David Tishgart

AUSTIN, Texas, April 30, 2014 - Gazzang, the big data and cloud security experts, today announced that it has been named a 2014 “Cool Vendor in Big Data” by Gartner, Inc.* Gazzang is one of four innovative vendors cited in the report and the only security vendor named. Gartner subscribers can download the full report at this link.

The enterprise adoption of new big data platforms like Hadoop, MongoDB and Cassandra is driving greater demand for massively scalable, high-performance security solutions that protect data at rest and help meet compliance. Gazzang’s encryption and key management solutions are purpose built for these new data structures, with fast and easy deployment and the ability to scale as organizations grow their big data environments and transition projects from development into production. 

“Gazzang allows organizations to enjoy all the performance benefits of big data, while ensuring sensitive information -- including medical records, payment card data, corporate intellectual property and personally identifiable information -- remains secure and confidential,” said Larry Warnock, CEO of Gazzang. “We’re thrilled to be named a Cool Vendor in Big Data by Gartner, a recognition that confirms not only our approach, but the importance of encryption and key management to the overall success of big data projects.” 

Gazzang big data and cloud security solutions include: 

  • Gazzang zNcrypt™ - High-performance transparent encryption for data at rest. The solution encrypts data at each node and can be deployed easily with common DevOps tools. Gazzang zNcrypt also includes process-based access controls to ensure only authorized system functions can gain access to the encrypted data. 
  • Gazzang zTrustee™ - Software-based key manager that enables the data owner to set and enforce a variety of configurable policies for encryption key access. zTrustee can also protect other digital security artifacts including SSH keys, SSL certificates, tokens and passwords, and features a single, unified interface for monitoring the status of these security objects. 
  • Gazzang CloudEncrypt™ helps organizations maintain secure, compliant, production-ready environments in Amazon Web Services (AWS). Users get flexible, elastic, pre-packaged security, no matter where their sensitive data moves in the Amazon cloud. Available for Amazon EC2, AWS Elastic Beanstalk, Amazon EMR and StarCluster.

Gazzang supports major open source and big data platforms and partners with leading vendors including Basho, Cloudera, Couchbase, DataStax, Hortonworks, IBM, MapR, MongoDB, Pivotal and Sqrrl. 

For more information on Gazzang’s solutions for Big Data, visit: http://gazzang.com/solutions/securing-big-data

Disclaimer: Gartner does not endorse any vendor, product or service depicted in our research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

*Gartner “Cool Vendors in Big Data” by Frank Buytendijk, Hideaki Horiuchi, Nick Heudecker, Merv Adrian, Angela McIntyre, Nick Ingelbrecht, April 28, 2014.


CloudEncrypt: Securing Data in the Public Cloud

Data security is often cited as the primary reason enterprises are hesitant to move sensitive workloads to the cloud. Concerns range from, “I’m not sure my team is knowledgeable enough about cloud data security practices” to “How am I supposed to trust my cloud provider’s most junior employee (whom I’ve never laid eyes on)?”

Gazzang CloudEncrypt was designed for exactly the purpose of putting those fears to rest, ensuring the security of your sensitive workloads from the moment that a cloud image boots up and scaling as business needs warrant. CloudEncrypt is a portfolio of products designed for Amazon Web Services (AWS) to help organizations realize the enormous benefits of the cloud and maintain a secure, compliant, production-ready environment. Users get pre-packaged security, no matter where their sensitive data gets put in the AWS cloud.

“We are excited to see Gazzang expand their CloudEncrypt product offering to further complement AWS’ enterprise security capabilities, making it easier for customers to confidently deploy mission critical applications on AWS,” said Terry Wise, Director of Worldwide Partner Ecosystem, Amazon Web Services, Inc.

The Gazzang CloudEncrypt portfolio includes:

Gazzang CloudEncrypt for Amazon EC2 - With a few clicks, AWS users can launch a secure Ubuntu image and select from a variety of databases including MongoDB, MySQL and PostgreSQL (Hadoop and Cassandra are coming soon). Each image defaults to superior security configurations upon boot, making it easier for a user to spin up new instances and add them to an existing cluster.

CloudEncrypt for Amazon Elastic Beanstalk - AWS users can now make use of the “elastic” part of cloud computing without compromising on data security. Security is applied automatically as new resources spin up as needed, for auto-scaling, load balancing, and availability reasons.

CloudEncrypt for StarCluster - Allows organizations such as research institutions to deploy secure, large-scale compute clusters on Amazon EC2 using StarCluster to run sensitive workloads in the public cloud. This product also includes master node encryption, slave node encryption and GlusterFS encrypted secure share.

CloudEncrypt for Amazon EMR - Ensures that any data put through MapReduce jobs is protected - all the way from your datacenter, to S3, to any AWS node in an HDFS cluster, and back to your datacenter.

Learn more about CloudEncrypt

Tuesday, 15 April 2014 14:42

No Heartbleed Here

While organizations spend the next few days and weeks patching OpenSSL vulnerabilities, the realization is setting in that we may never know the full extent of the damage caused by Heartbleed. What we do know is Gazzang services were not impacted by the bug. 

Although Heartbleed was only announced in early April, it has actually been present in OpenSSL versions dating back to March 2012. This means hackers have had ample time to steal certificates and other sensitive information. Making matters worse, it’s nearly impossible for companies to know whether their web communications have indeed been compromised.

Should I worry about my Gazzang zNcrypt keys being exposed?

No. Gazzang zNcrypt keys are encrypted client-side, so a compromise of the zTrustee server using Heartbleed would never expose any zNcrypt keys. Furthermore, while we use SSL for data-in-transit encryption, the payload of data between client nodes and zTrustee is encrypted with strong crypto libraries like GPG underneath OpenSSL. So we’re doubling up the encryption, just for instances like this.

Like many other websites, we have already patched our zTrustee SaaS servers for the Heartbleed vulnerability. We also encourage customers who haven’t already done so to upgrade to the latest operating system version and deploy those OS patches as well.

What exactly is being exposed?

When exploited, Heartbeat (the name of the transport layer security extension where the bug was found) dumps whatever data might reside in the memory of client/server communications in small 64k chunks. Normally this traffic is encrypted, but the bug actually compromises the secret keys, usernames and passwords that protect this data. Leaked keys can lead to insecure web certificates, which could indirectly lead an attacker to usernames and passwords, payment card details, cookies -- essentially any information submitted by other users of the service.

How can I protect my organization against future threats like Heartbleed?

One of the reasons this bug is so widespread is that it exploited a vulnerability in the popular and highly regarded OpenSSL crypto library. In other words, it went after the very service layer that untold numbers of companies use to protect against hackers. Where many of these companies went wrong is that they relied on that single layer of security to protect against a network attack.

Multi-factor authentication, which requires a second piece of information to allow access to an account, is one way users can protect email access and other sensitive account information. So in addition to upgrading, patching and maintaining the latest versions of your OS and software, another way to protect your company’s data is to deploy multiple layers of cryptography.

I mentioned earlier that we use GPG in addition to SSL for data-in-transit encryption. As another example, our customers use Gazzang zNcrypt to encrypt their data and protect that data by preventing unauthorized people and processes from accessing it. The encryption key is then itself encrypted and stored in the zTrustee key manager (along with the master). The data owner can then set a broad range of configurable policies governing who or what can access those keys.

The important thing to remember is that security needs to be applied in layers, and a single layer is never enough. A useful tool to check your SaaS vendors’ security is the Qualys SSL Labs test.

What can I do as a consumer?

To start, here are a couple of lists spotlighting companies that use the TLS Heartbeat extension. The best advice is to change your password if a service you use is listed as vulnerable.

Few companies are enjoying a better run of news right now than Cloudera. In mid-March the big data bell cow announced $160 million in funding led by T. Rowe Price. Less than two weeks later, Intel’s mega investment of $740 million is still a popular topic around our company’s water cooler (yes, we have a water cooler). 

The company’s latest salvo happened this morning while most of the west coast was still asleep. Today Cloudera announced the general availability of Cloudera 5, the solution that will drive what Cloudera refers to as the enterprise data hub. In short, the hub is a centralized platform where companies can store, process, and analyze all of their data and run any variety of projects. The idea is to make it easier for companies to store everything and then use the data when they need it.

Cloudera and Gazzang have a longstanding partnership with several mutual customers including Kaiser Permanente and Western Union. We are pleased to be able to announce our foundational zNcrypt and zTrustee encryption and key management solutions are now C5 certified. In addition, Gazzang is one of only a handful of Cloudera partners that have a parcel available for customers to download through Cloudera Manager, so installation is fast and easy regardless of the size of the environment. That means whether your C5 deployment is 10 nodes or 10,000 nodes, each encrypted node is as easy to spin up as the next, and all communicate seamlessly with our software-based key manager. 

The bottom line is companies that must meet a compliance requirement like HIPAA or PCI-DSS - or have some other obligation to protect sensitive data - can continue to feel confident that the business-critical information resident in their enterprise data hub is secure at rest and protected against unauthorized access or attack. 

Beyond certification and automated deployment, we’re also watching the Intel investment with great interest. I’m not going to speculate on what this investment means for either company. Plenty has already been written about it. What’s undeniable though is that software that integrates with or runs on Cloudera now should also be optimized to take advantage of Intel hardware. The good news for customers is we're already ahead of the game.

Gazzang’s big data encryption solution, zNcrypt, was designed to leverage the Intel AES-NI encryption instruction set that can be found on most Intel Xeon and Core i7 processors. We’ve done extensive testing, and when running Gazzang in a well configured Hadoop environment on Intel hardware, customers often see the performance impact of encryption dip into the low single digits on a percentage basis. Check out our Hadoop performance guide to learn more.

Gazzang also leverages Intel technology to generate strong encryption keys. As you know, data encryption really only works if your keys are well protected and separated from the encrypted data. Just as important as how you store your keys is how they’re generated. A strong key requires good random numbers. The greater the randomness, the harder the key is to break. Our encryption solutions leverage the Intel RDRAND instruction, Intel’s digital random number generation hardware, to create powerful 256-bit keys that our customers rely on to protect their most sensitive data.

Together with Cloudera and Intel, Gazzang is able to deliver enterprise big data and cloud security that installs in minutes, runs at peak performance and protects your most important business asset… your data. 

Tuesday, 04 March 2014 15:04

Talking Data Privacy at SXSW

This weekend, I'm hosting a core conversation session at SXSW, titled, "Dear Taco Vendor, how are you securing my data?" When I submitted the topic, I thought the session would generate some good conversation, and maybe even make some people think. MAYBE. Mostly though, I loved the clever title (kudos to my wife for coming up with it) that combines one of my favorite foods with one of my favorite topics. 

The gist of the session was this. Do you really know what you're getting when you trade your email address, scan your phone or provide any other type of personal information in exchange for free stuff? Where does this data go and how is it secured? Is it at risk for theft?

I work at a cyber-security company, so I'm not naive to the fact that there are certain dangers that come as a result of the wonderfully ubiquitous "series of tubes" that is the Internet. At Gazzang, we often deal in hackers, rogue employees, and vulnerabilities in modern data architectures like NoSQL and Hadoop. Our goal is to help companies keep sensitive data from being exposed. But in researching my session topic, I was amazed at how easy it is to expose someone's very personal identity simply by having access to their email address.

Toss a few bucks to a data aggregator, and there's almost nothing you can't find online. For example, a quick search of my gmail address turned up my birthdate, last four residences with property values, the names of all my closest relatives, a ton of photos, my work history and links to pretty much everything I've said or done on social networks. 

So much for an email address not constituting personally identifiable information. 

My SXSW session isn't going to focus on whether shady people can access your sensitive data simply by knowing your email address. It's clear that they can. Instead, I want to focus on what that revelation means in a broader context: 

  • Do we need to reset our expectations on privacy, or is that a defeatist attitude?
  • When you give any information to a 3rd party, what should their obligations be to keep it private?
  • How can the public influence vendors to change the way they store and exchange data?
  • What needs to happen (if anything) to change public behaviors around freely sharing sensitive data?

Also, we can talk about tacos.

I hope you'll join me this Saturday at 3:30pm at the Sheraton.

Data-at-rest encryption is essential. It's a requirement for meeting compliance regulations like HIPAA, PCI, SOX and FERPA and is one of the most effective methods for protecting sensitive, business-critical information. What you may not realize is that - in addition to providing an "insurance policy" against data theft - encryption can also be an important revenue driver. More on that in a moment.

IBM Informix customers now realize the benefits of data encryption and key management from Gazzang, the leader in big data security. Gazzang's software suite has recently completed Informix certification. That means users of the hybrid database system can secure sensitive SQL and NoSQL data at rest with near zero performance impact to disk i/o or CPU utilization. 

Gazzang does not require users to modify their Informix database nor the applications above it, and the encryption can be deployed on each datanode within minutes using standard DevOps scripts from Chef and Puppet. The solution supports a range of database types including SQL and MongoDB and currently encrypts more NoSQL and Hadoop environments than any other vendor. 

How it works

Gazzang zNcrypt™ is a "virtual encrypted filesystem" that shims in at the Linux kernel and is transparent to the database and applications that sit above the filesystem. Data is encrypted "on the fly" as it's written to disk and decrypted when called back by the application. The solution leverages process-based access controls (ACLs) that ensure only authorized, trusted processes can access the data. By restricting data access to certain processes rather than users or roles, you can prevent super users like root from accessing data they don't necessarily need to see. 

Gazzang zTrustee™ is a software-based key manager that secures and manages the keys separate from the encrypted data. This helps ensure a data breach doesn't also result in the loss of the encryption key. Remember, encryption is only as strong as the security of the encryption key. A compromised or weak key is all that's necessary for an unauthorized user or hacker to decrypt and access your sensitive data.

The Gazzang key manager allows the data owner to wrap several layers of policy around the key to prevent unauthorized access. For example, you can set limits on how many times a key can be retrieved or set a specific window of time at which the key might be available. A unique function of zTrustee is the ability to allow people to authorize or deny key retrievals. These individuals can only determine whether a key should be released, but never actually see the key. You can learn much more about zTrustee by visiting: http://www.gazzang.com/ztrustee-use-cases
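The policy layers described above (a retrieval limit, a time window, and approvers who authorize or deny a release without ever seeing the key) can be modelled as follows. This is an added example, not Gazzang's code or zTrustee's API; `KeyPolicy`, `KeyRecord`, `request_release` and all sample values are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, time


@dataclass
class KeyPolicy:
    max_retrievals: int     # how many times the key may be released in total
    window_start: time      # daily release window (assumes start < end, no midnight wrap)
    window_end: time
    approvers: frozenset    # identities allowed to authorize or deny a release
    quorum: int = 1         # number of approvals required


@dataclass
class KeyRecord:
    wrapped_key: bytes      # key encrypted client-side; opaque to the key manager
    policy: KeyPolicy
    retrievals: int = 0
    audit: list = field(default_factory=list)


def request_release(rec, requester, now, votes):
    """Evaluate every policy layer; return (wrapped_key or None, reason).

    `votes` maps an identity to True (authorize) or False (deny). Approvers
    only contribute a boolean: the key is returned to the requester alone.
    """
    p = rec.policy
    # Votes from identities that are not named approvers are ignored.
    valid = {who: v for who, v in votes.items() if who in p.approvers}
    if rec.retrievals >= p.max_retrievals:
        reason = "retrieval limit reached"
    elif not (p.window_start <= now.time() < p.window_end):
        reason = "outside release window"
    elif any(v is False for v in valid.values()):
        reason = "denied by approver"
    elif sum(1 for v in valid.values() if v is True) < p.quorum:
        reason = "insufficient approvals"
    else:
        reason = "released"
    # Every attempt is logged, including refusals.
    rec.audit.append((now.isoformat(), requester, reason))
    if reason != "released":
        return None, reason
    rec.retrievals += 1
    return rec.wrapped_key, reason


if __name__ == "__main__":
    policy = KeyPolicy(2, time(9, 0), time(17, 0), frozenset({"alice", "bob"}), quorum=2)
    rec = KeyRecord(b"constructed-wrapped-key", policy)
    ok = {"alice": True, "bob": True}
    print(request_release(rec, "node-1", datetime(2014, 4, 15, 18, 0), ok))
    print(request_release(rec, "node-1", datetime(2014, 4, 15, 10, 0), ok))
```

The checks are deny-by-default: a request is refused unless every layer passes, and a single explicit denial overrides any number of approvals.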

Why encrypt Informix?

Earlier in this blog, I mentioned at-rest encryption is mandatory for meeting certain compliance requirements. But if you're using Informix to manage data on behalf of your end customers, chances are they're expecting you to encrypt everywhere and anywhere as well. We work with a number of companies that tell us they could not have won new business had they not encrypted customer data.

Let us show you how we can help encrypt your Informix data, whether it's in a public, private or hybrid cloud or on premise. Shoot us an email at info@gazzang.com or register for a complimentary demo and trial. 