NIST Big Data Public Working Group
Security and Privacy Subgroup Presentation
September 30, 2013
Arnab Roy, Fujitsu
Akhil Manchanda, GE
Nancy Landreville, University of MD
Security and Privacy
Overview
• Process
• Taxonomy
• Use Cases
• Security Reference Architecture
• Mapping
• Next Steps
Process
• The CSA Big Data Working Group Top 10 S&P Challenges
• Googledoc with initial set of topics and solicitation of use cases
• Taxonomy of topics
• Input from Reference Architecture Group
• Security Reference Architecture overlaid on RA
• Mapping use cases to the SRA
• Editorial phase
• Current Working Draft (M0110)
CSA BDWG: Top Ten Big Data Security and Privacy Challenges
10 Challenges Identified by CSA BDWG
[Figure: the ten challenges, by number, placed on a diagram; surviving labels: Public/Private/Hybrid Cloud, Data Storage]
1) Secure computations in distributed programming frameworks
2) Security best practices for non-relational datastores
3) Secure data storage and transactions logs
4) End-point input validation/filtering
5) Real time security monitoring
6) Scalable and composable privacy-preserving data mining and analytics
7) Cryptographically enforced access control and secure communication
8) Granular access control
9) Granular audits
10) Data provenance
Top 10 S&P Challenges: Classification
• Infrastructure security
  – Secure Computations in Distributed Programming Frameworks
  – Security Best Practices for Non-Relational Data Stores
• Data Privacy
  – Privacy Preserving Data Mining and Analytics
  – Cryptographically Enforced Data Centric Security
  – Granular Access Control
• Data Management
  – Secure Data Storage and Transaction Logs
  – Granular Audits
  – Data Provenance
• Integrity and Reactive Security
  – End-point validation and filtering
  – Real time Security Monitoring
Taxonomy
• Privacy
  – Communication Privacy
  – Data Confidentiality
    – Access Policies
      – Systems
      – Crypto Enforced
    – Computing on Encrypted Data
      – Searching and Reporting
      – Fully Homomorphic Encryption
  – Secure Data Aggregation
  – Key Management
• Provenance
  – End-point Input Validation
    – Syntactic Validation
    – Semantic Validation
  – Communication Integrity
  – Authenticated Computations on Data
    – Trusted Platforms
    – Crypto Enforced
  – Granular Audits
  – Control of Valuable Assets
    – Lifecycle Management
    – Retention, Disposition, Hold
    – Digital Rights Management
• System Health
  – Security against DoS
    – Construction of cryptographic protocols proactively resistant to DoS
  – Big Data for Security
    – Analytics for Security Intelligence
    – Data-driven Abuse Detection
    – Event Detection
    – Forensics
Use Cases
• Retail/Marketing
  – Modern Day Consumerism
  – Nielsen Homescan
  – Web Traffic Analysis
• Healthcare
  – Health Information Exchange
  – Genetic Privacy
  – Pharma Clinical Trial Data Sharing
• Cyber-security
• Government
  – Military
  – Education
[Figure: reference architecture diagram. Components: System Orchestrator; Data Provider; Big Data Application Provider (Collection, Curation, Analytics, Visualization, Access); Big Data Framework Provider (Processing Frameworks (analytic tools, etc.); Platforms (databases, etc.); Infrastructures; Physical and Virtual Resources (networking, computing, etc.); layers marked Horizontally Scalable (VM clusters) or Vertically Scalable); Data Consumer. Side labels: Management; Security & Privacy. Axes: Information Value Chain; IT Value Chain. Flow labels: DATA, SW.]
Interface of Data Providers -> BD App Provider
S&P considerations by use case (Health Info Exchange, Military UAV):
• End-Point Input Validation
  – Health Info Exchange: Strong authentication, perhaps through X.509v3 certificates, potential leverage of SAFE bridge in lieu of general PKI
  – Military UAV: Need to secure sensor to prevent spoofing/stolen sensor streams
• Real Time Security Monitoring
  – Health Info Exchange: Validation of incoming records. May need to check for evidence of Informed Consent.
  – Military UAV: On-board & control station secondary sensor security monitoring
• Data Discovery and Classification
  – Health Info Exchange: Leverage HL7 and other standard formats opportunistically, but avoid attempts at schema normalization.
  – Military UAV: Varies from media-specific encoding to sophisticated situation-awareness enhancing fusion schemes.
• Secure Data Aggregation
  – Health Info Exchange: Clear text columns can be deduplicated, perhaps columns with deduplication.
  – Military UAV: Fusion challenges range from simple to complex.
Next Steps
• Streamline content internally
  – Consistent vocabulary
  – Fill up missing content
  – Discuss new content
  – Streamline flow across sections
• Synchronize terminology with D&T and RA subgroups
[Figure: S&P topics placed on the reference architecture. Components: Data Provider; Big Data Application Provider; Big Data Framework Provider; Data Consumer. Topic groups as they appear on the diagram:]

• End-Point Input Validation
• Real Time Security Monitoring
• Data Discovery and Classification
• Secure Data Aggregation

• Privacy preserving data analytics and dissemination
• Compliance with regulations such as HIPAA
• Govt access to data and freedom of expression concerns

• Data Centric Security such as identity/policy-based encryption
• Policy management for access control
• Computing on the encrypted data: searching/filtering/deduplicate/fully homomorphic encryption
• Granular audits
• Granular access control

• Securing Data Storage and Transaction logs
• Key Management
• Security Best Practices for non-relational data stores
• Security against DoS attacks
• Data Provenance