Data on the rise: 4 new challenges security must master

Opinion
Jan 20, 2020 | 8 mins
Analytics, Data and Information Security, Security

Data is information security's bread and butter, but the rise of data brings both new challenges and new opportunities. To meet them, security needs to change its relationship with data.


You’ve likely heard that 90% of the world’s data was created over the last two years. This phrase, often quoted, sometimes attributed, is passing through the public consciousness, on its way to becoming trivia. Before it’s reduced to a ‘fun fact’ I offer it as a cautionary tale. The author’s favorite fictional detective once said “There is nothing more deceptive than an obvious fact.” I invite the reader to turn this ‘obvious fact’ around and project it forward into the future. If true, the world’s data will grow tenfold in the next two years, and a hundredfold in the next four.

The reasons for the rise, and its continuation, should be self-evident.  Data is perceived as an asset, and one that holds valuable information.  Big data has led to the development of new tools and new fields of analytics (which in turn creates more data) from which ever more valuable information is being gleaned.  From an economic point of view the big data market was worth $49 billion in 2019 and is expected to grow to $103 billion by 2023.  Abstractly, one should expect market forces to drive the growth of any monetizable commodity.

Risks

The rise of data poses several challenges for information security; here are just a few.

Protecting the asset

The ‘obvious fact’ is that the asset under protection is growing. In 2012, the world’s data was expected to approach 40 zettabytes by 2020, and a recent study predicts 175 zettabytes by 2025, just five years hence. More to the point, the proportion of data requiring protection is growing faster than the digital landscape itself, from less than a third in 2010, to an estimated 40% by 2020.

A number of factors contribute to the growth of raw data, from social media to digital transformation to innovation. For example, 3D radiology has increased file size by a factor of 20 over 2D radiology, and autonomous vehicles are expected to generate 3TB of data per hour, or just under one GB each second. Analytics, turning raw data into valuable information, is still in its infancy. Research suggests that only a tiny fraction of data is analyzed, but the big data growth figures (above) suggest explosive interest.

The data under protection today is just the tip of the iceberg.  In terms of raw data, security should partner with IT and understand the data storage, archival, and backup strategies with data’s growth trajectory top of mind.  Analytics will both increase data demand and generate even more information.  Inputs are likely to include customer privacy and financial data, and results will be both sensitive and valuable.  Analytical environments should be assessed and managed from the perspective of data risk.

Data in motion

Data is on the move and that movement is expected to continue. A 2018 IDC White Paper on the topic describes data location in three broad categories.

  • The Core: Once the exclusive province of the enterprise data center, the core is increasingly the cloud, whether public, private or hybrid. Predictions call for more data in the public cloud than in endpoints by 2020, and for more data in the public cloud than in traditional data centers by 2021.
  • The Edge: Be it the branch, the retail outlet, or the geographically removed office, the edge is a location in transition. In some cases, virtualization is moving edge data back to the core.  At the same time, the proliferation of embedded devices (cameras, POS terminals, payment systems, etc.) is generating more data at the edge than ever before.
  • The Endpoint: Again, a blurred distinction, but upwards of 150 billion connected devices are expected by 2025, most of which will be generating data, and that in real time. The mobile device, it almost goes without saying, is the favored device for consumer generation and consumption of data (81% of Americans now own a smartphone), but this category also includes tablets, wearables, personal computers, and the internet of things — devices that may not store, or process, but certainly generate a great deal of data.

Security should emphasize (i.e. recruit/retain/develop) application security expertise as business responds to the endpoint’s significance as a business channel.  Endpoint development is an area of compelling security challenges as development cycles are short and platform security controls cannot be assumed.  Security should conduct aggressive risk assessments on the edge as the evolution towards greater services and faster response drives local analysis, requiring greater computing power and increased data retention. 

As for the cloud…

Third parties

The cloud, viewed simply, is just someone else’s data center. Managing security in the cloud means managing risk in a third-party environment and leveraging the controls on offer. For security, the cloud is an exercise in third-party (risk) management and information security will need to develop a very active third-party management skillset.

On the subject of third-parties, consider too that some of an organization’s service providers hold data that is, or will be, of analytical interest.  Service providers will be called on to:

  • increase their own level of analysis
  • provide a greater level of access to data they hold
  • make that data available to their clients

Data analyzed at the third-party will likely increase in value, necessitating enhanced controls.  Greater access is, of course, an issue of identity and access management, while greater availability will mean increased data flows requiring a re-evaluation of connectivity controls.  Security should have a care for each of these outcomes, and third-party data custodians in general.

Complexity

Data science describes big data characteristics with nouns starting with the letter V. The three most important are volume, variety, & velocity (but there are others) and collectively they describe the complexity of big data and how it differs from previous concepts of data management.

  • Velocity: It is difficult to prioritize the security concerns around big data’s characteristics; a case could be made for each of them, but I think the first must be velocity.
    • There is a general data processing risk should the enterprise generate data faster than it can consume it – before it is archived or lost due to storage constraints (i.e., analysis gap).
    • To information security, the risk is greater: Should analysis fall behind, indicators are produced too late for preventative action, or worse, too late for timely incident response.
  • Variety: Data is being generated outside the traditional data center (at the edge and the endpoint) and from a new variety of sources. Unstructured data makes up 80% or more of enterprise data and is growing at a rate of 55% to 65% a year.  Securing application data (as opposed to traditional transactional databases) will take on new importance.  The attack surface is both growing and changing.
  • Volume: The security concern here is straightforward: The raw asset under protection is growing.

Suggestions & opportunities

The future’s challenges, and the potential rewards, require mastering the data at our disposal. Just as business is leveraging analytics to create value, information security can, and must, do the same. Here are three ways security can change its relationship with data.

Data science

Data science brings a new generation of analytical skills and technologies to add to the information security toolbox. Many are designed for use with very large data sets. A few examples:

  • Data mining to simplify data sets and find patterns
  • Machine learning to draw new insights from (very) large data sets
  • Predictive analytics to prioritize, or enrich, security controls
  • A spectrum of technologies to offset the shortage of experience and qualified resources, from user-friendly, accessible programming languages and specialty code for statistics to the unrealized potential of artificial intelligence

Threat intelligence

Threat intelligence is a well-understood discipline, but tends to depend on security control data and commercial feeds. As data grows, each enterprise creates a treasure trove of data it could, and should, analyze. Security should expand the scope of threat intelligence beyond its own controls and examine all the data at its disposal, including user behavior, network data flows, and the business applications it protects. Threats, after all, can be anywhere.

Data protection

A data protection program should be judged by its strength and simplicity, not by its size and complexity. The ideal data protection strategy would have a single set of strong default controls (authentication, encryption, etc.) applied to all data, eliminating the need for classification and labels. Data governance would require only a lifecycle policy and a declassification (release) process. Employee training, project requirements, and IT operations would all be identical, and straightforward: If the data is here, it’s protected, no exceptions.

If this seems a trifle naïve, it’s intended to make a point: Data protection should be simple to explain, easy to implement, and as strong as you can make it.


Drew Osborne has spent over 30 years in information technology, including more than 20 in information security, and has led teams responsible for information security / cybersecurity, incident response, security operations, third-party risk, software development & quality assurance, data center & network operations. He has designed top-to-bottom information security & cybersecurity programs, and also led successful security compliance and certification efforts.

He served as Chief Information Security Officer (CISO) for Silicon Valley startups, as well as established financial institutions. He is an active member of FS-ISAC, has attended the FBI Citizen’s Academy, and maintained a CISSP certification since 2001.
