An interesting subplot of this burgeoning, "capture everything" big data culture is whether a single, byte-sized piece of information really matters anymore. Big data, after all, is really about big picture thinking. At a high level, it's about how we assemble, on a massive scale, unrelated bits of information to better inform our worldview.
There’s a really good post from a Dark Reading column that calls into question whether organizations running big data applications are able to recognize the individual bits of information that may fall under HIPAA, FERPA, PCI, SOX and other regulatory guidelines.
“If this growing mass of data is becoming increasingly unstructured and accessed from an ever-distributed cloud of users and applications looking to slice and dice it in a million and one ways, how can they be sure they're keeping tabs on the regulated information in all that mix?”
While we recognize that encryption and key management are only part of a steady compliance diet, the importance of protecting sensitive bits of data, especially in a NoSQL data store, is critical.
Today Gazzang is working with several customers running big data apps in the U.S. and Europe. One of the primary reasons these companies turn to Gazzang is because we can help them secure those fine-grained bits of data in their Cassandra, Hadoop and MongoDB clusters.
For example, an organization that promotes personalized learning is using Gazzang zNcrypt™ to encrypt and secure student data. This sensitive information resides on a mix of NoSQL and RDBMS platforms and is subject to the Family Educational Rights and Privacy Act.
We are also working with a European postal service to ensure their sensitive customer data remains confidential when stored on MySQL and MongoDB platforms in the cloud. This is information that falls under EU data privacy regulations. See this blog from our partner, Chess iX, for further details.
These organizations understand that when it comes to big data security and compliance, the devil truly is in the details.
If data security is important to you, don't miss this webinar. 10gen is working with Gazzang to ensure your sensitive data is encrypted as it's written to MongoDB and your cryptographic keys remain safe and in full compliance with HIPAA, PCI-DSS, FISMA and other data security regulations. In this webinar, we'll share some real-life use cases of customers securing data in MongoDB, and we'll show you how to quickly install enterprise-class data protection in your environment.
Jared Rosoff, Director of Product Marketing and Technical Alliances at 10gen
Robert Linden, Senior Solutions Architect at Gazzang
David Tishgart, Director of Product Marketing at Gazzang
I would like to say that I was amazed at reading Bill Brenner's latest blog in CSO's online magazine this evening. Unfortunately, I'm not surprised at all. According to Bill, for the second year in a row, Verizon has released a report claiming that 79% of companies fail their initial PCI audits. Overconfidence, complacency and misplaced priorities are listed as three possible reasons for widespread PCI non-compliance, as well as the fact that companies just can't figure out how to comply.
Four requirements of the PCI Standards are listed as the toughest, the ones companies struggle with most. Those are requirements 3 (protect stored cardholder data), 10 (track and monitor access), 11 (regularly test systems and processes), and 12 (maintain security policies), all of which are directly linked to protecting cardholder data.
Wow, these seem like four pretty important requirements. Let's look at just the first, "Protect stored cardholder data." Yep, pretty important. If you're a business storing customers' cardholder data, and it's not encrypted with AES-256 encryption and a state-of-the-art encryption key management solution, then you are putting your brand (and your business) at huge risk. In my opening, I mentioned that I was not surprised that such a large percentage of companies are not PCI compliant. The reason I'm not surprised is that I just went through the process of changing my debit card number for the fourth time in a year due to fraudulent activity on my account.
Last November, my card number appeared to have been stolen from one of my favorite Tex-Mex restaurants in Houston. Once regular patrons began to figure out that the restaurant's IT system had been breached and their personal information had been stolen, word spread like wildfire and their 30-year-old brand was dragged through the mud like yesterday's enchilada. It nearly destroyed the family business. Take this micro-level example, and multiply it by the power of social media when assessing the risk to a nationwide (or worldwide) brand.
Let's get back to basics, and protect the stored cardholder data as a top priority. There are now simple-to-implement solutions out there (we happen to sell one) which can provide the level of security necessary to protect your ... customers' data.
Merchants of the world...please...protect our stored cardholder data. Besides the fact that it's dangerous to your customers, it's also dangerous to your reputation and your brand. And really, don’t make me learn to make my own enchiladas.
Link to article referenced: http://blogs.csoonline.com/1718/verizon_companies_still_stink_at_payment_card_security