Best Practices for protecting your Data Lakes

Data Lake Security

Introduction

Back in the days when the internet started to generate a wide variety of unstructured data, there was a need for a data container that could store bulk amounts of unstructured data without any defined schema. Data lakes were introduced to solve this problem as they had the capabilities to store structured, semi-structured, and unstructured data without schema definition.

IRM Consulting & Advisory | Your Cybersecurity Trusted Advisor

Currently, data lakes are the primary source of raw data storage in every organization. Data Lakes can easily contain up to petabytes of data. This data could come from multiple heterogeneous sources. Hence, data lakes act as a secondary storage device in a personal computer that can store multiple formats of data in their original form.

Data Lake Security

Data lakes are generally the central shared repositories for the entire ecosystem of an enterprise, which is why they need to be appropriately protected. Since the data in a data lake is gathered from multiple nodes, it is quite possible for the data lake in an organization to contain trade secrets, financial information, competitive strategies, or any other sensitive information. The flexibility of data lakes to store a wide variety of data also makes them vulnerable to security threats. The environment outside of the data lakes can be very dynamic and the applications feeding the data lakes can inject any sort of data into them.

The unique nature of data lakes to hold raw data can make maintaining their integrity and security extremely challenging, especially for risk-averse enterprises. Having said that, data lake security solutions have advanced to the point where you can have a properly secured data lake by practicing simple techniques. Listed below are some of these techniques:

IRM Consulting & Advisory | Your Cybersecurity Trusted Advisor

Vulnerability Management

This is a process of identifying and patching threats in a system that could lead to a potential data breach. An organization must have a proper vulnerability management plan consisting of scheduled threat identification tests, such as penetration testing. Furthermore, all the elements of the data lake environment should be updated as soon as the developers push a security patch.

Data Loss Prevention

Data prevention guidelines aim to prevent data loss at the time of any unforeseen event. All organizations should have persistent backups of their data lakes. The goal of data lake prevention plans is to maintain data availability across the entire enterprise infrastructure.

Authentication

Authentication controls are implemented to ensure only legitimate users have access to the data lake. Data lakes are the large dump of information, and they can contain private information of an organization. Therefore it is necessary to block the access of malicious users.

Authorization

Authorization deals with allocating privileges to authentic users. Data lake access and modification should be restricted based on the roles of the users within the organization. A clerk does not require full control over the data lake as his job title doesn’t concern much with the data lake.

Encryption

Encryption, in general, is a process of encoding data in scrambled form so that only authorized users can access it. By implementing encryption on data lakes, an enterprise can assure that if by any means a malicious user gets access to the data lake, then they won’t be able to get any information out of it.

Allocating Appropriate Resources

Misallocation of resources or hiring of the wrong professionals for work on the data lake of an enterprise can also result in security risks. Professionals tend to treat data lakes as a cheaper version of databases and attempt to handle data lake operations just like database operations.

Data Lake Security Plan

As the name suggests, a data lake security plan in an organization is an internal managerial plan that focuses on the improvement, maintenance, and compliance of data lake security. An optimal data lake security plan must cover the following challenges:

Data Access Control

Access management for a data lake can be pretty challenging since data lakes are based on the object storage model where maintaining the integrity of the data is not easy. Organizations can use higher-level tools, such as Okera, and Cazenna to assign granular permissions across the entire enterprise.

Data Protection

Encryption is a common technique of encoding data in an unreadable format. However, this can result in the enterprise’s applications crashing, since the format of data fields in data lakes changes during encryption. A company can avoid this by adopting more advanced techniques like tokenization, which is much more robust and reliable.

Data Lake Usage

Data in data lakes are channeled from various sources but at the end of the day, the data steward and the data owner are the two primary stakeholders. Both stakeholders need to uphold the company’s policies before making data available to the entire company.

Data Leak/Loss Prevention

In most cases, whether intentional or unintentional, data leaks are the result of insider activity. One way of reducing data leaks is by revoking access to data lakes from unconcerned employees.

Data Governance, Privacy, and Compliance

A company’s data management policy determines the responsibility level of the company. There should be appropriate rules regarding the maintenance of the integrity of data across the entire organization, as well as sanctions for those who disregard the company’s policy statement.

Zones Inside Data Lakes

IRM Consulting & Advisory | Your Cybersecurity Trusted Advisor

A zone inside a data lake can be referred to as a logical or physical separation. This strategy allows better handling and maintenance of the data inside data lakes. A generic 4 zone model is described below but you can modify it according to your needs:

Temporal Zone: for storing temporary data like streaming spools.
Raw Zone: for storing raw data. It is recommended that you encrypt or tokenize any sensitive information stored in this zone.
Trusted Zone: for storing confidential data that is verified by the company’s policies.
Clean Zone: for storing enriched and manipulated data.

Final Words

Data Lakes certainly provide a very flexible way of storing raw data, but they also carry some security challenges with them. Enterprises should be very careful while distinguishing data lakes from conventional ways of storing data like DBMS. Implementing and maintaining data access controls and policies are the keys to a secure and agile data storage platform, Data Lake.