October 1, 2013: Big Data security and privacy risk podcast
I recently participated in a podcast sponsored by Edward Haletky at The Virtualization Practice.
My co-panelists (Edward, Iben Rodriguez @iben, Mike Foley @mikefoley) and I discussed many aspects of the inherent security and privacy risks that enterprises and the general public alike are encountering with Big Data. You can find a recording of the podcast here.
August 4, 2013: Introducing a half-day Big Data security training class
Beginning on September 20, I’ll be teaching a half-day Big Data security webinar. These classes will take place once a month, and will cover the following topics:
Big Data information categories
- Document store
Big Data security requirements
- Legal and regulatory
- Internal guidelines
- Industry standards
- User access
Big Data security risks
- Meta data
- Distributed processing (e.g. MapReduce, Hadoop, and Cassandra)
- Overt attacks
- Covert attacks
Best practices for securing Big Data
- Setting realistic security goals
- Reducing surface area for attacks
- Protecting physical assets
- Safeguarding the network
- Encrypting data
- Data obfuscation via tokenization and masking
- Retiring data
To allow for maximum student interaction, classes will be limited to 10 people. You can register here.
May 9, 2013: Data never really disappears, particularly when it’s supposed to
If you have a teenage son or daughter, you may be familiar with an app called ‘Snapchat’. Its claim to fame – that is, until earlier today – is that it deletes all messages (text, photo, or otherwise) within a few seconds, thus keeping sensitive information safe from the prying eyes of parents, police, marketers, and all sorts of other nefarious characters.
But lo and behold, as it turns out, Snapchat actually doesn’t delete the data after all. Instead, it’s simply moved to a hidden directory, where, with proper time and tooling, it can be recovered. You can read all about it here.
Whether or not you’re prone to sharing too much information, the takeaway from this little debacle is that data never really goes away, especially once a smartphone gets involved – not to mention the cloud. Keep that in mind the next time you’re tempted to use technology to record, say, or write something that you don’t want anyone else to see or hear.
February 16, 2013: Teaching a workshop entitled “Foundations of Big Data from A to Z”
Recently, I blogged about a talk I’m giving in Boston at the Conference on Big Data Security. I’m happy to announce that I’ll also be teaching a comprehensive one-day workshop on Big Data. Here’s what I’ll be covering on Tuesday, July 16:
- A realistic, vendor-agnostic overview of the current Big Data security landscape
- Big Data information management categories including: in-memory databases, key/value stores, graph databases, and file/object repositories
- Examination and explanation of the most widespread technologies such as Amazon Web Services, Big Table, and Hadoop
- Understanding how all of these disparate solutions co-exist without security chaos
- Pinpointing the intrinsic non-technical security risks present in a big data environment: regulatory, legal, industry, and Service Level Agreements
- Creating a “defense-in-depth” approach to protecting Big Data for your shop
- Real-world scenarios on what works and why
If you’re interested, you can register here.
February 11, 2013
I’m looking forward to my speaking engagement at the Conference on Big Data Security this July in Boston. I’ll be talking about how to keep your Hadoop environment safe and secure. In particular, I’ll be discussing:
- The key diverse technologies contained within a typical Hadoop environment
- Current and trending security risks characteristic of Hadoop implementations
- Setting and attaining realistic goals
- Contrasting open-source vs. proprietary Hadoop security tools
- Protecting your Hadoop landscape through controlled access
- Inherent differences between safeguarding data at rest and defending data in motion
I hope you can join me there – it should be a very interesting conference.
December 11, 2012: Two recent examples of international suspicion of U.S. cloud computing providers
I’m fortunate to attend and speak at many cloud computing and Big Data events all around the world. I also work with large global corporations and governments to help design and deploy these types of environments. I really enjoy getting to meet such a diverse array of people.
Whenever I give a talk about the potential for cloud computing, I notice – without fail – one common thread among all of these audiences: vast misgivings about cloud computing solutions provided by American corporations. The perception is that the U.S. government will – as a matter of course – intercept, amass, and analyze all transactions, stored information, and network traffic for these cloud environments. Even if routine analysis isn’t being performed, these audiences figure that it only takes a phone call from a U.S. government representative for these cloud providers to “open the kimono”, without telling the customer, of course. We’ve already seen examples of these back doors – consider how AT&T opened their network to comprehensive and clandestine monitoring by the NSA.
The people who share these concerns with me aren’t drug kingpins, terrorists, or Washington lobbyists. They’re executives and technology leaders at very reputable global powerhouses that are operating under strict fiduciary and regulatory guidelines. I know for a fact that these reservations – particularly of the PATRIOT Act – are costing American businesses money.
Many people have told me that they go out of their way to store their data in non-U.S. cloud providers, and that they don’t even trust an American cloud provider that’s storing data in Europe or Asia.
Two stories in the news recently highlight the international resistance to American-based cloud computing vendors. In the first case, the British government barred Amazon and Google from participating in the UK’s G-Cloud platform initiative. Service features, enterprise-readiness, and other factors appear to be behind this decision, but a major concern also appears to be:
“Many of these cloud services store initial data in Europe but then back it up to somewhere where the laws are different and you can’t do that.”
Coincidentally, a couple of days later we learned of a report that indicates that:
“U.S. legal state of affairs implies that the transition towards the cloud has important negative consequences for the possibility to manage information confidentiality, information security and the privacy of European end users in relation to foreign governments.”
At first glance, all of this may be perceived as simply an issue between the American government and the rest of the world. But dig a little deeper and you’ll soon realize that any government has the potential to snoop on information stored within or passing through its borders, or maintained by a firm under its jurisdiction.
Doubt me? How do you feel about hosting your most sensitive data on third party servers based in Shanghai? This problem will only become more prominent in coming years, as more applications and related data move to the cloud, and globalized technology providers try to meet this demand.
What’s the solution? That’s a topic for another time.
September 14, 2012: Three free password strength web sites
As our data increasingly moves online, creating, managing, and using passwords is more important than ever. Having a password stolen, or cracked by an unauthorized third party, can be very painful, and things are much worse if that one password unlocks lots of doors. For this reason, it’s extremely unwise to reuse a password across different websites: a breach at one site exposes you everywhere. With this in mind, it’s smarter to create a distinct password for each web site, application, email service, and so on. Given the proliferation of online resources, however, many people must manage dozens of different logins, and some have many more. For example, I maintain nearly 200 different passwords.
When it comes to setting up passwords, there’s a perception that a strong password is hard to create – and even more difficult to remember. This is why I use a third party password management tool. There are many on the market, but I like Callpod Keeper. It’s up to you to set a master password, but once you’ve done that Keeper will generate passwords for each site you visit. Another choice is to simply create your own passwords on a site-by-site basis and store them in Keeper.
Regardless of where and how you create your password, it’s natural to wonder how secure it is. Believe it or not, a brute-force guessing attack will often take longer to exhaust the search space of an easy-to-remember phrase than that of a short, unmemorable, cryptic password, simply because every extra character multiplies the number of candidates the attacker has to try. The caveat is that this only holds as long as the attacker has to treat the phrase as random characters; a phrase assembled from a few common dictionary words can be guessed word by word, which is why the better estimators look for words and patterns rather than just counting characters. To help you gauge the relative strengths of your passwords, take a look at each of these helpful sites:
1. How Big is Your Haystack? This site is from Gibson Research, provider of many excellent networking and security utilities.
2. Dropbox’s zxcvbn password strength estimator. This utility was created as a companion piece to a really well written blog post. I like how this utility shows you a play-by-play of how a brute force attack might be launched against your password.
3. How Secure is My Password? Color-coding (red is bad, green is good) adds a nice visual effect that shows you roughly how long it would take to break your password.
As you experiment with these sites, I recommend trying a variety of passwords and phrases. Don’t forget to throw in special characters, uppercase, numbers and so on. One caution: test passwords that resemble the ones you use rather than the real ones, since there is no reason to type a live credential into a third-party page.
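As an added illustration (not code from the original post or from any of the three sites), here is a small Python model of the two kinds of estimate those sites make: a haystack-style brute-force search space over the character classes present in the password, and a dictionary-aware estimate that shows why a phrase built from common words is weaker than its character count suggests. The word list, the 20,000-word dictionary size and the 1e11 guesses-per-second rate are assumptions chosen for the example, not figures from the page.

```python
"""Search-space estimates for passwords and passphrases (illustrative model)."""
import string
from typing import Optional

# Character classes for a haystack-style (character-level) brute-force estimate.
# The symbol class is the 32 ASCII punctuation characters plus the space (33 total),
# so a password using all four classes draws from a 95-character alphabet.
CHAR_CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation + " ",
}

# Constructed mini-dictionary standing in for an attacker's real word list;
# any word in here is treated as something a dictionary attack would try.
COMMON_WORDS = {
    "correct", "horse", "battery", "staple", "password", "monkey",
    "dragon", "letmein", "welcome", "sunshine", "princess", "football",
}
# Assumed size of the attacker's real word list (used to size the word-by-word search).
DICTIONARY_SIZE = 20_000
# Assumed offline guess rate for a fast, unsalted hash; a slow KDF would be far lower.
GUESSES_PER_SECOND = 1e11


def alphabet_size(password: str) -> int:
    """Size of the alphabet an attacker must cover: the sum of the sizes of every
    character class that actually appears in the password."""
    return sum(len(chars) for chars in CHAR_CLASSES.values()
               if any(c in chars for c in password))


def haystack_search_space(password: str) -> int:
    """All strings of length 1..len(password) over that alphabet, i.e. what a
    pure brute-force attacker who knows nothing about the password must try."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def dictionary_search_space(passphrase: str) -> Optional[int]:
    """If every whitespace-separated word is a common dictionary word, the attacker
    can guess word by word: DICTIONARY_SIZE ** number_of_words. Otherwise None,
    meaning the dictionary strategy does not apply to this input."""
    words = passphrase.lower().split()
    if words and all(w in COMMON_WORDS for w in words):
        return DICTIONARY_SIZE ** len(words)
    return None


def effective_search_space(password: str) -> int:
    """The attacker picks the cheaper strategy, so the smaller model wins."""
    spaces = [haystack_search_space(password)]
    dictionary = dictionary_search_space(password)
    if dictionary is not None:
        spaces.append(dictionary)
    return min(spaces)


def seconds_to_exhaust(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the assumed guess rate."""
    return effective_search_space(password) / rate


if __name__ == "__main__":
    # A short cryptic password versus a long phrase of common words.
    for candidate in ("J4f#9q", "correct horse battery staple"):
        print(f"{candidate!r}: alphabet={alphabet_size(candidate)}, "
              f"haystack={haystack_search_space(candidate):.3e}, "
              f"dictionary={dictionary_search_space(candidate)}, "
              f"worst case={seconds_to_exhaust(candidate):.1f}s")
```

Run as a script, it prints the two estimates side by side: the four-word phrase has a haystack space of roughly 1e49 candidates but only 1.6e17 once the attacker guesses word by word, which is still far more than the roughly 7e11 for the six-character password. The lesson is the same one the sites above teach, with the caveat made explicit: length wins, but only if the words are not all on the attacker's list.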