Target’s board is the latest to elevate the urgency and importance of addressing security and governance. Their decision to terminate their CEO earlier this week has many global auditing and management consulting firms pivoting to draft new cyber security and data protection strategies to deliver above and beyond the best practices they previously recommended, which primarily focused on compliance and risk mitigation.
Alongside the increased concern over corporate governance, there is continuous pressure from corporate innovation officers and CMOs to open up their vast data repositories from social networking, customer and supply chain sources, and to monetize this data via APIs and application development with ecosystem partners.
Big Data governance and security are the biggest gap in satisfying these conflicting needs. Over the last year, we have listened carefully to our government and multi-national telecommunication and cloud customers who are increasingly challenged to solve governance and security needs as well as new cloud orchestration, compliance, audit, and risk challenges.
For Big Data, traditional governance and security solutions fall short, not because of a lack of compliance metrics, but instead due to a lack of visibility and trust of customer, corporate, and government data-level transformations.
The default position of the industry has been to add additional layers of perimeter security and focus on confidentiality. What is being completely missed is Integrity, both of the underlying data and of the processes used to ingest, transform and analyze that data. Information security is traditionally considered a triad of Confidentiality, Integrity, and Availability (CIA).
What is often overlooked is that Integrity and Confidentiality are opposite problems and the same tools cannot be used to address both. Consider a crime in the physical world: the more witnesses there are to that crime the stronger the Integrity of the evidence. Yet the more witnesses there are the less Confidentiality can be assured. With only two parties present, it becomes ‘your word against mine’.
So while the industry begins to applaud Google and Facebook for increased transparency via ‘transparency reports’, these gestures are simply not enough when trust in the messenger issuing those reports is itself being demanded. What is needed is Integrity, and in fact, for Google and Facebook, this demand for increased accountability and transparency holds one of the greatest data monetization opportunities in history.
Addressing Integrity through widely witnessed verifiability
Guardtime’s KSI is a form of meta-instrumentation that validates the integrity of assets and their transformation processes without disclosing the underlying contents. This meta-instrumentation allows anyone, internal or external to the organization, to verify integrity, and thus can be used to uniquely tag, track, and differentiate massive data repositories with meta-information at the data level that remains persistent for the lifetime of the data. This instrumentation is a must-have feature for data intended for large-scale analytics, especially when public and non-public data are combined from data lakes and data silos.
Guardtime for Platforms
Guardtime’s Platform Workflow Component (PWC) can be used to create and manipulate massive-scale delivery workloads to the cloud with low latency for end-to-end chain of custody, creating immutable records associated with workload management that can be independently verified by the customer, service provider, regulator or developer. Applications for Guardtime’s PaaS-level component include API delivery, secure development operations (SecDevOps), SaaS application delivery and verification, and schedule, audit and compliance management with easy-to-understand, non-expert dashboards, interfaces, and generation of management-level reports.
Guardtime for Audit and Risk Compliance
Supporting signing, validation, scheduling and reporting for literally any log file format available today, Guardtime’s Audit and Risk Compliance Component (ARC) imparts robust authentication capabilities to audit and log activities. Authenticity, identity, and time information can be stored in the file or object itself, and/or escrowed to a Network Operations Center/Security Operations Center (NOC/SOC) environment in accordance with regulatory compliance requirements and NIST best practices for independence of auditability. Further, independent verification of these logs can be accomplished without disclosing the underlying specifics of the log file. In this way, long-term retention of log files can be trusted in the repositories responsible for their archive. Combined with Guardtime’s SOC, tamper and integrity-failure events associated with these logs can be cross-correlated with other network, M2M, virtualization, or user activities.
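The property claimed above for KSI and ARC, that a third party can check a log's integrity from hashes alone without seeing the log entries, is illustrated below with a plain SHA-256 Merkle tree. This is an added example, not Guardtime's code or the actual KSI aggregation structure; the log lines are constructed and the function names are assumptions.

```python
import hashlib
from typing import List, Tuple

# Constructed sample log lines; the verifier never needs to see these, only hashes.
SAMPLE_LOG: List[bytes] = [
    b"2024-01-01T00:00:00Z sshd[101]: Accepted publickey for alice from 10.0.0.5",
    b"2024-01-01T00:00:07Z sudo: alice : COMMAND=/bin/systemctl restart nginx",
    b"2024-01-01T00:01:12Z sshd[102]: Failed password for root from 203.0.113.9",
    b"2024-01-01T00:02:45Z kernel: audit: type=1400 apparmor=DENIED",
]

def leaf_hash(entry: bytes) -> bytes:
    # Domain-separated leaf hash so a leaf can never be confused with an inner node.
    return hashlib.sha256(b"\x00" + entry).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_tree(entries: List[bytes]) -> List[List[bytes]]:
    # Returns every level, leaves first, root last. Odd levels duplicate the last node.
    level = [leaf_hash(e) for e in entries]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2 == 1:
            level = level + [level[-1]]
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def root_hash(entries: List[bytes]) -> bytes:
    # The root is the only value that must be published or escrowed (e.g. to a NOC/SOC).
    return build_tree(entries)[-1][0]

def inclusion_proof(entries: List[bytes], index: int) -> List[Tuple[bytes, bool]]:
    # Sibling hashes from leaf to root; the bool says whether the sibling sits on the right.
    proof = []
    for level in build_tree(entries)[:-1]:
        if len(level) % 2 == 1:
            level = level + [level[-1]]
        proof.append((level[index ^ 1], index % 2 == 0))
        index //= 2
    return proof

def verify_inclusion(entry: bytes, proof: List[Tuple[bytes, bool]], root: bytes) -> bool:
    # A verifier holding only the root and the proof learns nothing about other entries.
    h = leaf_hash(entry)
    for sibling, sibling_is_right in proof:
        h = node_hash(h, sibling) if sibling_is_right else node_hash(sibling, h)
    return h == root
```

The verifier can be anyone holding the escrowed root; a changed byte in any entry, or a reordered entry, produces a different root and the proof fails.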
Integrity (or the lack of it) is the big gaping hole in addressing the dual concerns of corporate governance and data monetization through APIs. The traditional approach of adding layers of perimeter security and encryption is completely inadequate, and new tools, such as Guardtime KSI, are needed. When implemented in big data governance and security platforms, boards will get the governance and accountability they demand, and big data applications can be built with security and auditability integrated by design.