Hadoop distributor Cloudera pursued its strategy of securing the Hadoop ecosystem with last month's acquisition of Gazzang, a big data encryption and key management startup. The deal will strengthen Cloudera's security offering and lead to the creation of a center of excellence for Hadoop security that will initially be staffed by Gazzang's engineering team.
Founded in Texas in 2010 and employing about 40 people, Gazzang is no stranger to Cloudera’s community. Its technology has been certified by Cloudera since 2012 and its two leading products zNcrypt and zTrustee - now called Cloudera Navigator Encrypt and Cloudera Navigator Trustee - are already available as a downloadable parcel for Cloudera Enterprise 5, the latest version of Cloudera’s big data platform. It also has nearly 200 paying customers, including several Fortune 100 companies.
The acquisition will allow Cloudera to further the integration of Gazzang’s technology with its Enterprise product and offer a unified solution to organizations that have a legal obligation to comply with public regulations such as HIPAA-HITECH (health insurance), PCI-DSS (payment cards), FERPA (education), or the EU Data Protection Directive.
From a technical perspective, Navigator Encrypt leverages open source technologies such as eCryptfs (Enterprise Cryptographic Filesystem) and dm-crypt (disk encryption) to provide block-level TDE (transparent data encryption), together with process-based access controls that restrict access to specific system processes. Because it operates at the file system level, all HDFS files, HBase records, Hive metadata audit logs and any other file are encrypted and decrypted on the fly, and because it supports Intel's AES-NI (Advanced Encryption Standard New Instructions), the performance hit is minimal.
As David Tishgart, former director of marketing and alliances at Gazzang, explained on Cloudera's blog, using the latest industry-standard AES-256 cipher to encrypt sensitive data is not enough to satisfy major compliance regimes. Companies also need to think about key management, access controls, processes and documentation. This is where Navigator Trustee comes in handy. This universal key manager allows users to store and manage any cryptographic object (including SSL certificates, SSH public-private keys, encryption keys and Java KeyStores) and to enforce a broad range of security rules such as object authorization, expiration, revocation and retrieval limits. It also provides detailed logging and reporting features to keep track of all activities associated with objects, requests, and policies.
During a presentation at Hadoop Summit 2014, Cloudera highlighted six extra points to consider when thinking about compliance.
- Are your encryption processes (algorithm, key length) consistent with NIST Special Publication 800-111?
- Are the encryption keys stored on a separate device or location from the encrypted data?
- What kind of authentication and access controls are enforced?
- Is the data secured in a way that would enable you to claim safe harbor in the event of a breach?
- Do the crypto modules meet FIPS 140-2 certification?
- Can you account for all the sensitive data that may fall under compliance scope?
Commenting on the acquisition, Adrian Lane, CTO of Securosis, an information security research and advisory firm based in Arizona, said in a blog post:
Bundling encryption and key management capabilities into platforms will make them faster and easier to deploy – a win for customers. I usually have a handful of risks and downsides for every acquisition, but it is hard to criticize this deal because there are not that many possible downsides. This is an astute acquisition by Cloudera.
Cloudera's announcement is part of a recent industry-wide push to address the notorious lack of security in the Hadoop ecosystem, including the launch in 2013 of Project Rhino by Intel and Apache Sentry by Cloudera (the two projects have now merged), and the acquisition of XA Secure by Hortonworks in May 2014.