A Closer Look at DataStax Enterprise 3.0 – Part 1
February 26, 2013
DataStax Enterprise (DSE) 3.0 represents a major step forward in the big data platform we introduced back in October 2011. As NoSQL solutions like Apache Cassandra, Hadoop, and Solr continue to prove themselves in big data situations, modern enterprises are quickly putting them center stage in applications that help transform how they do business.
That said, some key hurdles have held back most, if not all, NoSQL databases from going more viral in the enterprise. With version 3.0 of DataStax Enterprise, we’ve addressed two of these top obstacles: enterprise-class security and enterprise manageability. In part 1 of this post, let me take you on a quick tour of what we’ve done in the area of security.
Big Data Security
“You gotta be kiddin’ me!”
That was my reaction when I first got here at DataStax and began looking at how Cassandra and all other NoSQL databases implemented security. The lack of security features in the NoSQL world in general really took me by surprise, with such a thing not escaping the notice of tech publications like InformationWeek that published “Why NoSQL Equals No Security” last year.
Having been a database guy for a very long time, I know that the top two ways database pros lose their jobs are: (1) failing to practice good disaster recovery procedures and having a key database disintegrate with no way to get it back; (2) failing to practice good security controls and letting someone walk off with the company’s crown jewels – their data assets. That being the case, it’s only natural that enterprises would be wary about trusting sensitive data to a database that lacks adequate security controls.
With DSE 3.0, I’m very happy to say that we now provide the most comprehensive and integrated security feature set of any NoSQL/big data provider in the market. Plus, we’ve done it in a way that (1) addresses the dimensions of real-time, analytic, and search data in an integrated fashion; (2) involves little to no learning curve for those of you coming from an RDBMS world.
Because there are many different aspects to security, we wanted to ensure we delivered a multi-faceted security feature set that touched on the areas most important to modern businesses. Of course, we’ll be adding more in this area in future releases, but for a first pass, our customers have told us we’ve hit all the key areas that matter most to them.
For authenticating into a database cluster, you have the option of using internal or external authentication. Internal authentication stores all login IDs and passwords along with other metadata safely in Cassandra, and uses the very familiar CREATE/ALTER/DROP USER syntax to manage user accounts. External authentication can be utilized for those wanting to run DSE 3.0 in a Kerberos and/or LDAP environment. If you use Kerberos, you in effect have single sign-on capabilities for all Cassandra, Hadoop, and Solr nodes in a DSE cluster.
Once authenticated into a database cluster, the next security issue to be tackled is permission management; i.e. what can the user do inside the database? If you’re coming from a relational database, you’ll be right at home with the GRANT/REVOKE paradigm we’ve implemented and will be pleased with the depth and granularity of security controls we’ve provided in this area.
Further, the Cassandra-based authentication and authorization are just one possible implementation of these types of security enforcement; you have the flexibility to create/use others if you’d like. Also, you have the option of using authentication without authorization if you choose. Some of you told us you just want users authenticated to a database with no further enforcement, so we’ve provided that flexibility.
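The account and permission model described above, sketched as an added CQL example that is not from the original post or from DataStax's documentation. The user names, passwords, and the `shop` keyspace and its tables are hypothetical, and the statement forms are those of Apache Cassandra's CQL user and permission commands, so confirm them against the documentation for your DSE version.

```cql
-- Added example; all names and passwords are hypothetical placeholders.
-- Run as an existing superuser, with internal authentication and
-- authorization enabled on the cluster.

-- One account per function; none of them is a superuser.
CREATE USER app_writer WITH PASSWORD 'REPLACE_ME_1' NOSUPERUSER;
CREATE USER analyst    WITH PASSWORD 'REPLACE_ME_2' NOSUPERUSER;

-- The application may read and write only the table it owns.
GRANT SELECT ON TABLE shop.orders TO app_writer;
GRANT MODIFY ON TABLE shop.orders TO app_writer;

-- Analysts start with read-only access to the keyspace.
GRANT SELECT ON KEYSPACE shop TO analyst;

-- Review what was actually granted before handing out credentials.
LIST ALL PERMISSIONS OF app_writer;
LIST ALL PERMISSIONS OF analyst;

-- Narrow the analyst from the whole keyspace to a single table.
REVOKE SELECT ON KEYSPACE shop FROM analyst;
GRANT SELECT ON TABLE shop.order_totals TO analyst;

-- Rotate a password, and remove an account once it is no longer needed.
ALTER USER app_writer WITH PASSWORD 'REPLACE_ME_3';
DROP USER analyst;
```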
What about protecting sensitive data like credit card info, social security numbers, or health care information? Besides the simple file system encryption that many OSes provide, we supply transparent data encryption that encrypts objects holding sensitive data so that it’s more fully protected from theft. AES 128 is the default encryption algorithm, but there are others we ship in DSE that you can use, plus you can install your own custom algorithm if you’d like.
Moreover, because we run Hadoop and Solr on Cassandra, you can very easily encrypt not only Cassandra data, but your Hadoop and Solr data as well.
Another security feature in DSE 3.0 is data auditing. Make no mistake, we’ve not designed this as some afterthought where a single switch is flipped that in turn floods your system log with tons of audit information you may or may not care about. Instead, you have full granular control over what gets audited, what keyspaces are monitored, and more. Plus, you can choose to write audit data to either filesystem logs or Cassandra tables. Implementing auditing is easy too – just edit a parameter file, set what you want to do, and you’re ready to go. Finally, again, since Hadoop and Solr data are stored in Cassandra in a DSE cluster, you can audit actions on Hadoop and Solr activities as well as Cassandra.
DSE 3.0 also provides client-to-cluster encryption for protecting data in flight. This feature ensures data can’t be stolen over the wire and utilizes SSL and/or SSL in Kerberos to keep everything secure as it moves to/from Cassandra, Hadoop, and Solr.
Lastly, we wanted to make sure that what we were doing internally in DSE 3.0 on the security front was efficient and ensured we had no obvious security holes, so we commissioned the expert security firm iSEC Partners to do an engineering review of our implementation. I’m happy to say they gave us the thumbs up on the work.
So, with DSE 3.0, I’m pleased that my initial reaction over security has now been replaced with a much better feeling of having the key aspects of security covered for our customers. And stay tuned – there’s more to come on this front in future releases.
For More Information
To try out DSE 3.0’s new security features, download a copy today. DataStax Enterprise is completely free to use in development environments with no restrictions; however, production deployments do require that a subscription be purchased.
For more information on how to use the new security features in 3.0, please see our online documentation, our new “What’s New in DataStax Enterprise 3.0” white paper, as well as some tech blog posts that I’ve written, which are coming in our DataStax dev blog.