NIST Big Data Public Working Group
Security and Privacy Subgroup Presentation
September 30, 2013

Arnab Roy, Fujitsu
Akhil Manchanda, GE
Nancy Landreville, University of MD


Security and Privacy

Overview

• Process
• Taxonomy
• Use Cases
• Security Reference Architecture
• Mapping
• Next Steps

Process

• The CSA Big Data Working Group Top 10 S&P Challenges
• Googledoc with initial set of topics and solicitation of use cases
• Taxonomy of topics
• Input from Reference Architecture Group
• Security Reference Architecture overlaid on RA
• Mapping use cases to the SRA
• Editorial phase
• Current Working Draft (M0110)

CSA BDWG: Top Ten Big Data Security and Privacy Challenges

10 Challenges Identified by CSA BDWG

[Figure: diagram annotated with challenge numbers; labels include Public/Private/Hybrid Cloud and Data Storage]

1) Secure computations in distributed programming frameworks
2) Security best practices for non-relational datastores
3) Secure data storage and transactions logs
4) End-point input validation/filtering
5) Real time security monitoring
6) Scalable and composable privacy-preserving data mining and analytics
7) Cryptographically enforced access control and secure communication
8) Granular access control
9) Granular audits
10) Data provenance

Top 10 S&P Challenges: Classification

• Infrastructure security
– Secure Computations in Distributed Programming Frameworks
– Security Best Practices for Non-Relational Data Stores
• Data Privacy
– Privacy Preserving Data Mining and Analytics
– Cryptographically Enforced Data Centric Security
– Granular Access Control
• Data Management
– Secure Data Storage and Transaction Logs
– Granular Audits
– Data Provenance
• Integrity and Reactive Security
– End-point validation and filtering
– Real time Security Monitoring

Taxonomy

Privacy
• Communication Privacy
• Data Confidentiality
– Access Policies: Systems, Crypto Enforced
• Computing on Encrypted Data
– Searching and Reporting
– Fully Homomorphic Encryption
• Secure Data Aggregation
• Key Management

Provenance
• End-point Input Validation
– Syntactic Validation
– Semantic Validation
• Communication Integrity
• Authenticated Computations on Data
– Trusted Platforms
– Crypto Enforced
• Granular Audits
• Control of Valuable Assets
– Lifecycle Management
– Retention, Disposition, Hold
– Digital Rights Management

System Health
• Security against DoS
– Construction of cryptographic protocols proactively resistant to DoS
• Big Data for Security
– Analytics for Security Intelligence
– Data-driven Abuse Detection
– Event Detection
– Forensics

Use Cases

• Retail/Marketing
– Modern Day Consumerism
– Nielsen Homescan
– Web Traffic Analysis
• Healthcare
– Health Information Exchange
– Genetic Privacy
– Pharma Clinical Trial Data Sharing
• Cyber-security
• Government
– Military
– Education

Big Data Security Reference Architecture

[Figure: reference architecture diagram. Components: System Orchestrator; Data Provider; Big Data Application Provider (Visualization, Access, Analytics, Curation, Collection); Big Data Framework Provider (Processing Frameworks (analytic tools, etc.), Platforms (databases, etc.), Infrastructures, Physical and Virtual Resources (networking, computing, etc.), each marked Horizontally Scalable or Vertically Scalable); Data Consumer. Axes: Information Value Chain, IT Value Chain. Cross-cutting layers: Management, Security & Privacy. Flow labels: DATA, SW.]

Interface of Data Providers -> BD App Provider

S&P Consideration, by use case (Health Info Exchange, Military UAV):

• End-Point Input Validation
– Health Info Exchange: Strong authentication, perhaps through X.509v3 certificates, potential leverage of SAFE bridge in lieu of general PKI
– Military UAV: Need to secure sensor to prevent spoofing/stolen sensor streams
• Real Time Security Monitoring
– Health Info Exchange: Validation of incoming records. May need to check for evidence of Informed Consent.
– Military UAV: On-board & control station secondary sensor security monitoring
• Data Discovery and Classification
– Health Info Exchange: Leverage HL7 and other standard formats opportunistically, but avoid attempts at schema normalization.
– Military UAV: Varies from media-specific encoding to sophisticated situation-awareness enhancing fusion schemes.
• Secure Data Aggregation
– Health Info Exchange: Clear text columns can be deduplicated, perhaps columns with deduplication.
– Military UAV: Fusion challenges range from simple to complex.

Next Steps

• Streamline content internally
– Consistent vocabulary
– Fill up missing content
– Discuss new content
– Streamline flow across sections
• Synchronize terminology with D&T and RA subgroups

Backup

[Figure: diagram with components Big Data Application Provider, Data Consumer, Data Provider and Big Data Framework Provider, annotated with the topics below]

• End-Point Input Validation
• Real Time Security Monitoring
• Data Discovery and Classification
• Secure Data Aggregation

• Privacy preserving data analytics and dissemination
• Compliance with regulations such as HIPAA

• Govt access to data and freedom of expression concerns

• Data Centric Security such as identity/policy-based encryption
• Policy management for access control

• Computing on the encrypted data: searching/filtering/deduplicate/fully homomorphic encryption
• Granular audits
• Granular access control

• Securing Data Storage and Transaction logs
• Key Management
• Security Best Practices for non-relational data stores
• Security against DoS attacks
• Data Provenance