As a business intelligence or enterprise data warehouse professional, you have a lot on your plate! Big data and business intelligence require that all the traditional stuff – data integration, data quality, data modeling, data governance, and reporting – continues to get done, and you have to continually educate business customers that big data does not somehow magically eliminate the need for the ‘ilities’ of data warehousing. You need what Tom Davenport, author of Competing on Analytics: The New Science of Winning, calls data defense and offense.
In highly regulated industries such as financial services, insurance, telecom, retail, or healthcare, you need to completely take on the mantle of data defense that Davenport advocates. Regardless of whether you are doing traditional BI or utilizing big data innovation, you need to ensure data governance, security, protection, privacy, and regulatory compliance.
Those of you with enterprise data warehouses and big data instances know that they represent a major source of business risk. For this reason, you have likely taken steps to protect the sensitive data flowing into your enterprise data warehouse and big data systems, deploying native access controls and encryption to ensure only authorized users can see sensitive protected data. This is clearly a necessary and good first step.
For regulated industries, however, platform centric, simple access controls and disk or volume level encryption are not enough. Simple access control does not police those with privileged administrative rights. The business risks of internal misuse, in a world of social engineering make these logon accounts a target for those trying to steal information from your organization. External bad actors targeting your organization know that the business intelligence (BI) infrastructure represents the “crown jewels” of your information assets and will spend months stealing these privileged credentials until they have in the clear access to everything in your data warehouse. This means that you need to move from protecting system access to protecting the data itself.
Native security alone is not enough, providing capabilities that are relevant to a broad range of its customers, but for those in regulated industries, they do not go far enough.
While native security allows you to encrypt the disks as a whole with Full Disk Encryption (FDE) and control access to it at the disk controller level, the reality is that this only protects against the disk drives themselves being removed from the secure data center. Bad guys are using your employees with privileged administrative access to get into your systems, through phishing and other forms of social engineering. This is far easier than trying to break all the intrusion protection and encryption that you have deployed. The whole game changes if hackers can pass as one of your employees with administrative or other clear text full access to the data. Simply encrypting data does not provide enough protection.
The 2016 Data Breach Investigations Report from Verizon showed that internal breaches now account for 50 percent of data losses but protecting data from internal misuse – something privacy regulations demand – requires more the data warehouse vendors natively provide. Simply limiting access does not provide enough protection. Using encryption to provide only coarse-grained protection does not provide enough risk mitigation to respond to today’s internal and external threats. Instead it makes sense to adopt two principles:
Segregation of Duties
To avoid conflicts of interest, those that need to see sensitive data in the clear should not be able to control access rules and those that manage the data (DBA’s, system admins, etc.) should not be able to view particularly sensitive data fields in the clear.
Business users should only see sensitive data that they need to perform their role (need to know) and nothing more.
This should be your goal in a regulated industry. You should ensure that you protect all data flowing into your data warehouse and that only authorized users with a legitimate need can see sensitive data – database and IT administrators should not qualify. Taking this step means that even a hacker with compromised system admin credentials will be limited in their ability to access sensitive data in the clear, and that internal users can only see the sensitive data that they need, and are authorized to see, to perform their jobs.
Users must be authorized and have fair and legitimate reason to process sensitive personal information. When protecting sensitive data, we need to ensure the data warehouse still works for advanced analytics or customer service support. Clearly, some should be able to see only de-identified or aggregated data only, not the sensitive data that it is built upon. When done correctly, this essential added layer of protection can be applied very transparently to authorized users and business processes.
If you are looking for more details on protecting your enterprise data warehouse, we have put together an executive brief, "De-risking Your Enterprise Data Warehouse." Check it out and let us know what you think!