XCrypt Hadoop™ from Zettaset is a next-generation encryption solution built on Authenticated Encryption with Associated Data (AEAD) in Galois/Counter Mode (GCM), so that data is not only encrypted but also carries an authentication tag that lets the reader verify the ciphertext has not been altered. XCrypt Hadoop can therefore detect cyberattacks that manipulate, truncate or otherwise corrupt encrypted data and limit the exposure they cause, helping to ensure the accuracy and consistency of data over its entire life-cycle.
XCrypt Hadoop is designed for selective HDFS encryption down to the file level. Because each file is encrypted and decrypted individually, every encrypted file is a separate object that an unauthorized party can attempt to read, rewrite or replace, which calls for protection beyond confidentiality alone. For that reason, XCrypt Hadoop adds protection in two ways: (1) authenticated encryption, which protects the ciphertext and binds it to associated data (AEAD), and (2) cryptographic protection for access control lists (ACLs).
There is a common misperception that encrypted data is fully protected, but encrypted data is still exposed to malicious attacks and unauthorized modification. File-based encryption protects data on nodes against attackers reading files, but it remains vulnerable to write attacks on those same encrypted files (the ciphertext).
If an attacker can write to the ciphertext, he or she can (1) erase or corrupt data without detection, or (2) mount a chosen-ciphertext attack (CCA), submitting modified ciphertext to the decryptor and learning from its behaviour, to recover plaintext or, in the weakest schemes, key material. With an unauthenticated counter mode no decryption oracle is even needed: flipping a bit of ciphertext flips the same bit of plaintext, so a known field can be rewritten to a chosen value. Data in motion is an even easier target, since an attacker on the network path can modify ciphertext with a man-in-the-middle attack.
XCrypt Hadoop addresses these vulnerabilities and includes unique features not found in any other HDFS data encryption solution.
XCrypt Hadoop is a next-generation encryption solution that takes the extra step of protecting the encrypted data (ciphertext) itself. It uses an AEAD mode rather than a separate Encryption + MAC composition, so any modification of the ciphertext is caught by the tag check instead of surfacing as silently corrupted plaintext. Because GCM computes encryption and authentication in a single pass, it is easier to use correctly and to optimize than older two-pass AEAD modes such as CCM, which run CBC-MAC over the data and then encrypt it.
Authenticated encryption using associated data has additional advantages as part of the XCrypt Hadoop encryption solution.
Some otherwise secure encryption schemes, including unauthenticated encryption modes, can let attackers recover plaintext, and in some constructions even key material, through a CCA. Unauthenticated encryption only prevents an attacker from reading the plaintext. It does not prevent the attacker from modifying the ciphertext, and the decryptor cannot tell that this has happened.
The authenticated encryption mode used by XCrypt Hadoop verifies that the ciphertext was produced by someone who possessed the encryption key, and rejects it otherwise. Non-authenticated encryption products depend on the user to detect modification by noticing plaintext that appears to be wrong, an unreliable approach that exposes organizations to unnecessary risk.
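The write attack described above, as an added example in Go (standard library only) that is not XCrypt's code: a constructed record is encrypted once with plain AES-CTR and once with AES-GCM, and in both cases the attacker rewrites the amount field directly in the ciphertext by XORing in old^new at a guessed offset, which is all that write access to an unauthenticated file requires. The key, the record text and the field layout are assumptions made for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// demoKey is constructed for this example only; a real deployment fetches the
// per-file data key from the key manager.
var demoKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256

// record is a constructed sample of structured plaintext. The attacker never
// sees it, but the field layout ("amount=" at offset 0) is guessable.
const record = "amount=000100;payee=alice;memo=Q3 invoice"

// patchCiphertext is the write attack: XOR the ciphertext at a known offset
// with old^want. In any counter-mode construction (CTR, and the CTR core of
// GCM) this flips exactly those plaintext bytes; only a tag can catch it.
func patchCiphertext(ct []byte, offset int, old, want string) []byte {
	out := append([]byte(nil), ct...)
	for i := range old {
		out[offset+i] ^= old[i] ^ want[i]
	}
	return out
}

// ctrXOR is AES-CTR in both directions: the keystream is XORed in, with no
// integrity check, so decryption cannot fail on tampered input.
func ctrXOR(key, iv, in []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// TamperCTR encrypts the record under a random IV, rewrites the amount field
// in the ciphertext, and decrypts: the forgery comes back as clean plaintext.
func TamperCTR() (string, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	ct, err := ctrXOR(demoKey, iv, []byte(record))
	if err != nil {
		return "", err
	}
	forged := patchCiphertext(ct, len("amount="), "000100", "999900")
	pt, err := ctrXOR(demoKey, iv, forged)
	return string(pt), err
}

// TamperGCM applies the identical byte flip to a GCM-encrypted record. The
// 16-byte tag at the end no longer matches, so Open returns an error and no
// plaintext at all.
func TamperGCM() (string, error) {
	gcm, err := newGCM(demoKey)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nil, nonce, []byte(record), nil) // ciphertext || tag
	forged := patchCiphertext(ct, len("amount="), "000100", "999900")
	pt, err := gcm.Open(nil, nonce, forged, nil)
	return string(pt), err
}

func main() {
	pt, err := TamperCTR()
	fmt.Printf("CTR: plaintext=%q err=%v\n", pt, err)
	pt, err = TamperGCM()
	fmt.Printf("GCM: plaintext=%q err=%v\n", pt, err)
}
```

The CTR path returns the forged record with no error, so a downstream reader would act on an amount of 999900 that nobody authorized; the GCM path returns an error and releases nothing. Note that the flip itself works identically on GCM's ciphertext bytes, since GCM is CTR underneath; it is only the tag that stops it, which is why an unauthenticated mode plus a "looks wrong" check is not a substitute.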
Authenticated encryption is becoming mandatory because of its stronger security properties, but it must not compromise performance and scalability. To keep performance high, Zettaset XCrypt Hadoop uses Galois/Counter Mode (GCM) for authenticated encryption. GCM was designed for high data-rate authenticated encryption: its counter-mode encryption can be computed in parallel and its GHASH authentication can be pipelined, so implementations reach speeds of 10+ gigabits per second.
Zettaset XCrypt Hadoop cryptographically protects access control lists, preventing an attacker from modifying ACLs and using those changes to gain access to data. An ACL is a list of permissions attached to an object that specifies which users or system processes are granted access to it; ACLs are typically applied to data to restrict access to approved entities, and applying them at every layer of access is critical to securing a system.
XCrypt Hadoop enforces file access according to policies established by the administrator. Policies can enforce access control as well as encryption. The solution has been designed for interoperability in existing IT infrastructure, and works with Active Directory, LDAP, Kerberos, and UNIX authentication mechanisms. XCrypt Hadoop co-exists with and enhances the Apache Ranger offering by adding ACL integrity to HDFS.
Extended attributes (xattrs) provide a place to store authentication tags and initialization vectors (IVs). XCrypt Hadoop uses xattrs to (1) keep track of each block's authentication tag and (2) derive a unique IV for each block, and cryptographically ties the xattrs to their associated file for additional protection against malicious attacks. The per-block uniqueness matters: GCM's confidentiality and integrity guarantees collapse if an IV is ever reused under the same key, so every block must be written under its own IV.
XCrypt Hadoop’s key management system is highly scalable and granular, and can support a unique key per file. A distributed policy server enforces user-defined policy at that granular level, so a “lost” key exposes at most the data it protected rather than the whole cluster. The automated policy server also ensures that keys are never handed to clients.
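One way to realize the two mechanisms above, the cryptographic protection of ACLs and the xattr-stored per-block tags and IVs, as an added example in Go that is not Zettaset's implementation: the ACL and the block index are fed to AES-GCM as associated data, each block is sealed under a distinct IV (an 8-byte per-file random prefix followed by the 4-byte block index), and the resulting tag and IV are kept in xattr-style entries rather than inside the block. The xattr names, the key, the ACL text and the block contents are constructed for the demo; the page does not describe XCrypt's actual on-disk encoding.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

const tagSize = 16 // GCM tag length; the tag lives in an xattr, not in the block

// demoKey is constructed for this example; the real per-file key comes from the key manager.
var demoKey = []byte("fedcba9876543210fedcba9876543210")

// encFile models an encrypted HDFS file: ciphertext blocks plus the extended attributes
// holding the ACL and a per-block IV and tag. The xattr names are hypothetical.
type encFile struct {
	Blocks [][]byte
	Xattrs map[string][]byte
}

func xkey(kind string, i int) string { return fmt.Sprintf("user.demo.%s.%d", kind, i) }

// aad is the associated data for block i: the ACL and the block index. It is
// authenticated but not encrypted, so a rewritten ACL, or a block moved to
// another position in the file, makes the tag check fail.
func aad(acl []byte, i int) []byte { return []byte(fmt.Sprintf("acl:%s;block:%d", acl, i)) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealFile encrypts every block under its own IV: 8 random bytes chosen once
// per file followed by the block index, so no IV repeats under the file key
// (GCM is only secure while IVs never repeat).
func sealFile(key []byte, acl string, plain [][]byte) (*encFile, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	prefix := make([]byte, 8)
	if _, err := rand.Read(prefix); err != nil {
		return nil, err
	}
	f := &encFile{Xattrs: map[string][]byte{"user.demo.acl": []byte(acl)}}
	for i, pt := range plain {
		iv := binary.BigEndian.AppendUint32(append([]byte(nil), prefix...), uint32(i))
		sealed := gcm.Seal(nil, iv, pt, aad([]byte(acl), i)) // ciphertext || tag
		f.Blocks = append(f.Blocks, sealed[:len(sealed)-tagSize])
		f.Xattrs[xkey("iv", i)] = iv
		f.Xattrs[xkey("tag", i)] = sealed[len(sealed)-tagSize:]
	}
	return f, nil
}

// openFile rebuilds the AAD from the stored ACL and refuses the whole file if
// any block, IV, tag or the ACL has been altered or moved.
func openFile(key []byte, f *encFile) ([][]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	acl := f.Xattrs["user.demo.acl"]
	var out [][]byte
	for i, ct := range f.Blocks {
		iv, tag := f.Xattrs[xkey("iv", i)], f.Xattrs[xkey("tag", i)]
		if len(iv) != gcm.NonceSize() || len(tag) != tagSize {
			return nil, fmt.Errorf("block %d: missing or malformed xattrs", i)
		}
		pt, err := gcm.Open(nil, iv, append(append([]byte(nil), ct...), tag...), aad(acl, i))
		if err != nil {
			return nil, fmt.Errorf("block %d: %w", i, err)
		}
		out = append(out, pt)
	}
	return out, nil
}

// SampleFile returns a sealed two-block file with a constructed POSIX-style ACL.
func SampleFile() (*encFile, error) {
	return sealFile(demoKey, "user:alice:rw-,group:finance:r--",
		[][]byte{[]byte("block 0: ledger rows 1-1000"), []byte("block 1: ledger rows 1001-2000")})
}

func main() {
	f, _ := SampleFile()
	pt, err := openFile(demoKey, f)
	fmt.Printf("intact: %q %v\n", pt[0], err)
	// The write attack on the ACL xattr: the attacker grants themselves access.
	f.Xattrs["user.demo.acl"] = []byte("user:alice:rw-,user:mallory:rw-")
	_, err = openFile(demoKey, f)
	fmt.Println("ACL rewritten:", err)
}
```

Because the ACL is part of the associated data, an attacker who edits the ACL xattr to add themselves gets a tag failure on every block rather than access; the same check catches a flipped ciphertext byte, a tag or IV copied from another block, and two blocks swapped within the file, since the block index is authenticated as well. Keeping the tag and IV in xattrs rather than in the block leaves the block length unchanged, which is convenient for HDFS, but it means the xattrs must be read and verified together with the data, as the page's "cryptographically ties" wording requires.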
XCrypt Hadoop is just one of the advanced, industry-leading encryption solutions built on Zettaset’s XCrypt Data Encryption Platform. Additional solutions include XCrypt Full Disk and XCrypt Object. For more information, please contact us at firstname.lastname@example.org