Encryption and Key Management in Hadoop

A key part of compliance-ready security is protecting your data at rest and data in motion from unauthorized visibility. Through our acquisition of Gazzang, Cloudera Enterprise is the only platform to provide out-of-the-box encryption for data in motion (between processes and systems) and data at rest (as it persists on disk or other storage media), together with powerful key management. Data encryption and key management provide a critical layer of protection against potential threats by malicious actors on the network or in the data center. They are also a requirement for meeting key compliance initiatives and ensuring the integrity of your enterprise data.

Navigator Encrypt

As an integrated part of Cloudera Navigator, Navigator Encrypt provides massively scalable, high-performance encryption for critical Hadoop data. Navigator Encrypt leverages industry-standard AES-256 encryption and provides a transparent layer between the application and the file system that dramatically reduces the performance impact of encryption. With automatic deployment through Cloudera Navigator and simple configuration, you can secure your data in minutes instead of days.

Navigator Encrypt also includes process-based access controls. These allow authorized Hadoop processes to access encrypted data, while simultaneously preventing admins or superusers like root from accessing data that they don’t need to see.

Key Features of Navigator Encrypt

  • Transparent Data Encryption
    • High-performance encryption that protects all databases, applications, or files running on Linux
    • Encryption supports the Intel AES-NI cryptographic accelerator for enhanced performance in the encryption and decryption process
    • Simple deployment and configuration through Cloudera Navigator
    • Massively scalable with data encryption happening at each data node
    • Encryption keys are stored separately from encrypted data with Navigator Key Trustee
  • Process-Based Access Controls
    • Restricts access to specific, authorized processes
    • Limits data availability to only those who need it
    • Hierarchical process controls provide maximum flexibility and control

Navigator Key Trustee

Navigator Key Trustee is a “virtual safe-deposit box” for managing encryption keys, certificates, and passwords. It provides software-based key and certificate management that supports a variety of robust, configurable, and easy-to-implement policies governing access to the secure artifacts. In compliance with NIST requirements, these keys and other Hadoop security assets are always stored separately from encrypted data and wrapped in multiple layers of cryptography. Navigator Key Trustee is completely integrated with Navigator Encrypt through Cloudera Navigator.

Key Features of Navigator Key Trustee

  • Centralized management of SSL certificates, SSH keys, tokens, passwords, Kerberos keytab files, and more
  • Separates keys from encrypted data
  • Easily scales with your cluster and security keys
  • Integration with HSMs from Thales, RSA and SafeNet
  • Software-based with multiple deployment options, including on-premises or hosted SaaS

Navigator Encrypt and Navigator Key Trustee enable compliance initiatives (HIPAA, PCI-DSS, SOX, FERPA, etc.) that require at-rest data encryption and key management, out of the box through Cloudera Navigator.

Get Navigator with Cloudera Enterprise

Cloudera Enterprise is a unified data management platform that provides compliance-ready security and governance. Cloudera Navigator (including Navigator Encrypt and Navigator Key Trustee) is available as a part of Cloudera Enterprise Flex or Data Hub Edition. In addition to Cloudera Navigator’s comprehensive interface, Cloudera Enterprise gives you access to the industry’s best support, automatic updates to crucial data security capabilities, and the ability to influence future releases.
