The Most Secure Big Data as a Service Security

The public cloud promises many benefits, but there is significant work required to make cloud environments “production-ready.” While spinning up a cloud service can be (relatively) easy, making it secure, adding encryption and integrating with enterprise monitoring systems are often major hurdles. From acquiring specialized skills, developing monitoring processes and keeping current with the ever-changing stream of patches and updates…it can take a month to develop a secure cloud environment. ADA offers the most secure Big Data as a Service available. All of our solutions are fully-managed, monitored 24 x 7 – and include comprehensive security controls available. All of our solutions are fully-managed, monitored 24 x 7 – and include comprehensive security controls.

Built for Security and Compliance

ADA is designed and optimized to meet the most advanced data security requirements for physical security, network security, data protection, monitoring, and access controls. ADA’s unique architecture and focus on security from the very beginning ensured that compliance certification was straightforward. We did not have to re-engineer old systems or change our architecture to meet strict enterprise standards. ADA was designed for security from the ground-up.

Recognized Expertise

Our team includes recognized security leaders, and industry-leading expertise. ADA’s platform and services have passed rigorous third party audits. ADA is recognized for its security expertise and ‘above and beyond’ compliance with industry best practices and certifications. Throughout our journey, we’ve also relied on trusted partners to help guide our best-in-class security strategy.

ADA manages every aspect of cloud security, from technology implementation to the right processes for software development, release and operations.

SECURITY OPERATIONS AND COMPLIANCE

Best-in-Class Security Operations: ADA has a dedicated team that is continually monitoring our service to ensure the safety and privacy of your data. Our security team consistently monitors all access to the service looking for anomalies that could point to unauthorized access. We also subscribe to industry-standard security vulnerability assessments and ensure that these security flaws are addressed on your behalf.

LAYER 1: PERIMETER SECURITY

ADA solutions only run on cloud providers with the most comprehensive physical security and compliance controls available. Typical perimeter security is the digital equivalent of high “wall,” often referred to as a “walled garden.” The current recommended way to create a “walled garden” in the cloud is to start with a VPC in AWS or a VNET in Azure and set the security rules to ensure that all traffic in and out is only through expected channels (ports) from expected sources. All resources are within that walled garden, with no public IP addresses. This is very secure, but also can be a challenge for loading data and enabling user access – both of which need to be done on an ongoing basis in analytics projects.

LAYER 2: USER AUTHENTICATION

With good perimeter security in place, user authentication is the next critical piece. Most organizations already have internal user directories, such as Active Directory. However, cloud providers (AWS, Azure) have their own Identity and Access Management (IAM) mechanisms. Cloud provider components (eg AWS Redshift) mostly integrate with their IAM but some do not: AWS Redshift, for example, only integrates with AWS’ IAM for management and loading functions.

LAYER 3: END TO END ENCRYPTION

Most on-premises data stores (file servers, databases) do not have encryption turned on unless they are forced to by regulation, e.g., PCI or HIPAA. That’s due to extra work required for authentication, and a perception that internal systems are kept secure by physical security. The best practice however is encryption all the time, for any system in the cloud or on-premises.

While cloud providers like AWS and Azure provide the tools to build end-to-end encryption, it is up to the development teams to use these tools correctly and effectively. That is often where organizations fall short in “DIY” projects. Organizations choose ADA because our solutions are built from the ground-up for security. Our fully-managed platform includes 24 x 7 monitoring, and enterprise-grade functions for security and encryption.

Why is Encryption so Challenging for Data the Cloud?

Ensuring that data heading for the cloud is always encrypted — while in motion or at rest — is a complicated logistical problem. The user in charge of loading data needs to ensure that movement to the cloud occurs via a secure channel. Once the data reaches the cloud, it needs to be encrypted again prior to landing in the cloud object store, which is typically where most data is stored. Within the cloud, as users move data out of the cloud object stores (eg, to other processing engines or lower latency storage) data needs to be encrypted once again. Each of these encryption keys needs to be managed and secured.

It’s also critical to keep communications private for tools accessing the cloud – typically business intelligence, analytics or data management tools. Most tools that reside on-premises typically connect to other on-premises data sources. Since both the tool and the data are on the same local network establishing a secure connection is often not a high priority. This changes when tools are on-premises and the data is in the cloud. Connections between the tool and the cloud must be secure. Obviously, data privacy is critical. However, other communication (queries, etc.) between the tools and cloud is just as important. For example, a proprietary scoring algorithm should be treated with the same high-level of security as the data.

ADA’s Approach: Automatic Encryption

Encryption is so important that ADA believes it should be built-in. Users should not even have to think about it. If end-to-end encryption is built-in, nothing is left to chance. No user can make a choice or mistake that results in a major security exposure. This end to end encryption starts with the ADA Gateway. It establishes a secure connection with your secure ADA cloud. ADA configures cloud solutions so that only approved ADA Gateways can connect. All data and communications must flow through the Gateway. That means everything that traverses this connection get encrypted. All tools must connect via the ADA Gateway.

Once data is loaded to the cloud, ADA ensures that all stored (persisted) data is encrypted. The keys that are used for encryption for data “at rest” are further encrypted by a master key that resides in an HSM, a hardware security module that safeguards and manages digital keys. This ensures the integrity of the encryption keys.

LAYER 4: DATA AUTHORIZATION

The previous layers discussed provide platform-level security. Data access; however, typically needs to be more fine-grained. Users with access to the platform should not necessarily be able to access all the data. The ADA service includes capabilities to apply role-based authorization for data and metadata. Users can be assigned to groups, which drive what data each individual user can view or manipulate. This can be set at a high-level of just files or tables, or at a much more granular column and row level. The choice is up to each organization.

LAYER 5: LOG AND AUDIT EVERYTHING

Multiple layers of security still can’t protect companies from every potential situation, in the cloud or on-premises. A user can still share their login credentials (explicitly or accidentally) or they could leave a session open on an unlocked device. This is why ADA ensures that all activity within our solutions is logged in detail.

Every activity, at every layer of the ADA platform, is automatically logged and securely stored. This includes the cloud layer, the infrastructure layer and the data management layer. Each action, whether it is done by a human user or a system component, is logged and aggregated into in single, central, searchable repository.

ADA’s centralized logging is important for our security services and operations. Log data is fed through our SIEM, a security information and event management system, that supports our security operations team. If our SIEM or other security processes detect an anomaly or intrusion attempt, it responds appropriately based on the type of event detected. This log data is also critical for any forensics or audit operations.

As a cloud vendor, ADA is uniquely prepared for enterprise security assessments, with an industry-leading service architecture, processes and personnel. During deployment, ADA documents processes for incident mitigation and collaborating with an organization’s security team for user access management and related functions. Like any safety net, optimally these functions never get used, but they are critical to have for a production-grade system.

Disaster Recovery and Contingency Planning

For our disaster recovery and business continuity efforts, ADA has a comprehensive contingency plan, which identifies specific technical, operational and business functions along with associated contingency requirements.

We also provide recovery objectives, restoration priorities, and related documentation relative to contingency roles and responsibilities. ADA’s detailed disaster recovery and business continuity plan ensures minimal disruption to critical business processes.

SECURITY IS A COLLABORATIVE PROCESS

A successful and secure cloud solution deployment requires close collaboration between an organization and service provider. ADA understands the importance of a process and program that covers everything — from governance and compliance to cloud user access. ADA offers documentation, expertise and collaboration to ensure that you have the highest-level of security available in the cloud.