The Rise of the Machine, Big Data’s Next Hurdle

For those expecting a Terminator-esque diatribe warning you about the evils of ‘machine’ autonomy, you’re in the wrong place. For a security professional, I am perhaps the least suspicious and prone-to-conspiracy person I know. Even my sister and brother-in-law are worse, but they are a lawyer and Scottish respectively, so their paranoia is expected.

After reading Daniel Burrus’s articles ‘Big Data Is Already Producing Big Results’ and ‘Create an Integrated Big Data Strategy To Increase Sales Now’ it occurred to me that while Big Data has no place in security beyond forensics (in my opinion), the security OF the big data itself is critical. So is the integrity and availability of it.

The concept of Confidentiality, Integrity and Availability (CIA) has been around almost as long as I have, but only with the advent of big data and real-time analytics does it truly come into its own.

Everyone trying to sell you something – which is everyone – is looking at big data, or more specifically, how to collect the data in the first place, and what to DO with it once they’ve got it.

Scenario: You’re out shopping with your wife when suddenly you are barraged by lingerie offers, as your spending habits over the last few months have been recorded and instantly regurgitated by hopeful vendors. Your wife has no lingerie…

Morality aside, this is a gross invasion of your privacy (loss of confidentiality). Now imagine if that data was actually inaccurate (loss of integrity); I’m sure your wife would be very understanding, right? As for availability, that’s the vendor’s problem so I don’t care much.

Now, let’s take this even further. In ‘The Internet of Things‘, soon everything from your home security to your dog will be online. Your location, your travel plans, your favourite everything will be known by someone, or someTHING, somewhere. The amount of information being collected is growing, quite literally, exponentially. The trend is also to automate as much as possible, so for example, if no-one’s home, the oven should not be on. Do we really want ALL of these decisions made without human interaction?

I personally love the way things are going. Instant access, always-on, functionality, convenience, etc. But I am prepared to pay the price for this, the currency of which is measured in terms of the loss of both my privacy and, potentially, my personal safety. The data is online; if someone really wants it, they can get it, then do things with it I don’t even want to contemplate.

Big Data is not evil; data just is. It’s the use to which the data is put that defines good or bad. Businesses have been very quick off the block to define the profit-making contexts within real-time data analysis, but so far I haven’t seen much in the way of determining what’s right and wrong. Or whether or not we even have a choice to take part in it.

The generations born prior to 1990 are most likely the ones holding this trend back, so we’re the ones who’d better write the policies, and put the checks and balances in place, because the Millennials are too busy posting pictures of their junk.

Privacy

How Much Privacy is Too Much?

Thanks to the more unscrupulous vendors, security is becoming as complex as the law. Privacy therefore is at the top of the list of sticky topics because it involves both the law and security. More countries are enacting privacy laws than ever before, but just as in a regular business, functionality and security must be balanced to be effective.

I’m not going to list all of the ongoing privacy issues in the press, but the biggest two currently are: the Prism/whistleblowing/NSA scandal, and the EU’s Data Protection Directive. While worlds apart in their impact and aims, they still raise a question that I’ve not seen addressed very often, probably because there is no one right answer. But the question of how much privacy is too much should not be ignored, or any semblance of balance is impossible. Also, it seems that unless we’re bashing the perceived bullies (Government, big business), there’s not much interest in this side of things.

So, Prism, summarised and paraphrased, is an anti-terrorism program that has unprecedented access to enormous amounts of personal data.

Proponents state that it’s necessary for national security; opponents state that it’s an abuse of power / attack on civil liberties, and so on. But who’s right? If you choose a side – and take it to the extreme – you are either saying it’s OK for the Government to do whatever it takes to defend its people, and that the end justifies the means, or you’re saying that an individual’s right to privacy outweighs the security of a nation. Clearly both of these positions are nonsense, but what is the right answer? It has to be somewhere in between, right?

However, to get to the middle, both sides need to accept responsibility: Government for not becoming Big Brother-esque, and individual citizens for paying the price in personal privacy for the freedoms and conveniences we frequently take for granted.

For example, ask any victim of a terrorist attack, a hate crime, harassment, or a stalker-ex whether or not they would have traded complete loss of privacy to avoid their pain, and I think the answer is a given.

However, now ask ME whether or not I would entirely relinquish MY privacy to prevent this from happening to someone else – which I would do in a heartbeat – and you now have the gist of why this issue is so contentious (some are already calling it – terribly un-originally – Prism-gate). People want security, but they don’t want to accept the cost for it, and in today’s plugged-in/online/Internet/information age, that cost is their privacy.

As for the EU Data Protection Directive, that’s about the far less glamorous subject of making sure organisations protect the data in their possession, and while less life-threatening, leads to the same question. This time it’s about [for example] the ability of an organisation to sell you stuff that you want, or didn’t even know you wanted but now you can’t live without (like the iPhone). They want to sell you stuff, you want your data protected or removed altogether.

Personally I want organisations to know EXACTLY what I like and don’t like. That way I’ll get less spam and pop-up ads regarding adult nappies/diapers and erectile dysfunction, and more on amazing gadgets and toys that will make my life complete. This requires absolutely enormous amounts of data, and is a true use of Big Data.

Not everyone agrees.

However, WE choose to plug in; we’re not forced. I have LinkedIn, Facebook, Twitter, and more online bank / credit card accounts than I know what to do with. Sadly the accounts are mostly empty, but that’s not the point. The point is that I have chosen these methods of communication and convenience to make my life better. Which they do…vastly.

We are not owed this functionality, we have a choice to use it or not. If you want it, you must pay for it.

How many of you read the privacy notices, or terms & conditions when you sign up for online services? No, me either, so I’m not going to complain if they go ahead and do exactly what they told me they were going to do.

I cannot speak to the law or politics, nor can I wax philosophical on human nature, but what I can talk to is personal accountability. You are owed nothing, except that which you earn. From your income, to your rights, to your karma, you get back what you put in. So perhaps what we should all do, instead of complaining or demanding that heads roll, is be a little more circumspect in our online interactions:

  1. Don’t post inappropriate comments on FB/Twitter or ANY form of social media or email. Assume that this information will NEVER go away;
  2. Limit your online banking and purchasing to known-good sites, check for HTTPS in the URL (secure transmission), and CHOOSE A GOOD PASSWORD!;
  3. Make sure ALL of your online credit card / bank accounts have fraud and theft protection;
  4. Sign up for credit and identity monitoring services (I have two running, one US and one UK);
  5. Read the Terms & Conditions!;
  6. Do not even TAKE revealing or compromising pictures of yourself, or others, on any online-capable device …EVER (I think if I was to do that it would qualify as an offence against humanity, or maybe even a WMR (Weapon of Mass Revulsion));
  7. When you’re done with an online vendor, delete the account, and write to them invoking your right to erasure;
  8. Read my blog! 🙂

Personally, I LOVE the fact that London is full of cameras. I’m doing nothing wrong, and I feel better about my wife being out when it’s dark. I don’t care if some spotty geek in Fort Meade, MD is reading my personal email, or my FB posts; I’m not being seditious or inappropriate, and if they derive pleasure reading about my wife and me discussing our 2012 taxes, good luck to him/her.

I want safety in the streets, safety for my country, AND the convenience of all that being online gives me, and if my privacy is the price I must pay, so be it. I trust the ‘official’ watchers infinitely more than the criminals or terrorists, but it’s MY responsibility to give NO-ONE access to more than I can afford to lose.

[If you liked this article, please share! Want more like it, subscribe!]

Don’t Get Me Started On ‘Big Data’

Wikipedia describes big data as: “…a collection of data sets so large and complex that it becomes difficult to process using on-hand database management tools or traditional data processing applications.”

So why complicate the already difficult concept of developing an effective security program with a huge lump of data you can neither store, nor put to good use yourself?

I’m not against big data per se; there are some very relevant areas where it’s actually required: weather forecasting, social analytics, brain mapping, economics, etc. But in security? I don’t think so.

Security must be simple to be effective, and less is almost always more. Good security is baselined, whitelisted, known good and so on; big data can only be effective when your end goal remains somewhat static. I very much doubt either the bad guys or your business will stay still long enough to put the results of the big data mining efforts to good effect.

Also, and I’m far from being a conspiracy theorist (I’m just not suspicious enough), I can’t help but think the ones who really benefit are those who already have the storage, the bandwidth, and the existing data mining tools to make it effective, AND are looking for more business. Security must begin with a business need, then a requirement for specific functionality; it is not falling for a sales pitch or a perceived competitive edge based on the latest buzz-phrase.

Instead of trying to understand your security posture with big data, consider the following:

  1. What kind of sensitive or business relevant data do you have?
  2. Where is it?
  3. Which applications or people access this data?
  4. Do you REALLY need all of the data you have?
  5. Is your EXISTING security programme as effective as it could be?

If you don’t know the answer to ALL of these questions, you should start there. This doesn’t even qualify for ‘You can’t manage what you can’t measure’; this is ‘You can’t protect what you don’t even know you have.’

Maybe, years down the road, when your security programme is a well-oiled machine, and your Governance department is the paragon of business-to-IT communications, then, and only then, should you consider something as advanced as this. Though I seriously doubt it even then.
