud technology, traditional security mechanisms tailored to secure small-scale, static data on firewalled and semi-isolated networks are inadequate,” said J.R. Santos, Executive Vice President of Research for the CSA. “Security and privacy issues are magnified by this volume, variety and velocity of big data. This handbook serves as a comprehensive list of best practices for companies to use when securing big data.”

The handbook provides a roster of 100 best practices, ranging from typical cybersecurity measures, such as authentication and access control, to state-of-the-art cryptographic technologies. It addresses why these security measures are needed as well as how they can be implemented.

For more information on the Cloud Security Alliance, please visit our website. To download the new best practices handbook visit https://cloudsecurityalliance.org/download/big-data-security-and-privacy-handbook/.

About Cloud Security Alliance
The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events and products. CSA’s activities, knowledge and extensive network benefit the entire community impacted by cloud — from providers and customers, to governments, entrepreneurs and the assurance industry — and provide a forum through which diverse parties can work together to create and maintain a trusted cloud ecosystem. For further information, visit us at www.cloudsecurityalliance.org, and follow us on Twitter @cloudsa.

Contacts
Kari Walker for the CSA
ZAG Communications
703.928.9996
kari@zagcommunictions.com

[Cloud Security Alliance Research News]

Process Improvement for Management of IT-related Processes

Most organizations have objectives for quality and improvement. Enterprises want employees to continually look for opportunities that fuel effectiveness and strengthen the company. The improvement theme is both a nice to have and a basis to survive, providing a direction to get better and a model for personal behavior and work culture. The basic improvement model is one of common sense, similar to those used in psychology and coaching. It can be teamed with any process reference model.

The improvement model has evolved over time with influences from many thought leaders, good practices and industries, including Dr. Edwards Deming, a key influence with the Plan-Do-Check-Act (PDCA) cycle (preferred over Guess-Do-Pray-Hope); John Kotter with organizational change; international standards such as those from the International Organization for Standardization (ISO), ISO 90001 for Quality, ISO 20000 for IT Service Management, ISO 27001 for IT Security; COBIT, ITIL, the National Institute of Standards and Technology (NIST) and Project Management Body of Knowledge (PMBOK), all of which incorporate or support improvement themes; and, Six Sigma programs, which have an improvement phase and so should you.

How do you do it? You can hire a Six Sigma person or you can do it yourself. It’s not difficult. For most of you, read a book or gain some awareness. ISACA offers a book titled COBIT® 5 Implementation in the COBIT product family. While the focus is on implementing governance of enterprise IT, one could add an alternative title:  Process Improvement for Management of IT-related Processes.

The book highlights a cycle of phases and component parts, all building on good practices. The 7 phases of the COBIT® 5 Implementation lifecycle include:

  1. What Are the Drivers?
  2. Where Are We Now?
  3. Where Do We Want To Be?
  4. What Needs To Be Done?
  5. How Do We Get There?
  6. Did We Get There?
  7. How Do We Keep the Momentum Going?

Each phase is supported by 3 components:  program management (PM), change enablement (CE) and continual improvement (CI). This is a good practice approach.

As an example, the components of the first 3 phases include:

  1. What are the drivers?
    1. CI – Recognize the need to act
    2. CE -Establish a desire to change
    3. PM – Initiate a program
  2. Where we are today?
    1. CI – Assess the current state
    2. CE – Form a team
    3. PM – Define opportunities or challenges
  3. Where do we want to be?
    1. CI – Define the target state
    2. CE – Communicate the desired outcome
    3. PM – Define a roadmap

Each component has suggested or potential key activities, inputs and outputs. Warning:  If you miss addressing any of these phases or components, or get overly creative with the order, you might increase the risk of failure. Like software, avoid customization.

Where to Start?
Where to start? Pain points and triggers are obvious. To gain a quick win and show how it is done, consider focusing on one process—your favorite process.

The COBIT 5 Implementation book gives you a starting place—allowing you to move forward with confidence on a solid foundation. Think of it as a playbook or recipe. Project managers like the 3 components as they address areas of frequent challenge, such as change enablement. Copy and save this model into your head and project templates.

COBIT 5 Implementation offers all of us consistent context and structure for current or potential activities. It contributes to the success of you and your team. The focus is on people—all of us; up, down and across the organization in any business line.

Editor’s note:  John Jasinski holds all ISACA certifications and certificates and teaches COBIT. He is an ISACA member and has been an active volunteer at local and international levels since 2006. COBIT 5 Implementation is available as a free PDF download for ISACA members. The printed hard copy is available from the ISACA bookstore. John suggests you buy a bunch and share them with your team. COBIT is currently celebrating its 20th anniversary. Learn more here.

John Jasinski, CGEIT, CRISC, CISA, CISM, ITIL, Business Process Consultant

[ISACA Now Blog]

English
Exit mobile version