Company | April 1, 2022

Protect Your DBaaS with Astra SSO and BYOK Capabilities

Krithika Balagurunathan (Product), Sajeev Pillai (Engineering), Roger Barlow (Product)

These days we are all on a cloud journey at some level. Most organizations have recognized the benefits of leveraging DBaaS offerings. Enterprises expect their complex and evolving security requirements to be met by DBaaS providers. DataStax Astra comes with several built-in security mechanisms that make it easy to keep your data safe while reducing the Total Cost of Ownership (TCO), such as:

  • A secure shared infrastructure
  • Intrusion detection and prevention
  • Private link and IP access lists
  • End-to-end encryption
  • Role-based access controls
  • Administration audit logging
  • Token authorized developer endpoints
  • Single sign-on (SSO) – New
  • Bring your own key (BYOK) at-rest data encryption – New

More details on each of these security features can be found in our white paper, DataStax Astra DB Security Overview: Serverless Database-as-a-Service with Enterprise-level Security and Privacy. In addition to the already comprehensive list of security capabilities Astra DB provides, we are pleased to introduce our two newest features that offer additional protection for your data. These are SSO and BYOK features, which we’ll describe in more detail here. 

Single sign-on

Single sign-on (SSO) helps with database security because it reduces the chances of database users using a password that is easily compromised. Most enterprises employ some sort of Identity Provider (IdP) to facilitate SSO, like Azure Active Directory (AAD) or Okta. These IdPs are able to federate accounts across multiple applications and databases to provide a central management point for password security. 

IdPs are configured with a password policy that dictates password parameters such as:

  • Password complexity typically requires some combination of capital and lowercase letters, numerals, non-alphanumeric characters, and a minimum length.
  • Multi-factor or two-factor authentication (MFA or 2FA) is a requirement in which a second device or application is used to verify authentication.
  • Password expiry frequency requires the user to create a new password after a specified time period.
  • Session timeout durations require the user to re-authenticate after a defined period of inactivity.

Applications can defer their authentication functions to an IdP to ensure that passwords adhere to an enterprise's security requirements. In addition to the security benefits IdPs provide, they also offer convenience to users, allowing them to log into a single system and reach all of the databases and apps they use without having to authenticate every time they need to access a different one.

Another critical aspect of SSO that ensures your cloud databases are secure is your ability to control access to them. In the world of cloud applications, it’s often very easy for anyone to sign up and share their access with others. What happens when someone leaves the organization and should no longer have access? In order to revoke access, an administrator needs to be made aware of that person’s departure. The complexity and burden of this process are further compounded with multiple cloud applications, multiple administrators, and potentially multiple instances of the application depending on the access model. It’s easy to see how access management can become a nightmare.

SSO IdPs that include or integrate with directory services solve this problem by:

  1. Creating groups in the directory services which organize users of a given class together.
  2. Assigning these groups to applications in order to control which classes of users have access to which applications.
  3. Mapping the groups to the permissions systems in the database to define which groups have which level of permissions.

With this type of access management in place, when someone leaves the company, changes roles, or does something bad (uh-oh!) it’s just a matter of turning off that person’s access within the IdP.
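The three-step group model above, and the single-switch offboarding it enables, as an added example that is not DataStax or IdP vendor code. The `Directory` class is a minimal stand-in for an IdP with directory services, and every group, application and permission name is hypothetical.

```python
# Added illustration: group, application and permission names are hypothetical.
from dataclasses import dataclass, field


@dataclass
class Directory:
    """Minimal stand-in for an IdP with directory services."""
    groups: dict = field(default_factory=dict)      # step 1: group -> users
    app_groups: dict = field(default_factory=dict)  # step 2: app -> assigned groups
    disabled: set = field(default_factory=set)      # accounts turned off in the IdP

    def groups_for(self, user, app):
        """Groups the IdP would assert for this user when signing in to app."""
        if user in self.disabled:
            return set()  # disabled account: no sign-in, so no group claims
        assigned = self.app_groups.get(app, set())
        return {g for g in assigned if user in self.groups.get(g, set())}


# Step 3: the database side maps asserted groups to permission levels.
ROLE_MAP = {
    "db-admins": {"read", "write", "manage_keys"},
    "analysts": {"read"},
}


def effective_permissions(directory, user, app):
    """Union of permissions over mapped groups; unmapped groups grant nothing."""
    perms = set()
    for group in directory.groups_for(user, app):
        perms |= ROLE_MAP.get(group, set())  # default deny for unknown groups
    return perms


def build_sample():
    """Constructed sample directory."""
    return Directory(
        groups={"db-admins": {"alice"}, "analysts": {"alice", "bob"},
                "sales": {"carol"}},
        app_groups={"orders-db": {"db-admins", "analysts"}},
    )


if __name__ == "__main__":
    d = build_sample()
    print(sorted(effective_permissions(d, "alice", "orders-db")))
    print(sorted(effective_permissions(d, "carol", "orders-db")))  # group not assigned
    d.disabled.add("alice")  # offboarding: one change in the IdP
    print(sorted(effective_permissions(d, "alice", "orders-db")))
```

Because permissions are derived from group claims at sign-in rather than stored per user in each application, disabling the account in the directory removes access everywhere the groups were assigned.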

Bring Your Own Key   

Bring Your Own Key (BYOK) takes the security of data at rest to the next level by not only encrypting the data but by putting the literal keys to decrypting it into your hands. With this mechanism, the encryption keys, their lifecycle, who has access, and how access is obtained are decided by you. BYOK plugs a crucial gap for companies with stringent internal or external data security regulations to meet.

With BYOK, you can create an encryption key in your own key/secret management system, which you then pass to Astra DB to encrypt/decrypt data that will be stored in Astra’s secure storage subsystem. And you can easily configure policies (e.g. key rotation) to enforce industry best practices when it comes to securing data. 

Leveraging BYOK allows you to proactively prevent and reduce exposure in case of a breach. If a key is modified or tampered with, most KMS providers will send alerts and notifications so you can quickly react and revoke access and change the key. The process of changing a key is instantaneous and anyone attempting to access using the old key is immediately locked out. 

The BYOK feature is a direct integration with the cloud providers' key management solutions: AWS KMS and GCP Cloud Key Management (both available now) and Azure Key Vault (coming soon). The cloud provider solution offers ancillary services such as auditing and custom keystores. Astra DB does not bill for use of the feature. However, the cloud provider may charge for setting up a key and for other costs associated with encryption and decryption. Refer to the AWS Key Management Service pricing and the Google Cloud Key Management pricing for details.


DataStax is committed to offering world-class security for your databases. With the introduction of SSO and BYOK – two powerful new security features in Astra DB – you can rest easy knowing that your data has maximum protection from unauthorized access and that it is securely encrypted.
