DSE database security checklist
Security for DataStax Enterprise database nodes:
- Authentication: Limit connections to the database to only known users. DSE supports user validation with the following authentication methods:
  - Internal: Credentials stored in the internal database
  - LDAP: External LDAP service, such as Active Directory
  - Kerberos: MIT Kerberos tickets checked against an external Key Distribution Server (KDS)

  See Configuring DSE Unified Authentication.

  Restriction: DSE Unified Authentication is only supported for database connections. To authenticate internode communication, such as gossip, use node-to-node SSL certificates.
- Authorization: Restrict access to database resources for authenticated users with role-based access control (RBAC). DSE supports role management using the following methods:
  - Internal database: 1-1 mapping of user name or principal name to roles
  - LDAP: 1-many mapping, where users are assigned all roles that match the LDAP groups they are members of

  DataStax only supports RBAC with authentication enabled. See Managing roles and Authorizing access to database resources.
- Audit activity: Log and monitor activity for database resources. See Enabling data auditing in DataStax Enterprise.
- Transparent data encryption (TDE): Protect data at rest. DSE protects sensitive data by encrypting:
  - Entire tables (except for partition keys, which are always stored in plain text)
  - SSTables containing data, including system tables (such as system.batchlog and system.paxos)
  - Search indexes
  - File-based hints (in DSE 5.0 and later)
  - Commit logs
  - Sensitive properties in dse.yaml and cassandra.yaml

  Encrypt data using an external KMIP or local service. See About Transparent Data Encryption.
- Encrypt data in flight using SSL: Secure communication between clients and the database and between nodes in a cluster. See Configuring SSL.
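As an added example that is not part of the DataStax documentation, the following Python auditor evaluates the checklist above against already-parsed cassandra.yaml and dse.yaml settings, with a weak and a hardened configuration constructed inline. The setting names used (authenticator, authorizer, client_encryption_options, server_encryption_options, authentication_options, authorization_options, audit_logging_options, system_info_encryption) are this example's assumptions about DSE's configuration keys; verify them against the files shipped with your DSE version.

```python
# Constructed sample configs, already parsed into dicts (e.g. by a YAML loader). The key
# names are assumptions about DSE settings; verify them against your cassandra.yaml and dse.yaml.
WEAK_CASSANDRA = {
    "authenticator": "AllowAllAuthenticator", "authorizer": "AllowAllAuthorizer",
    "client_encryption_options": {"enabled": False},
    "server_encryption_options": {"internode_encryption": "none"},
}
WEAK_DSE = {
    "authentication_options": {"enabled": False},
    "authorization_options": {"enabled": True},  # RBAC on, but without authentication
    "audit_logging_options": {"enabled": True},
    "system_info_encryption": {"enabled": False},
}
HARDENED_CASSANDRA = {
    "authenticator": "com.datastax.bdp.cassandra.auth.DseAuthenticator",
    "authorizer": "com.datastax.bdp.cassandra.auth.DseAuthorizer",
    "client_encryption_options": {"enabled": True},
    "server_encryption_options": {"internode_encryption": "all"},
}
HARDENED_DSE = {"authentication_options": {"enabled": True}, "authorization_options": {"enabled": True},
                "audit_logging_options": {"enabled": True}, "system_info_encryption": {"enabled": True}}

def _get(cfg, path, default=None):
    """Walk a dotted key path through nested dicts; a missing key yields default."""
    for key in path.split("."):
        if not isinstance(cfg, dict) or key not in cfg:
            return default
        cfg = cfg[key]
    return cfg

def audit(cassandra_yaml, dse_yaml):
    """Return the checklist items the configuration does not satisfy."""
    authn = (str(_get(cassandra_yaml, "authenticator", "")).endswith("DseAuthenticator")
             and _get(dse_yaml, "authentication_options.enabled") is True)
    # RBAC only counts with authentication on: roles mean nothing for anonymous clients.
    authz = (authn and str(_get(cassandra_yaml, "authorizer", "")).endswith("DseAuthorizer")
             and _get(dse_yaml, "authorization_options.enabled") is True)
    internode = _get(cassandra_yaml, "server_encryption_options.internode_encryption")
    checks = [
        ("Authentication", authn),
        ("Authorization (RBAC)", authz),
        ("Audit activity", _get(dse_yaml, "audit_logging_options.enabled") is True),
        ("TDE: system tables", _get(dse_yaml, "system_info_encryption.enabled") is True),
        ("SSL: client-to-node", _get(cassandra_yaml, "client_encryption_options.enabled") is True),
        ("SSL: node-to-node", internode == "all"),  # "dc"/"rack" leave some links in clear text
    ]
    return [name for name, ok in checks if not ok]
```

Run `audit(WEAK_CASSANDRA, WEAK_DSE)` to list the unmet items and `audit(HARDENED_CASSANDRA, HARDENED_DSE)` to confirm an empty list.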