Automating data encryption for new cloud architectures

April 8, 2012 | By David | Object Storage

Grazed from NetworkWorld. Author: Linda Musthaler.

Cloud computing is the ideal environment for processing big data. For databases that scale horizontally, sometimes with a million or more fields and reaching multiple petabytes in size, it’s possible to chunk up the data and spread it across hundreds or thousands of servers for parallel processing and analytics. It’s an efficient and effective use of cloud technology.

Of course, if you put data in the cloud, you will want to protect it with encryption, especially if the data includes any sensitive customer or financial information. However, the very thought of generating and managing all the encryption keys for hundreds of separate data files can be a problem. And, if your data is in a public cloud, you wouldn’t want to give access to the keys to the root user, who is often an administrator for the cloud provider…

Austin-based Gazzang Inc. has an encryption solution that has been purpose-built for new cloud architectures, and specifically to take advantage of open source infrastructure. The company’s first product, ezNcrypt, is a platform as a service (PaaS) that provides transparent data encryption for a range of databases and applications in the open source world. According to Gazzang executives, these types of databases — such as those enabled by Hadoop, Cassandra and MongoDB — are growing, but they don’t have the same robustness of security tools that commercial enterprise-class databases have developed over the years. Gazzang is building a series of products to address this market.

ezNcrypt has two fundamental components. The most important is the key manager, which resides in the cloud — hence the reason for calling the product a PaaS solution. The key manager has infrastructure to generate and manage encryption keys. For companies that don’t want to place the key manager in the cloud for their own security or regulatory reasons, this software component can be installed locally behind the company’s firewall.

The second component is a small kernel modification module for Linux that is loaded in the same space as the operating system. This is where the encryption actually takes place. Gazzang leverages the cryptography that is distributed automatically with Linux, which is AES-256, so you don’t have to make any modifications to the database, your applications or your Linux environment.

What Gazzang has created is a virtual encrypted file system. When any Linux application, process or database goes to commit data on the disk, ezNcrypt intercepts it and does the encryption so that all data at rest — on premises or in the cloud — gets encrypted. The data is only decrypted as it comes off the disk and is loaded into memory for computation.

The initial installation of ezNcrypt takes about 20 minutes. The product makes a slight modification to the Linux kernel. Then you set up the configuration rules to define which servers and processes are allowed to encrypt/decrypt data. This is when you enable the passphrase, and from here on out it’s "set it and forget it." You don’t need to interface with the system again unless the server gets rebooted and you need to reauthorize the release of the master key.

When the key comes from the key manager — it’s encrypted, tagged and hashed so that it’s secure in transit — it goes directly into a memory location in Linux where it enables the automatic encryption and decryption of data. The key is never in the file where the data exists. What’s more, only authorized processes (and not people) can invoke the key. The entire key management process is highly automated, making it ideal for big data situations where many servers and data instances must be protected.
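To make the flow in the preceding paragraphs concrete, here is an added toy model (not Gazzang's code, and not a description of ezNcrypt's internals) of the pieces the article names: a key manager that releases a master key only after the passphrase checks out and only in an encrypted, authenticated form bound to the requesting server; an interception layer that keeps that key in memory, encrypts every write before it reaches the "disk", decrypts on read, and refuses to serve processes that are not on its allow-list; and a reboot that drops the key until it is re-released. The cipher is an HMAC-SHA256 keystream with encrypt-then-MAC, a standard-library stand-in for the AES-256 the article cites; the server name, passphrase, process names, paths and sample record are all constructed, and the transport key is assumed to be provisioned to the server out of band.

```python
"""Toy transparent-encryption layer with a remote key manager (added example)."""
import hashlib
import hmac
import os
import struct

NONCE_LEN, TAG_LEN, BLOCK = 16, 32, 32


def _derive(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC subkeys from one master key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode style keystream: block i = HMAC(key, nonce || i). Stand-in for AES."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        ks = hmac.new(key, nonce + struct.pack(">Q", i // BLOCK), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + BLOCK], ks))
    return bytes(out)


def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Encrypt, then authenticate ciphertext and context: nonce || ct || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = _keystream_xor(_derive(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_derive(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Check the tag before decrypting, so a tampered blob is rejected outright."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_derive(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch")
    return _keystream_xor(_derive(key, b"enc"), nonce, ct)


class KeyManager:
    """Key manager (cloud-hosted in the article; in-process here). Holds each server's
    master key plus a per-server transport key and releases the master key only wrapped."""

    def __init__(self):
        self._servers = {}  # server_id -> (master_key, transport_key, salt, passphrase_hash)

    def enroll(self, server_id: str, passphrase: str) -> bytes:
        master, transport, salt = os.urandom(32), os.urandom(32), os.urandom(16)
        ph = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)
        self._servers[server_id] = (master, transport, salt, ph)
        return transport  # assumption: handed to the server out of band at install time

    def release(self, server_id: str, passphrase: str) -> bytes:
        master, transport, salt, ph = self._servers[server_id]
        check = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)
        if not hmac.compare_digest(ph, check):
            raise PermissionError("passphrase rejected")
        # Encrypted, tagged and bound to the server id for transit.
        return seal(transport, master, aad=server_id.encode())


class EncryptingLayer:
    """Stand-in for the kernel-side interception: the key lives only in memory,
    writes are sealed before they land on 'disk', and only allow-listed processes
    may trigger encryption or decryption."""

    def __init__(self, server_id: str, transport_key: bytes, allowed_processes):
        self.server_id = server_id
        self._transport = transport_key
        self._allowed = set(allowed_processes)
        self._key = None
        self.disk = {}  # path -> ciphertext blob; this is all that ever hits storage

    def authorize(self, wrapped_key: bytes) -> None:
        self._key = unseal(self._transport, wrapped_key, aad=self.server_id.encode())

    def reboot(self) -> None:
        self._key = None  # memory-resident key is gone until the manager re-releases it

    def _check(self, process: str) -> None:
        if self._key is None:
            raise RuntimeError("master key not released; reauthorize after reboot")
        if process not in self._allowed:
            raise PermissionError(f"process {process!r} is not allowed to use the key")

    def write(self, process: str, path: str, data: bytes) -> None:
        self._check(process)
        self.disk[path] = seal(self._key, data, aad=path.encode())

    def read(self, process: str, path: str) -> bytes:
        self._check(process)
        return unseal(self._key, self.disk[path], aad=path.encode())


def raises(exc, fn, *args) -> bool:
    """True if fn(*args) raises exc; lets callers probe failure modes without try/except."""
    try:
        fn(*args)
    except exc:
        return True
    return False


def demo():
    """Enroll a constructed server, release its key, and write one constructed record."""
    km = KeyManager()
    transport = km.enroll("db-01", "constructed passphrase")
    layer = EncryptingLayer("db-01", transport, allowed_processes={"mysqld"})
    layer.authorize(km.release("db-01", "constructed passphrase"))
    record = b"customer=constructed sample row;balance=42"
    layer.write("mysqld", "/var/lib/mysql/ibdata1", record)
    return km, layer, record
```

Two properties worth checking in any real deployment are visible here: what lands on disk contains neither the plaintext nor the key, and after a reboot nothing can be read until the key manager releases the key again, which is the reauthorization step the article mentions.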

Gazzang’s key manager platform runs on the Amazon cloud. For business continuity purposes, the key manager is replicated in different Amazon locations, and it also has an auto-failover facility to an entirely different cloud operated by Rackspace. So, if Amazon’s cloud goes down — which it has recently — the dynamic DNS server automatically redirects all ezNcrypt requests to Rackspace, and Gazzang customers won’t lose access to their key management application.

I talked to a financial services company that uses ezNcrypt on a mission-critical business intelligence application. The company chose Gazzang because the encryption process was a good fit for the Linux technology stack the company had deployed. They need to protect MySQL files, and ezNcrypt does it in a hands-off fashion. Because of the sensitivity of the data, this company brought the key manager in-house. Even at that, the CTO says the price was right for the level of protection they get.

Gazzang executives say they have a number of SaaS vendors who use Gazzang’s encryption tool to protect customers’ data in the cloud. The vendors can assure customers that they have no access to the keys that would give them access to the data.