By: Jonathan Lewis, director of product marketing, SSH Communications Security

Jonathan Lewis

Jonathan Lewis

In part one of “Encrypting the Wave of Big Data” we discussed the rise of Big Data and the security risks associated with this growth. Administrators may be aware of the problem, but stymied by how difficult the problem is to solve.

Part of the issue in deploying a centralized identity and access management to (potentially) millions of machine-based identities is the challenge of implementing change on system that’s already up and running. When the complexity of migrating an environment without interrupting the system in progress is taken into consideration, it’s understandable that enterprises haven’t rushed to get started. Yet the clock is ticking, and the longer the period of inaction stretches on, the higher the risk becomes.

Homegrown Access Control

So how are system administrators currently keeping track of the authentication keys used to secure M2M communications? Many use spreadsheets or write homegrown scripts for controlling distribution, monitoring and taking inventory of deployed keys. As one can imagine, this approach allows many keys to fall through the cracks. Processes for ensuring identities are removed when unneeded are commonly lacking. There may be no regular scanning; so unauthorized back doors can be added without the organization knowing.

Organizations risk more than hacker attacks by neglecting M2M security. They also flout industry standards and federal regulations that demand centralized control of the identities that access sensitive data, including finance, healthcare, telco and others. Since these are all industries in the midst of a drive to build Big Data infrastructures to capitalize on user trend data, by failing to secure their M2M connections adequately, they run the risk of failing audits and getting slapped with fines.

Best practices

To address these risks, administrators and IT staff should take the following steps:

  • Discover: Data center administrators, security teams or identity and access management staff often lack transparency into where identities are stored, what information those identities are permitted to access and what business processes they’re supporting.
  • Monitor: Admins should monitor to determine which identities are in active use and which are associated with inactive users or processes. The good news is that in many enterprises, unused – and therefore unneeded – identities usually are the vast majority. Once these unused identities are located and removed, the scope of the overall effort is reduced significantly.
  • Manage: Implementing centralized control over adding, changing and removing machine identities is the next step. This step enables policy-based governance over how the identities are used, ensures no more unmanaged identities can be added and provides verifiable proof of compliance.
  • Remediate: With visibility and control established, identities that are needed but are in violation of policy can be updated to conformance without disrupting ongoing business processes. For example, a machine identity might be supporting an active process, but have a higher level of privilege than is needed for the task.

The tools and processes supporting these best practices provide risk mitigation and compliance on an ongoing basis. The goal is to stop thinking of security as a one-time event, and more as a process the organization must adhere to on a constant basis.

Looking forward

The advent of Big Data has opened up a spectrum of new business possibilities within a staggering number of industries. In the mad dash to capitalize on these opportunities, organizations are failing to adequately secure M2M communications, leaving them vulnerable to theft, hacker breaches and hefty fines from failed audits. To comply with new regulations and industry standards and protect against breaches while bringing Big Data under a sound identity and access management umbrella, organizations should give these best practices close consideration.

 

269 queries. 0.691 seconds.