#18 – HOW A KID’S ELEPHANT BECAME YOUR NEXT INFORMATION SECURITY NIGHTMARE – JOHN MILLICAN

John Millican pixIn The Beginning

To quote Charlie Brown, “Aaaaaaaaaaaargh!”  Haven’t we learned anything?  The mantra for years has been to build security in at the beginning not the end. 

The Internet is a classic case. It is a myth that the ARPANET from which the Internet was derived was designed to survive a nuclear attack.  Nonetheless, it is true that it was designed to withstand substantial losses of the underlying network.  However, data security was not a concern so the Internet has no security considerations built into its basic design.  What’s the result?  The Wild, Wild West with hackers, attackers and spies.  We have been sticking our fingers into the dike ever since.

ALONG COMES BIG DATA
Now along comes a new technology.  One that businesses need and want badly.  Big Data. 

So what is Big Data?  It is an ecosystem of hardware, data, and software designed to handle extreme volumes of data of disparate types in an agile and affordable manner.  Well, that just sounds like a database doesn’t it?  In a sense it is.  But, it is an extension beyond the traditional relational databases because it also handles non-structured data such as audio, video, clickstreams, sensors, log files, etc.  It is the ability to be able to collect and make available for analysis the quintillion bytes of data that are generated everyday quickly and affordably that sets Big Data apart.

SO WHERE DOES THE STUFFED ELEPHANT COME IN?
The answer to that comes from the evolution of one of the primary Big Data tools, Hadoop.  Hadoop started as an open source search engine developed by Doug Custings and Mike Cafarella.  Hadoop was named after Doug’s son’s stuffed elephant.  So how does that make it my “next information security nightmare”?  Well, it doesn’t.  But, it made for a great title, and it also got us to Big Data’s origins. 

THE EVOLUTION OF THE LIZARD BRAIN
Hadoop was an evolutionary system, and like the lizard brain at the base of our brains, there’s another piece of revolutionary software at the base of Hadoop called MapReducer.

MapReducer was developed by Google to help it index the trillions of pages in the Web.  Since Hadoop was intended to be an open source search engine, it made sense to incorporate the MapReducer concepts into it.

PUTTING IT ALL TOGETHER
Astute readers may have inferred the origin of our security problems from the paragraph above.  I wasn’t one of them.  Someone had to point it out to me so I will share what was pointed out to me. 

What was Google trying to index?  URLs.  And, what is a common characteristic of URLs?  They are public.  Google and Hadoop at its beginning were unconcerned about securing the data because it was not private or sensitive to begin with.

BIG DATA’S BIG CHALLENGES
So what are the inherent information security challenges of the evolved beast known as Hadoop?  There are several. [1]

  • Computing distributed across thousands of nodes leads to complicated environments that are difficult to secure.
  • Data can be fragmented across many servers leading to even greater complexity.
  • Rudimentary data access controls limit the ability to control the granularity of access rights to the data.  Big Data does not have any role-based access controls.
  • Node-to-node communication is not encrypted.
  • There are no facilities to protect data stores, applications or core Hadoop features.

STAY TUNED FOR MORE
So there you go.  From to stuffed elephants to your next big information security nightmare because another opportunity to build security in at the beginning was missed.  Please look for my next post when I will look at the challenges in more depth and examine some possible remedies.

[1] “The Big Data Security Gap-Protecting the Hadoop Cluster”,  Zettaset, http://www.zettaset.com/info-center/datasheets/zettaset_wp_security_0413.pdf

Bio:

John Millican is a business-first manager with strong experience in driving value to the enterprise through IT and Information Security (IS). His experience is divided between positions in both industry and third party IT service and Information Security provision.

John developed and led the global Information Security team for Expedia Inc. as its Chief Information Security Officer and was VP of IT Operations for Hotwire.com. He also founded and led a twelve person independent IT/ Information Security service provider. Clients and employers have ranged from small wholesale/distributors to regional financial institutions and Fortune 1000 Internet-based companies.  John’s most recent efforts have been focused on assisting clients with implementing Information Security programs, obtain ISO 27001 certification and to implement continual improvement methodologies within their organizations.

He is a Certified Information Systems Security Professional (CISSP) and was the first person to be certified by the SANS Institute for its core security programs – Windows Security, Unix Security, Intrusion Detection Analyst, Incident Handling and Firewall Analyst.  Additionally, he was co-author of the SANS Security Essentials Toolkit.

John has a Bachelor of Science in Business Administration degree from the University of Akron.

 


[1] “The Big Data Security Gap-Protecting the Hadoop Cluster”,  Zettaset, http://www.zettaset.com/info-center/datasheets/zettaset_wp_security_0413.pdf

Leave a Reply

Your email address will not be published. Required fields are marked *