Sqrrl Enterprise (powered by Apache Accumulo) is the only Big Data platform that supports a full data-centric security model. Previously we have discussed Sqrrl’s cell-level security capabilities for fine-grained access controls and support for both Role-Based Access Controls (RBAC) or Attribute-Based Access Controls (ABAC).
Another key element of Sqrrl Enterprise’s data-centric security model is encryption. Sqrrl Enterprise supports both encryption of data-at-rest and data-in-motion. This blog post will focus on encryption of data-at-rest capabilities.
Sqrrl has designed an encryption scheme that utilizes a Key Encryption Key (KEK) to serve as the master key that encrypts all Accumulo database files. If desired, Sqrrl can work with a customer to utilize multiple KEKs to encrypt different types of Accumulo database files to provide more fine-grained encryption controls. By default, the KEK is stored in the Hadoop Distributed File System (HDFS), but Sqrrl Enterprise also has connectors to external key management servers if additional levels of protection and separation are desired.
The encrypted Accumulo data files are written to the HDFS, providing additional security at both the Accumulo and HDFS layers. Benefits of Sqrrl’s approach to encryption include:
- Trust boundaries: Sqrrl’s encryption approach shrinks the trust boundary so that only super admins can access the encrypted data. Sqrrl is adding in additional capabilities to further shrink the trust boundary limiting super admin’s access to the data
- Simplicity: Sqrrl’s encryption solution only needs a few lines of code to configure
- Cost effectiveness: Typically less expensive than full disk encryption (and generally more effective for an environment defined by large clusters of servers)
- Performance: By encrypting the data at the same time that data is compressed and by decrypting only the database files that are needed for any given query, Sqrrl’s encryption can operate with very low performance degradation (typically less than 10%)
If you are interested in learning more, contact us here.