“Collecting more and more unstructured data will open up another whole degree of attractiveness and may well lead to attackers seeing value in a form not previously recognised by the organisation that owns the data.”
So says Sean Newman, Field Product Manager, EMEA, Sourcefire. For more than a year, Middle Eastern businesses have been told that they can glean valuable business insight from collecting and analysing unstructured data. However, in a rush to collect all of this data, some firms haven’t yet thought about the security implications that this may have for their networks.
According to Irfan Verjee, Senior Manager, Cisco Consulting Services, Emerging Markets, there are big questions surrounding the security and privacy of the unstructured data the organisations are clamouring to get a hold of. This, coupled with employees using free cloud services such as Dropbox to store and share files, has created an environment where malicious files could easily find a way into a corporate network.
“As we move into an information-driven global economy, with over 50 billion devices connected by 2020, networks must be able to rapidly respond to attacks while maintaining availability and reliability. Rather than succumb, networks must be able to absorb attacks and remain operational, much in the same way the human immune system functions in the presence of infections,” he explains.
According to Cisco’s recent 2013 Annual Security Report in the Middle East and Africa, the highest concentration of online security threats come from legitimate destintations visited by mass audiences, such as major search engines, retail sites and social networks.
And given that these sorts of destinations are where social analytics and Big Data programmes are getting their data from, this could present a real problem for the enterprise interested in Big Data, Irfan says.
The risks could be avoided, however, as long as there are clear policies on what sort of data is collected and retained. Chet Wisniewski, Senior Security Advisor, Sophos, says that, all too often, marketing and sales teams are holding onto useless data that could ultimately do more harm than good.
“So many times you talk with an organisation, and their marketing or sales teams are collecting enormous amounts of personally identifiable information on the off chance it might come in handy in the future. Organisations should have clear policies on what type of data their departments are allowed to gather, how it must be stored and secured and for how long they should keep the information before it is securely erased,” he explains.
That said, according to Sudheer Subramanian, Senior IT Solutions Manager, Huawei Enterprise Middle East, there isn’t actually that much risk associated with simply collecting lots of data. He says that the real risks come when businesses try to use that data without screening it properly first.
“We believe that having an increased volume of collected data does not necessarily have to result in higher levels of data vulnerability. If the right technology framework is in place, organisations can stay protected regardless of how much data they are collecting,” he explains.
“One of the concerns we see today is in regards to the actual use of data, with some organisations putting themselves at risk by not adequately screening the collected data prior to use in other parts of the business. Examining the source of third-party data is equally important as different entities have their own level of security protection. In the context of Big Data, taking the time to make such assessments can be challenging as organisations acquire increasing amounts of information from an expanding list of sources.”
Laurence James, Products, Solutions and Alliances Marketing Manager, NetApp, echoes Subramanian’s point about examining data before it gets put into use: “The security analysis process must take account of legal, compliance and regulation requirements as the implications of deriving new information from multiple data sources can result in the unexpected sensitivities that were not considered at the outset,” he says.
Most organisations dabbling in Big Data do consider the source of the data before putting it to use. Indeed, for most security experts in the Middle East, the collection of data isn’t the biggest issue. Instead, they say that companies could be at greater risk once they have accumulated these vast libraries of data, as such large data stores make for the perfect cyber-criminal target.
“The consolidation of data such as security metadata, log files, and customer information into single, large-scale storage silos is a frightening proposition. While organistions are doing this in order that they may have a single data store that can then be subjected to analysis, what they are unknowingly doing is creating a prime target for attackers,” says Nicolai Solling, Director of Technology Services, Help AG.
“Organisations without sufficient in-house processing capabilities and skills may even rely on third-party providers that offer analytics services. It is only logical that attackers will focus their efforts on targeting these providers.”
Atif Kureishy, Big Data Spokesperson, Booz Allen Hamilton, shares these concerns. He also explains that companies without the propery security tools in place to protect such large amounts of data may be at risk not just from cyber-criminals, but from competitors or even law-enforcement agencies.
“Without the proper data-level security, businesses run the risk of exposing sensitive information to competitors or violating regulatory and compliance acts associated with information protection (e.g. PII). Without the proper fine-grained security controls in place, adversaries may gain access to an organisation’s Big Data environment, then can easily move laterally across the various data sets, taking inventory without ever needing to escalate their privileges. Having a robust security architecture that protects more than just the perimeter is necessary to protect against these targeted attacks,” he says.
When it comes to protecting the data you’ve already accumulated, however, the tables are somewhat turned. According to Sophos’ Wisniewski, it’s the structured data that will act as the biggest lure to cyber-criminals, as this is the data that will be most use to them.
“In my experience, structured data is more likely to be attacked, while unstructured data is more likely to contain sensitive information that no-one was aware was buried in there. They both present risks, but with limited time and money, most organisations should focus on the known sensitive information first,” he says.
Jatin Sahni, VP, Large Enterprise and Business Solutions Marketing, du, however, disagrees. He claims that, because it is so difficult to limit internal access to unstructured data — due to the very nature of unstructured data — this is the part of the Big Data pie that will pose the greatest risks for organisations.
“Traditionally, companies have struggled with manually enforcing authorisation protocols and accountability in their efforts to mitigate threats. In the current scenario, however, it seems that unstructured data poses a bigger threat than structured data, due to the complexity in automating access control processes, even though most companies keep spending considerable sums on data storage systems. Without adequate safeguards in place, unstructured data pose a threat of being misused within an organisation,” he says.
Help AG’s Solling takes a similar stance. He believes that it is logical to assume that, the more information an organisation has, the larger the risk associated with that information will be.
“Research firms IDC, Forrester and Gartner are all in agreement that unstructured data already accounts for at least 80 percent of all enterprise data. Gartner further predicts that data will grow by 800 percent over the next five years, with 80 percent of that growth coming from unstructured sources, such as emails, texts, pictures, log data, social media data and XML files. Unless properly managed, organisations can stand to suffer significant impact if this is the target of a data breach,” he says.
There are a number of tools available to organisations wishing to secure their Big Data. Huawei’s Subramanian suggests that traditional software tools and virus-scanners make up the front line in protecting digital assets, but on the organisational level, security solutions become much more niche. Whatever an organisation chooses to go for, though, there’s no doubting that the security implications of Big Data need to be considered.