Cloud Computing Experts Detail Big Data Security and Privacy Risks

by   |   June 20, 2013 6:41 pm   |   2 Comments

The 10 privacy and security challenges for big data and analytics systems cataloged in a new Cloud Security Alliance report.

The 10 Big Data Privacy and Security challenges for analytics systems cataloged in a new Cloud Security Alliance report.

The information security practitioners at the Cloud Security Alliance know that big data and analytics systems are here to stay. They also agree on the big questions that come next: How can we make the systems that store and compute the data secure? And, how can we ensure private data stays private as it moves through different stages of analysis, input and output?

It’s the answers to those questions that prompted the group’s latest 39-page report detailing 10 major Big Data Security and Privacy challenges facing infrastructure providers and customers. By outlining the issues involved, along with analysis of internal and external threats and summaries of current approaches to mitigating those risks, the alliance’s members hope to prod technology vendors, academic researchers and practitioners to collaborate on computing techniques and business practices that reduce the risks associated with analyzing massive datasets using innovative data analytics.

Related Stories

Cloud Security Alliance lists 10 big data security challenges.
Read the story »

7 best practices for companies managing customer data.
Read the story »

A starting guide to big data security in the cloud.
Read the story »

Opinion: A foundation or data security and privacy practices in the real world.
Read the story »

“People are working on these challenges, the technical people and the academics. But they haven’t talked to each other” as much as they should, said Arnab Roy, one of the report’s contributors, who works as  research staff member at Fujitsu Laboratories of America in Sunnyvale, Calif.  For example, Roy said, until recently, data encryption experts have not been communicating with experts at infrastructure companies. “People are realizing now that new solutions are needed, solutions that integrate the aspects of big data, to come up with comprehensive solutions,” he added.

“Comprehensive” is the operative word here. “As big data expands through streaming cloud technology, traditional security mechanisms tailored to securing small-scale, static data on firewalled and semi-isolated networks are inadequate,” the report states. Important changes in the computing environment include:

  • Multiple infrastructure tiers, both storage and computing, required to process big data.
  • New elements such as NoSQL databases that speed up performance but “have not been thoroughly vetted for security issues.”
  • Existing encryption technologies that don’t scale well to large datasets.
  • Real-time system monitoring techniques that work well on smaller volumes of data but not very large datasets.
  • The growing number of devices, from smartphones to sensors, producing data for analysis.
  • General confusion “surrounding the diverse legal and policy restrictions that lead to ad hoc approaches for ensuring security and privacy.”

The report calls out the need to secure the infrastructure of big data systems, from the infrastructure where computing and data storage occurs, to securing the data itself and ensuring that applications that access different, large, distributed datasets maintain proper access controls and the privacy of the data itself. There are also calls for ongoing system monitoring. (See chart at the top of this article for more. See “Spelling Out Privacy Risks in Data Analytics,” at the end of this article, for an excerpt from the report.)

Wilco van Ginkel, senior strategy at Verizon based in Amherst, Nova Scotia, is a co-chairman of the Cloud Security Alliance Big Data Working Group. He said the report released June 17 builds on work done last year to identify the top 10 concerns and is designed to spur action.

“What we hope for is that the vendors out there will step up to the plate,” he said.  “We see encryption is difficult on a large scale. How can we change that for big data?”

There is a tension for practitioners, he added. Before the big data movement, most of the datasets companies used were siloed. The business owner of each dataset was compliant with data management and regulatory policies. That new big data systems opens up those siloes and creates connections among different datasets creates a new dynamic.

“The combination of all the data puts it in a different perspective. The fact that you have access to all that data does not mean you are entitled to or must use all the data” for sentiment analysis or another use case, he said. “The way we can access the data, and correlate the data. That is really the ticking time bomb.”

Michael Goldberg is editor of Data Informed. Email him at

Spelling Out Big Data Privacy Risks

“Scalable and Composable Privacy-Preserving Data Mining and Analytics,” a section of the Cloud Security Alliance’s report on big data and analytics security and privacy challenges, notes that companies use data analytics for marketing purposes and can appear to be violating a consumer’s privacy, as in the case of Target identifying a teen’s pregnancy before her father knew about it, as reported by The New York Times.

Efforts to anonymize data for analytics are “not enough to maintain user privacy,” it adds.

Use cases: “User data collected by large organizations is constantly accessed by inside analysts as well as outside contractors and business partners. A malicious insider or untrusted partner can abuse these datasets and extract private information from customers.

“Similarly, intelligence agencies require the collection of vast amounts of data. The data sources are numerous and may include chat rooms, personal blogs and network routers. However, most data is innocent in nature and does not [need] to be retained, thereby preserving anonymity. Robust and scalable privacy-preserving mining algorithms increase the chances of collecting relevant information to increase everyone’s safety.”

Threat modeling: The report cites three major Big Data Privacy threats:

1. An insider in the company hosting the big data store “can abuse her level of access and violate privacy policies.”

2. “If the party owning the data outsources data analytics, an untrusted partner might be able to abuse their access to the data to infer privacy information from users.” This applies to using big data cloud services, “as the cloud infrastructure (where data is stored and processed) is not usually controlled by the owners of the data.”

3. Sharing data for research purposes represents another risk. “Ensuring that the data released is fully anonymous is challenging because of re-identification… the process by which anonymized personal data is matched with its true owner.”

Analysis: “To protect user privacy, best practices in the prevention and detection of abuse by continuous monitoring must be implemented,” the report notes. This means that “leakage of private information is controlled even if multiple databases are linked.”

Researchers are working on ways to improve privacy safeguards. One approach called differential privacy “defines a formal model of privacy” but carries the cost of additional computing resources and adds noise to data analytics results. “Another potential solution to outsourced computational resources is universal homomorphic encryption, which promised to provide data analytics while the outsourced data remains encrypted. The technology is currently in its infancy” but is a promising field for researchers, the report states.

Regulatory issues: While the report is focused on technical issues, the authors note that big data implementations must also follow user privacy regulations, which vary in Europe and the United States.

Tags: ,


    Posted June 21, 2013 at 12:33 am | Permalink

    Michael, you are right that security in the cloud is different than traditional security mechanism found in private infrastructure. Scalability was a huge problem we faced in developing our cloud data encryption solution. We have developed what you mention in the article “new solutions are needed.” We would love for a follow up article about companies like us that provide military grade data encryption and key management that enable organizations to securely move their sensitive data into the cloud and satisfying compliance. Please check us out at and let us know what you think.

  2. Kevin
    Posted June 7, 2014 at 6:53 am | Permalink

    Cloud computing and its security is top priory for any Data Centre and continues to improve as technology evolves.

    Once a company decides to make the switch they are submitting sensitive data outside the enterprise, which means it will bypass the physical, logical and personnel controls of the IT department of the company.

    This is a concern for all businesses.

Post a Comment

Your email is never published nor shared. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>