The Inner Circle

  • 1.  Obfuscation to protect Big Data indices?

    Posted Jun 01, 2020 12:14:00 PM
    A stealth mode startup briefed me on a solution to use an obfuscation technology to protect sensitive information in Big Data implementations as opposed to encryption.  The tradeoff is that it is not as secure as encryption, but it essentially performs as well as cleartext and allows all the necessary searching and reporting functionality.  The rationale is that where encryption is not practical, this is a superior alternative to cleartext. What do you think about that approach and what criteria would you use to measure its worth as a risk management mitigation? Spoiler alert, it isn't ROT13 :)

    ------------------------------
    Jim Reavis CCSK
    Cloud Security Alliance
    Bellingham WA
    ------------------------------


  • 2.  RE: Obfuscation to protect Big Data indices?

    Posted Jun 02, 2020 07:57:00 AM
    My sense is there are likely numerous use cases and hence appetite for an easy/cheap to implement "middle ground" solution, between "no particular protection at rest" and "we're using crypto" (at a price point much closer to the former than the latter).  The sweet spot use case for those with higher risk appetite might be where there are significant sanctions, fines or downside for data breaches, but where crypto as a method is not specifically mandated.

    In a data lake scenario, there could be data zones where this technique would be considered "sufficient" to avoid casual snooping by less trusted insiders.

    In terms of worth, old school risk managers in big co's will get there by applying a company specific risk event "probability vs impact" matrix to a particular use case and seeing which dollar loss quadrant they land in.  Of course, this implies a use case and deployment scenario.  But if you can go from the 1,000,000USD+ bucket down to the 100,000USD then it would raise enough eyebrows to be taken seriously.

    Thanks,
    Penvt

    ------------------------------
    Craig Balding
    CSA Enterprise Security Specialist
    Owner at Resilient Security Ltd
    ------------------------------



  • 3.  RE: Obfuscation to protect Big Data indices?

    Posted Jun 02, 2020 01:28:00 PM
I think this is a pretty good take and I agree that it could be useful in dissuading an attacker that isn't going to make a serious investment to overcome defenses.  I would imagine in scenarios where a major breach that could result in significant fines occurs, a regulator might say anything other than encryption shows a lack of due care, but I really don't know what the relative costs are between encryption and obfuscation in this scenario.  Thanks!

    ------------------------------
    Jim Reavis CCSK
    Cloud Security Alliance
    Bellingham WA
    ------------------------------



  • 4.  RE: Obfuscation to protect Big Data indices?

    Posted Jun 06, 2020 05:24:00 AM
I'm going to call it as a doubtful choice. Since there is no cost difference between encrypted storage and unencrypted storage, that won't drive the product forward. Unless they can show a significant enough cost saving in the same way in processing time and power for processing between secured by encryption and an encrypted obfuscated data repository, then they might have a case. Since if said data might be at compliance risk with GDPR, then that cost differential is going to have to be steep.

I can't imagine any privacy or security expert coming up with enough use cases to warrant it. On the surface, looking at it from the POV of a traditional data centre, maybe there are a few edge cases. I see none in the cloud right now. Since consistency and manageability is a key part of any governance and management platform, I doubt it's going to see much interest from a lot of organisations. It's providing another level of complexity, creating exceptions, which typically are the failure points in systems.

    It's a no from me

    Cheers
    Peter

    ------------------------------
    Peter McLarty
    Senior Consultant
    Telstra Purple
    ------------------------------



  • 5.  RE: Obfuscation to protect Big Data indices?

    Posted Jun 06, 2020 08:54:00 AM
That's a fair response too, particularly the point about compliance risk: it needs to be a meaningful cost difference.  A side note, but in some ways related, did you see that IBM announced a fully homomorphic encryption developer kit?  This still seems to be largely impractical, but maybe it is closer than I think.  The first demonstration was 11 years ago, a month after we launched CSA.

    https://devops.com/ibm-releases-fully-homomorphic-encryption-toolkit-for-macos-and-ios-linux-and-android-coming-soon/

    ------------------------------
    Jim Reavis CCSK
    Cloud Security Alliance
    Bellingham WA
    ------------------------------



  • 6.  RE: Obfuscation to protect Big Data indices?

    Posted Jun 09, 2020 01:32:00 AM
This sounds rather like technology we saw nearly 10 years ago from the likes of CipherCloud et al., which offered indexable "encrypted" data - they could demonstrate Gmail [SalesForce or a similar application] direct access with unreadable data, unless you viewed it via "your" (actually their) proxy, which understood the data fields and held your encryption keys.  Thus you could still ask the application to sort and search.

    ------------------------------
    Paul Simmonds
    CSA UK Chapter
    ------------------------------
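The trade-off raised in the opening post (searchable "obfuscation" that performs like cleartext but is weaker than encryption) and the key-holding proxy described in the last reply can both be seen in a few dozen lines of code. The following is an added example, not code from the thread or from any vendor it mentions. It assumes a hypothetical `FieldProxy` that sits between the application and an untrusted store and protects one field two ways: a deterministic keyed hash (HMAC-SHA256), which the store can use to answer equality searches without the key but which maps every identical plaintext to the same token; and a randomized cipher with a fresh nonce per record, which reveals nothing about equal values but cannot be searched at all. The randomized cipher is an HMAC-based keystream with a separate MAC, used only so the example runs on the standard library; a real deployment would use an AEAD such as AES-GCM from a vetted library. The sample rows are constructed.

```python
import collections
import hashlib
import hmac
import os
from typing import List, Tuple

# Constructed sample records (fictional). Note the repeated e-mail address.
SAMPLE_ROWS = [
    {"id": 1, "email": "alice@example.com", "note": "vip"},
    {"id": 2, "email": "bob@example.com", "note": "trial"},
    {"id": 3, "email": "alice@example.com", "note": "vip renewal"},
    {"id": 4, "email": "carol@example.com", "note": "churned"},
    {"id": 5, "email": "alice@example.com", "note": "support ticket"},
]


class FieldProxy:
    """Hypothetical key-holding proxy between the application and the data store."""

    def __init__(self, det_key: bytes, enc_key: bytes) -> None:
        self.det_key = det_key
        # Separate subkeys for keystream and MAC so the two PRF uses cannot collide.
        self.stream_key = hmac.new(enc_key, b"stream", hashlib.sha256).digest()
        self.mac_key = hmac.new(enc_key, b"mac", hashlib.sha256).digest()

    def tokenize(self, value: str) -> str:
        # Deterministic: same key + same value -> same token. Searchable, but leaks equality.
        return hmac.new(self.det_key, value.encode("utf-8"), hashlib.sha256).hexdigest()

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        # PRF in counter mode: block_i = HMAC(stream_key, nonce || i).
        out, counter = b"", 0
        while len(out) < length:
            out += hmac.new(self.stream_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def encrypt(self, value: str) -> bytes:
        # Randomized: a fresh 16-byte nonce per call, so equal inputs give different outputs.
        pt = value.encode("utf-8")
        nonce = os.urandom(16)
        ct = bytes(p ^ k for p, k in zip(pt, self._keystream(nonce, len(pt))))
        tag = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()  # integrity check
        return nonce + ct + tag

    def decrypt(self, blob: bytes) -> str:
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("authentication failed")
        pt = bytes(c ^ k for c, k in zip(ct, self._keystream(nonce, len(ct))))
        return pt.decode("utf-8")


def build_store(proxy: FieldProxy, rows: List[dict]) -> List[dict]:
    """What the untrusted store holds: a token for search plus ciphertext for recovery."""
    return [
        {"id": r["id"], "email_tok": proxy.tokenize(r["email"]),
         "email_enc": proxy.encrypt(r["email"]), "note": r["note"]}
        for r in rows
    ]


def search_email(store: List[dict], proxy: FieldProxy, email: str) -> List[int]:
    """Equality search the store can serve by comparing tokens; it never sees key or plaintext."""
    needle = proxy.tokenize(email)
    return [r["id"] for r in store if r["email_tok"] == needle]


def frequency_leak(store: List[dict]) -> List[Tuple[str, int]]:
    """What an attacker holding only a stolen copy of the store learns from the tokens."""
    return collections.Counter(r["email_tok"] for r in store).most_common()


def ciphertexts_distinct(store: List[dict]) -> bool:
    """Randomized encryption yields a different blob per record even for equal plaintexts."""
    blobs = [r["email_enc"] for r in store]
    return len(set(blobs)) == len(blobs)


def demo() -> dict:
    proxy = FieldProxy(det_key=os.urandom(32), enc_key=os.urandom(32))
    store = build_store(proxy, SAMPLE_ROWS)
    top_tok, top_count = frequency_leak(store)[0]
    return {
        "alice_ids": search_email(store, proxy, "alice@example.com"),
        "bob_ids": search_email(store, proxy, "bob@example.com"),
        "top_token_count": top_count,                      # 3: the most common token stands out
        "top_token_is_alice": top_tok == proxy.tokenize("alice@example.com"),
        "ciphertexts_distinct": ciphertexts_distinct(store),
        "roundtrip_ok": all(proxy.decrypt(r["email_enc"]) == o["email"]
                            for r, o in zip(store, SAMPLE_ROWS)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the example makes is the one the thread circles around: the deterministic token is what makes the "obfuscated" index usable by the application, and it is also exactly what an attacker with a copy of the index exploits. Three records share a token, so record linkage works without the key, and if the attacker can guess or observe a few plaintext values (common domains, known customers) the frequency distribution lets them label tokens. The randomized column has none of that leakage but cannot be searched, which is why the proxy must hold the keys and answer the query rather than the store. When assessing a product in this space, ask what the store can compute on the protected values (equality, range, sort) and treat that as the leakage budget, because whatever the store can compute, a thief of the store can compute too.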