This section will be updated during the finalization of Volume 4.
The focus of the NBD-PWG Security and Privacy Subgroup is to form a community of interest from industry, academia, and government with the goal of developing consensus on a reference architecture to handle security and privacy issues across all stakeholders. This includes understanding what standards are available or under development, as well as identifying which key organizations are working on these standards.
The scope of the Subgroup’s work includes the following topics, some of which will be addressed in future versions of this Volume:
- Provide a context from which to begin Big Data-specific security and privacy discussions;
- Analyze/prioritize a list of challenging security and privacy requirements that may delay or prevent adoption of Big Data deployment;
- Develop a Security and Privacy Reference Architecture that supplements the NBDRA;
- Produce a working draft of this Big Data Security and Privacy document;
- Develop Big Data security and privacy taxonomies;
- Explore mapping between the Big Data security and privacy taxonomies and the NBDRA; and
- Explore mapping between the use cases and the NBDRA.
While there are many issues surrounding Big Data security and privacy, the focus of this Subgroup is on the technology aspects of security and privacy with respect to Big Data.
1.3 Report Scope
This section will be updated during the finalization of Volume 4.
In Volume 4 Version 1, the NBD-PWG introduced the concept of a security and privacy fabric. The fundamental idea is that security and privacy considerations impact all components within the NBDRA. This version of the document extends and amplifies this concept.
In addition, rather than embracing a maturity model, a safety engineering approach is chosen. The threats to safety and privacy in Big Data are sufficiently grave, and teams involved in big data creation and analytics potentially so small, that a heavyweight, organizationally demanding framework seemed inappropriate for broad use. Other frameworks, both existing and under development, address that space for Big Data and IoT.
This document introduces complex topics. Some are new, others are older, but have resurfaced with greater urgency because Big Data amplifies effects and/or risks. Despite that, the single broadest objective is to offer a three-level safety rating for a Big Data system. This high-medium-low simplification is offered in a list form (Appendix []), though it can be implemented through semi-automated means; the latter are indicated but not proscriptive.
Big Data is not yet a mature technology, but it has clearly taken hold. Early standards work, including the efforts of this Public Working Group, helped to focus attention on emerging risks as well as on the underlying technology.
Since the initial version of this document, recent developments – some refocusing the practice of software engineering on specific components such as scalability, others part of the steady march of technology – have impacted security and privacy. These include:
Additional Need: Need a couple of sentences to accompany each bullet below. Background here is to highlight differences from v1.
- Risks for intentional/unintentional breaches of privacy or discrimination against protected groups through machine learning and “algorithmic reasoning”
- Need for decentralization of high-risk data, particularly authenticating resources
- Adoption and integration of safety engineering practices
- Security in DevOps frameworks (“SecDevOps”)
- Security and privacy practices in agile development
- Collaborative use of software-defined networks to partition and protect data, application realms and physical infrastructure
- Integral use of domain models to guide security and privacy practices
- Blockchain and higher-granularity dynamic “smart contracts”
- Cryptography and privacy-preserving methods
- Big Data forensics frameworks must be co-engineered with security measures
- Increased use of attribute-based security
- Provide a broadly usable self-assessment for conformance to Big Data security levels
- Microservices and security
1.4 Report Production
This section will be updated during the finalization of Volume 4.
The NBD-PWG Security and Privacy Subgroup explored various facets of Big Data security and privacy to develop this document. The major steps involved in this effort included:
- Announce that the NBD-PWG Security and Privacy Subgroup is open to the public in order to attract and solicit a wide array of subject matter experts and stakeholders in government, industry, and academia;
- Identify use cases specific to Big Data security and privacy;
- Expand the security and privacy fabric of the NBDRA and identify specific topics related to NBDRA components; and
- Begin mapping of identified security and privacy use cases to the NBDRA.
This report is a compilation of contributions from the PWG. Since this is a community effort, there are several topics covered that are related to security and privacy. While an effort has been made to connect the topics, gaps may come to light that could be addressed in Version 2 of this document.
1.5 Report Structure
This section will be updated during the finalization of Volume 4.
Following this introductory section, the remainder of this document is organized as follows:
- Section 2 discusses security and privacy issues particular to Big Data.
- Section 3 presents examples of security- and privacy-related use cases.
- Section 4 offers a preliminary taxonomy for security and privacy.
- Section 5 introduces the details of a draft NIST Big Data security and privacy reference architecture in relation to the overall NBDRA.
- Section 6 maps the use cases presented in Section 3 to the NBDRA.
- Appendix A discusses special security and privacy topics.
- Appendix B contains information about cloud technology.
- Appendix C lists terms and definitions relevant to Big Data security and privacy.
- Appendix D contains the acronyms used in this document.
- Appendix E lists the references used in the document.
Version Overview
Version 2 of the Big Data Security and Privacy (SnP) document reflects changes in the technology environment as well as ongoing work within the WG.
Specific objectives for this version include:
(The items in this list will be edited and incorporated into the text.)
- Simplify document usability for novice implementers.
- Expand the SnP framework depth by deeper cross-linking to related standards. (See possible template for this approach: IEEE 1484.1.)
- See Cryptographic Technologies for Data Transformations. The V2 document is updated to reflect recent cryptology practices.
- A safety framework is introduced, suitable for use by unaffiliated citizens, big data software architects and IT managers. (See IEC standards 61508, 61671, 62046, SC22 WG 23.)
- Explicitly provide for phase-specific guidance.
- Provide levels of conformance to Big Data SnP practices across SnP phases. Low, medium and high conformance levels (“Conformity Assessment” in the “NIST Roadmap for Improving Critical Infrastructure Cybersecurity”) are provided (similar to NIST 800-53).
- Identify guidelines for integrating supporting Big Data systems dedicated to SnP (“Big Data SnP dogfood”). (Healthcare as strongest use case.)
- Incorporate SnP metadata-rich Big Data orchestration processes, enabled by tools such as Rundeck [2]. (Paired with the test bed demonstration.)
- Include SnP dependency frameworks.
- Reflect the growing importance of SnP aspects to the API-first and microservices design pattern. (Frank has some references from data type, RPCs & possibly API design; Bell Labs on provability of protocols)
- Facilitate incorporation of SnP models for the software development life cycle. (Is there a LC for analytics?)
- Draft a Big Data-annotated version of the NIST Privacy Catalog (see NIST 800-53, Appendix J).
- Identify Big Data touchpoints for Privacy by Design, OECD and other external privacy guidelines.
- Integrate models such as Sensing as a Service [3].
- More directly address SnP issues with geospatial and mobile data [4].
- Include software defined networks and other virtual network security concepts, as in NIST 800-125B [5].
- Provide a deeper explanation of Application Provider SnP requirements.
- Provide references to third party references on risks, verifiability and provenance for analytics that affect SnP. (Premise: Big Data amplifies an already known DC risk).
- SnP risk frameworks for specific design patterns (excludes cloud): distributed computing, middleware (“enterprise service bus”), agent-based, recommendation engines, web portals fronting legacy applications.
- More clearly identify where Big Data systems management intersects with SnP guidelines. The gold standard use case is the use of logging data for both operational intelligence and SnP, though the mapping is demonstrably nonorthogonal.
- Identify weaknesses in the current RA and propose updates.
- Depict policy and metadata orchestration using descriptions of test beds, such as developed at Indiana University.
- “System Communicator” and FTC
- API and OpenCL [6]
- See NIST 800-113 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-183.pdf