Problem solve Get help with specific problems with your technologies, process and projects.

Businesses look for tech solutions to big data security issues

The growing adoption of big data analytics applications is complicating data security challenges -- and creating a need for new security strategies.

Toward the end of the 1990s, the European Union passed the Data Protection Directive, which essentially declares privacy a human right. The law presented a major data management challenge to multinational corporations: how to manage data sets across jurisdictional boundaries that have a range of privacy laws and still take advantage of expanding data analysis capabilities.

Businesses are still grappling with the issues created by the EU's directive and other regulations -- and now the considerations they have to weigh have evolved into big data security issues. Even companies that operate entirely within the U.S. must navigate a maze of state-level and industry-specific privacy regulations that make data management and analysis more difficult tasks. But in order to become more data-driven and embrace the benefits of big data analytics, organizations must find a way to manage their data in accordance with all relevant privacy regulations without making the data inaccessible and unusable.

"This is the next wave," said Peter Guerra, who leads a team of data scientists at consultancy Booz Allen Hamilton Inc. "We had nothing -- now we have all the big data technologies, and now people are starting to try to figure out how to manage all this data. There are some techniques to deal with that, but a lot are not ubiquitous."

More than slamming the door

One way to avoid big data security problems is to control access. Guerra said for a lot of companies, that simply means limiting the number of people who can view data sets. But that isn't always workable, given current analytics trends. Many organizations are looking for technology that lets business users perform their own analyses and share the results with co-workers. Limiting access to entire data sets cuts against that approach.

Instead, companies could base access limits on data attributes. For example, a financial services company may be able to structure access privileges so a sales manager can see the ZIP codes of customers to plan direct mail campaigns without giving him access to their Social Security numbers or other sensitive information. A business could also put in place field-level access control based on customer locations in order to handle regional differences in privacy laws.

But Guerra said implementing controls based on identity management and data segmentation can be technically challenging, which is holding back adoption.

"What we're seeing is a lot of uncertainty around how to manage data, especially around multinational companies," he said. "As businesses start to adopt these big data technologies and move them more to the core of their enterprise, when that maturity starts happening on a more broad scale, I believe they're going to need to be able to segment their data."

Don't get greedy about data

You need to understand the data you're collecting and why you're collecting it -- not at a source level but at a field level.

Alex Moss, partner, Conventus

It's a common trope today that data is an asset. And if something has value, why wouldn't you want more of it? That notion, combined with the plummeting cost of storage, has prompted many companies to start storing every bit of data they can get their hands on for possible analytics uses.

But businesses shouldn't simply collect and store data without thinking about what they'll ultimately use it for, said Alex Moss, a partner at information security consulting firm Conventus. Data might have value when it's put to use, Moss said -- but it can create compliance risks when it's just hanging around in systems.

The federal Health Insurance Portability and Accountability Act (HIPAA) requires strong protections for storing medical information. Similarly, the Graham-Leach-Bliley Act imposes rules for controlling access to financial data. Failure to comply with these and other privacy regulations can result in major penalties. Businesses that blithely vacuum up data might end up storing protected information without even knowing it.

"You need to understand the data you're collecting and why you're collecting it -- not at a source level but at a field level," Moss said. "People need to understand the risk associated with owning data."

To anonymize or not to anonymize?

One way to limit big data security issues is to anonymize data sets by removing key pieces of data from records, making it impossible to directly identify individuals. Martin Hack, president and CEO of big data analytics software vendor Skytree Inc., said that accomplishes two things. If done properly, it can help organizations stay on the right side of privacy regulations. It can also help ensure that customers feel comfortable with how their data is being used.

But not everyone thinks anonymization of data is fully effective. Booz Allen Hamilton's Guerra said researchers have shown it's possible to take anonymized data sets and cross-reference them with publicly available information to de-anonymize records. That particularly can be a problem in analyzing health information. An organization can be fined by the federal government under HIPAA for letting potentially identifiable data sets out of its possession, even if no actual harm comes to the patients involved.

"I don't know that anonymization is the best way to protect that data. There are ways to potentially trace back," Guerra said.

Driving force: Data breach or culture?

Unfortunately, it sometimes takes a data breach for organizations to start taking privacy and security seriously. For example, Conventus' Moss said retail giant Target didn't have a chief information security officer on staff prior to its recent data breach, which exposed the bank and credit card information of millions of customers.

Data breaches have been increasing rapidly in recent years. For example, the IBM X-Force 2012 Annual Trend and Risk Report showed that the number of reported breaches more than doubled from 2009 to 2012. There were more than 1,500 instances of personally identifiable information being lost, stolen or exposed in 2012, according to the report.

But in general, Moss thinks breaches aren't the defining factor in whether an organization takes big data security issues seriously. Ultimately, he said, it's a matter of culture.

"Those that haven't had a breach and aren't putting a focus on security -- there are some that never will," he said. "But then there are others that understand there's a risk."

Ed Burns is site editor of SearchBusinessAnalytics. Email him at and follow him on Twitter: @EdBurnsTT.

Dig Deeper on Customer analytics

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

What are your tips for dealing with big data security issues?
I agree that "You need to understand the data you're collecting and why you're collecting it -- not at a source level but at a field level," and we know that currently organizations are desperately looking for effective ways to comply with new stringent privacy regulations.
Modern granular data security approaches can provide a balance between privacy, compliance and data insight. Traditional field level access control is not sufficient to meet this challenge.
A key to the answer is to look at the structure within each sensitive data field. Different use cases need to see different parts of the data field. This dynamic data masking can be reversible or non-reversible to provide the right balance between privacy, compliance and data insight.
I found some good news in an interesting report from the Aberdeen Group that revealed that "Over 12 months, data tokenization users had 50% fewer security-related incidents (e.g., unauthorized access, data loss or data exposure than tokenization non-users". Nearly half of the respondents (47%) are currently using tokenization for something other than cardholder data. The name of the study is "Tokenization Gets Traction".
I also reviewed one offshoring project in Europe that addressed the challenge to protect sensitive information about individuals in a way that even satisfied the European Cross Border Data Security requirements. This included incoming source data from various European banking entities, and existing data within those systems, which would be consolidated in one European country. The project achieved targeted compliance with EU Cross Border Data Security laws, Datenschutzgesetz 2000 - DSG 2000 in Austria, and Bundesdatenschutzgesetz in Germany by using a data tokenization approach, protecting the data fields before sending and storing it in the cloud.
Ulf Mattsson, CTO Protegrity
One of the most common causes of data getting in the wrong hands is the loss of mobile devices that often contain a frightening amount of private information. I want to share a protection option that worked for me. Tracer tags ( let someone who finds your lost stuff contact you directly without exposing your private information. I use them on almost everything I take when I travel like my phone, passport and luggage after one of the tags was responsible for getting my lost laptop returned to me in Rome one time.