Gazzang’s customers are obviously passionate about cybersecurity. So they generate and manage more cryptographic objects and cybersecurity secrets than the norm. This means they run an *above-average* risk of losing track of “cryptographic collectibles” - which could leave everyone in a world of hurt.

This month we’re giving them a central administrative user interface from which to:

  • Take stock of what they have (including keys, certificates, passwords, etc.)
  • Drill down to a list of what’s encrypted where, and what’s not
  • Stay one step ahead of expiring certificates (that could otherwise cause outages)
  • Double-check what processes can access the clear text version of encrypted data
  • Review the governance policies (like retrieval limits or trustee votes) currently in force upon any asset

We might use a term like ‘certificate management,’ or ‘centralized cryptographic framework,’ or ‘security platform,’ to describe our new zTrustee Management Console. But - no matter what we call it - the point is that it’s all been built to help you, the busy IT professional with a passion for data security.

Who’s especially going to like this?

    • Anyone who pulls reports on (or must audit) data you’ve said you’re encrypting
    • Leaders who’ve experienced turnover of operational staff (a little institutional knowledge can go a long way, right?)
    • Those who’d otherwise get midnight calls about expired certificates & the like

What all can be deposited, secured and then reported in the new zTrustee Management Console? Think of zTrustee like a “virtual safe deposit box” for all your cybersecurity and cryptographic collectibles:

  • SSL certificates (really any X.509 certificates)
  • Encryption keys (especially - but not limited to - zNcrypt encryption keys)
  • SSH public/private keys (pick your poison: RSA/DSA etc.)
  • API keys
  • Java KeyStores for Hadoop and Cassandra
  • GPG key trust databases
  • Passwords and passphrases
  • Configuration files
  • Directory structures
  • Plus files of any type, like a spreadsheet tracking stock option grants to various employees, the recipe for New Coke, and other things that should be kept away from the public

What does it look like?


zTrustee Management Console View
Fig1. - Overview of a sample organization’s crypto collectibles
zTrustee Virtual Safe Deposit Box
Fig2. - Sample list of items placed in zTrustee “virtual safe deposit box”
zTrustee Deposit Detail
Fig3. - Sample zTrustee deposit detail


How can you get your hands on all this? Gazzang customers can just log a support ticket for a zTrustee 3.6 upgrade so you can install the browser-based zTrustee Management Console. Not a Gazzang customer yet? Request a demo today and you can be encrypted tomorrow.

Can’t Miss Security Sessions at the 2014 OpenStack Summit

The OpenStack Summit kicks off in Atlanta in just a few weeks. From implementation and provisioning to architecting and securing OpenStack architectures, the conference is jam-packed with incredible content. While we know you can’t catch everything, here are our picks for “can’t miss” sessions for the security-minded professional.

While at the Summit, make sure to swing by the Gazzang booth #E23, to learn more about data security on OpenStack.

Gazzang fully supports OpenStack and offers encryption and key management for organizations running GlusterFS-backed OpenStack clouds.

According to the Ponemon 2013 Cost of Data Breach Study, the average cost of a breach is $188 per exposed record for U.S.-based organizations. The number by itself doesn’t seem so bad, but when you consider the Target breach impacted more than 70 million customers, it’s easy to see how those numbers quickly add up and why the data breach insurance market is surging.

In fact, according to Marsh LLC, a New York insurance brokerage firm that tracks the market, the number of cyber insurance policies sold to retailers, hospitals, banks and other businesses jumped 20 percent last year. This indicates heightened concern about data breaches and increased demand for risk management across a range of industries.

Cyber/data breach insurance provides support following a data breach, in some cases helping businesses keep the lights on in the face of escalating costs. It can cover:

  • Hiring a computer forensics investigator to determine root cause and assess damage
  • Contracting a data privacy attorney to help navigate data privacy laws
  • Notifying affected customers, employees or other constituents
  • Offering credit monitoring services and establishing a call center
  • Hiring a third party public relations and crisis management firms
  • Lawsuit costs and damages
  • Regulatory fines and penalties
  • Business interruption expenses

So the big question is, what does it cost?

In 2012, Gartner, Inc., reported that cyber insurance premiums ranged from $10,000 to $35,000 for $1 million in coverage. According to Chris Heuman, practice lead at RISC Management & Consulting, premiums are determined by a variety of factors including:

  • Amount of data - Policies are frequently tiered based on numbers of records under management. Expect your costs to rise as you accumulate more information about each customer and *also* as you acquire more customers.
  • Security policies, risk assessments and data protection – As part of the initial application process, insurers will send a security survey (expect at least 30 questions) asking about a company’s current security policies. It will address training, vulnerability assessment, disaster recovery and encryption processes.

“It’s important to get your shop in order before requesting a quote,” Heuman says. “If you don’t have these policies in place, and try to build them as you complete the security survey, carriers will notice and will send up a red flag.”

Previous incidents – If an organization has had a previous incident, filed a claim with another carrier that included fines or settlements or is currently being investigated for a breach, costs will be very high, if a policy is approved at all.

Here are a few tips from Heuman as you evaluate data breach insurance policies:

  • Get multiple quotes – Breach insurance is still relatively new and carriers are just learning how to price it. As a result, quotes can vary significantly from one provider to the next.
  • Look for a carrier that knows your industry – Too often, health care organizations are getting policies that were written for shops that deal with PCI-DSS and vice versa. The language in the policy needs to reflect the language of your industry.
  • Review policy limits and exclusions – Read the fine print. Many policies claim to cover forensics, and they do up to a point. The issue is that coverage may only account for a small fraction of the actual cost of the service. Another thing to look for are exclusions that might void the policy if an employee does something illegal or if a compliance regulation is broken. Bottom line is to make sure the policy limits don’t negate the value of your policy.
  • Check your business associates agreements – Many business associates agreements now include indemnification clauses, and organizations frequently sign them without knowing what they mean, thereby accepting unnecessary risk. Be sure to check your policies and understand the scope of your liability.

Here at Gazzang, we’ve heard of companies who got discounts on data breach insurance due to having strong encryption in place, coupled with remote key management (meaning the keys are purposefully separated from the encrypted data). Just always bear in mind that - no matter what costs can be defrayed by insurance - there’s no substitute for proactive data security. No matter what coverage (if any) you purchase, always follow data security best practices including assessing risk, training employees on constant vigilance, and making use of all the security policies and solutions you’ve actually selected.

For more on this topic, check out:

Friday, 18 April 2014 11:58

Google gives us all another reason to encrypt

Written by

At Gazzang, we’re huge fans of data encryption. We don’t need regulations requiring us to encrypt. We simply believe that it’s in the best interest of everyone to secure the information that powers their business.

But for those that are still on the fence about encryption, here’s yet another incredible reason to encrypt:

According to the Wall Street Journal, Google is considering boosting the search ranking of websites that encrypt. And Wired agrees, saying It's Time to Encrypt the Entire Internet.

So think of all the time, energy and dollars that your company spends on search engine optimization (SEO). Now consider that Google may in fact boost the ranking of your competitor’s brand – pushing much more traffic to them – simply because they encrypt and you do not.

As NetworkWorld put it, “Placing encrypted sites higher in the mix would serve as a signal of its (Google’s) own on the importance of security, amid concerns over cyberattacks and government surveillance.”

Let’s face it. Encryption too effective to ignore and super easy to deploy. If you’ve been waiting for that last benefit to push you over the edge – it’s officially here. Trust me, your marketing department will thank you for it.

Tuesday, 15 April 2014 14:42

No Heartbleed Here

Written by

While organizations spend the next few days and weeks patching OpenSSL vulnerabilities, the realization is setting in that we may never know the full extent of the damage caused by Heartbleed. What we do know is Gazzang services were not impacted by the bug. 

HeartKeyAlthough Heartbleed was only announced in early April, it has actually been present in OpenSSL versions dating back to March 2012. This means hackers have had ample time to steal certificates and other sensitive information. Making matters worse, it’s nearly impossible for companies to know whether their web communications have indeed been compromised.

Should I worry about my Gazzang zNcrypt keys being exposed?

No. Gazzang zNcrypt keys are encrypted client-side, so a compromise of the zTrustee server using Heartbleed would never expose any zNcrypt keys. Furthermore, while we use SSL for data-in-transit encryption, the payload of data between client nodes and zTrustee is encrypted with strong crypto libraries like GPG underneath OpenSSL. So we’re doubling up the encryption, just for instances like this.

Like many other websites, we have already patched our zTrustee SaaS servers for the Heartbleed vulnerability. We also encourage customers who haven’t already done so to upgrade to the latest operating system version and deploy those OS patches as well.

What exactly is being exposed?

When exploited by a hack, Heartbeat (the name of the transport layer security extension where the bug was found) dumps whatever data might reside in the memory of client/server communications in small 64k chunks. Normally this traffic is encrypted, but the bug actually compromises the secret keys, usernames and passwords that protect this data. Leaked keys can lead to insecure web certificates, which could indirectly lead an attacker to usernames and passwords, payment card details, cookies -- essentially any information submitted by other users of the service.

How can I protect my organization against future threats like Heartbleed?

One of the reasons this bug is so widespread is because it exploited a vulnerability in the popular and highly regarded OpenSSL crypto library. In other words, it went after the very service layer that untold numbers of companies use to protect against hackers. Where many of these companies went wrong is they relied on that single layer of security to protect against a network attack.

Multi-factor authentication, which requires a second piece of information to allow access to an account, is one way users can protect email access and other sensitive account information. So in addition to upgrading, patching and maintaining the latest versions of your OS and software, another way to protect your company’s data is to deploy multiple layers of cryptography.

I mentioned earlier that we use GPG in addition to SSL for data-in-transit encryption. As another example, our customers use Gazzang zNcrypt to encrypt their data and protect that data by disallowing unauthorized people and processes to access it. The encryption key is then encrypted itself and stored in the zTrustee key manager (along with the master). The data owner can then set a broad range of configurable policies governing who or what can access those keys.

The important thing to remember is that security needs to be applied in layers, and a single layer is never enough. A useful tool to check your SaaS vendors’ security is Qualsys SSL Labs test.

What can I do as a consumer?

To start, here are a couple of lists spotlighting companies that use the TLS Heartbeat extension. The best advice is to change your password if a service you use is listed as vulnerable.

Wednesday, 09 April 2014 00:00

CloudEncrypt: Securing Data in the Public Cloud

Written by
CloudEncrypt: Securing Data in the Public Cloud

Data security is often cited as the primary reason enterprises are hesitant to move sensitive workloads to the cloud. Concerns range from, “I’m not sure my team is knowledgeable enough about cloud data security practices” to “How am I supposed to trust my cloud provider’s most junior employee (whom I’ve never laid eyes on)?”

Gazzang CloudEncrypt was designed for exactly the purpose of putting those fears to rest, ensuring the security of your sensitive workloads from the moment that a cloud image boots up and scaling as business needs warrant. CloudEncrypt is a portfolio of products designed for Amazon Web Services (AWS) to help organizations realize the enormous benefits of the cloud and maintain a secure, compliant, production-ready environment. Users get pre-packaged security, no matter where their sensitive data gets put in the AWS cloud.

“We are excited to see Gazzang expand their CloudEncrypt product offering to further complement AWS’ enterprise security capabilities, making it easier for customers to confidently deploy mission critical applications on AWS,” said Terry Wise, Director of Worldwide Partner Ecosystem, Amazon Web Services, Inc.

The Gazzang CloudEncrypt portfolio includes:

Gazzang CloudEncrypt for Amazon EC2 - With a few clicks, AWS users can launch a secure Ubuntu image and select from a variety of databases including MongoDB, MySQL and PostgreSQL (Hadoop and Cassandra are coming soon). Each image defaults to superior security configurations upon boot, making it easier for a user to spin up new instances and add them to an existing cluster.

CloudEncrypt for Amazon Elastic Beanstalk - AWS users can now make use of the “elastic” part of cloud computing without compromising on data security. Security is applied automatically as new resources spin up as needed, for auto-scaling, load balancing, and availability reasons.

CloudEncrypt for StarCluster - Allows organizations such as research institutions to deploy secure, large-scale compute clusters on Amazon EC2 using StarCluster to run sensitive workloads in the public cloud. This product also includes master node encryption, slave node encryption and GlusterFS encrypted secure share.

CloudEncrypt for Amazon EMR - Ensures that any data put through MapReduce jobs are protected - all the way from your datacenter, to S3, to any AWS node in an hdfs cluster, and back to your datacenter.

Learn more about CloudEncrypt

Monday, 07 April 2014 11:24

Performance tuning Cassandra on AWS

Written by

At a recent San Francisco Cassandra Meetup, we talked about speed for over an hour. But you can get the gist in about 10 minutes by grabbing the deck I presented. While it may be fun and games to talk about speed when it relates to motorcycles, super cars or jet planes, when you are talking about performance tuning your Cassandra cluster it is not a trivial task. You need to tune at all the layers, the DataStax layer, the AWS layer and the core filesystem layer.

We started the discussion with the AWS configurations we’ve seen perform best in real life for running Cassandra. There are a LOT of choices you can make when spinning up AMIs for any cluster, and I shared the OS and hardware choices we’d recommend: Amazon i2 instances have I/O performance that is off the charts.EddieatMeetup

We also covered tuning of Cassandra itself, and of tuning the file system. What steps you take - in what order - matter a lot when you’re trying to capture every ounce of speed. Always baseline before you tune, then tune, then test after tuning. Make sure your results are repeatable at least 3 times before making business decisions based on your data.

The audience seemed particularly interested in the AWS tools you can use to benchmark raw file system I/O and to stress test in the AWS environment. Because I’ve seen these contaminate test results, I highly recommend you note factors like time of day and when the cache was last cleared before starting any test.

And - of course - I presented stress testing results for reading and writing encrypted vs. unencrypted data, running on both Elastic Block Storage (EBS) and Solid State Disk (SSD) storage. The net of this was that data security and high performance can absolutely co-exist, even and especially in the Amazon public cloud. Check out the test results yourself in my deck, and those results can be tuned even further. Feel free to share with any skeptics at your organization who are arguing to shortcut data security on the false premise of a huge performance hit.

BONUS for you:

Don’t have time to do a lot of tuning from scratch? In the spirit of open source code, I’ve posted on github a performance-tuning script we built specifically for Cassandra running on Amazon Linux. Even if that’s not your exact environment, I encourage you to grab it and tweak it for your own needs. Why reinvent the wheel, right?

The benefits can be downright game changing. With your infrastructure hosted in a public cloud, your technical personnel can be redeployed to focus on supporting your business objectives vs. maintaining and optimizing a server farm. You’ll see a nice reduction in CAPEX as well.

And because public cloud resources can be provisioned on demand, your can easily add more compute capacity when you need it most. Think a retailer during the holidays or an accounting firm in early April.

Businesses that are agile and efficient can respond to the marketplace quicker, at lower operating costs, and with more resources deployed to meet customer needs. But according to 451 Research's recent survey (Hosting and Cloud Study 2014), only 7 percent of organizations in North America defaults to the cloud for new application development. So why don’t more companies leverage the compute power of the cloud?

Well, for starters, since your data and applications now exist outside of your office, there’s always a concern about where the data is and who can see it. Does it meet compliance? Can it be compromised? Over 25 percent of the 451 Research survey respondents note that security issues is the number one reason to hold off on cloud adoption.

These concerns are valid and that's why you should make sure that when you look to the cloud, you look for a security solution that provides not only data encryption, but allows you to manage your own encryption keys - something Gazzang has built its security suite around.

Gazzang CloudEncrypt enables Amazon Web Services (AWS) cloud customers to realize the benefits of the public cloud with a portfolio of encrypted machine images. That means when you “spin up” a cloud image, it’s fully encrypted at boot, the encryption keys are secure and in your control, and a number of other security best practices and settings are preconfigured. It’s all done for you, so you can spend more time working and less time worrying about which ports to open and close.

And CloudEncrypt is elastic, just like AWS, so as when you need more compute resources, just provision more CloudEncrypt instances through the AWS Management console. Each new image comes with the exact same security configuration making it easy to grow your secure cloud.

Suddenly those clouds don’t look so threatening, do they?

Few companies are enjoying a better run of news right now than Cloudera. In mid-March the big data bell cow announced $160 million in funding led by T. Rowe Price. Less than two weeks later, Intel’s mega investment of $740 million is still a popular topic around our company’s water cooler (yes, we have a water cooler). 

The company’s latest salvo happened this morning while most of the west coast was still asleep. Today Cloudera announced the general availability of Cloudera 5, the solution that will drive what Cloudera refers to as the enterprise data hub. In short, the hub is a centralized platform where companies can store, process, and analyze all of their data and run any variety of projects. The idea being to make it easier to store everything and then use the data when they need it. 

Cloudera and Gazzang have a longstanding partnership with several mutual customers including Kaiser Permanente and Western Union. We are pleased to be able to announce our foundational zNcrypt and zTrustee encryption and key management solutions are now C5 certified. In addition, Gazzang is one of only a handful of Cloudera partners that have a parcel available for customers to download through Cloudera Manager, so installation is fast and easy regardless of the size of the environment. That means whether your C5 deployment is 10 nodes or 10,000 nodes, each encrypted node is as easy to spin up as the next, and all communicate seamlessly with our software-based key manager. 

The bottom line is companies that must meet a compliance requirement like HIPAA or PCI-DSS - or have some other obligation to protect sensitive data - can continue to feel confident that the business-critical information resident in their enterprise data hub is secure at rest and protected against unauthorized access or attack. 

Beyond certification and automated deployment, we’re also watching the Intel investment with great interest. I’m not going to speculate on what this investment means for either company. Plenty has already been written about it. What’s undeniable though is that software that integrates with or runs on Cloudera now should also be optimized to take advantage of Intel hardware. The good news for customers is we're already ahead of the game.

Gazzang’s big data encryption solution, zNcrypt, was designed to leverage the Intel AES-NI encryption instruction set that can be found on most Intel Xeon and Core i7 processors. We’ve done extensive testing, and when running Gazzang in a well configured Hadoop environment on Intel hardware, customers often see the performance impact of encryption dip into the low single digits on a percentage basis. Check out our Hadoop performance guide to learn more.

Gazzang also leverages Intel technology to generate strong encryption keys. As you know, data encryption really only works if your keys are well protected and separated from the encrypted data. Equally important to how you store your keys, is how they’re generated. A strong key requires good random numbers. The greater the randomness the harder the key is to break. Our encryption solutions leverage the Intel RDRAND Instruction set, Intel’s digital random number generation hardware, to create powerful 256-bit keys that our customers rely on to protect their most sensitive data. 

Together with Cloudera and Intel, Gazzang is able to deliver enterprise big data and cloud security that installs in minutes, runs at peak performance and protects your most important business asset… your data. 

Tuesday, 04 March 2014 15:04

Talking Data Privacy at SXSW

Written by

This weekend, I'm hosting a core conversation session at SXSW, titled, "Dear Taco Vendor, how are you securing my data?" When I submitted the topic, I thought the session would generate some good conversation, and maybe even make some people think. MAYBE. Mostly though, I loved the clever title (kudos to my wife for coming up with it) that combines one of my favorite foods with one of my favorite topics. 

The gist of the session was this. Do you really know what you're getting when you trade your email address, scan your phone or provide any other type of personal information in exchange for free stuff? Where does this data go and how is it secured? Is it at risk for theft?

I work at a cyber-security company, so I'm not naive to the fact that there are certain dangers that come as a result of the wonderfully ubiquitous "series of tubes" that is the Internet. At Gazzang, we often deal in hackers, rogue employees, and vulnerabilities in modern data architectures like NoSQL and Hadoop. Our goal is to help companies keep sensitive data from being exposed. But In researching my session topic, I was amazed at how easy it is to expose someone's very personal identity simply by having access to their email address.  

Toss a few bucks to a data aggregator, and there's almost nothing you can't find online. For example, a quick search of my gmail address turned up my birthdate, last four residences with property values, the names of all my closest relatives, a ton of photos, my work history and links to pretty much everything I've said or done on social networks. 

So much for an email address not constituting personally identifiable information. 

My SXSW session isn't going to focus on whether shady people can access your sensitive data simply by knowing your email address. It's clear that they can. Instead, I want to focus on what that revelation means in a broader context: 

  • Do we need to reset our expectations on privacy, or is that a defeatist attitude?
  • When you give any information to a 3rd party, what should their obligations be to keep it private?
  • How can the public influence vendors to change the way they store and exchange data?
  • What needs to happen (if anything) to change public behaviors around freely sharing sensitive data?

Also, we can talk about tacos.

I hope you'll join me this Saturday at 3:30pm at the Sheraton.

Page 1 of 18