zettaset elastic big data security for greenplum database

The information provided in this document constitutes confidential and proprietary information of Zettaset, Inc. You may not disclose, use, reproduce or distribute this document (or any portion thereof) without Zettaset's prior written authorization. Further, as between you and Zettaset, Zettaset owns all right, title and interest in and to this document (together with any and all related intellectual property rights). Zettaset Elastic Big Data Security for Enterprises October 2016

Upload: pivotalopensourcehub

Post on 16-Apr-2017


TRANSCRIPT

Page 1: Zettaset Elastic Big Data Security for Greenplum Database


Zettaset Elastic Big Data Security for Enterprises

October 2016

Page 2: Zettaset Elastic Big Data Security for Greenplum Database

Agenda

• Introducing Zettaset
• What problems Zettaset solutions address
• Zettaset Encryption Suite
• Key Management and Key Administration
• Zettaset Big Data Encrypt (BDE)
• BDE Data-at-Rest Overview and Architecture
• BDE Data-in-Motion Overview and Architecture
• Q&A

© 2016 Zettaset, Inc. | Proprietary and Confidential

Page 3: Zettaset Elastic Big Data Security for Greenplum Database

Zettaset: Born in Big Data

Zettaset™ Big Data encryption solutions protect and assure the integrity of critical data, on-premises and in the cloud.

• Specifically designed for optimized scalability and performance in today's distributed computing systems and Big Data environments
• Ideally suited for elastic cloud deployments and massive volumes of structured / unstructured content
• Software-based approach to encryption key management and hardware security modules sets a new bar for ease of administration combined with significant TCO advantages

Page 4: Zettaset Elastic Big Data Security for Greenplum Database

What Problems with Existing Technology Does Zettaset Address?

Data-centric security solutions for Big Data and Cloud environments must not suffer the same drawbacks that make legacy solutions irrelevant, namely:

• Inability to adapt to elastic environments
• Inability to adapt to distributed architectures
• Lack of automation
• Scalability issues
• Performance issues
• Inability to adapt to multiple databases and file systems
• Intrusive implementations

Page 5: Zettaset Elastic Big Data Security for Greenplum Database

A Software-Based Approach to Data Encryption

• In today's competitive economy, data is the primary asset enterprises and individuals possess
• In cloud computing, the foremost concern is data integrity, confidentiality and privacy
• The only way to secure databases on virtual machines or in cloud environments, without sacrificing the huge benefits of these new architectures, is to use software-based solutions that share the elasticity of virtual machines and cloud computing

Page 6: Zettaset Elastic Big Data Security for Greenplum Database

Zettaset Encryption Suite: Optimized for Protection, Performance and Scalability in Big Data Distributed Systems and the Elastic Cloud

• High performance volume-level encryption for Hadoop, NoSQL, and Relational data stores
• Granular, authenticated file-level encryption for HDFS and S3, plus added data integrity protection

Page 7: Zettaset Elastic Big Data Security for Greenplum Database

Data-at-Rest Encryption Layers

• Application: Direct integration with encrypt and decrypt API
• Database (RDBMS): Transparent to applications, with integration to crypto API
• File System: Files and directories that are part of the database
• Disk: Partition-level or entire disk
• Self-Encrypting Drive (SED): Transparent to all layers above

Figure also shows: Key Manager (serving all layers)

Page 8: Zettaset Elastic Big Data Security for Greenplum Database

Key Management for Big Data: Old Rules Don't Apply

• Basic roles of key manager and hardware security module (HSM) are no longer sufficient
  – Provide secure storage
  – Protect and retrieve keys
• Scale and volume of Big Data and complexity of cloud require a more comprehensive approach to key management and administration
  – Automation of features, like node removal and key revocation
  – Policy creation and enforcement
  – Key rotation without re-encryption
  – Per-user granularity

"Key management is the hardest part of cryptography and often the Achilles' heel of an otherwise secure system." - Bruce Schneier, Cryptographer and Security Expert, Berkman Center for Internet & Society at Harvard Law School

Page 9: Zettaset Elastic Big Data Security for Greenplum Database

BDEncrypt™: Performance and Scalability in Any Big Data Environment: NoSQL, Relational, and Hadoop

Figure components: V-Key Mgr, V-HSM

• Data-at-Rest
• Data-in-Motion
• Certificate Authority

• Advanced, automated key management
• Certificates generated automatically during install
• Admin can revoke all certificates on a node to securely remove that node

Data-at-Rest
• Measured 3% performance impact
• Encrypts all existing data regardless of media
• Encrypts data on any disks – avoids premium SED costs and offers integrated key management
• Standalone, turnkey solution, or can integrate with and leverage existing infrastructure
• Transparent to the file system
• AES 256-bit standard for optimum security

Data-in-Motion
• Measured 7% performance impact
• Secures all connections between cluster nodes, and between cluster and management console
• Eliminates possibility of unauthorized access by anyone within the corporate network or server cluster
• Ensures networking connections are secure within an encrypted and authenticated tunnel

Page 10: Zettaset Elastic Big Data Security for Greenplum Database

Installer

• Command-line installer supports distributed installation
• Driven by inventory file
• Easily integrated in complex installation flow
• Uses Ansible
• Requires SSH trust configuration

Page 11: Zettaset Elastic Big Data Security for Greenplum Database

Installer Architecture

Figure: the Installer Host reaches node01, node02 and node03 over SSH Trust; Package Deployment and Configuration Deployment flow from the installer host to the nodes, driven by the inventory file:

    [hosts]
    node01
    node02
    node03

Page 12: Zettaset Elastic Big Data Security for Greenplum Database

Data at Rest Encryption

• High performance partition-level encryption
• KMIP-compliant Key Manager with passive backup (HA is in development)
• PKCS#11-compliant Software HSM
• Encryption takes place in the kernel
• Partition key is obtained at boot time and kept in the kernel
• Nodes can be removed by revoking node certificates
• Command-line installer supports distributed installations
• Easy to add nodes
• Ability to preserve existing data, encrypt in place
• Presented as raw encrypted device, can be formatted as any file system

Page 13: Zettaset Elastic Big Data Security for Greenplum Database

Data at Rest Encryption Architecture

Figure (storage stack, bottom to top): Raw Device; DMCRYPT kernel module; Raw Encrypted Device (LUKS); File System (e.g. ext4); Database (e.g. Greenplum). The figure marks the Kernel Space / User Space boundary and shows the key path: HSM, Key Manager, Node Certificate, Certificate Authority.

Page 14: Zettaset Elastic Big Data Security for Greenplum Database

Installation Steps

• Get license file from Zettaset
• Establish SSH trust between nodes
• Stop firewall
• Install prerequisites
• Edit or generate inventory file (hosts.inv)
  – List of nodes to install on
  – Encrypted partition(s) configuration on every node
  – HSM PIN
  – Internal CA
• Run pre-installation checks
  – $ ./install_zts-dar.sh -i hosts.inv check
• Run installation
  – $ ./install_zts-dar.sh -i hosts.inv install -vv

Page 15: Zettaset Elastic Big Data Security for Greenplum Database

Post-Installation Checks

• Read back a known plaintext file written on the encrypted partition:
  $ more /var/lib/zts/slave/crypt1/data.txt
• Scan the underlying raw device for that plaintext; with encryption in effect it must not be found:
  $ dd if=/dev/sdc1 | strings | grep AAAAA
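The same check as a repeatable script, added here as an example and not part of Zettaset's tooling. It assumes the LUKS-backed partition is /dev/sdc1 and its file system is mounted at /var/lib/zts/slave/crypt1, as on the slide; with no arguments it runs an offline self-test on constructed image files instead of a real device.

```shell
#!/bin/sh
# Added example, not Zettaset's tooling: automates the post-install check on
# the slide. A marker is written through the mounted file system; a correctly
# encrypted partition must not expose it on the underlying raw device.
# Assumed: DEVICE is the LUKS-backed partition (/dev/sdc1 on the slide) and
# MOUNT is the file system on top of it (/var/lib/zts/slave/crypt1).

# Returns 0 (true) if MARKER is readable in the clear from IMAGE, 1 if not.
# "grep -a" stands in for the slide's "strings | grep" so binutils is not needed.
raw_device_leaks_marker() {
    image="$1"; marker="$2"
    dd if="$image" bs=1M 2>/dev/null | LC_ALL=C grep -a -q -- "$marker"
}

# Live check (root; reads the whole device): write marker, flush, scan raw device.
check_encrypted_partition() {
    device="$1"; mount="$2"; marker="${3:-AAAAAAAAAAAAAAAA}"
    printf '%s\n' "$marker" > "$mount/data.txt" || return 2
    sync
    if raw_device_leaks_marker "$device" "$marker"; then
        echo "FAIL: marker visible in clear on $device"; return 1
    fi
    echo "OK: marker not visible on $device"; return 0
}

# Offline self-test on constructed image files (no block device needed).
self_test() {
    clear_img=$(mktemp); enc_img=$(mktemp)
    printf 'fs-header AAAAAAAAAAAAAAAA fs-trailer' > "$clear_img"   # unencrypted look-alike
    dd if=/dev/zero bs=4096 count=1 2>/dev/null | tr '\0' '\377' > "$enc_img"  # ciphertext look-alike
    rc=0
    raw_device_leaks_marker "$clear_img" AAAAAAAAAAAAAAAA || rc=1   # must be found
    raw_device_leaks_marker "$enc_img" AAAAAAAAAAAAAAAA && rc=1    # must NOT be found
    rm -f "$clear_img" "$enc_img"
    return "$rc"
}

if [ "$#" -ge 2 ]; then
    check_encrypted_partition "$@"
else
    self_test && echo "self-test passed"
fi
```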

Page 16: Zettaset Elastic Big Data Security for Greenplum Database

Data in Motion Encryption

• All cluster communications are secured
• Can be applied to any network interface
• KMIP-compliant key manager with passive backup
• PKCS#11-compliant Software HSM
• Command-line installer supports distributed installations
• Based on standard Linux tools

Page 17: Zettaset Elastic Big Data Security for Greenplum Database

Data in Motion Encryption Architecture

Figure: in the KERNEL, the Security Policy Database and the Security Association Database govern each Data Packet; the Internet Key Exchange Daemon negotiates security associations using the HSM, Key Manager, Node Certificate and Certificate Authority.

Page 18: Zettaset Elastic Big Data Security for Greenplum Database

Installation Steps

• Get license file from Zettaset
• Establish SSH trust between nodes
• Stop firewall
• Install prerequisites
• Edit or generate inventory file (hosts.inv)
  – List of nodes to encrypt traffic on
  – Network interfaces to encrypt traffic on
  – HSM PIN
  – Internal CA
• Run pre-installation checks
  – $ ./install_zts-dim.sh -i hosts.inv check
• Run installation
  – $ ./install_zts-dim.sh -i hosts.inv install -vv

Page 19: Zettaset Elastic Big Data Security for Greenplum Database

Post-Install Checks with tcpdump
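What a tcpdump-based post-install check should look for, as an added example rather than Zettaset's own material: once data-in-motion encryption is active, every packet between two protected nodes should be ESP (or IKE on UDP 500/4500 while the daemon negotiates), and anything else is cleartext that escaped the tunnel. It assumes tcpdump -n output on stdin and uses constructed sample lines with hypothetical node addresses 10.0.0.1 and 10.0.0.2.

```shell
#!/bin/sh
# Added example, not Zettaset's tooling: classify a tcpdump capture between two
# cluster nodes. Expected with the tunnel up: only ESP and IKE (isakmp) packets.
# Assumed: lines come from "tcpdump -n -i eth0 host NODE_A and host NODE_B".

# Prints the number of packets between NODE_A and NODE_B that are neither ESP
# nor IKE; exit status 0 when that count is zero, 1 otherwise.
count_plaintext_between() {
    awk -v a="$1" -v b="$2" '
    # "1.2.3.4.port" -> "1.2.3.4"; a bare address is returned unchanged
    function host(tok,   n, p) {
        n = split(tok, p, ".")
        return n == 5 ? p[1] "." p[2] "." p[3] "." p[4] : tok
    }
    # tcpdump -n line: "<ts> IP <src[.port]> > <dst[.port]>: <payload description>"
    $2 == "IP" {
        s = host($3); d = $5; sub(/:$/, "", d); d = host(d)
        if (!((s == a && d == b) || (s == b && d == a))) next   # other traffic
        if ($0 ~ /ESP\(spi=/)      esp++     # inside the IPsec tunnel
        else if ($0 ~ /isakmp/)    ike++     # key exchange, expected
        else                       plain++   # cleartext between the nodes
    }
    END { print plain + 0; exit (plain > 0) }'
}

# Constructed sample capture (not real traffic): one IKE exchange, two ESP
# packets, one cleartext packet to the PostgreSQL port that should not appear,
# and one packet between unrelated hosts that must be ignored.
sample_capture() {
    cat <<'EOF'
12:00:00.000100 IP 10.0.0.1.500 > 10.0.0.2.500: isakmp: parent_sa ikev2_init[I]
12:00:00.000900 IP 10.0.0.2.500 > 10.0.0.1.500: isakmp: parent_sa ikev2_init[R]
12:00:01.000001 IP 10.0.0.1 > 10.0.0.2: ESP(spi=0x0000abcd,seq=0x1), length 116
12:00:01.000500 IP 10.0.0.2 > 10.0.0.1: ESP(spi=0x0000dcba,seq=0x1), length 100
12:00:02.000000 IP 10.0.0.1.41000 > 10.0.0.2.5432: Flags [P.], seq 1:50, ack 1, win 512, length 49
12:00:02.000300 IP 10.0.0.10.22 > 10.0.0.3.50000: Flags [P.], seq 1:40, ack 1, win 512, length 39
EOF
}

# On a live node pipe tcpdump in instead of sample_capture.
self_test() { sample_capture | count_plaintext_between 10.0.0.1 10.0.0.2; }
self_test || echo "WARNING: cleartext traffic found between nodes"
```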

Page 20: Zettaset Elastic Big Data Security for Greenplum Database

Removing node(s) from a cluster

• To remove one or more nodes, their certificates must be revoked, so that the KMIP server no longer issues keys to those nodes
• Get list of currently enabled hosts
  – $ /usr/share/zts/bin/zts.ca list-hosts
• Revoke node certificates
  – $ /usr/share/zts/bin/zts.ca revoke-host node15
• Data at Rest: node will stop functioning on next reboot
• Data in Motion: active connections will be dropped

Page 21: Zettaset Elastic Big Data Security for Greenplum Database

Thank You !