Host Enrico Signoretti speaks with Eric Bednash of RackTop Systems about data storage and security: a different way of thinking about storage, and a different way of thinking about security in general.
Eric Bednash is the CEO and co-founder of RackTop Systems. He has spent the past 19 years as an innovator and entrepreneur, designing products and solutions to solve challenging Extreme Data problems. He has co-founded prior companies focused on delivering IT-based services and products within the DoD, Intelligence and Financial communities. Eric is the creator of the myRack orchestration framework, and leads the strategic vision for RackTop’s data storage and management products.
Enrico Signoretti: Welcome everybody, to Voices in Data Storage brought to you by GigaOm. I’m your host, Enrico Signoretti, and today we will talk about data security in the storage system. This is a very, very interesting topic. I met with the guy that I will introduce to you in a few seconds, and we had a very nice chat around data storage and security; a different way of thinking about it, a different way of thinking about security in general. So I invited him because there are a lot of threats today: cyber attacks, ransomware; and also security, if you think about it as the need for compliance. So in Europe we have GDPR, but a lot of other countries are thinking of similar regulations, so I think it’s a very, very hot topic at the moment. So with me today, Eric Bednash, CEO and Co-Founder of RackTop Systems. Hi Eric, how are you?
Eric Bednash: Hi Enrico, thank you very much for having me here.
As I [said] at the beginning of the show, you have a great curriculum [vitae] (CV), and you founded a company because you saw a need around data storage security. So why don’t we start with a little bit of background about you and your company?
My background is predominantly in the data security world. I spent the majority of my career in national intelligence and protecting data—from that perspective. It gives you a really interesting view on how data and data security are very intrinsically tied together. And it was those experiences that really led myself and my co-founder to start RackTop, which is focused on what we call the ‘CyberConverged’ data security market, which merges high-performance data storage with advanced security and compliance capabilities, so that you can really solve the problem of data security right where the data lives.
So if we look at data security, we have already so many layers. We have firewalls; we have security at the application level. Why do we need another layer and another complexity in the stack?
Well if you think about security in general, it has largely been focused on the network, like you said, but the data itself, which is the most critical component—and that’s what you’re really trying to protect—is in the core of the data center, and when it’s sitting in our data storage systems, it’s in what we traditionally think of as sort of the ‘safe zone.’ The reality is that there are no safe zones anymore. There are very sophisticated hackers and attacks that can get beyond firewalls; we have a lot of end users within our network who aren’t necessarily trusted anymore; we have technologies like IoT, where you have sensors that are built into devices that are not even humans, but can be used as attack vectors to steal data.
And so when you think about all of that happening within the enterprise, you can’t really think about data storage as being in a trusted part of the data center anymore. And so to really complete that security picture, you must move the data protections; you must move data security directly onto the data or as close to the data as possible so that you can complete that security ecosystem.
But what are the characteristics of a system that you can consider secure?
Well, there are a number of things. Security is implemented in layers, and you want those multiple layers to be able to provide enough protection so that you can stop or thwart an attacker or an insider threat. So there are things like encryption, multiple layers of encryption. You want to track what users are doing so you want to identify behaviors so that you can detect anomalies, or anomalous patterns, like when someone is maybe trying to steal data, or from a ransomware attack. That would be an anomalous behavior to detect as well.
And then there’s the reporting aspect, and this ties directly into compliance; and you have these security controls and measures that are implemented within a system, but then you also have to be able to show and prove that those controls and measures are in place and remain in place over a period of time. And all of these stack together and layer together to really solve the problem.
But some of the things that you mentioned are already available from other products. I think, for example, about ransomware attacks. Many, many data protection tools now provide similar tools. What’s the difference in the approach, and why is having it embedded in the storage better, from your point of view at least?
So, yeah, when you think about ransomware, I think a lot of people view it from the remediation perspective, so after it occurs. And that most certainly is the way that almost everybody is addressing it today. And I think a lot of backup companies leverage this approach because it’s true: when you get hit with ransomware, you don’t want to pay the ransom; you just want to recover your data, and certainly a backup helps. But there are challenges with that as well, and ideally, what you’d want to do is prevent that attack from happening at a full scale. So you would want to stop it as soon as possible.
So you want to get it [at] the beginning, or you want to be able to detect it early on. And so I think there are products and approaches that can help remediate that today, but ideally what you want to do is be ahead of it as soon as possible. And that’s really where integrating some of these capabilities into the data system and catching, and then also layering them on top of each other is really the answer to solving this problem most effectively.
So you’re saying (and I couldn’t agree more): You can do it in real time, okay, within the storage system so you can analyze the behavior of the user, or of the application, or [see] if something is not usual. On the other hand, you have the data protection that yes, it can do almost the same, but actually it’s delayed in time and you can’t remediate something that has already happened, right? So from this point of view, it’s a question of uptime at the end of the day, and money that you save by giving better uptime for your systems.
Absolutely, absolutely. And there’s also the delay in terms of recovery. We all know that within a data center, within an enterprise, backups do not get the attention they probably should; they are secondary budget; and then also people don’t always remember to take backups as data...progresses through its life cycle. You may have missed some new data that was created. All of these gaps create additional risks and exposures so that when it does come time to remediate, it’s not even ideal, and there’s an additional risk there as well.
What kind of enterprises are now really focused on this kind of programmatics? I mean, you mentioned that you worked in a large intelligence [organization] and the U.S. Department of Defense, and you have these kinds of experiences. So these are very, very large organizations with security as one of the first things that they look at. But do you see an adoption also from traditional enterprises?
Absolutely. You know, governments are always very concerned about security, and in a sense, have led the charge in terms of relying on the importance of data security within their systems. So it’s always important there. But the commercial enterprise is definitely catching up now, or at least is starting to understand or realize that this is a very important problem that has to be solved.
I think more so even in the last 12 months, the shift from looking at security from just a network problem to being more of an infrastructure problem is starting to occur, and I’m really starting to see it, of course in large enterprises first, but even some of the mid-size enterprises now are starting to pay attention. I think it’s inevitable. You know, every day you read bad news—about some either government organization or municipality or enterprise whose data was compromised or stolen or has been hit with ransomware; and so it’s not going to stop. It’s just going to continue to get worse, and I think that the market is evolving and will continue to evolve at a more rapid pace in the future.
Well, I totally understand it, but again, if you have the resources of a large government organization, how do you deal with the complexity of this kind of programmatics in a medium size enterprise? So how complex is it to operate this kind of system, for example?
Yeah, so if you were to go ahead and traditionally solve this problem, it is very complex. And I’ll touch on compliance really briefly because it’s the same sort of problem that highly regulated industries faced a decade ago, or more. And so basically, these larger organizations: governments, larger enterprises, have teams of people to address these problems. So you have a lot of resources. That makes it possible to deal with the challenges, but [it’s] not very efficient; it’s still very complex to deal with integrating these individual software components together, or software packages together, and there are gaps. Every single one of those programs creates gaps because they’re not meant to be integrated together, and it’s very resource-intensive. But that’s the way that large enterprises have been doing it.
And so by integrating these technologies together, you solve a lot of these problems. You make it very easy...they’re integrated, so you take away the gaps and the complexities, and then they’re easier to manage. And that’s one of the things that we focused on at RackTop: by combining these components together, we’re able to not only address the fundamental security issues that we’re trying to solve, but we’re also able to do it in a very user-friendly manner, which addresses some of those concerns around the mid-level enterprise, [that] don’t have the large amount of resources that larger enterprises or governments do have.
And how do you solve another problem? I mean, if you look at security in your organization, you have different layers, different tools to manage it. And of course, it becomes more and more complicated to keep track of all the things that are happening. So how do you integrate data storage security with network security, with application security, with perimeter security, and whatever else you have at the security level?
Well, so within a typical large enterprise, or enterprises in general, you’ll have incident and event monitoring and management systems, and you might have security operations centers. And usually these tools aggregate data, and allow you to take action on them. And so from our perspective—in particular, we’re pulling some of the capabilities that would typically be seen on the network or on the endpoint from a security perspective—so security and compliance features that you would have in third-party products, we’ve pulled those directly into the data storage system with what we’re doing. And then we integrate through a set of open APIs with those third-party incident management systems so that people, or even automated scripts that other people may write to aggregate information from multiple sources, can automate certain actions within our system. And we can take part in that whole ecosystem.
And so that’s the typical approach today, how it would be solved. There’s intelligence in what we’re doing, and in the data system, and then there’s intelligence in other parts of the network and really pulling that all together really is what completes that ecosystem that enables you to potentially stop attacks, not only on the data side, but also on the front end, on the network side as well.
And you mentioned many times multiple levels of encryption, so I think you’re talking about the way you’re storing data in the system, but actually, we’re talking about the system devices, and it’s really, really important to know all the process that goes in the data path, but also if I wanted to, for example... change something in my system—I need to understand what is happening. So how do you manage all these things in your system?
So encryption is a very interesting problem to solve correctly. So how we solve it is we do it in multiple layers. And with the power of computers today, existing encryption algorithms, it’s very probable and very possible that they’re going to be broken in the future as compute processing power continues to increase, right? So what you do is just like what security has done in layers; you can implement encryption in layers, and by doing that you increase the strength of the data that you encrypt. So particularly, we can encrypt it at two different layers so that you would have two different layers of encryption over your data. But on top of that, there’s a maintenance aspect to that, and sort of a hygiene aspect to encryption.
So if I were to encrypt data with a key, that key is like a password, and so as we all know as users, we change our passwords because if someone knows the password, they can steal your account. Well the same goes with encryption keys. You have to rotate your keys; you have to change your keys, or else breaking that key or obtaining that key becomes possible, and then you lose the benefit of the encryption.
And so a lot of more stringent enterprises or organizations have strict policies around key rotation and automatic key rotation so that it makes it even more difficult for somebody to break the key...to obtain the key or break the encryption so they can get at the data. That is one of the unique things that our system does: we can auto-rotate keys on a regular basis. This all happens by the system itself, and it’s all reported for compliance purposes so that you can prove to somebody that you’ve done this, and you’ve done it on a regular basis, and you’re meeting those requirements around not only having encryption, but having encryption that is implemented in the proper way.
But you rotate the keys, okay, but I’m missing something here. It needs a lot of CPU power involved and I/O in the system, right?
No. So this is where the way it’s implemented is unique in that we’re using techniques that allow us to re-key systems rapidly without having any impact [on] the data itself. So it uses a technique using wrapping keys or key encryption keys that allow you to encrypt the data, change the keys without actually having to go back and re-encrypt all the data that’s already there.
Okay. It looks like Inception the movie… ‘the key of the key’...but okay. I’ll take it for granted. And what is it about the complexity of large systems? I mean, you’re a start-up, okay, and even if you have the best technology of the world, actually if you’re a small one, you can’t reach every location in the world now, and these large organizations, most of them have plenty of installation[s]. I’m talking about: they have EMC, NetApp, HDS, whatever in their data center; their centers are huge. I can’t think that they will change everything they have and put the RackTop system tomorrow, replacing everything. So how can you start this process of making your storage system more secure?
So I certainly would hope that they would all replace their systems. But I also know that probably won’t happen. So we invented a technology called ‘transparent data movement.’ And what that allows us to do is leverage all the security and compliance capabilities that we have embedded within our system with data that’s not necessarily stored on our own disks. So you can sort of think about it as a combination of a hierarchical storage management gateway that is able to transparently move data between our system, meaning the RackTop system, into S3 or other NFS stores using those protocols and transparently move that data.
So we essentially have all the metadata represented within our system so that the files look like they’re there; they look like they’re on our system, on our NAS; all the access controls are there, and then all the security benefits that we bring to the table can automatically be obtained by the enterprise. They can see all those user behaviors start to get recorded; all of the reports and the compliance and the exposure and everything that we offer is there because our system and the end user all believe that the data is actually there, even though the data is actually being managed on a third party machine. So that is a logical way for us to get into an environment or work with the customers so that they can get the benefits of what we bring to the table, even if they’re still depreciating existing storage assets.
Do you provide the same identical set of features even if you are not working with your system? For example, the multi-layer encryption?
Some of the encryption capabilities—because the data’s not stored on the disks we’re managing, they wouldn’t have that layer of encryption, but we still encrypt data at the data level, and most of the other capabilities are also available. There are some limitations around the remote storage systems, and certainly when you’re talking about S3 and data in the cloud, there could be some latency concerns around that. We do cache data and optimize I/O patterns…
Yes, but we can’t beat the laws of physics.
Exactly, you can’t beat physics. But we do have some technology that enables us to cache data for what we call ‘hot files,’ and that would eliminate or reduce I/O charges as well in certain cases. So there are some things that we do to try and bend physics, but we can’t break it.
Fantastic. So one thing that I really loved from our previous conversation was the concept of ‘zero trust.’ I’m not a security guy, so for me it was not really new, but actually when you describe it, having the storage layer on top of it was really interesting. So why don’t you repeat [your description of] the concept of zero trust, and how it helps to understand better why a secure data storage layer is important today?
Sure. Well, zero trust in the security world seems to be the hottest buzzword right now. And I think everybody’s talking about zero trust, but the reality is right now zero trust is very much a fantasy; it’s a concept. And I think it will be a while before the industry gets there. But to me—
Before you go on—zero trust, for our listeners, is just that usually we take for granted that if you are already in the enterprise network, you should be there. While with zero trust, you never trust anybody. And this is a concept that, as you said, is really, really far from happening in reality.
Exactly. Because we’ve all been trained—we’ve all come up through the years in the industry thinking about the enterprise as a safe place: it’s inside the firewall. And so it’s really a way of thinking. So to me, zero trust is not so much about a thing, but it’s a way of thinking about your infrastructure, your architecture, from a security perspective. And thinking about it so that instead of that implicit trust, where you’re expecting everyone to be a good neighbor within your infrastructure, and everyone to be trusted, and everybody to be there who’s supposed to be there, you change that way of thinking.
And this is even prevalent within the cloud, if you think about it. So if you have systems in the cloud, they’re all essentially on the Internet. So it’s a very important concept when you’re dealing with—that’s even less protected than your own private infrastructure. So you have to sort of change the way you think.
So to me, zero trust is first and foremost, at least today, about changing the way you think about solving problems from a ‘security first’ perspective. Which means that when it comes to data storage, you have to change the way you think about it. You can’t think about it as being in that trusted data center anymore. You have to look at it and say, ‘What protections can I layer onto the data so that I can achieve this goal?’ And that’s really the approach that we take to it, and it’s that data owner’s perspective. It’s the data’s perspective versus the admin perspective or the outside user’s perspective of looking at things. And I think it will be a while before we get there as an industry.
I think that there’s a lot of awareness around it now, and as products continue to evolve, we’ll actually be able to achieve a stronger security posture by thinking of things this way. And for us, because we have embedded these security and compliance capabilities directly into the storage system, we can play in that architecture. We can take part in that zero trust world already, because we’ve already sort of taken this approach to dealing with data in that we have these controls in place because we don’t expect everybody to belong there. And we want to be in a place where the data is protected as best it possibly can be, right where it’s living.
Yeah. As you said, this is a very interesting concept. And actually very far from happening in reality in most of the organizations that we know today. But again, I think that it is worth a try with all the security concerns that there are now.
Thank you very much for your time today. This conversation was very, very helpful to understand a little bit better data security in the storage world. But I would like to wrap up this episode with the Twitter handles of your company, and yours, if you’re on Twitter, so if somebody wants to continue the conversation online they can contact you directly.
Wonderful. Thank you very much, and bye bye.
Enrico, it was a pleasure. Thank you.