Data at Rest, Data in Motion: How We Use Encryption
From chats to e-mails, encryption is a hot topic, as people want to send, receive, and store data as securely as possible. When the discussion turns to infrastructure services, encryption becomes a major aspect because it protects data integrity, prevents data breaches, and shields your organization from cyberattacks and unauthorized access. So how do we use encryption at Bigstep on bare metal infrastructure as a service?
What is Encryption?
Encryption is the process of converting readable data into an unreadable, scrambled form so that it stays protected and hidden from unauthorized users, and can be deciphered only by someone who holds the secret decryption key.
Encryption at Bigstep
We believe in control without access: our platform controls and automates applications without needing access to customers' data. Different services use encryption in different ways, and some require additional configuration to enable it fully.
However, most services support encryption at rest, encryption of data in motion and row-level encryption, as well as secure authentication and fine-grained authorization mechanisms. Let's look at how we use encryption on Bigstep Metal Cloud in more detail.
Encryption for Data in Motion
Traffic between Bigstep and on-premises infrastructure is always carried over encrypted channels, either SSL/TLS or an IPsec VPN appliance.
Most applications that we offer as a service, especially Hadoop, use or can be configured to use encryption for their binary (protobuf) inter-process traffic. All of our services, such as the DataLake and the DataLab, also use TLS by default.
Encryption for Data at Rest
Most applications support encryption for data at rest. The encryption keys for the data that gets encrypted can be stored either in the cloud in a specialized service or on-premises in a Hardware Security Module (HSM) or Key Management Module (KMS).
Customer authentication is done either via Kerberos configured to allow only AES-256 keys, or via a custom dual encryption mechanism that we have built on top of AES-256 and HMAC.
Our authorization mechanism is built around our infrastructure concept: users who have access to an infrastructure are allowed to access the various services in that infrastructure. The DataLake is configured to apply Portable Operating System Interface (POSIX) group permissions to users who are delegates. The individual applications can also be configured to use either a hosted Kerberos/AD service or an on-premises AD service.
We also provide instances with Self-Encrypting Drives (SED), and we use the drives' encryption-key erase (cryptographic erase) when decommissioning the respective nodes.
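The post does not describe how the dual AES-256 and HMAC mechanism is put together, so the following is an added example, not Bigstep's code, showing the standard way to combine the two primitives: encrypt-then-MAC, with separate keys derived for encryption and authentication, a fresh random IV per message, and the tag checked in constant time before any decryption happens. The blob layout, the key-derivation labels and the master secret are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Assumed blob layout: IV (16 bytes) || AES-256-CTR ciphertext || HMAC-SHA256 tag (32 bytes).
const (
	ivSize  = aes.BlockSize
	tagSize = sha256.Size
)

// ErrAuthFailed is returned when the tag does not verify; nothing is decrypted in that case.
var ErrAuthFailed = errors.New("authentication tag mismatch, blob rejected before decryption")

// deriveKeys expands one 32-byte master secret into separate encryption and
// MAC keys, so the same key bytes are never used for both purposes.
func deriveKeys(master []byte) (encKey, macKey []byte) {
	h := hmac.New(sha256.New, master)
	h.Write([]byte("aes-256-ctr encryption key"))
	encKey = h.Sum(nil)
	h = hmac.New(sha256.New, master)
	h.Write([]byte("hmac-sha256 authentication key"))
	macKey = h.Sum(nil)
	return encKey, macKey
}

// Seal encrypts plaintext under a fresh random IV, then authenticates
// IV||ciphertext with HMAC-SHA256 (encrypt-then-MAC).
func Seal(master, plaintext []byte) ([]byte, error) {
	if len(master) != 32 {
		return nil, errors.New("master secret must be 32 bytes")
	}
	encKey, macKey := deriveKeys(master)
	block, err := aes.NewCipher(encKey) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	out := make([]byte, ivSize+len(plaintext), ivSize+len(plaintext)+tagSize)
	if _, err := io.ReadFull(rand.Reader, out[:ivSize]); err != nil {
		return nil, err
	}
	cipher.NewCTR(block, out[:ivSize]).XORKeyStream(out[ivSize:], plaintext)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(out)
	return mac.Sum(out), nil // appends the 32-byte tag in place
}

// Open verifies the tag in constant time and only then decrypts.
func Open(master, blob []byte) ([]byte, error) {
	if len(master) != 32 {
		return nil, errors.New("master secret must be 32 bytes")
	}
	if len(blob) < ivSize+tagSize {
		return nil, errors.New("blob too short to contain IV and tag")
	}
	encKey, macKey := deriveKeys(master)
	body, tag := blob[:len(blob)-tagSize], blob[len(blob)-tagSize:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, ErrAuthFailed
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	plaintext := make([]byte, len(body)-ivSize)
	cipher.NewCTR(block, body[:ivSize]).XORKeyStream(plaintext, body[ivSize:])
	return plaintext, nil
}

func main() {
	// Constructed master secret for the demo; in practice it would come from a KMS or HSM.
	master := sha256.Sum256([]byte("demo-only master secret"))
	blob, err := Seal(master[:], []byte("service credential"))
	if err != nil {
		panic(err)
	}
	pt, err := Open(master[:], blob)
	fmt.Printf("decrypted: %q err=%v\n", pt, err)

	blob[ivSize] ^= 0x01 // flip one ciphertext bit: CTR alone would silently corrupt the plaintext
	_, err = Open(master[:], blob)
	fmt.Println("after tampering:", err)
}
```

The point of checking the HMAC first is that a flipped ciphertext bit under a stream mode such as CTR produces a flipped plaintext bit with no error, so without the tag an attacker-modified record would be accepted as valid data; with encrypt-then-MAC the modified blob is rejected before the cipher is even initialized.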
Bigstep Internal Use of Encryption
All our sensitive information is stored in the database using strong cryptographic functions and long salts. In-transit credentials, such as passwords in configuration files and other potentially sensitive information, are stored on disk in encrypted files; these are encrypted with a random key that exists only during the deployment phase.
For more information on security in Bigstep Metal Cloud, please check our Security Overview.