
Red Hat and ZettaSet can Help you Secure your Edge Solutions

Posted by Marbenz Antonio on April 11, 2022

Edge computing and 5G, in particular, are sophisticated, highly dispersed, and multi-tenant settings. Enterprise data is pushed closer to the edge in such contexts, resulting in additional exposure points and attack surfaces that did not exist in older monolithic installations.

We discussed five security issues for edge installations in the previous post. This article focuses on the most important of them: data. Let’s look at how customers of Red Hat OpenShift and Zettaset XCrypt for OpenShift can benefit from a microservices deployment platform that includes the granular, high-performance data protection and management features that modern designs need.

Security threats to sensitive data

As high-speed mobile networks and edge solutions become more common, a new set of security risks and concerns emerge. Among the most important are:

  • Physical security is weakened by remote locations, broader physical access, or operation in hazardous environments.
  • Because of the intermittent connectivity between endpoint devices and the business edge, edge solutions may need to store data locally.
  • Multi-tenancy and shared responsibility are becoming more common.

Retail sites and remote oil rig operations likewise offer lower levels of data protection because of their greater exposure and weaker physical security. Furthermore, in telecoms applications the network delivers higher speeds and corporate data is handled at the edge by both providers and third parties, so that data is highly vulnerable to attack given the far edge’s reduced degree of protection.

Data security at the edge is provided by Red Hat OpenShift

OpenShift from Red Hat is a platform for running a variety of containerized workloads. As these workloads move to the edge, Red Hat OpenShift provides the same security features it does in datacenter deployments. Because data is now collected at the edge, protecting it is more crucial than ever. Red Hat OpenShift has a variety of security measures out of the box:

  • Red Hat Enterprise Linux CoreOS is a container-optimized operating system that provides controlled immutability, transactional updates, and container isolation using SELinux in enforcing mode.
  • Red Hat OpenShift comes with fine-grained access control, auditing, logging, and monitoring features out of the box.
  • By default, data in transit and communication between platform components are encrypted. FIPS mode allows Red Hat OpenShift to use FIPS-compliant cryptographic modules for cryptographic tools.
  • Ingress and egress controls, as well as micro-segmentation for east-west traffic management, aid network security.
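The FIPS point in the list above has a practical consequence: on OpenShift, FIPS mode is a cluster-wide installation setting, not something a tenant switches on later for an individual workload. The fragment below is an added example, not taken from the page or from Red Hat documentation; it shows the relevant key in an `install-config.yaml`, with the cluster name, domain and pull secret as constructed placeholders and the other required sections omitted.

```yaml
# install-config.yaml fragment (added example; placeholders are constructed)
apiVersion: v1
baseDomain: edge.example.com      # placeholder domain
metadata:
  name: edge-site-01              # placeholder cluster name
# Enable FIPS-validated cryptographic modules on every node.
# This must be decided at install time; it is not a post-install toggle.
fips: true
platform:
  none: {}                        # bare-metal / user-provisioned example
pullSecret: '<PULL_SECRET_PLACEHOLDER>'
```

After installation, the kernel-level state can be confirmed from any node with `oc debug node/<node-name> -- chroot /host cat /proc/sys/crypto/fips_enabled`, which prints `1` when FIPS mode is active. A cluster installed with `fips: false` (the default) reports `0` and has to be reinstalled to change that.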

Red Hat OpenShift isolates applications from one another to prevent malicious code and viruses from affecting workloads or crossing access boundaries. Many edge installations are data-driven, and the need for data encryption cannot be overstated.

These systems support encryption of persistent volumes for data at rest, such as LUKS disk encryption. Certain use cases, however, require stronger data security. Red Hat has teamed up with Zettaset to help deliver those extra capabilities.

Protecting data with Zettaset

Zettaset XCrypt for OpenShift provides containers and pods with high-performance transparent data encryption at a key granularity of one encryption key per persistent volume.

This granular security is possible because no two persistent volumes share an encryption key. This key granularity also means that, if a pod or container is compromised, its persistent volume can be retired without affecting cluster availability or other persistent volumes.

To use encrypted persistent volumes, application containers request the XCrypt Encrypted Volume storage class when allocating persistent volumes. This storage class uses XCrypt services to allocate storage of the required kind and capacity and applies encryption on top of it.

The storage is subsequently associated with the requesting container automatically and may be utilized like any other container-attached storage. It doesn’t require any extra provisioning, and the requestor isn’t required to give any secrets, keys, certificates, or other encryption-related information.
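The two paragraphs above describe the whole developer-side workflow: reference the storage class, mount the claim, and carry no key material in the manifest. The manifests below are an added example and are not Zettaset's or Red Hat's own; the page does not give the storage class's registered name, so `xcrypt-encrypted-volume` is an assumed placeholder, as are the namespace, claim and image names.

```yaml
# Added example; the storage class name below is a placeholder for whatever
# name the XCrypt operator registers in your cluster (check with `oc get sc`).
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: sensor-data           # constructed name
  namespace: edge-app         # constructed namespace
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 20Gi
  storageClassName: xcrypt-encrypted-volume   # placeholder, see note above
---
apiVersion: v1
kind: Pod
metadata:
  name: collector
  namespace: edge-app
spec:
  containers:
    - name: collector
      image: registry.example.com/edge/collector:1.0   # placeholder image
      volumeMounts:
        - name: data
          mountPath: /var/lib/collector   # the application sees plain files
  volumes:
    - name: data
      persistentVolumeClaim:
        claimName: sensor-data
# Note what is absent: no Secret, no key reference, no certificate mount.
# Key selection and wrapping happen in the XCrypt services, not in this pod.
```

A useful check after applying the manifests is `oc get pvc -n edge-app sensor-data`, which should show the claim `Bound`; an unbound claim usually means the storage class name does not match what the operator registered. Because the pod spec references only the claim, a compromise of this pod exposes at most its own volume, which matches the one-key-per-volume model described above.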

Zettaset XCrypt for OpenShift includes key management tooling by default. Key management operations are performed by a KMIP-compatible software key manager that runs in a Kubernetes pod and is exposed as a Kubernetes service.

For key generation, key state management, and key retrieval, the key management service implements standard KMIP protocol functionalities.

The key management services are accessed using the conventional KMIP authentication technique, which employs client-side SSL certificates. The Certificate Authority service, which runs as a separate Kubernetes Pod, issues these certificates and is responsible for securing communication between the Zettaset XCrypt for OpenShift encryption components.

Zettaset XCrypt for OpenShift automates the use of the Zettaset Key Management and Certificate Authority services, requiring no user or administrator involvement. The services are delivered as regular Kubernetes Pods and Services by the Zettaset XCrypt Red Hat Certified Operator and are configured automatically during deployment.

XCrypt for OpenShift encrypts data flowing through a stacked file system in the shared kernel space of the worker node using kernel crypto. Some advantages of this architecture:

Minimal performance overhead

Using AES-NI reduces the overhead of encryption and decryption; internal Zettaset performance testing measured it at between 3% and 7%. Furthermore, SSL-based communication with the user-space key management service is kept to a minimum, so the encryption services are not network-bound and do not require frequent switching between kernel and user space.

Complete application and workflow transparency

Because the crypto takes place in the kernel, higher-level services and applications, such as data services and other 5G network services, are unaffected by it. Additionally, when XCrypt for OpenShift is installed, the developer, admin, and user workflows for deploying and maintaining apps and services do not need to change.

No change to application footprint or packaging

Because of this design, user apps, pods, and containers can create and access encrypted persistent volumes without any special or additional software.

Automatic and transparent policy management

XCrypt for OpenShift manages the mapping of cryptographic keys to encrypted volumes, as well as the mapping of encrypted volumes to partitions or devices. Users are not obligated to keep track of any data protection information.

Native storage support with automated storage provisioning

The storage management component of XCrypt for OpenShift allows it to automatically construct volumes of the desired size from one or more physical volumes attached to the worker node. The storage management component also allows for direct integration and automatic storage provisioning of Ceph storage from a cluster-accessible pool.

Advanced Key Management integration

A software KMIP-compatible key manager and a PKCS#11-compatible software security module are included in XCrypt for OpenShift. Data encryption keys, key-encryption keys (wrapping keys), and master and hash keys are all protected by these two services.

XCrypt for OpenShift may also be integrated with current key management and HSM solutions that are KMIP- and PKCS#11-compatible. XCrypt for OpenShift Key Manager can act as a KMIP-compatible “façade” or KMIP proxy in front of non-KMIP key management systems like AWS KMS.

Enterprise-grade certificate management

SSL certificates are used by XCrypt for OpenShift to safeguard connections between its components and services. The internal Certificate Authority server issues a unique certificate to each worker node. The Certificate Authority (CA) certificate can also be “rooted” in a higher-level CA, such as a corporate, operator, or provider CA.

While XCrypt for OpenShift comprises many services, it has been well tested in deployments as small as a single-node Kubernetes cluster, where all services run on a single server or even a single virtual machine.

Summary

XCrypt for OpenShift, built on top of the Red Hat OpenShift platform, offers data protection, management, and monitoring of data and crypto-related activity, along with the ability to shorten compromise-detection windows and respond to compromises quickly and precisely without affecting the rest of the cluster.

The rapid growth and multi-tenant nature of these settings call for a contemporary approach to data security; legacy data protection solutions that rely on infrastructure-level or storage-level protection will not suffice. These contexts need granular, high-performance data protection that preserves application transparency while also understanding the nature of what it protects.

With Red Hat OpenShift and Zettaset XCrypt for OpenShift, customers can take advantage of a microservices deployment platform with the granular, high-performance data protection and management features that modern architectures demand.
