There was lots of buzz about big data at RSA Conference, especially about the essential role that big data analytics increasingly plays in detecting data exfiltration and other security issues. Using big data for security is clearly a significant opportunity. But the security and privacy of big data itself is equally important, and it got much less attention. These concerns did come up in the Tuesday afternoon panel on big data, during which Rich Mogull of Securosis drew the distinction between securing big data and using big data for security. But for me the most striking insight about the security and privacy issues for big data came in the discussion that Hugh Thompson and Dan Gardner had during the Friday afternoon "Hugh Thompson Show".
Dan was explaining the ways in which our decision-making tends to be unconscious, and therefore how difficult it is for us to really understand how we make decisions. Our behavior reveals our preferences and predicts our decisions more accurately than what we say. So as more of what we do moves online, analysis of the patterns in what we buy, which sites we visit and so on will yield reliable, predictive insights about each of us. These insights, derived from the big data about us, may well be more accurate predictors of our behavior than our own views of ourselves. They can also be used by cybercriminals to craft social engineering attacks that target our revealed preferences, blindsiding us because of the discrepancy between our stated preferences and the revealed preferences the attacker sees.
What does this discrepancy imply for strategies to secure big data? Technologies such as encryption that make data self-defending while still searchable are critical. But most important is a well-governed security system that continuously checks that the most effective security tools and processes are in place, both within and across organizations. Such a system is the equivalent of metacognition, the "turning attention back on itself", as Dan put it, that lets us recognize our own blind spots. Well-governed security policy, information-centric security controls, comprehensive security analytics and risk-based security decisions: these are the building blocks of the dynamic model that will enable us to ensure the privacy and security of our big data.