Big Data security and privacy risk podcast

October 1, 2013

I recently participated in a podcast sponsored by Edward Haletky at The Virtualization Practice.

My co-panelists (Edward, Iben Rodriguez @iben, Mike Foley @mikefoley) and I discussed many aspects of the inherent security and privacy risks that enterprises and the general public alike are encountering with Big Data. You can find a recording of the podcast here.

Introducing a half-day Big Data security training class

August 4, 2013

Beginning on September 20, I’ll be teaching a half-day Big Data security Webinar. These classes will take place once a month, and will cover the following topics:

Big Data information categories

  • Relational
  • Columnar/analytics
  • Key/value
  • Document store
  • Graph
  • XML
  • NoSQL

Big Data security requirements

  • Legal and regulatory
  • Internal guidelines
  • Industry standards
  • Privacy
  • User access

Big Data security risks

  • Meta data
  • Outsourcing
  • Distributed processing (e.g. MapReduce, Hadoop, and Cassandra)
  • Overt attacks
  • Covert attacks

Best practices for securing Big Data

  • Setting realistic security goals
  • Reducing surface area for attacks
  • Protecting physical assets
  • Safeguarding the network
  • Encrypting data
  • Data obfuscation via tokenization and masking
  • Retiring data

To allow for maximum student interaction, classes will be limited to 10 people. You can register here.

10 simple things you can do to strengthen your online privacy

June 13, 2013

It’s been a very disheartening couple of weeks for people concerned with protecting personal information. From the US Supreme Court’s ruling about routine DNA collection to the ongoing revelations about the NSA Prism program, it’s easy to feel helpless in the face of such massive data collection. And while the amount of surveillance – from governments, corporations, and even nosy individuals – is likely to increase, there are a few basic things you can do to help safeguard your data from others.

  1. Reduce your activity on social networks. Did you know that banks routinely check out your Facebook profile? And now the IRS has joined the party.
  2. Encrypt important files. TrueCrypt is an excellent choice for this essential task.
  3. Use a secure search engine. Google is very clear about how it stores your search history. If this bothers you, take a look at DuckDuckGo and ixquick.
  4. Use a more secure browser. Chrome is a good choice, but there are additional offerings out there. You can expect this market to heat up in the wake of all these snooping disclosures.
  5. Clear your browser cookies regularly. Many web sites inspect these cookies to get a much better idea of your browsing history.
  6. Use TOR or a VPN. These options both offer greatly improved communication security. TOR is easy to set up and use, too.
  7. Create multiple email addresses. There’s no reason to route everything through a single address. Instead, consider setting up different accounts at various providers.
  8. Put your phone in airplane mode when you’re not using it. Your phone constantly transmits details about your location back to your service provider. If you’re not actively using it, why broadcast that information?
  9. Pay cash. Do you really need to charge that burger?
  10. Be stingy with what you share. It may sound anachronistic in this age of updating Facebook with every trivial aspect of life, but consider simply entering less data about yourself online. For example, there’s no reason for you to provide an e-commerce site with your home, work, and mobile phone numbers.

I’ll be adding more tips to the list, so if this topic interests you be sure to check back here from time to time or follow me on Twitter at @RD_Schneider.

Data never really disappears, particularly when it’s supposed to

May 9, 2013

If you have a teenage son or daughter, you may be familiar with an app called ‘Snapchat’. Its claim to fame – that is, until earlier today – is that it deletes all messages (text, photo, or otherwise) within a few seconds, thus keeping sensitive information safe from the prying eyes of parents, police, marketers, and all sorts of other nefarious characters.

But lo and behold, as it turns out, Snapchat actually doesn’t delete the data after all. Instead, it’s simply moved to a hidden directory, where with proper time and tooling, it can be recovered. You can read all about it here.

Whether or not you’re prone to sharing too much information, the takeaway from this little debacle is that data never really goes away, especially once a smartphone gets involved – not to mention the cloud. Keep that in mind the next time you’re tempted to use technology to record, say, or write something that you don’t want anyone else to see or hear. 

Teaching a workshop entitled “Foundations of Big Data from A to Z”

February 16, 2013

Recently, I blogged about a talk I’m giving in Boston at the Conference on Big Data Security. I’m happy to announce that I’ll also be teaching a comprehensive one-day workshop on Big Data. Here’s what I’ll be covering on Tuesday, July 16:

  • A realistic, vendor-agnostic overview of the current Big Data security landscape
  • Big Data information management categories including: in-memory databases, key/value stores, graph databases, and file/object repositories
  • Examination and explanation of the most widespread technologies such as Amazon Web Services, Big Table, and Hadoop
  • Understanding how all of these disparate solutions co-exist without security chaos
  • Pinpointing the intrinsic non-technical security risks present in a big data environment: regulatory, legal, industry, and Service Level Agreements
  • Creating a “defense-in-depth” approach to protecting Big Data for your shop
  • Real-world scenarios on what works and why

If you’re interested, you can register here.

Speaking about enhanced security capabilities for Hadoop

February 11, 2013

I’m looking forward to my speaking engagement at the Conference on Big Data Security this July in Boston. I’ll be talking about how to keep your Hadoop environment safe and secure. In particular, I’ll be discussing:

  • The key diverse technologies contained within a typical Hadoop environment
  • Current and trending security risks characteristic in Hadoop implementations
  • Setting and attaining realistic goals
  • Contrasting open-source vs. proprietary Hadoop security tools
  • Protecting your Hadoop landscape through controlled access
  • Inherent differences safeguarding data-at-rest vs. defending data while in motion

I hope you can join me there – it should be a very interesting conference.

Two recent examples of international suspicion of U.S. cloud computing providers

December 11, 2012

I’m fortunate to attend and speak at many cloud computing and Big Data events all around the world. I also work with large global corporations and governments to help design and deploy these types of environments. I really enjoy getting to meet such a diverse array of people.

Whenever I give a talk about the potential for cloud computing, I notice – without fail – one common thread among all of these audiences: vast misgivings about cloud computing solutions provided by American corporations. The perception is that the U.S. government will – as a matter of course – intercept, amass, and analyze all transactions, stored information, and network traffic for these cloud environments. Even if routine analysis isn’t being performed, these audiences figure that it only takes a phone call from a U.S. government representative for these cloud providers to “open the kimono”, without telling the customer of course. We’ve already seen examples of these back doors – consider how AT&T opened their network to comprehensive and clandestine monitoring by the NSA.

The people who share these concerns with me aren’t drug kingpins, terrorists, or Washington lobbyists. They’re executives and technology leaders at very reputable global powerhouses that are operating under strict fiduciary and regulatory guidelines. I know for a fact that these reservations – particularly of the PATRIOT Act – are costing American businesses money.

Many people have told me that they go out of their way to store their data in non-U.S. cloud providers, and that they don’t even trust an American cloud provider that’s storing data in Europe or Asia.

Two stories in the news recently highlight the international resistance to American-based cloud computing vendors. In the first case, the British government barred Amazon and Google from participating in the UK’s G-Cloud platform initiative. Service features, enterprise-readiness, and other factors appear to be behind this decision, but a major concern also appears to be

Many of these cloud services store initial data in Europe but then back it up to somewhere where the laws are different and you can’t do that

Coincidentally, a couple of days later we learned of a report that indicates that

U.S. legal state of affairs implies that the transition towards the cloud has important negative consequences for the possibility to manage information confidentiality, information security and the privacy of European end users in relation to foreign governments

At first glance, all of this may be perceived as simply an issue between the American government and the rest of the world. But dig a little deeper and you’ll soon realize that any government has the potential to snoop on information stored within or passing through its borders, or maintained by a firm under its jurisdiction.

Doubt me? How do you feel about hosting your most sensitive data on third party servers based in Shanghai? This problem will only become more prominent in coming years, as more applications and related data move to the cloud, and globalized technology providers try to meet this demand.

What’s the solution? That’s a topic for another time.

Three free password strength web sites

September 14, 2012

As our data increasingly moves online, creating, managing, and using passwords is more important than ever before. Getting a password stolen – or cracked by an unauthorized third party – can be very painful. Things are much worse if your broken password unlocks lots of doors. For this reason, it’s extremely unwise to use the same password for different websites, since a breach at one site exposes you everywhere. With this in mind, it’s smarter to create distinct passwords for each web site, application, email service, and so on. However, given the proliferation of online resources, many people must manage dozens of different logins, and some have many more. For example, I maintain nearly 200 different passwords.

When it comes to setting up passwords, there’s a perception that a strong password is hard to create – and even more difficult to remember. This is why I use a third party password management tool. There are many on the market, but I like Callpod Keeper. It’s up to you to set a master password, but once you’ve done that Keeper will generate passwords for each site you visit. Another choice is to simply create your own passwords on a site-by-site basis and store them in Keeper.

Regardless of where and how you create your password, it’s natural to wonder how secure it is. Believe it or not, a brute force attack will often take longer to break a long, easy-to-remember phrase than a short, unmemorable, cryptic password, because the number of candidates an attacker must try grows exponentially with every character of length. To help you gauge the relative strengths of your passwords, take a look at each of these helpful sites:

1. How Big is Your Haystack? This site is from Gibson Research, provider of many excellent networking and security utilities.

2. Dropbox’s zxcvbn password strength estimator. This utility was created as a companion piece to a really well written blog post. I like how this utility shows you a play-by-play of how a brute force attack might be launched against your password.

3. How Secure is My Password? Color-coding (red is bad, green is good) adds a nice visual effect that tells you how long it will take to break your password.

As you experiment with these sites, I recommend trying a variety of passwords and phrases. Don’t forget to throw in special characters, uppercase, numbers and so on.


You are currently browsing the security category at rdschneider.
