By Ben Slater Tuesday 31st January 2017

Apache Cassandra Security

Technical

Apache Cassandra security has hit the new lately with a benevolent hacker attempting to warn owners of unsecured Cassandra databases about their exposure (see https://www.bleepingcomputer.com/news/security/a-benevolent-hacker-is-warning-owners-of-unsecured-cassandra-databases/).

At Instaclustr, we take security very seriously. We were confident that our default configurations would not allow access to this type of scan. We have used our central management system to check all clusters that we currently have under management for the presence of the tell-tale keyspace and confirm that none of our managed clusters had been detected by the scan.

Of course, not being picked up by some random, external scan is no guarantee of security so it’s worth re-capping some of the things we do at Instaclustr to make it easy to maximise the security of your cluster:

  • The use of TLS (SSL) and password authentication to connect to Cassandra can be configured with the click of a check box at cluster creation. We even generate sample code for connecting to the cluster to make it as easy as possible.
  • Firewall rules block all access to the cluster by default with exception added at the control of the cluster owner through our console.
  • We support VPC peering and the use of private IPs to minimise public access points through the firewall.
  • We disable access by the default Cassandra user, preventing any attacks using this well-known user.
  • We regularly commission external penetration tests of our clusters and other components of our system.

In addition to these current measures, we have a continuing focus on enhanced security technology and processes which benefit all of our customers as they become available. For example, current engineering initiatives include enhanced intrusion detection across all components of our system and additional security certifications.

At Instaclustr, we’re proud of our capability, focus and record when it comes to security. While it’s not an area that we often talk about publicly we’re more than happy to go into details of our approach with any customers or potential customers – just contact us to set up a chat.

 

Site by Swell Design Group