This weekend, I'm hosting a core conversation session at SXSW, titled, "Dear Taco Vendor, how are you securing my data?" When I submitted the topic, I thought the session would generate some good conversation, and maybe even make some people think. MAYBE. Mostly though, I loved the clever title (kudos to my wife for coming up with it) that combines one of my favorite foods with one of my favorite topics.
The gist of the session was this. Do you really know what you're getting when you trade your email address, scan your phone or provide any other type of personal information in exchange for free stuff? Where does this data go and how is it secured? Is it at risk for theft?
I work at a cyber-security company, so I'm not naive to the fact that there are certain dangers that come as a result of the wonderfully ubiquitous "series of tubes" that is the Internet. At Gazzang, we often deal in hackers, rogue employees, and vulnerabilities in modern data architectures like NoSQL and Hadoop. Our goal is to help companies keep sensitive data from being exposed. But in researching my session topic, I was amazed at how easy it is to expose someone's very personal identity simply by having access to their email address.
Toss a few bucks to a data aggregator, and there's almost nothing you can't find online. For example, a quick search of my gmail address turned up my birthdate, last four residences with property values, the names of all my closest relatives, a ton of photos, my work history and links to pretty much everything I've said or done on social networks.
So much for an email address not constituting personally identifiable information.
My SXSW session isn't going to focus on whether shady people can access your sensitive data simply by knowing your email address. It's clear that they can. Instead, I want to focus on what that revelation means in a broader context:
Also, we can talk about tacos.
I hope you'll join me this Saturday at 3:30pm at the Sheraton.
Data-at-rest encryption is essential. It's a requirement for meeting compliance regulations like HIPAA, PCI, SOX and FERPA and is one of the most effective methods for protecting sensitive, business-critical information. What you may not realize is that - in addition to providing an "insurance policy" against data theft - encryption can also be an important revenue driver. More on that in a moment.
IBM Informix customers now realize the benefits of data encryption and key management from Gazzang, the leader in big data security. Gazzang's software suite has recently completed Informix certification. That means users of the hybrid database system can secure sensitive SQL and NoSQL data at rest with near zero performance impact to disk I/O or CPU utilization.
Gazzang does not require users to modify their Informix database nor the applications above it, and the encryption can be deployed on each datanode within minutes using standard DevOps scripts from Chef and Puppet. The solution supports a range of database types including SQL and MongoDB and currently encrypts more NoSQL and Hadoop environments than any other vendor.
How it works
Gazzang zNcrypt™ is a "virtual encrypted filesystem" that shims in at the Linux kernel and is transparent to the database and applications that sit above the filesystem. Data is encrypted "on the fly" as it's written to disk and decrypted when called back by the application. The solution leverages process-based access controls (ACLs) that ensure only authorized, trusted processes can access the data. By restricting data access to certain processes rather than users or roles, you can prevent super users like root from accessing data they don't necessarily need to see.
Gazzang zTrustee™ is a software-based key manager that secures and manages the keys separate from the encrypted data. This helps ensure a data breach doesn't also result in the loss of the encryption key. Remember, encryption is only as strong as the security of the encryption key. A compromised or weak key is all that's necessary for an unauthorized user or hacker to decrypt and access your sensitive data.
The Gazzang key manager allows the data owner to wrap several layers of policy around the key to prevent unauthorized access. For example, you can set limits on how many times a key can be retrieved or set a specific window of time at which the key might be available. A unique function of zTrustee is the ability to allow people to authorize or deny key retrievals. These individuals can only determine whether a key should be released, but never actually see the key. You can learn much more about zTrustee by visiting: http://www.gazzang.com/ztrustee-use-cases
Why encrypt Informix?
Earlier in this blog, I mentioned at-rest encryption is mandatory for meeting certain compliance requirements. But if you're using Informix to manage data on behalf of your end customers, chances are they're expecting you to encrypt everywhere and anywhere as well. We work with a number of companies that tell us they could not have won new business had they not encrypted customer data.
Let us show you how we can help encrypt your Informix data, whether it's in a public, private or hybrid cloud or on premise. Shoot us an email at email@example.com or register for a complimentary demo and trial.
SXSW Interactive is chock full of folks the Wall Street Journal calls “some of the most social, tech-savvy and innovative early adopters you’ll meet.” The best of these digital professionals are also security-&-privacy minded, and we aim to keep these issues at the forefront with our curated list of the best data security sessions at “South By” - including session-specific hashtags for everyone participating from back home. Although, if you don’t attend, how will you visit the Bitcoin ATM?
First, though, a couple of tips regarding PII & PCI for attendees:
Free food, free beer, free t-shirts, and more can all be had at SX in exchange for just tweeting, checking in, sending a text, posting a selfie, etc. Because - of course - attendees’ personally-identifiable information (PII) is a coveted “product” of the show. For an in-depth discussion of this phenomenon and its repercussions, attend the session “Dear Taco Vendor, How Are You Securing My Data?” with Gazzang Director David Tishgart. As part of the “Core Conversation > Social and Privacy” track on Saturday, March 8th, he’ll cover what data is being collected, where it’s being stored, who’s buying, and who’s selling - and who is accountable for the whereabouts of your PII. #Data4Food.
Only 11% of companies actually comply with all aspects of the PCI-DSS standards, and SX startups are probably closer to the Wild West than the average. Before you consider handing over your card details (or your API keys) to that lovely new friend you met at SX, refresh your memory regarding the 12-step program that makes for strong payment data security, for your systems and theirs. Lucky for you, we just collaborated with DataStax (of Cassandra database fame) on a walk-through regarding achieving compliance with your new app: Enabling PCI-DSS Compliance on DataStax Enterprise.
Whether you are headed to Austin next week or just want to get a glimpse of what’s in store, here are our top picks for data security pros. We’ve included session-specific Twitter hashtags so you can live vicariously through attendees’ tweets, even if you can’t make it to Austin.
Friday, March 7th
Saturday, March 8th
Sunday, March 9th
Monday, March 10th
Tuesday, March 11th
Tweet at us and let us here at Gazzang know which sessions you have on your "can't miss" list for this year's South By Southwest.
The who's who of Big Data were out in full force at Strata last week, and like the fall Strata/Hadoop World event in New York, the Santa Clara showcase did not disappoint.
Allow me to share a few thoughts, straight from the Gazzang booth, which occupied prime real estate right by the food and beverage area:
1) The hype around big data has died down… a lot. Svetlana Sicular of Gartner famously (or infamously) noted early last year, big data is descending into the "Trough of Disillusionment." While that sounds awful on the surface, it's actually a sign of a maturing market. It means all the talk and chest-beating about big data is waning, and the actual tools and technologies associated with the space are starting to yield results.
The sessions at this year's conference bore that out. In past events, sessions were dominated by "how-to's" on the latest big data platforms and applications. This year, we heard more from customers and consumers of big data. Sure, you expect to see organizations like Comcast, Netflix and Twitter at Strata, but how about the inventor of the ollie, a popular skateboarding trick that I nearly killed myself trying to pull off in the mid 80s?
One session that particularly stood out was GE's talk on the Industrial Internet. Want a use case for big data, and Hadoop in particular? Look no further than how GE is enabling industrial devices (turbines, jet engines, locomotives) to connect and report back on their health, so no machine ever has to be taken offline. It's amazing to think about where this might lead.
2) The shift from big data hype to production is good for Gazzang as well. While we love to engage with organizations as early as possible in the big data buying process, the fact is that most companies don't think about data security until they start to work with sensitive, production-stage data. In years past, we'd get asked questions about whether we integrate with Hadoop, Cassandra, Mongo, Couch and Riak (by the way, the answer is yes, we do). This year, we heard from dozens of attendees about in-flight big data projects that require at-rest security. Quick shout out to our partners, Rackspace, Cloudera, Hortonworks, Pivotal, DataStax, MongoDB, sqrrl, IBM, Amazon, Basho, Couchbase and Intel for sending them our way.
3) Speaking of partners, Gazzang made and participated in a number of announcements related to our work with Big Data and Cloud leaders:
Our goal is to provide customers with the most comprehensive and proven data security solutions no matter what big data platform(s) they choose. I believe our depth and breadth of experience in these environments is critical to Gazzang being recognized as "The Big Data Security Experts."
4) What good is a trade show without any fun? For the entire run of the show, the Love Potion Amphora Art/Music Bus (yes, a real thing) was parked right behind our booth. Imagine trying to hold a deep conversation about filesystem encryption with THIS over your shoulder. Despite the distraction, we did manage to make some waves of our own, and we even walked away with an award, courtesy of our friends at Forbes.
Looking forward to seeing you all back in New York later this year.
What if I told you there’s an easy way to drastically decrease your security risk? No tricks involved.
If you are a SaaS provider, you can share encryption key management responsibility with your customer - the data owner - and give them the ability to revoke the key at anytime. Sounds simple enough, right? Here's why this works.
Offering encryption as a value-added service on top of your application makes a strong statement about the importance you place on protecting customer data. It can be what differentiates an enterprise application from a standard one, and it's likely a requirement if you ever want to work with banks or healthcare organizations.
However, if you also have full control of the encryption keys, that puts an unnecessary management burden on your security team and leaves customer data at risk of being accessed by an unauthorized party. The organization that manages and sets the encryption key policies can ultimately deem who and what can access the data. So, keeping customer privacy and confidentiality in mind, consider whether your employees need to access customer data outside of the few circumstances where it's necessary to perform their job. What happens when a key is misplaced or falls into the hands of a rogue employee? What happens if a subpoena is issued for the encrypted data? How can you be certain your key service meets customer SLAs and compliance?
Do you want that liability? Do your customers want you to have that liability?
One way around all this is to put your customer's encryption keys in an escrow service. Together you can determine what data the SaaS application needs access to and set policies accordingly. If there's concern over data breach, unauthorized access or the customer simply wishes to discontinue the service, they have the option to shred or revoke the key, rendering the data benign and completely useless.
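The key-release policies described under "How it works" for zTrustee (retrieval limits, a time window, approvers who decide on a release but never see the key) and the customer-held revoke/shred option described here, modelled as an added toy example that is not Gazzang's code; the key id, approver name and timestamps are constructed.

```python
# Toy model of escrowed key release: retrieval-count limit, validity window, human
# approvers who never see key material, and revoke/shred. Not Gazzang's code.
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

class KeyDenied(Exception): """Policy forbids releasing the key."""

@dataclass
class ReleasePolicy:
    max_retrievals: int    # total number of times the key may be fetched
    not_before: datetime   # start of the window in which release is allowed
    not_after: datetime    # end of that window
    approvers: frozenset   # people who may authorize a release (empty = automatic)

@dataclass
class EscrowedKey:
    policy: ReleasePolicy
    key: bytes = field(default_factory=lambda: os.urandom(32), repr=False)
    retrievals: int = 0
    approvals: set = field(default_factory=set)

class KeyEscrow:
    # Holds keys apart from the data they protect and enforces the release policy.
    def __init__(self):
        self._keys = {}
    def deposit(self, key_id, policy):
        self._keys[key_id] = EscrowedKey(policy)
    def approve(self, key_id, approver):
        # Approvers only decide whether a release may happen; no key is returned.
        rec = self._keys[key_id]
        if approver not in rec.policy.approvers:
            raise KeyDenied(f"{approver} may not approve releases of {key_id}")
        rec.approvals.add(approver)
    def retrieve(self, key_id, now):
        rec, pol = self._keys[key_id], self._keys[key_id].policy
        if rec.key is None:
            raise KeyDenied("key shredded; data is unrecoverable")
        if not pol.not_before <= now <= pol.not_after:
            raise KeyDenied("outside release window")
        if rec.retrievals >= pol.max_retrievals:
            raise KeyDenied("retrieval limit reached")
        if pol.approvers and not rec.approvals:
            raise KeyDenied("awaiting approver decision")
        rec.retrievals += 1
        rec.approvals.clear()   # every release needs a fresh approval
        return rec.key
    def revoke(self, key_id):
        self._keys[key_id].key = None   # shred: the data owner can do this unilaterally

def outcome(escrow, key_id, when):  # 'released' or the denial reason, never the key
    try:
        escrow.retrieve(key_id, when)
        return "released"
    except KeyDenied as err:
        return str(err)

def demo():
    t0 = datetime(2014, 3, 1, tzinfo=timezone.utc)   # constructed timestamps
    escrow = KeyEscrow()
    escrow.deposit("db-key", ReleasePolicy(2, t0, t0 + timedelta(hours=1), frozenset({"alice"})))
    first = outcome(escrow, "db-key", t0)          # awaiting approver decision
    escrow.approve("db-key", "alice")
    second = outcome(escrow, "db-key", t0)         # released
    late = outcome(escrow, "db-key", t0 + timedelta(hours=2))  # outside window
    escrow.revoke("db-key")
    return first, second, late, outcome(escrow, "db-key", t0)
```

The point of the model is that the SaaS application only ever holds a policy-gated handle to the key, so the data owner's revoke leaves the ciphertext unreadable no matter who later obtains a copy of it.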
We provide this service to a variety of SaaS companies today, and we can do it for you too.
In my role as implementation engineer at Gazzang, I'm often asked to install and configure our data security solutions on Cassandra and DataStax Enterprise environments. In fact, those database systems are among the fastest growing in our customer base.
Protecting sensitive data in NoSQL is critical. The good news is it's not that difficult. We always recommend encrypting data at rest and practicing good key management, but here are a few other security best practices you should consider:
As a best practice, make sure that the Cassandra/Datastax Enterprise process on each node has been isolated by running under its own user(s) and group(s).
System monitoring tools are great for monitoring the health of your cluster, but be sure to take the necessary precautions to secure the monitoring client in such a way that it can't cause trouble. Even if you think your cluster is locked down, check it again.
Take backups of the Cassandra SSTable files regularly, and make sure to take the necessary precautions in order to secure them. It only takes one backup to fall into the wrong hands to cause damage.
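An audit helper for the three tips above, added here as an example and not Gazzang's tooling. It assumes a dedicated `cassandra` account, parses constructed `ps -eo user,group,args` output and a constructed backup listing, and flags a monitoring agent that shares the service account as well as SSTable backups that other accounts can read.

```python
# Audit helper for the Cassandra hardening tips above: is the Cassandra process
# isolated under its own user and group, does anything else (e.g. a monitoring
# agent) share that account, and are SSTable backups readable by others?
# Added example, not Gazzang code; the ps output and file list are constructed.
import stat
from collections import namedtuple

Proc = namedtuple("Proc", "user group args")
Backup = namedtuple("Backup", "path owner mode")   # mode: permission bits, e.g. 0o600

def parse_ps(text):
    """Parse `ps -eo user,group,args` output, skipping the header line."""
    procs = []
    for line in text.strip().splitlines()[1:]:
        user, group, args = line.split(None, 2)
        procs.append(Proc(user, group, args))
    return procs

def check_process_isolation(procs, svc_user="cassandra", svc_group="cassandra"):
    """Return findings about the account the Cassandra daemon runs under."""
    findings = []
    daemons = [p for p in procs if "CassandraDaemon" in p.args]
    if not daemons:
        return ["no Cassandra daemon found"]
    for d in daemons:
        if d.user == "root" or d.group == "root":
            findings.append("Cassandra runs as root")
        elif (d.user, d.group) != (svc_user, svc_group):
            findings.append(f"Cassandra runs as {d.user}:{d.group}, expected {svc_user}:{svc_group}")
    # Isolation means nothing else (agents, monitoring clients) shares the service account.
    for p in procs:
        if p.user == svc_user and "CassandraDaemon" not in p.args:
            findings.append(f"other process shares {svc_user} account: {p.args}")
    return findings

def check_backups(backups, svc_user="cassandra"):
    """Flag SSTable backups that other accounts can access or that the service user doesn't own."""
    findings = []
    for b in backups:
        if b.mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{b.path} accessible by group/others (mode {b.mode:04o})")
        if b.owner != svc_user:
            findings.append(f"{b.path} owned by {b.owner}, not {svc_user}")
    return findings

SAMPLE_PS = """\
USER      GROUP     COMMAND
root      root      /sbin/init
cassandra cassandra /usr/bin/java -cp /opt/cassandra/lib/* org.apache.cassandra.service.CassandraDaemon
cassandra cassandra /opt/agent/monitor --push
"""

SAMPLE_BACKUPS = [   # constructed listing: path, owner, permission bits
    Backup("/backups/ks1/users-ka-1-Data.db", "cassandra", 0o600),
    Backup("/backups/ks1/users-ka-2-Data.db", "cassandra", 0o644),
    Backup("/mnt/nfs/ks1-snapshot.tar", "root", 0o640),
]

def audit():
    """Run both checks over the constructed samples; returns all findings."""
    return (check_process_isolation(parse_ps(SAMPLE_PS))
            + check_backups(SAMPLE_BACKUPS))
```

On a real node, feed `parse_ps` the output of `ps -eo user,group,args` and build the `Backup` entries from `os.stat` on the backup directory; a world-readable SSTable copy is readable regardless of any database-level authentication.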
I hope these tips help you stand up a more secure Cassandra environment. For any other questions, please don't hesitate to contact us at firstname.lastname@example.org.
We talk to hundreds of companies each week, all of whom have one objective in common: growth. They call to see if our data security solutions 1) will work in their environment, and 2) are affordable. About half the time, it’s someone from the C-suite on the line (that’s typical for start-ups) and the other half of the time, it’s someone from IT or Engineering. Often there’s no budget line item pre-approved, and there’s a startling pattern we’ve observed - which can mean the difference between success and frustration.
Strangely enough, disruptive young companies with business-savvy leaders obtain funding for data security at a higher rate than their (often more technical) shopping peers from midsized companies. Counterintuitive, right?
So a start-up VP of Operations or CTO/CIO builds a business case for obtaining budget for data security - and gets what s/he wants. A company twice or even ten times the size has Data professionals, or Software Developers/Architects do the shopping - and they are less likely to propose a business upside from an investment in data security. The tech-savvy shoppers get shot down more often.
So here’s what we’ve seen work: an unassailable business case for data encryption and key management. We see successful leaders make this work every day, and we’ll net it out for you on one whiteboard, because it’s not as complicated as the rocket science you’re usually up to.
You are going to need to collect 3 pieces of data from people in other departments (key advice: go over the head of anybody who can’t or won’t help you with this, because company growth is everyone’s job, getting MORE important the higher up you go).
Ask your finance department for your average new ACV (annual contract value).
Ask your sales department how many customers they won last year.
Ask your sales department how many customers they COULD have won last year if they HADN’T lost some on data security concerns.
Now here’s the simple math, with an example.
Above, you can see that - without a strong answer on data security - company ACME wins a baseline amount of revenue from new customer acquisitions in a year:
Revenue (baseline) = ACV x NCAb
With sample numbers - an ACV of $10,000 and a baseline New Customer Acquisition count of 100 - the baseline Revenue is $1 Million.
So then let's say Sales gets back to your data request eagerly, saying they could win 7% more opportunities if they could address prospective customers' data security concerns.
That would mean that - if your proposal for encryption with key management were accepted - ACME could grow its revenue like this:
Acquiring a higher number (107) of new customers helps yield a higher revenue of $1,070,000.
So, if we’re talking a growing business needing 1 server of sensitive data encrypted, and encryption keys managed in a way that will pass the security audits of even the most sophisticated large customers, the cost associated with that incremental $70,000 of revenue is only $7200 (through Gazzang).
And here’s the Return on Investment calculation:
ROI = (added revenue)/(cost of that added revenue)
With the sample numbers above, ROI = 9.72 or 972%. Which is like handing someone $1, and them handing you back $9.72. Voila!
So there it is, a business case your CFO will appreciate. And one s/he might even fund without further delay, so you can put in place strong encryption and key management this quarter - with which to go win more customers and grow your company!
Of course, if YOUR calculation isn’t this straightforward, give us a call at 512-904-0217. Clearly it’s our job to help you make your business case.
"All databases can be hacked… every piece of technology is hackable. So knowing that, how do you want to protect that data?"
Pop quiz: On which TV show was the aforementioned statement recently made?
Trying to determine whether the field you work in has hit the national zeitgeist? A good barometer is whether Daily Show host Jon Stewart is talking about it. On Tuesday, Stewart dedicated the entire interview segment to Theresa Payton, former White House CIO and author of the book "Privacy in the Age of Big Data."
Great interview with interesting points and questions about data collection and retention:
Payton also points out that citizens should be far more concerned about privacy and security breaches due to hacking than from a government program, echoing statements our CEO, Larry Warnock, made last week.
Check out the full interview below.
We're gearing up for the DataStax Partner Showcase this evening in San Jose, where the topic of big data security continues to be popular. DataStax is at the forefront of NoSQL platform providers when it comes to security, adding authentication, auditing and client-to-node encryption to the popular Apache Cassandra database. Also at the event is our newest data security partner, Cloudwick, the leading big data systems integrator. You can read more about today's partnership announcement at this link: http://www.prweb.com/releases/2014/01/prweb11510686.htm
As part of the relationship, we trained more than 50 Cloudwick engineers and consultants on installing, operating and managing Gazzang data security solutions for DataStax Enterprise. We've also licensed Gazzang to Cloudwick Labs to develop best practices and reference architectures – all designed to help enterprises protect sensitive big data while maintaining high performance within their DataStax Enterprise environment.
This means all enterprises have a dependable integration partner in Cloudwick that can not only migrate and manage their data from Oracle SQL, but also ensure sensitive information – medical records, payment card data, corporate intellectual property and personally identifiable information held on behalf of clients – remains secure and confidential.
As Mani Chabbra, Cloudwick CEO, put it, "In the last year we have seen a rapid acceleration of enterprise database migration projects from Oracle SQL to DataStax Enterprise NoSQL. As a provider of big data systems integration to Bank of America, Visa, Intuit, JP Morgan, Home Depot, Wal-Mart, Comcast, T-Mobile and 3M, we understand the criticality of protecting big data and have found success doing this for the enterprise with Gazzang."
For more on data security solutions for DataStax Enterprise visit: http://gazzang.com/solutions/securing-big-data/datastax-enterprise
In Larry's words:
If there is a silver lining to the NSA story, it’s that it brings visibility to the issue of data security. SaaS applications—where software and data is centrally hosted in the cloud—and physical devices like servers, notebooks and cell phones can collect and store data at an unprecedented scale. This data comes in all shapes and sizes, so it’s important to understand what technologies exist to secure the data and how policies are defined and enforced to protect it.
A Mandate For Encryption - It’s time to stop talking about the NSA and shift the conversation to how we can all be better stewards of our customers’ sensitive business data—from collection and analysis to storage and beyond.
Read the whole story by visiting ReadWrite: http://readwrite.com/2014/01/16/nsa-scandal-encryption-enterprise-data-security
For more on easy to deploy cloud encryption, visit http://gazzang.com/products/product-overview.