10 Recommendations for Securing Big Data in the Cloud

By Special Guest
Prat Moghe, Founder and CEO, Cazena
April 07, 2016

As enterprises consider augmenting or moving their big data clusters and data warehousing to the cloud, security and compliance remains a persistent concern. According to Gartner, however, only a small percentage of cloud security incidents to date were the cloud provider's fault, highlighting that this worry is largely misplaced.

This pattern isn’t expected to change. Gartner predicts that through 2020, 95 percent of cloud security failures will be the customer’s fault. Experts like U.S. CIO Tony Scott agree that public cloud offerings like Amazon Web Services (AWS) and Microsoft Azure are more secure than on-premises data centers. Even financial services companies, traditionally the most security-conscious, now utilize the public cloud.

Today, cloud providers at all levels (IaaS, PaaS, services, etc.) offer a rich array of security tools. But it is up to enterprises to fully utilize these capabilities. This presents challenges. It requires investments in resources and new skills to bridge the “uneven handshake” between the way on-premises enterprise IT systems work and the way the cloud works.

I recently sat down with Equifax CISO Susan Mauldin to discuss how to secure the cloud. She said, “CISOs are becoming more comfortable with cloud because there are controls available to us today that weren’t there years ago.” But cloud providers built these controls from a cloud-centric perspective, not an enterprise view. Enterprises need to ensure that the cloud services they select fit in with their existing systems, processes, management tools and security policies.

Here are 10 recommendations for ensuring security and compliance as enterprises migrate big data workloads to the cloud.

1. Lock down public cloud resources using gateway technology
Enterprises must avoid making cloud another silo with separate monitoring and security. To streamline the integration between on-premises systems and cloud services, consider installing a security gateway, a dedicated VPN tunnel between the enterprise and the cloud provider, to block all public access to your cloud except through the gateway. All access – whether it is data moving in or out, or analytic queries from tools – should go through this gateway.

2. Utilize single tenancy
Enterprises need the trust and control offered by a single tenant model (i.e. not shared with other users). There is a popular myth that public cloud is all “shared” and hence cannot be trusted. In reality, while physical infrastructure on the public cloud may be shared, there is a strong separation between resources at the virtual level. This logical separation can provide a single tenant cloud service.

3. Encrypt data in motion
Data movement to and from the cloud differs quite a bit from data movement within the enterprise, and requires different skills. Ensure all data moving in and out of the cloud is encrypted. Consider using IPSEC or SSL for encryption depending on your specific firewall configuration.

 4. Encrypt data at rest with HSM-based key management
All data at rest within the cloud should be encrypted. Consider using industry standard AES 256 encryption implemented in a hierarchical model. For example, if departments at your firm have their own data warehouses or big data clusters, you can allocate each one a separate cloud with an individual customer key. Secure keys using an HSM (hardware security module), either cloud-based or on-premise. No unencrypted keys should persist outside the HSM.

5. Segregate duties with role-based access control
Think of the cloud as a house with various rooms in which you want to restrict different users. For example, BI analysts can only query a cloud data warehouse, while data managers can load and administer data while IT can access system logs. A role-based access control system, similar to the access controls you have in the enterprise, must be layered on top of the cloud

6. Log and audit everything
All cloud service components at all layers should be logged. Log all infrastructure and data access, including data movement and supporting services. Further, these logs must be normalized across various data services. All logs must be aggregated into a centralized, indexed, searchable repository that is integrated or exported into enterprise log management systems.

7. Set up security monitoring and alerting
In addition to logging, all security events must be continually monitored for malicious or unauthorized activity. A separate risk dashboard and alerting function should keep your security group on top of the cloud platform. Additionally, all security events should be integrated within your existing SIEM environment.

8. Extend patching and vulnerability assessments beyond core infrastructure
While cloud infrastructure is regularly patched and assessed, it is important that the overall posture of your cloud match your enterprise policies. Since your users will access this cloud, think of the cloud asset as another enterprise asset; it must be subject to similar patching, assessment and mitigation processes.

9. Check for compliance certifications
Consider top cloud providers that provide strong compliance and security controls and have a wide range of compliance certifications. Typical certifications to look for include PCI DSS Level 1, SOC 2, ISO 27001, HIPAA, FedRAMP, FISMA, DIACAP and NIST. As you integrate with this cloud infrastructure, be sure that new any components you add, such as a gateway, are also certified.

10. Look to partners and technology to supplement internal skills
It is easy to get overwhelmed by the sheer number of security measures offered by cloud providers. For example, Azure and AWS offer hundreds of security tools and features. Enterprise IT teams may struggle to configure many of these because the cloud operates on a software-driven paradigm that differs significantly from the hardware-oriented data centers they are accustomed to.

With its favorable cost model, scalability and agility, the cloud is clearly the future of data analytics. Salesforce, Workday and other enterprise SaaS apps prove that the cloud can be plenty secure for mission-critical applications. Now is the time for IT teams to tackle security of analytic environments – the next frontier in the cloud.

About the author: Prat Moghe is a successful big data entrepreneur with nearly 20 years of experience inventing next-generation products and building strong teams in the technology sector. As SVP of strategy, products, and marketing at Netezza, Prat led a 400-person team that launched the latest generation Netezza appliance which led the market in price and performance. Netezza was acquired by IBM for $1.7B in 2010.

Edited by Ken Briodagh

Related Articles

Social impact of AI is emerging as hot topic at Fog World Congress 2018

By: TMCnet News    9/24/2018

Fog World Congress 2018 will feature diverse topics ranging from tutorials and research to the social impact of AI, autonomous robotics and blockchain…

Read More

This is Fog: Autonomous Mapping Robots at Fog World Congress 2018

By: Ken Briodagh    9/17/2018

Robots to create real-time maps of venue for Fog World Congress 2018 attendees, showcasing that fog computing systems from various domains can communi…

Read More

This is Fog: autonomous mapping robots in action at Fog World Congress 2018

By: TMCnet News    9/12/2018

Robots to create real-time maps of venue for Fog World Congress 2018 attendees, showcasing that fog computing systems from various domains can communi…

Read More

ParkMyCloud and CloudHealth Technologies Announce Integration for Cloud Cost

By: Ken Briodagh    9/6/2018

ParkMyCloud, Leader in Automated Cost Optimization, and CloudHealth Technologies, Leader in Hybrid Cloud Governance, Integrate to Provide End-to-End M…

Read More

Steve Wozniak to Offer Unique Perspective on Future Tech Trends at Fog World Congress

By: Ken Briodagh    9/5/2018

The upcoming Fog World Congress, taking place October 1 to 3, has just added Steve Wozniak to join the program for an interactive discussion that will…

Read More