Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ


Choose your language

InfoQ Homepage News Vormetric Partners with DataStax to Deliver Enhanced Data-at-Rest Security in Apache Cassandra

Vormetric Partners with DataStax to Deliver Enhanced Data-at-Rest Security in Apache Cassandra


Vormetric, an enterprise data security solutions provider has announced a partnership with DataStax, the company behind Apache Cassandra, to enhance the enterprise-class security features in the platform.

The two companies will work together to enhance data-at-rest security that includes encryption, enhanced access controls and security intelligence in Apache Cassandra.

In Cassandra, data is flushed from the memtable in system memory to the SSTables on disk. The data stored in SSTables is considered data-at-rest and is protected by Transparent data encryption (TDE) product. Stored data in SSTables is immutable and while writing data on disk it gets encrypted only once.

Cassandra stores all the changes to the data in a file called commit log for recovery purposes in the event of a hardware failure. This data is by default not encrypted. Encryption requires the storage of commit log at an OS-level encrypted file system. TDE data encryption has some limitations like data is not protected when directly accessed by utilities like json2sstable and nodetool. TDE also introduces performance overhead in Cassandra.

Vormetric partnership with DataStax will enhance the existing enterprise-class security features in DataStax Enterprise platform. Cassandra along with Vormetric Transparent Encryption (VTE) and Vormetric Application Encryption (VAE) in DataStax platform can provide sensitive data protection at column level.

VTE offers centrally managed encryption, key management and access control for data-at-rest across distributed heterogeneous environments. VTE provides data encryption at the file or volume level and requires no modification in the existing infrastructure or in the application. Solution includes access control to encrypted data and security intelligence information can help organizations in identifying malicious attacks on sensitive data. 

VAE is a library to simplify application-level encryption integration into existing corporate applications. VAE enables developers to easily build encryption for individual fields (such as social security numbers, passwords, addresses and phone numbers).

Vormetric Data Security architecture consists of two major components - Vormetric Data Security Manager and Vormetric Encryption Expert Agents. Data Security Manager is a FIPS 140-2 certified hardware appliance and needs installation at user’s data center. Device functions as the central point for creating, distributing and managing data encryption keys, policies, and host data security configurations. Encryption Expert Agents are software agents sit on user’s servers at the OS level. Encryption Expert Agents perform encryption, decryption and access control tasks locally on the system that is accessing the data-at-rest.

Data security is one of the major common concerned areas in the field of Big Data, Hadoop and NoSQL databases. Securosis published a research paper with security recommendations for Hadoop and NoSQL environments stated that data security requirements are same for any data repository system having following characteristics –

  • Handles large amounts (a petabyte or more) of data.
  • Distributed redundant data storage.
  • Parallel task processing.
  • Provides data processing (MapReduce or equivalent) capabilities.
  • Extremely fast data insertion.
  • Central management and orchestration.
  • Hardware agnostic.
  • Accessible - both relatively easy to use, and available as a commercial or open source product.
  • Extensible - basic capabilities can be augmented and altered.

Adrian Lane, author of the paper stated that data security in Big Data means data-at-rest protection, data-in-motion protection, authentication of applications and nodes protection, data API security protection. Adrian recommends usage of file encryption, Kerberos for node authentication, key management and secure communication for achieving data protection.

Recently, Big Data security marketplace witnessed explosive growth in security products and solutions. Many vendors like Intel, Cloudera and Hortonworks released several open-source data security products like Project Rhino for data-at-rest security, Sentry for fine-grained access control and Knox Gateway for secure Hadoop access by REST API.

Rate this Article