Here are the slides for Greenplum Chat #8. You can view the replay here: https://www.youtube.com/watch?v=FKFiyJDgdQk The increased frequency and sophistication of high-profile data breaches and malicious hacking is putting organizations at continued risk of data theft and significant business disruption. Complicating this scenario is the unbounded growth of Big Data and petabyte-scale data storage, new open source database and distribution schemes, and the continued adoption of cloud services by enterprises. Pivotal Greenplum customers often look for additional encryption of data-at-rest and data-in-motion. The massively parallel processing (MPP) architecture of Pivotal Greenplum provides an architecture that is unlike traditional OLAP on RDBMS for data warehousing, and encryption capabilities must address the scale-out architecture. The Zettaset Big Data Encryption Suite has been designed for optimal performance and scalability in distributed Big Data systems like Greenplum Database and Apache HAWQ. Here is a replay of our recent Greenplum Chat with Zettaset: 00:59 What is Greenplum’s approach for encryption and why Zettaset? 02:17 Results of field testing Zettaset with Greenplum 03:50 Introduction to Zettaset, the security company 05:36 Overview of Zettaset and their solutions 14:51 Different layers for encrypting data at rest 16:50 Encryption key management for big data 20:51 Zettaset BD Encrypt for data at rest and data in motion 22:19 How to mitigate encryption overhead with an MPP scale-out system 24:12 How to deploy BD Encrypt 25:50 Deep dive on data at rest encryption 30:44 Deep dive on data in motion encryption 36:72 Q: How does Zettaset deal with encrypting Greenplums multiple interfaces? 38:08 Q: Can I encrypt data for a particular column? 40:26 How Zettaset fits into a security strategy 41:21 Q: What is the performance impact on queries by encrypting the entire database? 43:28 How Zettaset helps Greenplum meet IT compliance requirements 45:12 Q: How authentication for keys is obtained 48:50 Q: How can Greenplum users try out Zettaset? 50:53 Q: What is a ‘Zettaset Security Coach’?

1. The information provided in this document constitutes confidential and proprietary information of Zettaset, Inc. You may not disclose, use,
reproduce or distribute this document (or any portion thereof) without Zettaset's prior written authorization. Further, as between you and
Zettaset, Zettaset owns all right, title and interest in and to this document (together with any and all related intellectual property rights).
Zettaset
Elastic Big Data Security for Enterprises
October 2016

2. • Introducing Zettaset
• What problems Zettaset solutions address
• Zettaset Encryption Suite
• Key Management and Key Administration
• Zettaset Big Data Encrypt (BDE)
• BDE Data-at-Rest Overview and Architecture
• BDE Data-in-Motion Overview and Architecture
• Q&A
2
Agenda
© 2016 Zettaset, Inc. | Proprietary and Confidential

3. Zettaset: Born in Big Data
Zettaset™ Big Data encryption
solutions protect and assure the
integrity of critical data, on-
premises and in the cloud
3 © 2016 Zettaset, Inc. | Proprietary and Confidential
 Specifically designed for
optimized scalability and
performance in today’s
distributed computing systems
and Big Data environments
 Ideally suited for elastic cloud
deployments, massive volumes
of structured / unstructured
content
 Software-based approach to
encryption key management
and hardware security modules
sets new bar for ease of
administration combined with
significant TCO advantages

4. Data-centric security solutions for Big Data and Cloud environments
must not suffer the same drawbacks that make legacy solutions
irrelevant, namely:
4
What Problems with Existing Technology Does
Zettaset Address?
• Inability to adapt to elastic environments
• Inability to adapt to distributed
architectures
• Lack of automation
• Scalability issues
• Performance issues
• Inability to adapt to multiple databases,
file systems
• Intrusive implementations
© 2016 Zettaset, Inc. | Proprietary and Confidential

5. • In today’s competitive economy,
data is the primary asset
enterprises and individuals possess
• In cloud computing, foremost
concern is about data integrity,
confidentiality and privacy
• The only way to secure databases
on virtual machines or in cloud
environments, without sacrificing
the huge benefits of these new
architectures, is to use software-
based solutions that share the
elasticity of virtual machines and
cloud computing
5
A Software-Based Approach to Data Encryption
© 2016 Zettaset, Inc. | Proprietary and Confidential

6. Zettaset Encryption Suite:
Optimized for Protection, Performance and Scalability
in Big Data Distributed Systems and the Elastic Cloud
© 2016 Zettaset, Inc. | Proprietary and Confidential6
High performance volume-
level encryption for
Hadoop, NoSQL, and
Relational data stores
Granular, authenticated
file-level encryption for
HDFS and S3, plus added
data integrity protection

7. Application
Direct integration with encrypt and decrypt API
Database (RDBMS)
Transparent to applications with integration to crypto API
File System
Files and directories that are part of database
Disk
Partition-level or entire disk
Self-Encrypting Drive (SED)
Transparent to all layers above
7
Data-at-Rest Encryption Layers
© 2016 Zettaset, Inc. | Proprietary and Confidential
Key
Manager

8. • Basic roles of key manager and hardware
security module (HSM) no longer sufficient
– Provide secure storage
– Protect and retrieve keys
Scale and volume of Big Data and
complexity of cloud requires more
comprehensive approach to key
management and administration
• Automation of features, like node removal and
key revocation
• Policy creation and enforcement
• Key rotation without re-encryption
• Per-user granularity
8
Key Management for Big Data:
Old Rules Don’t Apply
© 2016 Zettaset, Inc. | Proprietary and Confidential
"Key management is
the hardest part of
cryptography and often
the Achilles' heel of an
otherwise secure
system.”
- Bruce Schneier
Cryptographer and Security Expert,
Berkman Center for Internet &
Society at Harvard Law School

9. BDEncrypt™
Performance and Scalability in
Any Big Data Environment:
NoSQL, Relational, and Hadoop
9
V-Key Mgr V-HSM
• Data-at-Rest
• Data-in-Motion
• Certificate Authority
• Advanced, automated key management
• Certificates generated automatically during install
• Admin can revoke all certificates on a node to securely remove that node
Data-at-Rest
 Measured 3% performance impact
 Encrypts all existing data regardless of media
 Encrypts data on any disks – avoids premium
SED costs and offers integrated key
management
 Standalone, turnkey solution or can integrate
and leverage existing infrastructure
 Transparent to the file system
 AES 256-bit standard for optimum security
Data-in-Motion
 Measured 7% performance impact
 Secures all connections between cluster
nodes, and between cluster and management
console
 Eliminates possibility of unauthorized access
by anyone within corporate network or server
cluster
 Ensures networking connections are secure
within encrypted and authenticated tunnel
© 2016 Zettaset, Inc. | Proprietary and Confidential

10. • Command-line installer supports distributed installation
• Driven by inventory file
• Easily integrated in complex installation flow
• Uses Ansible
• Requires SSH trust configuration
10
Installer

11. 11
Installer Architecture
Installer Host
node01 node02 node03
Inventory File
[hosts]
node01
node02
node03
SSH Trust
Package Deployment Configuration Deployment
© 2016 Zettaset, Inc. | Proprietary and Confidential

12. • High performance partition level encryption
• KMIP-compliant Key Manager with passive backup (HA is in development)
• PKCS#11-compliant Software HSM
• Encryption takes place in the kernel
• Partition key is obtained at boot time and kept in the kernel
• Nodes can be removed by revoking node certificates
• Command-line installer supports distributed installations
• Easy to add nodes
• Ability to preserve existing data, encrypt in place
• Presented as raw encrypted device, can be formatted as any file system
12
Data at Rest Encryption
© 2016 Zettaset, Inc. | Proprietary and Confidential

13. 13
Data at Rest Encryption Architecture
Raw Device
DMCRYPT kernel module
Raw Encrypted Device (LUKS)
File System (e.g. ext4)
Database (e.g. Greenplum)
HSM
Key Manager
Kernel Space
User Space
Node Certificate
Certificate Authority
© 2016 Zettaset, Inc. | Proprietary and Confidential

14. • Get license file from Zettaset
• Establish SSH trust between nodes
• Stop firewall
• Install prerequisites
• Edit or generate inventory file (hosts.inv)
– List of nodes to install on
– Encrypted partition(s) configuration on every node
– HSM PIN
– Internal CA
• Run pre-installation checks
– $ ./install_zts-dar.sh –i hosts.inv check
• Run installation
– $ ./install_dts-dar.sh –i hosts.inv install -vv
14
Installation Steps
© 2016 Zettaset, Inc. | Proprietary and Confidential

15. 15
Post-Installation Checks
© 2016 Zettaset, Inc. | Proprietary and Confidential
$ more /var/lib/zts/slave/crypt1/data.txt
$ dd if=/dev/sdc1 | strings | grep AAAAA

16. • All cluster communications are secured
• Can be applied to any network interface
• KMIP-compliant key manager with passive backup
• PKCS#11-compliant Software HSM
• Command-line installer supports distributed installations
• Based on standard Linux tools
16
Data in Motion Encryption
© 2016 Zettaset, Inc. | Proprietary and Confidential

17. 17
Data in Motion Encryption Architecture
Security Policy Database
KERNEL
Internet Key Exchange Daemon
Security Association Database
HSM
Key Manager
Node Certificate
Certificate Authority
Data Packet
© 2016 Zettaset, Inc. | Proprietary and Confidential

18. • Get license file from Zettaset
• Establish SSH trust between nodes
• Stop firewall
• Install prerequisites
• Edit or generate inventory file (hosts.inv)
– List of nodes to encrypt traffic on
– Network interfaces to encrypt traffic on
– HSM PIN
– Internal CA
• Run pre-installation checks
– $ ./install_zts-dim.sh –i hosts.inv check
• Run installation
– $ ./install_dts-dim.sh –i hosts.inv install -vv
18
Installation Steps
© 2016 Zettaset, Inc. | Proprietary and Confidential

19. 19
Post-Install Checks with TCP dump
© 2016 Zettaset, Inc. | Proprietary and Confidential

20. • To remove one or more nodes, their certificates must be
revoked, so KMIP server would no longer issue keys to
those nodes
• Get list of currently enabled hosts
– $ /usr/share/zts/bin/zts.ca list-hosts
• Revoke node certificates
– $ /usr/share/zts/bin/zts.ca revoke-host node15
• Data at Rest: node will stop functioning on next reboot
• Data in Motion: active connections will be dropped
20
Removing node(s) from a cluster
© 2016 Zettaset, Inc. | Proprietary and Confidential

21. Thank You !