BigInsights on Cloud: Where Critical Data Goes to Achieve Enterprise-Grade Security

IBM BigInsights on Cloud is an enterprise-ready Apache Hadoop® distribution designed to enable analytics on larger volumes of data more cost-effectively. Earlier in this interview series, Rohan Vaidyanathan, offering manager for BigInsights on Cloud, introduced the service (Part I) and explored specific use cases for big data projects (Part II). In Part III, Rohan is joined by Katherine Franklin, program director for security and compliance, to share some important security developments around BigInsights and other Cloud Data Services offerings.

In Part II of this series, you mentioned improved security of cloud-based services as one factor driving widespread adoption of these solutions. Given the recent news that BigInsights on Cloud has achieved compliance with top industry standards FISC, SOC2 Type 1 and ISO 27001, why should customers have greater confidence that they can trust BigInsights with their data?

Rohan: Hadoop is seen primarily as an analytics space, but increasingly companies also use it as an extension of their data warehouse and the core data management aspects within an enterprise. So, a lot of mission-critical data, a lot of secure data – PCI, PHI and PII – are landing in Hadoop and people want to analyze those kinds of data.

So, when you land this data on Hadoop, we need to take extra care to protect them, because while there are a variety of things you can do to secure data on Hadoop, at the end of the day, it’s open source. It doesn’t offer enterprise-grade security.

So that’s one of the reasons why BigInsights needs to follow some kind of a guideline as strong as ISO or SOC2, to make sure that we are doing the right things, not just to get a certificate or a stamp, but to really make sure that we are doing the right thing.

Katherine: First, let me distinguish between certifications and making our products more secure. IBM has a comprehensive security policy for the cloud. We focus our efforts on implementing our policy well, reviewing it often and continually improving both the features offered and our best practices for operating the services. So I like to differentiate between security and compliance.

For compliance, these certifications represent the external assessment that we are committed to doing. To me, it’s a measure of our commitment that we go to the additional cost and process associated with hiring an external auditor, and provide our customers with the reassurance that comes from a certification.

Now, granted, some of our competitors are doing the same, but not all of them, in the case of business intelligence, have been securing certifications like SOC2. ISO 27001 and SOC2 are both what are called horizontal specifications. They are generally applicable to a lot of different customers, in a lot of different industries, in a lot of different parts of the world, as opposed to something focused on specific industries such as healthcare data.

How important do BigInsights customers and prospects consider compliance with these types of industry standards to be?

Rohan: BigInsights on Cloud customers are primarily large enterprises in banking, insurance, healthcare, etc. We have a banking customer moving its enterprise data warehouse from on-premise to the cloud, into Hadoop and BigInsights. For them, meeting the SOC2 compliance standard is absolutely necessary to move data into the cloud, or anywhere else basically. They need SOC2 compliance to handle that kind of data.

We have another insurance customer who needs HIPAA compliance because they’re going to put that kind of data into a BigInsights cluster, and ISO is something we’re driving across all of Cloud Data Services.

So, providing certification on these standards, and more in the future, was always part of the product design due to the various industries and mission-critical systems we deal with.

Which industries are most concerned with the security of their cloud-based solutions?

Katherine: The short answer is ALL of them. For anybody who is serious about their data, one of the first questions you’ll hear from them around cloud is, “Is it safe?”

Our customers come to us with their personal, corporate or media experiences. They’ve heard about another vendor or company being hacked and/or the sensationalism of celebrity information being exposed on the Internet. Perhaps they’ve personally experienced identity theft. It all underscores their interest in security. But not all are experts or can afford to hire experts – that’s where compliance comes in and provides reassurance.

Security is the number one question from any serious customer, whether we’re hosting the data as a primary data source – as a data of record – or if we are caretakers of this data while they do some advanced analysis. They need to know that we’re a safe home for their data; that we are going to treat it with the respect and consideration that it deserves – as a valuable business asset for our customers.

Customers are looking for security of their data, and when you think of serious businesses, you may think mostly of banks, retail or healthcare facilities, but you should also be thinking about it in terms of anybody for whom data is their business, or anyone for whom data or analytics plays an important role in their business. We have seen interest from across all industries, geographies, etc.

Anyplace or anyone where numbers matter, and where data and analytics matter, you’re going to see the need to trust that we will keep their data safe, and that if there is an incident that we have the skills and ability to respond effectively.

Learn more about the security and compliance of our cloud offerings or get started with BigInsights on Cloud on IBM Bluemix today.
