Database security checklist

This checklist provides a comprehensive overview of security features available in HCD 1.2 for transactional nodes.

Authentication

HCD supports user validation with the following authentication methods:

  • Internal: Username/password pairs stored in the internal database

  • LDAP: External LDAP service integration (Active Directory, OpenLDAP, etc.)

  • OpenID Connect (OIDC): Modern identity providers for enterprise SSO

Restriction: HCD authentication is only supported for database connections.

Authorization

HCD supports role management using the following methods:

  • Internal: Direct mapping of users to roles

  • LDAP: One-to-many mapping, where users are assigned all roles that match the LDAP groups they are members of

  • OIDC: Role mapping from JWT claims to database roles

DataStax supports RBAC only when authentication is enabled.

Encryption

HCD provides encryption for sensitive data by encrypting:

  • SSTable files

  • Commit log files

  • Hints files

Security best practices

This section provides a comprehensive overview of security best practices for HCD 1.2.

Authentication and authorization

  • Enable authentication on all nodes

  • Use strong passwords for internal authentication

  • Configure LDAP or OIDC for enterprise integration

  • Create specific roles for different user types

  • Grant minimum necessary permissions

  • Regularly review and update role assignments

  • Disable the default cassandra user after creating admin accounts

Encryption

  • Enable client-to-node encryption for all connections

  • Enable node-to-node encryption for internode communication

  • Use strong cipher suites and TLS 1.2 or higher

  • Implement transparent data encryption for sensitive data

  • Use KMIP for centralized key management

  • Regularly rotate encryption keys

Network security

  • Configure firewalls to restrict access to database ports

  • Use network segmentation to isolate database nodes

  • Implement SSL/TLS certificate validation

  • Monitor network traffic for suspicious activity

  • Use VPN or private networks for remote access

Monitoring and compliance

  • Enable comprehensive audit logging

  • Monitor authentication and authorization events

  • Track data access patterns

  • Implement alerting for security events

  • Conduct regular security assessments and penetration testing

  • Maintain compliance documentation

Implementation checklist

  • Enable authentication on all nodes

  • Configure authentication scheme (internal/LDAP/OIDC)

  • Create admin roles and users

  • Disable default cassandra user

  • Configure role-based access control

  • Enable client-to-node encryption

  • Enable node-to-node encryption

  • Configure transparent data encryption

  • Set up audit logging

  • Configure firewall rules

  • Test security configuration

  • Document security procedures

  • Train administrators on security features

Default security configuration

By default, HCD 1.2 has the following security settings:

  • Authentication: Disabled (authenticator.parameters.enabled: false)

  • Authorization: Disabled (authorizer.parameters.enabled: false)

  • Client-to-node encryption: Disabled (client_encryption_options.enabled: false)

  • Node-to-node encryption: Disabled (server_encryption_options.internode_encryption: none)

  • Transparent data encryption: Disabled (transparent_data_encryption_options.enabled: false)

  • Audit logging: Disabled (audit_logging_options.enabled: false)

Configuration file locations

  • Package installations: /etc/hcd/cassandra/cassandra.yaml

  • Tarball installations: <installation_location>/resources/cassandra/conf/cassandra.yaml
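
The six defaults above can be checked mechanically. The following is an added example, not DataStax code: it flattens the nested mappings of a cassandra.yaml into dotted paths and reports every setting from the list that is still at its insecure default. The function names, the simplified YAML handling (mappings only, list items skipped) and the sample file content are assumptions made for illustration.

```python
import re

# Dotted setting paths and the insecure default values listed on this page.
INSECURE_DEFAULTS = {
    "authenticator.parameters.enabled": "false",
    "authorizer.parameters.enabled": "false",
    "client_encryption_options.enabled": "false",
    "server_encryption_options.internode_encryption": "none",
    "transparent_data_encryption_options.enabled": "false",
    "audit_logging_options.enabled": "false",
}

def flatten_yaml(text):
    """Flatten nested 'key: value' mappings to {dotted.path: value}; list items are skipped."""
    flat, stack = {}, []  # stack: (indent, key) for each open parent mapping
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()  # drop comments
        m = re.match(r"^(\s*)([A-Za-z_][\w.-]*):\s*(.*)$", line)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave mappings we have dedented out of
        if value:
            flat[".".join([k for _, k in stack] + [key])] = value.strip("'\"")
        else:
            stack.append((indent, key))
    return flat

def audit(text):
    """Return [(path, value)] for settings at the insecure default.
    Assumption: a missing key (value None) falls back to that default."""
    flat = flatten_yaml(text)
    return [(p, flat.get(p)) for p, bad in INSECURE_DEFAULTS.items()
            if flat.get(p) is None or flat[p].lower() == bad]

# Constructed sample, not a real cluster's cassandra.yaml.
SAMPLE = """\
authenticator:
  parameters:
    enabled: true
authorizer:
  parameters:
    enabled: false   # still at default
client_encryption_options:
  enabled: true
server_encryption_options:
  internode_encryption: none
"""
```

Call `audit()` on the text of the cassandra.yaml for your installation type on each node; an empty list means none of the six settings is at its default.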

Security components

This section provides a comprehensive overview of the security components available in HCD 1.2.

AdvancedAuthenticator

  • Supports multiple authentication schemes simultaneously

  • Configurable default and additional schemes

  • TLS/SSL support for external authentication

  • Plain text authentication warnings

AdvancedAuthorizer

  • Role-based access control (RBAC)

  • Granular permissions at resource level

  • Permission inheritance through role hierarchy

AdvancedRoleManager

  • Internal role management

  • LDAP role integration

  • OIDC role mapping

  • Role caching and performance optimization

Next steps

  1. Review the Security overview for detailed information.

  2. Set up Authentication and Authorization.

  3. Configure Encryption for data protection.

  4. Set up Audit logging for compliance.

  5. Test all security features thoroughly before production deployment.
