June 14, 2017

The data security mess

A large fraction of my briefings this year have included a focus on data security. This is the first year in the past 35 that that’s been true.* I believe that reasons for this trend include:

*Not really an exception: I did once make it a project to learn about classic network security, including firewall appliances and so on.

Certain security requirements, desires or features keep coming up. These include (and as in many of my lists, these overlap):

More specific or extreme requirements include: 

I don’t know how widely these latter kinds of requirements will spread.

The most confusing part of all this may be access control.

Further confusing matters, it is an extremely common analytic practice to extract data from somewhere and put it somewhere else to be analyzed. Such extracts are an obvious vector for data breaches, especially when the target system is managed by an individual or IT-weak department. Excel-on-laptops is probably the worst case, but even fat-client BI — both QlikView and Tableau are commonly used with local in-memory data staging — can present substantial security risks. To limit such risks, IT departments are trying to impose new standards and controls on departmental analytics. But IT has been fighting that war for many decades, and it hasn’t won yet.

And that’s all when data is controlled by a single enterprise. Inter-enterprise data sharing confuses things even more. For example, national security breaches in the US tend to come from government contractors more than government employees. (Ed Snowden is the most famous example. Chelsea Manning is the most famous exception.) And as was already acknowledged above, even putting your data under control of a SaaS vendor opens hard-to-plug security holes.

Data security is a real mess.

Edit (July 10, 2017): Matt Asay evidently agrees with this post, specifically in the context of Hadoop. :)

Comments

4 Responses to “The data security mess”

  1. Light-touch managed services | DBMS 2 : DataBase Management System Services on June 14th, 2017 9:23 am

    […] Security and data privacy are ongoing (and increasing) concerns. […]

  2. Generally available Kudu | DBMS 2 : DataBase Management System Services on June 16th, 2017 11:52 am

    […] Security is an ever bigger deal. […]

  3. Jerry Leichter on June 20th, 2017 6:24 am

    (I’m going to have to be vague because of the nature of the issues.)

    I’ve been involved in producing responses to security questions and requirements from customers for many years. A couple of things characterize these interactions:

    1. Almost all the requests completely miss the point. They ask for things that, if they had them, would not actually help their security; and they regularly miss very obvious issues.
    2. There are very few standards in this area, so pretty much every response has to be created ab initio.
    3. Where standard are emerging, they are longer, more detailed, more painful to fill in than the usual round of questions – but no better in actually protecting anything.
    4. There’s little correlation between the quality of the security questions raised and the objective importance one might reasonably assign to security given the nature of the business, the kind of data it deals with, and the kind of data the system being purchased will deal with.
    5. Pretty much every security requirement can be, and regularly is, worked around, waived, or just plain ignored when someone has decided the deal is going to go through.

    I will say that there’s been a change in roughly the last year or so. For the first time, I’ve seen serious analyses of software, with carefully thought out issues raised and real requirements for fixes/ameliorations/ways to reasonably manage around things that can’t realistically be dealt with directly. The flood of serious security problems that have become public is finally beginning to have an impact in actual policy and implementation. It can make my job harder, but it’s good to see.

  4. Notes on data security | DBMS 2 : DataBase Management System Services on August 10th, 2017 5:15 am

    […] In June I wrote about burgeoning interest in data security. I’d now like to […]

Leave a Reply




Feed: DBMS (database management system), DW (data warehousing), BI (business intelligence), and analytics technology Subscribe to the Monash Research feed via RSS or email:

Login

Search our blogs and white papers

Monash Research blogs

User consulting

Building a short list? Refining your strategic plan? We can help.

Vendor advisory

We tell vendors what's happening -- and, more important, what they should do about it.

Monash Research highlights

Learn about white papers, webcasts, and blog highlights, by RSS or email.