The Most Secure Big Data as a Service

Security

The public cloud promises many benefits, but there is significant work required to make cloud environments "production-ready." While spinning up a cloud service can be (relatively) easy, making it secure, adding encryption and integrating with enterprise monitoring systems are often major hurdles. From acquiring specialized skills, developing monitoring processes and keeping current with the ever-changing stream of patches and updates...it can take a month to develop a secure cloud environment. Cazena offers the most secure Big Data as a Service available. All of our solutions are fully-managed, monitored 24 x 7 – and include comprehensive security controls.

Built for Security and Compliance

Cazena is designed and optimized to meet the most advanced data security requirements for physical security, network security, data protection, monitoring, and access controls. Cazena’s unique architecture and focus on security from the very beginning ensured that compliance certification was straightforward. We did not have to re-engineer old systems or change our architecture to meet strict enterprise standards. Cazena was designed for security from the ground-up.

Recognized Expertise

Our team includes recognized security leaders, and industry-leading expertise. Cazena’s platform and services have passed rigorous third party audits. Cazena is recognized for its security expertise and ‘above and beyond’ compliance with industry best practices and certifications, including SOC II and other industry-standard designations. Throughout our journey, we’ve also relied on trusted partners to help guide our best-in-class security strategy.

Cazena manages every aspect of cloud security, from technology implementation to the right processes for software development, release and operations.

Security Operations and Compliance

Best-in-Class Security Operations: Cazena has a dedicated team that is continually monitoring our service to ensure the safety and privacy of your data. Our security team consistently monitors all access to the service looking for anomalies that could point to unauthorized access. We also subscribe to industry-standard security vulnerability assessments and ensure that these security flaws are addressed on your behalf.

Committed to Compliance: Cazena commissioned an AICPA Service Organization Controls 2 (SOC 2) Type 2 examination for the SOC 2 audit process and reports criteria set forth by the American Institute of Certified Public Accountants (AICPA) Trust Services Principles. Auditors review controls for security, availability, processing integrity, confidentiality, and privacy. 

Security1.jpg

Layer 1: Perimeter Security

Cazena solutions only run on cloud providers with the most comprehensive physical security and compliance controls available. Typical perimeter security is the digital equivalent of high “wall,” often referred to as a “walled garden.” The current recommended way to create a "walled garden” in the cloud is to start with a VPC in AWS or a VNET in Azure and set the security rules to ensure that all traffic in and out is only through expected channels (ports) from expected sources. All resources are within that walled garden, with no public IP addresses. This is very secure, but also can be a challenge for loading data and enabling user access – both of which need to be done on an ongoing basis in analytics projects.

The Cazena Gateway software solves this problem by creating a secure connection between the enterprise and the Cazena Service. This allows users to interact with Cazena cloud resources easily. The gateway helps users encrypt, compress and move data into Cazena, and access the data with analytics tools. Cazena is your walled garden, with no public IP addresses, and the Gateway provides simple, secure access for data and tools. 

Layer 2: User Authentication

With good perimeter security in place, user authentication is the next critical piece. Most organizations already have internal user directories, such as Active Directory. However, cloud providers (AWS, Azure) have their own Identity and Access Management (IAM) mechanisms. Cloud provider components (eg AWS Redshift) mostly integrate with their IAM but some do not: AWS Redshift, for example, only integrates with AWS’ IAM for management and loading functions.

With security requirements for an enterprises’ custom applications and internal systems -- user authentication for cloud services can become an alphabet soup of authentication requirements (LDAP, Kerberos, OAuth, SAML, etc.). Multiple entities often want to own the master. Cazena resolves this with a directory service in the cloud that has a trust relationship with the on-premises, enterprise Active Directory system. This way the enterprises’ Active Directory is still the master, and there is now a single mechanism in the Cazena cloud that can be used to consistently manage authentication for cloud components in the Cazena cloud. Users can continue to use their existing Active Directory credentials to access the cloud resources in the same way that they access on-premises resources. This ensures a consistent, productive user experience.

Similarly, cloud system level components all leverage Kerberos, the leading network authentication protocol for security. This ensures that system level communication is authenticated between the Cazena cloud and enterprise systems. Cazena’s platform and expertise ensure correct configuration and use of Kerberos, often a challenge for heterogeneous environments. Cazena enables, configures and maintains Kerberos as a default (not an option), which ensures that all system level communication is appropriately authenticated.

Layer 3: End to End Encryption

Most on-premises data stores (file servers, databases) do not have encryption turned on unless they are forced to by regulation, e.g., PCI or HIPAA. That’s due to extra work required for authentication, and a perception that internal systems are kept secure by physical security. The best practice however is encryption all the time, for any system in the cloud or on-premises.

While cloud providers like AWS and Azure provide the tools to build end-to-end encryption, it is up to the development teams to use these tools correctly and effectively. That is often where organizations fall short in "DIY" projects. Organizations choose Cazena because our solutions are built from the ground-up for security. Our fully-managed platform includes 24 x 7 monitoring, and enterprise-grade functions for security and encryption. 

Why is Encryption so Challenging for Data the Cloud?

Ensuring that data heading for the cloud is always encrypted -- while in motion or at rest -- is a complicated logistical problem. The user in charge of loading data needs to ensure that movement to the cloud occurs via a secure channel. Once the data reaches the cloud, it needs to be encrypted again prior to landing in the cloud object store, which is typically where most data is stored. Within the cloud, as users move data out of the cloud object stores (eg, to other processing engines or lower latency storage) data needs to be encrypted once again. Each of these encryption keys needs to be managed and secured.

It’s also critical to keep communications private for tools accessing the cloud – typically business intelligence, analytics or data management tools. Most tools that reside on-premises typically connect to other on-premises data sources. Since both the tool and the data are on the same local network establishing a secure connection is often not a high priority. This changes when tools are on-premises and the data is in the cloud. Connections between the tool and the cloud must be secure. Obviously, data privacy is critical. However, other communication (queries, etc.) between the tools and cloud is just as important. For example, a proprietary scoring algorithm should be treated with the same high-level of security as the data.

Cazena's Approach: Automatic Encryption

Encryption is so important that Cazena believes it should be built-in. Users should not even have to think about it. If end-to-end encryption is built-in, nothing is left to chance. No user can make a choice or mistake that results in a major security exposure. This end to end encryption starts with the Cazena Gateway. It establishes a secure connection with your secure Cazena cloud. Cazena configures cloud solutions so that only approved Cazena Gateways can connect. All data and communications must flow through the Gateway. That means everything that traverses this connection gets encrypted. All tools must connect via the Cazena Gateway.

Once data is loaded to the cloud, Cazena ensures that all stored (persisted) data is encrypted. The keys that are used for encryption for data “at rest” are further encrypted by a master key that resides in an HSM, a hardware security module that safeguards and manages digital keys. This ensures the integrity of the encryption keys. 

Layer 4: Data Authorization

The previous layers discussed provide platform-level security. Data access; however, typically needs to be more fine-grained. Users with access to the platform should not necessarily be able to access all the data. The Cazena service includes capabilities to apply role-based authorization for data and metadata. Users can be assigned to groups, which drive what data each individual user can view or manipulate. This can be set at a high-level of just files or tables, or at a much more granular column and row level. The choice is up to each organization. 

Layer 5: Log and Audit Everything

 

Multiple layers of security still can’t protect companies from every potential situation, in the cloud or on-premises. A user can still share their login credentials (explicitly or accidentally) or they could leave a session open on an unlocked device. This is why Cazena ensures that all activity within our solutions is logged in detail.

Every activity, at every layer of the Cazena platform, is automatically logged and securely stored. This includes the cloud layer, the infrastructure layer and the data management layer. Each action, whether it is done by a human user or a system component, is logged and aggregated into in single, central, searchable repository.

Cazena’s centralized logging is important for our security services and operations. Log data is fed through our SIEM, a security information and event management system, that supports our security operations team. If our SIEM or other security processes detect an anomaly or intrusion attempt, it responds appropriately based on the type of event detected. This log data is also critical for any forensics or audit operations.

As a cloud vendor, Cazena is uniquely prepared for enterprise security assessments, with an industry-leading service architecture, processes and personnel. During deployment, Cazena documents processes for incident mitigation and collaborating with an organization’s security team for user access management and related functions. Like any safety net, optimally these functions never get used, but they are critical to have for a production-grade system. 

Security is a Collaborative Process

A successful and secure cloud solution deployment requires close collaboration between an organization and service provider. Cazena understands the importance of a process and program that covers everything -- from governance and compliance to cloud user access. Cazena offers documentation, expertise and collaboration to ensure that you have the highest-level of security available in the cloud.