Object-storage systems continue to gain wider adoption, primarily because of their ability to enable retention of massive amounts of unstructured data. Much of this stored data contains sensitive information, is subject to corporate or regulatory compliance requirements, and must be protected from unauthorized access.
Examples include storing online photos (Facebook), online music (Spotify), and files used in online collaboration services (Dropbox). The vast majority of cloud storage available in the market leverages an object storage architecture, including Amazon S3 and Rackspace.
XCrypt Object is a true next-generation data protection solution that combines Authenticated Encryption with Associated Data (AEAD) and Galois/Counter mode (GCM) to not only encrypt data, but also provide integrity protection for the encrypted data. XCrypt Object can detect and mitigate the exposure associated with cyberattacks that manipulate or delete encrypted object data. This advanced capability ensures the accuracy and consistency of data over its entire life-cycle.
There is a common misperception that encrypted data is fully protected, but even data which has been encrypted is exposed to malicious attacks and unauthorized modification. File-based encryption protects data on nodes against attackers reading files, but is still vulnerable to write attacks on those same encrypted files (ciphertext).
If an attacker can write to the ciphertext, he/she can either (1) erase data without detection or (2) mount a chosen ciphertext attack (CCA) to try to obtain the data key. Data-in-motion is an even easier target, since an attacker can simply modify ciphertext by performing a man-in-the-middle attack.
XCrypt Object addresses these vulnerabilities and includes unique features not found in any other Object data encryption solution.
XCrypt Object is a true, next-generation encryption solution that takes an extra step, providing protection for the encrypted data (ciphertext) itself. XCrypt Object uses an AEAD architecture (vs. Encryption + MAC) to protect encrypted data from ciphertext modification. This approach ensures that encrypted data is verifiably secure. AEAD enables encryption and authentication to happen concurrently, making it easier to use and optimize than older, commonly used modes such as CCM.
Authenticated encryption using associated data has additional advantages as part of the XCrypt Object encryption solution.
Some otherwise secure encryption schemes, including non-authenticated encryption modes, can allow attackers to discover the encryption keys using a CCA. Non-authenticated encryption only prevents an attacker from reading the plaintext. It does not prevent an attacker from modifying the ciphertext.
The authenticated encryption mode used by XCrypt Object is able to prove that the ciphertext was made by someone who was authorized to possess the encryption key. Existing non-authenticated encryption products depend on the user to detect any data modification by noticing plaintext that appears to be wrong, an unreliable approach that exposes organizations to unnecessary risk.
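The contrast above, as an added example using Go's standard-library AES-GCM (this is not Zettaset's code and says nothing about how XCrypt Object is implemented internally): the object name is bound as associated data, a single write to the stored ciphertext makes decryption fail outright, while the same write against a non-authenticated mode (AES-CTR) decrypts to silently wrong plaintext. The key, nonce, IV, object name and body are constructed demo values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed demo values, not real key material; a GCM nonce must never repeat under one key.
var demoKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes selects AES-256
var demoNonce = []byte("unique-nonce")                   // 12-byte GCM nonce
var demoIV = []byte("0123456789abcdef")                  // 16-byte IV for the CTR baseline
// must aborts on cipher setup errors; the demo key is valid, real code returns the error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newGCM(key []byte) cipher.AEAD {
	return must(cipher.NewGCM(must(aes.NewCipher(key))))
}

// sealObject encrypts with AES-GCM and binds objectName as associated data: the tag covers both.
func sealObject(key, nonce []byte, objectName string, plaintext []byte) []byte {
	return newGCM(key).Seal(nil, nonce, plaintext, []byte(objectName))
}

// openObject checks the tag first; a flipped byte, cut tag or other objectName all return an error.
func openObject(key, nonce []byte, objectName string, sealed []byte) ([]byte, error) {
	return newGCM(key).Open(nil, nonce, sealed, []byte(objectName))
}

// ctrXOR is the non-authenticated baseline (AES-CTR): edited ciphertext just decrypts to edited plaintext.
func ctrXOR(key, iv, data []byte) []byte {
	out := make([]byte, len(data))
	cipher.NewCTR(must(aes.NewCipher(key)), iv).XORKeyStream(out, data)
	return out
}

func main() {
	body := []byte("amount=100")
	sealed := sealObject(demoKey, demoNonce, "invoices/42", body)
	sealed[0] ^= 0x01 // one write to the stored ciphertext
	_, err := openObject(demoKey, demoNonce, "invoices/42", sealed)
	ct := ctrXOR(demoKey, demoIV, body)
	ct[len(ct)-1] ^= '0' ^ '9' // the same write against CTR output turns 100 into 109
	fmt.Println("GCM:", err, "| CTR:", string(ctrXOR(demoKey, demoIV, ct)))
}
```

With GCM the store or client gets an authentication error and can refuse the object; with CTR nothing distinguishes the altered value from a legitimate one, which is exactly the "notice the plaintext looks wrong" situation described above.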
Authenticated encryption will become mandatory due to its more stringent security properties. However, it must not compromise performance and scalability. To ensure optimal performance levels, XCrypt Object uses the Galois/Counter mode (GCM) for authenticated encryption. GCM has been identified as the only encryption mode that addresses requirements for high data-rate authenticated encryption. GCM mode encryption can efficiently achieve speeds of up to 10+ gigabits per second, and can be pipelined and parallelized.
XCrypt Object’s key management system is infinitely scalable and highly granular, and can support unique keys per bucket, object, or group of objects. A distributed policy server enables user-defined policy enforcement on a granular level, ensuring that a “lost” key can have only minor impact. The automated policy server also ensures that your keys never go to clients.
XCrypt Object is just one of the advanced, industry-leading encryption solutions built on Zettaset’s XCrypt Data Encryption Platform. Additional solutions include XCrypt Full Disk and XCrypt Hadoop. For more information, please contact us at firstname.lastname@example.org