Padlocking Petabytes with Weka
Joel Kaufman, Senior Technical Marketing Manager at WekaIO, shares his thoughts on how WekaFS offers a unique value in providing both in-flight and at-rest end-to-end encryption with negligible performance impact for customers using the Weka client. In this blog titled “Padlocking Petabytes with Weka” (with WekaFS™ Encryption)
Data sets are getting bigger and bigger all the time. As they do so, administrators who manage those data sets often work to centralize how the sets are accessed in order to reduce the sprawl that is inherent with dealing with big data. For security professionals this is both a blessing and a curse. It’s a blessing because with limited entry points you can focus on how to secure those limited locations. It’s also a curse because now the cybersecurity “bad actors” know where to focus their efforts in their quest to get at that tantalizing pool of data.
The good news, as we’ve written before in another blog post, is that WekaIO does an excellent job of securing your data through end-to-end encryption all the way from the Weka client to the storage. What is lesser known is that Weka has added a number of security enhancements to the Weka Limitless Data Platform to make it even more secure than it was before. Since it’s been a while since we last discussed this, let’s dive in and catch up on the last two years.
WekaFS and Data Encryption
Starting with the 3.5 release, Weka introduced authenticated mounts via Weka organizations when using the Weka client. The purpose of organizations is to provide separation and security for organization data, which requires authentication of the WekaFS file system mounts. This authentication of mounts prevents users from other organizations and even the Cluster Admin from accessing organization filesystems. We do this by issuing authentication tokens that can be revoked as needed. This limits infrastructure admins’ ability to access data simply by connecting to it.
In Weka’s subsequent 3.6 release we implemented POSIX Access Control List (ACL) inheritance. In this use case if you continued to create subdirectories within the filesystem, the subdirectories would retain the security of the parent directories in which they resided, ensuring that a user couldn’t directly access them independent of the permissions they inherited from the directory above. This then led into broadening the use of ACLs in 3.7 by adding Windows ACL support with translation to POSIX ACLs so that users could have a similar experience in a Windows environment.
Data Encryption for SMB Protocol
Speaking of Windows…We enhanced our security options around SMB protocol and shares in the 3.10 release. Now you can define encryption both on the SMB protocol level and on the SMB share level. By doing so, your data can be encrypted in-flight from the SMB client/device to the Weka storage, where it will be encrypted at rest if the underlying filesystem has encryption enabled as well. We also implemented in this release one of the simplest things that should be obvious, but frankly in an enterprise environment we continue to be surprised by: We now force password complexity rules and enforce changing the default system password on first login. Sometimes it’s the little things….
So, where do we head from here? One area that we are looking at as we expand our customer base is the specific requirements for regulated environments. For example, Weka is heading towards FIPS certification, and Weka already uses the FIPS 140-3 Level 1 compliant encryption key XTS-AES 256 (512bit key). While the certification can take a long time using a third-party independent registered lab, this will be our next endeavor toward becoming FIPS 140-3 certified.
From an ecosystem standpoint we see more and more KMIP vendors, such as Hashicorp and Thales, reaching out to Weka to make sure that their systems work with our storage platform, making it even easier to integrate into existing security frameworks and allowing customers to provide their own keys. And of course, we continue to develop our storage in ways that increase security while maintaining ease of use and minimizing exposure to many threat profiles.
At the end of the day, Weka offers a unique value in providing both in-flight and at-rest end-to-end encryption with negligible performance impact for customers using the Weka client, and Weka will continue to enhance the security of our platform on a regular basis to meet our customer needs.