Database security checklist
This checklist provides a comprehensive overview of security features available in HCD 1.2 for transactional nodes.
Authentication
HCD supports user validation with the following authentication methods:
-
Internal: Username/password pairs stored in the internal database
-
LDAP: External LDAP service integration (Active Directory, OpenLDAP, etc.)
-
OpenID Connect (OIDC): Modern identity providers for enterprise SSO
Restriction: HCD authentication is only supported for database connections.
Authorization
HCD supports role management using the following methods:
-
Internal: Direct mapping of users to roles
-
LDAP: 1-many mapping, where users are assigned all roles that match groups they are members of in LDAP
-
OIDC: Role mapping from JWT claims to database roles
DataStax only supports RBAC with authentication enabled.
Encryption
HCD provides encryption for sensitive data by encrypting:
-
SSTable files
-
Commit log files
-
Hints files
-
Client-to-node encryption:
Encrypt data in transit between clients and database nodes using SSL/TLS. See Configure client-to-node encryption.
-
Node-to-node encryption:
Encrypt data in transit between database nodes using SSL/TLS. See Configure node-to-node encryption.
Security best practices
This section provides a comprehensive overview of security best practices for HCD 1.2.
Authentication and authorization
-
Enable authentication on all nodes
-
Use strong passwords for internal authentication
-
Configure LDAP or OIDC for enterprise integration
-
Create specific roles for different user types
-
Grant minimum necessary permissions
-
Regularly review and update role assignments
-
Disable the default
cassandra
user after creating admin accounts
Encryption
-
Enable client-to-node encryption for all connections
-
Enable node-to-node encryption for internode communication
-
Use strong cipher suites and TLS 1.2 or higher
-
Implement transparent data encryption for sensitive data
-
Use KMIP for centralized key management
-
Regularly rotate encryption keys
Network security
-
Configure firewalls to restrict access to database ports
-
Use network segmentation to isolate database nodes
-
Implement SSL/TLS certificate validation
-
Monitor network traffic for suspicious activity
-
Use VPN or private networks for remote access
Monitoring and compliance
-
Enable comprehensive audit logging
-
Monitor authentication and authorization events
-
Track data access patterns
-
Implement alerting for security events
-
Regular security assessments and penetration testing
-
Maintain compliance documentation
Implementation checklist
-
Enable authentication on all nodes
-
Configure authentication scheme (internal/LDAP/OIDC)
-
Create admin roles and users
-
Disable default cassandra user
-
Configure role-based access control
-
Enable client-to-node encryption
-
Enable node-to-node encryption
-
Configure transparent data encryption
-
Set up audit logging
-
Configure firewall rules
-
Test security configuration
-
Document security procedures
-
Train administrators on security features
Default Security Configuration
By default, HCD 1.2 has the following security settings:
-
Authentication: Disabled (
authenticator.parameters.enabled: false
) -
Authorization: Disabled (
authorizer.parameters.enabled: false
) -
Client-to-node encryption: Disabled (
client_encryption_options.enabled: false
) -
Node-to-node encryption: Disabled (
server_encryption_options.internode_encryption: none
) -
Transparent data encryption: Disabled (
transparent_data_encryption_options.enabled: false
) -
Audit logging: Disabled (
audit_logging_options.enabled: false
)
Configuration file locations
-
Package installations:
/etc/hcd/cassandra/cassandra.yaml
-
Tarball installations:
<installation_location>/resources/cassandra/conf/cassandra.yaml
Security components
This section provides a comprehensive overview of the security components available in HCD 1.2.
AdvancedAuthenticator
-
Supports multiple authentication schemes simultaneously
-
Configurable default and additional schemes
-
TLS/SSL support for external authentication
-
Plain text authentication warnings
AdvancedAuthorizer
-
Role-based access control (RBAC)
-
Granular permissions at resource level
-
Permission inheritance through role hierarchy
AdvancedRoleManager
-
Internal role management
-
LDAP role integration
-
OIDC role mapping
-
Role caching and performance optimization
Next steps
-
Review the Security overview for detailed information.
-
Set up Authentication and Authorization.
-
Configure Encryption for data protection.
-
Set up Audit logging for compliance.
-
Test all security features thoroughly before production deployment