My sense is there are likely numerous use cases and hence appetite for an easy/cheap to implement "middle ground" solution, between "no particular protection at rest" and "we're using crypto" (at a price point much closer to the former than the latter). The sweet spot use case for those with higher risk appetite might be where there are significant sanctions, fines or downside for data breaches, but where crypto as a method is not specifically mandated.
In a data lake scenario, there could be data zones where this technique would be considered "sufficient" to avoid casual snooping by less trusted insiders.
In terms of worth, old-school risk managers in big cos will get there by applying a company-specific risk event "probability vs impact" matrix to a particular use case and seeing which dollar-loss quadrant they land in. Of course, this implies a use case and deployment scenario. But if you can go from the 1,000,000USD+ bucket down to the 100,000USD one, then it would raise enough eyebrows to be taken seriously.
Thanks,
Penvt
------------------------------
Craig Balding
CSA Enterprise Security Specialist
Owner at Resilient Security Ltd
------------------------------
Original Message:
Sent: Jun 01, 2020 12:14:21 PM
From: Jim Reavis
Subject: Obfuscation to protect Big Data indices?
A stealth mode startup briefed me on a solution to use an obfuscation technology to protect sensitive information in Big Data implementations as opposed to encryption. The tradeoff is that it is not as secure as encryption, but it essentially performs as well as cleartext and allows all the necessary searching and reporting functionality. The rationale is that where encryption is not practical, this is a superior alternative to cleartext. What do you think about that approach and what criteria would you use to measure its worth as a risk management mitigation? Spoiler alert, it isn't ROT13 :)
------------------------------
Jim Reavis CCSK
Cloud Security Alliance
Bellingham WA
------------------------------