A majority of big data originates beyond enterprise walls and systems of records (SOR). This data streams in from corporate websites; it emanates from machines and sensors; and in still other cases, it’s captured from the internet. Since so much internet and Internet of Things (IoT) data enters the enterprise from the outside, sites increasingly will look to public cloud providers to assist in the capture, exploitation, and safety of this data. This makes data security a central concern.
Security and governance are still largely discussions for SOR data, but they should also be discussed for unstructured payloads of big data. If cloud services providers are storing this data, IT should be evaluating these providers’ security practices, in addition to the providers’ data storage, preparation, and analytics capabilities.
“The first questions that CIOs ask us is where their stored data is located, whether we have global data centers, and if the data center that their data is being stored at is local to them,” said Beth Weeks, senior vice president of engineering at Zilliant, which specializes in B2B sales analytics. “CIOs also want to know what the data center’s security and compliance policies are.”
There are layers of security questions beyond this, such as what the flows of the data are into the cloud service, and from the cloud service to the enterprise. “Data encryption is a frequent topic of discussion,” said Weeks. “Enterprises want to know that their data is protected, that it is encrypted when it is at rest in the data center, and that data is encrypted whenever it is sent and received.”
Not having this assurance can be costly in dollars and in goodwill. For example, in June 2015, the records of four million current and former federal workers were compromised by Chinese hackers, and the costs to taxpayers in just notifying and protecting potential victims of the compromise was estimated at $21 million.
“Being aware (so as to prevent a data breach) is always the first step,” said Kevin Prince, (now former) chief technology officer of SilverSky, a provider of cloud-based security solutions, in a piece for IT Business Edge. “Taking a layered security approach and looking for the policies, procedures, and solutions that can best mitigate security threats is best.”
Zilliant’s Weeks says that, as a part of their due diligence, most prospective clients ask how her firm audits its security. “They want access to our security reports, and they also want to know the frequency at which we perform security audits,” she said. A baseline security audit that clients usually ask for is the SSAE 16 audit, which replaced the standard SAS 70 audit beginning in 2011, and is now considered as the authoritative guidance for reporting on service organizations. “Clients and prospects also want to see our penetration and vulnerability testing results,” Weeks said. “And they want to know how frequently we administer these tests.”
In addition to this due diligence, I asked Weeks what other steps organizations should be taking to ensure that their big data and analytics in the cloud are secure.
“If they are in a multi-tenant hosting environment in the cloud, clients should ensure with their service provider that their data is separately maintained and that there is no merger or passing of this data to others who might be on the service,” said Weeks. “They should also remember that there is other information besides their data that need to be secured at the provider’s data center, such as special project documentation that is independent of the stored data, but equally sensitive.”
Note: TechRepublic and ZDNet are CBS Interactive properties.