Upload
others
View
1
Download
0
Embed Size (px)
Citation preview
1
Big Data and its Real Impact on Your Security & Privacy Framework:
Erik LuysterborgPartner, DeloitteEMEA Data Protection & Privacy leaderPrague, SCCE, March 22nd 2016
A Pragmatic Overview
1. Understanding Big Data
© 2016 Deloitte Belgium - European Privacy Academy 2
2
Understanding Big Data Definition & Characteristics
3© 2016 Deloitte Belgium - European Privacy Academy
“Big Data is the collection of large and complex data sets that are difficult to process using “traditional” database management tools or data processing applications. Big Data is the new “raw material of
business”.” – The Economist
BUT
As Dan Ariely, Professor at Duke University said “Big Data is like teenage sex: everyone talks about it, nobody really knows how to do it, everyone thinks everyone else is doing it, so everyone claims they are
doing it.”
Understanding Big Data Definition & Characteristics
4© 2016 Deloitte Belgium - European Privacy Academy
Big Data generally refers to a set of technologies and initiatives involving data that is too fast changing (velocity), massive (volume) or too diverse (variety) for conventional technologies, skills and infrastructure to
handle efficiently.
90% of the data in the world today has been created in the last 2 years Velocity• Batch to streaming data
Every day, we create more then 2,5 quintillion bytes of data Volume• Terabytes to Zettabytes
Diversity of data sources and formatsVariety• Structured to Semi-Structured to Unstructured
Analytics on almost all types of data
Virtualization architecture
Often distributed large-scale (cloud)
infrastructures
3
• No “one to one” relationship of server to data storage
Reliance on virtualization architecture, needed to be able to draw from large content stores and archives as a single global resource
• Big Data environments often rely on distributed large-scale (cloud) infrastructures
a diversity of data sources and a high volume + frequency of data migration between different (cloud) environments
Understanding Big DataA different set up
5© 2015 Deloitte Belgium
Understanding Big DataBig Data Analytics
6© 2015 Deloitte Belgium
Collecting, organizing and
analyzing
Large sets of data
To discover patterns and other useful information
Better decisions
Competitive advantage
4
Understanding Big DataAnalytics Opportunities
7© 2015 Deloitte Belgium
Big Data Analytics represents tremendous opportunities, both for the private and public sector… :
• As a business asset: can serve to understand customers at a whole new level.
• To improve health care: can help deliver effective health care to patients faster and earlier (e.g. predictive medicine).
• To improve service: analytics can be used by governments to improve their citizens’ experience with administration by anticipating their needs.
• To strengthen security : Potential for new security insights and enhanced detection and prevention systems
provided that the challenges and risks are properly mitigated…
Profile
Geo-localisation
Email content
Online surveys
Browser history
…
Understanding Big Data Gathering information
8© 2015 Deloitte Belgium – European Privacy Academy
5
Example:
Many apps request the user’s location in order to give more accurate search results (e.g. nearest restaurant or shop of a certain company)
Example:
The content of the emails sent and received through Gmail are scanned by an automated software of Google. This information is then combined with other information of the Google profile of the users to display more relevant ads.
Understanding Big DataGathering information
9© 2015 Deloitte Belgium – European Privacy Academy
Geo-localisation
Email content
Example:
Data gathered through online surveys are used by companies to gain more insight about their clients (e.g. average age of people consuming their products)
Example:
Several service providers combine the browsing history of an individual user with the knowledge gathered about other users following a similar browsing path to give more accurate search results or advertising (e.g. Amazon and FNAC’s books’ suggestions, YouTube’s videos’ suggestions, etc)
Example:
data about the purchases made by a customer with its loyalty card, sensors in a car to determine the driving style of an individual, etc.
Understanding Big Data Gathering information
10© 2015 Deloitte Belgium – European Privacy Academy
Online surveys
Browser history
Other sources
6
Big Data in perspective: General Data Protection Regulation Understanding Big Data
© 2016 Deloitte Belgium - European Privacy Academy 11
Privacy by Design
Privacy by Default
Privacy Impact
Assessment
Records of Processing Activities
Data Security of Processing
Breach Notification
Data Protection
Officer
2. Big Data vs. Security & Privacy
© 2016 Deloitte Belgium - European Privacy Academy 12
7
Big Data vs. Security & PrivacyPrivacy Challenges
13© 2015 Deloitte Belgium
Outsourcing/Transfers
Accuracy
Transparency
Big Data
User Rights
Privacyby
Design
Lawfulness
Creating entirely new challenges we have not encountered before:
• Data linkages: Powerful analytics solutions can link data sets to reveal someone’s lifestyle, consumer habits, social networks and more – even if no single data set reveals this personal information.
• Profiling: the use of identifiable data to profile individuals in order to analyze, predict and influence their behaviour.
Big Data vs. Security & PrivacyPrivacy Challenges
14© 2015 Deloitte Belgium
8
Big Data vs Security & PrivacySecurity Challenges
© 2015 Deloitte Belgium 15
Access to huge volumes Difficult to protect and monitor
Complex environments Lack of granular audit trails
Variety of data Difficulty to verify access
BIG DATA TRADITIONAL SECURITY
• Big Opportunities: Big Data is now often regarded as most critical enterprise asset, focusing attention on performance and collection of data, not security.
• Big Attackers: Big Data attracts a new class of hackers & attacks. Threat landscape has altered radically.
Big Data vs. Security & PrivacySecurity Challenges
16© 2015 Deloitte Belgium
9
Big Data vs. Security & PrivacyOpportunity example
17© 2015 Deloitte Belgium
Using Big Data to analyse, predict and prevent security incidents
Potential for new insights and enhanced detection and prevention systems through continual adjustment and
effectively learning “good” and “bad” behaviours
Big Data provides the opportunity to consolidate and analyse logs automatically from multiple sources rather
than in isolation
Big Data vs. Security & PrivacyChallenge example
18© 2015 Deloitte Belgium
Securing the organisation and customers’ information
Encryption and access controls based on data attributes rather than storage environment
Information classification and data ownership become more critical
10
3. Conclusive remarks
© 2016 Deloitte Belgium - European Privacy Academy 19
• The Big Data security challenges will require a more agile security governance model including:
• More attention to detail :A holistic privacy/security strategy
• A migration from point products to a more unified security architecture
• Open and scalable Big Data security tools and approach
• A strengthening of SOC’s (Security Operations Centre) data science skills
• A more extensive leverage on external threat intelligence
• A more pragmatic focus on (breach) incident as well as identity and access management
Conclusive remarks
From a classic data protection governance model to an agile one…
20© 2015 Deloitte Belgium
11
• In addition, a more agile governance model should address the main privacy challenges of Big Data:
• Invest in IT security governance, not only security products
• Manage the security/privacy paradox and use an integrated security/privacy approach (e.g. monitoring versus anonymization)
• Clearly define privacy (and security) responsibilities
• Ongoing monitoring and audits (eg privacy impact assessments)
• Focus on the obtaining consent of the data subject: opt-in, not opt-out
• Make sure that processing remains compatible with purpose of collection(eg “secondary use” issue)
• Engage in harmonization and standardization
• Transparency towards data subject regarding its (GDPR) rights
Conclusive remarksFrom a classic data protection governance model to an agile one…
21© 2015 Deloitte Belgium
Conclusive remarksA holistic risk based approach across the (big) data lifecycle
22© 2016 Deloitte Belgium - European Privacy Academy
Inconsistent methods
Distributed storage
Accidental loss
Inappropriate third-party controls
Partial deletion
Accidental deletion
Sp
eci
fic r
isks
Inappropriate classification
Inappropriate security controls
Data distributed across network
Unnecessary retention
Improper duplication
Theft or breach
Improper access/sharing
Unnecessary retention
Misuse
Collection Storage Use SharingRetention & Destruction
Da
ta li
fecy
cle
• Classify: Inconsistent/unclear data classification scheme to understand the type of data that exists throughout the organization
• Discover: Insufficient understanding of where data is stored and how it is used
• Control: Lack of user awareness of individual and organizational responsibilities surrounding data protection
• Access: Unauthorized access to data across the data lifecycle
• Audit: Insufficient capability to audit the usage of data or monitor the effectiveness of implemented controls
Ge
ne
ral r
isks
• Effective data protection looks across the data lifecycle to allow an enterprise to tailor policy in a way that keeps information safe, yet available to those authorized to access it.
• Without knowing the lifecycle of data flowing through your organisation, it is impossible to be sure that it is all managed appropriately.
• Creating a personal data inventory and/or personal data flow maps will allow to understand and analyze the scope of privacy in your organization.
12
Thank you for your attention Any questions ?
23© 2016 Deloitte Belgium - European Privacy Academy
Erik LuysterborgPartner, CIPPBE Cyber Risk Services LeaderEMEA Data Protection & Privacy Leader
[email protected]: + 32 2 800 23 36Mobile: + 32 497 51 53 95
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/about for a more detailed description of DTTL and its member firms.
Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries and territories, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte’s more than 200,000 professionals are committed to becoming the standard of excellence.
This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte Network”) is, by means of this communication, rendering professional advice or services. No entity in the Deloitte network shall be responsible for any loss whatsoever sustained by any person who relies on this communication.
© 2016 For information, contact Deloitte Belgium
© 2016 Deloitte Belgium - European Privacy Academy 24