DSE database security checklist

Security for DataStax Enterprise database nodes:

Authentication: Limit connections to the database to only known users. DSE supports user validation with the following authentication methods:

  • Internal: Credentials store in the internal database

  • LDAP: External LDAP service, such as Active Directory

  • Kerberos: MIT Kerberos tickets checked against an external Key Distribution Server (KDS) See Configuring DSE Unified Authentication.

    Restriction: DSE Unified Authentication is only supported for database connections. To authenticate internode communication, such as gossip, use node-to-node SSL certificates.

  • Authorization:

    Restrict access to database resources for authenticated users with role-based access control (RBAC). DSE supports role management using the following methods:

  • Internal database: 1-1 mapping of user name or principal name to roles

  • LDAP: 1-many mapping, where users are assigned all roles that match groups they are members of in LDAP DataStax only supports RBAC with authentication enabled. See Managing roles and Authorizing access to database resources.

  • Audit activity:

    Log and monitor activity for database resources, see Enabling data auditing in DataStax Enterprise.

  • Transparent data encryption (TDE):

    Protect data at-rest. DSE provides encryption for sensitive data by encrypting:

    • Entire tables (except for partition keys which are always stored in plain text)

    • SSTables containing data, including system tables (such as system.batchlog and system.paxos)

    • Search indexes

    • File-based Hints (in DSE 5.0 and later)

    • Commit logs

    • Sensitive properties in dse.yaml and cassandra.yaml Encrypt data using an external KMIP or local service, see About Transparent Data Encryption.

  • Encrypt data in-flight using SSL

    Secure communication between clients and the database and between nodes in a cluster, see Configuring SSL.

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2024 DataStax | Privacy policy | Terms of use

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000, info@datastax.com