With Big Data in the Cloud it seems impossible to secure data, drive compliance, survive audits, mitigate risks and involve third parties to leverage high value customer and corporate data. It seems impossible to implement governance systems around access and control when people and workflows and systems are all being outsourced and infrastructure is being outsourced and systems are being abstracted and security has been virtualized and outsourced.
All of this presents a massive realization that the only solution is data-centric security, classifying data, networks and redesigning the system.
As Guerra is no doubt aware there are many challenges with data lakes not least of which are technological. PKI and XACML have been tried before and have proved challenging. For XACML read here, For PKI read here. In a nutshell the complexities and cost of implementation made them impossible to scale.
Of course it is not surprising that these technologies would be proposed, as there hasn’t really been a valid alternative, at least until now. As Steve Jones, Strategy Director, Big Data & Analytics, Capgemini points out “The data lake approach avoids the costs and performance lags of the other approach, which are associated with enriching every single piece of data with the right metadata”.
But what if there was a technology that existed today that could automatically assign, as part of the data lifecycle, metadata to every piece of data generated on the Internet with close to zero compute, network and storage overhead? And that the metadata was cryptographically linked to the underlying data such that anyone could verify the properties without relying on a centralized trusted authority?
This was our vision behind creating KSI – to build a new standard for data by replicating the functionality of PKI – without using keys and eliminating the complexity and cost of key-management. Such “keyless signatures” can be applied to any type of electronic data from a consumer “click” event to a large-scale weapons system such that the signatures are portable across organizational and service provider boundaries. It IS possible to enrich every piece of data and provide attribution – that every event on the Internet can be attributed back to a source, whether human or machine.
The technology is extremely simple to understand and requires knowledge of only hash-values and binary trees. Every second a federated and distributed binary tree is generated using hash-values of data generated around the globe within that second.
The root is calculated and “published” in a distributed “calendar” database that ever subscriber has a copy of. For every hash-value entered into the tree the unique hash-chain (or series of hash-values that allow the root hash-value to be recreated) is returned back and stored as the signature. With access to the public “calendar” database anyone, anywhere can receive data and verify the signature time, identity and integrity without reliance on a central trust authority.
This is data-centric security at Internet Scale
Every piece of data on the Internet can be attributed back to a source, whether human or machine enriching the entire world’s dataset with new metadata properties.
The implications for government, advertising, financial services, telecommunications and cybersecurity are profound. By integrating KSI into networks every component, configuration, and digital asset generated by humans or machines can be tagged, tracked, and located with real-time verification no matter where that asset is transmitted or stored.
Complete transparency and accountability can be achieved. In Estonian Government networks today every document and event is automatically signed generating an independent audit trail for citizens, who can choose to trust their government but they can also verify what happened to their data independently from those administering it.
For cloud computing
True dynamic attestation can be achieved. Real-time assurance that the state of your virtual environment is in the correct state independently from the cloud service provider.
Modern security solutions such as firewalls and sandboxing search for vulnerabilities but they can’t guarantee their absence. – and when it only takes one vulnerability to succeed the odds will always be overwhelmingly in favor of the attacker. KSI allows for different assumptions – by real time monitoring of the integrity of you network you can assume compromise. When malware infects a crucial network or system component, the changed state of the asset provides a real-time alert, which can then be investigated, audited, and/or behavior stopped, putting the odds back in favor of defense. With this real-time awareness, real-time incident response, real-time data-loss prevention, it is possible to detect and react to any misconfiguration, network and/or component/application failure.
For Big Data Governance
MIT’s Sandy Pentland and Microsoft’s Craig Mundie and Telefonica’s Jose Luis Agundez have all argued for a rethink in data privacy laws, that the traditional approach of legislating data collection and retention needs to be replaced by legislating data usage. KSI allows for exactly that – by tagging all data at source, consumers can specify how their data can be used via policies and service providers and their customers such as ad exchanges can be audited with forensic certainty such that those responsible for managing that data are in compliance with laws and the polices of their consumers.
There is a compelling need for a new approach to security and governance on the Internet. KSI offers the promise of attribution – enriching all data with a new form of metadata such that all activity can be attributed back to a source and time – paving the way for a new level of security, transparency and accountability.