Security guidelines

Learn about DataStax security guidelines for DataStax Astra on Google Cloud.

Security is a priority for all modern cloud applications, and DataStax has implemented several protocols to keep it one.

The following sections discuss security policies that are specific to DataStax Astra on Google Cloud. To view security protocols implemented across DataStax, see Security assurance on the DataStax website.

Database security and encryption

Each DataStax Astra on Google Cloud database provides a secure private endpoint, which requires mutual-TLS authentication. Astra databases are deployed inside your Google Cloud Platform (GCP) project using a tenancy unit, which is a lightweight entity that represents the relationship of a service consumer and your managed service.

Users have access only to databases in their Organization. Each Astra database lives in a separate GCP Project. Neither the Virtual Machines (VMs) nor the storage is accessible by anyone outside of the Organization that the Astra database is linked to, aside from DataStax Support.

All data in transit is encrypted until it moves into the secured network, and all database volumes are encrypted.

Database owner permissions

When you create a DataStax Astra database, a database user is created with the appropriate permissions to take any action within the created keyspace. This user is not a database superuser. However, the database user is granted the following permissions in the keyspace created on the database:
  • Create, select, modify, drop, and describe database objects
  • Grant the same or lesser permissions to additional database users
  • Create and drop additional database users using the Cassandra Query Language (CQL)
Note: You must be the owner of the database to create additional users within the selected keyspace.
The following GRANT statements provide these permissions:
GRANT AUTHORIZE FOR CREATE, SELECT, MODIFY, DROP, DESCRIBE ON KEYSPACE keyspace_name TO database_user;
GRANT DESCRIBE, CREATE, SELECT, MODIFY, DROP ON KEYSPACE keyspace_name TO database_user;
GRANT CREATE, DROP ON ALL ROLES TO database_user;
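
The permissions above let the database owner delegate narrower access to other users. The following is an added example, not taken from DataStax documentation, of creating two additional users with fewer permissions than the owner. The role names `reporting_ro` and `app_rw` and the password placeholders are hypothetical; `keyspace_name` is the keyspace from the GRANT statements above.

```cql
-- Added example: role names and passwords are hypothetical placeholders.
-- Run as database_user (the database owner); keyspace_name is the keyspace
-- created with the database, as in the GRANT statements above.

-- Read-only user for reporting: can read rows, nothing else.
CREATE ROLE IF NOT EXISTS reporting_ro
  WITH PASSWORD = '<replace-with-strong-password>' AND LOGIN = true;
GRANT SELECT ON KEYSPACE keyspace_name TO reporting_ro;

-- Application user: reads and writes data, but holds no CREATE or DROP
-- (cannot change the schema) and no AUTHORIZE FOR (cannot re-grant).
CREATE ROLE IF NOT EXISTS app_rw
  WITH PASSWORD = '<replace-with-strong-password>' AND LOGIN = true;
GRANT SELECT, MODIFY ON KEYSPACE keyspace_name TO app_rw;

-- To check the result, log in as the new user and list its own permissions
-- before handing the credentials to an application:
--   LIST ALL PERMISSIONS OF reporting_ro;

-- Offboarding: remove the grant, then the user itself.
REVOKE SELECT ON KEYSPACE keyspace_name FROM reporting_ro;
DROP ROLE IF EXISTS reporting_ro;
```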

For more information about using CQL, see the CQL reference.