1. Big Data Security Issues in Cloud Management

2. BDWG Big Data Working Group Researchers 1: Data analytics for security 2: Privacy preserving 3: Big data-scale crypto 4: Top 10 https://basecamp.com/1825565/projects/511355-big-data-working

3. Big Data Security/Analytics (now) Variety of Data, Security Intelligence Security Information and Event Management (SIEM) (mid-2000) Alarm Correlation Intrusion Detection Systems (1990) Network flows, Host Intrusion Detection logs, etc. The Road to Better Situational Awareness

4. What is new in Big Data Analytics? Traditional Systems  More rigid, predefined schemas  Data gets deleted  Complex analyst queries take long to complete Big Data Promise  Structured and unstructured data treated seamlessly  Keep data for historical correlation (e.g., 10 years)  Faster query response times Hadoop is de facto open standard for big data at rest

5. Security Intelligence Big Data Cyber-Data Logs, events, network flows, user id. & activity, etc Analytics Models, Baselining Feature extraction Anomaly detection Context (external sources of information) Dashboard Security analyst (human) looks at indicators Correlates with external sources of info to detect attacks

6.  In 2014 >60% of respondents installed tools to gain a better view of what is on their network  Examples:  Database Activity Monitoring (DAM)  Monitors administrator activity, unusual database reads/updates, event aggregation, correlation and reporting  Identity Access Management  Risk-Management control room  Security Information and Event Management (SIEM) Industry is Interested in Security Intelligence

7. 1.Communication protocols 2.Data-centric security 3.Big data privacy 4.Key management 5.Data integrity and poisoning concerns 6.Searching / filtering encrypted data 7.Secure data collection/aggregation 8.Secure collaboration 9.Proof of data storage 10.Secure outsourcing of computation Initial Set of Topics in Crypto

8. Searching and Filtering Encrypted Data subset, and range queries on encrypted data” EncrypterDecrypter SKPK Filtering Token

9. Secure data collection  How to make collection of data private as well as authenticated? Can verify signature came from a group member Cannot infer which member In case of dispute, a trusted third party can trace the signature to an individual

10. Secure data filtration Blogs Net Traffic News Feed Cloud Secret Criteria Obfuscate Garbled Filter Encrypted Filtered Data Decrypt Filtered Data Garbled Filter

11.  Computing on Authenticated Data  A signature scheme such that it is possible to derive signatures on “related” data from a signature on the original document  For example, deriving signatures on a redacted version of a document, without knowing the signing key Data Integrity and Poisoning Concerns

12. Proof of Data Storage  “PORs: Proofs of Retrievability for Large Files” by Juels and Kaliski  “Compact Proofs of Retrievability” by Shacham and Waters File F; N N = pq f = F mod φ(N) random g g F mod N Check if g f = g F mod N F

13. Top 10 Challenges Identified by BDWG Copyright 2013 FUJITSU LIMITED 13 1)Secure computations in distributed programming frameworks 2)Security best practices for non-relational datastores 3)Secure data storage and transactions logs 4)End-point input validation/filtering 5)Real time security monitoring 6)Scalable and composable privacy-preserving data mining and analytics 7)Cryptographically enforced access control and secure communication 8)Granular access control 9)Granular audits 10)Data provenance

14. Secure Computation in Distributed Programming Frameworks Threats/Challenges: Malfunctioning compute worker nodes Access to sensitive dataPrivacy of output information Current Mitigations: Trust establishment: initiation, periodic trust update Mandatory access control Privacy preserving transformations Copyright 2013 FUJITSU LIMITED 14

15. Security Best Practices for Non Relational Data Stores Threats/Challenges: Lack of stringent authentication and authorization mechanisms Lack of secure communication between compute nodes Current Mitigations: Enforcement through middleware layer Passwords should never be held in clear Encrypted data at rest Protect communication using SSL/TLS Copyright 2013 FUJITSU LIMITED 15

16. Secure data storage and transaction logs Threats/Challenges: Data Confidentiality and Integrity AvailabilityConsistencyCollusion Current Mitigations: Encryption and SignaturesProof of data possessionPeriodic audit and hash chainsPolicy based encryption Copyright 2013 FUJITSU LIMITED 16 How do we secure infrastructure for big data storage management?

17. End-point Input Validation / Filtering Threats/Challenges: Adversary may tamper with device or software Adversary may clone fake devices Adversary may directly control source of data Adversary may compromise data in transmission Current Mitigations: Tamper-proof Software Trust Certificate and Trusted Devices Analytics to detect outliersCryptographic Protocols Copyright 2013 FUJITSU LIMITED 17

18. Cryptographically Enforced Data Centric Security Threats/Challenges: Enforcing access controlSearch and filterOutsourcing of computation Integrity of data and preservation of anonymity Current Mitigations: Identity and Attribute-based encryptions Encryption techniques supporting search and filter Fully Homomorphic Encryption Group signatures with trusted third parties Copyright 2013 FUJITSU LIMITED 18

19. Data Provenance Threats/Challenges: Secure collection of data Consistency of data and metadata Insider threats Current Mitigations: Authentication techniquesMessage digests Access Control through systems and cryptography Copyright 2013 FUJITSU LIMITED 19 How do we keep track of complex metadata?