Encryption solutions for the cloud, Part 2: Gazzang is built for “big data” environments
This is the second in a series of posts on cloud encryption solutions.
Gazzang is a relatively new company building a series of data center tools for new cloud architectures, and specifically for open-source infrastructure. The first product the company has brought to market is zNcrypt, a platform-as-a-service (PaaS) solution that provides transparent data encryption for a range of open-source databases and applications, such as those built on Hadoop, Cassandra and MongoDB. These databases are growing in popularity and usage, but they lack the mature security tooling that commercial enterprise-class databases have developed over the years. Gazzang aims to fill that gap.
For these horizontally scaling databases, which can hold a million or more fields and reach multiple petabytes in size, the data is chunked up and spread across hundreds or thousands of servers for parallel processing and analytics. While that is an efficient and effective use of cloud technology, encrypting data that is spread across that many machines is a hard problem. This is the niche zNcrypt fits.
zNcrypt has two fundamental components. The most important is the key manager, which normally resides in the cloud and generates, stores and manages the encryption keys. Companies that do not want the key manager in the cloud, for their own security or regulatory reasons, can install it locally behind their own firewall.
The second component is a small Linux kernel module that runs in kernel space alongside the operating system; this is where the encryption actually takes place. Gazzang uses the cryptography that already ships with Linux, configured for AES-256, so no modifications to the database, the applications or the rest of the Linux environment are required.
What Gazzang has created is a virtual encrypted file system: whenever any Linux application, process or database writes data to disk, zNcrypt intercepts the write and encrypts the data, and it decrypts the data again when an authorized process reads it back.
The initial installation of zNcrypt takes about 20 minutes. The product makes a slight modification to the Linux kernel, after which you set up the configuration rules that define which servers and processes are allowed to encrypt and decrypt data. At this stage you also set the pass phrase that protects the release of the master key; from then on it is "set it and forget it." You do not need to interact with the system again unless a server reboots, at which point you must reauthorize the release of the master key to that server.
When the key is released by the key manager, it is encrypted and integrity-tagged so that it is secure in transit, and it goes directly into a memory location in the Linux kernel, where it enables the automatic encryption and decryption of data. The key is never stored on disk alongside the data it protects. What's more, only authorized processes, not people, can invoke the key. The whole key management process is highly automated, which makes it well suited to big data environments where many servers and data instances must be protected. The boundary of that guarantee is worth keeping in mind: the key is protected at rest and in transit, but while a server is authorized the key is resident in its memory, and an authorized process that is itself compromised reads plaintext through the same transparent layer as it always does.
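The architecture described in the preceding paragraphs (a key manager that releases the key only after passphrase authorization and protects it in transit, a key that lives only in the server's memory, and a transparent encryption layer that serves only an allow list of processes) as an illustrative model in Go. This is example code written for this article, not Gazzang's code, and it simplifies heavily: an in-memory map stands in for the disk and the kernel module, process identity is a plain name rather than a kernel-enforced check, the passphrase is compared directly rather than through a hardened authentication exchange, and the AES-256-GCM wrapping, the node ID, the paths and the process names are all assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// must aborts on errors that can only mean a bug here (every key is 32 bytes) or a missing CSPRNG.
func must[T any](v T, err error) T {
	if err != nil { panic(err) }
	return v
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// seal encrypts with AES-256-GCM and prepends a random nonce; aad is bound into
// the tag, so the ciphertext opens only under the same aad (a node ID or a path below).
func seal(key, plaintext, aad []byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := randBytes(gcm.NonceSize())
	return append(nonce, gcm.Seal(nil, nonce, plaintext, aad)...)
}

// open reverses seal and fails on tampering or a mismatched aad.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if ns := gcm.NonceSize(); len(sealed) >= ns {
		return gcm.Open(nil, sealed[:ns], sealed[ns:], aad)
	}
	return nil, errors.New("ciphertext too short")
}

// Releaser is the key manager as a node sees it: passphrase, node ID and transport key in, wrapped DEK out.
type Releaser func(passphrase, nodeID string, transportKey []byte) ([]byte, error)

// NewKeyManager generates a 256-bit data-encryption key (DEK) and returns a Releaser that hands it
// out only against the passphrase, sealed under the node's transport key with the node ID in the
// tag: encrypted and integrity-protected in transit, and openable only by the node that asked.
func NewKeyManager(passphrase string) Releaser {
	dek := randBytes(32)
	return func(pass, nodeID string, transportKey []byte) ([]byte, error) {
		if pass != passphrase { return nil, errors.New("key manager: passphrase rejected") }
		return seal(transportKey, dek, []byte(nodeID)), nil
	}
}

// Node is one server: the DEK lives only in memory; the disk holds only ciphertext.
type Node struct {
	id      string
	dek     []byte            // nil until Authorize, and again after Reboot
	allowed map[string]bool   // process names permitted to use the DEK
	disk    map[string][]byte // path -> sealed bytes, all an operator can see
}

func NewNode(id string, allowed map[string]bool) *Node { return &Node{id: id, allowed: allowed, disk: map[string][]byte{}} }

// Authorize fetches the DEK under a fresh transport key and unwraps it straight into memory.
func (n *Node) Authorize(release Releaser, passphrase string) error {
	tk := randBytes(32)
	wrapped, err := release(passphrase, n.id, tk)
	if err == nil {
		n.dek, err = open(tk, wrapped, []byte(n.id))
	}
	return err
}

// Reboot models losing memory: the DEK is gone until the node is reauthorized.
func (n *Node) Reboot() { n.dek = nil }

func (n *Node) gate(process string) error {
	switch {
	case n.dek == nil:
		return errors.New("DEK not released; reauthorize the node")
	case !n.allowed[process]:
		return fmt.Errorf("process %q not authorized", process)
	}
	return nil
}

// Write seals data under the DEK, bound to its path, before it reaches disk.
func (n *Node) Write(process, path string, data []byte) error {
	err := n.gate(process)
	if err == nil {
		n.disk[path] = seal(n.dek, data, []byte(path))
	}
	return err
}

// Read opens a file for an authorized process; anyone else gets an error.
func (n *Node) Read(process, path string) ([]byte, error) {
	if err := n.gate(process); err != nil { return nil, err }
	return open(n.dek, n.disk[path], []byte(path))
}
```

Exercised end to end, an allowed process round-trips its data while the raw bytes in `disk` contain neither the plaintext nor the DEK, a process not on the allow list gets an error instead of plaintext, a ciphertext copied to another path fails to open because the path is bound into the GCM tag, and after `Reboot()` nothing decrypts until `Authorize()` succeeds again with the correct passphrase. The per-process check is the part the real product enforces in the kernel; in this model it is only a name lookup, which is exactly why a compromised process on the allow list still reads plaintext.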
Gazzang's key management model is designed so that employees of the cloud service provider never have access to the keys or to data in the clear, which helps organizations meet compliance requirements that restrict access to sensitive data.