Zettaset Blog

Shouldn’t Have Happened: Big Blue’s Big Blunder

Since we announced the new Zettaset XCrypt Cloud Encryption Gateway, we have been reaching out to every prospect, customer, and partner to extol the virtues of maintaining exclusive control of your encryption keys. After all, you wouldn’t just hand over the keys to your house or your car to a third party, would you?

So why is it that many cloud service provider (CSP) customers are OK with giving the CSP access to and control of their data encryption keys? Sometimes bad things happen when you do that. IBM found that out when it left private keys to the Docker host environment in its Data Science Experience service inside freely available containers. Oops!

This potentially granted the cloud service’s users root access to the underlying container-hosting machines – and potentially to other machines in Big Blue’s Spark computing cluster. Effectively, Big Blue handed its cloud users the secrets needed to potentially commandeer and control its service’s computers.

Technology consultant Wayne Chang discovered the flaw. In a subsequent blog post, he wrote, “It was a misconfiguration vulnerability with very severe consequences. In short, they left all the Docker TLS keys in the container, which is the same as leaving a jail cell’s keys inside the jail cell. This kind of oversight simply isn’t acceptable for such a high-profile and enterprise product; it tells me that their security review process should be more rigorous.”

In his blog post, Chang also wryly noted, “In the race to build new technologies, security is often an afterthought.” Nobody knows that better than our development team at Zettaset.

XCrypt gives our customers total client-side control of the encryption keys and all encryption processes. It ensures that cloud service providers know nothing about the content of encrypted customer data or customer keys. The first version of this product addresses Amazon’s Simple Storage Service (S3), where the current default process is to let Amazon manage your keys. We have great faith in trusted vendors like IBM and Amazon. But sometimes faith is not enough to protect your encryption keys.
