Category Archives: Publications

Big Data: security, privacy, and compliance

Big data offers us big potential, for both benefits and risks. Although it has great appeal, we need to strike a healthy balance – to achieve maximum benefit for an acceptable level of risk. Security, privacy, and compliance considerations and solutions should be integral to any big data project.

Security

The value of your data and insight grows as your volume does. Big data aggregates significant volumes of information, which leads to an increased interest from attackers and impact if compromised. Aggregation can be due to the accumulation of data or by associations the data enables.

Infrastructure, systems, applications, databases, processes, transactions and audit logs must all be properly secured; limiting access and rights to only those allowed. You must maintain the confidentiality, integrity, and availability of your critical data, against both external and internal threats.

Security needs to be supported by an ability to audit use and deal with misuse, including incident investigation, digital forensics, disciplinary action, and communications plan. You need to be prepared for the worst.

Privacy

The associations that big data helps us make can also lead to more personal intrusion than might be understood or accepted. Analysing medical history, browsing and buying patterns, communications metadata, and other data sets, can provide quite a complete view of private lives.

When developing a system that will process large volumes of records, especially if they are sensitive, you should also involve your security, data protection, legal, risk and audit staff. Consider creating a privacy impact assessment and security plan prior to finalising any designs or going live.

Recent research and regulator opinion suggest that pseudonymous data should be treated as identifiable, rather than truly anonymous. Your privacy approach needs to be properly understood and demonstrable.

Compliance

When exploring a new idea for growing, combining or manipulating data, you need to be mindful as to whether you need additional consent, as the data you wish to use may have been provided for a different purpose. Having data for one reason, doesn’t automatically allow reuse for another.

Data protection law can be both complex and disparate, especially in an international context, and you may find there are challenging and conflicting requirements. Potential obligations, e.g. the right to be forgotten, also need to be considered in the design and build of any big data system.

Be mindful that as well as rules governing the collection and processing of data, there are others that may require you to disclose information, be it to the data subject, law enforcement or other authorities.

Although big data warrants a cautious approach, security, privacy, and compliance obligations should not temper your ambition to deliver such a project, as they should provide a robust capability to support it not sink it.

Gareth Niblett Chairs the Information Security Specialist Group of BCS, The Chartered Institute for IT; provides security, privacy and compliance advice through Blackarts Limited; and tweets as @garethniblett

This post originally appeared in the Media Planet Big Data Report which is available as a download (1MB PDF).

Mobile Computing: Securing your workforce

The following introduction was published as the foreword to the BCS eBook on Mobile Computing: Securing your workforce:

“It’s been less than 3 decades since the first commercial handheld cellular phone hit the market. Costing some $3,995, and likened to a brick, it immediately gained a long waiting list. Price and size has come down in the intervening years, and popularity has soared. The technology has moved from analogue to digital and the handsets can now do so much more than make and receive voice telephone calls.

We’ve seen the introduction of short message service (SMS), multi-media message service (MMS), PDA functions (address book, calendar, notes), email, browsing (WAP through to modern browsers), full Internet access and applications. Each new capability has opened up additional potential exposures for users.

Modern smartphones combine elements of mobile phone, personal digital assistants (PDA) and laptop into a small, easily lost or stolen, high value device. With e-wallets, NFC, tablets, etc. as well as storing more and more confidential information as storage capacity grows, its value – and impact when lost – increases even more.

Phones are not the only devices we’re mobile with either. PDAs, laptops, tablets all add to the complexity, as does the growth in employees using their own devices and bringing them into the enterprise. Organisations need to cope, educate and secure.

Although manufacturers, operators, OS/Application vendors and businesses try and control and/or secure their platforms, there are limits to what is technically possible and acceptable to users. Many people are no longer content with a device that cannot perform the functions or run the applications they see other do. Indeed, some will take exception to any level of control/security and ‘jailbreak’ or ‘unlock’ their devices so that they can run what they want on whatever network is available.

Whatever portable device you use, this eBook contains some useful advice to consider – to help improve your mobile security.”

The eBook is available online for preview and order via:

http://www.bcs.org/category/16307