Sqrrl Blog

May 27, 2014 3:05:00 PM

Rebalancing the Security Equation

by Joe Travaglini, Director of Product Marketing

There is no secure perimeter.

With the dawn of phenomena such as Cloud Computing and Bring Your Own Device (BYOD), it is no longer the case that there is a well-defined perimeter to secure and defend. Data is able to flow inside, outside, and across your network boundaries with limited interference from traditional controls. The "trusted zone" as we know it is a thing of the past.

Furthermore, Big Data is all about breaking down silos and gathering disparate data sources with various security and compliance requirements into a shared platform. While this enables building new types of applications and analytics, it also compounds the risks of data loss events, given the extra gravity these platforms command. In other words, Big Data amplifies the stakes of security.

How will you address this issue? It requires rethinking the approach. We need to embrace the chaos and change the security equation entirely.  If we can't adequately protect the data, why not let it protect itself?

A New Security Paradigm

Data-Centric Security describes the philosophy that all data has embedded within it information that specifies policy, access, and governance.  A core principle of the Big Data movement brought a fundamental change to the flow in the data-application lifecycle (i.e., "move the application to the data", instead of the other way around), and Data-Centric Security involves a similar inversion.  Rather than building layer upon layer of rules and protections, and funneling everything through multiple checkpoints to enforce security procedures, Data-Centric Security yields a hardened ecosystem with self-contained policy and distributed enforcement.

[Figure: DCS Reference Architecture]


Sqrrl Leads the Charge

Sqrrl Enterprise is the only Big Data platform with comprehensive, end-to-end Data-Centric Security, designed from the very beginning and shipped on day one. We believe that a Data-Centric Security offering should include:

  • Fine-grained, cell-level security enforcement – the independent access validation of every field of data stored in the system, individually
  • Data labeling capability – the ability to assign visibility labels to data that specify access policy, using a set of rules
  • Policy specification capability – the ability to grant individual or groups of users entitlements to view data that has a particular set of visibility labels
  • Encryption, at-rest and in-motion – ensuring that data is always protected cryptographically, whether resident on disk or traversing the network
  • Secure search – ensuring that data is easily retrievable, and that this convenience does not provide a source of data leakage
  • Auditing – recording every client operation taken against the system


Data-Centric Security in Action - Labeling Engine

To demonstrate one of the many Data-Centric capabilities in Sqrrl Enterprise, let's take a look at an example of writing a labeling rule using the Labeling Engine. Consider the following JSON document:


{
 "user-id" : "bob5678",
 "mailbox" :
 {
   "name" : "Bob E. Example",
   "address" : "bob@example.com",
   "num-messages" : "3",
   "messages" :
   [
     {
       "message-id" : "99074",
       "message" :
       {
         "from" : "Alice E. Example <alice@example.com>",
         "subject" : "Party on Sunday",
         "importance" : 1,
         "body" : "Do not forget our party on Sunday"
       }
     },
     {
       "message-id" : "129434",
       "message" :
       {
         "from" : "Dr. Bob Doctor <drbob@example.com>",
         "subject" : "Test Results",
         "importance" : 10,
         "body" : "Everything came back OK.\n\nI will see you in the office on Friday."
       }
     },
     {
       "message-id" : "653812",
       "message" :
       {
         "from" : "Richard T. Lawyer <rlawyer@example.com>",
         "subject" : "Deposition",
         "importance" : 7,
         "body" : "You need to schedule your deposition."
       }
     }
   ]
 }
}

Let's say you want to flag the messages that have the highest importance as veryimportant. With the Labeling Engine, the following rule would achieve that goal:

APPLY veryimportant to //mailbox/messages[**]/message WHERE CHILD importance >= 10

Our rule syntax uses XPath-like expressions to match portions of a document. In this case, we want to tag the items in the mailbox-->messages-->message hierarchy that have a child field called 'importance' whose value is greater than or equal to 10. After running this rule, the JSON document above would be transformed to the following:

… snipped …
     {
       "message-id" : "129434",
       "message@[veryimportant]" :
       {
         "from" : "Dr. Bob Doctor <drbob@example.com>",
         "subject" : "Test Results",
         "importance" : 10,
         "body" : "Everything came back OK.\n\nI will see you in the office on Friday."
       }
     },
… snipped …

Having a way to automatically assign and manage visibility labels on data is a key part of a Data-Centric Security solution. Combined with our Policy Engine, which allows for point-in-time assignment of user entitlements that correspond to access to these data labels, you can begin to see the power and flexibility for defining extremely fine-grained, expressive security characteristics.
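To make the labeling rule and the entitlement check concrete, here is a small added example (written for this post, not Sqrrl's own code) that parses the single rule form shown above, tags the matching "message" key as the post's output does, and then filters a labeled document down to what a caller with a given set of entitlements may see. The sample document is a constructed abbreviation of the mailbox JSON, and the rule grammar and the visible() filter are hypothetical stand-ins for the Labeling Engine and Policy Engine.

```python
import copy
import re

# Constructed sample document, abbreviated from the mailbox JSON in the post.
DOC = {
    "user-id": "bob5678",
    "mailbox": {
        "messages": [
            {"message-id": "99074", "message": {"subject": "Party on Sunday", "importance": 1}},
            {"message-id": "129434", "message": {"subject": "Test Results", "importance": 10}},
            {"message-id": "653812", "message": {"subject": "Deposition", "importance": 7}},
        ]
    },
}
RULE = "APPLY veryimportant to //mailbox/messages[**]/message WHERE CHILD importance >= 10"

# Only the rule shape shown in the post is parsed (hypothetical grammar, not Sqrrl's).
RULE_RE = re.compile(r"APPLY (\w+) to //(\S+) WHERE CHILD (\S+) (>=|<=|>|<|=) (-?\d+)$")
OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, "<": lambda a, b: a < b, "=": lambda a, b: a == b}

def apply_rule(doc, rule):
    """Return a copy of doc in which every matched key is renamed to key@[label]."""
    label, path, field, op, num = RULE_RE.fullmatch(rule).groups()
    doc = copy.deepcopy(doc)
    _label(doc, path.split("/"), label, field, OPS[op], int(num))
    return doc

def _label(node, steps, label, field, test, num):
    if not isinstance(node, dict):
        return
    step, rest = steps[0], steps[1:]
    key, each = (step[:-4], True) if step.endswith("[**]") else (step, False)
    if key not in node or (each and not isinstance(node[key], list)):
        return
    if rest:  # intermediate step: descend; [**] means every element of the list
        for child in (node[key] if each else [node[key]]):
            _label(child, rest, label, field, test, num)
        return
    value = node[key]  # final step: evaluate the CHILD predicate, then tag the key
    if isinstance(value, dict) and isinstance(value.get(field), (int, float)) and test(value[field], num):
        node[f"{key}@[{label}]"] = node.pop(key)

def _label_of(key):
    m = re.fullmatch(r".*@\[(\w+)\]", key)
    return m.group(1) if m else None

def visible(doc, entitlements):
    """Policy-side filter: drop every labeled subtree whose label the caller lacks."""
    if isinstance(doc, dict):
        return {k: visible(v, entitlements) for k, v in doc.items()
                if _label_of(k) is None or _label_of(k) in entitlements}
    if isinstance(doc, list):
        return [visible(v, entitlements) for v in doc]
    return doc
```

On the sample, only message 129434 is renamed; a caller without the veryimportant entitlement sees that entry reduced to its message-id, while the other two messages remain fully visible.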

Learn More

If you want to learn more about Sqrrl's approach to Data-Centric Security, stay tuned for our Whitepaper coming out soon!
