Cloudera is, for the moment, a dominating presence in the open source Hadoop landscape; but does it have staying power? While Cloudera’s Big Data platform is the darling of the Hadoop space, they and their open source distribution competitors have so far failed to adequately address the elephant in the room: enterprise data security.
Cloudera’s Chief Architect and creator of Hadoop, Doug Cutting, recently discussed the growing value of Big Data in a CNBC Squawk Box segment, but nervously glossed over the subject of data security when it was raised. Benzinga reported Cutting as saying that, “…the value of Cloudera outweighs most security concerns,” thereby demonstrating a level of hubris and naivety that should put every IT security professional on high alert. Their dismissive approach to Big Data security should really come as no surprise. Hadoop was not written with security in mind, and to date, the open source Hadoop community, including Cloudera, has not focused on addressing this critical gap. For enterprise organizations with data at risk, especially those companies that must adhere to regulatory compliance mandates, this should be cause for concern.
Hadoop was a spin-off sub-project of Apache Lucene and Nutch projects, which are based on a MapReduce framework and a distributed file system. That initial application, web indexing, did not require any integrated security. Hadoop is also the open-source version of the Google MapReduce framework, and the data being stored (public URLs) was not subject to privacy regulation. The open source Hadoop community supports some security features through the current implementation of Kerberos, the use of firewalls, and basic HDFS permissions. However, Kerberos is difficult to install, configure, and integrate with Active Directory (AD) and Lightweight Directory Access Protocol, (LDAP) services. Even with special network configuration, a firewall has limited effectiveness, can only restrict access on an IP/port basis, and knows nothing of the Hadoop File System or Hadoop itself.
Enterprises want the same security capabilities for Big Data as they have now for “non-Big Data” information systems, including solutions that address user authentication, access control, policy enforcement, and encryption. Many organizations require these Big Data safeguards in order to maintain regulatory compliance with HIPAA, HITECH, SOX, PCI/DSS, and other security and privacy mandates. But they won’t find those safeguards in open source Hadoop distributions today. Community initiatives underway such as Knox and Rhino are intended to improve Hadoop’s security posture, but tangible results will take time and will certainly lag behind more aggressive commercial efforts.
Cloudera and other distribution vendors are essentially branding open source Hadoop, along with its inherent security limitations. While Cloudera is perceived as a software company, in reality the vast majority of its revenue is derived from professional services, training, and support. It’s unlikely that Cloudera will suddenly invert its business model and come to the rescue with an integrated software solution for data security. Does this mean that Cloudera and other open source Hadoop solutions are dangerous to deploy? Only if IT organizations ignore the inherent security gaps and risks involved, and do not take adequate precautions to secure the data store.
The recent $45 million cybercrime heist involving ATM machines in New York and around the world is a perfect example of how unauthorized access to a compromised data store can result in tremendous financial loss to the victimized financial institution. And, by the way, ATM transaction records are exactly the kind of unstructured Big Data that ends up being stored in a Hadoop environment.
For organizations needing robust Big Data security now, Orchestrator, a commercial software solution from Zettaset, provides enterprise-class security that is embedded in the Big Data cluster itself, moving security as close as possible to the data, and providing protection that perimeter security devices such as firewalls simply cannot deliver. Zettaset’s Orchestrator software automates cluster management and security, and works in conjunction with most Hadoop distributions, including Cloudera’s, to address open source Vulnerabilities in datacenter environments where security and compliance is a business imperative.
While open source Hadoop solutions such as Cloudera’s do indeed have value, make no mistake: The security demands of today’s at-risk enterprises clearly represent a much higher priority for IT professionals and the organizations they serve.
By Jim Vogt, Zettaset CEO
With more than 25 years of leadership experience in both start-up and established corporations, Jim Vogt brings a wealth of business and technology expertise to his role as president and CEO of Zettaset. Most recently, Jim served as senior vice president and general manager of the cloud services business unit at Blue Coat Systems. Prior to Blue Coat, he served as president and CEO at Trapeze Networks, which was acquired by Belden, Inc. He was also president and CEO at data encryption start-up Ingrian Networks (acquired in April, 2008 by SafeNet).
