
Vormetric Partners with DataStax to Deliver Enhanced Data-at-Rest Security in Apache Cassandra

by Abhishek Sharma on Oct 27, 2014. Estimated reading time: 2 minutes

Vormetric, an enterprise data security solutions provider, has announced a partnership with DataStax, the company behind Apache Cassandra, to enhance the enterprise-class security features in the platform.

The two companies will work together to enhance data-at-rest security in Apache Cassandra, including encryption, enhanced access controls and security intelligence.

In Cassandra, data is flushed from the memtable in system memory to the SSTables on disk. The data stored in SSTables is considered data-at-rest and is protected by the Transparent Data Encryption (TDE) product. Data stored in SSTables is immutable, and it is encrypted only once, when it is written to disk.

Cassandra stores all changes to the data in a file called the commit log, for recovery purposes in the event of a hardware failure. By default this data is not encrypted; encrypting it requires storing the commit log on an OS-level encrypted file system. TDE has some limitations: data is not protected when it is accessed directly by utilities such as json2sstable and nodetool. TDE also introduces performance overhead in Cassandra.

Vormetric's partnership with DataStax will enhance the existing enterprise-class security features in the DataStax Enterprise platform. Cassandra, together with Vormetric Transparent Encryption (VTE) and Vormetric Application Encryption (VAE) in the DataStax platform, can protect sensitive data at the column level.

VTE offers centrally managed encryption, key management and access control for data-at-rest across distributed heterogeneous environments. VTE encrypts data at the file or volume level and requires no modification to the existing infrastructure or the application. The solution includes access control to encrypted data, and its security intelligence information can help organizations identify malicious attacks on sensitive data.

VAE is a library that simplifies integrating application-level encryption into existing corporate applications. VAE enables developers to easily build encryption for individual fields (such as social security numbers, passwords, addresses and phone numbers).

The Vormetric Data Security architecture consists of two major components: the Vormetric Data Security Manager and Vormetric Encryption Expert Agents. The Data Security Manager is a FIPS 140-2 certified hardware appliance that must be installed in the user's data center. The device functions as the central point for creating, distributing and managing data encryption keys, policies and host data security configurations. Encryption Expert Agents are software agents that sit on the user's servers at the OS level. They perform encryption, decryption and access control tasks locally on the system that is accessing the data-at-rest.

Data security is one of the major common concerns in the field of Big Data, Hadoop and NoSQL databases. Securosis published a research paper with security recommendations for Hadoop and NoSQL environments, which states that data security requirements are the same for any data repository system with the following characteristics:

  • Handles large amounts (a petabyte or more) of data.
  • Distributed redundant data storage.
  • Parallel task processing.
  • Provides data processing (MapReduce or equivalent) capabilities.
  • Extremely fast data insertion.
  • Central management and orchestration.
  • Hardware agnostic.
  • Accessible - both relatively easy to use, and available as a commercial or open source product.
  • Extensible - basic capabilities can be augmented and altered.

Adrian Lane, author of the paper, stated that data security in Big Data means data-at-rest protection, data-in-motion protection, authentication of applications and nodes, and data API security. Adrian recommends using file encryption, Kerberos for node authentication, key management and secure communication to achieve data protection.

Recently, the Big Data security marketplace has witnessed explosive growth in security products and solutions. Vendors such as Intel, Cloudera and Hortonworks have released several open-source data security products, such as Project Rhino for data-at-rest security, Sentry for fine-grained access control and Knox Gateway for secure Hadoop access via REST API.
