In the era of Big Data, virtualized environments, mobile computing, and both public and private cloud, and with sensitive data scattered across systems and physical locations, is data encryption a best practice for IT security? Larry Warnock, CEO of Gazzang, certainly thinks so. And the recent success of this startup data encryption vendor argues that the market agrees.
“First, today data is massively distributed. It goes all over the place,” Warnock says. “Hadoop is really a massively distributed file system, not a traditional database.” And even traditional relational data ends up scattered across the data center in virtualized environments.
Increasing numbers of companies are creating hybrid public/private cloud environments, which means that some of their data ends up on public systems. They are, for instance, leveraging the fast-and-easy configuration environment of Infrastructure-as-a-Service (IaaS) vendors such as Amazon.com to run new or fast growing applications and products such as cloud-based games or to handle large seasonal variations in business activity typical of retail. And growing numbers of SaaS vendors, who need to provide strong security for their customers’ data, are using data encryption. “You don’t want the system owner to be able to see your company’s sensitive data if that owner is a third-party like Amazon, for instance,” Warnock says.
Mobile computing creates its own risks to sensitive data. Stories about stolen laptops with data on customer accounts are depressingly common. “I think that the next thing may be theft of mobile devices like smartphones and tablets with sensitive data on them,” Warnock says.
As a result, while traditional security tools like firewalls are still important, they cannot provide the level of data security that they did when everything was inside the data center. And even then reports of massive identity theft through unauthorized access of sensitive data appeared regularly.
Meanwhile, Warnock says, “The cost of encryption has dropped to the point that the question is why shouldn’t you do it?”
One major issue that has delayed the widespread adoption of encryption is key management, which can be complicated. Also, the traditional approach to encryption is to encrypt all new data at the end of the day, which leaves what often is the most valuable data in transactional systems unprotected for hours. And in today’s 24x7 business environment, many companies never have an end to the day when things slow down and large batch processes can be run.
Gazzang’s ezNcrypt product offers a new approach to encryption designed for this environment in three important ways, Warnock says.
- It encrypts on the fly, as data enters the system.
- Key management is automated, with keys kept in a highly secured cloud environment, while the security surrounding the encrypted data itself is increased over traditional systems. The key uses Process-Based Access Control Lists (ACLs) to include information about the specific programmatic process that encrypted the data. The process is fingerprinted and hashed, making it impossible for a third party without access to that process to decrypt.
- It is a software-only solution with no hardware appliance. It actually is a kernel modification to Linux. Gazzang supports 272 distributions of Linux. “As long as the file system and database are in Linux, we are good to go,” Warnock says. That means that it can encrypt data on any Linux-based system from Oracle to Hadoop, and any hardware from traditional disk to the new PCIe server memory cards. As long as Linux can see it, Gazzang can encrypt it.
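As an added illustration of the process-based ACL idea described above (example code written for this article, not Gazzang’s ezNcrypt implementation): a key store releases a key only to a requester whose executable image hashes to a fingerprint on that key’s ACL, so a tampered or unknown binary is denied even though it asks for the same key. The SHA-256-of-executable-image fingerprint rule and the class and function names are assumptions.

```python
import hashlib
import os
from typing import Dict, Iterable, Set

# Constructed example of a process-based key-release policy: the requesting
# process is identified by a hash of its executable image, and a key is
# handed out only to fingerprints bound to that key at registration time.


def fingerprint_process(exe_image: bytes) -> str:
    """Return the hex SHA-256 digest of a process's executable image (assumed fingerprint rule)."""
    return hashlib.sha256(exe_image).hexdigest()


class ProcessKeyStore:
    """Holds keys plus, per key, the set of process fingerprints allowed to fetch them."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}
        self._acl: Dict[str, Set[str]] = {}

    def register_key(self, key_id: str, key: bytes, allowed_exe_images: Iterable[bytes]) -> None:
        """Store a key and bind it to the fingerprints of the executables allowed to use it."""
        self._keys[key_id] = key
        self._acl[key_id] = {fingerprint_process(img) for img in allowed_exe_images}

    def is_allowed(self, key_id: str, requester_exe_image: bytes) -> bool:
        """True only if the key exists and the requester's fingerprint is on its ACL."""
        return fingerprint_process(requester_exe_image) in self._acl.get(key_id, set())

    def request_key(self, key_id: str, requester_exe_image: bytes) -> bytes:
        """Release the key, or raise PermissionError so the denial can be logged and alerted on."""
        if not self.is_allowed(key_id, requester_exe_image):
            fp = fingerprint_process(requester_exe_image)
            raise PermissionError(f"key {key_id!r} denied to process fingerprint {fp[:16]}...")
        return self._keys[key_id]


def demo() -> Dict[str, bool]:
    """Constructed scenario: the original database binary is allowed, a one-bit-modified copy is not."""
    trusted_db = b"\x7fELF...constructed-database-binary-image"   # stand-in for the on-disk executable
    tampered_db = bytearray(trusted_db)
    tampered_db[-1] ^= 0x01                                       # one flipped bit changes the fingerprint
    store = ProcessKeyStore()
    store.register_key("tablespace-1", os.urandom(32), [trusted_db])
    return {
        "trusted_gets_key": store.is_allowed("tablespace-1", trusted_db),
        "tampered_gets_key": store.is_allowed("tablespace-1", bytes(tampered_db)),
    }


if __name__ == "__main__":
    print(demo())
```

In a real deployment the denial path is the signal worth monitoring: repeated key requests from an unregistered fingerprint point to a modified or impostor process rather than a legitimate client.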
EzNcrypt is finding use cases in several industries and applications that demand high data security levels, he says. These include medical, where health care providers get highly sensitive, regulated patient data from multiple sources and need to protect it; financial services; and retail, which needs to protect large amounts of customer data starting with credit card numbers, account access, and personal ID information.
Warnock admits that, as with all IT security, making the financial case for investing in encryption is often difficult. “It won’t add to your top line or save operating expenses. It is more of an insurance discussion. It protects you from the dreaded breach, which often does its worst damage indirectly, to the company’s reputation and the trust of customers. What we are hoping is that data encryption will become a generally recognized best practice.”
So is it best practice? “That depends,” says Mike Rothman, president of Securosis and former security analyst at META Group.
Encryption is therefore an important tool in the security toolbox, but it is not the only one there. It can be a last line of defense for highly sensitive data in the enterprise and a way to provide protection for data in the cloud or in transit across the Internet. But it should be seen as part of an overall security plan, not as a silver bullet for all security needs.
“Encryption is certainly an important data security tool, especially in today’s IT environment,” Rothman says. “A lot depends on what you are trying to store, who is trying to access it, and what they are likely to try to do.”