top 5 big data vulnerability classes
TRANSCRIPT
-
7/28/2019 Top 5 Big Data Vulnerability Classes
1/18
Big Data Security
Top 5 Security Risks and
Recommendations
-
7/28/2019 Top 5 Big Data Vulnerability Classes
2/18
Agenda
Key Insights of Big Data Architecture
Top 5 Big Data Security Risks
Top 5 Recommendation
-
7/28/2019 Top 5 Big Data Vulnerability Classes
3/18
Big Data Architecture
Key Insights
Distributed Architecture & Auto Tiering
Real Time, Streaming and Continuous
Computation
Adhoc Queries
Parallel and Powerful Computation
Language
Move the Code, Not the data
Non Relational Data
Variety of Input Sources
-
7/28/2019 Top 5 Big Data Vulnerability Classes
4/18
Distributed Architecture(Hadoop as example)
Data Partition, Replication
and Distribution
Auto-tiering
Move theCode
-
7/28/2019 Top 5 Big Data Vulnerability Classes
5/18
Real Time, Streaming and Continuous
Computation
Real
timeVariety of
Input
Sources
AdhocQueries
-
7/28/2019 Top 5 Big Data Vulnerability Classes
6/18
Parallel & Powerful Programming
Framework
Example:
16TB Data
128 MB Chunks
82000 Maps
Java vs SQL / PLSQL
Frameworks: MapReduce
Storm Topology
(Spouts & Bolts)
-
7/28/2019 Top 5 Big Data Vulnerability Classes
7/18
Big Data Architecture
No Single Silver Bullet
Hadoop is already unsuitable for many Big
data problems
Real-time analytics Cloudscale, Storm
Graph computationo Giraph and Pregel (Some examples graph
computation are Shortest Paths, Degree ofSeparation etc.)
Low latency queries
o Dremel
http://giraph.apache.org/http://giraph.apache.org/ -
7/28/2019 Top 5 Big Data Vulnerability Classes
8/18
Top 5 Unique Security Risks
Insecure Computation
End Point Input Validation and
Filtering Granular Access Control
Insecure Data Storage and
Communication
Privacy Preserving Data Mining and
Analytics
-
7/28/2019 Top 5 Big Data Vulnerability Classes
9/18
Insecure Computation
Sensitive
Info
Information Leak
Data Corruption
DoSHealth Data
Untrusted
Computation program
-
7/28/2019 Top 5 Big Data Vulnerability Classes
10/18
Input Validation and Filtering
Input Validationo How can we trust data?
o What kind of data is untrusted?
o What are the untrusted data sources?
Data Filtering
o Filter Rogue or malicious data
Challengeso GBs or TBs continuous data
o Signature based data filtering has limitations
How to filter Behavior aspect of data?
-
7/28/2019 Top 5 Big Data Vulnerability Classes
11/18
Granular Access Controls
Designed for Performance, no security in
mind
Security in Big Data still ongoing research
Table, Row or Cell level access control gone
missing
Adhoc Queries poses additional challenges
Access Control is disabled by default
-
7/28/2019 Top 5 Big Data Vulnerability Classes
12/18
Insecure Data Storage
Data at various nodes, Authentication,
Authorization & Encryptions is challenging
Autotiering moves cold data to lesser secure
mediumo What if cold data is sensitive?
Encryption of Real time data can have
performance impacts Secure communication among nodes,
middleware and end users are disabled by
default
-
7/28/2019 Top 5 Big Data Vulnerability Classes
13/18
Privacy Preserving Data Mining and
Analytics
Monetization of Big Data generally involves
Data Mining and Analytics
Sharing of Results involve multiple
challengeso Invasion of Privacy
o Invasive Marketing
o
Unintentional Disclosure of Information Examples
oAOL release of Anonymzed search logs, Users can
easily be identified
o Netflix faced a similar problem
-
7/28/2019 Top 5 Big Data Vulnerability Classes
14/18
Top 5 Recommendations
Secure your Computation Code
Implement access control, code signing, dynamic
analysis of computational code
Strategy to prevent data in case of untrusted code
Implement Comprehensive Input Validation
and Filtering Implement validation and filtering of input data, from
internal or external sources
Evaluate input validation filtering of your Big Data
solution
-
7/28/2019 Top 5 Big Data Vulnerability Classes
15/18
Top 5 Recommendations
Implement Granular Access Control
Review Role and Privilege Matrix
Review permission to execute Adhoc queries
Enable Access Control
Secure your Data Storage and Computation Sensitive Data should be segregated
Enable Data encryption for sensitive data
Audit Administrative Access on Data Nodes
API Security
-
7/28/2019 Top 5 Big Data Vulnerability Classes
16/18
Top 5 Recommendations
Review and Implement Privacy Preserving
Data Mining and Analytics Analytics data should not disclose sensitive
information Get the Big Data Audited
-
7/28/2019 Top 5 Big Data Vulnerability Classes
17/18
Thank You
About iViZ
http://www.ivizsecurity.com/blogs
http://www.ivizsecurity.com/blogshttp://www.ivizsecurity.com/blogs -
7/28/2019 Top 5 Big Data Vulnerability Classes
18/18
http://i.stack.imgur.com/H0df6.jpg
http://www.cs.colorado.edu/~kena/classes/5448/s11/presentations/hadoop.pdf
http://www.wired.com/images_blogs/threatlevel/2012/03/Verizon-Data-Breach-Report-2012.pdf
http://www.slideshare.net/outerthought/big-data
http://www.indefenseofdata.com/data-breach-trends-stats/
http://www.thebigdataguide.com/2012/06/how-does-mapreduce-work.html?view=flipcard
http://www.cs.colorado.edu/~kena/classes/5448/s11/presentations/hadoop.pdf
http://i.stack.imgur.com/H0df6.jpghttp://www.cs.colorado.edu/~kena/classes/5448/s11/presentations/hadoop.pdfhttp://www.wired.com/images_blogs/threatlevel/2012/03/Verizon-Data-Breach-Report-2012.pdfhttp://www.slideshare.net/outerthought/big-datahttp://www.indefenseofdata.com/data-breach-trends-stats/http://www.thebigdataguide.com/2012/06/how-does-mapreduce-work.html?view=flipcardhttp://www.cs.colorado.edu/~kena/classes/5448/s11/presentations/hadoop.pdfhttp://www.cs.colorado.edu/~kena/classes/5448/s11/presentations/hadoop.pdfhttp://www.cs.colorado.edu/~kena/classes/5448/s11/presentations/hadoop.pdfhttp://www.thebigdataguide.com/2012/06/how-does-mapreduce-work.html?view=flipcardhttp://www.thebigdataguide.com/2012/06/how-does-mapreduce-work.html?view=flipcardhttp://www.thebigdataguide.com/2012/06/how-does-mapreduce-work.html?view=flipcardhttp://www.thebigdataguide.com/2012/06/how-does-mapreduce-work.html?view=flipcardhttp://www.thebigdataguide.com/2012/06/how-does-mapreduce-work.html?view=flipcardhttp://www.thebigdataguide.com/2012/06/how-does-mapreduce-work.html?view=flipcardhttp://www.thebigdataguide.com/2012/06/how-does-mapreduce-work.html?view=flipcardhttp://www.thebigdataguide.com/2012/06/how-does-mapreduce-work.html?view=flipcardhttp://www.indefenseofdata.com/data-breach-trends-stats/http://www.indefenseofdata.com/data-breach-trends-stats/http://www.indefenseofdata.com/data-breach-trends-stats/http://www.indefenseofdata.com/data-breach-trends-stats/http://www.indefenseofdata.com/data-breach-trends-stats/http://www.indefenseofdata.com/data-breach-trends-stats/http://www.indefenseofdata.com/data-breach-trends-stats/http://www.indefenseofdata.com/data-breach-trends-stats/http://www.slideshare.net/outerthought/big-datahttp://www.slideshare.net/outerthought/big-datahttp://www.slideshare.net/outerthought/big-datahttp://www.slideshare.net/outerthought/big-datahttp://www.wired.com/images_blogs/threatlevel/2012/03/Verizon-Data-Breach-Report-2012.pdfhttp://www.wired.com/images_blogs/threatlevel/2012/03/Verizon-Data-Breach-Report-2012.pdfhttp://www.wired.com/images_blogs/threatlevel/2012/03/Verizon-Data-Breach-Report-2012.pdfhttp://www.wired.com/images_blogs/threatlevel/2012/03/Verizon-Data-Breach-Report-2012.pdfhttp://www.wired.com/images_blogs/threatlevel/2012/03/Verizon-Data-Breach-Report-2012.pdfhttp://www.wired.com/images_blogs/threatlevel/2012/03/Verizon-Data-Breach-Report-2012.pdfhttp://www.wired.com/images_blogs/threatlevel/2012/03/Verizon-Data-Breach-Report-2012.pdfhttp://www.wired.com/images_blogs/threatlevel/2012/03/Verizon-Data-Breach-Report-2012.pdfhttp://www.wired.com/images_blogs/threatlevel/2012/03/Verizon-Data-Breach-Report-2012.pdfhttp://www.wired.com/images_blogs/threatlevel/2012/03/Verizon-Data-Breach-Report-2012.pdfhttp://www.cs.colorado.edu/~kena/classes/5448/s11/presentations/hadoop.pdfhttp://www.cs.colorado.edu/~kena/classes/5448/s11/presentations/hadoop.pdfhttp://i.stack.imgur.com/H0df6.jpghttp://i.stack.imgur.com/H0df6.jpg