Automating data encryption for new cloud architectures

Almost every survey about inhibitors to cloud computing identifies "security concerns" as the top issue. It will remain an issue until the notion of encrypting all data in the cloud becomes a best practice. Gazzang is rising to the challenge with a PaaS encryption solution that automates data encryption, especially for open source environments and big data applications.

Cloud computing is the ideal environment for processing big data. For databases that scale horizontally, sometimes with a million or more fields and reaching multiple petabytes in size, it's possible to chunk up the data and spread it across hundreds or thousands of servers for parallel processing and analytics. It's an efficient and effective use of cloud technology.

Of course, if you put data in the cloud, you will want to protect it with encryption, especially if the data includes any sensitive customer or financial information. However, the very thought of generating and managing all the encryption keys for hundreds of separate data files can be a problem. And, if your data is in a public cloud, you wouldn't want to give access to the keys to the root user, who is often an administrator for the cloud provider.

CLOUD TRENDS: How to go hybrid

IN DEPTH: Can you handle big data?

Austin-based Gazzang Inc. has an encryption solution that has been purpose-built for new cloud architectures, and specifically to take advantage of open source infrastructure. The company's first product, ezNcrypt, is a platform as a service (PaaS) to do transparent data encryption to a range of databases and applications in the open source world. According to Gazzang executives, these types of databases -- such as those enabled by Hadoop, Cassandra and MongoDB -- are growing, but they don't have the same robustness of security tools that commercial enterprise-class databases have developed over the years. Gazzang is building a series of products to address this market.

ezNcrypt has two fundamental components. The most important is the key manager, which resides in the cloud -- hence the reason for calling the product a PaaS solution. The key manager has infrastructure to generate and manage encryption keys. For companies that don't want to place the key manager in the cloud for their own security or regulatory reasons, this software component can be installed locally behind the company's firewall.

The second component is a small kernel modification module for Linux that is loaded in the same space as the operating system. This is where the encryption actually takes place. Gazzang leverages the cryptography that is distributed automatically with Linux, which is AES-256. However, you don't have to make any modifications to the database or applications or your Linux environment.

What Gazzang has created is a virtual encrypted file system. When any Linux application, process or database goes to commit data on the disk, ezNcrypt intercepts it and does the encryption so that all data at rest -- on premises or in the cloud -- gets encrypted. The data is only decrypted as it comes off the disk and is loaded into memory for computation.

The initial installation of ezNcrypt takes about 20 minutes. The product makes a slight modification to the Linux kernel. Then you set up the configuration rules to define which servers and processes are allowed to encrypt/decrypt data. This is when you enable the passphrase, and from here on out it's "set it and forget it." You don't need to interface with the system again unless the server gets rebooted and you need to reauthorize the release of the master key.

When the key comes from the key manager -- it's encrypted, tagged and hashed so that it's secure in transit -- it goes directly into a memory location in Linux where it enables the automatic encryption and decryption of data. The key is never in the file where the data exists. What's more, only authorized processes (and not people) can invoke the key. The entire key management process is highly automated, making it ideal for big data situations where many servers and data instances must be protected.

Gazzang's key manager platform runs on the Amazon cloud. For business continuity purposes, the key manager is replicated in different Amazon locations, and it also has an auto-failover facility to entirely different cloud operated by Rackspace. So, if Amazon's cloud goes down -- which it has recently -- the dynamic DNS server automatically redirects all ezNcrypt requests to Rackspace, and Gazzang customers won't lose access to their key management application.

I talked to a financial services company that uses ezNcrypt on a mission-critical business intelligence application. The company chose Gazzang because the encryption process was a good fit for the Linux technology stack the company had deployed. They need to protect MySQL files, and ezNcrypt does it in a hands-off fashion. Because of the sensitivity of the data, this company brought the key manager in-house. Even at that, the CTO says the price was right for the level of protection they get.

Gazzang executives say they have a number of SaaS vendors who use Gazzang's encryption tool to protect customers' data in the cloud. The vendors can assure customers that they have no access to the keys that would give them access to the data.

Linda Musthaler is a principal analyst with Essential Solutions Corporation. You can write to her at


About Essential Solutions Corp:

Essential Solutions researches the practical value of information technology, and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.

Copyright © 2012 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022