At Gazzang, we have a mantra that borders on religious fanaticism.
“Customers First. Always.”
It’s the reason we can claim deep expertise in securing unique, enterprise-scale big data environments. It’s the reason we know cloud encryption better than anyone else. And it’s the reason no one on our customer support team owns a bed.
Customers also have a significant impact on our product development cycles. A perfect example being today’s exciting Gazzang CloudEncrypt™ announcement.
Gazzang CloudEncrypt was designed to meet specific customer use cases for securing sensitive data at every stage of the Amazon EMR process. This is a very different challenge than encrypting data on a persisted cloud platform like Amazon EC2, which can be done with readily available solutions like Gazzang zNcrypt and zTrustee.
CloudEncrypt offers encryption and key management in ephemeral, burstable Amazon EMR processes. The solution, which you can read about in great detail in this white paper, was developed at the request of a handful of Gazzang customers that had two very clear needs in common:
More detailed customer use cases are covered in the white paper, but the top three we’ve heard thus far are as follows:
Customer feedback is a part of everything we do at Gazzang. The ability to learn from and innovate in response to what we hear from the companies we serve is a badge of honor that we wear proudly.
As always, we welcome your feedback on Gazzang CloudEncrypt, your solution for securing sensitive datasets and outputs on Amazon EMR.
The countdown officially begins today for HIPAA Omnibus Rule Compliance, which includes important changes in the way the Department of Health and Human Services (HHS) handles breach penalties.
The new rules not only extend security and privacy requirements to business associates and contractors (such as billing companies and those that perform services on behalf of a health care provider), but they also give HHS greater discretion to impose substantial penalties, which in turn gives the agency increased leverage to obtain six- and seven-figure settlements to resolve potential penalty proceedings.
The rules go into effect today, but organizations have until September 23, 2013 to comply. Heed the warnings, don’t wait until it’s too late.
Encryption and key management both play a key role in achieving HIPAA compliance: they render electronic protected health information (ePHI) unusable, unreadable or indecipherable to unauthorized individuals. Under the HHS breach notification guidance, ePHI encrypted in line with NIST SP 800-111 (data at rest) is not considered "unsecured," so its loss may not be a reportable breach. This "Safe Harbor" holds only if the decryption key was not compromised along with the data, which is why key management matters as much as the cipher itself.
Gazzang zNcrypt for Health Care™ can be applied easily, quickly, and economically as a solution for data privacy and security requirements defined within HIPAA and HITECH. Through AES-256 encryption, advanced key management, and process-based access controls, zNcrypt provides transparent data encryption for any database or application running on Linux, including big data environments.
Additionally, Gazzang zTrustee™ protects the Gazzang cryptographic keys with several layers of advanced techniques to ensure the key is only accessible by authorized parties.
For more information check out our HIPAA and HITECH Compliance Guide.
One of the dirty little secrets about security: there is simply no way to make your company impervious to a data breach. It’s almost a statistical certainty that you will, at some point or another, be hit with a security scenario that you’re not prepared for. That’s why security today is as much about damage control as it is about breach avoidance.
Consider the following:
· Most breaches aren’t that hard to execute
Attacks on corporate networks and data occur with alarming frequency. You might think that's because attackers have become more sophisticated, but that's not necessarily the case. In fact, the most recent Verizon Data Breach Investigations Report suggests that a hacker with fairly rudimentary skills could have pulled off the majority of the attacks recorded in 2012.
And these attacks aren’t isolated to large banks and government entities – they’re pervasive across all industries. The bottom line is, if you have important data, chances are someone else thinks it’s important too -- and will do whatever it takes to get to it.
· Compliance mandates are limited and vague
U.S. compliance guidelines for data and cybersecurity are noticeably vague, leaving it up to corporations to determine best practices for maintaining the privacy and confidentiality of sensitive data. As a result, organizations typically do just enough to achieve compliance, when in fact, compliance with HIPAA, FERPA, FISMA, PCI and others, should actually be the low bar.
When it comes to sensitive data, you can never be too safe. Let’s say an email list gets breached. This isn’t regulated data. You’re not going to get fined for non-compliance, but PII is still compromised. This represents a significant failure on the part of the responsible corporation, one that ultimately leads to loss of customer trust.
· Big data is big business
It’s hard to have a conversation about technology in which the phrase “big data” doesn’t come up. For all the advantages of capturing large volumes of diverse data at high speed, there is an inherent risk in holding lots of sensitive data in massively distributed databases in the cloud. Each node, and a big data cluster can have hundreds or even thousands, is a point where data can be read without authorization, and the exposure grows with every node added.
· Don’t forget about BYOD
Earlier this month, Google Chairman Eric Schmidt announced that there are 500 million Android devices worldwide, with 1.3 million new activations daily. There are about 365 million iOS devices in play right now, and a large percentage of those devices are finding their way into the workplace. In fact, 36% of all email is now opened on a phone or tablet, many of which are accessing data inside your firewall.
Each of these phones, tablets and mobile devices represents a potential security vulnerability. According to a site maintained by the US Department of Health and Human Services, 72% of data breaches dating back to 2009 stem from stolen, lost or improperly disposed-of devices, representing a total of 15.6 million individual health records. Device theft is pervasive, and the influx of mobile devices just presents more opportunity for sensitive regulated and PII data to go missing.
· Security keys are being mismanaged
Another concern is around the management of cryptographic keys, SSL certificates and other “opaque” objects. With the trend toward IT hybridization, organizations are being buried by a virtual avalanche of encryption keys, data tokens, SSL certificates, passwords and more.
If any of these security objects fell into the wrong hands, there’s almost nothing in your corporate environment that wouldn’t be at risk. Surprisingly, not a lot of forethought goes into the security, management, provisioning and revocation of these keys. In fact, we often hear stories about systems administrators storing keys in boot files or easily accessible spreadsheets on their hard drives. Think about it this way: You wouldn't lock your car and leave the keys in the driver’s side door, would you?
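A check a practitioner would run against exactly that habit, written here as an added example in Go (it is not Gazzang code): scan boot scripts, config files and exported spreadsheets for pasted key material, using a few fixed patterns plus an entropy heuristic for unlabelled keys. The patterns, the 4.3-bit threshold and the two sample files are assumptions constructed for this example; the AWS key ID in the sample is Amazon's public documentation example, not a live credential.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
	"strings"
)

// Finding records one suspected secret: which file, which line, and why it matched.
type Finding struct {
	File   string
	Line   int
	Reason string
}

// Patterns for key material that tends to get pasted into boot scripts, config
// files and exported spreadsheets. These are common formats chosen for this
// example, not a list taken from any product.
var secretPatterns = []struct {
	name string
	re   *regexp.Regexp
}{
	{"PEM private key header", regexp.MustCompile(`-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----`)},
	{"AWS access key ID", regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`)},
	{"credential assignment", regexp.MustCompile(`(?i)(password|passwd|secret|api[_-]?key|access[_-]?key|token)\s*[=:]\s*\S+`)},
}

// tokenRe picks out runs of hex/base64-style characters long enough to be a key.
var tokenRe = regexp.MustCompile(`[A-Za-z0-9+/=_-]{32,}`)

// shannonEntropy returns the bits per character of s: 0 for one repeated
// character, up to log2 of the number of distinct characters.
func shannonEntropy(s string) float64 {
	counts := map[rune]int{}
	for _, r := range s {
		counts[r]++
	}
	var h float64
	n := float64(len([]rune(s)))
	for _, c := range counts {
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// HighEntropyToken reports whether line holds a token that looks like random key
// material: at least 32 characters and above 4.3 bits of entropy per character,
// a threshold random base64 usually clears and ordinary words and paths usually do not.
func HighEntropyToken(line string) bool {
	for _, tok := range tokenRe.FindAllString(line, -1) {
		if shannonEntropy(tok) > 4.3 {
			return true
		}
	}
	return false
}

// ScanFile runs every pattern and the entropy check over each line of content.
func ScanFile(name, content string) []Finding {
	var out []Finding
	for i, line := range strings.Split(content, "\n") {
		for _, p := range secretPatterns {
			if p.re.MatchString(line) {
				out = append(out, Finding{name, i + 1, p.name})
			}
		}
		if HighEntropyToken(line) {
			out = append(out, Finding{name, i + 1, "high-entropy token"})
		}
	}
	return out
}

// Constructed samples standing in for a boot script and an exported spreadsheet;
// the AWS key ID is the documentation example, not a live credential.
const sampleBootScript = `#!/bin/sh
mount -t ext4 /dev/sdb1 /data
export DB_PASSWORD=hunter2
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
`

const sampleSpreadsheet = `name,value
prod-db-key,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef0123
ssh-key,-----BEGIN RSA PRIVATE KEY-----
`

func main() {
	findings := ScanFile("boot.sh", sampleBootScript)
	findings = append(findings, ScanFile("keys.csv", sampleSpreadsheet)...)
	for _, f := range findings {
		fmt.Printf("%s:%d: %s\n", f.File, f.Line, f.Reason)
	}
}
```

Pattern matches are cheap and precise; the entropy heuristic catches unlabelled base64 keys but not hex-encoded ones, whose 16-symbol alphabet caps entropy at 4 bits per character, so add a hex pattern if those are in scope. Any hit is a reason to move the object into a key manager and rotate it: a key that has sat in a spreadsheet has to be treated as exposed.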
The issues above only scratch the surface. There are still lingering questions and concerns about cloud security, authentication and ownership of data in SaaS applications to name a few more. On Wednesday, we'll look at some small things you can do that will have a profound impact on your data security profile. Stay tuned.
In the future, Ricky Tidwell, the really bright 8-year-old who lives down the street, will monitor your IT data for you. He’ll discover, diagnose and report on any variety of events and behaviors captured via machine data: configuration data, customer transactions, server data, security threats, key requests, compliance audit information, SaaS SLAs, cloud performance details and much more.
But until Ricky is born, you’re just going to have to do it yourself. So use Gazzang.
An interesting subplot of this burgeoning “capture everything” big data culture is whether a single, byte-size piece of information really matters anymore. Big data, after all, is really about big-picture thinking. At a high level, it’s about how we assemble, on a massive scale, unrelated bits of information to better inform our worldview.
There’s a really good post from a Dark Reading column that calls into question whether organizations running big data applications are able to recognize the individual bits of information that may fall under HIPAA, FERPA, PCI, SOX and other regulatory guidelines.
“If this growing mass of data is becoming increasingly unstructured and accessed from an ever-distributed cloud of users and applications looking to slice and dice it in a million and one ways, how can they be sure they're keeping tabs on the regulated information in all that mix?”
While we recognize that encryption and key management are only part of a steady compliance diet, the importance of protecting sensitive bits of data, especially in a NoSQL data store, is critical.
Today Gazzang is working with several customers running big data apps in the U.S. and Europe. One of the primary reasons these companies turn to Gazzang is because we can help them secure those fine-grained bits of data in their Cassandra, Hadoop and MongoDB clusters.
For example, an organization that promotes personalized learning is using Gazzang zNcrypt™ to encrypt and secure student data. This sensitive information resides on a mix of NoSQL and RDBMS platforms and is subject to the Family Educational Rights and Privacy Act.
We are also working with a European postal service to ensure their sensitive customer data remains confidential when stored on MySQL and MongoDB platforms in the cloud. This is information that falls under EU Data Privacy regulations. See this blog from our partner, Chess iX for further details.
These organizations understand that when it comes to big data security and compliance, the devil truly is in the details.
The Payment Card Industry Data Security Standard (PCI DSS) is an industry-wide framework and compliance requirement for any company that stores, processes or transmits credit card data. The standard was developed by the major card brands (American Express, Discover, JCB, MasterCard and Visa, through the PCI Security Standards Council) to tighten controls around cardholder data and reduce the fraud that follows from its exposure.
Gazzang zNcrypt uses industry-standard AES-256 encryption to secure cardholder data in centralized or massively distributed big data and cloud environments. Using zNcrypt, organizations can encrypt entire databases, individual tables or log files and tightly control access to the cryptographic keys. And because encryption happens “on the fly,” as data is written to disk, plaintext never reaches persistent storage and the data is protected at rest from the moment it lands.
Our unique process-based access controls protect sensitive cardholder data from unauthorized access. The cryptographic keys used by Gazzang zNcrypt, as well as those used for SSL connections, are managed with zTrustee, a universal, software-based key management solution whose robust, configurable access control policies meet PCI DSS requirements. Without access to the keys, unauthorized users and applications have no way to decrypt cardholder data.
If data security is important to you, don't miss this webinar. 10gen is working with Gazzang to ensure your sensitive data is encrypted as it's written to MongoDB and your cryptographic keys remain safe and in full compliance with HIPAA, PCI-DSS, FISMA and other data security regulations. In this webinar, we'll share some real-life use cases of customers securing data in MongoDB, and we'll show you how to quickly install enterprise-class data protection in your environment.
Jared Rosoff, Director of Product Marketing and Technical Alliances at 10gen
Robert Linden, Senior Solutions Architect at Gazzang
David Tishgart, Director of Product Marketing at Gazzang
Data security, and issues around access to sensitive data in particular, are among the biggest barriers to widespread cloud adoption.
For all the enterprise benefits associated with cloud computing – improved IT resource management, more effective operations, high availability and performance – without strong data protection and access controls, the cloud could become an organization’s worst nightmare.
Gazzang zNcrypt™ protects your cloud environment from unauthorized access or attack and helps you fulfill data security compliance requirements for HIPAA, PCI-DSS, FISMA, SOX and more. Most importantly, zNcrypt gives you peace of mind, knowing the sensitive information stored in your cloud is encrypted.
Secure and manage your cryptographic keys from Gazzang or any other encryption utility with Gazzang zTrustee™, a software-based solution that stores and manages keys, certificates, configuration files, tokens and other opaque objects. This ultra-secure “vault” protects your valuable IT DNA with robust policy controls that ensure sensitive information is visible only to authorized parties, not your cloud or SaaS providers.
For organizations running big data jobs in the cloud on Amazon EMR, Gazzang CloudEncrypt™ is a unique solution that encrypts data through every phase of the Amazon EMR process and enables customers to maintain full control and ownership of the massive volumes of encryption keys generated.
Keep a close eye on your cloud with Gazzang zOps™, a big data-powered, SaaS-based solution for capturing, indexing and analyzing security data. With zOps, you can proactively monitor all zNcrypt and zTrustee-related activities including failed attempts to access secure data, encryption transactions, performance, key rotation and retrieval, key expiration and more.
This year alone the protected health information (PHI) of more than 11 million Americans has already been compromised, according to news sources. The figure is alarmingly high, but the more disturbing point is that almost every incident involving the loss of patients’ PHI could have been prevented had minimal security measures been in place from the start. Companies in every industry often look at IT security from a strictly financial point of view and see zero ROI, but the reality is that any time an organization, especially in the healthcare industry, holds personally identifiable information (PII), it carries a very real security risk that needs to be addressed responsibly. The argument here is that the security of patient PHI should be a top priority and a high-level concern, not an unnecessary expenditure or an afterthought in the unfortunate, and not uncommon, event that a breach does occur.
The case for adequate data protection is perfectly illustrated by the 2009 Blue Cross Blue Shield of Tennessee (BCBST) data breach. Hacking is often viewed as the primary cause of data breaches, and frequently is, but in this case BCBST had 57 hard drives physically stolen from one of its training facilities. Although exactly what information was lost was never fully established, within a year the company had spent more than $7 million on everything from no-cost credit monitoring for up to a million affected customers to the hiring of more than 700 IT workers just to assess what was missing. A year after that, and an estimated 5,000 hours of work later, BCBST had completed its $6 million project to encrypt all data at rest across the entire enterprise.
Not all security options are equal, but when information absolutely must be protected, encryption is your best bet. As the BCBST press release explains, encryption uses algorithms to convert readable text into an indecipherable format. Coupled with correct handling of the keys, so that only authorized individuals can recover the readable form, encryption serves as your last line of defense: if all of your data is encrypted and the keys are kept elsewhere, it does not matter whether the drives are physically stolen or the system is remotely hacked; the culprit is left with nothing but unreadable ciphertext. It should also be known that not all encryption efforts take two years and millions of dollars. BCBST rightly touts enterprise-wide encryption with no performance loss in two years, but products now on the market can accomplish the same thing in a fraction of the time and at a fraction of the cost. Gazzang provides downloadable encryption software, with no performance loss, coupled with a patent-pending key storage system that can be up and running in a few hours. It’s incredible what technology can do in a couple of years. Nor is it a problem if you don’t have a few million dollars lying around: Gazzang software is sold as a subscription for $499 per year, per server.
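The mechanism the BCBST story, the PCI DSS discussion and the HIPAA Safe Harbor passage above all turn on, data encrypted as it is written and a key that lives somewhere the thief does not, shown in an added Go example that is not Gazzang code. A toy key manager releases a 256-bit AES key only to allow-listed process names, a stand-in for process-based access control; records are sealed with AES-256-GCM before they touch disk; a stolen blob yields nothing without the key and fails outright if a single byte is altered. The key ID, the policy shape and the sample patient record are assumptions constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

const keyID = "ehr-db" // hypothetical key identifier

// KeyVault is a toy key manager: keys live here, not on the data disk, and each
// key carries an allow list of process names (an assumed policy shape, not any product's).
type KeyVault map[string]keyEntry

type keyEntry struct {
	key     []byte
	allowed map[string]bool
}

// Fetch releases a key only to an allow-listed process; anyone else gets an error, not the key.
func (v KeyVault) Fetch(id, process string) ([]byte, error) {
	e, ok := v[id]
	if !ok || !e.allowed[process] {
		return nil, fmt.Errorf("key %q: process %q is not authorised", id, process)
	}
	return e.key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts with AES-256-GCM; the stored blob is nonce || ciphertext || tag.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal; a wrong key or a single modified byte fails the tag check.
func Open(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("blob too short to hold a nonce")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// WriteRecord and ReadRecord are the data paths: the calling process fetches the key
// under its own identity, so only ciphertext reaches the disk and a process outside the policy cannot decrypt what it copies.
func WriteRecord(v KeyVault, process string, record []byte) ([]byte, error) {
	key, err := v.Fetch(keyID, process)
	if err != nil {
		return nil, err
	}
	return Seal(key, record)
}

func ReadRecord(v KeyVault, process string, blob []byte) ([]byte, error) {
	key, err := v.Fetch(keyID, process)
	if err != nil {
		return nil, err
	}
	return Open(key, blob)
}

func main() {
	key := make([]byte, 32) // data key generated here; it never touches the data disk
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	vault := KeyVault{keyID: {key: key, allowed: map[string]bool{"mongod": true}}} // only the database process may use it
	blob, err := WriteRecord(vault, "mongod", []byte("patient=Jane Doe;mrn=000123;dx=I10")) // constructed sample ePHI
	if err != nil {
		panic(err)
	}
	fmt.Printf("on disk: %x\n", blob) // nonce, ciphertext and tag; no recognisable plaintext
	_, err = ReadRecord(vault, "cp", blob) // a backup tool, or a thief with the drive
	fmt.Println("unauthorised read:", err)
	blob[len(blob)-1] ^= 0x01 // one flipped byte on the stolen blob
	_, err = ReadRecord(vault, "mongod", blob)
	fmt.Println("tampered blob:", err)
}
```

Two design points carry over to any real deployment: the policy decision is made where the key is held, not where the data is, so copying the disk image (or the whole VM) buys an attacker nothing, and an authenticated mode such as GCM turns silent corruption of stolen or restored data into a hard failure instead of garbage that looks like a record. A real key manager would also log every Fetch, including the denied ones, which is the signal a monitoring layer wants.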
Our charter at Gazzang is to promote and raise awareness of the ever-present issue of data security and to bridge the gap between enterprise features and affordability. For consumers, simply checking to see if organizations you interact with take adequate measures to keep your information private could save you from immeasurable amounts of frustration down the road. And for companies seeking to better protect their customers and clients, we’re working hard every day to make it as easy as possible for you to keep the private information of your trusting customers safe and secure without the hassles of expensive hardware or an army of IT consultants.