Welcome!

Linux Containers Authors: Elizabeth White, Pat Romanski, Liz McMillan, Yeshim Deniz, Zakia Bouachraoui

Related Topics: Cloud Security, Java IoT, Microservices Expo, Linux Containers, Containers Expo Blog

Cloud Security: Blog Post

Layered Security Is Key to Avoiding Heartbleed

Why Gazzang services were not impacted by the nasty OpenSSL bug

While organizations spend the next few days and weeks patching OpenSSL vulnerabilities, the realization is setting in that we may never know the full extent of the damage caused by Heartbleed.

Although Heartbleed was only announced in early April, it has actually been present in OpenSSL versions dating back to March 2012. This means hackers have had ample time to steal certificates and other sensitive information. Making matters worse, it's nearly impossible for companies to know whether their web communications have indeed been compromised.

What exactly is being exposed?

When exploited by a hack, Heartbeat (the name of the transport layer security extension where the bug was found) dumps whatever data might reside in the memory of client/server communications in small 64k chunks. Normally this traffic is encrypted, but the bug actually compromises the secret keys, usernames and passwords that protect this data. Leaked keys can lead to insecure web certificates, which could indirectly lead an attacker to usernames and passwords, payment card details, cookies -- essentially any information submitted by other users of the service.

Should I worry about my Gazzang zNcrypt keys being exposed?

No. Gazzang zNcrypt keys are encrypted client-side, so a compromise of the zTrustee server using Heartbleed would never expose any zNcrypt keys. Furthermore, while we use SSL for data-in-transit encryption, the payload of data between client nodes and zTrustee is encrypted with strong crypto libraries like GPG underneath OpenSSL. So we're doubling up the encryption, just for instances like this.

Like many other websites, we have already patched our zTrustee SaaS servers for the Heartbleed vulnerability. We also encourage customers who haven't already done so to upgrade to the latest operating system version and deploy those OS patches as well.

How can I protect my organization against future threats like Heartbleed?

One of the reasons this bug is so widespread is because it exploited a vulnerability in the popular and highly regarded OpenSSL crypto library. In other words, it went after the very service layer that untold numbers of companies use to protect against hackers. Where many of these companies went wrong is they relied on that single layer of security to protect against a network attack.

Multi-factor authentication, which requires a second piece of information to allow access to an account, is one way users can protect email access and other sensitive account information. So in addition to upgrading, patching and maintaining the latest versions of your OS and software, another way to protect your company's data is to deploy multiple layers of cryptography.

I mentioned earlier that we use GPG in addition to SSL for data-in-transit encryption. As another example, our customers use Gazzang zNcrypt to encrypt their data and protect that data by disallowing unauthorized people and processes to access it. The encryption key is then encrypted itself and stored in the zTrustee key manager (along with the master). The data owner can then set a broad range of configurable policies governing who or what can access those keys.

The important thing to remember is that security needs to be applied in layers, and a single layer is never enough. A useful tool to check your SaaS vendors' security is Qualsys SSL Labs test.

What can I do as a consumer?

To start, here are a couple of lists spotlighting companies that use the TLS Heartbeat extension. The best advice is to change your password if a service you use is listed as vulnerable.

More Stories By David Tishgart

David Tishgart is a Director of Product Marketing at Cloudera, focused on the company's cloud products, strategy, and partnerships. Prior to joining Cloudera, he ran business development and marketing at Gazzang, an enterprise security software company that was eventually acquired by Cloudera. He brings nearly two decades of experience in enterprise software, hardware, and services marketing to Cloudera. He holds a bachelor's degree in journalism from the University of Texas at Austin.

IoT & Smart Cities Stories
CloudEXPO New York 2018, colocated with DXWorldEXPO New York 2018 will be held November 11-13, 2018, in New York City and will bring together Cloud Computing, FinTech and Blockchain, Digital Transformation, Big Data, Internet of Things, DevOps, AI, Machine Learning and WebRTC to one location.
SYS-CON Events announced today that DatacenterDynamics has been named “Media Sponsor” of SYS-CON's 18th International Cloud Expo, which will take place on June 7–9, 2016, at the Javits Center in New York City, NY. DatacenterDynamics is a brand of DCD Group, a global B2B media and publishing company that develops products to help senior professionals in the world's most ICT dependent organizations make risk-based infrastructure and capacity decisions.
DXWordEXPO New York 2018, colocated with CloudEXPO New York 2018 will be held November 11-13, 2018, in New York City and will bring together Cloud Computing, FinTech and Blockchain, Digital Transformation, Big Data, Internet of Things, DevOps, AI, Machine Learning and WebRTC to one location.
@DevOpsSummit at Cloud Expo, taking place November 12-13 in New York City, NY, is co-located with 22nd international CloudEXPO | first international DXWorldEXPO and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time t...
Cloud-enabled transformation has evolved from cost saving measure to business innovation strategy -- one that combines the cloud with cognitive capabilities to drive market disruption. Learn how you can achieve the insight and agility you need to gain a competitive advantage. Industry-acclaimed CTO and cloud expert, Shankar Kalyana presents. Only the most exceptional IBMers are appointed with the rare distinction of IBM Fellow, the highest technical honor in the company. Shankar has also receive...
A valuable conference experience generates new contacts, sales leads, potential strategic partners and potential investors; helps gather competitive intelligence and even provides inspiration for new products and services. Conference Guru works with conference organizers to pass great deals to great conferences, helping you discover new conferences and increase your return on investment.
Headquartered in Plainsboro, NJ, Synametrics Technologies has provided IT professionals and computer systems developers since 1997. Based on the success of their initial product offerings (WinSQL and DeltaCopy), the company continues to create and hone innovative products that help its customers get more from their computer applications, databases and infrastructure. To date, over one million users around the world have chosen Synametrics solutions to help power their accelerated business or per...
DXWorldEXPO LLC announced today that ICOHOLDER named "Media Sponsor" of Miami Blockchain Event by FinTechEXPO. ICOHOLDER gives detailed information and help the community to invest in the trusty projects. Miami Blockchain Event by FinTechEXPO has opened its Call for Papers. The two-day event will present 20 top Blockchain experts. All speaking inquiries which covers the following information can be submitted by email to [email protected] Miami Blockchain Event by FinTechEXPOalso offers sp...
SYS-CON Events announced today that IoT Global Network has been named “Media Sponsor” of SYS-CON's @ThingsExpo, which will take place on June 6–8, 2017, at the Javits Center in New York City, NY. The IoT Global Network is a platform where you can connect with industry experts and network across the IoT community to build the successful IoT business of the future.
IoT is rapidly becoming mainstream as more and more investments are made into the platforms and technology. As this movement continues to expand and gain momentum it creates a massive wall of noise that can be difficult to sift through. Unfortunately, this inevitably makes IoT less approachable for people to get started with and can hamper efforts to integrate this key technology into your own portfolio. There are so many connected products already in place today with many hundreds more on the h...