I wanted to point out a great article by Joab Jackson of IDG titled, Five Things CIO’s Should Know About Big Data. Amid the slew of articles offering advice on Big Data, this particular one stood out because of how absolutely spot on it was.
The five points he makes nearly always come up in our conversations with customers and prospects:
1. You will need to think about big data. What we’re seeing now is that the price of entry to big data, at least from a CapEx standpoint, is pretty low. Open source tools like Hadoop, Cassandra, MongoDB, MapReduce and others, combined with the relatively low price of cloud computing, mean organizations that may not have been inclined to collect, store and analyze their data volumes are now more willing and able to do so.
2. Useful data can come from anywhere. Data that used to be “dropped on the floor” is one way to categorize big data. Our CEO, Larry Warnock, likens big data to a giant fishing net trolling the ocean floor. What we’re hearing from customers is that big data is often a combination of innocuous machine exhaust, customer transaction histories, geolocation, and some personally identifiable information like health records and bank account data. How you use those disparate pieces of data to enhance your business or advance a project is what big data is all about.
3. You will need new expertise for big data. Could big data be the next growth industry? We certainly think and hope so.
4. Big data doesn’t require organization beforehand. Here we have the analogy of big data as a “dumping ground.” Poor big data. In just the last three paragraphs, we’ve referred to it as stuff you drop on the floor, a fishing net scooping up debris and a dumping ground. If big data were a kid, he’d be in therapy right now.
The point is valid nonetheless. Big data allows you to ingest what you want, and worry about how you’re going to use it later. This is how sensitive information often winds up in a big data environment.
5. Big Data is not only about Hadoop. There are a number of really popular tools out there to help you make sense of your massive volumes of data. Joab mentions Splunk, HPCC Systems and MarkLogic. We have customers also using MongoDB, Ironfan from Infochimps and Chef for cloud infrastructure automation.
In the next few weeks, Gazzang will bring to market a new big data monitoring and diagnostics tool called zOps. Stay tuned for news on the newest member of the Gazzang product family.
Finally, I wanted to add a sixth, and final piece of advice to Joab’s article.
6. Think about security before you start. Too often, we hear from companies that leave data unprotected in a big data environment only to realize later that usernames and passwords, credit card data or health records were at risk of exposure. Fortunately, this hasn’t come back to bite anyone yet (that we know of), but it’s likely only a matter of time.
Retrofitting security into an existing big data cluster, which may contain thousands of nodes, is challenging. It also takes time to understand what data is being collected and whether it’s even worth protecting.
Data encryption and key management can act as a last line of defense against unauthorized access or attack. It’s relatively inexpensive and won’t noticeably impact performance or availability of big data. So our advice to customers is, if you think you might have some sensitive data in your environment, it’s better to be safe than sorry.
On Twitter, I’m what you’d call more of a follower or lurker. I certainly wouldn’t claim to be a prolific poster.
Working for an organization focused on big data security, I find myself drawn, almost hypnotically, to the big data hashtag. The growth of and participation in the big data conversation on Twitter has been amazing to witness.
In addition to some fascinating discussions – some of which Gazzang has actively participated in – I’ve also learned that there are now at least two or three big data events taking place each week.
We haven’t been out to any of these shows yet, but we’ve got a big one on our radar in two weeks. We’ll be in Manhattan as a sponsor at MongoNYC talking Big Data security and debuting our new MongoDB-based operational diagnostics product. We’ll talk more about this in a future blog.
I can’t say for certain what goes on behind the scenes at these events, since like I said, we haven’t been to one yet. But I bet I can guess what doesn’t happen.
So for this week’s blog, here are the Top 5 things you probably won’t ever hear at a big data conference:
1) Ouch! I stepped on a data shard, and it went straight through my shoe.
2) Some people call it shrinkage. I call it MapReduce.
3) Please don’t refer to me as an authority on big data.
4) Big data is the single most important IT development in the last 30 years. Why on earth is no one talking about it?
5) If I have to read one more story about relational databases, I’m going to massively distribute my lunch all over this table.
I'm very proud to announce today the launch of eCryptfs.org! For the first time in the 7 year history of the project, eCryptfs has its very own, dedicated home on the web at eCryptfs.org.
eCryptfs.org now serves as the project's official portal to numerous resources, including: information about the project, StackExchange questions and answers, mailing list archives, the Google Plus page, package download links for all major Linux OSes, pointers to the kernel and userspace source code repositories, support resources, documentation, and news.
The kernel sources continue to be hosted on git.kernel.org, and the user space sources and bugs hosted on Launchpad.net. We are now using StackExchange.com for questions and answers rather than Launchpad.
A special thanks goes out to the original authors and developers of eCryptfs in the IBM Linux Technology Center Security Team, the Canonical Kernel and Security Team, Red Hat and beyond, as well as all of the contributors to eCryptfs over the last 7 years. Gazzang commissioned the artwork and web design, and is sponsoring the web hosting of eCryptfs.org as a bit of a "thank you" to the eCryptfs community growing far and wide. Let us know what you think!
Cheers,
:-Dustin
I'm absolutely thrilled to have been invited by Barton George to participate in Dell's Project Sputnik! As of this morning, the gag order has been lifted and I can finally publicly blog about it :-)
I'm writing this blog post from a brand new Dell XPS13, given to me by Dell! Project Sputnik is a new endeavor from Dell to produce a portable hardware and software platform specifically designed for developers. Have you been to a conference recently where the predominant hacker platform involved a legion of Mac Airs running OSX? Well, I think we finally have a contender :-)

I drove clear across Austin on Monday last week to meet Barton at The Domain and pick up the new machine. Saying this sounds strange, but the experience unboxing this laptop was significantly different than any other computer I've ever opened. The packaging itself was elegant, even beautiful.

And the hardware -- wow! Aluminum outer shell. Chiclet back-lit keyboard. Thin, light, sexy. At 13", it's the perfect balance between portability and usability. The accessories and peripherals are simple, but sufficient. Two USB ports. A combination mic/headphones jack. An external display port (dongle required). And one very slim and trim AC/DC power adapter. Oh, and there's a little button that you can press and see how much battery you have left. There's a quad-core i7 with VT. Intel video and wifi. Bluetooth. 256GB Samsung SSD. 4GB of RAM (I really could have used 8GB, and it's soldered onto the motherboard). With a 46W-h battery at 7.4V, I'm getting 6+ hours of uptime.
I installed Ubuntu 12.04 LTS myself (as the pre-built image didn't actually exist when I received my device as an Alpha Cosmonaut). Everything worked out of the box, except as mentioned by Barton in his blog post (I had to toggle the hardware wifi kill a few times to get wifi working, and without proper drivers for the touchpad, it's lacking multi-touch support).
From the software side, I'm really excited about the idea of developing a derivative or customized distribution of Ubuntu, precisely tailored for developers. I've used Linux as my development platform for 12+ years, and Ubuntu for the latter half of that. In fact at Gazzang, the vast majority of our developers use Ubuntu desktops, and our development largely happens (or starts) on Ubuntu cloud images and servers.
Ubuntu is such a modern platform, with stable, recent versions of thousands of open source software packages. Partnered with Dell and this breathtaking piece of hardware, I think we're seeing the first glance of an amazing developer platform!
Any downsides? I'm looking forward to a proper driver for the touch pad (I'm told it's in the works). And I really want 8GB of RAM (I usually give my VMs 4GB). Aside from that, this is a truly beautiful machine -- easily the best laptop I've ever seen or used from Dell. I love the focus and attention they're paying to Ubuntu in this space. Well done, Dell!!!
:-Dustin
“The hackers call their £122,000 demand an "idiot tax" because the information was unencrypted on the bank's web server.”
Very rarely do I agree with anything that is said by hacker groups. And I never agree with their tactics or stated mission, but this time the hackers were dead on when they referred to this ransom payment as an “idiot tax”.
According to this article, a bank in Belgium was storing unencrypted customer data on a web server. Whoever at the bank decided this was ok is indeed an idiot. Unfortunately, this isn’t an isolated incident. We see this again and again, and it makes no sense to me.
Maybe if data encryption were difficult or expensive, I could understand, but it simply isn’t. There are many solutions on the market. Gazzang, for example, would have cost this bank only $500 a month. Let me repeat. $500 a month.
Now the bank is being asked to pay a $150,000 ransom (roughly the cost of 25 years of encryption), and, they will LOSE customers because of this. How can a bank possibly be trusted with their customers’ money if they can’t even be trusted with their personal data? It is outrageous. If I were a shareholder I would demand the CEO be replaced immediately. If I were a customer, I would close my account. That’s how strongly I feel about this topic.
So I ask the head of Elantis to call me. They don’t have to buy my products. That’s not what I’m after. I just want this bank to understand how simple and inexpensive it is to protect sensitive customer data. There are many ways to implement data encryption. There are even open source solutions to this problem.
Customer and/or sensitive company data needs to be protected. Encryption is not a silver bullet, but it’s one of the layers of security that should be used by ALL companies. It is not difficult and it is not expensive. It continues to amaze me to learn of data breaches only to find out later that basic security steps were ignored. Give me a break. Shame on Elantis Bank.
Last week OpenStack held its spring conference in San Francisco, and much like its previous conferences, this one was packed with great sessions and showcased plenty of features to be rolled into the next release of OpenStack ("Folsom").
It's amazing how OpenStack has grown such a large community of developers, established a governing foundation and gathered major backing by hardware, software and service providers alike in just a few short years. Most recently IBM, RedHat and Yahoo announced partnerships with OpenStack.
A presentation from Canonical's Mark Shuttleworth showcasing Ubuntu's MAAS by launching a baby Essex cloud in a matter of minutes with a live animated graph was a crowd pleaser showing off the power of Juju. Also noteworthy was the announcement and commitment from Ubuntu to maintain back support for all intermediate OpenStack releases in between the Ubuntu LTS releases starting with Ubuntu 12.04, thus ensuring when 12.04 is installed there is an upgrade path from Essex to Folsom and beyond. This is an admirable commitment from Ubuntu and shows again why many service providers are choosing Ubuntu Server as their platform for cloud.

As OpenStack matures, it is also starting to face many of the open source challenges. For example:
- Should OpenStack start to drive its own cloud API standards, or should Amazon continue to drive the APIs?
- What kind of plugin or driver architectures should be supported to allow different implementations to extend the capabilities of OpenStack without breaking the core?
Although an API and cloud standards would be great, there was consensus at the conference among developers that hindering progress by setting up too many gates is not the right approach.
More than once I heard conversations that were eerily similar to the early Unix discussions on how to maintain consistency with all the flavors of Unix through a standards body.
Security in OpenStack is still in its infancy. While Keystone has made great progress in identity, token and policy, there are many more questions than answers. For example, should security be turned on by default? Should RPC communication happen over SSL, or should the security be left up to the implementation?
These, like many other questions, were left unanswered and will be tackled over the coming months on IRC and worked on collaboratively by the community through blueprints. We at Gazzang are looking forward to participating in those conversations and plan on being a key player in OpenStack security.
In May of 1974, singer-songwriter, Dave Loggins released his first hit single, titled, "Please Come to Boston." Before this week, Dave was best known to us at Gazzang as the slightly older cousin of movie-soundtrack legend, Kenny Loggins. Today however, the opening verse to Dave's song, "Please come to Boston for the springtime," takes on a new meaning.
This morning the MIT Sloan CIO Symposium announced the ten companies that were selected to exhibit at their 2012 Innovation Showcase. Gazzang was the lone Austin-based company chosen and the only one focused on providing big data security solutions to enterprise customers.
The event takes place on May 22nd on the MIT campus.
I hear Boston in the springtime is nice. Maybe we'll sell some sidewalk paintings while we're out there.
Happy almost Earth Day everyone. I really hope you’re planning to spend your Sunday mulching, weeding, watering, nurturing, composting, recycling and not doing a single thing to pollute or damage the earth. To do my part, I’m going to spend the day reading poetry to a bale of turtles that congregate at Lady Bird Lake.
In honor of Earth Day, this week’s Friday Top 4 focuses on sustainability. Namely four trends that I hope stick around awhile, and one that needs to go away as quickly as possible.
Also, please do not print this blog post. Think of the trees.
1. BIG data IPOs - Congrats to Splunk on an impressive first day of trading, more than doubling its profits. The company – whose name is not in any way more bizarre or interesting than Gazzang – helps organizations collect and make sense of the massive amount of machine data they generate. This marks the first real big data IPO, and we’re thrilled to see the overwhelming interest and positive response from the market.
2. Momentum continues for Gazzang - Earlier this week, Gazzang issued its state of the quarter press release, and the results were positive all around. Growth across the board in products, customers and talent. Services Angle followed up our announcement with a nice article on the quarter and reiterated our battle cry around the need to secure big data environments.
Look for more news from Gazzang in the coming weeks and months as we continue to bring innovative solutions to market that help organizations protect sensitive information and analyze their IT data.
3. Time magazine lists - Thanks Time for the constant reminder that your lists have 95 more things on them than mine do. Kidding aside, this year’s list of 100 Most Influential People left me thinking, “what planet am I on?” I had initially thought the most egregious error was including Jeremy Lin, a Knicks point guard who played in about 15 games this year. But then I saw this.
Anonymous? Really? This hacker collective is stealing sensitive data from organizations, and in some cases, making life and work more dangerous for law enforcement. Shouldn’t they at least be in the rogues’ gallery?
Anyway, controversial or not, I simply love anything in list format.
4.
And finally on this Earth Day, my one thing that needs to go straight to the composting bin. Check out the awful Pittsburgh Steelers throwback uniforms. These look like they were designed by a hornet.
The other day I was helping a prospect install Gazzang ezNcrypt on a server with what we THOUGHT was a typical installation of MySQL. In fact, the ezNcrypt Configuration module (for MySQL, Apache and PostgreSQL) identified a common MySQL configuration with everything in the locations we expected to find them. For example, the MySQL Data Dir was found to be /var/lib/mysql/, and the MySQL daemon was found in /usr/sbin/mysqld.
We followed the Configuration script and ended up with two ACL rules. We had our @mysql rule which we planned to use to encrypt the database files, and a very similar @log rule.
They looked like this:
# - Type    Category   Path   Process
1   ALLOW   @mysql     *      /usr/sbin/mysqld
2   ALLOW   @log       *      /usr/sbin/mysqld
Thinking everything was good, we then proceeded to encrypt the database they wanted to encrypt. Expecting that the customer would go to /var/lib/mysql to the database folder, I was a little bit surprised when they navigated to /opt/lampp/mysql/. This wasn't a big concern, as Gazzang's ACL rules can be applied to any directory. So we encrypted the database and tested the application's web site used to access information in the database.
When we opened the web application, we discovered that the database we just encrypted was not visible. As one more test, we logged in to phpMyAdmin on the customer's desktop (where most administration and maintenance of the server was handled), but the database was not visible there either.
Since this was a fresh install of Gazzang ezNcrypt, I knew that everything was installed properly and running, so it was very likely the ACL Rules were not configured properly.
The fastest and easiest way to figure out what's wrong in a situation like this is to check dmesg. The "dmesg" command prints the messages in the buffer of the Linux kernel. Gazzang ezNcrypt sends failed access attempt messages to the "dmesg" output, giving us an easy way to figure out what scripts / processes / applications are trying to access and use the encrypted files.
When we ran dmesg, the error message showed that the "mysqld" process that needed to access the files was actually in /opt/lampp/mysql/mysqld. This server had MySQL installed in two different directories, with the MySQL daemon that was actually running and needing to access the encrypted database files residing NOT in /usr/sbin/mysqld, but /opt/lampp/mysql/mysqld!
SOLUTION: Add the appropriate "MySQL" ACL Rules that ALLOW the "correct" mysqld process to access the files. So, when we added the @mysql and @log ACL rules using the process shown in our dmesg output, everything worked the way we expected. Here are the two "corrected" rules (#3 and #4) just below the incorrect rules we started with so you can compare them.
They look like this:
# - Type    Category   Path   Process
1   ALLOW   @mysql     *      /usr/sbin/mysqld
2   ALLOW   @log       *      /usr/sbin/mysqld
3   ALLOW   @mysql     *      /opt/lampp/mysql/mysqld
4   ALLOW   @log       *      /opt/lampp/mysql/mysqld
Once we had the correct "mysqld" process defined in our ACL rules, the database that contained the sensitive data was fully encrypted on the disk, but readily available to MySQL (our trusted application) as well as the customer app that uses this database. We were able to do all of this without making any changes to the database or the customer app.
To sum up, using dmesg to troubleshoot your access control issues with the encrypted files can help any Gazzang ezNcrypt user quickly and efficiently figure out what processes need to access the encrypted files.
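The mismatch described above can also be caught before encrypting anything, by comparing the binary of the daemon that is actually running against the Process column of the rules. The script below is an added example, not Gazzang code: it assumes the rule listing has been saved to a text file in the column layout shown in this post, and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not Gazzang code): list daemon binaries that no ALLOW rule covers.
# Assumes the rule listing was saved to a text file in the layout shown in the post:
#   <number> <Type> <Category> <Path> <Process>

# Print the Process column of every ALLOW rule in category $2 found in file $1.
rule_processes() {
    awk -v c="$2" '$1 ~ /^[0-9]+$/ && $2 == "ALLOW" && $3 == c { print $5 }' "$1"
}

# Print each executable path ($3 onward) that has no ALLOW rule in category $2.
uncovered_processes() {
    local rules_file=$1 category=$2 exe
    shift 2
    for exe in "$@"; do
        rule_processes "$rules_file" "$category" | grep -Fxq -- "$exe" \
            || printf '%s\n' "$exe"
    done
}

# Resolve the on-disk binary of every running process named $1 via Linux /proc.
# Run as root (or the daemon's user), otherwise readlink cannot read the link.
running_exes() {
    local pid
    for pid in $(pgrep -x "$1" 2>/dev/null); do
        readlink "/proc/$pid/exe" 2>/dev/null || true
    done | sort -u
}

# Demo on constructed input: the two rules from the post, and the daemon path
# that dmesg reported. On a live host, pass $(running_exes mysqld) instead.
demo() {
    local rules
    rules=$(mktemp)
    cat >"$rules" <<'EOF'
# - Type Category Path Process
1 ALLOW @mysql * /usr/sbin/mysqld
2 ALLOW @log * /usr/sbin/mysqld
EOF
    echo "Not covered by an @mysql rule:"
    uncovered_processes "$rules" @mysql /usr/sbin/mysqld /opt/lampp/mysql/mysqld
    rm -f "$rules"
}

demo
```

The check only compares the Process column; it does not evaluate the Path column, which is `*` in every rule shown here.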
It’s been a week of ups and downs here at Gazzang. We started on a high note with an excellent all-hands meeting. It’s always great to see and interact with colleagues from out of town, and it really gets you geared up for the exciting quarter ahead.
On the downside, our previously undefeated (with a record of 0-0) kickball team was absolutely steamrolled by a group from the local CVS pharmacy. You wouldn’t know it from this photo though. It’s amazing what turning a 0 into a 5 on the score sheet when the ref isn’t looking will do for morale.
We at Gazzang are a resilient bunch, however. As Texas Longhorns head coach Mack Brown likes to say, “you can’t let one loss beat you twice.” So how did we recover, you ask?
Well, our left centerfielder and Gazzang chief architect, Dustin Kirkland, welcomed his new baby girl, Camille Mae, into the world. And we released the latest version of our flagship Gazzang ezNcrypt product.
Take that CVS!
Gazzang ezNcrypt is all about securing that last line of defense between your sensitive data and unauthorized access or attack. In today’s Friday Top 5, we’ll take a quick look at five features of ezNcrypt.
- Advanced key management: Key management is often cited as the most difficult task associated with encryption. Gazzang ezNcrypt stores cryptographic keys separate from the encrypted data (either in the cloud or on-premises) to ensure a breach of any kind does not also result in the loss of the key.
- Process-based access controls: Who, or more appropriately, what has access to the data stored in your environment? Our patent-pending ACL rules limit access to encrypted data and files to specific processes rather than by user. That means only the processes (not individuals) that absolutely require the data and have been authorized access can get to it. Now you don’t have to worry about someone who may have recently left the company still being able to retrieve sensitive data.
- Transparent data encryption: Gazzang ezNcrypt makes enterprise-class TDE affordable. The software encrypts data within data files to prevent access from the operating system. This means no complex changes to databases, files, applications or storage are required. And because we’re securing data ‘at rest’, the performance impact is virtually unnoticeable.
- Dynamic Kernel Module Support (DKMS): Gazzang ezNcrypt now supports virtually any Linux kernel version, ensuring maximum uptime for Gazzang customers during a security patch or kernel modification. This support is delivered via RPM and Debian packages.
- Parent/child controls: New ACL features provide maximum flexibility and control by letting child processes inherit access from a parent. Just like Camille Mae Kirkland.